Regulatory Update July 2022

• Cybersecurity
• Financial Product Advice (General vs Personal)
• Marketing Financial Products
• Greenwashing

CYBERSECURITY

AFSL holders and their ARs are legally obligated to have adequate risk management systems, and this obligation includes having adequate cybersecurity systems. Given the increasing role of technology in the workplace, cyber risk is an expanding area of regulatory focus for ASIC.

Although there is no official Regulatory Guide, ASIC has provided information to improve firms’ cyber resilience, including a basic good practices guide, key questions to consider, and further resources. In general, it is important to take advice from experts on baseline standards of cybersecurity in the context of the size/scale of firm operations.

There is a regulatory expectation that appropriate frameworks, policies, and controls (i.e., a ‘cyber strategy’) are in place to ensure cyber resilience and manage cybersecurity risks. Such management requires ongoing assessment of potential cyber risks and the cyber strategy’s effectiveness in protecting against these risks. Reading through ASIC’s good practices and key questions for boards to consider is a useful way to assess cyber resilience. Another resource for self-assessment is ASIC’s health check report. The Australian Cyber Security Centre’s ‘Essential Eight’ strategies to mitigate cybersecurity incidents provide effective baseline requirements to follow for protection against targeted attacks. A cyber strategy can be assessed against these and categorised into one of three maturity (robustness) levels. Again, it is important to consult thirdparty experts with extensive cybersecurity knowledge, and not rely on social or commercial norms when developing and updating a cyber strategy. Furthermore, training and upskilling employees to understand the cyber strategy is necessary to meet the obligation of having adequate human resources.

The May 2022 case of ASIC v RI Advice is the first of its kind in Australia and echoes the importance of actively managing cybersecurity risks in the financial products/ services landscape. After nine cyber security incidents between 2014 and 2020 across its ARs, RI Advice was found to have breached its obligation as a licensee to act efficiently and fairly by failing to have adequate cyber risk management systems and procedures in place. For ARs operating in this increasingly hostile cyber environment and handling the sensitive financial information of wholesale investors, it is sensible to view the case of ASIC v RI as a cautionary example of poor cybersecurity practices, and to develop and regularly update a robust cyber strategy that is grounded in expert advice.

FINANCIAL PRODUCT ADVICE (GENERAL VS PERSONAL)

If an AR is only licensed to provide ‘general’ financial advice, it is important to distinguish between what ASIC considers as general vs. personal advice, so as not to unintentionally provide recipients with the latter.

‘Personal’ financial product advice is that which is provided having considered one or more of the recipient’s objectives, financial situation and needs (or where a reasonable person might expect the provider to have considered one or more of these matters). In other words, it is financial product advice that is tailored to a person’s circumstances. ‘General’ advice is financial product advice that is not personal advice. As such, when giving general advice, it is important to ensure that the recipient is aware the advice is ‘general’ in nature and is not accounting for their personal circumstances.

ASIC has issued guidance in the form of a Regulatory Guide (RG 244), which can be found here.

A recent ASIC enforcement in this area was the $10.5 million fining of Westpac subsidiaries in August 2021 for providing non-compliant personal advice. Enforcements of this kind highlight the fact that including a general advice disclaimer on any communications where financial product advice is provided, though necessary, will not prevent a court from determining that personal advice has been provided.

MARKETING FINANCIAL PRODUCTS

ASIC has been carefully monitoring the marketing of managed fund performance and risks, as per their announcement in late March, working to identify potentially misleading or deceptive representations. It is therefore particularly important for fund managers to take a considered approach when creating and disseminating promotional material. A good starting point is to ensure that the material is compliant with the relevant Regulatory Guide released by ASIC (RG 234), which can be found here. “Table 1”, beginning on page 7 of the Guide, is a handy overview of the guidelines for reference.

Recent ASIC enforcements have scrutinised inaccurate comparisons with other financial products or benchmarks, as well as the misuse of common words or phrases, in describing a product’s financial performance or risk level. In November 2020, ASIC placed a stop order on advertisements for Skyring’s Fixed Income Fund after representations were made that investing in the fund was of a similar risk level to bank-issued deposit products, which was found to be an inaccurate comparison. More recently, La Trobe was fined $750,000 for using the word ‘stable’ in various advertisements when describing the risk of investing in their Australian Credit Fund, with the Court finding that the word implied no risk of substantial losses (which was not the case).

A consequential recent ASIC enforcement is the case brought against Mayfair 101 Group in December 2021 – fined $30 Million after several subsidiaries were found to have made false or misleading representations in promoting Mayfair’s Fixed Income Notes. These representations included falsely comparing the risk profile of the Notes to bank term deposits, as well as the wrongful use of general words like ‘certainty’ and ‘confidence’. Notably, Mayfair was also found to have implicitly made the false comparison to bank term deposits by submitting keywords to Google so websites advertising its products appeared as sponsored links when searching for ‘bank term deposits’ and ‘best term deposits’. This is consistent with the notion that any medium of any form where a financial product or service is promoted, from information memoranda to sponsored search engine links, can be seen as marketing of the product.

GREENWASHING

A significant factor to consider when making representations in marketing material is that of potential ‘Greenwashing’. In June, ASIC released a detailed Information Sheet, revealing an increased regulatory focus on the offering or promoting of sustainability related products. The Sheet provides self-assessment guidance to avoid engaging in ‘Greenwashing’. ASIC defines ‘Greenwashing’ as “the practice of misrepresenting the extent to which a financial product or investment strategy is environmentally friendly, sustainable, or ethical”, and considers a sustainability-related (SR) financial product as that “where the issuer has incorporated [SR] considerations – such as ESG matters – into its investment strategies and decision making.”

The current regulatory setting for communications about SR products falls under existing prohibitions against misleading or deceptive statements and conduct when promoting or offering financial products. Risk of breaching these prohibitions arises when representations are made about future sustainability-related matters that are not supported with reasonable grounds. To avoid misleading or deceptive practices, ASIC poses several questions designed to facilitate: 1) Truth in promotion (clear labels and defining sustainability-related terminology), and 2) Clarity in communication (providing clear explanations of how sustainability-related considerations are factored into investment strategies). These questions are summarised below:

Is the product ‘true to label’ (i.e., does the product name align with the underlying assets)?:
+ Given the lack of standardised labelling for SR products, product labels should not mislead. Try to avoid absolute terms.

Has vague terminology been used?:
+ Terms like ‘socially responsible’ and ‘impact investing’ carry different meanings for different people. Where such terms are used, it is important to explain and clarify what is meant by them.

Are headline claims potentially misleading?
+ If communications contain a headline claim about SR matters, the claim itself should not be misleading, and qualifications cannot be used to rectify an \otherwise misleading impression.

Has the way sustainability-related factors are incorporated into investment decisions been explained?
+ For example, stating that a product ‘considers sustainability factors’, without explaining how, is inadequate. It is unlikely to help investors understand the product’s SR investment strategy.

Has the sustainability-related investment screening criteria been explained?
+ Best to avoid broad promotional statements to describe investment screens. Representations should help investors understand the product’s SR investment criteria.

Do you have any influence over the benchmark index? If yes, has the influence been accurately described?
+ If influence over an index is undisclosed, investors may be misled to believe that the issuer has little or no involvement in the development of the product’s underlying investment screens.

If relying on sustainability-related metrics (such as ESG scores) as investment screens, has the way the metrics are used been explained?
+ Maintain clarity so as not to mislead investors; explaining the extent of evaluation using the metrics, the sources of the metrics, the underlying data used to calculate the metrics, and any limitations arising from relying on the metrics.

Are there reasonable grounds for a stated sustainability target? Has the way this target will be measured and achieved been explained?
+ To avoid breaching misleading statement prohibitions, it’s best to clearly explain what the target is, how and when you expect to meet it, how you will measure your progress against it, and any assumptions relied on in setting the target and measuring your progress.

Is it easy for investors to locate and access relevant information?
+ Provide investors with information that is concise and clear enough for investors to understand the SR considerations underpinning the product being offered. This information should be consistent across all mediums.

Overall, ASIC endorses clear and honest representations and explanations where ESG-related factors are considered in making investment decisions and are referenced in promotional materials.