Financial Services Updates
04 July 2024
The Australian Securities and Investments Commission (ASIC) has released Info Sheet 283, which provides guidance on supervising business communications of market intermediaries and their representatives to ensure compliance with obligations under the Corporations Act and Market Integrity Rules.
Record keeping of communications and effective monitoring of those records has been an important global theme. In addition to the work by ASIC in this space, US regulators have imposed significant fines on banks for off channel unrecorded communications such as WhatsApp and the UK FCA has repeatedly raised this as an issue in their Market Watch briefings.
ASIC often follows up info sheets with additional thematic reviews and enforcement actions and it is important that market intermediaries consider their risk appetite for supervisory arrangements, and specifically review their recording and monitoring of off-channel communications as a result of this Information Sheet.
ASIC expects market intermediaries to have robust systems and processes in place to effectively supervise their business communications of their representatives. This includes (i) appropriate recording and (ii) monitoring of those records to prevent and detect misconduct such as market abuse, misuse of confidential information nor other compliance issues like privacy of client information or third parties communicating with employees for non-business purposes. Non-business communications which are collected as part of this will likely attract obligations under the Privacy Act.
Market intermediaries must ensure that all business communications are recorded and retained in accordance with regulatory requirements. The use of WhatsApp and other similar communication channels have been a target of regulators around the globe. We recommend that market intermediaries take steps to ensure all communications are going through recorded channels. Licensees should identify and assess risks associated with business communications and tailor their supervision accordingly and within their risk appetite.
Communication channels such as WhatsApp can be valid and effective methods of communication. However, ensuring that they are appropriately recorded is crucial. If it is not possible for this to occur then these channels should not be used.
What communication channels do we use today? |
How are those communication channels being recorded and for how long? Is this sufficient? |
What constitutes "business communications"? How can we demonstrate data has been defined as being in or out of scope? |
Do we have mechanisms to prevent other applications being installed? How does this work with a 'bring your own device' policy? |
How would I know that someone is using unauthorised communications channels? What disciplinary action is available to me, and should I take, if they are? |
Market intermediaries should implement regular monitoring and review processes to detect and address any non-compliant communications promptly. Monitoring communications is seen by ASIC as crucial to detect and prevent market abuse, inappropriate disclosure of confidential information or other breaches.
In our experience ASIC notices for internal and external correspondence often identifies emails and correspondence that evidences issues or breaches unrelated to an investigation and creates new potential regulatory enforcement action.
What technological solutions are available to monitor communications? |
Is anyone using existing solutions to monitor communications? Are our alert parameters appropriately calibrated and regularly reviewed, or do we need to invest further? |
What are the key risks in our business that we might detect? Are these logged in our risk register? |
Have we conducted a risk assessment of the use case? Does this include privacy considerations? |
Do we have appropriate controls in place to detect issues and incidents? |
What incidents and misconduct have we detected that we could show to ASIC if asked? Are these logged in incident registers, and reportable situations notified to ASIC if required? |
If ASIC asked for particular communications would be able to easily extract these? |
Market intermediaries should develop clear policies and procedures that define acceptable communication practices and outline the consequences of non-compliance. Market intermediaries should keep policies and procedures up to date with the changing regulatory landscapes and technological advancements.
Have our policies kept up to date with the changes in communication channels? |
Market intermediaries should provide ongoing training to employees to ensure they understand their obligations and the importance of compliant communications through authorised channels.
Are staff aware of their obligations and the potential penalties for using unauthorised communication channels? Are they completing mandatory training, and is this logged in our training register? |
Is training on this regularly updated and relevant to the communication channels we use? |
The challenge for businesses now is that there are multiple ways in which employees are communicating. In some cases they are using employer issued devices and in others they use their own. They may have a laptop, a desk phone, a mobile and a tablet. Each device creates new potential risks of unauthorised and unrecorded communication. In particular, where systems are clunky employees may decide to use different communication methods for ease of communication. Ensuring that your policies and procedures comply with your employment law obligations, the terms of any employment contracts and data protection and privacy rules in this context will become increasingly important.
Remote and hybrid working also makes this more challenging to detect communication on unauthorised services.
In some ways the Australian regulatory system is more challenging than some other jurisdictions. For instance the UK and EU have specific rules on telephone conversations and electronic recording detailing exactly what needs to be recorded and for how long.
Despite this we expect ASIC will rapidly lose patience with market intermediaries who do not properly record or monitor those communications. ASIC has already slated a focus on reviews of supervisory controls for remote working arrangements in compliance with the market integrity rules on technological and operational resilience, and unauthorised communications may be another angle it considers in this context.
Not covered in the ASIC brief but of crucial importance to market intermediaries will be ensuring that your practices, procedures, and systems also comply with your Privacy Act.
The Privacy Act regulates the collection of Personal Information in Australia, including under Info Sheet 283. Personal Information which exists in "business communications" may be exempt from the Privacy Act. Personal Information which is collected but not contained in "business communications" will likely attract Privacy Act obligations. These obligations will require you to undertake a risk assessment and be able to identify and destroy Personal Information which is contained in the "non-business communications" you have also collected.
What is our definitions of business and non-business communications? |
How will we identify the difference between the two definitions above in data we are collecting and storing? |
Have we completed a Privacy Impact Assessment (PIA) on the solution for Info Sheet 283? Does this include legal advice on the application of the Privacy Act to this use case? |
Are the controls identified in the PIA implemented for the Info Sheet 283 procedures? |
Can we demonstrate to the OAIC that we have fulfilled our Privacy Act obligations relating to the collection of this data? |
Author: Greg Patton, Senior Associate.
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.