The Australian Securities and Investments Commission (ASIC) has overhauled its guidance on industry codes of conduct in the financial services and credit sectors, clarifying when it will approve codes and confirming that both approved and non‑approved codes can influence industry standards.
The changes are set out in an updated Regulatory Guide 183, Codes of conduct for the financial services and credit sectors (RG 183). The guide applies to insurers, intermediaries, and product manufacturers that use industry codes within their governance, distribution, and customer arrangements.
ASIC’s revised RG 183 reflects legislative changes since the guide was last updated in 2013 and reorganises the material to explain ASIC’s role, the criteria for code approval, and the steps industry bodies and code owners must follow to obtain and maintain approval.
The regulator maintains that developing a code remains voluntary and that a code does not need ASIC approval to operate. However, it says approval is intended to signal that consumers can have confidence in and rely on an approved code.
The guide no longer describes codes solely as “complementing existing legislative requirements” and instead outlines broader expectations for what ASIC regards as an effective code. It states that a code should achieve at least one, and preferably more than one, of several outcomes, including addressing areas not fully covered by law, elaborating on legal obligations to provide additional protections for consumers, or clarifying how statutory requirements apply in day‑to‑day practice.
The guidance also recognises that non‑approved codes can contribute to changes in industry practice and consumer outcomes, and encourages owners of those codes to consider ASIC’s benchmarks when designing and updating their frameworks.
Following consultation on Consultation Statement 26 (CS 26), stakeholders sought clearer explanations of how code obligations may be enforced. In response, ASIC has expanded its discussion of enforcement pathways, noting that codes may operate through a mix of contractual rights, internal dispute resolution, external dispute resolution, and, in some cases, “enforceable code provisions” made under legislation.
ASIC has confirmed that it is up to the code applicant or code owner to nominate provisions it proposes as enforceable code provisions for the purpose of obtaining approval. ASIC will then assess those provisions as part of its consideration of the overall code.
On breach reporting, RG 183 is now linked more explicitly to ASIC’s existing breach reporting regime. Where a breach of a code provision also constitutes a breach of the law, the underlying conduct may be reportable under the reportable situations framework. ASIC notes that regulatory relief may apply to some automatic reporting obligations but has not set detailed expectations on when a breach of an enforceable code provision would be “significant,” pointing out that no enforceable provisions currently exist in approved codes.
On monitoring, ASIC has not introduced new, specific surveillance requirements tied to codes. Instead, it has aligned code‑related monitoring with its wider enforcement and supervision program and indicated that, where appropriate, it will engage with code administrators on sector‑wide monitoring and compliance activity related to approved codes.
ASIC has retained its approval criteria, which are prescribed by legislation, but has adjusted aspects of the guidance in response to industry feedback. Some respondents argued that approved codes should always be contractually enforceable between subscribers and customers. ASIC has not made this a mandatory feature, but has more strongly encouraged code owners to consider contractual enforceability when structuring their codes.
The revised guide highlights that code committees and administrators need sufficient resourcing to perform their functions, and ASIC now expects approval applications to include information about the financial and operational support available to the code administrator.
ASIC has also broadened the examples of sanctions that may be used for code breaches, while not expressing a preference for public naming of non‑compliant subscribers over other measures. The regulator has restated that it may revoke approval where it considers a code no longer meets, or substantially meets, the approval criteria, rather than linking revocation to particular volumes or types of subscriber breaches.
Suggestions for a tiered or partial approval framework that would distinguish between large and small institutions were not adopted. ASIC said the statutory regime does not permit partial approval, although the guidance acknowledges that non‑approved codes can still be used by sectors seeking to formalise standards without entering the ASIC approval process.
ASIC has restructured the approval process set out in RG 183 by moving the independent review earlier in the life cycle of a code. Independent review is now described as part of Stage 1, covering code development and updates, followed by a separate stage focused on consultation on the draft code.
The guide confirms that ASIC‑approved codes must be independently reviewed at least once every five years under legislation. There is no corresponding requirement for a code to be amended after each review or resubmitted to ASIC for reapproval. ASIC indicates that earlier reviews may be appropriate where developments arise that affect consumers but does not support replacing full independent reviews with narrower, targeted reviews, referring instead to the existing legislative and explanatory framework.
On consultation, ASIC encourages code owners to conduct public consultation on draft codes. ASIC retains the option to run its own public consultation where it considers that appropriate, to be determined on a case‑by‑case basis.