“Bupa did not have sufficient compliance systems and controls in place during the relevant period to ensure that the extra services would be provided. It therefore did not have reasonable grounds for believing that it would provide those services.”
— Mortimer J, Australian Competition and Consumer Commission v Bupa Aged Care Australia Pty Ltd  FCA 602
How Bupa was saved by the Compliance bell
The ACCC v Bupa Aged Care case demonstrates the value of implementing a comprehensive and effective compliance program. Reducing your penalty because you can rely on a comprehensive compliance program is no mean feat.
As a compliance officer, I am driven not by what I can save for the company but rather, that I can make this world a better place for the customer. Granted this ideal must be balanced with ensuring we can also deliver on commercial objectives.
I rejoiced when reading this case. Compliance is so often seen as a cost and burden. Often as a compliance officer, it is hard to demonstrate the value you bring to the organisation. This case goes some way in quantifying the value of compliance.
The ACCC v Bupa Aged Care case gave our long-suffering profession, a break, as Bupa could rely on their comprehensive compliance program to inform a lower penalty being awarded. Justice Mortimer in this case considered that the agreed penalty of $6million was on the ‘low end’ of the appropriate range, Her Honour was ultimately persuaded to approve the amount due in large part to the breadth of the customer remediation, the compliance measures that Bupa had undertaken and agreed to undertake, and its early admission and ongoing cooperation with the ACCC.
How would your compliance program stack up?
Is it sufficient to prevent or effectively respond to a contravention?
Can you quickly improve or implement a compliance program once a contravention is identified so that it could lead to lower penalties?
Or are your compliance arrangements similar to the insights ASIC uncovered when conducting an investigation into breach reporting , which saw the big banks taking:
- 1,517 days to identify an incident
- 28 days to investigate the incident
- 128 days to lodge a breach report with ASIC
- 226 days to pay remediation payments to affected clients.
When the rubber hits the road, and an issue occurs, your compliance framework seriously gets tested. In the case of Bupa, we saw a culture of accountability, cooperation with the ACCC, production of an implemented compliance program and commitment to improving their compliance program and most importantly remediating their customers.
Lessons for Licensees
When we conduct a Licensee review, we objectively assesses your compliance arrangements and provide you with an insightful assessment of your compliance arrangements, culture, and controls.
Our technology and algorithms base your overall rating in a consideration of both your compliance arrangements and if we conduct advice reviews, your advice quality.
Often our clients will engage us for both a Licensee and Advice Review, as by including a risk-based review of the advice produced by their representatives, the review will highlight how, and to what extent, their culture and compliance arrangements affect the conduct of their advisers, their ethical decision-making and the quality of their advice.
In addition, our vast database allows us to see more, and enhance the information we provide to you, as well benchmark results against the industry.
On occasion we see compliance programs that are not fit for purpose, whether they have been inherited from a large institution and retro fitted to a small to medium Licensee. Where compliance programs have been purchased off-the-shelve and not customised, with fields left blank <insert here>. Or perhaps a system solution has been purchased and not customised or kept up to date.
As we saw in the Royal Commission and subsequent cases, satisfying your compliance obligations does not equal the production of a fancy document or system. It must be fit for your purpose and operational.
We thought we would provide some insights from the many reviews we have conducted to date and highlight some of the areas for improvement.
An analysis of activities includes reviewing regulated documents, websites and social media activity, registers, policies, and procedures dealing with research and investment; marketing material and governance of your regulated documents. Some insights include:
- Registers not being kept up to date and in sync with the compliance committee minutes
- Inadequate governance of promotional and marketing materials and activities
- Websites and social media posts not actively managed
- Regulated documents not compliant with FASEA Code of Ethics
Here we look to your competence when providing financial services, engagement with compliance and board and committees.
Some insights include:
- Inadequate processes and procedures to monitor Authorised Representatives
- Compliance Committee Meetings not regularly scheduled and inadequate records maintained, with actions not actively managed
An analysis of your framework goes to your AML/CTF program, outsourcing policies, Risk Management Framework, disclosure obligations and monitoring compliance obligations.
Some insights include:
- Out of date documents which also include fields that have been left blank
- Inadequate processes and procedures to manage outsourced arrangements
- Inadequate Risk Frameworks
- Lack of detailed and practical guidance for Authorised Representatives to assist with the interpretation of the legislation as well as the regulations and the inclusion of a Licensees’ house view
- Inadequate policies to manage privacy, data breaches and cyber security issues
- Lack of business continuity and disaster recovery plans
- Fee Disclosure procedures in relation to monitoring compliance with the obligations
- Lack of detailed guidance for Authorised Representatives
- Some areas for improvement relate to processes and up to date registers
- Inadequate consequence management framework
- Policies and procedures not up to date with FASEA Code of Ethic requirements
- Policies and procedures not up to date with FASEA Professional Standards
- Adequate training records not maintained
- Inadequate supervision framework
Lucky for us, we see a lot of Licensees who are committed, have the right attitude towards compliance and willingly engage in maintaining and enhancing their compliance frameworks.
When we identify areas for improvement as a result of conducting a Licensee Review, and present the Management Action Plan, most of our clients accept and actively manage the actions.
These are the Licensees best prepared for regulatory pop-quizzes.