Compliance Insights: Lessons from REP515


ASIC Report 515 "Financial advice: Review of how large institutions oversee their advisers" addressed how "effectively Australia’s largest banking and financial services institutions oversee their financial advisers". For this report, ASIC assessed 160 client files that had previously been reviewed by the Licensees themselves and identified the discrepancies. 

In a previous article "Who watches the watchers" we covered possible cultural and structural reasons why only 18% of reviews were effective. These are important issues to consider, but, as practitioners, are there more practical lessons we can extract from REP515?

The answer is Yes.

In their comprehensive report, ASIC identified a number of issues that they suggest may have affected the effectiveness of the audit including:

  • the adequacy of the audit questionnaire;
  • ad hoc file amendments to resolve identified issues; and
  • inadequate record keeping.

1. The Review Questionnaire

We've previously written about the common limitations of these processes, and highlighted the compromises and challenges with internal compliance. Over the last seventeen years we've seen numerous iterations of audit questionnaires - from "CAR checking questionnaires" to "Advice Assurance" - so we can categorically endorse ASIC's views. As one financial services expert recently told us "there is a wide gap between the best and the rest". 

Too often, bad advice complies with the law. Too often, great advice fails for technical or petty reasons.

The better Review questionnaires look beyond the formal requirements to the substance of the advice and the intent of the law. They incorporate qualitative checks, granular analysis and a purposive consideration.

An effective review questionnaire should be firmly rooted in the law; but it must move beyond formalism and embrace a substantive approach. In too many institutional licensees, the questionnaire is a formal checklist designed to manage risk, control advisers and influence the nature and scope of the recommendations made.

Where Licensees conduct reviews for no other purpose than to demonstrate, to the Regulator, that they are conducting reviews, the intent of the law has been frustrated. In these circumstances, both the interests of our clients and the interests of the emerging advice profession have been critically compromised.

We believe that context, intent and consequences should frame the scope and depth of any adviser review. It must address the "black and white" requirements but it should also place as much emphasis on qualitative and indicative factors. For this reason, our Advice Assurance review is a risk and conduct focused review that provides deeper, clearer and more meaningful questions from which better observations can be drawn.

A deeper, more contextual review both assists the Licensee to accurately identify problems (and their root causes) and helps the adviser to improve their advice (and advice process). We also believe that benchmarking, contrast and comparability are essential elements of an effective review methodology.

If Licensees wish to ensure that their review methodology is robust and comparable to ASIC standards then they need to invest their time and energy in developing a similar process. Unfortunately, most institutional licensees prefer the 'tick a box' approach to compliance to a review methodology that provides granularity, context and comparability. Hopefully, Appendix 3 of REP515 will disabuse them of this short-sighted approach.

A few years ago, an internal auditor asserted that an SoA provided by one of our advisers omitted the mandatory elements required by the law. The Compliance Expert had marked the SoA as a critical failure. The auditor was concerned that, as the Responsible Manager, I wasn't appropriately concerned about this critical compliance failure. I opened the SoA and suggested the internal auditor read the pages I presented. The mandatory elements were clearly and effectively presented. The internal auditor apologised, removed the issue and offered, in the Expert's defence, that the documents issued by the Bank for whom the Expert worked, included these elements in the first few pages of the SoA. Thankfully, the internal auditor accepted my constructive suggestion that, notwithstanding the Bank's position, the Expert should understand the legal requirements that apply (and actually review the content of the SoA). - Name Withheld, Responsible Manager

The review scope

Ideally, each adviser review should be tailored to the Adviser's practice and focus on the nature and character of the Adviser's activity and authorisation. It seldom is, but REP515 explicitly requires that Licensees embrace flexibility and embed the "best interests" duty at the heart of each review. In our view, REP515 requires the Reviewer to ascertain whether:

  • the Client's professed or identified needs will be satisfied by the recommendations made;
  • the recommendation made exceeds the Client's needs and objectives;
  • the Adviser had enough information to make the recommendation they did;
  • the Adviser appropriately exercised their professional judgment and skill;
  • adequate enquiries were made to address identified (or reasonably apparent) errors or information gaps;
  • the Client received, or is reasonably likely to receive, benefits or advantages that exceed the benefits and advantages received, or likely to be received, by the Adviser;
  • the Client's interests were given priority;
  • the advice is reasonable and appropriate given the Client's circumstances, capacity and knowledge;
  • the Adviser had the skill, knowledge and training to provide the recommendation they did;
  • the advice is tailored to the Client's specific needs and circumstances;
  • the likely consequences from implementing the recommendation are trivial;
  • the benefits and advantages of implementing the recommendation are, in qualitative or quantitative terms, greater than the costs and consequences of not doing so (and greater than the benefits received by the Adviser);
  • the Client's information, or their instructions, were adapted or manipulated to suit the recommendation the Adviser chose to make; 
  • the Adviser properly considered the Client's current position, a range of strategies and options and realistically assessed their objectives;
  • it was appropriate to recommend financial products (and the financial products recommended were appropriate);
  • the strategy recommended is sustainable; 
  • additional steps were required in the circumstances; and
  • the file (and the documents maintained by the adviser) adequately and appropriately demonstrate compliance with good practice and the law.

While ASIC may be critical of the large Licensees' approach to "overseeing" their advisers, it's important to recognise that ASIC endorse a principles-based approach. Some argue that this flexibility is unhelpful and simply promotes complexity, confusion and over-abundant caution. Capable Licensees, in contrast, recognise the significant commercial benefits of allowing competent professionals the discretion to exercise their skill and training. For these Licensees, the adviser review is more about cultural alignment and client satisfaction than compliance and control. These Licensees also recognise that the way they view the adviser review (their intent, focus and consistency) determines the outcomes and influences stakeholder conduct.


I was amused to learn that the Reviewer, who had failed an SoA he clearly hadn't read, was appointed as the Compliance Manager at another large institution. His mission was to reduce the review to less than 20 questions. He never learnt that the number of questions was irrelevant; having the right approach to compliance is far more important than having the right number of questions. - Name Withheld, Responsible Manager

2. Ad hoc file fixes

After identifying compliance issues, the Reviewer is ideally placed to suggest appropriate remediation. Their suggestions are immediate, often practical and occasionally ideal strategies for addressing the identified issues and preventing their recurrence. Combine this with the Reviewer's capacity and willingness to properly investigate the frequency and scope of the identified failures and you have an effective review process.

Unfortunately, your adviser audit is far less effective if compliance issues are resolved by the Reviewer before they are formally identified (or as an alternative to formal identification). 

This particular form of assistance is problematic for a number of reasons. First, it compromises the data on which the Licensee depends to make accurate assessments of their ongoing compliance with the financial services laws. Second, suggesting ‘fixes’ to the file during the review process suggests that the Reviewer is trying to conceal failures and minimise their own post-review workload (both of which raise questions about the Licensee's compliance framework). Third, this behaviour reduces "failure rates" and creates, or perpetuates, a misleading view of adviser activity and advice quality. Fourth, it suggests that internal conflicts are being inadequately managed.

A better solution would be to integrate your remediation solution with your review questionnaire. Solutions like openAFSL use rules-engines and machine learning to structure, organise and automate these functions. Issues are identified, recorded and remediated in a consistent and predictable manner without being subject to the Reviewer's discretion. Even better, internal checks and balances and comparative reporting enable Licensees to identify, and respond to, the Reviewers' non-compliant conduct.

3. Inadequate record keeping

ASIC have long advocated for the need for adequate record keeping but competently managed licensees have always understood that quality data capture is essential; unfortunately, they've been handicapped by the poor technological solutions available to them.

After years of subtly nudging Licensees towards better systems and processes, ASIC's gentle nudges seem to be evolving into recommendations backed by the threat of regulatory focus. In fact, REP515 suggests that the time for Licensees to invest in these systems is now.


"Proper record keeping and effective internal compliance audits of financial advice files are also necessary. A lack of robust systems in this area is likely not only to attract the regulator's attention, but also investor outrage if they can't get access to relevant data." - ASIC Commissioner John Price, "What good looks like"


Good data capture starts with the Reviewer and depends on the tools to which they have access. Quality checklists may be adequate for some small licensees, but their limitations need to be recognised - the data they collect will often be subjective, inconsistent and incapable of interrogation. Technology empowers Licensees to keep better records and to utilise their recorded and retained data more effectively. Better than good, it increases their likelihood of detecting non-compliant advisers who may otherwise slip through the cracks.

REP515 is a compelling reason why Licensees need to invest in robust and effective compliance systems. Without the ability to interrogate, analyse and model the data your Reviewers collect, the Review process has limited utility. Analytics, visualisation, comparison and root-cause investigation are core management tasks that are difficult, if not impossible, to do without sophisticated compliance systems. By adding visualisation tools and analytics to their Review process, Licensees will significantly improve the reach and effectiveness of their supervision regime and, hopefully, avoid the Regulator's attention. 



(c) 2017 Assured Support
