The Franchising Code aims to strike a balance in relation to disclosure by franchisors and the rights of franchisees.

The report contains a total of 18 recommendations to Government.

The recommendations in relation to disclosure include a requirement for a franchisor to disclose the rights of the franchisor and franchisee to conduct and benefit from online sales, including any ability of the franchisor to conduct online sales.

There are recommendations relating to an obligation to act in good faith being inserted into the Code, and the introduction of civil pecuniary penalties for breaches of the Code.

There are also a number of recommendations aimed at addressing specific problematic areas, for example, the issue of franchisor failure.

No recommendation has been made that franchisees receive an exit payment or goodwill payment at the end of the term of their franchise agreement. However, a recommendation has been made that any restraint of trade clauses in the franchise agreement which prevent the franchisee from carrying on a similar business in competition with the franchisor, are not enforceable by the franchisor against the franchisee in certain circumstances.

The Government has not yet indicated its response to the recommendations.

The AML/CTF Act and Rules set a minimum baseline for reporting entities to know their customers and beneficial owners.

Potential reforms discussed in the paper include:
• amend the AML/CTF Rules to explicitly require reporting entities to identify and take reasonable steps to verify the identity of beneficial owners for all categories of customer that are legal persons or legal arrangements, and clarify that the term ‘beneficial owner’ means the natural person(s) (individual(s)) who ultimately owns or controls a customer.
• where a customer is acting on behalf of a person amend the AML/CTF Rules to explicitly require a reporting entity to take appropriate steps to determine whether the customer is conducting a transaction on behalf of another person or third party, and accordingly identify the beneficiaries and the destination of the transaction.
• amend the AML/CTF Rules to explicitly require a reporting entity to identify and verify the settlor of a trust.
• amend the AML/CTF Rules to define the meaning of “politically exposed person”, require reporting entities to introduce appropriate risk-based controls to identify whether their customer (and beneficial owners) may be a foreign, domestic or international organisation PEP, include provision for the conduct of explicit enhanced CDD measures where the customer is a PEP, and prescribe specific measures to be taken to perform a range of enhanced CDD measures for high-risk situations.
• amend the AML/CTF Rules to include an explicit requirement that Part A of a reporting entity’s AML/CTF program must include appropriate risk-based systems and controls to ensure that the reporting entity has a reasonable understanding of the nature of the customer’s business or occupation.
• introduce a general obligation for reporting entities to keep CDD information up to date and relevant, and that risk-based systems be used to determine what CDD information should updated or verified and at what intervals.

Currently reporting entities must have in place AML/CTF programs to identify, mitigate and manage risks that a designated service it provides may involve or facilitate money laundering or terrorism financing. Before providing a service, reporting entities are required to have appropriate CDD programs in place to:
• enable them to ‘know their customers’ (KYC)
• perform ongoing customer due diligence
• monitor transactions, and
• report suspicious matters to AUSTRAC.

The proposals do not affect fundraising by charities in the form of donations.

The Consultation Paper proposes to either:

• remove existing exemptions available to charities that raise investment funds under Regulatory Guide 87 Charities (RG 87) from 28 June 2014 (Option A), or
• retain existing exemptions on the basis that they are only available to organisations that satisfy both existing and new conditions to the exemptions (Option B).

ASIC is proposing that in order to fundraise charities must hold 75% of their assets in assets that directly relate to their charitable purpose; and where the fund is offered to retail clients:

• have an Australian financial services licence, and
• meet minimum capital and liquidity requirements.

ASIC has chosen 28 June 2014 for Option A because it aligns with the date that APRA proposes in its discussion paper issued 19 April 2013 as the date from which amendments to current exemptions under the Banking Act for RCDFs would become effective.Background

The exemptions in Option B would only be of assistance to a debenture issuer if it obtained any exemption required from the Banking Act. APRA has proposed for discussion that from 28 June 2014 it will no longer give an exemption for RCDFs, a number of which are also charitable investment fundraisers, where the RCDF accepts retail investments.

ASIC proposes to roll over relief that is currently available to schools for school enrolment deposits without amending the terms of the relief.

If Option B is adopted the amendments to the existing exemptions will be phased in over several years and be subject to a transition period.

The key elements of the draft legislation are:

• the new unfair contract terms regime will apply to general insurance contracts on an equivalent basis to the regime applying to other financial products or services in the Australian Securities and Investments Commission Act 2001. The new regime is modified appropriately for contracts of general insurance;
• consumers and the Australian Securities and Investments Commission (ASIC) will be able to take action for unfair terms in a standard form consumer contract of general insurance, such as seeking a court declaration that a term is unfair. A court will have access to a range of remedies in such circumstances;
• an insurer found by a court to have an unfair term will be in breach of the duty of utmost good faith and will not be able to rely on the term;
• ASIC will be given powers to enforce unfair contract terms for general insurance contracts by reference to the enforcement and investigation powers it has in the Australian Securities and Investments Commission Act 2001;
• the amendments will apply to standard form consumer contracts of general insurance entered into, or renewed, on or after the commencement day, and to terms varied on or after the commencement day. The commencement day will be 12 months after the day the Act receives Royal Assent, giving general insurers a transition period to review their standard form consumer contracts for unfair terms.

The draft legislation will apply to:

• standard form consumer contracts of general insurance which are entered into, or renewed on, or after, commencement; and
• a term in a standard form consumer contract of general insurance that is varied on or after commencement.

Insurers will be given a 12 month transition period to review their standard form consumer contracts for unfair terms before the commencement of the changes.

Related article: ACCC unfair contract terms report
ACCC Guide to unfair contract terms law

The proposed CPS 220 will replace the existing industry-specific risk management standards for general insurers and life insurers, and will include the risk management requirements for ADIs that are currently spread across a number of ADI prudential standards.

CPS 220 will not apply to the superannuation industry. Instead, RSE licensees must comply with the superannuation-specific risk management prudential standard due to commence on 1 July 2013.

The most important changes contained in CPS 220 are the requirements for:

• a Chief Risk Officer (CRO) who is independent from business lines, the finance function and other revenue-generating capabilities. The CRO must not be the Chief Executive Officer, the Chief Financial Officer, Appointed Actuary or Head of Internal Audit; and
• the establishment of a separate Board Risk Committee that provides objective non-executive oversight of the implementation and on-going operation of the institution’s risk management framework. The Committee must be chaired by an independent director who is not the chair of the Board.The chair of the Board Audit Committee may also chair the Board Risk Committee.

APRA is proposing that the Risk Committee must operate under a different charter than the Board Audit Committee, although APRA’s composition requirements will not prohibit the same people sitting on both committees.

The Board Risk Committee is required to provide prior endorsement for the appointment or removal of the CRO. If the CRO is removed from their position, the reasons for removal must be discussed with APRA as soon as practicable, and no more than 10 business days, after the Committee’s endorsement is agreed upon.

The Board Risk Committee must invite the CRO to attend all relevant sections of meetings of the Committee.

APRA proposes that the chair of the Board and the chair of the Board Risk Committee make an annual attestation as to the adequacy and effectiveness of its risk management framework.

Prudential Standard CPS 510 Governance will also be changed to require the Board Audit Committee to provide prior endorsement for the appointment or removal of the APRA-regulated institution’s auditor and Head of Internal Audit. If the auditor or Head of Internal Audit is removed from their position, the reasons for removal must be discussed with APRA as soon as practicable, and no more than 10 business days, after the Committee’s endorsement is agreed upon.

APRA expects to finalise the proposed CPS 220, updated CPS 510 and a prudential practice guide prior to their implementation date of 1 January 2014.

Under ASIC’s Regulatory Guide 104 Licensing: Meeting the general obligations (RG 104) licensees must:

• ensure migrating representatives are competent and adequately trained. It is important that they are effectively screened and their background checked,
• have adequate supervisory arrangements in place to identify and address deficiencies quickly, and
• have adequate financial, technological and human resources to supervise and monitor new representatives, especially in cases of business growth.

The Future of Financial Advice reforms strengthens ASIC’s licensing and banning powers in relation to all licensees by giving ASIC powers to:

• refuse to issue or to cancel/suspend a licence where the licensee is likely to contravene their obligations instead of needing to establish that they will contravene or have contravened their obligations;
• ban individuals from providing financial services if they are likely to contravene a financial services law; and
• ban individuals from providing financial services if they are not of good fame and character or not adequately trained or competent to provide financial service.

What do you need to do?

• Review your policies, notices and consents
• Adopt a timetable which allows for printing and IT changes

You will need to change your privacy policy to:

• include details of how a person can seek access to their personal information and correction of the information;
• explain how a person can complain about a breach of the APPs and how you will deal with privacy complaints;
• specify if you are likely to disclose personal information to recipients overseas and, if so, the countries in which such recipients are likely to be located; and
• Remove references to “NPPs”.

You will need to provide more information to individuals when you collect their personal information:

• if you are likely to disclose their personal information to recipients overseas and, if so, the countries in which such recipients are likely to be located;
• that your privacy policy includes details of how to seek access to their personal information and correction of the information; and
• that your privacy policy includes details of how to complain about a breach of the APPs and how you will deal with privacy complaints.

You will also need to implement a privacy compliance program that:

• ensures your organisation complies with the APPs;
• enables your organisation to deal with inquiries or complaints about compliance with the APPs; and
• establishes procedures to identify and manage privacy risks and compliance issues.

Change your direct marketing practices for materials sent in hard copy and social media mechanism allowing individuals to “opt out” of further direct marketing:

• include a statement that a request to “opt out” can be made;
• obtain an individual’s consent before using their sensitive information for direct marketing; and
• maintain details of the source of the personal information you use for direct marketing.

Review your current arrangements for offshore data storage or processing:

• Draft new standard offshore outsourcing terms
• Review storage and security
• Train your staff

Credit: review your commercial and consumer credit applications and credit check and default reporting procedures.

The OAIC has not yet authorised a Credit Reporting Code of Conduct.

The OAIC has published an APP Checklist.

• does the procedure concern the collection, disclosure, use and storage of “personal information” (as defined in the Privacy Act?)
• does “confidentiality” include “privacy”?
• are the obligations regarding the handling of personal information set out in the Privacy Act (including the Privacy Principles) considered?

NPP 1 (which will be replaced by APP 2 which deals with the collection of solicited personal information) requires that:

• personal information may only be collected where necessary for a function or activity of the organisation
• collection must not be by unfair or unlawful means, and
• reasonable steps must be taken to provide the individual to which the information relates with notice of specified matters, including the identity of the organisation collecting the information, the purpose of the collection, and the contact details of the organisation.

NPP 2 (which will be replaced by APP 6) provides that personal information may only be used or disclosed for the purpose for which it was collected (the ‘primary purpose’), unless a specified exception applies. This requires an organisation to have a clearly defined purpose for the initial collection of personal information, which is also consistent with the requirements of NPP 1.

NPP 4 (which will be replaced by APP 11) relates to data security and requires organisations to take ‘reasonable steps’ to protect the personal information that they hold from misuse or loss and from unauthorised access, use, modification or disclosure.

The OAIC is currently developing guidance on the reasonable steps with respect to information security that organisations are required to take under the Privacy Act.

The OAIC has also published a voluntary Data Breach Notification Guide which outlines steps that organisations should consider in preparing for and responding to information security breaches, including notifying affected individuals. The Government is considering mandatory data breach notification provisions.

NPP 9, which relates to trans-border data flows, currently provides that organisations cannot avoid their Privacy Act obligations by sending personal information offshore.

NPP 9 generally prohibits an organisation from disclosing personal information to someone in a foreign country who is not subject to a comparable information privacy scheme, unless the individual has consented.

NPP 9 will be replaced by APP 8 which deals with cross-border disclosures of personal information: this principle will not prohibit cross-border disclosures of personal information but organisations will be accountable for any disclosure of personal information outside Australia, unless one of a number of exceptions applies. Before any actual cross border disclosure of personal information occurs, an organisation must have put into place appropriate arrangements in relation to the information.

The Tax File Number Guidelines 2011 (TFN Guidelines) issued under the Privacy Act regulate the collection, storage, use, disclosure, security and disposal of individuals’ TFN information.

Guideline 6 of the TFN Guidelines states that TFN recipients must take ‘reasonable steps’ to safeguard TFN information. This includes protecting TFN information from misuse and loss, and from unauthorised access, use, modification or disclosure, and ensuring that access to records containing TFN information is restricted to individuals who need to handle that information for legal purposes.

Part IIIA of the Privacy Act governs the handling of credit information files, credit reports and other credit worthiness information about individuals by credit reporting agencies and credit providers. CRAs and credit providers must also ensure that credit information files and credit reports are subject to security safeguards as are ‘reasonable in the circumstances’.

The OAIC suggests that the Draft APRA Practice Guide also refer to de-identification as a tool for managing data risks.

The Government will provide an unindexed $35,000 concessional cap to anyone who meets certain age requirements.

The start date for the new higher cap will be 1 July 2013 for people aged 60 and over. Individuals aged 50 and over will be able to access the higher cap from 1 July 2014.

The higher cap is temporary and will cease when the general cap indexes to $35,000 (expected to be 1 July 2018).

A key feature is a product dashboard which will provide a single page summary of key performance indicators for each MySuper product. See the sample product dashboard.

These indicators will include an annual dollar disclosure of fees, the target investment return and a clear statement of investment risk.

The Regulation:

• prescribes the way in which information in the product dashboard is to be worked out and presented;
• prescribes how fees for superannuation products are to be disclosed in product disclosure statements;
• prescribes the portfolio holdings information that will be publicly available on an registrable superannuation entity (RSE) licensee’s website;
• specifies the types of documents and information that trustees will need to publish on their websites (including information on trustee and executive officer remuneration);
• requires RSE licensees to include the latest product dashboard in the member’s periodic statement; and
• requires trustees to inform members that they can request written reasons for decisions made (and in cases where no decision has been made) in relation to non-death benefit complaints.
• requires dual regulated entities to inform the Australian Securities and Investments Commission (ASIC) of events that may lead to material adverse changes in their financial position;
• prescribes factors that may be used for a lifecycle investment strategy;
• permits the governing rules of a superannuation fund to limit contributions that are transfers from a foreign superannuation fund;
• clarifies the circumstances in which a person is a defined benefit member to ensure they are excluded from certain MySuper requirements, and gives priority to accumulation interests (of both members and other beneficiaries) over defined benefit interests in the event of a winding-up of a technically insolvent defined benefit fund;
• makes various technical and consequential amendments such as: requiring RSE licensees to provide the Australian Prudential Regulation Authority (APRA) with early disclosure of successor fund transfers and other information; applying relevant provisions to persons involved in the management of an RSE licensee that is also a First Home Saver Accounts provider; and to update references in the regulations; and
• repeals and/or amends existing regulations relating to subject matter that will be dealt with in APRA prudential standards and to update the definition of an eligible rollover fund.