Introduction
The risk themes of global turmoil, organisational resilience, climate change and data privacy have shaped the Australian regulatory environment during the last two years. With continued media focus on customer data breaches, service outages, conflicts and severe weather events over the past 12 months, these will likely continue to be a focus in the coming year.
This outlook covers key highlights across the Australian regulatory landscape during the coming year.
Financial Services Focus Areas
Two major implementation efforts are dominating the financial services regulatory landscape: the implementation of CPS 230 Operational Risk Management and of the Financial Accountability Regime (FAR). The Australian Prudential Regulation Authority (APRA) will also be keenly focused on improving governance practices in the superannuation industry.
CPS 230 Operational Risk Management
Regulated entities must be compliant with APRA’s CPS 230 Operational Risk Management Prudential Standard from 1 July 2025. CPS 230 extends and replaces the existing APRA Prudential Standards relating to Outsourcing (CPS/HPS/SPS 231) and Business Continuity Management (CPS/SPS 232). Final implementation guidance was only released by APRA in June, and we note that a large number of regulated entities still have significant work to do to be compliant with this new Standard. This includes identifying Critical Operations, documenting related processes, identifying process risks and controls, setting Tolerance Levels for disruptions, uplifting Business Continuity Plans, and revising vendor risk management processes and supplier contracts.
See our ‘CPS 230 Focus Areas for Compliance with the New Standard’ for more details on the updated and enhanced requirements for operational risk, business continuity and service provider management under CPS 230.
Financial Accountability Regime
The Financial Accountability Regime (FAR) commenced for authorised deposit-taking institutions (ADIs) and their authorised non-operating holding companies (NOHCs) on 15 March 2024. It will apply to insurance entities, their licensed NOHCs, and superannuation trustees from 15 March 2025. As such, significant work is being undertaken within the Insurance and Superannuation industries to document Executive Accountability Statements and Reasonable Steps, and to put in place mechanisms for the monitoring and maintenance of these.
Superannuation
Earlier in August, APRA announced that it had entered into an enforceable undertaking (EU) with United Super Pty Ltd and BUSS (Queensland) Pty Ltd.
This followed widespread media coverage of criminal allegations against the Construction, Forestry and Maritime Employees Union (CFMEU) and its officials, including in relation to fraud, corruption, and links with organised crime. These two Superannuation Trustees are both partially owned by the CFMEU and have CFMEU officials occupying a material number of seats on their Boards (3 of 14 and 4 of 8 respectively).
The Trustees have agreed to commission independent reviews against their obligations under Prudential Standard SPS 520 Fit and Proper and their compliance with the duty to act in the best financial interests of beneficiaries of the funds.
This follows debate over the conflicts inherent where funds have Directors who are nominated by union or employer groups. There is also increasing scepticism around whether political donations made by these funds are in the best interests of their members.
APRA has indicated that it intends to make the results of these reviews public. This mirrors its approach to the 2018 Prudential Inquiry into the Commonwealth Bank of Australia, where it published the results of the inquiry and required all major banks and insurers to perform a self-assessment against the findings.
It seems likely that Superannuation Trustees will be directed to conduct similar reviews. Trustees should be prepared for scrutiny over:
Expansion of SOCI Scope
Reforms to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) have expanded the designation of infrastructure sectors that are regarded as critical within Australia, and have increased the obligations on owners and operators of critical infrastructure assets to protect Australia’s social and economic interests. The critical sectors now include the following:
- Communications
- Financial services and markets
- Data storage and processing
- Defence
- Higher education and research
- Energy
- Food and grocery
- Healthcare and medical
- Space technology
- Transport
- Water and sewerage
Central to these reforms is the requirement under Part 2A of the SOCI Act to prepare and maintain a critical infrastructure risk management program (CIRMP) that considers risks that could materially impact the effective operation of each critical infrastructure asset. Section 30AG requires that the Board provide an annual attestation over the currency and effectiveness of the CIRMP, and the first of these annual attestations for in-scope critical infrastructure sectors is due to the Department of Home Affairs on 28 September 2024.
In addition, the Cyber Security Framework requirements under the SOCI Act are due for implementation by 17 August 2024, and require all critical infrastructure operators to meet a baseline level of cyber security maturity in line with a designated framework (NIST, AESCSF, Essential Eight or ISO 27000). These reforms give the government unprecedented authority to intervene in the response to a security incident and to access operational information relevant to critical infrastructure assets, reflecting Australia’s response to increasing geopolitical tension in the Asia Pacific region.
Privacy Act Updates
The current iteration of the Privacy Act 1988 (Cth) is set to undergo significant legislative reform in 2024, after the Australian Government agreed to 38 proposals and agreed in principle to a further 68 proposals in its response to the recommendations in the Attorney General’s Privacy Act Review Report. The reform areas agreed to by the Australian Government include:
- Security and destruction of personal information
- Automated decision making
- Children’s privacy
- Enforcement
- APP codes
The legislated proposals drafted by the Attorney General’s Department are expected to go before Parliament in August 2024. These will require organisations to uplift privacy practices including data governance and disclosures.
Climate-related Financial Disclosures
With half of global GDP being moderately or highly dependent on nature, ESG continues to become a more pronounced aspect of regulatory compliance. In 2023, the Australian Treasury proposed compulsory climate-related disclosures for all entities required to prepare annual reports under the Corporations Act 2001 (Cth); these proposals were subsequently drafted into amendments to the Corporations Act 2001 earlier this year. The obligation requires large-scale reporting entities to publish annual sustainability reports from 1 January 2025, with a staged timeline over the subsequent two financial years for medium and smaller enterprises.
The Australian reporting standards broadly align to those under International Financial Reporting Standards (IFRS) S2 Climate-related disclosures with the following 4 key tenets:
Transitional arrangements are intended to apply, to limit the impact of these disclosures on smaller entities.
Summary
The risk themes of global turmoil, organisational resilience, climate change and data privacy will continue to be a focus in the coming year, all of which will have noticeable impacts on existing and future compliance obligations.
Amstelveen is well positioned to assist clients with addressing obligations across these themes. Contact a member of our team to discuss your needs.