“Over the course of 13 years, more than 70,000 customers have been affected by these failures, either by being incorrectly charged or given the wrong information. The sheer scale of this impact suggests that, at the time, Westpac had a culture that did not prioritise compliance.”
— 22-097MR Westpac penalised $113 million after multiple ASIC legal actions
113 million reasons to care
If you’ve any appetite for schadenfreude, you probably appreciate that the Federal Court recently ordered Westpac to pay penalties in the amount of $113 million for widespread compliance failures across multiple businesses, including Westpac’s banking (De-registered company accounts), superannuation (insurance in super), wealth management (Inadequate Fee Disclosure) and insurance brands (Duplicate cover and lack of consent).
As Lady Bracknell observed in Oscar Wilde’s “The Importance of Being Earnest”:
“To lose one matter, Mr King, may be regarded as a misfortune; to lose multiple matters looks like cultural failures.”
Oscar Wilde certainly had a firm grasp on compliance. Westpac’s current misfortunes, identified by ASIC as the result of poor culture, should call to mind former ASIC Commissioner John Price’s description of culture as “a set of shared values or assumptions … the mindset of an organisation.”
It’s a reasonable definition if one ignores the reality that organisational culture is not monolithic; most large institutions are collections of disparate and disconnected cultures. Unfortunately, the Royal Commission introduced the idea of cultural contagion and highlighted that the ‘mindset’ of most licensees demonstrates faulty perception, inappropriate actions, delusion and mental fragmentation.
We’ve previously argued that despite ASIC’s focus on “shared values and assumptions”, within most institutional licensees, conflicts, associations and commercial imperatives prevent the emergence of a dominant, consistent and ethical corporate mindset. The cultures of smaller licensees, as we’ve seen recently, are too often undermined by defective advice, confidently given, by former institutional executives and software providers.
Don’t interpret this observation as a general criticism of the industry; the micro, small and medium licensees that have evolved to replace their lumbering predecessors demonstrate, on balance, a far greater focus on their clients and a more demonstrable commitment to acting efficiently, honestly and fairly.
The importance of culture
“Consumer harm caused by systems failures is unacceptable. Financial institutions must invest in systems that allow them to meet their obligations to customers. Consumers are entitled to be confident that the compliance systems of the financial services firms they trust with their financial security are up to standard”
— ASIC Deputy Chair Sarah Court, 22-097MR Westpac penalised $113 million after multiple ASIC legal actions
ASIC consider that culture “is a key driver of conduct”. They also suggest that “poor culture often leads to poor outcomes for investors and consumers”.
It’s a logical argument but we’d suggest that the concept of ‘poor culture’ is so vague, ill-defined and imprecise that it has limited utility. Culture is a comfortable short-hand designation that encompasses a wide range of choices, contexts and conduct. While conduct (acts or omissions) can be positively identified and objectively verified, ‘culture’ (or corporate intent) needs to be inferred – often from choices, policies, public statements and management assurances. Unfortunately, in the absence of identified misconduct, these assessments are often inaccurate, misleading and subjective.
“Management consciously failed to invest in necessary technology, people and safeguards that it knew it needed, leaving these areas understaffed, under-skilled, under-supported and in disarray.”
— Simon Watkins, “Exposed: The regime of fear inside Barclays”, Daily Mail
As difficult as it may be to define ‘good culture’, international regulators continue to emphasise it.
The reasoning seems to be that focusing on conduct (the ‘what’) without any consideration of the context and culture (the ‘why’) addresses the symptoms of the failures, but not their underlying causes.
Thankfully the consideration of environmental concerns (structures, incentives, associations, values and ethics) provides a more complete and convincing explanation of misconduct than the ‘bad apples’ philosophy so beloved of institutional licensees.
In truth, any examination of misconduct needs to consider Context, Culture and Choices. As limiting as it may be, focusing on culture at least encourages systemic analysis, facilitates general observations and allows for simpler causal relationships.
In 2015, ASIC volunteered that Communication, Challenge and Complacency were three elements by which an organisation’s risk culture could be assessed. Unfortunately, the Banking Royal Commission has disabused the community of the notion that there’s any relationship between regular, consistent and clear communication of expectations and licensee conduct.
Defining, and assessing, your culture
“Why should I do anything more than the bare minimum?”
— Mr C, Licensee Head
Mr C’s question is a variation of one we’re frequently asked by advisers and licensees; in a complex regulatory environment, where failures can have significant consequences, why should anyone do more than the absolute minimum?
“Compliance”, as we’ve frequently argued, is only about meeting minimum legal and regulatory standards. While we don’t think advice professionals, or professional firms, build their brand or reputations on “doing just enough (and no more)”, we understand why some advisers (and service providers) cleave to that position.
It seems easy but, in reality, those that aim to do “just enough” generally fail to hit even that modest goal.
Competence, conscientiousness, ethics and accountability – the cornerstones of professionalism – are the clearest way to differentiate advisers and Licensees. The way in which these values are translated and applied within their own businesses is the best way to assess their compliance culture.
If you’re trying to assess the compliance culture of your own business, start by asking:
- What proactive steps do you take to identify misconduct, errors or failures?
- How do you encourage staff to feel, and be, responsible for their choices (and the conduct of your business)?
- What support do you provide to help people make better, and better-informed, choices (or improve the conduct of your business)?
- How do you oversee their conduct, their choices and the conduct of business?
- Do you consider the cultural implications of management decisions?
- How do you ensure that you’re improving conduct?
These questions may seem simple, but by focusing on mechanics (structures, frameworks and policies) you’ll identify your ‘compliance culture’ far more effectively than by focusing on principles, intent and aspirations. Better yet, this approach provides the foundation for a consistent and predictable approach to assessing compliance culture.
Take the initiative to identify misconduct
We’ve addressed this topic on numerous occasions, but start by reading REP 515, industry analysis and ASIC’s releases about their Advice Compliance Project.
Embrace reg-tech, data analytics and key risk indicators. If you lack the internal capability to build interrogable and interconnected systems, use a platform like OpenAFSL to drive your monitoring and supervision processes, manage remediation and flag ‘root causes’.
Analyse financial, client and complaint data. The frequency, timing and volume of transactions should be considered. Consider whether your advisers are inappropriately focused on a particular strategy or product. Assess concentration risk. Compare growth in activity against their internal resources.
Verify any remediation undertaken (and assess its effectiveness). Where remediation was required, how did you respond? Was remediation completed within the required timeframes? Have the identified issues (or related issues) recurred?
Move beyond compliance to explicitly consider Competency and Character. Are representatives meeting, or exceeding, current requirements?
Encourage (and reward) personal responsibility
Review your Employee Handbook, Induction material and Role Descriptions. Ensure that these establish that “compliance is everyone’s responsibility” and that there are consequences for failing to act. Review your KPIs to include ‘compliance’ as both an essential pre-requisite for any bonus or reward AND as ‘discretionary effort’ that may qualify for additional bonuses or rewards.
Check your Remediation and Consequence Management Policies. Confirm that consequences for non-compliance are clear. Investigate to confirm that these policies are consistently and predictably applied. Require any proposed exception to obtain Board approval.
Develop a Code of Conduct. Publish it. Support it. Enforce it.
Implement a ‘CEO award’ for Professionalism. Award this to staff, and advisers, that demonstrate consistent and considered efforts to exceed compliance requirements.
Support positive change
Catalogue and list the systems and platforms available to staff and advisers.
Review your Organisation Chart to clearly and effectively identify key support units. Document their scope and capability.
Nominate a Senior Executive with clear responsibility for ‘culture’. This appointment should demonstrate real commitment to culture and sustainability. It’s an expansive role with cross-department responsibilities that should be differentiated from both Compliance and Governance.
Review your Employee Handbook, Induction material and Role Descriptions. Ensure that these establish that “compliance is everyone’s responsibility”. Clarify that there are consequences for failing to identify and escalate issues. Recognise and reward ‘fixes’.
Review your Compliance Plan and controls. Make sure the arrangements are clearly and effectively detailed. Cover these in your Induction and Training material.
Create open communication channels. Create a simple (and anonymous) way for staff and advisers to identify problems or raise concerns. Implement a ‘no blame’ approach to identified issues.
Make informed, and considered, decisions.
Create open communication channels. Invite business representatives (or advisers) to attend one or more Board Meetings to provide their perspective and insights. Encourage the Board/Management to sit in/work with the business units affected by their decisions.
Embrace reg-tech, data analytics and key risk indicators. Give Management direct access to your interrogable and interconnected systems. Allow them to explore the data (and test their decisions) without the assistance and intervention of conflicted staff.
Introduce client surveys.
Reflect and adapt.
Link values and standards to your reward framework. Any bonus, reward or promotion depends on alignment with your values.
Increase your investment in Compliance and technology.