Financial Services Updates

Key Takeaways from ASIC Info Sheet 283

The Australian Securities and Investments Commission (ASIC) has released Info Sheet 283, which provides guidance on supervising business communications of market intermediaries and their representatives to ensure compliance with obligations under the Corporations Act and Market Integrity Rules. 

Record keeping of communications and effective monitoring of those records has been an important global theme. In addition to the work by ASIC in this space, US regulators have imposed significant fines on banks for off channel unrecorded communications such as WhatsApp and the UK FCA has repeatedly raised this as an issue in their Market Watch briefings.

ASIC often follows up info sheets with additional thematic reviews and enforcement actions and it is important that market intermediaries consider their risk appetite for supervisory arrangements, and specifically review their recording and monitoring of off-channel communications as a result of this Information Sheet.  

Scope of Supervision

ASIC expects market intermediaries to have robust systems and processes in place to effectively supervise their business communications of their representatives. This includes (i) appropriate recording and (ii) monitoring of those records to prevent and detect misconduct such as market abuse, misuse of confidential information nor other compliance issues like privacy of client information or third parties communicating with employees for non-business purposes.  Non-business communications which are collected as part of this will likely attract obligations under the Privacy Act.

Record-Keeping:

Market intermediaries must ensure that all business communications are recorded and retained in accordance with regulatory requirements. The use of WhatsApp and other similar communication channels have been a target of regulators around the globe. We recommend that market intermediaries take steps to ensure all communications are going through recorded channels. Licensees should identify and assess risks associated with business communications and tailor their supervision accordingly and within their risk appetite.

Communication channels such as WhatsApp can be valid and effective methods of communication.  However, ensuring that they are appropriately recorded is crucial.  If it is not possible for this to occur then these channels should not be used.

• Questions to ask yourself:

Monitoring and Review:

Market intermediaries should implement regular monitoring and review processes to detect and address any non-compliant communications promptly.  Monitoring communications is seen by ASIC as crucial to detect and prevent market abuse, inappropriate disclosure of confidential information or other breaches. 

In our experience ASIC notices for internal and external correspondence often identifies emails and correspondence that evidences issues or breaches unrelated to an investigation and creates new potential regulatory enforcement action. 

• Questions to ask yourself:

Compliance Expectations

Market intermediaries should develop clear policies and procedures that define acceptable communication practices and outline the consequences of non-compliance. Market intermediaries should keep policies and procedures up to date with the changing regulatory landscapes and technological advancements.

• Questions to ask yourself:

Training and Awareness: 

Market intermediaries should provide ongoing training to employees to ensure they understand their obligations and the importance of compliant communications through authorised channels.

• Questions to ask yourself:

Next steps 

The challenge for businesses now is that there are multiple ways in which employees are communicating. In some cases they are using employer issued devices and in others they use their own.  They may have a laptop, a desk phone, a mobile and a tablet.  Each device creates new potential risks of unauthorised and unrecorded communication. In particular, where systems are clunky employees may decide to use different communication methods for ease of communication. Ensuring that your policies and procedures comply with your employment law obligations, the terms of any employment contracts and data protection and privacy rules in this context will become increasingly important.

Remote and hybrid working also makes this more challenging to detect communication on unauthorised services. 

In some ways the Australian regulatory system is more challenging than some other jurisdictions. For instance the UK and EU have specific rules on telephone conversations and electronic recording detailing exactly what needs to be recorded and for how long. 

Despite this we expect ASIC will rapidly lose patience with market intermediaries who do not properly record or monitor those communications. ASIC has already slated a focus on reviews of supervisory controls for remote working arrangements in compliance with the market integrity rules on technological and operational resilience, and unauthorised communications may be another angle it considers in this context.

Compliance with Privacy Act

Not covered in the ASIC brief but of crucial importance to market intermediaries will be ensuring that your practices, procedures, and systems also comply with your Privacy Act.

The Privacy Act regulates the collection of Personal Information in Australia, including under Info Sheet 283. Personal Information which exists in "business communications" may be exempt from the Privacy Act. Personal Information which is collected but not contained in "business communications" will likely attract Privacy Act obligations. These obligations will require you to undertake a risk assessment and be able to identify and destroy Personal Information which is contained in the "non-business communications" you have also collected.

• Steps to consider: