As Australian financial services (AFS) licensees continue to work through the implications of the recent Federal Court decision respect to cybersecurity deficiencies and breaches of the general obligations under the Corporations Act 2001 (Cth), ASIC has again recently reiterated its willingness to pursue contraventions of the broad standards prescribed in section 912A of the Corporations Act by commencing proceedings against wholesale licensee, Lanterne Fund Service Ltd.
ASIC alleges that Lanterne failed to, amongst other things, maintain adequate risk management systems and resources to carry out its supervisory arrangements over its corporate authorised representatives (CARs) and authorised representatives (ARs) that operated under its AFSL.
While ASIC's recent proceedings focus on contraventions of the general obligations under the Corporations Act from a cybersecurity and CAR and AR risk management perspective, there are certainly lessons for AFS licensees more generally, which are also relevant for Australian credit licensees. This recent activity confirms ASIC's current focus on compliance with AFSL obligations, with particular regard to an AFS licensee's obligation to have adequate risk management systems. And it seems that this could simply mark the beginning, with ASIC casting a wider net in its future compliance and enforcement activities. As noted by ASIC Deputy Chair, Sarah Court:
"ASIC expects all wholesale licensees to reduce risk by ensuring their businesses develop, implement and maintain robust risk and compliance procedures. As… [the proceedings against Lanterne] demonstrate, when ASIC sees a business it considers to have deficient risk management processes, we will look to take action."
Lanterne conducted a business of authorising other financial services providers to operate as CARs or ARs under its AFSL from 13 March 2019 to 5 October 2021. During this period, Mr Peter Cozens was Lanterne's only full time employee, its sole director and responsible manager (noting that Lanterne had a second responsible manager who had no direct involvement in the business for part of this period).
A variety of businesses operated under Lanterne's AFSL, including venture capital funds, managed investment schemes and wholesale management services, spanning across various industries such as renewable energy, technology, healthcare, real estate, biotechnology, and agriculture.
While Lanterne did not provide financial services directly to clients, the total funds under management of all CARs equated to approximately $1.65 billion by October 2021. Lanterne charged each CAR an upfront fee of $5,000 to become authorised under its AFSL and ongoing fees of $3,000 per month. However, ASIC has alleged that Lanterne failed to apply these fees to ensure the financial services provided under its AFSL were provided in accordance with the general obligations set out in the Corporations Act.
ASIC's case against Lanterne
A summary of ASIC's allegations against Lanterne and compliance expectations on AFS licensees in respect of the general obligations is outlined below.
AFS licensees must have adequate risk management systems
AFS licensees should have risk management systems that are supplemented by risk management tools to assist with identifying and evaluating risks faced by its business, including the risks of non-compliance with financial services laws and the risks relating to its CARs and ARs. Such risk management systems should include a documented risk management framework (which includes risk management tools such as a risk matrix, incident management process and compliance management system), which describes how the AFS licensee manages and mitigates identified risks, and how regularly the risk management system should be reviewed (internally and externally) and updated.
ASIC has alleged that Lanterne contravened its obligation to have adequate risk management systems in place based on its failure to engage internal or external personnel with risk management expertise, its failure to have an adequate compliance management system which had regard to the nature, scale and complexity of its business and its failure to implement an adequate risk management system with basic risk management tools that:
- identified and assessed the risks faced by its business and its CARs and ARs;
- documented and identified or assessed risks;
- managed or mitigated risks, including the failure to have incident management processes in place; and
- provided independent oversight or monitoring of its risk management systems.
Instead, Lanterne relied on:
- an outdated Compliance Manual that omitted regulatory and compliance obligations of its CARs, ARs and itself as an AFS licensee; and
- its initial due diligence of the directors of potential CARs and monthly compliance self-assessments by the CARs to monitor and identify risks associated with the CARs and ARs.
Maintain competence to provide financial services
To maintain competence to provide financial services, AFS licensees should have sufficient responsible managers that are appropriately qualified in the financial services offered by its CARs and ARs across the industries and business in which they operate. An AFS licensee should have documented and implemented processes for assessing its responsible managers to ensure they are appropriately qualified and have sufficient time to effectively conduct their roles.
In its Concise Statement, ASIC notes that Lanterne failed to have:
- any processes to ensure it had appropriate qualified responsible managers;
- responsible managers with sufficient time to effectively conduct their roles; and
- a sufficient number of appropriately experienced responsible managers for the businesses operated by Lanterne and its CARs.
AFS licensees have a duty to ensure its representatives are adequately trained and competent to provide the financial services. To do so, AFS licensees should have available internal or external training and competency programs, which clearly document the skills and competencies required by its ARs to provide the authorised financial services. Each AR should be assessed against relevant skills and competencies matrixes to ensure those skills and competencies are maintained and up-to-date.
AFS licensees should also maintain training records to assess the effectiveness of the training on an annual basis.
ASIC claims that Lanterne relied solely on the unaudited monthly self-assessment compliance reports provided by its ARs to satisfy itself that its ARs had undertaken training. As such, Lanterne failed to assess the skills and competency requirements of representatives of its CARs or ARs.
Lanterne also failed to provide any training, professional development or other instructional programs for its CARs and ARs.
Reasonable steps to ensure representatives comply with financial services laws
ASIC expects AFS licensees to have effective and documented processes to:
- conduct background checks and due diligence investigations of representatives of its prospective CARs and ARs;
- provide clear guidance and instructions to its CARs and ARs about their compliance with financial services laws;
- ensure effective supervisory systems are in place to conduct regular reviews of its appointed ARs to ensure they remain appropriate; and
- monitor and supervise CARs and ARs through a program of reviews and audits following a prescribed methodology (with the frequency of such audits depending upon the risk assessment of each CAR and AR, with higher risk CARs and ARs being reviewed and audited more frequently);
- ensure negative audit findings, events and breaches are reported and addressed accordingly.
ASIC also expects the board of directors or an independent party to monitor and supervise management and responsible managers of AFS licensees.
ASIC has alleged that Lanterne failed to implement reasonable steps to ensure its representatives comply with financial services law. Specifically, ASIC has noted that Lanterne failed to implement:
- documented and robust due diligence processes for prospective CARs and ARs;
- monitoring and audit processes on its CARs, ARs, employees and responsible managers; and
- failed to ensure ARs remained appropriate.
ASIC expects AFS licensees to have adequate resources and documented processes in place covering its basic functions of:
- risk and compliance – to supervise and monitor its representatives;
- IT – to ensure appropriate assessments and plans are designed, implemented and regularly updated (e.g. cyber security assessment, disaster recovery plans, acquisition and installation of appropriate hardware and software);
- financial management – to implement appropriate processes to ensure solvency and positive net assets test, cash needs requirements and audit requirements are met; and
- human resources – to implement documented performance management systems, staff training and development programs and plans to deal with the loss of key personnel.
Lanterne has allegedly failed to have available and maintain adequate resources and documented processes, including a failure to have:
- any adequately trained and skilled compliance and risk management personnel;
- any human resources capability;
- adequate IT capability including a failure to implement any IT-related plans (eg. cyber security and disaster recovery);
- adequate financial management capability having regard to the nature and scale of its business; or
considered and assessed the financial resources it required to provide the financial services covered by its AFSL and carry out supervisory arrangements.
Provide financial services efficiently, honestly and fairly
In ASIC RG 104: AFS licensing: Meeting the general obligations, ASIC broadly notes that an AFS licensee is required to do all things necessary to ensure that financial services are provided so as to meet all of the elements of "efficiently, honestly and fairly".
The obligation to provide financial services efficiently, honestly and fairly is also a standalone obligation that operates separately from the other general obligations outlined in section 912A of the Corporations Act.
ASIC relevantly provides that a breach may still amount to a failure to provide financial services efficiently, honestly and fairly even where contravention of the other general obligations under section 912A of the Corporations Act does not arise.
ASIC has formed the view that Lanterne has failed to provide financial services efficiently, honestly and fairly by virtue of its failures to comply with the general obligations outlined above.
Given Lanterne's alleged failures, ASIC is seeking the following:
- a declaration from that Court that Lanterne contravened the obligations mentioned above;
- orders that Lanterne engage an independent expert to review and report on Lanterne's systems, processes and controls, establish a risk management and compliance program as well as implement any relevant recommendations arising from the expert's compliance report; and
- orders that Lanterne pay a pecuniary penalty determined by the Court (as well as the costs of the independent expert and ASIC's costs of and incidental to the proceeding).
The action against Lanterne is a good reminder for all AFS licensees and even Australian credit licensees that compliance with the obligations under section 912A of the Corporations Act (and section 47 of the National Consumer Credit Protection Act 2009 (Cth) for Australian credit licensees), should not be considered a one-size-fits-all and “set and forget” proposition. Instead, compliance with these obligations needs to be considered in the context of nature, scale and complexity of a licensee's business, and requires ongoing review and change as the business and the surrounding circumstances and risks facing the business change.