Information Management under fire at ASIC

Information Silos and underinvestment in data and technology have emerged as issues at the Australian Securities and Investments Commission (ASIC), according to a report from the Financial Regulator Assessment Authority (FRAA).

The FRAA was established in response to the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (Royal Commission). The Royal Commission recommended the creation of an independent oversight authority to assess the effectiveness and capability of market regulators ASIC and APRA.

The report into the Effectiveness and Capability Review of the Australian Securities and Investments Commission (ASIC) looked at three areas:

  • strategic prioritisation, planning and decision‑making 
  • surveillance
  • licensing.

It found that “In our view ASIC is generally effective and capable in the areas reviewed, although there are important opportunities to enhance its performance.”

These include a recommendation that ASIC requires a substantial uplift in its data and technology capability, which will involve cultural change.

The FRAA noted there has been long term underinvestment in ASIC’s data and technology capability.

It found that ASIC has a comparatively lower annual technology spend than some other domestic public sector agencies and international market conduct regulators.  ASIC’s annual technology spend as a proportion of total spend, averaged over 4 years is around 10%. Comparatively, Services Australia is 12%, ATO is 16%, the United States’ SEC is 17%, and the United Kingdom’s FCA is 21%.

An ASIC staff survey revealed widespread dissatisfaction with the development and deployment of the new CRM system. Some staff cited cultural factors such as risk aversion, siloed teams and a short‑term focus as the fundamental reason for the current low level of data and technology capability at ASIC.

The CRM system is designed to record compulsory requests for information, allowing ASIC staff to view all interactions with an entity in a single location and assess whether the same or similar information is already available. However, ASIC staff members who provided feedback regarding their experience with the CRM system conveyed a largely negative sentiment.

Where data is available, ASIC staff cited challenges in obtaining and accessing this information. Most staff agreed that they know what information is collected and stored across ASIC that might be useful in their team’s surveillance activities.  However, staff survey comments noted that accessing this data internally is problematic and that this inhibited their ability to use data to inform surveillance activities.

‘Data is located on too many systems, [and so staff] cannot form an overall big picture of an entity or organisation,’ commented one staff member.

The new ASIC CRM system is viewed by ASIC staff as an obstacle to effective surveillances. ASIC staff reported that the poor user interface and design of the new CRM system make tracking, reporting and coordinating surveillance activities difficult and time consuming.

Only 22% of ASIC staff agreed that their surveillance activities are supported by an easy-to-use information management system.  There was broad feedback from ASIC staff members in the survey, focus groups and interviews around the inadequacy of the CRM system, it being described as time consuming and overly cumbersome.

‘[The CRM system] is a major hindrance – hard to search for past work, hard to record information in current work, time [intensive] in managing cases,’ a staff member commented

‘Many of the barriers to ASIC’s supervisory activities relate to the current case management system, which is best described as a barely minimum viable product and takes up significant resources and capacity. This heavily affects information sharing, because teams avoid using the system as it’s so unfriendly and time consuming, which makes it harder for other teams to learn about our work or access our information,’ said another

Information Silos

Many ASIC staff members commented that teams operate in silos within ASIC and information is rarely shared effectively between teams. Some ASIC staff members also observed opportunities for improved internal collaboration and increased awareness of available resources.

One staff survey noted ‘[there is a need for] greater internal information sharing [as] not all teams know what activities others undertake unless you have a personal network.’

Another commented ‘Better coordination across ASIC could help to minimise regulatory burden on the entities under surveillance – this work has started but is in its infancy and not especially well planned.’

External stakeholders raised similar concerns about internal coordination and information sharing. Only 9% of external stakeholders agreed that ASIC surveillance staff members collaborate well with other areas of ASIC. 

Of ASIC staff surveyed, only 55% agreed that there is effective coordination between ASIC and other Australian regulators.

Internationally, ASIC’s statutory mandate is one of the broadest. ASIC has a wider regulatory remit than comparable market conduct regulators in overseas jurisdictions, including the United States, United Kingdom, Germany, Netherlands, Hong Kong and New Zealand. Singapore is the only comparable jurisdiction with a wider remit.

ASIC has made progress to uplift its data capabilities, hiring a Chief Data and Analytics Officer in February 2020, and establishing dedicated teams of specialists to build data and analytical capabilities within stakeholder and licensing teams. ASIC also introduced a digital lead role in February 2022 to focus on ASIC’s digital strategy,

ASICs clunky and unwieldy Web portal was identified as a barrier to effective and timely granting of Australian Financial Services Licenses (AFSL). The portal is old and industry stakeholders highlighted the inability to upload documents to the portal and the cumbersome process to update licensee details. In targeted interviews, industry commented that the portal was old and not intuitive, with one noting that the portal hasn’t changed since 2008.

Stakeholders noted that once an application has been lodged, the licensing portal does not update on the progress of applications. Applicants must seek to obtain updates directly from the licensing team, which the team is not always resourced to respond to.

ASIC plans to upgrade a digital upgrade of the portal in 2022-2023. It also plans 2 smaller projects that will bring incremental improvements. These projects will assist the licensing team by automating record-keeping and enabling AFSL applicants to upload supporting documents, previously sent via email. These projects were scheduled to be completed by 30 June 2022 but have been delayed.

ASIC Chair Joe Longo said, ‘We need to keep pace in an environment of accelerated change in order to be a confident and ambitious regulator. I welcome the FRAA’s recommendations which align closely with my priorities for ASIC.

ASIC is also trialling the use of artificial intelligence (AI) and machine learning in its financial market surveillance activities. Here are some examples of these initiatives.

Data analytics in surveillance

Markets Assessment Intelligence (MAI) system: the MAI system alerts ASIC to suspicious trading activity, is used to conduct real time monitoring of listed equities markets and post trade monitoring of listed equities and derivatives markets. In 2020–21, ASIC upgraded this system and enhanced its data and analytics capabilities by moving it to a cloud provider. The improved system stores more data securely and facilitates the analysis of a larger volume of data from financial markets to identify suspicious trading activity. The MAI system generates approximately 200 alerts per day (through assessment of approximately 200,000 daily trades) and is the source for the majority of equities surveillances.

Using AI to assess breach report data: before the October 2021 amendments to breach reporting requirements, ASIC received over 4,000 breaches every year. These breach reports were assessed manually. In 2020, ASIC trialled applying an AI algorithm to breach report data. This initiative sought to help triage breach reports to identify matters more quickly for referral to stakeholder or enforcement teams. The AI algorithm also helped identify matters where no further action should be taken. This initiative demonstrated that AI could be used to reduce manual effort in the triage process and simplify the assessment process, resulting in a more efficient, less resource intensive process. Using a representative sample of breach reports, the AI trial provided 65% accuracy in triaging breaches to the correct team. ASIC considers that the results of the trial are encouraging and it has plans to operationalise an automated AI assisted triaging process in 2022 23.

Using machine learning to review prospectuses: the Corporations team receives around 800 prospectus submissions a year. These prospectuses undergo a time sensitive manual risk rating process. Using a predefined set of keywords and machine learning algorithms, ASIC developed an automation solution that will improve the efficiency and accuracy of the prospectus risk rating process. This solution will reduce the manual work required from the Corporations team. ASIC expects the first version to be operational by 31 August 2022, noting that utility of the first version may be limited and there will need to be ongoing development and enhancements, including integration with portal data.

The full report is available HERE.