This year ASIC has increased its focus on ensuring that Australian financial services licensees are compliant with their general obligations under the Corporations Act 2001 (Cth). How can you ensure compliance and avoid being ASIC's next target?

ASIC has ramped up its pursuit of non-complying Australian financial services (AFS) licensees, with its latest target being a "licensee for hire" business, Lanterne Fund Services Pty Limited (Lanterne).

On 6 July 2022, ASIC commenced civil proceedings against Lanterne in the Federal Court of Australia for Lanterne's breach of its general obligations under the Corporations Act 2001 (Cth) (Corporations Act). Among other claims, ASIC asserts that Lanterne failed to have adequate risk management systems and failed to have adequate and competent resources, with regard to the oversight of its authorised representatives (ARs) and corporate authorised representatives (CARs) that operate under its AFS licence.

ASIC's action against Lanterne follows its proceedings against another AFS licensee, RI Advice Group Pty Limited (RI Advice) earlier this year. On 5 May 2022, the Federal Court of Australia found that RI Advice had breached its general obligations under the Corporations Act (including its failure to have adequate risk management systems) as a result of cybersecurity attacks across its AR networks.1 ASIC is seeking largely the same orders against Lanterne, as it did against RI Advice.

Both cases highlight ASIC's increasing scrutiny of AFS licensees' non-compliance with their general obligations, including AFS licensees' oversight across their AR and CAR networks.

This article explores ASIC's expectations of AFS licensees and the lessons learnt in light of ASIC's current action against Lanterne and its successful action against RI Advice.

ASIC's current action against Lanterne

From 13 March 2019 to 5 October 2021, Lanterne did not provide financial services directly to wholesale clients. Lanterne instead ran a "licensee for hire" business, where it authorised other financial service providers to operate under its AFS licence as a CAR or an AR.

Lanterne's CARs spanned a variety of:

  • businesses, including venture capital funds, digital asset funds, and climate change advisory services; and
  • industries, including renewable energy, technology, healthcare, real estate, and biotechnology and agriculture, among other businesses and industries.

ASIC claims that during the relevant period, Lanterne failed the general obligations of an AFS licensee, as listed in the table below. We also list ASIC's expectations of an AFS licensee in regard to the relevant general obligation.

General obligations2 / ASIC's expectations3

1. An AFS licensee must have adequate risk management systems

ASIC claims that Lanterne did not have a risk management framework and basic risk management tools, nor staff with appropriate risk management expertise or any external risk management consultants. Further, Lanterne only relied on its initial due diligence of potential CARs and had its CARs and ARs self-report their compliance to Lanterne. ASIC claims that this is in breach of Lanterne's general obligation to have adequate risk management systems.

ASIC instead suggests that an AFS licensee should, among other expectations, have a risk management system which:

  • identifies and evaluates business risks (including risks relating to its ARs and CARs); and
  • integrates a compliance management system to identify, evaluate, and respond to regulatory risks.

An AFS licensee should also regularly review and update its risk analysis and risk management systems – both internally and through independent oversight.

2. An AFS licensee must have adequate resources available to provide the financial services covered by its AFS licence, and to carry out supervisory arrangements

ASIC claims that Lanterne did not have adequately trained and skilled compliance and risk management personnel (particularly to undertake its CAR and AR audits and reviews), nor any human resources capability, adequate information technology capability, or adequate financial management capability. Further, Lanterne also failed to consider and assess the financial resources it required to provide the financial services covered by its AFS licence and to carry out supervisory arrangements. ASIC claims that this is in breach of Lanterne's general obligation to have adequate resources available to provide the financial services covered by its AFS licence, and to carry out supervisory arrangements.

ASIC instead suggests that an AFS licensee should, among other expectations:

  • have systems and processes to ensure it understands its human resource needs, and implement a plan to fulfil those needs (including regular reviews); and
  • document a technology resourcing plan based on an assessment of its hardware and software needs, as well as undertake a security assessment (including a cybersecurity assessment).

Further, an AFS licensee should develop and implement a response to that assessment and a disaster recovery plan.

3. An AFS licensee must maintain the competence to provide the financial services covered by its AFS licence

ASIC claims that Lanterne did not have responsible managers with sufficient time or expertise to oversee its CARs' businesses nor adequate processes for ensuring that its responsible managers were appropriately qualified. ASIC claims that this is in breach of Lanterne's general obligation to maintain its competence to provide the financial services covered by its AFS licence.

ASIC instead suggests that an AFS licensee should, among other expectations, have sufficient responsible managers with the skills and experience in the financial services offered by its CARs and ARs and across the industries and businesses in which they operate (with sufficient time to effectively conduct their role). Further, an AFS licensee should have a documented and implemented process for assessing its responsible managers, and for ensuring they remain appropriately qualified over the course of its business.

4. An AFS licensee must ensure that its representatives are adequately trained (including by complying with the CPD provisions), and are competent to provide the financial services covered by its AFS licence

ASIC claims that Lanterne did not assess its CARs' and ARs' skills and competencies, nor provide or arrange training, professional development or other instructional programs for them. Further, Lanterne relied only on its ARs' monthly self-assessment compliance reports to satisfy itself that its ARs had undertaken training. ASIC claims that this is in breach of Lanterne's general obligation to ensure that its representatives are adequately trained and are competent to provide the financial services covered by its AFS licence.

ASIC instead suggests that an AFS licensee should, among other expectations:

  • establish training and competency programs and processes which document the required skills and competencies of its ARs (and which assess each AR against the criteria);
  • develop and implement training programs (either in-house or externally); and
  • maintain a record of training, and assess the training's effectiveness at least annually.

5. An AFS licensee must take reasonable steps to ensure that its representatives comply with the financial services laws (with few exceptions)

ASIC claims that Lanterne did not provide its CARs and ARs with clear and practical guidance about the nature, extent, and discharge of their obligations under the financial services laws. ASIC claims that this is in breach of Lanterne's general obligation to take reasonable steps to ensure that its representatives comply with the financial services laws.

ASIC instead suggests that an AFS licensee should, among other expectations:

  • provide its CARs and ARs with clear guidance and instructions about their compliance with the financial services laws;
  • have an effective and documented process for its CAR and AR background checks and due diligence (including ongoing checks); and
  • design and implement an effective system for monitoring and super the AFS licensee's response to negative audits).

6. An AFS licensee must do all things necessary to ensure that the financial services covered by its AFS licence are provided efficiently, honestly and fairly

ASIC claims that Lanterne is in breach of its general obligation to do all things necessary to ensure that the financial services covered by its AFS licence are provided efficiently, honestly and fairly, by virtue of Lanterne breaching its other general obligations (as listed above).

The reference to "efficiently, honestly and fairly" has perplexed the financial services industry since the introduction of the FSR regime in Chapter 7 of the Corporations Act.

From a judicial perspective, various cases have considered the phrase, with the conventional interpretation being affirmed by Justice Beach in ASIC v AGM Markets Pty Ltd (in liquidation) (No 3)4 as follows:

"First, the words "efficiently, honestly and fairly" are to be read as a compendious indication requiring a licensee to go about their duties efficiently having regard to the dictates of honesty and fairness, honestly having regard to the dictates of efficiency and fairness, and fairly having regard to the dictates of efficiency and honesty.

Second, the words "efficiently, honestly and fairly" connote a requirement of competence in providing advice and in complying with relevant statutory obligations. They also connote an element not just of even handedness in dealing with clients but a less readily defined concept of sound ethical values and judgement in matters relevant to a client's affairs. I have emphasised here the notion of connotation rather than denotation to make the obvious point that the boundaries and content of the phrase or its various elements are incapable of clear or exhaustive definition."

Despite the judicial guidance, determining compliance with this general obligation is not always clear, and it will be interesting to see how this aspect of ASIC's claims is treated by the Federal Court.

Orders sought by ASIC

In the present case against Lanterne, ASIC seeks:

  • declarations from the Court that Lanterne contravened its general conditions attaching to its AFS licence;
  • that Lanterne engage an independent expert to review its systems, processes, and controls, and that Lanterne implements the independent expert's recommendations; and
  • that Lanterne pay a pecuniary penalty (to be decided by the Court), as well as the costs of the independent expert, and ASIC's costs incidental to the proceeding.5

The date for Lanterne's first hearing is yet to be scheduled by the Court.

These orders are similar to the orders ASIC successfully sought against RI Advice earlier this year – specifically, the Federal Court:

  • declared that RI Advice was in contravention of two general conditions attaching to its AFS licence;
  • ordered that RI Advice engage with a cybersecurity expert to identify and implement further measures (ie documentation and controls) to adequately manage its cybersecurity risk and cyber resilience across its AR network;
  • ordered that RI Advice pay the costs of the cybersecurity expert, and the costs associated with implementing the further measures; and
  • ordered that RI Advice pay $750,000 towards ASIC's costs.

ASIC's successful action against RI Advice

In an Australian first, RI Advice was found to have failed to manage its cybersecurity risks and cyber resilience, in contravention of an AFS licensee's general obligations under the Corporations Act to:

  • have adequate risk management systems; and
  • provide its financial services honestly, efficiently and fairly.

In this case, a number of RI Advice's ARs experienced cybersecurity incidents (ie ransomware and hacking attacks), where the attackers accessed sensitive client information. Inquiries and reports made on RI Advice's behalf following the incidents revealed the following issues in its ARs' management of cybersecurity risk:

  • computer systems did not have up-to-date antivirus software installed and operating;
  • there was no filtering or quarantining of emails;
  • there were no backup systems in place, or backups were not being performed; and
  • there were poor password practices including the sharing of passwords between employees, use of default passwords, passwords and other security details being held in easily accessible places or being known by third parties.6

The Federal Court of Australia found that these facts were sufficient to give rise to RI Advice's breach of its general obligations as an AFS licensee.

Reportable situations

It is important to note that if you suspect that a reportable situation has arisen with respect to your CARs' or ARs' conduct, it may be reportable to ASIC (in addition to your own reportable situations). For this reason we consider it is prudent to seek legal advice to determine the significance of the reportable situation and whether a report to ASIC is necessary.

Conclusion

ASIC's actions against Lanterne and RI Advice demonstrate that obtaining an AFS licence is the easy part; ensuring that your business has the necessary resources and competence to monitor compliance, assess risks, and review systems, particularly across CAR and AR networks, is the hard part.

Footnotes

1 ASIC v RI Advice Group Pty Ltd [2022] FCA 496 (5 May 2022) (ASIC v RI Advice).

2 Corporations Act 2001 (Cth), ss 912A(1)(a), (ca), (d), (e), (f), and (h).

3 ASIC v Lanterne Fund Services Pty Limited (6 July 2022) VID379/2022 (ASIC v Lanterne), Concise Statement, at [C].

4 ASIC v AGM Markets Pty Ltd (in liquidation) (No 3) [2020] FCA 208 (26 February 2020), at [506]-[507].

5 ASIC v Lanterne, Notice of Filing and Hearing.

6 ASIC v RI Advice, at [17].
