ASIC's Regulatory Focus for 2025: Enforcement Actions and Priorities

Staying true to its enforcement priorities for 2025, the Australian Securities and Investments Commission (ASIC) has launched several enforcement actions against businesses in breach of various regulations and misconduct. This article compiles some notable enforcement actions by ASIC in the first quarter of 2025, linking those enforcement actions to its respective priorities.

Keeping aware of ASIC’s enforcement priorities and actions provides valuable insights into the regulatory landscape and the actions being taken to uphold market integrity. Read on to stay ahead of the regulatory curve and keep abreast of evolving regulatory norms and expectations.

ENFORCEMENT PRIORITIES AND ACTIONS

ASIC’s enforcement priorities for 2025 were designed to address the growing risks to consumers, driven by cost-of-living pressures. The regulator emphasised that these priorities aim to safeguard Australians from financial harm and target individuals who seek to exploit them.

The full list of ASIC’s enforcement priorities for 2025 is as follows:

• misconduct exploiting superannuation savings;
• unscrupulous property investment schemes;
• failures by insurers to deal fairly and in good faith with customers;
• strengthening investigation and prosecution of insider trading;
• business models designed to avoid consumer credit protections;
• misconduct impacting small businesses and their creditors;
• debt management and collection misconduct;
• licensee failures to have adequate cyber-security protections;
• greenwashing and misleading conduct involving ESG claims;
• member services failures in the superannuation sector;
• auditor misconduct; and
• used car finance sold to vulnerable consumers by finance providers.

These priorities are in addition to ASIC’s ongoing focus areas, which include misconduct that undermines market integrity, affects First Nations people or poses a significant risk of consumer harm. They also cover systemic compliance failures by major financial institutions; emerging conduct risks within the financial system; and failures related to governance and directors’ duties.

With ASIC’s enforcement priorities for 2025 now outlined, the following paragraphs highlight some of the significant enforcement action undertaken by ASIC during Q1 2025, focusing on the areas most relevant to our clients and financial services licensees, and providing insight into how these actions align with ASIC’s enforcement objectives and what it means for businesses in the financial services sector.

Member services failures in the superannuation sector

Member service failures in the superannuation sector remains an important enforcement priority for ASIC in 2025 on the basis that all Australians have a right to expect to be dealt with efficiently, honestly and fairly by their superannuation fund. In addition, ASIC expects superannuation trustees to communicate proactively with members and deal responsibly with members.

On 11 March 2025, ASIC commenced proceedings against AustralianSuper Pty Ltd, the trustee of Australia’s largest superannuation fund, over delayed processing of nearly 7,000 death benefit claims¹. ASIC alleges that between 1 July 2019 and 18 October 2024, AustralianSuper failed to process death benefit claims efficiently, honestly and fairly when it took between four months and four years from the date the claim form was returned to assess at least 6,897 death benefit claims². ASIC also alleges that AustralianSuper failed to pay member’s benefits as soon as practicable after the member’s death in respect of at least 752 members, in one case taking 1,140 days to make the payment.

Last November, ASIC initiated civil penalty proceedings against United Super Pty Ltd, the trustee of the Construction and Building Unions Superannuation Fund (Cbus), alleging delays in processing death benefit and total and permanent disability insurance claims affecting more than 10,000 members and claimants³. The proceedings are still ongoing.

In addition to the above in relation to death benefit claims handling failures, the Federal Court of Australia also ordered, on 21 February 2025, that AustralianSuper pay a pecuniary penalty of $27 million in respect of failures to merge multiple member accounts. In the period between 1 July 2013 until 31 March 2023, approximately 90,700 AustralianSuper members had multiple accounts that should have been merged. These members incurred approximately $69 million in losses through multiple administration fees, insurance premiums and lost investment earnings. All affected members have been remediated⁴.

Key takeaway: Following the suite of enforcement actions, ASIC released on 31 March 2025 which provides detailed observations from ASIC’s review of death benefit claims handling practices of 10 trustees over a two-year period. The report contained 34 recommendations to superannuation trustees and calls on the superannuation industry to immediately review and address death benefit claims handling deficiencies by adopting the list of recommendations outlined.

Licensee failure to have adequate cybersecurity protections

Holders of an Australian Financial Services Licence (AFSL) are required to ensure that they have adequate cyber risk management systems in place under the Corporations Act. Furthermore, ASIC expects licensees to prioritise and invest in systems that protect their customers and maintain integrity in the financial system.

On 12 March 2025, ASIC commenced proceedings against FIIG Securities Limited (FIIG) for allegedly failing to have adequate cybersecurity measures to protect itself and its clients against cybersecurity risks. ASIC alleges that this ultimately enabled the theft of approximately 385GB of confidential data, with some 18,000 clients notified that their personal information may have been compromised⁵. The stolen data included highly sensitive customer information, including names, addresses, birth dates, driver’s licences, passports, bank accounts and tax file numbers⁶. Proceedings continue but you can read our further analysis on this case here.

ASIC's enforcement action against FIIG is consistent with its current enforcement priorities in ensuring that licensees have adequate cybersecurity protections and reflects ASIC's evolving approach to cyber risk management. Even though FIIG had a risk management system (which included an IT Information Security Policy and Cyber and Information Security Policy), ASIC claims FIIG failed to implement measures identified in those policies⁷.

Key takeaway: ASIC has repeatedly emphasised the importance of ensuring the operating effectiveness of risk management, in addition to design effectiveness and has issued a number of guides to help organisations improve their cybersecurity practices in particular, including good practice guidance and a list of key questions for boards to ask about their firm’s cyber resilience.

Greenwashing and misleading conduct involving ESG claims

Recent greenwashing cases brought by ASIC against fund managers and issuers signifies the regulator’s ongoing scrutiny of misleading and deceptive conduct in relation to environmental, social and governance (ESG) claims and greenwashing by product issuers.

On 18 March 2025, the Federal Court imposed a penalty of $10.5 million against Active Super, finding that it made false and misleading representations by investing in securities that were claimed to be eliminated or restricted by certain ESG investment screens⁸.

In addition to the standard disclosure documents such as the Information Memorandum and the Product Disclosure Statement, this case warns issuers that misleading and false disclosures can also relate to statements made on an issuer’s website, social media pages and media interviews.

Key takeaway: Given ASIC’s continued focus on ESG and greenwashing, issuers should take steps to ensure that their ESG disclosures continue to align with their actual practices. Furthermore, this is a timely reminder for issuers that ASIC enforcement proceedings for ESG statements and greenwashing can be instigated irrespective of whether the claim pertains to marketing of an offer to retail or wholesale investors.

You can read our full article on greenwashing here.

Business models designed to avoid consumer credit protections

Following changes to laws governing small amount credit contracts in 2022 and 2023 under the Financial Service Reform Act 2022 (FSR Act), ASIC has expressed concern around business models that may be attempting to avoid the additional consumer protections imposed on small amount credit contracts. In particular, the regulator has put lenders that provide small amount credit contracts (also known as payday loans) on notice that they may be breaching consumer protection laws.

Recent action taken by ASIC in the small credit sector includes:

• Civil penalty proceedings against Ausfinancial Pty Ltd, trading as Swoosh Finance, for alleged breaches of its design and distribution obligations by failing to review its target market determinations and continuing to provide credit contracts to consumers, despite increasing complaints received directly from customers or via the Australian Financial Complaints Authority;
• Securing $16 million in penalties against Ferratum Australia Pty Ltd (in liquidation) for a number of alleged contraventions of the National Credit Act including entering contracts which imposed prohibited fees, incorrectly calculating payout amounts for its customers and failing to maintain the systems necessary to ensure it charged customers properly for early payouts on small amount credit contracts; and
• Federal Court action against Sunshine Loans Pty Ltd, a small amount lender, for allegedly charging an amendment or rescheduling fee that ASIC argued was not permitted by the National Credit Code. This matter is subject to an appeal from Sunshine Loans.

In March 2025, ASIC published Report 805: Falling short: Compliance with the small amount credit contract obligations which sets out its observations from its recent review into lenders, in light of the changes to laws governing small amount credit contracts. The report highlighted instances where lenders conducted practices that increase the risk of breaching the responsible lending obligations, including inducing customers to consent to being offered alternative products that may be unsuitable, providing medium amount credit contracts for loan amounts just above the small amount credit contract threshold with relatively short repayment periods, and consolidating existing debts under a small amount credit contract into an alternative credit contract (potentially with additional funds required by the consumer).

Key takeaway: Lenders of small amount credit contracts need to consider their regulatory obligations, and ensure that they consider a consumer’s requirements and objectives before offering to enter into a credit contract.

Used car finance sold to vulnerable consumers by finance providers

In line with its enforcement priority to drive better consumer outcomes, particularly for those living in regional and remote locations, including First Nations communities, ASIC has launched a review into the motor vehicle finance sector and will be looking at the compliance of lenders, brokers and other intermediaries, and reviewing how loan defaults, hardship practices and dispute resolution processes are managed⁹.

ASIC currently has ongoing proceedings against car finance company Money3 Loans Pty Ltd for alleged breaches of responsible lending obligations¹⁰, and car dealership Diamond Wheels, Keo Automative, and a former director, for allegedly providing unlicensed car loans to consumers, many of whom paid an excessive interest rate¹¹.

This project seeks to strengthen processes, practices and compliance across the car finance industry and address the potential for consumer harm. ASIC aims to improve the experiences of consumers, who are borrowing money to buy a car, particularly people residing in regional and remote locations, including First Nations peoples.

Key takeaway: Initial high-level insights from ASIC’s review will be published in the second half of 2025, followed by a more detailed public report. ASIC have also advised that they will take enforcement action to protect consumers where appropriate.

ASIC has started the year with a range of enforcement actions reflecting its key priorities, and has secured some significant victories in recent court proceedings.

The evolving regulatory landscape requires financial services businesses to remain vigilant and proactive. Staying informed and responsive to ASIC’s actions will be crucial for navigating the regulatory challenges of 2025.

Should you need any assistance navigating the regulatory environment, please reach out to our expert team at Hazelbrook Legal: enquiry@hazelbrooklegal.com.

Material in this article is available for information purposes only and is a high-level summary of the subject matter. It is not, and is not intended to be, legal advice. Hazelbrook does not guarantee the accuracy of the information provided. You should first obtain professional legal advice prior to taking any action on the basis of any information contained in this article. This article is copyright. For permission to reproduce this article please email Hazelbrook Legal: enquiry@hazelbrooklegal.com