
Top concerns for credit licensees and how to manage them

We have put together a list of some of the most common compliance concerns raised by credit licensees in our Annual Compliance Trends Survey Report and some suggestions on how to manage them.  Although some of these concerns are specific to credit licensees and the credit industry, many of the points are applicable to AFSL holders as well.

Cybersecurity

Cybersecurity is the largest specific compliance risk and concern for licensees. The Court’s finding in the RI Advice case has shown that managing cybersecurity risk needs to be informed by experts and the recent ASIC filing against HSBC shows that the regulator has high expectations in relation to cybersecurity.  While these cases involve AFS licensees, it is likely that ASIC and the Courts will expect similar standards of credit licensees.  This is because the same obligations regarding risk management and efficiency, honesty and fairness, apply to both sets of licensees.

Only 60 per cent of survey respondents have a dedicated cyber policy so there seems to be plenty of room for improvement in how credit licensees plan for and manage cyber incidents.  With outsourcing identified as a high-risk area for credit licensees, your policy should include how to manage the risk posed by the exchange of data with third party service providers, with regular review of contracts and performance.

Breach reporting

While credit licensees told us that they are reporting breaches more frequently, ASIC has repeated its concerns on the lack of reporting: only three per cent of credit licensees reported in FY2024, which is down from the four per cent reporting in FY2023.[1]  The reportable situation regime is still reasonably new to credit licensees.  See our breach reporting tool (available to HN Hub subscribers only) for help with determining whether or not a breach is reportable.  Remember that the obligation extends to obligations under the product design and distribution regime.

Risk management

Credit licensees told us that more than one in five of them do not have a compliance committee, and for those that do, most have a committee which meets quarterly.  Appointing a compliance committee, or at least a compliance manager, centralises the management of compliance with your general obligations under section 47 of the National Consumer Credit Protection Act 2009 and those arising under other Acts.

Quarterly meetings allow regular review, assessment and remediation of compliance issues, though you will need processes that allow for faster assessment of potential reportable situations given the strict timelines for reporting breaches.  Keeping good records of matters before the committee is an excellent way to document compliance matters and inform the maintenance of compliant policies and procedures.

Product design and distribution

According to survey responses over the last two years, review periods for Target Market Determinations under the product design and distribution obligations are trending longer. This is despite the regulator’s increasing enforcement focus on licensees ensuring that their TMDs are regularly reviewed and updated as needed.  Of the recent case ASIC filed against Swoosh, ASIC Deputy Chair Sarah Court has stated: “ASIC will continue to take action against entities that do not comply with their design and distribution obligations. Publishing a target market distribution is not an isolated task: it must be reviewed and updated where there are circumstances indicating that the target market is no longer appropriate”.

Complaints

With the first ASIC IDR data publication in December last year indicating that 22 per cent of complaints related to credit products, credit licensee concerns about complaints are warranted.  This is especially so where a significant minority of licensees still require complaints to be in writing, despite regulators noting that complaints should also be accepted if made orally.

ASIC is concerned that the data reported to it may not fully reflect the complaints received and warns that the ongoing analysis of the data will inform its other regulatory activities.  While the identification and tracking of complaints will assist with your reporting obligations, it also assists with the management of complaints, including in circumstances where credit licensees tell us they consider the experience of the representative (40 per cent), and previous review outcomes (40 per cent), when considering whether to conduct a review of a representative.  See HN Hub for our ‘Guide to IDR Reporting (ACL)’ (available to subscribers).

AI

In response to our new question in the 2024 survey, credit licensees told us that they are using AI but that most of them do not find it useful to manage compliance.  This is consistent with a recent market review conducted by ASIC on the use and adoption of AI, which found that the use of AI is currently relatively cautious.  ASIC also found, however, that nearly half of licensees using AI did not have policies in place for its use.  Given that AI is a tool that is not going away and can offer business efficiencies, consider its use and when doing so, ensure you have appropriate policies in place to govern its use in relation to privacy, disclosure, fairness, bias, and cybersecurity. See the guidance issued recently by the OAIC on the use of AI, which includes addressing privacy risks.

Training representatives

Developing and maintaining the competence of staff is a key compliance concern for licensees.  Providing regular and ongoing training in areas specific to staff roles, including as required for Responsible Managers, but also in areas of concern identified by the regulator, will assist in maintaining the competence of all staff to engage in your licensed activities.  Issue specific training in relation to key risk areas such as misleading and deceptive conduct in the context of greenwashing.  This, along with training on the basics of credit regulation and the consumer credit legislative regime, will increase organisational understanding of the legislative requirements for licensees.  Ensure that training plans are regularly reviewed, training registers are kept up-to-date, and that these responsibilities are managed by a nominated staff member.

For more information about Holley Nethercote’s compliance resources for credit licensees, refer to our HN Hub – Running an ACL: Compliance Manual, available to HN Hub subscribers.


Author: Samantha Hills (Partner)

[1] See ASIC, REP 800 Insights from the reportable situations regime: July 2023 to June 2024, published October 2024, page 9