Review and remediation: "make it right"
Monitoring and Supervision, Consequence Management and Remediation are three elements of a compliance framework that best highlight, or expose, a Licensee’s capability and competence. Not only do they reveal fundamental aspects of a Licensee’s organisational competence but, more importantly, they expose its values, principles and standards.
You may also have noticed that ASIC has recently increased its use of, and reliance on, licensees’ own compliance frameworks (particularly their internal investigation and remediation processes) to achieve regulatory outcomes.
Although the Royal Commission may comment on the effectiveness and appropriateness of this “outsourcing of the regulatory function”, it is unlikely to challenge the presumption that review and remediation programs should be part of a Licensee’s compliance framework.
In one respect, this seems a logical extension of a Licensee’s obligations under 912A.
From a public policy perspective, the complexity, cost and resource requirements of formal remediation programs may encourage licensees to appropriately invest in compliance to prevent non-compliance and misconduct.
Unfortunately, the complexity, cost and resource requirements may also prove prohibitive for some licensees and drive consolidation that concentrates and increases compliance risks.
To better understand this article, please read
What is review and remediation?
Regardless of the impression created by some Licensees at the Royal Commission, ‘remediation’ is not a mechanism for managing, and minimising, liability. Nor should it be considered an ‘optional extra’ for the compliance team to manage.
In reality, ‘Remediation’ is no more than a structured and predictable process for responding to identified problems, underpinned by a commitment to fairly address issues and prevent their recurrence.
In practical terms, a commitment to effective remediation and consequence management simply means that the Licensee will work to correct, mitigate and prevent any compliance failures – particularly any failures that disadvantage, or cause a detriment to, retail clients – and restore or compensate affected clients.
Prevention is better (or at least cheaper) than cure
We’ve previously identified the investments that leading licensees are making in reg-tech.
We’ve also previously asserted that an investment in compliance is, and will be, a source of competitive advantage in a highly regulated market.
The Hayne Commission’s attention on Licensees' remediation processes, and ASIC’s unwavering focus on this topic, should reinforce to you the critical importance of your compliance function.
The Commission has emphatically confirmed that licensees do not have, and have never had, the luxury of ignoring systemic issues.
Your 'supervision' framework
As a Licensee, you have (or are expected to have) the 'measures, processes and procedures' required to comply with the financial services laws and your licence conditions. Training, disputes resolution, due diligence, capital adequacy and cashflow monitoring, breach reporting and record keeping are all very important parts of your compliance infrastructure.
In an advice business, the principal source of risk is the advisers themselves. Accordingly, the compliance framework should properly focus on their conduct and identify those acts and omissions that contravene, or do not comply with, the financial services laws. Given the obligations to act 'efficiently, honestly and fairly' and ensure their representatives comply with the law, how the Licensee monitors and supervises its representatives is critically important to the sustainability of its brand and business.
Errors and compliance failures occur even in the best, well-managed businesses. You cannot prevent every failure, or avoid every risk, so early identification, effective management, and swift resolution of compliance failures are the best way for you to satisfy your clients' expectations while minimising your financial liability and the risk of regulatory sanction.
Take a moment and review the policies and procedures that comprise your supervision framework. After you’ve reviewed your internal ‘measures, processes and procedures’, review the reporting provided to you to ensure the compliance reports adequately and explicitly address:
- the nature, frequency and root causes of the complaints received, regardless of source and outcome;
- the sampling methodology used for adviser reviews;
- recurring or common issues in adviser review reports;
- any relevant ASIC surveillance of associates or competitors;
- concentration risks (clients, products or submission timing);
- commission trends and outliers.
Ensure that you are regularly considering relevant data (complaints, incident and review data) to identify the broader impact of the identified failure.
The limits of Remediation
It’s important to acknowledge that not all failures (or their underlying causes) can be appropriately addressed by a Remediation Plan.
Some conduct risks – such as fraud, theft, misrepresentation and deliberate non-compliance – are behavioural or conduct failures that require an administrative or disciplinary response.
Similarly, it is difficult to effectively remediate issues when an adviser doesn’t acknowledge their responsibility for the failure, or has no interest in remediating it.
ASIC’s RG 256
ASIC’s Regulatory Guide 256 “Client review and remediation conducted by advice licensees” documents the Regulator’s proposed guidance on the scope, design and implementation of remediation processes, communicating with affected clients, governance structures and review mechanisms.
ASIC’s Guide suggests that client review and remediation should occur where “a systemic issue in relation to the advice has been identified” to “place affected clients in the position they would have been if the misconduct had not occurred”.
In our view, it’s important to acknowledge that remediation is a scalable obligation. Many of the principles outlined in RG 256 can be as effectively applied to isolated issues as to systemic ones.
In fact, we’d suggest that an obligation to remediate inevitably follows a Licensee’s identification of an issue and not its formal decision to assume accountability for the resolution of identified issues.
The intention of remediation is to restore the client to the position they would have been in but for the identified issue, incident, act or omission. Essentially, the remediation process should:
- ensure that clients are not disadvantaged by the Licensee’s failure, act or omission (or the failures, acts or omissions of the Licensee’s representatives);
- provide correction, restitution or compensation; and
- prevent the recurrence of similar or associated issues.
Identifying systemic issues
In RG 256 ASIC defined a “systemic issue” in a manner generally consistent with their breach reporting and dispute resolution policies (RG 139). A “systemic issue”, according to ASIC, is:
an issue causing actual or potential loss or detriment to a number of clients as a result of misconduct or other compliance failure by an advice licensee or its current or former representatives. The impact may be a monetary loss or non-monetary detriment.
Unfortunately, this definition may have limited utility in assisting Licensees to identify systemic issues. So, it’s necessary to move beyond “potential loss or detriment to a number of clients” to identify other relevant characteristics. Unfortunately, neither frequency, materiality nor impact are satisfactorily defined and addressed. This makes the “nature, scale and complexity” of a required review and remediation process difficult to ascertain.
Perhaps more problematically, the obligation appears limitless, open ended and oblivious to statutory limitation periods.
Logically, a systemic issue has to relate to, or affect, the whole of a system or organisation. So, it can’t be an isolated issue, or one that affects just some parts of the Licensee. This seems reasonable enough.
ASIC’s own policy introduces frequency, impact and loss or damage as relevant considerations but doesn’t require either significance or recurrence. Nor does their definition require a single causal factor – root cause – to link otherwise unrelated acts or omissions as a single systemic issue.
In practical terms, to determine whether issues are systemic or isolated, a licensee needs to consider the identified compliance failure in context and consider the following questions:
1. Does the failure affect multiple clients? (Impact)
2. Is the same error being made by multiple people? (Consistency)
3. Do multiple failures involve the same product or service? (Frequency)
4. Did multiple clients suffer, or are they likely to suffer, loss or damage? (Detriment)
5. Did the multiple failures occur around the same time? (Proximity)
6. Is the failure one that had previously been identified? (Recurrence)
7. Did the Licensee previously remediate these issues? (Capacity)
Where any of these questions is answered in the affirmative, we’d suggest that you’re dealing with acts and omissions that suggest or prove systemic issues.
To be clear, while some of these points may be logical inferences from ASIC’s position in RG 256, they are not ASIC policy. Nevertheless, they provide a practical framework within which identified issues can be managed and resolved.
Proximity is the most problematic aspect of this framework, but it is, in our view, a critical consideration. Without imposing a reasonable timeframe, failures separated by years could be linked to evidence a systemic failure.
Given that continuing professional development is managed on a triennial basis, you may choose to consider that errors and failures, separated by more than three years, do not suggest or prove systemic issues.
ASIC have suggested that, in a personal advice business, the following failures could be, or could suggest, systemic issues:
- failures to act in the best interests of the client;
- failures to give appropriate advice;
- failures to give clients’ interests priority;
- failing to act on a client’s instructions;
- misconduct by an adviser that may affect several clients;
- misconduct by several advisers in relation to giving advice (for example, adequate record keeping);
- failure to provide key disclosure documents;
- fraud or forgery;
- providing false or misleading statements; or
- the licensee not identifying and addressing misconduct in an “efficient, honest and fair” manner.
It’s important to remember that ASIC have clearly stated that not all systemic issues will require review and remediation. As the licensee, you’ll make that call based on:
- the type of failure(s) identified;
- the nature, scale and complexity of your business;
- the size of your client base;
- the impact or potential of the failure; and
- consequences and implications of the failure(s) (including reputation risk and likelihood of regulatory intervention)
The remediation process
Effective remediation is based on a clear understanding of the problems, their implications and consideration of the context in which they occur. While the Licensee determines the appropriate remedial responses to identified incidents, the process can be reduced to four easy steps.
1. Identification and assessment
Remediation should start before, and run independently of, any legal action, consequence management or administrative action. Fixing the issue, and mitigating the client detriment, should be your immediate priority. Even in the event of theft, fraud or deliberate non-compliance, fixing the problem must be the immediate priority.
A critical element of any remediation program is the speed with which the Licensee responds to the identified failure(s). The early identification of issues, and their efficient and fair resolution, is the best way to prevent the emergence of systemic issues.
While speed is a critical component of effective remediation, it’s more important to properly identify the incident, failure or contravention.
Make a detailed assessment of the failure (including its context and consequences) in enough detail to ensure that your proposed remediation is adequate and sufficient to address the failure and prevent its recurrence.
2. Document the remediation strategy
Material, recurring or systemic failures need different responses to immaterial or isolated process failures.
You not only need to identify the cause, consequence and impact of the identified problem but also propose actions designed to prevent the recurrence of similar issues.
If you're involved in review and remediation, you should:
- make sure you understand the problem – including its cause, impact and effect
- be confident that you can complete the actions in the required time
- understand the significance of the issue
- have assessed the potential impact on the client(s)
- regularly monitor, and report on, the remediation program.
Remedial actions should be allocated to the person(s) best placed to address the issue. Accountability for successful remediation programs will rest with the Licensee’s management team, but responsibility for the remedial actions should rest with those most competent, or most capable, of successfully executing the strategy.
Remediation (or at least significant progress) should occur within a reasonable time. “Reasonableness” depends on the severity, consequence and impact of the identified failure.
4. Confirm and close
Remediation should not be closed or marked as complete unless, or until, the required tasks are confirmed as having been done. Completed tasks should be verified as complete.
Designing a review and remediation program?
ASIC have suggested that a well-designed review and remediation program will:
- adopt a consumer-focused approach (free, consistent, outcomes-focused, accessible, fair, timely and transparent);
- contemplate, and offer, a range of remediation options (monetary and non-monetary);
- be objective, unbiased and equitable;
- be appropriately resourced by skilled and experienced staff, consistent with s 912A(1)(d);
- be appropriately overseen, monitored and documented (peer reviews are suggested for large projects, complex advice or unusual circumstances);
- be open to review by an independent expert or a sufficiently independent person (design and testing, general oversight or quality control);
- have appropriate governance arrangements; and
- operate efficiently, honestly and fairly.