Post: Financial advice update

The Financial advice update is a round-up of regulatory developments and issues affecting financial advice.

It covers all areas of financial advice regulation and includes a broad range of content relevant to Australian financial services (AFS) licensees who are advice licensees and financial advisers.

The topics of this update are:

maintaining accurate records on the financial advisers register
assessing adviser qualifications
ASIC’s review of cold calling for superannuation switching business models
cyber security – third-party exposure
financial adviser registration
Report 779 Superannuation and choice products: What focus is there on performance?
provisional relevant providers, and
keeping up to date with financial advice news.

Maintaining accurate records on the financial advisers register
AFS licensees are reminded to check that the information about their financial advisers on the financial advisers register is correct. AFS licensees should pay particular attention to their adviser’s approved qualification(s), ability to provide tax (financial) advice services, business address and telephone number.

Any incorrect or out-of-date information must be rectified by lodging a ‘maintain’ transaction on ASIC Connect.

ASIC recently identified errors and inconsistencies on the financial advisers register, including in relation to records of approved degrees and qualifications: see 24-142MR ASIC urges AFS licensees to correct records on the financial advisers register (1 July 2024).

Common errors include:

failure to record the degrees accurately in line with the Corporations (Relevant Providers Degrees, Qualifications and Courses Standard) Determination 2021 (Determination)
recording degrees that are not approved degrees, but are professional designations (e.g. ‘Certified Financial Planner’)
recording degrees that are not approved degrees, but are bridging courses (which may be listed in the Determination but must be coupled with another qualification to meet the requirements of the professional standard), and
recording qualifications that are not approved qualifications under the Determination (e.g. the Financial Adviser Exam, Australian Qualifications Framework 1–5 qualifications, and training or qualifications listed in Regulatory Guide 146 Licensing: Training of financial product advisers (RG 146)).

It is a serious offence to knowingly provide false or misleading information to ASIC or to fail to take reasonable steps to ensure that the information provided to ASIC is true and correct. It is also an offence to fail to update the financial advisers register within 30 business days of a financial adviser’s details changing.

ASIC will shortly be commencing a compliance program to ensure that the information recorded on the financial advisers register about approved qualifications is correct, and will take action where necessary.

Assessing adviser qualifications
If you are an advice licensee, among other things, you must ensure your relevant providers (i.e. advisers who are authorised to provide personal advice to retail clients in relation to relevant financial products) comply with the ‘qualifications standard’ in section 921B(2) of the Corporations Act 2001 (Corporations Act) before authorising them, even if they have been previously authorised by another advice licensee.

Financial advisers who are existing providers have until 1 January 2026 to meet the qualifications standard. For more information, see the quick reference guide on the ASIC website.

Generally, an existing provider who meets the criteria for an experienced provider can rely on the experienced provider pathway to meet the qualifications standard and the professional year standard without needing to undertake further education and training. For more information on the experienced provider pathway, see Information Sheet 281 FAQs: Relevant providers – Accessing the experienced provider pathway (INFO 281).

Under section 921B(2) of the Corporations Act, a person who is, or is to be, a relevant provider must have completed a bachelor or higher degree, or equivalent qualification, approved by the Minister. This applies to both existing providers and new financial advisers, as well as advisers with foreign qualifications. For a list of approved degrees and equivalent qualifications see the Determination.

Assessing your advisers’ qualifications against the Determination
To assess whether your adviser(s) has completed an approved bachelor or higher degree, or equivalent qualification, under the Determination, see the guidance for AFS licensees to check qualifications on the Qualification, exam and professional development page of the ASIC website.

As an AFS licensee, you must ensure that the qualifications exactly match those listed in the Determination. If a domestic qualification has been completed in accordance with Schedule 1 of the Determination, but does not satisfy the prescribed conditions (e.g. unit codes or names do not match or different commencement dates), then an application can be made to Treasury to assess whether the qualification satisfies section 921B(2) of the Corporations Act: see Domestic qualifications: Criteria for assessment on the Treasury website.

If an adviser has foreign qualifications, an application can also be made to Treasury to assess whether these qualifications are equivalent to an Australian bachelor’s or higher degree: see Foreign qualifications: Criteria for assessment on the Treasury website.

If Treasury establishes that an adviser has completed an approved degree or qualification, the relevant provider’s authorising AFS licensee must record this on the financial advisers register as an approved degree or qualification. This can be completed during the appointment process or by submitting a maintenance transaction if the adviser has already been appointed by the AFS licensee.

ASIC’s review of cold calling for superannuation switching business models
In our 2023–27 Corporate Plan, ASIC announced a cross-sector project focused on deterring cold calling for superannuation switching business models. Our review identified that some cold calling businesses are using high-pressure sales tactics to induce consumers into taking unnecessary and inappropriate superannuation switching advice, leading to poor outcomes for clients. These adverse outcomes range from superannuation erosion due to high fees and charges, to the risk of a reduced superannuation balance due to inappropriate investment in high-risk and/or low-quality superannuation products.

Some of the cold calling operators – which make unsolicited calls to consumers after obtaining their personal information from third-party data brokers or by using online click-bait – have lead-generation and referral arrangements with a small subset of financial advisers who typically recommend consumers switch to super products that charge significant fees.

ASIC has observed considerable volumes of superannuation fund movement as a result of cold calling conduct, including inflow into platforms, high-risk property investments and significant payments to cold calling operators.

ASIC also observed some cold calling businesses bypassing data brokers by posting click-bait advertisements on social media platforms like Facebook and Instagram. These advertisements often promote superannuation comparison calculators that give consumers the impression their existing superannuation fund is underperforming.

ASIC identified several areas of concern and is reminding advice licensees and financial advisers of their respective obligations to act in the best interests of consumers when providing financial services.

Advice licensees should ensure they have in place adequate monitoring and supervision arrangements to detect concerning conduct and to make sure their advisers are acting in the best interests of their clients.

Deterring cold calling for superannuation switching models is an ASIC priority. We will continue to take action, where appropriate – including enforcement action – against individuals or entities who are engaging in misconduct.

You can find more information on ASIC’s review of cold calling for superannuation switching business models in our news item Exposing high-pressure cold calling tactics and social media click-bait leading to superannuation switching (7 May 2024).

We have issued Information Sheet 282 Unsolicited contact leading to financial advice (INFO 282) for unlicensed entities that engage with consumers, leading to financial advice. It sets out how the financial services laws apply to these entities and reminds them of their responsibility to ensure that their conduct complies with the law.

ASIC has also launched a consumer awareness campaign, encouraging consumers to ‘just hang up’ when contacted by cold calling operators and to ‘just scroll past’ social media click-bait advertisements.

To report misconduct, see Make a report of misconduct to ASIC on the ASIC website.

For more information, see:

24-092MR ASIC issues warning over dodgy cold calling operators and online baiting tactics (7 May 2024)
24-094MR ASIC calls on super trustees to improve gatekeeping of member savings (9 May 2024)

Cyber security – Third-party exposure
The practice of outsourcing services and products is crucial to most organisations operating in today’s economy, with 76% of leading global businesses outsourcing IT functions. While financial services businesses can outsource their services to third-party suppliers, they cannot outsource the associated risks and liabilities.

Recently, ASIC released findings from our 2023 Cyber Pulse Survey: see Report 776 Spotlight on cyber: Findings and insights from the cyber pulse survey (REP 776). Worryingly, 44% of participating organisations admitted to not managing third-party or supply chain risk.

ASIC has observed a growing number of cyber attacks on Australian organisations stemming from third-party attacks that exploit weaknesses in an organisation’s supply chain, giving attackers easy access to the organisation’s systems and networks.

AFS licensees from across Australia have told ASIC they consider cyber security the biggest risk to their business, listing it as a high priority item for board meetings and noting they run regular staff training at all levels of their business. AFS licensees have moved to reinforce their internal cyber security after a series of high-profile incidents from late 2022. With many organisations acting to improve internal defences, their focus must now turn to mitigating third-party exposure – the new frontline in cyber risk management.

For example, the SolarWinds breach of 2020 exploited a vulnerability in SolarWinds’ platform, giving the threat actor access to 3,000 email accounts across 150 organisations, including government agencies and multinational corporations. The breach cost each affected organisation an average of US$12 million.

To enhance the cyber resilience of Australia’s financial institutions against known threat actors, the Council of Financial Regulators (CFR) developed the cyber and operational intelligence-led exercises (CORIE) framework: see Revised CORIE framework and rollout on the CFR website. CORIE uses threat intelligence to simulate adversary attacks and assess the cyber resilience of an organisation. Recent CORIE simulations have exposed vulnerabilities in third-party controls, including instances where third parties held administrator-level access to critical systems.

The recent Latitude Financial cyber attack underscores the need for enhanced scrutiny of third parties with access to core systems. While IT outsourcing is essential for many organisations, basic controls – like multifactor authentication (MFA) for external providers – could minimise breach risks.

Another concerning trend demonstrated by CORIE simulations is the use of weak passwords. Even with complex password creation requirements, users can find ways to craft weak passwords like ‘Pa$$w0rd123!’.

MFA is one of the most effective techniques available to protect organisations from a cyber incident. Where MFA is not available, the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) recommends the use of passphrases: see Passphrases on the ACSC website. These measures should be implemented as part of a broader cultural shift throughout an organisation, driven by employee education, cyber awareness training and rigorous third-party risk assessment.
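An added example (not from ASIC or the original page) of the weakness described above: a typical composition-rule check accepts ‘Pa$$w0rd123!’ and rejects a long passphrase, while a screen that undoes common substitutions and compares against a deny-list does the opposite. The deny-list, substitution map, function names and length thresholds are assumptions made for illustration.

```python
import re

# Constructed sample deny-list (assumption); a real deployment would load a
# corpus of common and breached passwords instead.
COMMON_BASE_WORDS = {"password", "welcome", "qwerty", "letmein", "admin"}

# Small illustrative set of substitutions users apply to satisfy complexity rules.
LEET_MAP = str.maketrans({"$": "s", "@": "a", "0": "o", "3": "e", "5": "s", "7": "t"})


def meets_composition_rules(pw, min_len=12):
    """Typical complexity policy: minimum length plus one of each character class."""
    return (
        len(pw) >= min_len
        and re.search(r"[a-z]", pw) is not None
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"\d", pw) is not None
        and re.search(r"[^A-Za-z0-9]", pw) is not None
    )


def normalise(pw):
    """Reduce a password to its likely base word."""
    core = re.sub(r"[\d\W_]+$", "", pw)      # drop a suffix such as '123!'
    return core.lower().translate(LEET_MAP)  # undo case changes and substitutions


def is_guessable(pw):
    """True when the normalised password is a deny-listed base word."""
    return normalise(pw) in COMMON_BASE_WORDS


def accept(pw, min_len=14):
    """Length-first policy with deny-list screening (threshold is an assumption)."""
    return len(pw) >= min_len and not is_guessable(pw)


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("Pa$$w0rd123!", "Pa$$w0rd123!!!", "crimson-lantern-otter-violin"):
        print(
            f"{candidate!r}: composition_ok={meets_composition_rules(candidate)} "
            f"guessable={is_guessable(candidate)} accepted={accept(candidate)}"
        )
```

The screen complements MFA for external providers; it does not replace it.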

To mitigate cyber risk, organisations must take an active approach to identifying, assessing, and monitoring third-party cyber risks. We encourage organisations to start by asking three simple questions:
