Doing Business in Australia: Chapter 6 - Regulation of Financial Services

Products and services provided by financial service providers (including banks and other financial institutions) are subject to regulation under the financial services provisions of Chapter 7 of the Corporations Act 2001 (Cth) (Corporations Act). Chapter 7 applies to financial service providers that target customers located in Australia and may deem those financial service providers to be providing financial services in Australia, even if that financial service provider has no place of business in Australia.

Chapter 7 of the Corporations Act regulates the financial services industry in several ways including:

1. Requirement to be licensed with ASIC – financial service providers that engage in conduct that constitutes the provision of a financial service in respect of a financial product may require an Australian financial services licence (AFSL) issued by the Australian Securities and Investments Commission (ASIC), Australia’s financial services’ conduct regulator.
   The following activities are examples of regulated financial services: providing financial product advice, dealing (which includes issuing varying and disposing) or arranging for another person to deal in a financial product, making a market for a financial product, operating a registered scheme, providing custodial or depository services, providing crowd-funding services, providing claims handling and settling services and providing a superannuation trustee service.
   Chapter 7 defines financial products broadly and this definition generally covers products such as securities (i.e. shares and debentures; see the Fundraising chapter of this publication), derivatives, foreign exchange contracts, general and life insurance products, interests in managed investment schemes, deposit accounts, superannuation interests, non-cash payment facilities (such as smart cards, digital wallets, payment tokens, credit/debit cards, cheques, travellers cheques and certain electronic payment facilities) and margin lending facilities. Other forms of credit products are specifically excluded from this regime but may come within the Australian Credit regime discussed below.
2. Conduct and disclosure obligations – providers of financial services face conduct, consumer protection and disclosure obligations in relation to activities connected with financial services and products, including the obligations to act efficiently, honestly and fairly, adequately manage conflicts of interest and implement risk management frameworks.
   Generally speaking, persons issuing regulated financial products to retail clients face more extensive initial and ongoing disclosure obligations than those dealing just with wholesale clients. Entities should also consider consumer protection provisions under the Australian Securities and Investments Commission Act 2001 (Cth) (ASIC Act) and the Australian Consumer Law (ACL) (see the Consumer protection and product liability chapter of this publication) as well as privacy laws (see the Privacy chapter of this publication).
3. Reporting obligations – providers of financial services must undertake regular and ad hoc reporting to relevant regulators including breach reporting.
4. Product governance – issuers and distributors of most classes of financial products to retail clients must comply with Australia’s product governance regime, also known as the ‘design and distribution obligations’ regime in Part 7.8A of the Corporations Act. These obligations apply to the issuing and distribution of in-scope financial products and services to retail clients and require issuers and distributors to retain a consumer-centric approach to designing and targeting financial products.

There are exemptions to the licensing and disclosure regimes as prescribed under regulations or legislative instruments that may be available to financial service providers. For example, certain foreign financial service providers are exempted from the licencing regime until 31 March 2024 under the ‘limited connection’ exemption or (if they have been approved by ASIC because they are regulated in a way which ASIC regards as ‘sufficiently equivalent’ to an AFSL) under the ‘passporting exemptions’ when they provide financial services to wholesale clients in Australia.

ASIC is a very active regulator with wide-ranging powers and is not afraid to litigate. ASIC also has a competition mandate. ASIC has a product intervention power (PIP) under Part 7.9A of the Corporations Act which allows ASIC to make a product intervention order when a financial or credit product has resulted, will result, or is likely to result in significant consumer detriment. This power allows ASIC to intervene in a wide range of ways and ASIC may, if necessary, ban financial or credit products when there is a risk of significant consumer detriment. An example of ASIC’s recent use of its PIP power includes its ban on the issue and distribution of binary options to retail clients which is in place until 1 October 2031.

In addition to ASIC, the Australian Prudential Regulation Authority (APRA) is the prudential regulator in Australia, with supervisory responsibilities in the banking, insurance and superannuation sectors. Any providers of banking, insurance and superannuation products will be dual-regulated in Australia by ASIC and APRA.

Banking

An entity that carries on 'banking business' in Australia must be an authorised deposit-taking institution (ADI) supervised by APRA. For the purposes of the Banking Act 1959 (Cth) (as amended) (Banking Act), an entity carries on banking business if it:

• takes deposits; and
• makes loans and advances.

Some particular aspects of banking business are also subject to regulation by ASIC, the Reserve Bank of Australia (RBA) and the Australian Transaction Reports and Analysis Centre (AUSTRAC).

A foreign bank wishing to establish a presence in Australia could either:

• create a new subsidiary that is subject to the supervision of APRA; or
• apply for registration as a foreign ADI which is subject to lesser supervision of APRA; or
• consider the availability of cross border exemptions.

If approval as a foreign ADI is granted, the foreign ADI is primarily supervised by the relevant regulator in the foreign ADI’s home jurisdiction and is subject to lighter-touch supervision by APRA. Typically, however, APRA will impose constraints on a foreign ADI’s operations including:

• approval from the home regulator to establish a branch in Australia;
• only accepting a minimum initial deposit of more than AUD $250,000 from customers who are individuals and non-corporate institutions;
• restrictions on receipt of deposits, with the foreign ADI generally only being able to provide products and services to ‘wholesale clients’;
• having adequate financial and non-financial resources;
• meeting comparable capital adequacy standards in the foreign ADI’s home jurisdiction;
• having sufficient liquidity at all times within the Australian branch (where applicable) for the foreign ADI to meet its obligations which are or may become payable in the next 30 days; and
• disclosure requirements.

Another approach open to a foreign bank is to establish a representative office in Australia. This may enable the foreign bank to maintain a presence in Australia so that it can receive enquiries about services which it provides offshore. A representative office in Australia may not conduct any form of banking business or activities related to the administration of banking business.

Finally, an overseas bank may conduct banking business with Australian counterparties from its offshore offices without a licence from APRA provided:

• the overseas bank does not maintain an office or permanent staff in Australia, including staff employed by another entity within the banking group which conducts business on its behalf;
• the overseas bank is not soliciting business from retail customers in Australia;
• all business contracts and arrangements are clearly transacted and booked offshore, and are subject to an offshore legal and regulatory jurisdiction; and
• the overseas bank does not breach section 66 of the Banking Act, which restricts the use of certain words and expressions, such as ‘bank’.

Use of the term 'bank' requires approval from APRA and is usually conditional on the applicant obtaining an authority to carry on a banking business or open a representative office.

An entity regulated as an ADI is subject to comprehensive supervision by APRA under a separate supervisory framework. ADIs are also subject to a suite of prudential standards relating to conduct, governance, oversight, risk and prudential requirements. In addition, there are ongoing obligations including reporting to APRA on ad hoc matters and breaches.

APRA is an active regulator with regulated entities but generally takes less public action than ASIC given its mandate of financial stability.

Consumer credit

Generally speaking, an Australian credit licence will be required where a business provides credit to consumers which are individuals (or a unique Australian body type called a strata corporation) who are ordinarily resident in Australia where the credit is provided for:

1. personal, domestic or household purposes; or
2. investment in or improvement of residential real estate.

This type of credit is subject to the National Consumer Credit Protection Act 2009 (Cth) (NCCPA) and the National Credit Code (NCC) (contained in the NCCPA). As well as obtaining an Australian Credit Licence, the credit provider is subject to a range of obligations:

1. Requirement to be licensed with ASIC – as noted above, businesses providing credit to consumers will require a credit licence unless an exemption is available.
2. Conduct – providers of consumer credit must undertake responsible lending assessments prior to the provision of credit.
3. Disclosure obligations – providers of consumer credit face consumer protection and disclosure obligations in relation to certain activities connected with consumer credit products.
4. Reporting obligations – providers of consumer credit must undertake regular and ad hoc reporting to relevant regulators including breach reporting.

Certain Australian credit products will also be subject to the DDO and PIP regimes, which are discussed above. 

The NCC contains highly prescriptive requirements relating to the form and content of loan and security documentation, as well as statutory disclosures and notices which must be given. The NCC specifies mechanisms for enforcement of loans, prescribes a process for dealing with hardship cases, provides relief against terms of an arrangement which may be characterised as "unjust" and also provides for disputes to be dealt with by an approved external dispute resolution scheme, AFCA, which has jurisdiction to make decisions that are binding on the credit provider.

Currently ‘buy now pay later’ products can generally be structured to exist outside consumer credit regulation. However, the new Australian federal government has stated that it intends to amend the NCCPA to include buy now play later products.

Payment services

Regulation of payment services in Australia is primarily directed at parties that hold value or effect transfers/payments on behalf of customers. Under the Payment Systems (Regulation) Act 1998 (Cth) (PSR Act), an entity that participates in a ‘designated payment system’ and which holds value for a customer must be an ADI or a purchased payment facility provider approved by APRA. For these purposes designated payment systems include, for example, VISA, MasterCard and American Express, as well as Australian domestic clearing and settlement services such as EFTPOS. To be a designated payment system the RBA must designate the payment system as such under the PSR Act.

There are some exceptions to the requirement to become a regulated purchase payment facility provider, including storing value which can be used to pay no more than 50 persons, or storing value that does not exceed AUD $10 million. This provides some relief for smaller businesses during a start-up phase.

In practice, providers of payment services generally enter into an alliance arrangement with an ADI through which value is stored with the ADI for the benefit of the provider's customers. Another approach is for the payment service provider to obtain a bank guarantee from an ADI in favour of the payment service provider’s customers. Once APRA has determined that the payment service provider is of a sufficient size, it will generally require it to become an approved purchased payment facility provider.

In addition to compliance with the PSR Act, payment service providers will need to consider the application of other regulatory regimes including whether the product being offered constitutes:

• a ‘non-cash payment facility’ under the Corporations Act for which an entity is required to hold an AFSL or otherwise be exempt;
• the provision of a remittance service, which requires registration as a remittance service provider with AUSTRAC; or
• the provision of a stored value card, which requires enrolment with AUSTRAC.

Australia also has an e-Payments Code, which is a voluntary code of practice that regulates electronic payments (including ATM, EFTPOS, debit and credit card transactions, online payments, internet and mobile banking and BPAY). Banks, credit unions, building societies and other providers of electronic payment facilities to consumers may elect to subscribe to this Code.

The e-Payments Code:

• requires subscribers to give consumers clear and unambiguous terms and conditions, information about changes to terms and conditions (such as fee increases), receipts and statements;
• sets out the rules for determining who pays for unauthorised transactions; and
• establishes a regime for recovering mistaken internet payments.

Although not a strict legal requirement, ASIC expects that a holder of an AFSL will comply with the e-Payments Code as a matter of good licensing practice, where the Code is relevant to any of the AFSL holder’s products. Subscribers to the e-Payments Code must warrant that they will comply with the Code in the terms and conditions they give consumers, and consumers may raise a complaint for a breach of the Code to the subscriber.

The e-Payments Code has recently been updated by ASIC, with changes due to commence on 2 June 2023 addressing:

• updates to compliance monitoring and data collection;
• mistaken internet payments;
• unauthorised transactions; and
• complaints handling.

Insurance

The regulation of insurance in Australia is differentiated between general insurance, life insurance and private health insurance, particularly from a prudential perspective. For the purposes of Chapter 7 of the Corporations Act (and certain consumer protections in the ASIC Act), general insurance and life insurance products are deemed to be financial products, with few exceptions. Importantly, private health insurance products are not financial products and are regulated under a separate regime.

Engaging in any of the following in relation to general insurance and life insurance products are regulated financial services:

• dealing (which includes issuing, varying and disposing) or arranging for another person to deal;
• providing advice, whether general or personal; and
• providing claims handling and settling services, subject to certain exceptions.

In addition to the licensing, disclosure, conduct and reporting obligations in Chapter 7 of the Corporations Act, the other key legislative obligations that apply to general insurers and life insurers are:

• in respect of general insurers: the Insurance Act 1973 (Cth);
• in respect of life insurers: the Life Insurance Act 1995 (Cth); and
• in respect of both general insurers and life insurers: the Insurance Contracts Act 1984 (Cth) (Insurance Contacts Act).

The Insurance Contracts Act provides a range of important protections for general and life insurance policyholders. These include various restrictions on the exercise of an insurer’s rights that would otherwise be available at common law, such as the ability to cancel or avoid a contract of insurance based on an insured’s non-disclosure or misrepresentation, and the ability for the insurer to rely on pre-existing condition exclusions. The Insurance Contracts Act also implies a duty of utmost good faith into all contracts of insurance. Additionally, the unfair contract terms regime under the ASIC Act applies to contracts of insurance.

General insurers and life insurers are dual-regulated by ASIC and APRA. They are required to hold an AFSL issued by ASIC and be a registered insurer with APRA. There are also voluntary quasi-regulatory regimes that operate in general and life insurance industry, including:

• the General Insurance Code of Practice, as published by the Insurance Council of Australia;
• the Life Insurance Code of Practice, as published by the Financial Services Council, the second version of which is effective from 1 July 2023; and
• the Insurance Brokers Code of Practice, as published by the National Insurance Brokers Association.

While these codes do not generally have the force of law, in some cases, sanctions may be imposed by a relevant industry body for non-compliance.

In terms of regulatory and judicial trends, there is a continuing movement towards greater policyholder protection and accountability for consumer harm. The last 24 months has been transformational for the Australian insurance sector as it implemented the single largest program of regulatory reform it has ever experienced, with reforms spanning licensing, claims handling, product design and terms, and distribution. Further reform is also expected. For example, the current Banking Executive Accountability Regime under the Banking Act has been proposed to extend to all APRA-regulated entities, including general, life and private health insurers.

Superannuation

The superannuation sector is heavily regulated in Australia. Like the insurance sector, superannuation trustees are dual-regulated by ASIC and APRA. All superannuation trustees are required to hold an AFSL issued by ASIC and a Registrable Superannuation Entity (RSE) licence, which is issued by APRA.

An interest in a regulated superannuation fund is a financial product under Chapter 7 of the Corporations Act. Engaging in any of the following in relation to superannuation products are regulated financial services:

• dealing (which includes issuing, varying and disposing) or arranging for another person to deal;
• providing advice, whether general or personal; and
• providing a superannuation trustee service.

In addition to Chapter 7 of the Corporations Act and the ASIC Act, regulated superannuation funds are regulated by a specific consumer protection and prudential regime in the Superannuation Industry (Supervision) Act 1993 (Cth) (SIS Act). The SIS Act operates in conjunction with an extensive regime of taxation law, that regulates (among other things) taxation and contributions limits in superannuation. At a high level, the SIS Act provides:

• a prudential licensing regime for trustees of regulated superannuation funds;
• a framework for APRA to make prudential and reporting standards that superannuation trustees must follow;
• performance requirements for superannuation products;
• conduct covenants that apply to both the superannuation fund trustee and the trustee’s directors, including requirements to exercise care, skill and diligence, manage conflicts and give priority to the interests of beneficiaries;
• restrictions on the release of superannuation benefits until beneficiaries meet a condition of release, such as reaching retirement age; and
• standards with respect to reporting data, investment management, actuaries and auditors of the funds.

Self-managed superannuation funds (SMSFs) are private superannuation funds and are also regulated under the SIS Act. However, SMSF trustees are supervised by the Australian Taxation Office rather than APRA, and they are not required to hold an RSE licence under the SIS Act.

The Australian superannuation sector continues to be in a state of upheaval and receive political attention. The Federal Government is reviewing various reforms implemented by the sector, including the scope of the Your Future Your Super reforms. In addition, the Government is undertaking a review into the quality of financial advice, which will impact how financial advice is provided to superannuation fund members. Similar to the insurance sector, it has also moved to extend the Banking Executive Accountability Regime to superannuation trustees under the proposed Financial Accountability Regime, thereby further enhancing the accountability obligations that apply to superannuation trustees and their directors, officers and senior executives.

Digital assets

The regulation of digital assets in Australia is currently under review with a view to providing certainty on their regulatory status. At present, the classification of digital assets requires an analysis of the features of each digital asset to determine if it meets the definition of a financial product.

The new Australian federal government has recently announced its policy position in relation to digital asset regulation. Treasury has stated that it will prioritise a ‘token mapping’ exercise during 2022, to help create standardised terminology for digital assets, which will inform regulation. The exercise was initially due to be finalised by the end of 2022, but now, a consultation paper will be issued by the end of 2022, with the work to continue in 2023. Further, Treasury has stated it will progress work on a licensing framework, review innovative organisational structures, look at custody obligations for third party custodians of digital assets and provide additional consumer safeguards.

The Australian Financial Complaints Authority (AFCA) is Australia’s external dispute resolution scheme that assists consumers and small businesses to resolve complaints with financial firms. Most financial firms are required to have a dispute resolution system that consists of:

• an internal dispute resolution (IDR) procedure which complies with ASIC’s requirements; and
• be a member of AFCA.

Membership to AFCA is open to any entity that is required under Commonwealth legislation or Instruments to be a member of an external dispute resolution (EDR) scheme. Additionally, entities in the financial services and superannuation industries and other related industries may elect to join AFCA even if they do not have a requirement to do so.

AFCA generally determines complaints relating to:

• Credit, finance and loans;
• Insurance;
• Banking deposits and payments;
• Investments and financial advice; and
• Superannuation.

AFCA may provide several types of remedies including awarding compensation for loss suffered by the customer. The AFCA Rules set out who is eligible to make a complaint to AFCA and what kinds of complaints it can deal with, however, if both the consumer and financial firm consent, AFCA may be able to hear complaints that are outside of its jurisdiction. For most superannuation complaints, AFCA’s determination is binding immediately on the making of the determination, and if the determination is to vary or substitute a trustee decision, unless otherwise ordered by AFCA, the determination comes into effect from the day the original decision was in effect. AFCA’s decisions for non-superannuation complaints are binding if the consumer accepts AFCA’s decision, and if a compensation cap applies, the consumer waives the excess of their claim.

AFCA itself is subject to several obligations. For instance, AFCA is required to refer and report contraventions to appropriate authorities, including reporting serious contraventions to ASIC. Similarly, AFCA is also required to refer possible systemic issues which it has identified as arising from complaints made under the scheme to one or more of the regulators.

Financial Sector (Collection of Data) Act

Under the Financial Sector (Collection of Data) Act 2001 (Cth) (FSCODA), an entity which is a foreign corporation, a trading corporation formed in Australia, or a financial corporation (but not an ADI) and carries on business in Australia and has assets from the provision of finance which exceeds AUD $50 million must register with APRA.

A registered entity has an obligation to report monthly and quarterly to APRA. Reporting obligations include relevant assets of related companies (whether or not they are themselves registered), which would not otherwise be reported. In practice, APRA usually only requires quarterly reporting once the assets of a registered entity from the provision of finance exceed AUD $250 million.

The purpose of FSCODA is to enable APRA to collect data about the level of indebtedness in Australia. This informs monetary policy set by the RBA and enables the Australian Bureau of Statistics to publish accurate information about Australia's indebtedness, for the purposes of ensuring transparency within the market for the benefit of investors.

Since early 2018, under the Banking Act, APRA has possessed the power to impose prudential standards on entities that are registered financial corporations under FSCODA. To date, APRA has not exercised this power.

Anti-Money Laundering and Counter-Terrorism Financing Act

An entity providing financial services may be providing a 'designated service' for the purposes of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act). The AML/CTF Act was introduced to meet Australia's international treaty obligations established by the Financial Action Task Force (FATF). Its broader objectives include detecting, deterring and disrupting money-laundering and terrorism financing (ML/TF) activity and other serious financial crime.

If an entity provides designated services for the purposes of the AML/CTF Act and meets a ‘geographical link’ test, it will be considered a 'reporting entity' and become subject to regulation by AUSTRAC. If an entity is subject to the AML/CTF Act, it must:

• enrol with AUSTRAC or where money remittance is being conducted or a digital currency exchange operated, be registered with AUSTRAC;
• carry out an assessment of the ML/TF risks in its business having regard to matters such as customer profile, jurisdictions in which the financial service as offered, the products sold, and the channels though which they are sold;
• establish, maintain and adhere to an effective AML/CTF program which is approved and overseen at board level and is designed to identify, mitigate and manage those ML/TF risks by reference to a range of prescribed matters; and
• adhere to various obligations including in relation to:
  • initial, ongoing and enhanced customer identification and verification;
  • monitoring transactions to detect unusual activity that may be suggestive of ML/TF activity or other financial crime;
  • reporting certain matters to AUSTRAC (including certain suspicious activity, threshold cash and e-currency transactions, international transfers and annual compliance reports); and
  • additional due diligence regarding customers, employees and some third parties.

AUSTRAC is an active regulator and the legislation at present prescribes a maximum civil penalty of AUD $22.2 million for each breach of the AML/CTF Act.

The AML/CTF Act currently applies to digital currency exchange providers if they have a geographical link to Australia, and therefore captures crypto asset secondary service providers who meet the definition of digital currency exchange providers.

Financial Transaction Reports Act

The Financial Transaction Reports Act 1988 (Cth) (FTR Act) operates alongside the AML/CTF Act and imposes a number of obligations on cash dealers, including an obligation to report suspect transactions, cash transactions of AUD $10,000 or more or the foreign currency equivalent, and international funds transfer instructions to AUSTRAC. For these purposes a cash dealer is widely defined and is not limited to parties which are in fact dealing with currency. For example, any AFSL holder is a cash dealer. It also requires the verification of the identity of persons who are signatories to accounts, and prohibits accounts being opened or operated in a false name. However, because the obligations specified in the FTR Act have largely been replaced by obligations under the AML/CTF Act, the FTR Act now mostly only affects solicitors, and motor vehicle dealers who act as insurers or insurance intermediaries.