Regulatory Highlights: September 2023

Posted On: 3 November, 2023 Xiaoshu Liu

Welcome to our Regulatory Highlights for September 2023.


Financial Services Highlights


ASIC issues interim stop order on Storehouse Residential Trust (SRT) due to TMD deficiencies


ASIC has issued an interim stop order on SRT, a registered managed investment scheme promoted by K2 Asset Management Ltd (K2), due to deficiencies in its target market determination (TMD). The order prevents K2 from giving a product disclosure statement (PDS) for SRT, providing financial product advice to retail clients recommending SRT, or issuing interests in the scheme.

ASIC’s concerns relate to the breadth of the TMD, the lack of proper consideration of the risks and features of SRT, and the inconsistent information contained in the TMD.


Table 1: TMD Description and Issues


Target Market Determination


Risk profiles

SRT is rated as carrying very high risk.

Investors’ risk profiles included high or medium risks.

SRT as core investment

The target market includes those intending to hold SRT as 25-75% of their portfolios.

SRT is not well diversified and carries a high risk.

Investment objective

The target market potentially includes investors with an objective of capital preservation or income generation.

Capital loss is a material risk, as is the possible lack of regular income distributions by SRT.

Investment horizon

The target market potentially includes investors with an investment horizon of less than two years.

The suggested investment horizon is five years or more.


The target market includes those needing annual redemptions.

SRT is illiquid and the assets held therein are aligned with investment horizons of three to five years. It is not committed to providing redemptions.

Distribution conditions

The TMD states that SRT is only suitable for distribution to investors that have received general financial product advice.

This fails to establish the distribution conditions for direct distributions to investors, or distribution via financial product advice where such distribution is likely to occur.  


ASIC targets DDO breaches by OTC derivatives and other high-risk product providers


ASIC is targeting providers of retail over-the-counter (OTC) derivatives and other high-risk products over their compliance with their design and distribution obligations (DDOs).

ASIC Deputy Chair Karen Chester expressed ASIC’s disappointment at how little these product providers have changed in response to their DDOs.

REP 770 calls for issuers to:

  • Avoid overly relying on questionnaires as a primary distribution filter.
  • Review the mass marketing activities of OTC derivatives.
  • Rely more heavily on the available data when designing derivative products, preparing TMDs and distribution arrangements.

ASIC has acted against five OTC derivative issuers for DDO breaches, resulting in 10 interim stop orders in the past six months. It will continue to act where there are DDO breaches and a risk of consumer harm, including through stop orders and court proceedings.


ASIC v PayPal: Unfair Contract Term


ASIC has initiated proceedings against PayPal Australia Pty Limited (PayPal), alleging that the following term in its standard form contract used for small business customers is unfair under s 12BG of the ASIC Act 2001 (Cth) (ASIC Act). ASIC is seeking declarations that the term is void, as well as injunctions and corrective orders.

“Your responsibility to notify PayPal of pricing or fee errors

Once you have access to any account statement(s) or other account activity information made available to you by PayPal with respect to your business account(s), you will have 60 days to notify PayPal in writing of any errors or discrepancies with respect to the pricing or other fees applied by PayPal. If you do not notify PayPal within such timeframe, you accept such information as accurate, and PayPal shall have no obligation to make any corrections, unless otherwise required by applicable law. For the purposes of this provision, such pricing or fee errors or discrepancies are different than unauthorised transactions and other electronic transfer errors which are each subject to different notification timeframes as set forth herein.” (Concise Statement [6])

ASIC alleges that the term is unfair because it has the effect of allowing PayPal to retain overcharged or wrongly charged fees if a small business customer fails to notify PayPal of the error within 60 days of the fee appearing in the customer’s account statement.

ASIC further alleges that the term falls within the scope of s 12BG because the term:

  • Causes ‘a significant imbalance’ in the contractual ‘rights and obligations’ between the parties.
  • Is not ‘reasonably necessary’ to protect PayPal’s ‘legitimate interests’.
  • Would ‘cause detriment’ to the small business account holders if PayPal relies on the term.


Interactive Brokers’ penalty for ‘negligent’ and ‘reckless’ conduct


Interactive Brokers Australia Pty Ltd (Interactive Brokers) has received an infringement notice for $832,500 from the Market Disciplinary Panel (MDP). The notice relates to its ‘negligent’ conduct in failing to identify suspicious trading by one of its clients, its recklessness in continuing to allow further suspicious trading to be completed after ASIC raised its concerns about the trades, and its failure to maintain the necessary organisational and technical resources to comply with its legal obligations.

The MDP concluded that Interactive Brokers ought reasonably to have suspected the client’s orders were intended to increase the instrument’s closing price and hence create a false and misleading appearance of the price. The red flags include:

  • The client placed and amended the orders late in the Closing Single Price Auction for a low volume or value.
  • The client returned or held the instrument at the high of the day.
  • The client’s behaviour was inconsistent with their previous trading during the relevant day.

The MDP considered that Interactive Brokers’ responses were inadequate, including:

  • Lengthy delays in closing alerts.
  • A lack of records with respect to reviews of the alerts.
  • A lack of any actions to address the trading activities in question.
  • A failure to lodge a suspicious activity report with ASIC in a timely manner.

The above conduct indicates that Interactive Brokers lacks staff with the necessary skills, knowledge, or experience to properly handle the alerts, and that it failed to exercise proper supervision over the relevant staff members.


ASIC v Bit Trade: DDO contraventions


ASIC has brought civil penalty proceedings against Bit Trade Pty Ltd (Bit Trade), the operator of Kraken, which offers crypto exchange services to Australian customers, alleging that it failed to comply with its DDOs with respect to the ‘margin extension’ offered to Australian customers.

ASIC alleges that:

  • Bit Trade’s margin extension is a credit facility, on the basis that it offers customers credit for use in spot transactions of some crypto assets and entitles customers to receive credit of up to five times the value of the assets used as collateral.
  • Bit Trade has been offering this margin trading product to retail clients since January 2020, and continued to do so without first preparing a TMD when DDOs were introduced on 5 October 2021.
  • Bit Trade issued this margin extension product to over 1,160 customers, and 968 of these customers have incurred a total loss of around $12.95 million since 5 October 2021.
  • Bit Trade continued to offer the margin trading product without a TMD despite ASIC’s concern in June 2022.

ASIC seeks declarations, a pecuniary penalty and injunctions prohibiting the continuance of the alleged conduct.


ASIC v NAB (No 2): $2.1 million penalty for unconscionable conduct


The penalty follows the Federal Court’s decision in November 2022, which held that National Australia Bank Ltd (NAB) engaged in unconscionable conduct within the meaning of s 12CB(1) of the ASIC Act by continuing to charge fees against customer accounts when it knew it was not entitled to do so, while failing to inform customers of the wrongful charges or remind them to check their accounts.

NAB took 2 years to stop charging these incorrect fees.

While recognising that the bank searched for solutions in good faith, Derrington J remarked that the bank’s ‘inability to manage its own computer systems and its unwillingness to apply sufficient resources to remedy the problem in a timely manner’ was the ‘central cause’ of the whole problem.


ASIC licensing and professional registration updates July 2022 – June 2023


ASIC released REP 772 with updates for the 2022 – 2023 financial year with respect to licensing and professional registration activities. REP 772 showcases ASIC’s continuous efforts in monitoring and ensuring high standards in the Australian financial and credit licensing sectors. Most importantly:

  • ASIC received a total of 1,272 applications for both AFS and credit licences.
  • The regulator successfully finalised 1,464 such applications and granted 332 new AFS licences and 149 new credit licences.
  • ASIC noted that 401 licence applications were either withdrawn or rejected at the lodgement stage, 515 licences were cancelled, and 26 were suspended.
  • ASIC is in the process of enhancing its licensing processes and systems, and seeking to increase the level of engagement with stakeholders during the application phase.



Cybersecurity and Scams


Cybersecurity: system vulnerability and third-party risks


ASIC Chair Joe Longo spoke about cybersecurity at the recent Australian Financial Review Cyber Summit held on 18 September 2023. Mr Longo emphasised that when it comes to cybersecurity:

  • Every system is vulnerable and organisations must plan for it, and
  • There is always a risk when relying on third parties.

System vulnerability

Every system is vulnerable, and system design should adopt a ‘threat thinking’ approach that considers how a system might be broken and exploited. No system is impregnable, so resilience (the ability to deal with a significant cybersecurity incident) is crucial, as is a clearly thought-out risk management strategy.

Third-party risks

Mr Longo made it clear that organisations must have controls over the cybersecurity risks associated with using third parties, and it is unlikely to be sufficient to solely rely on the security measures of the third parties.

Cybersecurity risk management is an integral part of good corporate governance. It must start at the top and must cover board oversight, management reporting, risk assessment, identification and remediation, and implementation of controls.

ASIC expects directors to adequately address cybersecurity risks and implement controls to protect key assets and enhance cyber resilience in their organisations, having regard to the nature, scale, and complexity of an organisation’s business. A failure to do so may lead to breaches of their regulatory obligations.

Reduction of third-party risks

The key points that may assist organisations to reduce third-party cybersecurity risks include:

  • Never set and forget: actively manage the supply chain and vendor risk.
  • Planning and testing: regularly test the response and recovery plan, as well as communication to customers, regulators, and the market in the event of an incident.
  • Identification of critical information and systems: critical information and systems must be identified before they can be effectively protected.


National Anti-Scam Centre (NASC) warns of spikes threatening Chinese students


The NASC noted that reports of scammers posing as Chinese police that targeted young people studying in Australia more than doubled in August as compared to July 2023. Between 1 January and 21 September 2023, there had been 1,244 reports and $8.7 million in losses to the scam.

The likely scamming processes

  • Scammer 1 calls a victim, pretending to be from a phone service provider or financial institution, informing the victim that their identity is being used in a scam or a serious financial crime.
  • When the victim denies their involvement, Scammer 1 transfers the call to Scammer 2, who pretends to be the Chinese police, with the phone number displayed as the official police number using telephone spoofing technology.
  • The scammer then tells the victim that they may face extradition to China or deportation, and then offers the victim an opportunity to stay in Australia while the investigation takes place, provided that they make a payment. Fake documents such as warrants are generated.
  • Often multiple scammers will call the victims many times, and this may involve video calls appearing to be from the Chinese police. There have even been reported visits to the victims’ Australian homes by persons dressed as police officers.
  • Scammers may monitor their victims 24/7 using messaging platforms and video technology.

Potential warning signs

  • A call, message or email claiming to be from a phone company, bank or government agency says that you have been involved in a serious crime or that your identity has been used in it.
  • The caller says that you are required to prove your innocence, and threatens you with legal action, arrest or deportation.
  • The caller tells you that you will have to pay a fee, fine, bond or bail to get away with it.
  • The caller tells you not to speak about the matter with others and to keep your camera on at all times.
  • The caller may ask for your personal information, such as your passport details, date of birth or bank information.

Self-protection and tips

  • Hang up!
  • Call the local police in Australia, the international student support body at your university or your local Australian-Chinese community support service.
  • Do not engage with the callers and do not follow their instructions, such as keeping your camera on or handing over your personal information or money.
  • Call 000 immediately if you are concerned about your safety.