17 September, 2016
ASIC has published Regulatory Guide RG255, "Providing digital financial product advice to retail clients" (RG255), following a period of consultation.
RG255 provides a road map for providers of digital (robo) advice and sets out ASIC's expectations of licensees who provide such services. It covers topics such as organisational competence, the monitoring and testing of algorithms and compliance with the best interest duty.
In March 2016, ASIC released Consultation Paper 254, "Regulating digital financial product advice" (CP254) in response to the emergence of digital financial product advice offerings in Australia. In conjunction with CP254, ASIC produced a draft Regulatory Guide entitled "Providing digital financial product advice to retail clients". See here for our earlier commentary on CP254 and the draft Regulatory Guide.
Following feedback on CP254, ASIC has now published Regulatory Guide RG255, "Providing digital financial product advice to retail clients" (RG255).
While the Corporations Act 2001 (Cth) (Corporations Act) should ideally be technologically agnostic to the method by which a financial service is delivered, the fact remains that digital advice presents a new set of consumer risks. The challenge for regulation, and for ASIC, is to strike a reasonable balance between consumer protection and commercial reality.
Through CP254, ASIC sought industry feedback on the following topics:
- the application of the organisational competence standards to digital advice licensees;
- the steps digital advisers should take to monitor and test algorithms underpinning digital financial advice; and
- how to meet the best interest duty using a digital advice model.
In response to this feedback, ASIC has finalised RG255. We comment briefly below on the position adopted in RG255 in response to the feedback on these 3 topics. Click here to access the feedback published by ASIC.
Organisational competence
A licensee is required to comply with the organisational competence requirements in Regulatory Guide RG105 (which requires that the responsible managers collectively have appropriate knowledge and skills to cover authorised activities). Separately, under RG146, natural person advisers are required to meet minimum training and competency standards, but these will not, of course, apply to digital algorithms.
ASIC will require that digital advisers have at least one responsible manager who meets the minimum training and competency standards under RG146. ASIC has adopted a six-month transitional period for existing licensees to comply with this requirement (i.e. to have one responsible manager trained to the required level).
Digital advice providers must also have adequate human resources to support their regulated activities. ASIC's position is that a digital advice licensee must have at least one person with a general understanding of the technology and algorithms used to provide the digital advice. Whilst ASIC accepts that a digital advice licensee may outsource certain functions and not understand the specific computer coding of an algorithm, ASIC expects the licensee to have persons in the business who understand the rationale, risks and rules behind the algorithms.
Monitoring and testing algorithms
ASIC expects digital advice licensees to regularly monitor and test the algorithms that underpin their advice. In RG255, ASIC states that effective monitoring and testing would involve all of the following:
- appropriate system design documentation describing algorithms (which must be retained for seven years);
- a documented test strategy, change management processes, security, and control over algorithm changes;
- the ability to suspend advice if an error is identified; and
- adequate human and technical resources to monitor and supervise algorithms through an adequate and timely review of the advice provided.
In relation to security measures, ASIC also reminds digital advisers in RG255 of the risk of malicious cyber activity, especially with more business moving to 'cloud' technology. ASIC expects digital advisers to meet recognised IT security standards, such as AS ISO/IEC 27001:2015, or an equivalent.
The 'best interest' duty and scaled advice
Section 961B(2) of the Corporations Act sets out a number of steps that advisers can take to ensure they discharge their duty to act in the best interests of the client when providing personal financial product advice to the client. If these "safe harbour" steps are followed, the adviser is taken to have discharged the "best interests" duty.
Section 961(6) of the Corporations Act specifies that the best interest duty extends to persons who provide personal advice through a computer program. Accordingly, it is clear that the law in its current form is applicable to digital advisers.
ASIC sets out in RG255 its minimum expectations of licensees who provide scaled digital advice. ASIC emphasises the importance of communicating the scope and limitations of the advice, and considering how the communication is delivered (including device specific considerations).
ASIC expects that digital advisers will include a filter or triage process within the information gathering process to identify if the advice is not appropriate for the client, and filter the client out of the advice model.
Digital advisers must have robust compliance arrangements in place to regularly test and monitor the advice produced. Reviewers should have the skills to critically form their own views on the quality of the digital advice. If a system defect is identified, further advice should not be given until the defect is rectified. In addition, ASIC may need to be notified, and a remediation activity may be required.
ASIC is considering in more detail advice review programs and client remediation. Consultation Paper 247, "Client review and remediation programs and update to record-keeping requirements" (CP 247) was released for comment on 16 December 2015.
For further information, please contact:
Corey McHattan, Partner, Ashurst
corey.mchattan@ashurst.com