Chapter 4: Delivery to be enhanced with 'future-proofing' design



This Chapter addresses key findings and recommendations across five aspects of delivery:

• Workforce management: workforce capabilities and ongoing workforce planning to ensure ASIC has the right skills and resources to address the challenges of the future.
• Organisation structure: the defining features of organisation design, (excluding the setup of executive and governance roles, which are discussed in Chapter 2) and the impact these have on efficiency and effectiveness.
• Regulatory tool kit: the tools that support the market-facing teams in day-to-day operations in order to monitor, detect, understand and respond to possible harm and wrongdoing.
• Stakeholder management: the way in which ASIC engages with stakeholders, including the regulated population, in the use of its regulatory tools.
• Data infrastructure: the way in which ASIC captures, shares and uses data in support of the achievement of its enduring objectives and strategic priorities.

The components of delivery addressed in this Chapter provide ASIC smarter leverage in the context of its increasing responsibilities and ongoing funding constraints. They collectively enable ASIC to make better use of its workforce, data, technology, tools and relationships with external stakeholders to spot emerging patterns or risks quickly, and devise the right solutions. Additionally, a focus on delivery enables the regulator to take a forward looking approach to ensuring it has the workforce skills, organisation capabilities, tools and systems to address challenges today and in the future.

Key observations and recommendations are summarised in Table 12 below.

Table 12: Key observations and recommendations

	Observations
Workforce capabilities and management	Some ASIC staff lack sufficient professional confidence in their roles to credibly challenge regulated entities and develop and defend independent judgements. The workforce also faces gaps in relation to a number of critical skill sets that will become increasingly important in the future (for example, big data, digital disruption, behavioural economics). The existing secondment program is not being fully leveraged to close these gaps. ASIC has only relatively recently begun to develop a documented forward looking approach to organisation-wide workforce planning and has engaged external consultants to assist in developing a methodology. This process lacks maturity and has not yet been extended to Commission level skills gap assessment. It is also unclear the extent to which forward-looking processes are being developed to address requirements for support functions. PSA requirements may limit ASICs ability to flexibly respond to identified gaps.
Organisation structure	ASIC's organisation structure is distinct from many peer regulators, being organised around stakeholder groups rather than by functional teams. The Panel understands the genesis and recognises the relative strengths and shortcomings of ASIC's current stakeholder based organisation structure model. ASIC is currently making progress on addressing concerns on existing silos through OneASIC and cluster specific initiatives, but could still do more to allow its people to work more flexibly across silos, to enhance cooperation, and to address risk concentrations in the most efficient and effective way. Additionally, the choice of a more expensive organisation model than the traditional model creates an imperative for an ongoing focus on efficiency and cost control at ASIC.
Regulatory tool kit	ASIC has acted on prior reviews to improve the use and management of enforceable undertakings and has addressed many of the previously identified shortcomings. ASIC has initiated several 'lessons learned' reviews across enforcement cases, although informed stakeholder feedback indicates this is yet to translate to material improvement. ASIC's approach to litigation sometimes lags recent progress made by other Australian regulators. For example, pleadings can be dense, complicated and lacking in focus. There is a perception that ASIC's selection of cases for litigation can be risk averse (tending to prefer cases with a higher probability of success, rather than selecting cases that have strong merits, but also allow ASIC to test the veracity of the law). ASIC's approach to collaborative partnerships (for example, co-regulation) is relatively limited and could be better leveraged to product more robust regulatory outcomes and deliver better value for money in resource use. ASIC uses a wide range of guidance material, and is generally proactive in its guidance approach. However in select cases, policy development and decisions lack sufficient evidencing. Further, some stakeholders feel that there is insufficient consultation during the consultation process for policy guidance development. There may be an expectations gap as to the extent and rigour of merit assessment and analysis conducted in licensing and registration. The current choices around language and communication do not appear to be informed by behavioural economics (for example, the perception that 'licensing' requires ASIC to conduct due diligence to evaluate the merits of a prospective licensee). ASIC has taken positive steps to enhance surveillance processes in the past year, and there is further room to expand the scope of tools being used. The Panel commends the quality of ASIC's supervision, with investments in real time monitoring capabilities representing global best practice and delivering positive outcomes. Educational tools are well used, and ASIC does lead international best practice in advancing broad consumer financial literacy. However, future initiatives and focus may need to be more targeted and informed by Consumer Advisory Panel (CAP) priorities and there remains potential to further leverage non-for-profits.
Stakeholder management	While ASIC engages with regulated entities through a variety of touch points, this can be uncoordinated (particularly between stakeholder and enforcement teams and for more complex and diverse entities). Some stakeholders express dissatisfaction with the policy consultation process, particularly with regard to response time, engagement style and proportionate focus across various types of external stakeholders. External panels are not being fully leveraged and there is some inconsistency in perceived impact on strategy development. Additionally, there does not seem to be a systematic review or active and regular management of panels once created (that is, there is an element of 'set and forget' in their structure and purpose).
Data management	ASIC has identified a number of weaknesses in the existing data infrastructure, including fragmented databases, a reliance on legacy applications, and challenges in search functionality. ASIC has initiated a major IT transformation program to address identified issues in workflow applications and business processes (FAST 2), although the Panel has some concerns particularly as to whether or not these projects have been 'future proofed' and the extent to which the program will 'still leave ASIC with additional investment required'.99 Additionally, the programs may not go far enough to address the full scope of infrastructure weaknesses, particularly around the sophistication of MIS (efficiency reporting and management dashboards) and performance measurement capabilities. There is further potential for ASIC to collabora te with other regulators in data sharing and data analytics and championing open data policies. Like most other regulators, ASIC is aware of the potential for data and advanced analytics to support its regulatory activities, but is only at the early stages of implementing these capabilities.

	Recommendations
Workforce capabilities and management	Recommendation 21: ASIC to increase the scale and diversity of the secondment and exchange program. Recommendation 22: ASIC to improve workforce planning to include a more forward looking, strategy informed, top-down view (progressing and internalising work to date). Recommendation 23: ASIC to refresh its career value proposition to help attract and retain staff and support future secondment, by clearly articulating and tailoring messaging, and identifying strategies to deliver on this message (that is, to 'make it real'). Recommendation 24: Government to remove ASIC from the PSA as a matter of priority, to support more effective recruitment and retention strategies.
Organisation structure	Recommendation 25: ASIC to launch a pilot project to assess the suitability of dedicated project based teams to improve flexibility across units and reduce the impact of silos. Recommendation 26: ASIC to implement a regular review of internal business processes and systems, supported by improvements in MIS to drive operational efficiency and reduce the cost burden on regulated entities.
Regulatory tool kit	Recommendation 27: ASIC to enhance enforcement effectiveness through developing a more targeted risk based approach to litigation for cases that are strategically important, and prosecutes through more focused pleadings and strategic appointment of senior counsel. Recommendation 28: ASIC to proactively develop opportunities to enhance the use of co-regulation for relevant groups of the regulated population where this will deliver superior regulatory outcomes, including through strengthened licensing and registration regimes.
Stakeholder management	Recommendation 29: ASIC to develop and implement a formal tiered stakeholder relationship model based on entity nature, scope, risk and complexity. Recommendation 30: ASIC to recalibrate advisory panel setup to ensure more systematic value add for example, through a larger pool of experts that can be called upon to advise on various issues as needed based on issue-specific needs and expertise gaps, coupled with regular performance assessment and enhanced internal responsibility to act on recommendations.
Data management	Recommendation 31: ASIC to execute its FAST 2 transformation program, 'future-proofing' design and expanding scope as required. Recommendation 32: ASIC to launch new programs of work to close additional identified gaps for example, to enhance the ability to measure and report for MIS. Recommendation 33: ASIC to invest in the development and application of big data 'reg-tech' analytics, through identifying specific applications for regulatory data analytics and building required staff skills/capabilities. Recommendation 34: ASIC, in conjunction with the Council of Financial Regulators (CFR), to develop a forward work program to design and implement open data policies and data analytic collaboration.

4.1. Workforce capabilities and management — work in progress but whole of agency lens needed

Over 2014-15, ASIC had an average of 1,609 permanent staff (FTE) working across seven locations. These employees come from a broad range of backgrounds, with a mix of private and public sector experience.¹⁰⁰

In reviewing ASIC's workforce capabilities and management, the Panel distinguishes between assessments of:

• Current skills and capabilities, particularly with regard to professional confidence and skill gaps.
• Learning and Development (L&D) programs, specifically secondments and exchanges, in closing identified gaps.
• ASIC's approach to forward looking workforce planning.
• Impediments created by the PSA.

Skills and capability assessment

The composition of ASIC's workforce is partly diverse, with a narrow mix of educational and workplace experiences. The figures below summarise educational and work experiences of staff at the SES and EL 1 and EL2 levels within the stakeholder, enforcement and legal functions:¹⁰¹

Figure 24: Professional qualifications (1st degree)¹⁰²

Figure 25: Primary professional experience by industry¹⁰³

Figure 26: Professional experience (of working life) by sector (private, public or ASIC)¹⁰⁴

Analysis of workforce composition indicates that, on balance, there may be too great a concentration of legal expertise, both in terms of university qualifications and industry experience. Across the entire regulatory cohort, approximately a third of working life has been spent in the private sector, although this is dominated by experience in law firms (40 per cent of primary professional experience, excluding regulatory experience). The need for a refresh of ASIC's skills-mix is further reinforced by the results of an analysis of current skill expertise against future-oriented capabilities conducted within MIG.¹⁰⁵

This exercise identified a number of areas where ASIC needs to build expertise to meet future challenges. These include behavioural economics, technological adeptness and stakeholder management, together with adapting to emerging global regulatory issues, cyber-crime and technological innovation. Further evidence was provided during SEL leadership interviews and roundtables, which highlighted gaps in data analysis, industry specific and project specific knowledge and project management experience.¹⁰⁶

In addition, the Panel also notes a need to enhance capabilities to assess the impact of emerging trends on ASIC's activities in a forward looking and innovative way. For example, there is currently a gap in the ability of ASIC staff to fully assess the implications of digital disruption, including new market entrants, business models and technology, on the way in which ASIC should administer policy.¹⁰⁷ It may be possible to expand the scope of the Innovation Hub as a way to develop these skills.

Analysis should be conducted in order to identify emerging risks and to better understand market benefits, such that ASIC can
adapt its approach to promote business innovation whilst mitigating risk. In this instance, for example, graduated frameworks may be needed so as not to impose burdensome requirements on new entrants. The Panel is of the view that the existing capabilities of the ASIC workforce are not well suited to this type of analysis.

Alongside identified skill gaps, the Panel has also identified that some ASIC staff lack professional confidence in their roles. The Panel defines professional confidence as the collective belief of staff in their own capabilities and 'team safety'. Embodied in this definition is the capability and confidence of staff to challenge and debate views, both internally within ASIC and with regulated entities; to take a questioning and sceptical view in their discussions; to form and defend independent judgements; and to listen and respond to different points of view without lapsing into defensiveness, or defaulting automatically to 'black letter' interpretation of law. In assessing professional confidence, the Panel has considered four criteria.

• Individual competency: Most staff are confident that they have the skills and capabilities required to fulfil their roles. For example, in the PwC supplementary staff survey, 69 per cent of staff agreed they have the right skills and capabilities to perform their role¹⁰⁸ and in the Orima survey 75 per cent agree that their job gave them the opportunity to work on the things they do best.¹⁰⁹ However, by contrast, only 44 per cent of the regulated population and 58 per cent of related stakeholders agree that ASIC staff/managers that they interact with have the necessary skills for the role.¹¹⁰
• Team competency: Many staff expressed some doubt over their colleagues' capabilities, with only 42 per cent of respondents in the PwC supplementary staff survey agreeing that their team is made up of people with the right skills and capabilities.¹¹¹
• Decision making processes and empowerment: Some ASIC staff are uncomfortable in stating or defending a point of view externally due to inconsistency in decision making. Furthermore, only 48 per cent of staff surveyed agreed that ASIC is consistent in its decision making.¹¹² Internal and external stakeholders also feel that lower level ASIC staff may not be sufficiently empowered to make decisions. For example, in the Susan Bell Research Survey only 47 per cent of the regulated population agreed that the ASIC staff and managers they interact with have the authority to act.¹¹³
• Team safety: In interviews and roundtables with staff, it also emerged that some staff members do not feel they are rewarded or encouraged to challenge internal decisions by more senior staff.

Without professional confidence, a regulator will find it difficult to simultaneously probe and challenge regulated entities on the right topics with the right questions, while maintaining productive working relationships with them.

The Panel acknowledges that these statements assessing skill, capability and confidence are based on a generalisation of the capabilities of ASIC's workforce, and that there is likely significant variability both within and across teams. However, while it is difficult to assess the extent to which these issues are embedded and widespread across the organisation, it is clear that there are some gaps that ASIC should be seeking to address.

Additionally, the Panel notes that the median tenure of SES level employees is 15.5 years.¹¹⁴ EL2 median tenure is nine years and EL1 median tenure is eight years.¹¹⁵ As a result ASIC's workforce has, on balance, significant experience and stability. However, there are also a number of potential negative consequences:

• Senior staff may become too removed from the regulated population and external stakeholders.
• There may be a lower degree of employee motivation, due to stagnation in career opportunities for advancement. For example, only 47 per cent of staff agree that they have the opportunity to progress career goals within ASIC.¹¹⁶
• Limitations on the ability to promote EL2 staff to SES level (see Chapter 5 for a discussion on the influence of the PSA), with increased risk that EL1 and EL2 staff then leave to seek advancement elsewhere.
• Staff may be less likely to identify areas of inefficiency and suggest ways that processes could be conducted more efficiently than may be the case in an environment with higher turnover.

Addressing this lack of professional confidence, identified skill gaps and challenges will largely be addressed by specific recommendations around secondments, workforce planning and requirements under the Public Service Act, discussed in subsequent sub-sections.

Additionally, ASIC could consider making committee meetings open to all staff to listen to in real time, such as is done at the ACCC. The exception, of course, would be where a matter being discussed is confidential or highly sensitive. This would improve transparency, and assist staff understand how decisions are being made to improve their professional confidence when representing the views of ASIC to external stakeholders.

Secondments and exchanges

ASIC has a formal performance management cycle, including annual assessment against individual performance plans, midpoint review discussions, self-assessment and ongoing one-on-one feedback. It also has a number of programs for skill development in place, including secondments (for example, to other regulators in Australia and globally, other public agencies, investment banks, law firms, and investment banks), external learning courses, technical/job-specific training, Communities of Practice and a Regulator Network.¹¹⁷

The Panel considers that the existing secondment and exchange program is not being fully deployed to address identified capability gaps. More specifically, secondments are mostly policy and legally focused, with limited placement to close gaps in areas such as data analytics, behavioural economics and industry knowledge. For example, of 45 outbound secondments, only seven are to the private sector, split between professional services firms and an investment bank. Additionally, only one secondment involves an SEL level staff member, suggesting insufficient use to address gaps at mid to senior levels.¹¹⁸

The Panel also notes that secondment programs are used more extensively by foreign regulators. For example, while ASIC's total secondments and exchanges represent around four per cent of its staff, the Financial Conduct Authority's (FCA's) secondments and exchanges represent 9 per cent of FCA's staff.¹¹⁹ The Panel therefore suggests increasing the scale and diversity of the secondment and exchange program.

The set of available secondments should be enhanced in alignment with identified areas for skill development, such as data analytics, and industry expertise. ASIC should also set targets for the number of staff participating in these programs at all levels. In the longer term, the program should be expanded at the senior executive levels to help ensure that senior management remain up to date with industry best practice and are able to relate to the issues of the regulated population and related stakeholders.

The Panel is confident that potential
conflict issues can be effectively managed, as has been demonstrated by other regulators. Expansion of the secondment program should also deliver positive outcomes with regard to professional confidence. ASIC should ensure that it clearly defines the secondment value proposition and communicates this across relevant employee groups. It should also ensure that it has partnership programs in place with relevant industry companies, law firms, analytics companies and other regulators.

Workforce planning

While each team in ASIC has a succession plan and there is a defined process and detailed document which outlines ASIC's current workforce, this does not yet incorporate a developed and embedded documented workforce planning process to identify skill gaps given requirements over the next three to five years and a plan to address these gaps.¹²⁰

However, ASIC has recognised this issue, and has engaged an external service provider to assist in developing a more strategic approach to workforce planning, looking at where ASIC needs to be in three to five years to meet future needs. This project is currently being conducted across the MIG, Regulatory and Registry businesses. However, it does not extend to support functions or a Commission level skills-gap assessment. ASIC has suggested (but not documented) that workforce planning for the balance of staff is being conducted by separate third parties or internally.

The key outcomes of the project are to:

• identify the capabilities that are important now and in the next three to five years;
• enhance workforce planning, recruitment and talent practices to close identified gaps;
• enable the identification of appropriate development opportunities to meet skill requirements.

While this engagement is producing a better understanding of capability gaps and strategic planning, this work should be extended to the support functions and fully embedded and internalised into ASIC processes to ensure ongoing future use without reliance on external consultants. This will facilitate a more coordinated, integrated top-down resource allocation approach, addressing strategic needs with regard to capability gaps.

As part of planning to be able to close identified gaps, ASIC should also invest in developing an improved employee value proposition. This should involve:

• Clearly articulating the benefits of working at ASIC and tailoring this message by level. For example, by comparison, at the entry level, the FCA targets young finance graduates who are interested in obtaining a good baseline overview of UK markets, and learning skills that are valued by the private sector.
• Developing clear messaging around the type of people ASIC wants to attract.
• Identifying how to make the appeal 'real', for example through critical review of exit interviews, reviewing the performance management process and adapting learning and development programs.

Public Service Act employment

ASIC staff can be employed through the PSA, the ASIC Act and using Individual Flexibility Arrangements (IFAs):

• PSA: Primary form of employment for ASIC's staff. Employment contracts under the PSA are subject to terms and conditions agreed in Enterprise Agreements (EAs). The Act also contains a set of regulations regarding recruitment.
• ASIC Act: ASIC can also hire staff under subsection 120(3) of the ASIC Act, which may provide more competitive remuneration and more flexibility in employment contracts. As of 30 June 2015 ASIC has 67 people employed under this Act, of which 22 were at the SES level.¹²¹
• IFAs: enables variation of an EA's terms and conditions for example, remuneration, allowances, leave. Use of IFAs is relatively uncommon and there are currently only 27 instances of IFAs in use outside SES level.¹²²

Operating under the PSA has a number of implications for ASIC:¹²³

• A cap on the number of SES to 25. Currently ASIC employs 45 staff at the SES level, of whom 23 are employed under the PSA with the remaining 22 employed under the ASIC Act (the latter are not counted towards the cap). The 23 appointed under the ASIC Act do not have Human Resource delegations and functions outlined under subsection 78(7) of the PSA and related regulations, directions and rules.
• A remuneration cap for SES who are employed under the PSA.
• Salary increases, terms and conditions for all non-SES staff are subject to government's Workplace Bargaining policy.
• The Government's Workplace Bargaining policy does not allow ASIC to lift salary bands to meet the market.
• Recruitment and management of on-going and non-ongoing staff appointments subject to Commissioner regulations. ASIC was subject to the PSA 18 month 'interim recruitment arrangements' from November 2013 to June 2015.

Salary restrictions are a particular impediment at the EL1 and EL2 levels, as ASIC is unable to compete with the remuneration packages from peer agencies (APRA and RBA) and private industry. For example, Table 13 compares non-executive salaries at ASIC and APRA for roughly equivalent roles, and while the roles do not perfectly align, demonstrates that salaries are relatively less attractive at ASIC.

Table 13: Non SEL salary comparison between ASIC and APRA (2013)¹²⁴

ASIC		APRA
ASIC 4	$75,225—$84,318	Level 2 lower/upper	$58,200—$97,000
EL 1	$98,583—$114,032	Level 3 lower/upper	$84,400—$140,600
EL 2	$111,677—$156,488	Level 3 lower/upper Level 4 lower	$84,400—$199,900

In comparison to the non-executive levels, ASIC reports that it competes on a different proposition at the SES level, with applicants generally expressing an interested in becoming a 'regulator' as opposed to being attracted by a salary package. ASIC's SES remuneration packages are also relatively competitive with industry.¹²⁵

Being subject to the PSA negatively impacts ASIC in that it:

• impacts ASIC's ability to attract and retain suitably qualified employees who may be attracted elsewhere by better remuneration packages;
• slows down and impedes the ability to promote internally, particularly from EL2 to SES level;
• limits opportunities for career advancement, therefore contributing to employee attrition;
• has an operational effectiveness consequences, with many SES level staff employed under the ASIC Act and therefore having no formal delegations powers. This also places additional pressure on those staff employed under the PSA Act;
• increases reliance on IFAs which affect efficiency given the additional complexity of managing these arrangements;
• increases the frequency with which ASIC must go to the market to advertise roles, increasing cost.

To provide more flexibility during recruitment, and to enhance the attractiveness of ASIC within the job market, the Panel recommends that ASIC be removed from the PSA. Importantly, this would enable ASIC to provide remuneration packages that are more in line with the peer regulators (for example, APRA) and will also provide more flexibility.

The Panel views removal from the PSA as an important factor in its ability to successfully recruit a HoO. This will allow A
SIC to compete for talent and to ensure the HoO has the necessary powers of delegation.

The panel notes that APRA and the RBA are not bound by the PSA and that there is no clear rationale as to why some agencies are included in the PSA and some are not, other than historical context.¹²⁶ For example, the RBA was formed in 1959 as a result of removing the central banking functions from the Commonwealth Bank. The bank was not subject to the PSA and, as such, the RBA retained this exclusion. The Panel therefore views the application of the PSA to ASIC to be an idiosyncratic historical legacy that should be removed without delay.

Workforce capabilities and management: recommendations summary

4.2. Organisation structure — opportunities to address some weaknesses

ASIC's organisation structure comprises eleven stakeholder teams (focusing on surveillance, supervision, policy guidance, licensing, and engagement for various groups of stakeholders), five enforcement teams and a Small Business Compliance and Deterrence team, spread across four groups within three clusters (Markets, Investors and Financial Consumers, and Registry, the latter of which the government is considering selling).¹²⁷

Figure 27: Overview of ASIC's organisation structure

This stakeholder orientated organisation structure evolved from a 2008 McKinsey strategic review and was intended to break down silos that existed between the former four directorates (enforcement, consumer protection, compliance and regulation). It was also intended to position teams closer to market sectors, provide clearer points of contact for stakeholders and clearer team objectives, and to move the organisation to a flatter structure with smaller teams to enable more staff recognition and visibility. This organisation structure is distinct from many peer regulators, as it is organised around stakeholder groups rather than by functional teams.¹²⁸

The Market Integrity Group (MIG, formed following the transfer of responsibility for the supervision of real time trading from ASX to ASIC in 2010), has a different structure and has consolidated the three market focused stakeholder teams (Financial Market Infrastructure, Market and Participant Supervision, and Investment Banks) and the Market Integrity Enforcement team. The Stakeholder and Enforcement teams within MIG are strongly aligned in their approaches and collaborate on resourcing and KPIs. Additionally, two hybrid teams have been established (the Markets Misconduct Enforcement Team and Participant Misconduct Enforcement team) with staff having both enforcement and surveillance skills. The Small Business Compliance and Deterrence team is also vertically integrated.¹²⁹

The Panel recognises that there are conflicting views on ASIC's stakeholder model for organisation structure, particularly around the extent to which it breaks down or creates silos. Some internal and external stakeholders suggest that the 2008 change has been successful in creating a more collaborative and efficient model, and facilitates more flexible resourcing, including resource sharing within clusters.¹³⁰ However, some stakeholders suggest that the change has created new and more numerous silos, with a flatter structure resulting in a duplication of activities across teams.¹³¹ For example, enforcement activities are split across the Markets and the Investors and Financial Consumers cluster. This duplication excludes support activities, which are consolidated in a single area and provide services across the regulatory business.

Other noted benefits of the current model include:

• superior communication outcomes, with clearer touch-points for regulated entities based on industry focus;
• a higher degree of industry expertise, delivering more targeted outcomes and improved staff development outcomes;
• facilitation of resource sharing within clusters, as silos are smaller and relatively weaker than in a purely functional model.

Limitations include:

• a lower degree of knowledge and information sharing across teams, which is also expressed in stakeholder feedback regarding handoffs between surveillance and enforcement (see discussion on stakeholder management in this Chapter);
• increased likelihood of misalignment of business plans (see Chapter 3 for a discussion on the strategic planning process);
• duplication of activities, requiring additional resources and increasing costs (it is a more expensive organisation model than a traditional functional model);
• reduced resource allocation flexibility across clusters.

The Panel recognises that there is no 'ideal' organisation structure, and that judgements need to be made about the relative merits of different structures. It is not the role of the Panel to make recommendations about an appropriate organisation structure. This is properly the prerogative of management. However, in the context of the changes to internal governance structures recommended in Chapter 2, the Commission may wish to consider whether consequent refinements to the organisation structure may be warranted, especially to ensure clarity of responsibility and accountability in relation to executive management functions.

ASIC is making progress in addressing concerns over silos. For example, the OneASIC project is streamlining processes between teams, including transition and handover points for work, documents and data.¹³² Additionally, the Corporations Cluster is engaged in 'Project Unity' which involves:¹³³

• sharing of responsibility for surveillance, enquiries, investigation and disruption work across the cluster;
• development of greater understanding by the enforcement teams of stakeholder team projects, aiming for more targeted and timelier outcomes;
• engagement and collaboration of enforcement staff with stakeholder teams from initial enquiries through to completion of any enforcement activity.

The Panel considers that ASIC should continue to identify ways to organise itself more flexibly to be able to work across silos to address key risk concentrations in the most efficient and effective way possible. For example, ASIC currently does not employ temporary project teams around key risk concentrations. Implementing such flexible structures could assist in improving collaboration across the organisation.

As such, the Panel recommends that ASIC launch a pilot project to test the ability of temporary dedicated project tea
ms to better respond to strategic priority areas. These 'hit' teams would comprise permanent resources drawn from across the organisation based on required skills and expertise on a full time basis to address specific issues or risks over a defined time-period. As the prevalence of that issue or risk diminishes, resources can be allocated elsewhere.¹³⁴ ASIC should set targets of the percentage of resources that are fungible across the organisation in order to ensure sufficient flexibility and to embed 'hit' teams into resource planning. This is a systematic and structured approach, in contrast to existing project teams and taskforces which are largely part-time.¹³⁵

Specific project-based teams would also help ASIC work across silos based on strategic focus areas, enhancing cooperation and ensuring organisation wide priorities are allocated the necessary resources across clusters and teams. Referring back to an identified skill gap in analysing the impact of digital disruption (see section 4.1), the Panel suggests that a project team on this topic would be a good choice to pilot the program.

Finally, the Panel notes that ASIC's choice of a more expensive organisation model (given duplication of activities across stakeholder groups) than the traditional model, creates an imperative for an ongoing focus on efficiency and cost control. Only 54 per cent of ASIC staff agree that ASIC continuously improves internal operations.¹³⁶ ASIC should therefore ensure it has a regular procedure in place for reviewing the efficiency of its internal business processes. This will help to identify areas where the organisation structure is creating inefficiencies and possible work-arounds.

The Panel understands that a review of internal processes will be occurring in the near future, but there seems to be a limited understanding of exactly how this review will operate, particularly in relation to where it will obtain the necessary data to conduct analysis on efficiency. As such, improvements in data infrastructure and MIS will be an important enabler. Ongoing improvements in internal business processes ensure that limited resources are used more efficiently, and also assist in reducing the regulatory burden on industry.

More broadly, ASIC should also aim to conduct a full and thorough organisational review within the next three years. This review should draw on external expertise, and could be conducted together with the review of organisational culture (see recommendation 12).

Organisation structure: recommendations summary

4.3. Regulatory tool kit — best practice in some and potential for improvement in others

ASIC's regulatory toolkit comprises:

• Education: Development and delivery of education tools, including MoneySmart and other measures to promote improved financial literacy.
• Policy development, advice and guidance: Development of policies outlining market rules (based on legislative mandate) and assistance to stakeholders to interpret legislation for example, through information sheets, regulatory guides and reports. This function is intended to improve compliance and reduce the need for subsequent surveillance and enforcement activity, as well as to ensure high quality policy.
• Authorisation and licensing: Licensing of market operators, financial institutions and financial market participants (includes granting, suspending and cancelling licenses).
• Supervision:¹³⁷ The continuous process of detection of possible harm/wrong-doing based on analysis of real-time trading on Australia's domestic markets and Australian Financial Service License holders against market integrity rules. This activity is primarily managed by the Market and Participant supervision team within MIG.
• Surveillance: Activities to detect possible harm/wrong-doing either on a reactive or proactive basis. This is a discrete and non-continuous process (in contrast to supervision), and is the primary tool used by the stakeholder teams.
• Enforcement: The responses to identified wrongdoing and harm, including administrative action, enforceable undertakings, civil and criminal prosecution.
• Collaborative partnerships: Such partnerships can act to better leverage the skills and expertise of the private sector in close co-operation with the regulator. Limited budgets and resources also necessitate a more creative approach by some regulators in pursuing collaborative partnerships for example, co-regulation, quasi-regulation and self-regulation (see Box C). This can assist in easing the resource burden on the regulator, and can ultimately deliver better outcomes for the regulated population.

This toolkit is illustrated below in Figure 28.

Figure 28: ASIC's enduring objectives and regulatory toolkit¹³⁸

ASIC's least intrusive tools — education and guidance — are also generally its most proactive and cost effective. Education and guidance enable ASIC to signal its expectations for behaviour of the regulated population. These tools utilise considerably less resources and give more certainty of outcome than an enforcement process. Done effectively, a proactive approach promotes desirable conduct and pre-empts and prevents behaviour that might later require a more intrusive and reactive response.

At the other end of the spectrum, ASIC has a range of enforcement actions — administrative, civil or criminal. Enforcement actions signal the serious consequences of misconduct, and although directed at the individual level can act as a general deterrent of future misconduct if delivered in a timely way.

As an outcome of this review, the Panel has identified a number of opportunities for improvement across the set of regulatory tools. However, those related to enforcement are the most significant, and are therefore the focus of the Panel's recommendations.

Education

ASIC's educational tools are aimed at enhancing financial literacy amongst consumers and investors.¹³⁹ Available material and programs, including MoneySmart and school education programs are widespread and have garnered a significant amount of interest amongst consumers and investors, with over five million visitors to the MoneySmart website in 2014-15.¹⁴⁰

While the overall financial literacy strategy is comprehensive and 'world best', the Panel notes an opportunity to be more targeted in how educational resources are deployed in the future. This is supported by feedback from consumer advocacy groups, which suggest that ASIC's balance between general support and targeted intervention for the most vulnerable groups should shift going forward. For example, older Australians are not explicitly targeted in any substantive sense by ASIC led initiatives in the current strategy. A nar
rower view on the most vulnerable may be a more efficient and effective use of ASIC's resources.

In deploying financial literacy resources in a more targeted and tailored way, ASIC should also look to further partner with not-for-profits and other agencies to deliver outcomes. This has been recognised by ASIC in its Financial Literacy Strategy, which states that a key priority is to 'strengthen coordination and effective partnerships'. For example, bespoke targeted programs are currently being run by not-for-profits in the area of Indigenous financial literacy, and would benefit from additional support from ASIC. While ASIC is aware of these activities and references them in its financial literacy strategy, there is currently no partnership arrangement. Common feedback from stakeholder groups suggested that, going forward, ASIC should also ensure that priorities and delivery mechanisms, which are presently guided by the Financial Literacy Board, are also informed by the insights and expertise of the Consumer Advisory Panel (CAP).

Policy development, advice and guidance

ASIC produces a wide range of guidance material to assist the regulated population in understanding laws and policies. For example, guidance may be developed where new legislation is passed, stakeholders indicate there is uncertainty about how an existing law applies, there is a general low degree of compliance or ASIC wants to communicate a specific message.¹⁴¹ The World Bank states that the consultation process should allow sufficient time for consideration, development of discussion papers to facilitate discussion, publication of drafts for comment, together with a cost and impact assessment, and a response to comments received.¹⁴²

While the majority of stakeholders agree that guidance material is generally produced proactively (66 per cent of the regulated population and 72 per cent of related stakeholders with assessment of fair, good or excellent),¹⁴³ the Panel received feedback from external stakeholders that there was often insufficient consultation, despite an average time for consultation of longer than eight weeks over the past two years. ASIC is of the view that consultation periods are sufficient, which indicates an expectations gap between internal and external perceptions.

In some cases, insufficient consultation results in policy guidance that can be impractical, require modification once implemented, or shows a lack of understanding of key issues (see section 4 in this Chapter for further discussion on ASIC's engagement with stakeholders for policy consultation). The Panel notes however, that there may be other reasons for modification, for example driven by implementation complications that could not have been reasonably foreseen during the consultation process.

Further, the Panel observed some inconsistency in how strategic policy decisions are made. For example, rules established with regard to Dark Pools and High Frequency Trading (HFT) demonstrated a sound process of issue identification, analysis, consultation and assessment prior to issuing the rules.

On the other hand, there was no documented research undertaken by ASIC with regard to the 2008 short selling ban, and ASIC failed to proactively consult with peer regulators overseas who also implemented similar bans. In this instance, ASIC implemented a ban on naked shorts in all stocks and some covered shorts on Friday 19 September 2008. Following the initial ban, the policy was then amended the following Monday (22 September) in order to ban all short selling, bringing ASIC's approach into line with that being undertaken by offshore regulators.¹⁴⁴

Section 4 of this Chapter outlines the Panel's view that a more outward oriented Commission should assist in improving the quality of policy development, advice and guidance, through ensuring Commissioners have sufficient time to meet with external stakeholders.

Authorisation and licensing

While members of the regulated population are broadly positive on ASIC's performance in providing efficient registration and licensing, the Panel believes that the general public may not fully understand what ASIC does and does not do as part of this function.

More specifically, 48 per cent of the regulated population rates ASIC's performance in meeting its objective for efficient registration and licensing as good or excellent, 32 per cent rate it as fair and 11 per cent rate it as poor or very poor.¹⁴⁵

However, the Panel is concerned that, in ASIC's 'licensing' of an intermediary, there may be an expectations gap as to the extent and rigour of merit assessment and analysis conducted. ASIC advises that it currently conducts a partial due diligence, and reviews matters such as organisational competences and resources, as well as capacity to comply with the financial services laws at the time of licensing.

However, the Panel is concerned as to whether this analysis meets the level of rigour expected by investors, who may be assuming a full merit-based assessment. In particular, there is a strong and not unreasonable presumption on the part of consumers and investors, that the issuing of a license is an endorsement of the worthiness of a licensee to hold that license. Discussions with informed stakeholders suggest this this is a potential emerging risk area, that should be reviewed by ASIC and the Government (if any legislative change is needed). This potential confusion also extends to 'registration' of a Managed Investment Scheme. This misinterpretation of ASIC's role, which was identified through the Panel's stakeholder consultation and roundtables, is a contributor to the expectations gap discussed in Chapter 2.

ASIC has also separately raised concerns with regard to its ability to protect investors. For example during the 2009 Inquiry into Financial Products and Services in Australia by the PJC, ASIC highlighted a number of issues including the 'low' threshold for entry into the licensing regime compared to the 'relatively high' threshold for cancelling a license. ASIC also indicated difficulties in trying to assess whether an applicant will comply with obligations and meet license conditions before they have commenced business. This has been amended, in part, by the FOFA reforms, which allow ASIC to refuse to issue (or cancel or suspend) a license where ASIC feels that the licensee is likely to contravene their obligations (as opposed to ASIC needing to be confident that they will). As a response to the FSI the Government has also agreed to develop legislation to enable ASIC to consider a broader range of factors in determining whether an applicant satisfies the 'fit and proper' test to be granted an AFSL and credit license.

The Panel considers that there are significant potential widespread risks in the current licensing system which fall short of desired standards and warrant the close attention of both the Government and ASIC. As a result, the Panel considers that the current approach to due diligence of potential licensees needs to be strengthened. In particular, measures should be taken to increase the current 'low' threshold for entry into the licensing and registration system, for example by increasing requirements relating to professional qualifications, standards and experience. In the view of the Panel, ASIC should seek to apply such additional requirements to the greatest extent possible within the scope of its existing powers, although some reinforcement of these powers may be necessary through legislative amendment.

These enhancements to the licensing and registration system provide an ideal opportunity for ASIC to expand its use of co-regulation models by collaborating with relevant i
ndustry associations to lift professional standards and ensure a more robust and effective regime. It is envisaged that such a co-regulation model could be funded on a full cost recovery basis as part of the licensing process. Moreover, the co-regulation model could also be used in conjunction with the Government's announced response to the FSI to strengthen ASIC's powers to ban individuals from managing financial firms and to consider strengthening ASIC's enforcement tools in relation to the financial services and credit licensing regimes.

ASIC must be continuously vigilant on managing expectations and should invest to ensure that investors and consumers have a full understanding of the types of analysis it conducts when undertaking partial due diligence. The Panel sees opportunities to apply ASIC's emerging behavioural economics capabilities to ensure that language choice reinforces the correct public perceptions.

Supervision

ASIC has invested in new technologies and systems which have delivered enhanced supervisory capabilities. This includes the Markets Analysis and Intelligence surveillance system which enables real time surveillance and the interrogation and analysis of large data sets. The PwC evidence report notes that this system has been referred to by internal and external stakeholders as best practice.¹⁴⁶ The Panel's consultation with stakeholders confirms this view is shared by market participants and the relevant regulated population cohort.

These advances have reduced the time taken to conduct searches in trading activities and to commence a formal investigation after identifying misconduct, which has halved since before 2010 (from three months to six weeks). Additionally there has been a 23 per cent reduction in the time from when ASIC first becomes aware of potential misconduct to that matter being handed over to the Director of Public Prosecutions.¹⁴⁷

Stakeholders are broadly satisfied with ASIC's market supervision, with 51 per cent of stakeholders rating it as excellent or good, 32 per cent as fair and 10 per cent as poor or very poor.¹⁴⁸

Surveillance

ASIC has taken a number of steps to enhance surveillance processes since the 2014 Senate Inquiry, although there is still scope to drive consistency across teams and to expand the range of tools being used (particularly for proactive surveillance).¹⁴⁹

Enhancements since the Senate Inquiry include the development of the Risk-Based Surveillance Guide (first issued in February 2015) and a central repository of surveillance-related information. However, while the Guide includes overarching principles for performing surveillance, application varies across teams, and there is no obligation to use the guide or follow its approach, resulting in inconsistent approaches to surveillance. While the Panel acknowledges that the approach to surveillances must be tailored, it is important that a consistent set of principles be applied to ensure external stakeholders view ASIC's decision making process as consistent across teams.

Additionally, there is further scope to enhance the range of tools being used by ASIC. For example, some peer regulators locate teams at significant regulated entities to conduct real time supervision and perform entity specific reviews of key policies and processes.¹⁵⁰

ASIC should also look to enhance its relative focus on proactive thematic investigations. For example, a number of stakeholders expressed a view that simple financial analysis across ASIC data should have been able to identify in advance some historical risk issues such as Storm Financial.

Enforcement

The Panel commends ASIC's recent work to enhance transparency through publishing Enforcement Reports, in addressing concerns on the use of Enforceable Undertakings (EUs) and in initiating 'lessons learned' reviews. However, there are a number of residual weaknesses in ASIC's current approach to litigation.

Transparency in enforcement outcomes is an important part of managing perceptions and achieving deterrence. As such, the Panel supports the introduction of ASIC's Enforcement Reports, although notes they are limited in that they report based on publicly announced actions which are not comprehensive. Therefore, there may also be a significant number of actions that are not reported upon.

Additionally, in response to the recommendations made as part of the Senate Inquiry in 2014, ASIC has taken a number of steps to address concerns raised about the transparency, monitoring and use of EUs. For example, it has incorporated the outcomes of enforceable undertakings on the register and has begun to publish summaries of expert reports that are produced in connection with enforceable undertakings. Additional enhancements include:¹⁵¹

• the development of a set of guidelines for independent experts appointed under an EU;
• regularly negotiating independent monitoring of EUs;
• including further information in annual reports;
• changes in relation to drafting, implementation and monitoring of EUs.

ASIC has also accepted recommendations proposed by the Australian National Audit Office following its review of ASIC's administration of EUs in June 2015 to address concerns about record keeping and measuring effectiveness.¹⁵²

In the past ASIC has conducted ad-hoc legal reviews and hindsight reviews of major cases. Since 2013, some parts of ASIC have formalised this process and introduced 'lessons learned' reviews to identify ways to continually improve performance. These are generally conducted internally as a workshop and contain an overview of the specific project/case, and a discussion of what was done well, what could have been improved, and agreement on a list of recommendations for future projects.¹⁵³ Findings are reported to the Enforcement Committee. However, informed stakeholder feedback indicates that this is yet to translate to material improvement in ASIC's approach to enforcement.

In general, based on pertinent stakeholder feedback, the Panel understands that litigation practices of peer regulators (such as the ACCC, ATO), following recent concerted improvement, display the following features:

• focused pleadings;
• early identification and narrowing of matters in issue;
• targeted evidence, including expert evidence and willingness to use expert conclaves;
• willingness to engage and work collaboratively with opposing parties, to progress cases to trial and resolve potential interlocutory matters by consent as far as possible, without resort to court rulings;
• willingness to explore early private resolution of interlocutory issues and cases generally;
• willingness to enter into arrangements with opposing parties to expedite trial processes;
• cases that are conducted in accordance with best practice approaches to litigation.

While views regarding ASIC's approach to litigation are not universal, some informed external stakeholders interviewed by the Panel expressed concern that ASIC's approach to litigation is lagging against some of the above features, relative to peer regulators, and that this gap is widening in some instances. This is also broadly in line with the views expressed by the High Court in the 2012 Fortescue Case.¹⁵⁴

To enhance the use of enforcement as a regulatory tool, the Panel recommends that ASIC:

• develop a targeted approach to litigation, pushing risk appetite to pursue cases t
  hat are strategically important, particularly in testing the veracity of the law pursuing conduct. While ASIC is able to cite a number of specific examples¹⁵⁵ where they have pursued strategically important cases, it is the view of a number of informed stakeholders consulted by the panel that ASIC is not doing enough in this area, or as much as peer regulators;
• enhance pleading tactics, by developing cases with more focused pleadings;
• ensure that workforce planning provides for the right skills and capabilities in litigation (see section 1 of this Chapter for a discussion of work force capabilities);
• ensure selection of senior counsel is not swayed by 'rack rates' as opposed to overall cost effectiveness;
• use litigation as a way of communicating key messages to the regulated population to have the desired deterrence effect. The ACCC does this effectively through targeted stakeholder consultation in establishing annual priorities and a concerted and strategic communications program delivered by the ACCC Chair and Commissioners. There is a persistent perception (including among informed stakeholders) that this is not being pursued by ASIC to the fullest extent possible and that the current strategy is not having the desired effect.

ASIC should also consider formalising the use of Skilled Person Reviews as an extension of the enforcement toolkit. This tool is currently employed by the FCA and allows it to commission reviews by external consultants to obtain an understanding of aspects of a regulated entities activities that cause the regulator concern or where further analysis is warranted.

Collaborative partnerships

Currently, ASIC is engaged in a limited number of collaborative partnerships (see description in Box C above). The Panel notes some partnerships existing prior to ASIC taking over responsibility for the relevant area, such as:

• The Takeovers Panel was established in its current form under the ASIC Act (but based on its predecessor the Corporations and Securities Panel), and has powers under the Corporations Act.¹⁵⁸
• Some External Dispute Resolutions (EDR) schemes developed prior to ASIC assuming responsibility for consumer protection in 1998. Since then, ASIC has provided input to develop and rationalise EDR.
• Insurance and banking codes of practice.

In other circumstances, ASIC has played a key role in developing more collaborative relationships:

• The Markets Disciplinary Panel, which draws on some elements of disciplinary arrangement in place with the ASX prior to 2010, but also has incorporated elements that were not present in the ASX predecessor.¹⁵⁹
• The ePayment Code, which was recently developed in partnership with the RBA, ACCC and industry.

Quasi-regulation conducted by industry bodies includes:

• The ARITA Code of Professional Practice, which establishes a standard for professional conduct in the insolvency profession
• Audit surveillances and report writing by the Chartered Accountants Australia and New Zealand (CA ANZ) and CPA Australia, which are considered by ASIC.

The Panel appreciates that there are mixed views around co-regulation and other forms of quasi-regulation and self-regulation, and that these arrangements are not always appropriate. For example, there is generally less reliance on these forms of regulation in the case of exchanges, given the need to ensure neutrality of the regulator where there is exchange competition and to manage conflicts of interest.

That being said, the Panel has formed the view based on consistent stakeholder feedback and its own assessment that there remains scope to expand use of collaborative partnerships (co-regulation, quasi-regulation, and self-regulation) to more effectively leverage private sector expertise to achieve better regulatory outcomes. For example, as discussed earlier in this Chapter, there may be scope to use co-regulation to enhance the effectiveness of the licensing regime. Increasing the use of these arrangements would assist ASIC to lower the cost to the regulated population, and would also deliver more effective and efficient outcomes in some cases.

Entities for which this may be appropriate include auditors and insolvency practitioners, although the choice should ultimately be informed by a thorough assessment of the relevant industry associations, and the extent to which they are able to monitor, review and discipline market participants.

The appropriate type of arrangement will be dependent on the target industries, but could be modelled on the Takeover Panel and the Markets Disciplinary Panel (with suitable modifications). The credibility of these Panels is derived in large part by the fact that industry participants are being judged by peers, who have relevant market knowledge and expertise.

Industry bodies could also be established as licensing agents under the supervision of ASIC. This latter case would be similar to the independent industry funded body to be established to set industry standards for financial planners, as part of the Government's response to the FSI (although in this case the body would be under the supervision of ASIC, rather than being independent).

The Panel recognises that confidence around the efficacy of associations will be a major consideration in pursuing this recommendation, but suggests that ASIC begin to work toward this as a desired longer-term position. For example, the Panel notes the opportunity for co-regulation to evolve to more rigorous merit based licensing processes based on full cost recovery. This would address community misperceptions as to the nature of the current licensing processes of ASIC.

Regulatory toolkit: recommendations summary

4.4. Stakeholder management — a tiered strategy needed and scope for better leverage

In assessing stakeholder management, the Panel distinguishes between:

• engagement and relationship management of regulated entities, through formal engagements (for example, warning or no action letters and formal notices) and meetings;
• the consultation process for policy and guidance material development (with industry, investors and financial consumers, and other government departments and agencies);
• engagement with external advisory panels; and
• engagement with other regulators (domestic and international).

Relationship management of regulated entities

Regulated entities express frustration over a perceived lack of coordination across teams within ASIC. In particular, the Panel identified that handovers between the Stakeholder and Enforcement teams were a consistent theme in this feedback. Referral to the enforcement team occurs when the surveillance team identifies a significant contravention of the law and concludes that enforcement will result in a significant impact (based on a formal triage process). The Panel identified a number of challenges with the way stakeholder relationships are managed through this process. For example:¹⁶⁰

• Stakeholders report that they are often not made aware that a matter has moved from surveillance to enforcement until contacted by the enforcement team for documentation and information.
• Stakeholders expressed a sentiment of 'starting again' when a matter is moved to enforcement.
• In some instances, data requests are duplicated (resulting in unnecessary cost burdens both for ASIC and affected entities), and the Enforcement team does not always attempt to source documents internally.
• The quality of communication and engagement may vary across teams dealing with the same stakeholders, and this can involve inconsistent or 'mixed' signals as to the approach being adopted by ASIC.

It is worth noting that stakeholders have identified that these challenges are less present in MIG, where there is perceived to be a stronger relationship between Stakeholder and Enforcement teams.¹⁶¹

Additionally, large diversified entities may have touch points across multiple stakeholder teams and some stakeholders expressed concern about the additional burden this creates where there are a number of matters underway at any one time.¹⁶² While there are examples of stakeholder teams within ASIC that have relationship managers allocated to key regulated entities or stakeholders (for example, MIG and some stakeholder teams in Investors and Financial Consumers), there is not currently a formal or consistent approach to this across the organisation and remains contained within existing silos.

To address concerns around often uncoordinated interactions, the Panel recommends ASIC introduce a formal tiered stakeholder relationship model. This is supported by the findings of the Susan Bell Research Survey, which found 'building a relationship management model' in the top three suggested focus areas for ASIC.¹⁶³

The model should allow scope for differential levels of engagement based on the nature, scope, and complexity of the regulated entities. Risk tiering should also be used as a key input into designing the relationship model to ensure resources are deployed to the areas of highest priority. An example structure is laid out below in Figure 29. In this example, it should be noted that coverage for mid-sized firms would vary over time depending on whether or not they are exposed to what ASIC considers to be key risk concentrations at that point in time.

Figure 29: Stakeholder relationships: tiered coverage model

Consultation process

The Panel also observed an expectations gap with regard to the quality of consultation in policy guidance, with 97 per cent of ASIC leadership rating ASIC as good or excellent on its willingness to consult with industry on policy guidance compared to 33 per cent of the regulated population.¹⁶⁴ Interviews and roundtable discussions highlight key shortcomings in the process including:

• External stakeholder perceptions that response times are too short, and provide insufficient opportunity for industry to fully consider all issues. This is despite an average consultation period of over eight weeks in the past two years.
• A perception that ASIC sometimes disregards the outcomes of the consultation process. However, the Panel acknowledges that ASIC will not be able to, and should not seek to, act on all suggestions received during consultation.
• Limited use of smaller roundtable style meetings with groups of stakeholder with common interests.
• A perceived disproportionate focus on feedback from larger stakeholders (industry funds, banks, insurance companies).
• The tendency to sometimes come across as demanding, rather than consultative.
• Insufficient and ineffective use of external panels, and a lack of documented evidence of how input is incorporated.

While the quality of policy guidance is generally high, there are some cases where sub-optimal policy outcomes (policies that are impractical require modification once implemented or show a lack of understanding of key issues) could have been avoided if consultation was more extensive. For example, in the case of the 'bad apples' and 'culture' projects (focus on identifying 'rogue' financial planners and improving financial firm culture and conduct respectively), the Panel received consistent feedback from external stakeholders that ASIC failed to provide sufficient upfront detail on project scope and objectives. As a result stakeholders were not able to provide input on suggested ways to approach the issue or to help shape information requests to be as efficient as possible.

Moving to a more outward oriented model will require the implementation of recommendation 5, such as the elevation of the Commission to a non-executive role, to enable focus on strategy, accountability and external engagement (see Chapter 2 for further discussion). In becoming more externally aware, the Panel expects that the Commissioners and organisation will engage more frequently and rigorously with stakeholders to improve policy outcomes.

External advisory panels

ASIC relies on a number of external advisory panels, described in Chapter 1 and Commissioners provided positive feedback on the value they see from these panels. It is broadly accepted that the Consumer Advisory Panel and MSAP are functioning well.¹⁶⁵ Additionally, several cases of panel impact were brought to the Panel's attention, including the role of the Director Advisory Panel in assisting ASIC in finalising its approach in respect of proxy advisors.

However, the Panel is not fully confident that ASIC is currently obtaining the maximum value of advisory panels. While ASIC was able to demonstrate through a number of examples the impact that panels can have, interviews did not indicate a consistent view of how panels are being used to deliver impact. Further ther
e was little documentation demonstrating exactly how panel views were included in the strategy planning processes. Additionally, the Panel notes that there is limited active management of external panels, and there is limited formal responsibility within ASIC to ensure panel recommendations are acted upon. Further, ASIC does not formally assess the performance of panels once they are established.¹⁶⁶

As such, the Panel recommends making a number of changes to calibrate the way external panels are structured and used. This includes reviewing:

• Membership renewal and targeting to ensure members have the necessary skills to advise on future challenges.
• Structure, with the possibility to move to a more nimble model based on a larger pool of relationships that can be drawn on in combination as required — a true panel model as opposed to the current standing committee style which can result in a 'set and forget' approach.
• Forward agenda, to ensure panels focus on key strategic questions.
• Minutes, in order to increase the likelihood that the results of panel discussions will feed into strategic decision making.
• Ongoing effectiveness of the model and outcomes by the Commission.
• Assigning formal responsibility to internal ASIC staff to act upon panel recommendations.

See also discussion in Chapter 3 on the role of external panels in the strategy setting process.

Domestic and international regulators

ASIC coordinates with both domestic and international regulators, including through the CFR and the International Organisation of Securities Commissions (IOSCO). This can take the form of cross-regulator taskforces, such as the Serious Financial Crimes Taskforce and Project Wickenby, or through any bilateral interaction.

The Panel has identified a number of areas where coordination with domestic regulators (for example, APRA) could be enhanced. In particular:

• enhanced data sharing (discussed further in section 5 of this Chapter);
• improving the role of the CFR in coordination (see Chapter 5);
• coordination of stakeholder management (where appropriate) to minimise the regulatory burden. For example, regulators can coordinate information requests and work together to ensure there is no contradiction in their policies and rules.

ASIC's current Chairman is also the current head of IOSCO. This has had a number of positive outcomes for Australia, including raising the country's profile, ensuring that the international regulatory agenda takes account of Australian issues, and in helping to move Australia's capital markets toward greater global integration. The importance of this role further increases the imperative to reduce the operational burden of the combined executive and governance roles (discussed in Chapter 2), in order to allow sufficient time for strategic and accountability work. The Panel recommends that Commissioners continue to seek out similar opportunities for integrated regulators leadership in the future.

Stakeholder management: recommendations summary

4.5. Data infrastructure — work underway but a long way to go

ASIC's capacity to understand the behaviour of regulated entities and to detect potential harms greatly depends on the quality of its IT infrastructure and data, the efficacy of its data tools and the expertise of staff. ASIC has already heavily invested into upgraded IT and data infrastructure to address identified weaknesses, although additional work will be required to close the gap to best practice.

Identified data infrastructure weaknesses

In assessing the quality of data infrastructure, the Panel has considered three components:

• data management: the quality of the data environment, including how it is captured and stored (that is, data architecture);
• data usability: the extent to which the data can be easily accessed and used in analysis, by both ASIC staff and the public (under the requirements of the ASIC Act);
• data use: the way in which data is used (via analysis) to drive decision making.

Challenges faced as a result of the current data infrastructure were a theme in the staff survey, interviews and roundtable discussions. For example, only 62 per cent of staff agree it is easy to locate required information (20 per cent neutral, 18 per cent disagree).¹⁶⁷ Identified weaknesses in current infrastructure span across each of the three components considered by the Panel.¹⁶⁸ The majority of these issues have been recognised by ASIC and improvements are underway.

• Data management:
  • reliance on legacy infrastructure for example, IBM 3090 mainframe applications and 100+ Lotus Notes applications, no integrated operating platform;
  • differences in data collection and recording practices across the organisation, which evolved differently based on the easiest way of capturing that data. For example, taxonomies used across teams differ;
  • limited data digitisation;
  • data architecture being built and maintained 'in house', where there could be a possibility to outsource for improved and lower cost outcomes.
• Data usability:
  • inefficiencies in data search functionality across multiple siloed data bases;
  • difficulties in obtaining a whole-of-ASIC view about an entity or individual;
  • skills gaps, including business analyst capability, data specialists;
  • whole classes of data made available as PDF only, limiting how they can be used (for example, can be used to verify firm is listed, but needs to be manually processed before it can be used for analytical purposes);
    • This has also been impacted by funding constraints and the non-digital form of data specifications under current legislation. As such, legislative change may be required to enable ASIC to obtain data in the required format.
  • limited progress on using data to measure operational efficiency of internal processes;
  • lagging progress on open data, although this is consistent with slow Government-wide progress in developing a coordinated data policy and removing legislative restrictions.
• Data use:
  • Lack of progress on big data capabilities compared with peers. While ASIC has begun to address the required infrastructure to support analytics in the future, it has not defined how it plans to use 'reg-tech' capabilities or how it will develop the capabilities to complete this analysis internally. In contrast, regulators such as the SEC and FCA are more progressed for example, the SEC is developing a National Exam Analytics Tool to access and systematically analyse massive amounts of trading data from firms in a short time for examination/supervision purposes.
  • MIS for internal management (management dashboard reporting) and the ability to measure internal efficiency. This has limited the ability of the Panel to make a full assessment of ASIC's capabilities, including the efficient and effective use of resources.
  • There is no Chief Data Officer to lead data-driven transformation.

Further, the Panel notes that total IT investment across ASIC has decreased
11.7 per cent in the past three years, with the largest proportion of spend directed to business as usual and supporting legacy infrastructure.¹⁶⁹

Existing transformation projects

ASIC's senior management understands that ASIC needs to develop better IT systems and improve its analytical capabilities, and acknowledges this in the 2015-2019 Corporate Plan. As such, work to address some of these concerns has already begun, and there are currently three key initiatives driving the transformation of the Regulatory business:¹⁷⁰

• The FAST Program (Flexible Advanced Surveillance Technologies): a four year, industry funded program established in 2012. This program includes the implementation of a new Integrated Market Surveillance System (to replace the legacy SMARTs system), a regulatory compliance portal, enhanced investigation analytics capabilities, and delivery of end to end management and supervision of workflows across the Market Participants team.
• The Regulatory BOM (Business Operating Model) Commission paper: a strategic blueprint defining current state, drivers of change and target state, and a transformation strategy for the Regulatory Business. This program was led by two external expert consultants and was also independently reviewed by another external service provider. The results of this paper were used to inform the FAST 2 program development.
• The IT component of the OneASIC program (FAST 2): a business led program to address issues identified in the Regulatory BOM project. The IT component will address issues around data search functionality (including PDFs), delivering a common language and standardised data fields, a new search tool and common workflows.

However, the Panel has some concerns, particularly in regard to the FAST 2 project:

• ASIC was not able to provide documents outlining the business case for the investment. The Panel therefore feels unable to make a fully informed assessment as to the scope and likely impact of the changes and is not sure how extensively these were considered.
• Participants in roundtables, interviews and in the staff survey indicated that the IT strategy is still catching up on historical under-investment in infrastructure. Therefore the Panel is concerned that the plans may not be 'future proofed' (that is, it may not provide adaptability for future requirements), and will deliver a system that is relevant for today, but might be behind contemporary peer practice. As noted in the PwC evidentiary report, 'this will still leave ASIC with additional investment required to ensure they are a leading international regulator where data and technology are fully harnessed'.¹⁷¹
• As stated in the PwC evidentiary report, 'ASIC seems to have been slower to recognise the importance of data analytics and innovation than organisations such as the ATO and RBA but is now trying to catch up. These regulators' investment in better data management and analytics is ahead of ASIC's by a number of years.'¹⁷² This sentiment was echoed in external roundtable discussion on technology and big data. At present, existing programs appear to be focused on closing an existing gap, rather than moving directly to best practice. Acceleration of these programs is likely to be necessary for ASIC to keep pace with the rate of change in markets, products and services in which it regulates.¹⁷³
• The program needs to be complemented by improved reporting to ensure that necessary MIS can be produced, for example to measure and report on internal efficiency metrics.
• The program has been designed around existing processes, which may not be efficient and raises potential issues of retrofitting in the near term if business processes are structurally changed.

Overall, the Panel concludes that while the program will close existing gaps, it will likely still leave ASIC lagging compared to peer regulators when it is implemented. This issue was a focus area of PwC's expert assessment of ASIC's IT programs. While PwC's report was purely a factual evidence collection exercise and did not include observations and judgement, the PwC expert conducting the IT assessment has reviewed this section of the Panel's report and agrees with the Panel's conclusions.

Further requirements

Further improvements in ASIC's smart use of data may emerge to address these issues through ASIC's data analyst network. This group of 75 staff from across business and IT has the aim of increasing knowledge and capability in areas of understanding power of data and driving further enhancement of data analysis capability.

It is also worth noting that some stakeholders have raised concerns over data accessibility under the potential sale of the registry business and that these were not identified or addressed in the ASIC Corporate Plan. The Panel suggests that ASIC address these data access and other risks in sale planning and execution.

ASIC should continue with existing transformation programs to address legacy system issues. However, further work will be required to close additional gaps. For example, enhancing MIS to include efficiency statistics that can be used to inform decision making.

A separate body of work will also be required to drive data management and analytics across ASIC. Addressing the underlying data management infrastructure is an important first step in developing big data capabilities. While these projects are ongoing, ASIC should look to understand exactly how it plans to use 'reg-tech' analytics to extract meaningful insights from improved data. For example, it should conduct a scan of peer regulators to identify how big data is being used elsewhere. ASIC can then conduct a gap assessment against current capabilities to identify additional requirements for investment. ASIC should also look to build or acquire the relevant expertise to run big data analytics programs. Secondment of data analytics specialists or leading peers could be a solution to build from within (see section 1 in this Chapter).

ASIC should also take an active role in promoting more open government data sharing across financial regulators, through the CFR. ASIC has vast amounts of valuable data and limited legal limitations on sharing information with, and receiving information from other regulators. Given internal resourcing constraints, ASIC would directly benefit from the private sector and academics undertaking more extensive research and analysis on ASIC data sets. Given that they provide new perspectives, they could provide alternative insights on developments, and would also be able to improve the quality of the data through curating and advising on anomalies or limitations in the data made available.

The Panel acknowledges that upgrading the data infrastructure will be expensive, and will likely require additional government funding.

Data infrastructure: recommendations summary