The ASIC (Australian Securities and Investments Commission) has updated its regulatory guidance on the prohibition of hawking financial products in the country.

The regulatory guide (RG 38) portrays the changes in the anti-hawking system under the Financial Sector Reform 2020, commencing on the 5th of October, 2021. It also clarifies how the reform affects commercial practices and how an industry can comply with it.


In 2018, ASIC identified bad sales behavior and poor customer outcomes by assessing unsolicited life insurance sales calls, where 40% of the consumers reported feeling pressured to buy a product.

In 2019, the ASIC passed legislation prohibiting the unsolicited selling of direct life insurance and consumer credit insurance.

In July 2021, ASIC issued Consultation Paper 346 Updates to RG 38 The hawking prohibition in July 2021, asking stakeholder opinion on proposed RG 38 (21181MR) updates. ASIC received 19 written submissions and carried out a meeting with industry and consumer groups on multiple occasions.

The proposed reforms were designed to tackle the harm caused to consumers by unwanted products sold to them through cold calls or other unwelcome contacts.

ASIC Deputy Chair Karen Chester said, ‘These updates put in place fairness measures, so customers are not offered items they don’t want or need. The prohibitions mean a consumer’s need will determine how any business offer products. ‘

What is new

The reforms introduced by the government mean that customers will have more choice over how and when they are offered products, instead of being amidst a situation where they feel

forced to make snap decisions. Under the new law, ASIC will have the power to deal with businesses that pressure people into purchasing products that aren’t beneficial for them.

The guideline clarifies industries on how to comply with the system and how the reforms influence business operations. With the constructive responses from the industry and other stakeholders obtained throughout the consultation process, ASIC improved its guidelines. Additionally, ASIC also shared 12 samples of the input received.

ASIC has said that at the start of the new obligations, which start during the first week of October, it will take a fair attitude if industry players make best efforts to comply (21-213MR).

Key features of the reforms include:

  1. All financial products (as specified in the Corporations Act 2001);
  2. A definition of “unsolicited contact” that includes any “real-time engagement in the manner of a conversation or discussion” without consumer agreement, in addition to in-person meetings and phone conversations;
  3. Consumer assent to contact must be voluntary, positive, clear, and reasonable to comprehend;
  4. The consent be only valid for six weeks from the date it is given and that the consumer has the right to withdraw it at any time; and
  5. A statutory right of return for customers who have been subjected to hawking.

The Treasurer has approved regulations exempting certain products from the hawking regime since ASIC published its consultation. RG 38 provides a summary of products that are exempt from the hawking prohibition under the Corporations Regulations.

For further reading: ASIC, 21-257MR ASIC publishes guidance on hawking reforms, [media release], 23rd September 2021.

Key considerations when adopting a voice analytic system for compliance

Selecting voice analytic systems for compliance requires a better understanding of compliance and risk, future risk management trends, and how technologies like AI & Automation that can support a successful risk transformation program.

Many voice analytical systems are limited to topics of interest or keyword spotting, which is not aligned with organizational compliance and risk management objectives. Transitioning to an automated system requires several considerations and action plans around it.

Here are the Top-5 areas that require consideration and the questions to ask while adopting one.

Compliance Coverage

Non-financial risk, including compliance and conduct risk, is where organizations usually have guidelines, standards, supervision frameworks, and training regimes. Compliance requirements may include conduct-related obligations, industry codes, and policies. Sometimes, there are state-level obligations besides the federal laws. In addition, each product and service has T&C and disclosure requirements that must be fulfilled at the operational level.

So, what matters here?

  • Is the compliance coverage comprehensive, and can we support a standard-based approach?
  • Is our compliance monitoring principles-based or a random review? How do we keep a principles-based approach?
  • How is regulatory change supported, operationalized, and monitored?

Risk-based supervision

Risk-based supervision has a significant role in promoting good conduct. In seeking to ensure that customers are treated fairly, for example, an risk-based supervision approach assesses the risks of unfairly treating customers and the adequacy of controls to prevent this.

Supervisors are usually resource-constrained, so this approach increases the effectiveness of supervision through improving supervisory outcomes while also increasing efficiency through improved resource allocation and processes.

It involves allocating resources to the areas of most significant risk.
In contrast to a tick-box-based approach, each policy is prioritized based on the fines, reputational damage, customer detriment, and cultural aspects.

So, what matters here?

  • Do we currently prioritize each obligation and policy differently?
  • How do we standardize risk criteria?
  • How do we factor-in risk in our assessments?

Incident and breach reporting

It is essential to label the occurrence that may or may not involve a compliance breach, a complaints escalation, a sensitive customer data breach, or serious misconduct by a staff member,  among other things.

Classifying various events as incidents and breaches from an automated supervision system is critical. KRI & KPI can also determine the type of event.

So, what matters here?

  • The volume of incidents, what we must know vs. what is good to have? How do we address false positives?
  • Can I understand each event's impact, for example, cost and reputational damage?
  • Can I do internal and regulatory reporting based on specific obligations and policy breaches?
  • How do we support regulatory inquiries? Do we have enough detail?

Actionable insights

Actionable insights give various stakeholders like customer experience, risk/compliance, and supervisors the ability to leverage insights and act upon them. These factors will dictate your response and thus how well you can minimize the financial, regulatory, and reputational risks to you, your company, and the customers you serve. For example,

  • Which departments should get involved
  • What actions should be taken
  • How the occurrence will be resolved
  • Whether notification will be required
  • Who to notify, when to notify, and how to notify

So, what matters here?

  • How can we shift the focus of the supervision team from information collection to information analysis post-automated supervision model?
  • Can we configure a role-based action plan?
  • Can we achieve timely remediation and continuous improvement?
  • How can we support peer review & quality assurance and measure daily performance improvement?
  • How can we create a perfect balance between compliance, quality, and customer experience and drive strategic initiatives
  • Can the CX, Compliance, and QA teams have specific insights to act on and improve operational processes?
  • How can we benchmark our progress based on the actions taken?

Explainable AI & Humans in the loop

While the accuracy of the predictions is critical, it should not be the only criteria to evaluate, and the operationalization of AI technology requires serious consideration.

Operationalization and incorporation of AI into business can be pretty challenging and require considerable planning. Therefore, the voice analytic system should be able to integrate seamlessly and should not be limited as a complementary function. AI-explainability and Humans in the loop are key features that can help in this direction.

In contrast to a "black box" based approach AI system can provide details on how it arrived at such a decision. AI explainability is essential for internal assessments and regulatory investigations, which can be supported by an evidence-based approach and explain how a conclusion has been made.

An automated supervision process driven by AI must be able to learn and adapt from the business users' knowledge in the decision-making process, gain experience, and repeat the same. Human in the loop is a capability where various business users like the Customer Experience, Quality, and Compliance team can provide input based on the respective business domain and feedback.

So, what matters here?

  • How can we capture the feedback from the business users and incorporate the learnings in future predictions?
  • Can it support AI explainability, and how well is the human bias managed?
  • What are the boundaries when it comes to delegating supervision to machines look like?
  • How do humans need to be involved in the loop and day-to-day decisions making process?

A step-by-step guide for automating the supervision process for monitoring compliance and customer experience.

  • Are you ready to automate your manual compliance monitoring?
  • Does your current supervision involves manual listening of hours of calls and reviewing communication logs?
  • Have you received a regulatory investigation request for a significant compliance breach and are not sure where to start?
  • Do you have customer complaints and need to better understand customer concerns and sentiments?

We're talking about setting up efficient supervision processes with automation, significant cost savings, huge customer experience gain, and risk reduction.

Below are the 5- key steps for setting up an automated incident reporting

Step 1: Identify policies

Most regulated firms usually have documented quality assurance systems that include: roles and responsibilities; pre-defined procedures for identifying, assessing, and understanding each of the quality, compliance issues, and material risks to capture operational issues.

It is usually documented as a QA scoring spreadsheet for quality assurance and compliance similar to the below format.

Supervisors manually listen to hundreds of hours of phone calls and score each conversation against quality, customer experience, and compliance requirements.

The first step here is to bring some of these requirements to a standard format in the form of policies that is easy to maintain across the organization and set up governance standards for the supervision process.

Mapping the requirements to a policy-based standard format

Map each of the requirements to policy type. For example, all legal requirements fit into the regulatory policy type. Any product T&C or disclosure requirements can fit into the procedure or default policy option.

Standardizing policies makes it easier to manage incidents and set up action plans around them.

Step 2: Define the scope

This step requires mapping each policy with the business objective and scope.

This ensures that business policies are associated with geography, business unit, product, and processes. It supports adequate oversight of the incident management systems by risk/compliance, operational, and board of governance functions, and supports clear reporting.

Step 3: Define KRI & KPI

Performance criteria need to be defined with two key sets of criteria

  • KRI for policies to support a risk-based supervision model
  • KPI to support a customer-centric approach

Every policy is different and needs to be prioritized differently based on the responsible entity’s risk appetite and the risk tolerance for each material risk identified.

Risk-based supervision is a structured process and approach that identifies the most critical risks faced by the regulated entity. In contrast to a tick-box-based approach, each policy will be prioritized based on the fines, reputational damage, customer detriment, and cultural aspects.

A customer-centric approach is a way of doing business that fosters a positive customer experience at every customer journey stage. It builds on customer loyalty and satisfaction, which leads to referrals for more customers.

What customer experience metrics or KPIs can be measured?

  • First call resolution, NPS
  • Customer sentiment and tone
  • Concerns and complaints
  • Automated scorecard for overall customer experience

Step 4: Map communication channels

For effective supervision, monitoring should be looked beyond just the contact center and all communication channels need to be identified for each of the policies.

Customers want you to use the channels they’re most comfortable with, from phone calls to web chat, SMS, email, and social media. They expect a seamless experience across all of them.

An omnichannel solution allows agents to handle requests and share information across multiple channels, including phone calls, webchat, email, SMS, and social media.

Post-pandemic hybrid work has become mainstream. With most communication happening through text or video calls, this leads to massive data build-up and challenges in supervision. This creates a huge challenge in the tracking of employee activities, and goals.

Step 5: Monitor & comply

The result of the monitoring is an incident and breach reporting system. Firms can classify incidents or breaches depending on the severity, risk classification, and internal and regulatory reporting requirements.

The incident and breach register need to ensure there is a clear action plan defined and set up for the incident and breach management. For example,

  • How frequently does it need to be monitored?
  • What happens when there is an incident or breach is reported?
  • Who gets notified and how often?
  • What are the actionable insights?
  • What are the remediation actions and follow on reporting?

Below is an example of how a customer vulnerability policy can be monitored to support financial inclusivity. Understanding what aspects of customer vulnerability need to be monitored is the first step.

The key takeaways

So, before setting up an incident management system to automate the supervision process, keep in mind these five tips:

  • Make sure all your supervision requirements refer to a common standard and policy-driven
  • Don't put all policies in the same bucket and prioritize policies based on the risk threshold
  • Omni-channel and hybrid work is here, so think beyond the contact center
  • The system should give actionable insights and set existing supervisors free from repetitive mundane tasks. Now supervisors can focus on operational performance and customer experience review and optimization.