Although Australia’s GDP contracted by 1.1% in 2020,1 its worst economic performance in almost three decades,2 the country has had a swift and strong recovery. Consumer and business spending are high, exports are booming, unemployment has dipped to 5.1%3 and the economy is now larger than it was pre-pandemic.4 Australia’s promising outlook is at risk, however, as a June 2021 outbreak of the dangerous COVID-19 Delta variant placed about half of the country’s population under lockdown,5 and a slow vaccination rate has compounded this uncertain landscape.
Regulators must accelerate the digitalization of the economy in order to secure Australia’s recovery from the COVID-19 pandemic. The government has spearheaded numerous initiatives aimed at bolstering Australia’s digital transformation, such as the Artificial Intelligence (AI) Action Plan and the Digital Economy Strategy, as the country’s competitiveness has lagged in recent years. Australia ranked seventeenth in the world for its digital economy on the 2020 Digital Intelligence Index, a downgrade from its 2017 ranking as number eleven.6 Greater investments in digital talent and innovative technologies like cloud, internet of things and big data could help the country contend with digital powerhouses such as the EU, Korea, Singapore and Taiwan.
Efforts toward strengthening cybersecurity will be especially critical in safeguarding financial stability and future-proofing the economy. In April 2021, the Australian Prudential Regulation Authority (APRA) identified cybersecurity as one of three main areas integral to the financial sector’s long-term strength and resilience.7 The national Cyber Security Strategy, released in August 2020 amidst increasingly frequent and sophisticated cyberattacks, allocates AUD $1.67 billion (approximately USD $1.25 billion) towards cybersecurity over a ten-year period.
Australia’s ambitious 2021 digital agenda also focuses on the expansion of the national digital identity scheme, reforms to the anti-money laundering and counter-terrorist financing framework and amendments to the Consumer Data Right framework. The Reserve Bank of Australia has been investigating the risks and benefits of issuing a central bank digital currency (CBDC). In November, the central bank partnered with Commonwealth Bank, National Australia Bank, financial services company Perpetual and blockchain software technology company ConsenSys to launch a project exploring a DLT-based, wholesale CBDC.
Financial Regulatory Authorities
The Reserve Bank of Australia (RBA) is Australia’s central bank, charged with issuing the country’s currency and maintaining economic stability. The Reserve Bank’s Payments System Board governs and develops payments system policy.
The Australian Competition and Consumer Commission (ACCC) is a regulatory commission operating under the Department of the Treasury. The Commission is mandated with protecting consumer and business rights, industry regulation, and preventing anti-competitive market and business practices.
The Australian Securities and Investments Commission (ASIC) is the supervisory body overseeing the country’s securities market. The commission primarily enforces trading practices and laws against misconduct in the financial sector.
The Australian Prudential Regulatory Authority (APRA) promotes financial stability and supervises institutions in the banking and insurance sectors.
The Council of Financial Regulators (CFR) is an independent coordinating body for the Country’s main financial regulatory agencies. The members are the RBA, ASIC, the Australian Prudential Regulatory Authority (APRA), and the Department of the Treasury.
The Department of the Treasury is Australia’s main economic policymaker. The Treasury is also responsible for the nation’s federal budget and market regulation.
The Office of the Australian Information Commissioner’s (OAIC) is the national data protection agency that enforces the country’s Privacy Act and other related privacy laws. The commission dispenses guidance to entities regarding Privacy Act compliance.
Policy, Laws and Regulations
Non-Bank Lending and Financing Sector Risk Assessment, 24 June 2021
The Australian Transaction Reports and Analysis Centre (AUSTRAC) published its Non-Bank Lending and Financing Sector Risk Assessment for money laundering and terrorist financing. AUSTRAC designates the overall threat of money laundering and terrorist financing to the non-bank lending and financing sector to be at a medium level, while terrorist financing alone presents a low threat. The principal threat to the sector is fraud, especially loan application fraud, identity fraud and welfare fraud. Main vulnerabilities include cash deposits facilitated through third-party branches or agents, online delivery channels and a low rate of direct customer interaction. Cash deposits facilitated through third-party branches or agents limits institutions’ ability to conduct oversight and detect suspicious activity, particularly when the transaction falls below the transaction reporting threshold. Although individuals present a lower risk of money laundering and terrorist financing than do non-individuals, a low rate of direct customer interaction further inhibits institutions from conducting oversight and lowers transparency. The increased use of online delivery channels has also complicated the threat landscape as it facilitates cyber fraud, as with the cases of fraudulent loan applications.
Action Plan for Artificial Intelligence, 17 June 2021
The government released the AI Action Plan, which outlines measures towards making Australia a global leader in the development and adoption of “trusted, secure and responsible AI.” The four focus areas towards achieving this goal include:
- “Developing and adopting AI to transform Australian businesses
- Creating an environment to grow and attract the world’s best AI talent
- Using cutting edge AI technologies to solve Australia’s national challenges
- Making Australia a global leader in responsible and inclusive AI”8
The action plan includes a AUD $124.1 million (approximately USD $93 million) investment towards implementation of the measures, alongside the establishment of a National AI Centre, four Capability Centres and a Next Generation AI Graduate program.
AML/CTF Reforms, 15 June 2021
The Anti-Money Laundering and Counter-Terrorism Financing Rules Amendment Instrument 2021 (No. 1) was registered in the federal register of legislation. The instrument implements some of the changes made by the Anti-Money Laundering and Counter-Terrorism Financing and Other Legislation Amendment Act 2020 by amending several chapters of the AML/CTF framework. Amendments to Chapter 3 on correspondent banking now require a correspondent to assess ML/TF risks of a correspondent banking relationship when conducting initial due diligence, as well as ongoing due diligence. Amendments to Chapter 6 specify the requirements for a reporting entity when there is suspicion as to the veracity or adequacy of previously obtained information per customer due diligence and know-your-customer (KYC). The reporting entity must take swift measures to gather and obtain additional KYC information, and update and verify existing KYC information. Amendments to Chapter 7 (reliance on third parties) expand the procedures that may be utilized for customer identification. Per the explanatory statement accompanying the instrument, “These are customer due diligence procedures that have been carried out by another person in accordance with one or more laws of a foreign country. The foreign law or laws must give effect to the FATF Recommendations relating to the identification and verification of customers, beneficial owners and agents, and record-keeping of these procedures.”
Data-Matching Program Regarding Cryptocurrency Designated Service Providers, 08 June 2021
The notice “Commissioner of Taxation – Notice of a data-matching program - Cryptocurrency 2020-21 to 2022-23 financial years” was published in the federal register of legislation. The notice announces that the Australian Taxation Office (ATO) will acquire account identification and transaction data from cryptocurrency designated service providers for 2021 through 2023, as an extension of the data-matching program first launched in April of 2019. The data to be obtained includes client identification details and transaction details. The ATO has expressed concern that the anonymity in the trade of crypto assets has facilitated tax evasion.
Proposed Updates to the ePayments Code, 21 May 2021
The Australian Securities and Investments Commission (ASIC) published a consultation paper detailing proposed updates to the ePayments Code, “a voluntary code of practice that regulates electronic payments.” ASIC proposes to make the code mandatory, allow the authority to conduct
“targeted ad hoc monitoring of compliance,” extend the code to small businesses and incorporate biometric authentication into the code. Biometric authentication would be defined and incorporated due to the increasing use of biometrics (e.g., fingerprints) in the authentication of transactions. The current code does not mention biometric authentication, as it was not widely utilized the last time the code was reviewed. The updated ePayments Code is expected to be released in late 2021.
Government Launches Digital Economy Strategy, 06 May 2021
As part of the 2021 Federal Budget, the government launched the Digital Economy Strategy, which allocates AUS $1.2 billion (approximately USD $901 million) towards digitalization policies and actions. The government aims to become a “modern and leading digital economy by 2030.” Initiatives include:
- “Over [AUS] $100 million to support digital skills for Australians
- Building Australia’s capability in Artificial Intelligence
- Enhancing Government services
- Investment incentives
- Helping small and medium businesses
- Unlocking the value of data in the economy
- Strengthening safety, security and trust”9
The government will also seek to bolster cybersecurity by:
- Allocating AUD $43.8 million (approximately USD $32.9 million) towards expanding the Cyber Security Skills Partnership Innovation Fund
- Establishing a ‘Secure G’ Connectivity Test Lab “in partnership with the private sector to trial innovative approaches to network security and data protections”10
- Creating a National Data Security Action Plan that establishes a roadmap for the development of clear data security standards
- Piloting three Cyber Hubs “to enable leading agencies such as Defence, Home Affairs and Services Australia to provide cyber services for those agencies that cannot match their breadth and depth of skills”11
The Australian government has been especially keen to digitalize its services, promote digitalization in the private sector and invest in innovative technologies. Per the Digital Transformation Strategy, launched in 2018, Australia seeks to become one of the globe’s top three digital governments by 2025.
Updated New Payments Platform Roadmap, 29 April 2021
The Australian New Payments Platform (NPP) issued its updated New Payments Platform (NPP) Roadmap, along with updates on its increasing use. The NPP, launched in February 2018, is an open access infrastructure designed to facilitate near real-time, 24/7 payments in Australia. As of April 2021, 2.2 million transactions are conducted per day on the NPP, and it is utilized by over 105 financial institutions. The Updated NPP Roadmap addresses the progress in the development of a capability that enables customers to authorize third parties to initiate payments from their bank accounts, using the NPP. Due to numerous factors, including the COVID-19 pandemic, the implementation date is expected to be in early-to-mid-2022.
Update to Victoria’s e-Signature Law, 23 March 2021
The state of Victoria passed the Justice Legislation Amendment (System Enhancements and Other Matters) Bill 2021, which amends the Electronic Transactions (Victoria) Act 2000 and allows for the electronic signing and remote witnessing of legal documents. Documents include deeds, mortgages, wills and powers of attorney. The law makes permanent emergency measures that were temporarily instituted due to the COVID-19 pandemic. It went into effect 26 April 2021.
Victoria's amended law is progressive in that it permanently allows electronic signatures and remote witnessing to be used for critical estate planning documents including wills and powers of attorney. Globally, many jurisdictions have been slow to permit e-signatures for such documents although in many cases e-signature laws were enacted a decade or two before.
Cyber Operational Resilience Intelligence-Led Exercises Framework, 07 December 2020
The Council of Financial Regulators (CFR) unveiled its Cyber Operational Resilience Intelligence-Led Exercises (CORIE) pilot program guideline for financial institutions in Australia. The CORIE framework, developed in response to increasing cyber threats to the financial sector, utilizes targeted threat intelligence to test institutions’ cyber resilience and help regulators understand systemic weaknesses in the sector’s cyber readiness. According to a press release, “CORIE's exercises will mimic the tactics, techniques and procedures (TTPs) of real-life adversaries, creating and utilising tools, and using techniques that may not have been anticipated and planned for. These exercises measure the ability of an organisation to detect, respond and recover from the operations of a real adversary based on such TTPs.” CORIE has begun as an industry pilot program composed of key financial institutions, invited by the CFR, to provide feedback on the framework and gauge its effectiveness.
Consultation on Phase 2 of Digital Identity Legislation, 14 June 2021
Consultation on Phase 2 of the Digital Identity Legislation closed July 14, and the bill is expected to be introduced to Parliament in late 2021 after a third phase of drafting and consultation. The Digital Identity Legislation aims to expand the Australian digital identity framework into the private sector and state and territory governments, in what the government dubs a “whole-of-economy” solution. Per Phase 2 of the drafting process, the government maintained proposals for a permanent oversight authority, an accreditation system and non-mandatory participation; introduced an interoperability principle and changed the definition of digital identity. Digital identity is thus defined as “a distinct electronic representation of an individual which enables that individual to be sufficiently distinguished when interacting online, including when accessing online services.” The interoperability principle clarifies how system participants work together. The legislation also aims to secure privacy consumer safeguards by law. Under the current Digital Identity scheme, Australians can access over 75 government services through two accredited identity service providers, Australia Post and myGovID. According to the Minister for Employment, Workforce, Skills, Small and Family Business, Stuart Robert, over 2.5 million Australians and 1.27 million businesses utilize digital identity to access government services.12
Amendments to the Consumer Data Right Rules, 30 June 2021
The Australian Treasury issued exposure draft amendments to the Consumer Data Right (CDR) rules, the third version of the rules. The CDR, introduced in 2017, aims to give Australians greater control over the use and disclosure of their data within the economy. The draft amendments seek to enable greater participation in open banking. Barriers to entry, including the cost of accreditation, have dissuaded some businesses from adopting it. They introduce a sponsored accreditation model, by which an accredited person can sponsor a party seeking to become accredited. Parties seeking accreditation could also forego accreditation by becoming a CDR representative, and an accredited person would assume liability on their behalf.
The draft amendments also grant consumers more flexibility and power over their data. Consumers would be allowed to share data with a trusted professional advisor, including lawyers, financial counselors, financial planners, mortgage brokers, registered tax agents and qualified accountants. Per the proposed “CDR insight,” consumers could consent to the sharing of their data outside the CDR framework for low-risk, prescribed purposes necessary for the consumer to receive a service. Prescribed purposes include consumer identification and verification of the consumer’s account balance, income and expenses. Under the current CDR, both joint account holders must indicate their willingness to share account data in the case that one account holder seeks to share it. The draft amendments allow for one joint account holder to independently share data by consenting to an accredited party, and either of the joint account holders can invalidate the setting.
Ransomware Payments Bill 2021, 20 June 2021
The Ransomware Payments Bill 2021, introduced in the Parliament of the Commonwealth of Australia, introduces a requirement for all Commonwealth entities, state or territory agencies, businesses and others to report ransomware payments made in response to a ransomware attack. Obliged entities must report all ransomware payments to the Australian Cyber Security Centre (ACSC). Ransomware attacks have become increasingly prevalent in Australia and around the globe as the COVID-19 pandemic spurred entities to digitalize. According to the ACSC, Australians report an average of 164 cybercrimes per day.13
1. Hutchens, Gareth et al. “GDP figures show economy shrank in 2020 but grew 3.1 per cent in December quarter.” Australian Broadcasting Corporation, 02 March 2021. https://www.abc.net.au/news/2021-03-03/gdp-december-quarter-2021/13210412.
2. “Australia in first recession for nearly 30 years.” BBC, 02 September 2020. https://www.bbc.co.uk/news/business-53994318.
3. Pandey, Swati. “Analysis: Shut off from the world, Australia fosters red-hot growth at home.” Reuters, 28 June 2021. https://www.reuters.com/world/asia-pacific/shut-off-world-australia-fosters-red-hot-growth-home-2021-06-27/.
4. Pandey, Swati. “Australia’s economy booms to pre-pandemic levels as consumers, businesses spend.” Reuters, 02 June 2021. https://www.reuters.com/world/asia-pacific/australia-gdp-climbs-18-q1-back-pre-pandemic-time-2021-06-02/.
5. “Australia Covid: Seventh city locks down amid vaccine chaos.” BBC, 01 July 2020. https://www.bbc.co.uk/news/world-australia-57661144.
6. Kowalkiewicz, Marek. “Did someone drop a zero? Australia’s digital economy budget spend should be 10 times bigger.” The Conversation, 12 May 2021. https://theconversation.com/did-someone-drop-a-zero-australias-digital-economy-budget-spend-should-be-10-times-bigger-160626.
7. Libatique, Roxanne. “What key issues must the financial sector address post COVID-19?” Insurance Business, 29 April 2021. https://www.insurancebusinessmag.com/au/news/breaking-news/what-key-issues-must-the-financial-sector-address-post-covid19-253567.aspx.
8. “Australia’s AI Action Plan.” June 2021. https://www.industry.gov.au/sites/default/files/June%202021/document/australias-ai-action-plan.pdf.
9. “Digital Economy Strategy 2030.” https://digitaleconomy.pmc.gov.au/sites/default/files/2021-05/digital-economy-strategy.pdf.
10. “Australia’s Digital Economy.” https://digitaleconomy.pmc.gov.au/strategy/foundations/cyber-security.
11. “Australia’s Digital Economy.” https://digitaleconomy.pmc.gov.au/strategy/foundations/cyber-security.
12. Brookes, Joseph. “Govt unveils digital ID private sector expansion plans.” InnovationAus, 10 June 2021. https://www.innovationaus.com/govt-unveils-digital-id-private-sector-expansion-plans/.
13. Khadem, Nassim. “Are Australians at a 'turning point' on cybersecurity or still unprepared?” Australian Broadcasting Corporation, 10 January 2021. https://www.abc.net.au/news/2021-01-11/australians-turning-point-on-cyber-security-cyberattacks-crime/13018884.
*DISCLAIMER: This information is OneSpan's interpretation of the compliance requirements as of the date of publication. Please note that not all interpretations or requirements of the applicable laws are well-settled and its application is fact- and context-specific. The information contained in this document should not be relied upon as legal advice or to determine how the law applies to your business or organization. We encourage you to seek guidance from your legal counsel with regard to law applying specifically to your business or organization and how to ensure compliance. This information is provided “as-is” and may be updated or changed without notice. OneSpan does not accept liability for the contents of these materials.
Last updated: November 2021