Who watches the watchers?
Quis custodiet ipsos custodes?
Those familiar with either the Roman satirist Juvenal, Gibbons' Graphic Novel or the Star Trek Next Generation episode would recognise Juvenal's warnings about the practical limitations of trust, monitoring and supervision. These are important limitations and ones too frequently forgotten.
However, in the wake of ASIC Report 515, everyone in the financial services industry should be asking themselves this question.
ASIC Report 515 "Financial advice: Review of how large institutions oversee their advisers" addresses how "effectively Australia’s largest banking and financial services institutions oversee their financial advisers". For this report, ASIC assessed 160 client files that had previously been reviewed by the Licensees themselves and identified the discrepancies.
For those of you with neither the time nor inclination to read the report, #ineffectively or #whatoversight might provide you with the high level summary you require.
As you know, the Law requires Licensees to “do all things necessary to ensure that the financial services covered by the licence are provided efficiently, honestly and fairly; to …. comply with the conditions on its licence and comply with the financial services laws; to take reasonable steps to ensure that its representatives comply with the financial services laws; and ….have adequate resources to provide the financial services covered by the licence and to carry out supervisory arrangements.”
A key way of demonstrating compliance with these requirements, and one on which licensees and advisers rely, is the "adviser audit process".
We've previously written about the common limitations of these processes, and highlighted the compromises and challenges with internal compliance. So, as alarming as REP515 might be to advisers relying on, and vulnerable to, institutional compliance resources, it's not surprising.
In essence, on the basis of their review of ten large institutional licensees, ASIC observed that:
"(a) the audit process was effective in 18% of the sample files—that is, the findings by the licensees’ auditors aligned with our own file review. We observed an effective audit process only on files where no areas of noncompliance were identified by either the licensees’ auditors or our advice reviewers; Note: We did not observe an effective audit process for any of the sample files where our reviewers identified areas of non-compliance. In these cases, the licensees’ auditors did not correctly identify all of the compliance concerns found by ASIC.
(b) the audit process was partially effective in 57% of the sample files— that is, some areas of non-compliance were identified by the licensees’ auditors, but our advice reviewers found additional areas of noncompliance; and
(c) the audit process was ineffective in 25% of the sample files—that is, no areas of non-compliance were identified by the licensees’ auditors, but our advice reviewers found that there were areas of non-compliance."
As compliance professionals, we're naturally optimistic, so let's start with the positives. If ASIC's observations of large licensees are broadly representative, your licensee's audit process is likely to be effective 18% of the time and partially effective 57% of the time. If you are an adviser, there's a good chance that your review could be more or less accurate.
Given that the results of an audit may affect an adviser's confidence, workload, reputation, their ongoing employment or the sustainability of their practice, a 75% chance that the audit might be partially or materially effective might be reassuring.
75% seems like a good result but, if you are a Licensee (or an adviser in that Licensee), how satisfied would you be to learn that even after you had "significantly enhanced [your] monitoring and supervision processes", the audit will be ineffective 25% of the time.
"All of the top 20 licensees conducted some advice audits to examine the appropriateness of advice. Audits check the advice provided meets the obligations under s945A of the Corporations Act. Some licensees informed ASIC, through the recent feedback process, that they had significantly enhanced their monitoring and supervision processes, recognising the importance of this area to their business". - ASIC Report 251 "Review of financial advice industry practice", September 2011
It's the 25% chance that the review might be ineffective that should concern advisers and trouble licensees.
In our view, the 25% ineffective rating is concerning but not unexpected. The competency and capability of some reviewers has always been problematic. The booming industry of compliance has attracted a wide range of experts with vastly different capabilities and competencies. As one Compliance Manager recently complained:
"We're compliance people, not lawyers. You can't expect us to know the law."
What may be even more concerning than reviewers' willingness to accept their own ignorance is that, in our experience, culture and conflicts are much more insidious influences than acknowledged.
To reframe the problem, perhaps compliance is ineffective, in 25% of cases, because it's designed to be so.
Perhaps relying on internal auditors for effective compliance reassurance, misrepresents their motivations, their capability and their purpose.
Perhaps it's an approach based on short-termism, that tragically misleads the licensee as much as it misleads the advisers, management and the Regulators.
Maybe Stigler's concept of regulatory capture applies to internal compliance functions as well as it applies to external bodies. Regulatory Capture describes situations where the 'regulator' protects and advances the interests of the commercial body it's meant to be regulating and mitigating.
While it may apply to ASIC, it's an imperfect explanation for the apparent failures of internal compliance units because the groups are not analogous. Despite their employers' professed commitment to customers' interests, the commercial interests of their employers are often prioritised by compliance staff before their employer's legal obligations. These compromises seldom manifest as reluctant retreats in the face of management pressure. They are, more often than not, motivated instead by the desire to minimise both conflict and friction. This motivation may be one of the key reasons for the ad hoc file "fixing" identified by ASIC in their report.
Perhaps it's unrealistic to expect effectiveness from compliance staff where their effectiveness may jeopardise their own advancement, reputation or ongoing employment. Being an effective compliance expert, often means being difficult and challenging. Independence and effectiveness too often equates to a fractured career progression.
As a Head of Risk and Compliance recently admitted, "if you are in your compliance role for more than four years, you're probably not doing your job".
ASIC's report 515 is too important to be dismissed as unrepresentative, unrealistic or uncommercial. Regulators, shareholders, advisers and consumers all rely on, and are affected by, the way that advisers are monitored and supervised. Too frequently, compliance and management failures are dismissed as the actions of bad apples, the result of poor data or the failures of staff to adequately identify and escalate issues. But if the resources on whom we rely, and by whom we are affected, are inherently compromised or conflicted, can any better outcome be expected?
We're not distressed by ASIC's observations. We interpret REP515 as less a criticism of a Licensee's internal compliance function than a recommendation for its reframing. Notwithstanding the Licensee's loss of control, the monitoring of advisers and their "adviser audit process" would be more effectively performed by an independent third party.
By outsourcing this critical function, the internal compliance function is freed more effectively supervise and to interpret and properly respond to the external party's observations. An independent third party, applying industry standards and reporting benchmarks, should provide a higher level of effectiveness and transparency than ASIC observe in the large institutions. Further, if the large licensees free their internal compliance resources from performing compromised and mechanistic processes, it will allow them to better apply their expertise and more effectively contribute to strategic, remediation and commercial decisions.
If you'd like further information on how engaging an independent expert can increase your capability and improve your business please email us at firstname.lastname@example.org.