Just one month after the 2025 Professional Planner Licensee Summit, which heard how advice is in a new golden age, the future of licensing may once again be up in the air.
The country’s largest licensee owner by adviser numbers, Entireti, will meet the corporate regulator in court over accusations its subsidiary Fortnum Private Wealth failed to have sufficient cybersecurity protocols in place to protect client data, after an alleged cyberbreach led to the data of more than 9000 clients of one FPW practice being published on the dark web.
For those advisers and practices that want to maintain a licensing relationship with an external licence provider, it raises the question of the extent legal obligations can – and should be – outsourced.
Licensees play an important role in the financial advice process of making sure advice given to clients is of the highest standard and in the client’s best interests. Likewise, licensees should make sure the systems and protocols set up for advice practices are of the highest standard.
The FPW practice at the centre of the cyberbreach employed someone to handle its IT infrastructure, who had provided a guarantee that’s what they would do. Professional Planner understands FPW will argue the supplier didn’t follow through on this guarantee; and the supplier maintained that there was no system compromise even after the first breach was discovered.
The highest profile cybersecurity case for advisers and licensees in the past half decade was RI Advice, in which the Federal Court found the licensee breached its license obligations by failing to have adequate risk management systems in place to manage its cybersecurity risks, an issue that arose when practice in its network was hit with a cyberattack.
Entireti will argue that it had sufficient standards in place at the time the FPW practice was attacked.
The profession has often been left bewildered about the specifics of its regulatory obligations and what is required of it. Cybersecurity was one of many subjects ASIC Commissioner Alan Kirkland was pressed about at the Licensee Summit last month.
“If we do come asking about your practices, in line with your risk management obligations as a licensee, and you’re able to say ‘here’s a recognised standard in relation to cybersecurity that we are benchmarking our practices against and assessing ourselves on a regular basis’, you’re going to in a much better position to demonstrate compliance with the law then if you’re not doing it against some sort of recognised benchmark,” Kirkland said.
Kirkland pointed to the Australian Cyber Security Centre’s Essential Eight – which outlines eight standards firms should follow to mitigate cyber risk – as well as the US National Institute of Standards and Technology cybersecurity framework.
“If you’re doing that it helps with your procurement and engagement with other parties because you’ll be asking them about how they comply with their relevant frameworks,” Kirkland said.
Professional Planner understands the standards FPW had in place were based on the Essential Eight.
Incidentally, Kirkland said based the most recent survey the regulator conducted (in 2023), it was found that 40 per cent of licensees were not modelling their cybersecurity practice on industry standards.
Kirkland told the summit that licensees are still responsible for cybersecurity, whether the services are handled internally or through a third-party service.
“Most people have got a mix,” he said.
“[Breaches] can happen to anyone. You shouldn’t assume that because you’re big, you’re more protected or because you’re small you’re more immune. There’s a lot of risks that come from third-party relationships, from suppliers, from other people in your supply chain.”
Professional Planner has written extensively on the challenges faced by licensees, including that they take on a lot of risk for insufficient financial reward compared to other players in the value chain. This has contributed to other parts of the financial chain running highly profitable business, while licensees lagged.
It’s only been in recent years that a combination of focusing on offering a greater suite of services including to out-of-network providers, taking equity stakes in practices, and introducing variable fee arrangements tied to revenue have allowed licensees to share in a greater proportion of the advice margin, which they feel matches the contribution they make to the success of advice practices and more appropriately reflects the risk they take on.
As an adviser, being licensed is compulsory, but being licensed by an external licensing provider isn’t. It’s set up a point of friction in the industry whereby licensees feel advice practices have too much power. If a practice feels a licensee is overreaching – say, on lifting the standard of the practice – then the practice can get its own license and be in charge.
That’s easier said than done, however. Setting up your own license is time consuming and comes with a with a tonne of liabilities. There are a number of high-quality third-party compliance firms who work with self-licensed and larger licensees, but whether all self-licensed firms are willing to pay for that service is another matter.
And if a self-licensed firm is targeted by ASIC and doesn’t want to take up the fight, is it willing to accept the fine or close shop, the latter further disadvantaging clients.
In the past, advice was considered a loss-leader designed to help institutional advice owners distribute product. Advice has since, appropriately, evolved into a standalone professional fee-for-service model, but margins are still tighter for licensees, and licensing has really just turned into a loss leader in another way. Licensees can use licensing as a gateway to sell profitable services and establish equity partnerships, to boost margins.
AZ NGA’s Paul Barrett long ago recognised that the real value in advice lay in advice practices, no licenses, and that taking equity partnerships in advice firms without the risk of licensing was the way to go; and the Principal’s Community has developed into a community for self-licensed practitioners, again without taking on the risk of licensing.
The major institutions have largely abandoned the licensing field, and if licensees are penalised for taking on the risk of third parties, such as for no financial benefit, then the future of the licensing regime will once again be thrown up in the air.
