This article was written by Paul Derham (Partner) and Matt Twomey (Robo Advice, Financial Advisory and Commercial Lawyer) of Holley Nethercote Commercial & Financial Services Lawyers.
30 August 2016 marks the release of ASIC’s much-anticipated RG 255: Providing Digital Advice to Retail Clients. Its arrival is somewhat lacklustre because it contains no departure from ASIC’s existing policy direction around key issues like responsible manager competency despite some great ideas being tabled in the earlier consultation paper.
However, there are still 5 key takeouts for all of the digital advice providers out there operating in Australia (many of whom are our existing clients), as well as a few useful ‘heads up’ sections for people thinking about entering the already-congested Australian robo market. We also manage to draw a poignant analogy between the Kardashian sisters and Australian privacy law, so please keep reading.
So, what do you need to do?
For existing robo-businesses, jump straight down to the key takeouts section. For new market entrants, read on:
New market entrants: What do you need to do?
Read the regulatory guide! It steps you through getting a licence 101 and tells you about your key obligations, the difference between personal and general advice, and what organisational competence means to ASIC. You’ll quickly realise that what it means to ASIC is something very different to what it means to the rest of the industry.
As with any financial services business, it is necessary for a digital advice provider to ensure that they have the competence to provide the financial services that they are authorised to provide. This means that although a robot is providing the advice, at least one responsible manager needs practical regulated experience over the last 3+ years, coupled with some relevant qualifications.
Also, keep an eye out for the commencement of ASIC’s regulatory sandbox initiative. It will be helpful to new fintech businesses in the startup phase.
Key Takeout 1: Strengthen your cyber security defences
Did you know, according to ASIC’s Corporate Plan 2016-2017 released on 1 September 2016, cyber security incidents detected in 2015 in Australia increased by 109% over the preceding year, a substantially faster rate than the global average? It’s no surprise that ASIC is placing an increased emphasis on having the appropriate technological resources in place to maintain client records and data integrity, and to protect confidential information. The takeout? Go straight to page 22 of the regulatory guide to see ASIC’s expectations around cyber security frameworks, such as the National Institute of Standards and Technology’s Framework for improving critical infrastructure cybersecurity.
If cyber security is the Kim Kardashian of regulatory themes (she appears all over the internet despite your best intentions to avoid her), then Australian Privacy Principle (APP) 11 – Security of Personal Information – is the equivalent to her lesser known younger-sister Khloé Kardashian. Still an important person in her own right, this APP is often breached in the event of a cybersecurity breach – your systems are compromised and so is your customer’s personal information.
(And just to show how sexy cyber security can be, read the OAIC Report on the Ashley Madison privacy breach for a real life case study of how things can go badly and publicly wrong.)
We suggest that you get your IT team to work through these benchmark standards and ensure your security framework is state-of-the-art, and your client data protection standards meet APP requirements. Also, for all you fintech lovers, here’s some interesting Google Trend Analysis:
Interestingly, the phrase ‘Khloe Kardashian’ is more popular than the phrase ‘FinTech’ when comparing search behaviour over the past 12 years. It is still far less popular, however, than the phrase ‘Kim Kardashian’ as Khloe is the lesser known sister. The same rule applies, sadly, to Australian Privacy Principle 11, despite its importance. Coincidentally, if Kim Kardashian’s details are put into the algorithm, the sheer volume of searches for her literally breaks the algorithm in that FinTech and Khloe’s search results are so small that they are unreadable (and yes, you can record this article as CPD).
Why Your Enterprise’s Finances Rely on Employee TrainingGo to article >>
Key Takeout 2: Test algorithms and advice
One of the key expectations from the regulatory guide is that providers of digital advice will be expected to monitor and test the algorithms which underpin their offering (and maintain evidence of testing). A record should also be kept of the purpose, scope and design of an algorithm.
Similarly, the advice that is provided to clients should be tested regularly and providers should have in place procedures for sampling of the advice provided.
ASIC has stated that the testing should:
- Be conducted by individuals suitability qualified to test compliance with the law;
- Not be a tick the boxes exercise, and involve consideration of all appropriate material (even if this is outside of the digital advice provided);
- Be conducted frequently during the commencement of services and then upon changes to the algorithm.
If the tests which occur identify breaches of the Corporations Act, or are likely to cause loss to clients, providers are expected to take steps to remedy this issue. This may involve:
- Suspending and fixing the algorithm;
- Lodging a breach report;
- Remediating clients who have suffered losses.
Acknowledging the irony of not recommending a tick-box approach, we think a key takeout is to go to page 21 of the RG (at paragraph 255.74) and work through the various testing methods in a similar way that you would work though a checklist.
Key Takeout 3: Check your professional indemnity insurance (PI) exclusions before you’re excluded for cover when you most need it.
Some policies include sneaky or oft-missed clauses that carve out key elements of a digital advice-provider’s business. The takeout: ASIC has helpfully provided 5 considerations on page 23 that you should look at in one hand, with your PI schedule in the other.
Remember also that if you are using an Authorised Representative model, then your licensee will most likely be including you under its PI cover and you will need to talk to them about this.
Key Takeout 4: Benchmark your scoping tools against ASIC’s minimum expectations
It’s no surprise that a contentious element of digital advice is how the robots can comply with the best interests obligations, which include the best interests duty.
Regulatory Guide 255 confirms that it is ASIC’s expectation digital advice providers will comply with the best interests duty, unmodified.
Digital advice providers are also expected to have in place the appropriate mechanisms to ensure that potential customers who are not suitable for the service are “triaged” out.
In particular, it is necessary to have in place systems so that:
- Any customer who asks for advice which is not provided by the algorithm is filtered out;
- Any customer who provides inconsistent answers is filtered out.
Also, providers who provide scaled advice must ensure that they have detailed procedures to:
- Explain what is provided (and what is not provided) by the offering;
- Ensure that the client is aware of the key concepts, risks, benefits and costs associated with the advice;
- Explain what dispute resolution processes are available to the client.
So, the key takeout is to go to page 27 of the RG, and work your way through 9 questions that ASIC poses, to test whether your scaling process meets ASIC’s minimum expectations.
Takeout number 5: Implement an ongoing review process
AFSL holders are required by law to take reasonable steps to ensure that their representatives comply with the financial services laws. You also need to take reasonable steps to ensure that your algorithms behave themselves on an ongoing basis.
ASIC includes 8 paragraphs of commentary on this point on pages 30-31 which should not be ignored. The takeout: Update your existing monitoring and supervision processes in light of ASIC’s commentary.
By actioning the five takeouts in this article you’re five steps closer to keeping yourself out of court and the hands of the regulator. Good luck!