You're right, "Compliance" is (still) the problem
Compromises, conflicts and competency
As easy as it has been to highlight the ignorance and arrogance of some advice ‘leaders’, the reality is that their failings may have been exacerbated by compliance functions that were impotent, ignorant or lacking in courage.
In fact, ASIC might add ‘compromised’ as a defining feature of some of these compliance functions.
REP 515 highlighted the compromised quality and questionable independence of some ‘in-house’ compliance teams. The sad truth is that ASIC was not alone in its criticism of compliance functions; both APRA and the Banking Royal Commission have echoed similar concerns and highlighted a need for the transformation of ‘compliance’.
This is, in our view, a necessary pre-condition for the emergence of a sustainable advice profession.
Beyond developing new methodologies, realising the inherent value of compliance requires an uplift in its capability, proven competence and a push towards professionalism.
To be clear, the need to increase standards must apply beyond those people hastily conscripted into “expert remediation” teams. They must apply to a Licensee’s senior leadership, its compliance function and the Regulators themselves. Being able to spell ‘compliance’, should no longer be enough to qualify for a compliance role.
This may be a radical suggestion, but it’s one that accords with recommendations made in the final report of The Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry.
The final report recommends, at 6.13, that APRA and ASIC should each be subject to regular capability reviews. In addition, it recommends that there should be an increased focus on the management of non-financial risks, including governance, compliance and risk oversight.
ASIC, APRA and Competency
As a consequence, perhaps, of his international regulatory experience, the ASIC chair, James Shipton, connects trust to competence with monotonous regularity.
To his credit, he seldom excludes ASIC from his criticism.
Interestingly, while he seems to define competency as “the right skills and knowledge to do the job”, he insists that real professionals supplement competence with both conscientiousness and honesty.
Echoing the long-held views of advice leaders like Annick Donat, Shipton articulates a clear definition of professionalism where capability and competence are interwoven with ethics, empathy and appropriate objectivity.
Unfortunately, while some Licensees made efforts to apply these standards to their distribution networks, few Licensees made any effort to apply these standards to their compliance and risk management teams.
The importance of capability and competence, and in particular compliance capability, became an inconvenient truth for CBA, when in August 2018, APRA released their Final Report of the Prudential Inquiry into the Commonwealth Bank of Australia (CBA).
The Final Report is a must read for anyone interested in corporate culture and organisational design. Its clear summation included a series of recommendations designed to substantially upgrade the authority and capability of CBA’s operational risk management and compliance functions.
As we’ve previously argued, and as the Royal Commission found, CBA is not the outlier some may have hoped.
You may have noticed that the Royal Commission’s final report also references APRA’s Standard on Risk Management (CPS 220). In particular, it cites paragraph 43 of CPS 220 which requires entities to have ‘a designated compliance function that assists senior management of the institution in effectively managing compliance risks’ and requires that the compliance function ‘must be adequately staffed by appropriately trained and competent persons who have sufficient authority to perform their role effectively, and have a reporting line independent from the business lines.’
Capability, competence and courage
Before we get too far down this particular rabbit hole, let’s start by defining the words ‘capability’ and ‘competence’ and mapping their differences.
It’s tempting to define capability as the quality of being capable, but that’s not particularly helpful.
Capability refers to something a person has the ability or knowledge to do. With time, application and deliberate practice, capabilities can develop into competence. Capability is both the starting point for, and the essential pre-requisite of, eventual mastery. Capability is as central to organisational performance as it is to individual performance.
Competence is the state or quality of an individual’s work. Competence is based on, and derived from, a person’s capability but its based on more than aptitude. It is made up of a person’s knowledge, skills, behaviour, mindset and attitude. All these elements, in conjunction, influence how a person will act in a job or situation. Competence is the real measure of effectiveness and mastery.
Courage reflects an individual’s preparedness to risk disadvantage by resisting opposition and influence to act in a manner consistent with their role and function. As the Royal Commission highlighted, the courage to act with integrity in the face of self-interest is not commonplace.
What does it matter, really, if your compliance function is not capable, competent or courageous?
To the disappointment of many vertically-integrated businesses, the capability and competence of your compliance function matter a lot. In fact, the APRA Inquiry into CBA highlights how much it matters.
Read the report and consider your own business.
An international perspective
Australia lags a little on mandating and enforcing compliance, but both ASIC and APRA would have noted international actions taken against individual compliance officers in respect of capability and competence.
In the UK, the Financial Conduct Authority (FCA) showed how important both capability and competence are. One Compliance Officer was fined £75,000 for failing to exercise due skill, care and diligence in performing his compliance oversight role. Another would-be compliance officer, had his application for CF10 and the money laundering reporting function (CF11) refused on the grounds of ‘competence and capability’.
In the UK Gregory Nathan case, the compliance officer failed to demonstrate a detailed knowledge and understanding of the implications of the Firm’s operating model, the money laundering and financial crime risks faced by the firm and the processes that needed to be put in place to satisfactorily address those risks. Specifically, it was the compliance officers’ failure to satisfy the Authority that he could proactively identify and manage the relevant risks in performing the Refused Controlled Functions which caused the Authority to have concerns about the compliance officers’ competence and capability to perform the Refused Controlled Functions.
Compliance, capability and competence
To most compliance officers, “competency” is a familiar concept embedded in s912A of the Corporations Act and s47 of the National Consumer Credit Protection Act. These laws require the Licensee to maintain the competence to provide the licensed services and also ensure that their representatives are both adequately trained and competent to provide those services.
However, this regulatory definition is not particularly helpful in relation to compliance officers’ competence.
A more helpful definition is enshrined in the National Vocational Education and Training Regulator Act 2011 (the Act) and related Standards for Registered Training Organisations.
These define competency as the consistent application of knowledge and skill to the standard of performance required in the workplace. It embodies the ability to transfer and apply skills and knowledge to new situations and environments.
Given that Compliance Staff operate in a complex and frequently changing environment, it’s unsurprising that the necessary skills for compliance officers are expanding, broadening and deepening.
As well as understanding the rules and regulatory requirements, and their application to the firm’s business, Compliance Officers’ competency has to support an increasing focus on conduct, culture and governance.
Rather than fulfilling bureaucratic functions, Compliance Officers now need to ensure that the “corporate strategy and business model treats customers fairly, meets community expectations, and maintains market integrity”.
It seems obvious that compliance officers should be competent, capable and courageous. They should have practical knowledge, relevant qualifications and an aptitude for the role.
However, many compliance professionals lack the foundation knowledge, forensic training and influencing skills they need to perform the role at the level expected by their employers and the Regulators.
To be fair, there isn’t definitive blue print or career pathway for this emerging profession. Most compliance officers come from a legal, audit, accounting or directly from the business itself and they are seldom equipped with the blend of capability, competence and courage that would be present in a more structured profession.
We’ve long argued that compliance is a source of competitive advantage and the foundation of a Licensee’s sustained and sustainable commercial success. We’ll add another element to this general proposition.
The value of ‘compliance’ depends on the capabilities, the knowledge, the skills and abilities of the employees on whom the Licensee depends. These employees must both perform their roles effectively and be willing and able to do so.
A prudent Licensee focuses on developing the capability, competency and courage of their compliance team, not to minimise regulatory risk but to show a commitment to continual improvement and good governance.
Assured Support is a business focused on developing the skills and competence of compliance officers. Our Capability Framework establishes a consistent approach to assessing knowledge, skills and abilities and a systematic basis for building capability. As you grapple with these increasing expectations, remember that we can help you establish your current capability and future needs to help guide and develop your compliance function.