Once more unto the breach (register), dear friends, once more
How are compliance breaches identified, managed and reported?
Only time will tell whether the Hayne Royal Commission is all "sound and fury, signifying nothing". At this point in time, the institutional licensees seem to be lurching between threatened litigation and PR disasters, while the smaller licensees (and many others) incredulously wonder how mandatory compliance requirements can be observed so flexibly (if observed at all) at the big end of town.
Our clients, in particular, question whether any other Licensee would be permitted to retain their AFSL if they handled breach reporting in the same way.
Despite the admissions made at the Royal Commission, ASIC value breach reporting and see it as "an important part of the regulatory framework". ASIC like to be notified but they don't take action on all matters reported to them. Instead, they consider the information in the breach report and use it to inform their decision about whether it is necessary or appropriate to take further action.
REMINDER: Licensees are required to notify ASIC in writing of any “significant” breach (or likely breach) of their licence conditions or compensation arrangements or the financial services laws, as soon as practicable, and in any event within 10 business days of becoming aware of the breach or likely breach.
Even if these failures recede into the background in light of more dramatic contraventions, they have sparked a renewed focus on Incident Management and Breach reporting.
What is Incident Management?
Let's start with the basics.
If you're a Licensee, or a representative of a Licensee, you probably understand the importance of recognising (and remediating) your contraventions of the laws, standards, policies or practices. Whether a contravention is an Incident or a Breach is a matter of legal judgment but, practically, the more profound the impact of the contravention, the more likely it's a breach. It's best not to leap to that conclusion at the outset though because formally recognising an incident as a breach has some important consequences.
Licensees have statutory obligations to promptly report significant or repeated failures (breaches) to ASIC as soon as they become aware of them.
Unfortunately, not all Licensees deal with Incidents and Breaches in the same way.
In reality, problems will occur in any large, complex and diverse business. The Regulators understand this. They expect that incidents will occur and they expect, reasonably enough, that Licensees will identify and adequately manage them; not only to prevent their recurrence but also to use the experience to improve their business and the services they offer to their clients.
From a commercial perspective, the accurate identification and analysis of incidents provides you with a useful gauge of your performance and the effectiveness of your controls.
From a governance perspective, one of the most effective indicators of a Licensee's 'compliance culture' is not the way they respond to incidents, but the way they proactively identify them. Competent Licensees can react to identified failures; capable Licensees search for them and ensure that their staff understand that everyone in their business is responsible for identifying and reporting incidents. (How they reward staff who identify and report incidents highlights their real values.)
Not all incidents are breaches
If you consider that an Incident is any failure of your internal controls, it's easy to imagine that some failures are going to be more significant than others.
Isolated or one-off errors (that are quickly remediated) are less of a problem for your business than significant or recurring issues. These latter types of incidents or failures are commonly considered to be Breaches.
Logically, not all failures are the same. In fact, the context, consequence and impact of the failures is critically important for determining your required response.
It should not surprise any competent Licensee to learn that ASIC expect you to adequately respond to identified breaches (ASIC 15-003MR).
Which 'failures of internal controls' amount to breaches is contextual: it depends on the significance of the failure and its impact on your business and your clients.
This is clearly an over-simplification, but it's reasonable that the size of your business and the number of your clients will influence your assessment of whether an incident is a breach.
Incidents (and potential breaches) include, but aren't limited to:
- Failure(s) to produce Statements of Advice or provide Financial Services Guides;
- A contravention of an applicable law, regulatory requirement, or a licence condition;
- Charging clients for services that aren't provided;
- An inability to meet, or continue to meet, a licence condition;
- Misrepresentation of a product's benefits or features;
- A breakdown of a key control, system or process;
- Signing a document on behalf of your client (without legal authority);
- A recurring event, or combination of events, that, considered together, indicate a systemic internal control failure;
- A breach of contractual arrangements (including client agreements, outsourced service providers, mandates, guidelines);
- Failures of your Internal Dispute Resolution processes;
- Failure to notify ASIC of significant breaches; and
- Representative misconduct, such as breaches of their Best Interests Duty.
Identifying a 'significant' breach
In some respects, anyone asked to define 'significance' is forced to either admit that "it depends" or else mirror Justice Stewart's legal definition of pornography and assert that they'll recognise it when they see it.
As unsatisfying as this response may be, it's less an equivocation than a recognition that 'significance' is a subjective and contextual determination.
Consequence and regularity are important factors for you to consider. We'd add that when you're assessing significance you should also explicitly consider:
- Frequency or similarity. As a general rule, the larger the number of similar failures, the more likely the new failure will be significant. Appreciate that frequent or repetitive failures suggest systemic issues.
- The impact of the breach on your organisational competence. If the failure impairs, or is likely to impair, your capacity to provide financial services, it's likely to be a significant breach. For example, your failure to meet your financial requirements indicates an inability to continue to provide financial services.
- The adequacy of your controls. A failure to effectively monitor and supervise your representatives, for example, would generally be considered a significant breach because it indicates the inadequacy of your compliance arrangements. The fact that CBA took two years to determine whether their Fee-for-Service issues were significant should have been enough to indicate they were: the length of time it takes to discover and resolve breaches highlights the effectiveness of the Licensee's compliance arrangements.
- The actual or potential financial loss to clients. If a breach results in financial losses for clients of the Licensee, this could indicate a significant breach. The larger the losses (either individually or in aggregate) the more likely the incident is a significant breach.