Published by the Australian Financial Markets Association in the AFMA Member News, July 2016.

ASIC's Market Supervision team has identified key regulatory priorities for the year ahead. We encourage you to consider these when reviewing your firm's risk management framework and focus your compliance, supervisory and risk management efforts to ensure compliance with ASIC's regulatory requirements.

The Market Integrity Group within ASIC has been restructured with our Investment Banks and Market and Participant Supervision teams merged to create a new Market Supervision team. For stakeholders this provides a more integrated arrangement when dealing with ASIC. Dedicated relationship managers will engage with stakeholders on a broader range of issues, and reviews of firms will include market participants and investment banks. We expect this will result in better stakeholder engagement, efficiency and regulatory outcomes.

Our key regulatory priorities for 2016-17 are:

• cyber resilience and technology disruption
• firm culture and conduct, and
• handling of confidential information and managing conflicts of interest in research and corporate advisory.

ASIC has prioritised these three existing and emerging risks because, if not properly addressed, they could adversely affect market integrity and investor confidence.

Regulatory Priority 1: Cyber resilience and technology disruption

Cyber threats have become a key global risk to business and financial market stability. ASIC is actively encouraging entities to improve cyber resilience practices. The overall stability of the financial market ecosystem may only be as strong as the weakest link.

Reading Report 429 Cyber resilience Health check, released in 2015, can help entities improve cyber resilience by:

• increasing awareness of the risks
• encouraging collaboration between industry and government
• providing health check prompts to help businesses consider their cyber resilience, and
• identifying how cyber risks should be addressed in the regulatory context – including considering board oversight of cyber risks.

Read Report 468 Cyber resilience assessment report: ASX Group and Chi-X Australia Pty Ltd to:

• learn some good practices for cyber resilience in investment banks, and
• identify key questions that directors and board members should ask executives.

ASIC will continue to provide cyber self-assessment questionnaires to selected groups of market participants each quarter and conduct cyber resilience health checks with participants. We will provide information back on common areas for improvement. 

Regulatory Priority 2: Firm culture and conduct

ASIC defines culture as a set of shared values and assumptions within an organisation. It represents the 'unwritten rules' for how things really work.  We want culture and conduct risk to be ‘front of mind’, so stakeholders make changes that lift standards, and disrupt and address problems early.

To address cultural and conduct related issues it is imperative that firms focus first and foremost on setting the right tone from the top.  It is also important to:

• cascade cultural values to the rest of the organisation;
• translate values into actual business practices; and
• ensure take-up through:
  • staff accountability;
  • effective communication and challenge;
  • recruitment, training and rewards; and
  • governance and controls.

This year we will be introducing more cultural indicators into our risk-based surveillances. We will be stepping up our approach and where we think there may be a problem, look more closely, to uncover problems and address them.

We are undertaking a suite of work in respect of culture and conduct in the markets area. In particular, we are reviewing attitudes to conduct risk, sound remuneration policies, management of confidential information and conflicts of interest, and supervisory frameworks and risk management. 

Regulatory Priority 3: Handling of confidential information and managing conflicts of interest in research and corporate advisory

The leakage of confidential, material price-sensitive information about a listed entity harms investor confidence and increases the risk of insider trading. This has been an ongoing area of focus for ASIC, with the publication of Report 393 Handling of confidential information: Briefings and unannounced corporate transactions back in 2014.

Through firm reviews we have identified a number of risk areas relating to how firms treat confidential information and conflicts of interest in sell-side research and corporate advisory. Further detail on our findings will be published shortly.

Regular review of controls (including policies, procedures, training and monitoring) will assist in ensuring you are appropriately managing risks.

Additional areas of focus

Ensure client money is appropriately handled

Over 2015–16 we conducted several reviews on how market participants meet their obligations for client money in the Corporations Act 2001 and ASIC market integrity rules. We identified some examples of inappropriate use of client monies and inadequate procedures. We intend to continue these reviews over 2016–17.

 Ensure financial stability and capital review

We continue to see structural shifts emerge throughout the industry, with a number of firms undertaking steps to recapitalise or restructure their organisations.

Over the past year, we have had reason to question the accounting behind capital calculations for a number of participants as part of our review of their financial strength. This work is ongoing.

Ensure supervisory frameworks, risk management and controls are in place

Given the market environment and search for revenue-generating business lines, firms taking on increased risks need to make sure the appropriate supervisory, risk management and compliance controls are in place.

In particular, we will be assessing whether firms are adequately resourced from a human, technological and financial perspective. We will also consider how conflicts of interest are managed across a range of business lines, including financial advice, research, corporate advisory, sales and trading. This theme links in with our ongoing work on culture and conduct.

Ensure appropriate product distribution for retail over the counter (OTC) derivatives and complex products

We have achieved a large number of regulatory outcomes on retail OTC derivatives and this work will continue in 2016-17. We will also be broadening our focus to include distribution of complex products including hybrids.

Report suspicious activities

Our supervision of market participants’ trade monitoring and surveillance practices will continue. In particular, we want participants to meet their suspicious activity reporting (SAR) obligations.  Where our systems identify suspicious market activity and the market participant has not lodged a (SAR), we will seek to understand the process that led to this decision.

ASIC published a letter setting out its market supervision regulatory priorities for 2016–17 on 27 July 2016. Read the full letter.