Planning for 2018: Your Top Three 'Compliance' Priorities
If you’re a Licensee, Compliance Manager or Responsible Manager, you’re forgiven for feeling overwhelmed, fatigued and dispirited.
The rate and extent of regulatory change, consistent and critical media coverage, increasing costs and declining revenues and the constant anticipation of regulatory intervention make a challenging job almost impossible.
Even with the best of intentions, it's often difficult to prioritise activity when your capacity is consumed by reactive responses to unforeseen issues.
We understand. You're not alone.
We appreciate his collegiality because it's a useful tool - but the list of priorities is so overwhelming that it's more depressing than empowering.
So we'll focus on what we think should be your 'Top Three' priorities for 2018.
Understand that in this article we won't be addressing a number of Thomson Reuters' Ten Priorities for 2018, so if you're interested in additional reading:
- Stay current on skills - "We don't need no education" and "The challenge of professionalism"
- Invest in regtech - "Why reg-tech matters so much" and "The reg-tech promise"
- Manage conflicts of interest - "It's the elephant again", "Ineffective compliance: 'best interests' and supervision" and "Compliance Insights: Lessons from REP515"
The environment and our recommendations
In the context of a Royal Commission and an active and successful ASIC, it's prudent to anticipate some level of regulatory intervention. Many licensees are already reporting an increased level of regulatory contact.
One vertically integrated business is currently enjoying regulatory attention that is, at least from its perspective, unwanted, surprisingly intimate and likely to end in tears. As much as they object to the current attention, they're more worried about what will happen when it ends.
Other licensees have been forced to abandon core compliance activities to focus on responding to Notices and preparing for appearances before Commissioner Kenneth Hayne. Smaller licensees, used to being overlooked by ASIC surveillance programs, are suddenly finding themselves noticed by a Regulator driven to enforce a particularly pure interpretation of 'best interests'.
Regardless of your economic model and value proposition, it's certainly 'interesting times' in financial services and few people, if any, have the time and resources to address an extensive work list.
Accordingly, we recommend Compliance Managers focus on the following three topics.
1. Manage personal regulatory risk
Perhaps Scott Morrison was channelling Sam Elliott when he recently wished new CEO Matt Comyn well in his 'challenging' new role.
Although he stopped short of warning Comyn that "sometimes the bear eats you", his references to both the Banking Executive Accountability and related Measures Bill (BEAR) and the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry were pointed and deliberate.
Increased focus on management responsibility is the hallmark of regulatory strategies formed in the wake of repeated institutional failures. Recognising that the ‘bad apples’ theory is an inadequate and unconvincing explanation for recurring failures caused by conflicted models and group revenue models, more regulatory attention is being directed at those that set goals, execute strategies and drive culture.
Indeed ASIC’s recent report proposed two new strategies for proactively dealing with the ‘barrel-packers’ rather than simply reactively dealing with the inevitable consequences of Management’s choices.
While ASIC's proposed positions fall far short of the UK's Senior Management Regime, it should be recognised as an interim step that signals a likely convergence of APRA's and ASIC's approach to accountability.
In all likelihood, this means more work for Compliance Managers because
In 2018, Compliance Managers will not only need to endure regulatory fatigue but respond, commercially and pragmatically, to regulatory initiatives directed to holding individuals personally accountable for cultural and compliance failures - particularly those that involve customer detriment.
BEAR may be the first step but it will not be the last.
Enforcing personal accountability may not be unreasonable in the wake of significant, and highly publicised, institutional compliance failures. Unfortunately the compliance burden will, I suspect, be disproportionately borne not by the Senior Executives but rather by the staff on whom Senior Executives will rely.
In addition, it's important to acknowledge that in many organisations, Management's 'effective oversight' of the business for which they are accountable is often fragmented, incomplete or illusory.
Unfortunately, this reality poorly suits the Regulator's demands for effective monitoring and supervision.
The immediate challenge for Compliance Managers is therefore to develop a consolidated and comprehensive overarching picture of the business including its culture, risk management and compliance framework.
Developing a single, aggregated view of the business is challenging enough for many Compliance Managers.
Add to that the need to develop clear and comparable metrics and a framework that is capable of consistent examination and reporting and you'll appreciate the critical nature of this task.
Don't dismiss BEAR, and ASIC's declarations of intent, as just issues for institutional licensees. Recognise that these signal the Regulators' shift from Issues to Root Causes and mark a new willingness to hold Management accountable for any decisions that cause detriment to consumers.
Appreciate that instead of focusing on 'rogue agents', Regulators will now, appropriately enough, direct attention at the people responsible for the culture that allowed, encouraged, or embedded the misconduct that disadvantaged consumers.
Your 'To Do' List
- Map 'lines of sight' against the organisational structure and position descriptions and identify gaps;
- Assess the depth and rigour of your approach to monitoring and supervision;
- Review both your Attestation regime and the information available to those signing the Attestations;
- Assess the accuracy and usefulness of the information provided to Management and the Board;
- Implement a process for testing the accuracy and reliability of the Attestations provided;
- Assess your governance framework (including the accessibility and visibility of key persons);
- Honestly assess whether your compliance framework is a generic/'one size fits all' model (or one appropriate for the 'nature, scale and complexity' of your current business);
- Ensure that policies, Attestations, reports and minutes are consistently recorded and retained;
- Prioritise building good regulatory relationships;
- Develop an internal communications plan to ensure that Management regularly promote, and embed, your compliance culture; and
- Develop the habit of keeping contemporaneous records of the decisions you make (and the reasons for those decisions).
2. Manage business data
In most respects these additional responsibilities simply complement their traditional 'supervision and monitoring' mandate. Unfortunately, the ubiquity and prevalence of cloud-storage and file-sharing technology has added a layer of complexity to the collection, use and storage of client information.
ASIC's continued focus on the Licensee's obligations to retain client records [CO 14/923] made the Licensee's record keeping clearer, but much more onerous (particularly for those businesses that had traditionally relied on contracts and goodwill to satisfy this obligation).
The reality is that Compliance Managers now need to have a firm understanding of the technology on which their business relies; its capabilities, vulnerabilities and limitations. While principal accountability may ultimately rest with the CIO or IT Department, the Compliance Manager will need to manage the new mandatory data breach reporting obligations.
Thankfully, the Office of the Australian Information Commissioner has published a range of material that Compliance Managers should reflect in their compliance plans.
Regardless of their traditional foci, Compliance Managers need to ensure that data security issues are effectively identified, mitigated and managed in accordance with the business' corporate governance framework. ASIC have identified cyber security as a critical risk but, unfortunately, it's only one of many - and one considered less likely than misconduct, product failures and consumer detriment.
The challenge for many Compliance Managers is that while Company Directors and Officers are required to discharge their duties with care and diligence, most are effectively oblivious to the threat of cyber security.
In the absence of a clear mandate, it will, in practice, fall to the Compliance Manager to both consider this risk as part of the general governance framework and develop ways to anticipate, detect, mitigate, prevent and recover from these risks.
Your 'To Do' List
- Reconfirm your IT/Data Security policies;
- Review the process by which personal information is collected, retained and disclosed;
- Develop a policy for reporting data breaches;
- Deliver 'Privacy and Data Security' training to all internal staff; and
- Document the systems, applications and database tools currently in use (including their contents, use and vulnerabilities).
3. Interpret and explain data
As a strategic management discipline, Compliance promises to deliver greater transparency, deeper insight and more sustainable business.
In reality, few Licensees appreciate, or even acknowledge, the strategic insights offered by Compliance.
Although, to be fair, few Compliance Managers have the skill, systems or data to deliver on this promise.
However, largely as a consequence of the media's persistent focus on corporate misconduct, Management can no longer avoid their obligation to consider the quality of the management information with which they are provided.
In addition, the widespread availability of data visualisation tools (and the popularisation of applications, algorithms metrics) has imposed, on Compliance Managers, an increased obligation to better interpret and explain the trends, metrics and activities that are fundamental to good risk governance.
In practical terms, this trend requires Compliance Managers to develop, refine and continuously improve qualitative reporting mechanisms and provide Management with an accurate and effective view of the business, its activities and its conduct relative to its risk appetite.
This requires at fundamental understanding of the relevant metrics and benchmarks, analytic capability and proficiency in data visualisation.
In 2018, Compliance Managers will need to possess (or develop) the conceptual and operational skills to synthesise an increasing amount of data. They'll also need to highlight the key information without excluding relevant information, without overloading management and without trivialising or concealing issues.
This may explain why 69% of respondents told Thomson Reuters they anticipated investing in reg-tech solutions.
Your 'To Do' List
- Establish a transparent, objective and consistent risk based methodology (with early warning analytics);
- Assess your existing measures for the effective identification, classification and management of risks;
- Develop consistent consequence management measures;
- Review reg-tech systems and ensure any proposed solution provides:
- A conduct-focussed monitoring and supervision framework;
- An effective risk management framework;
- Granular reporting and benchmarking;
- Integrated remediation and consequence management;
- Embedded advice metrics and trend analysis; and
- Consistent and fully auditable management of complaints, incidents and breaches.
- Refocus reporting to include specific coverage of training, remediation and culture;
- Review your reporting to improve clarity, visual appeal and engagement; and
- Objectively assess whether incidents and contraventions are managed appropriately and efficiently.