Author: PX Partners Team

Consistent with practices overseas, the trend of regulators leveraging the industry’s interconnectedness to enable more effective surveillance and oversight has come to Australia. While in some ways this is a positive development for consumers as it could lead to an uplift in standards of conduct across the board, it means a higher compliance burden on issuers and distributors of financial products. 

Background

The financial system plays a key role in supporting broader economic activity in Australia, so it is a system which is of huge value to the community at large. Given this cornerstone role in our society, it is critical that the system operates in a way that meets community expectations. If you deposit your cash into a bank, you should have a high degree of confidence that your cash will be available to you to withdraw in the future. If you invest in a pension scheme, you should have confidence that your funds will not be dissipated by virtue of fraud or theft. Although the latter will be exposed to the normal risks of investing.

The historical approach taken by governments and Regulators to ensure the soundness of the financial system has been threefold:

1. Impose obligations on firms to do certain things or abide by principles set down by legislation or regulation;
2. Subject firms to regular oversight by independent auditors and impose reporting obligations on these auditors; and
3. Hold Boards (and therefore Directors) accountable. And more recently, senior management, under the new accountability regimes.

For the most part, this system of obligations, checks and accountability has been successful in its objective. However, our system is framed to be ‘light touch’. Regulations are mostly principle based, Boards cannot be across all the details of all the firm’s operations, and auditors apply sample testing and various materiality thresholds when reviewing financial statements for accuracy. 

In the last few years, we have observed a new regulatory trend which looks to supplement the traditional approach – the increasing role that clients and counterparties are being asked to play in monitoring conduct and compliance of industry players. In this article, we look at what this means in practice and the important role that RegTech plays in supporting these new obligations. 

Investment Management oversight

Probably the most established and long-standing model is one of institutional clients (pension funds, insurers, etc) performing due diligence on those who manage their funds. The robustness of this framework is reflective of the level of risk posed and some high profile collapses through the years. 

During the 1980’s and 1990’s a focus on performance returns drove a large majority of investors. This attitude changed following the global financial crisis and due diligence increasingly came to the fore as proactive risk management.

In Australia, APRA’s set out its expectations of pension providers in relation to oversight of investment management companies in 2014. And in response, the two industry bodies—the Australian Institute of Superannuation Trustees (AIST), which represents Responsible Superannuation Entities (RSEs), and the Financial Services Council (FSC), which represents fund managers and RSEs in retail superannuation — formalised the approach for operational due diligence which governs oversight arrangements today. 

The model is very well established in Australia and a number of providers supply due diligence services to institutional clients in addition to larger asset owners conducting their own reviews. This has led to a lifting of the bar across the investment management industry with Investment Managers having to meet a number of minimum standards in order to be able to access these institutional mandates.

Breach reporting – dobbing in

The new breach reporting regime introduced in October 2022, introduces an obligation on a licensee to report to ASIC if there are reasonable grounds to believe a ‘reportable situation’ has arisen in relation to a mortgage broker, or individuals who provide personal advice to retail clients in relation to certain financial products.

ASIC has clarified that it does not expect licensees to take proactive steps to investigate potential reportable situations involving other licensees that it deals with in the course of its business. Rather, they are now to be obliged not to turn a blind eye to any facts that come before them through their usual practices or processes that would give them reasonable grounds to conclude that a reportable situation has arisen for another licensee.

This new obligation creates an informal oversight arrangement between issuers and distributors of certain financial products within the chain of financial services.

DDO distributor oversight

With the introduction of the new Design and Distribution (DDO) obligations in October 2021, ASIC has been clear that appropriate arrangements (governance, systems, controls) must be in place to ensure product design and distribution leads to sound consumer outcomes. ASIC has also been clear that the selection and monitoring of distributors forms part of a product issuers reasonable steps obligations. In RG274 ASIC provides that:

“[w]e will consider the steps that an issuer has taken in conducting due diligence in the selection of distribution channels, methods and distributors. Reasonable steps will generally include making an assessment of the capacity of the distributor to comply with the distribution conditions imposed and meet its own obligations as a distributor. We consider that relevant factors would include an assessment of the distributor’s resources, internal controls, past conduct, experience with the target market and competence to distribute the financial product to the target market.”

A useful starting point for product issuers is to consider what processes, systems and controls it would have in place if it were to distribute its products directly to retail clients to ensure the products are sold as intended and in line with the Target Market Determination. This could include controls and processes in relation to product, sales and compliance training, scripts / conversation guides, setting of key performance indicators and appropriate use of incentives. Global firms can also learn from their overseas counterparts who may have implemented KYD and distributor oversight programs for the rollout of MiFID II in Europe or the SFC’s product governance requirements in Hong Kong.

In some segments of the industry, this will be a paradigm shift especially where the product issuer / distributor relationship is one where distributors are seen less as business partners and more as valued clients. In these segments there may be a tension as product issuers look to achieve their reasonable steps obligations without ‘troubling’ distributors. PX Partners is supporting issuers and distributors with the KYD solution for distributor monitoring to take the pain out of the process and reduce costs for all. 

Customer due diligence reliance

Changes introduced by AUSTRAC in June 2021 have created new obligations on Reporting Entities where reliance is placed on customer due diligence (CDD) conducted by a third party. These arrangements can often reduce compliance costs and provide a better customer experience so that CDD is not duplicated or repeated by multiple businesses. 

However, Reporting Entities must manage the risks and regularly assess the arrangement. Entering a CDD arrangement can allow Reporting Entities to take advantage of customer identification and verification performed by a reliable third party on an ongoing basis. These arrangements also provide ‘safe harbour’ from liability for isolated breaches of the customer identification procedures – provided that due diligence has been completed and that the third party’s processes and procedures to be adequate. Reliance can be placed without a CDD arrangement on a case-by-case basis. In these circumstances, the Reporting Entity is liable for any breaches of customer identification procedures when a designated service is provided to a customer. 

The Reporting Entity must ensure the third party has appropriate measures in place to comply with their obligations:

• It must be a reliable third party (as defined).
• CDD arrangements must be recorded in writing with approval from a senior managing official or governing board. 
• The CDD arrangement must include an outline of the responsibilities of each of the parties to the arrangement and provisions to enable the relying reporting entity to obtain all required KYC information relating to the identity and verification details on request.
• Assess CDD arrangements regularly, at least every two years.

When managing risk under a CDD arrangement, it is important to remember that the ML/TF risk assessment of the third party may be different to your own so that the procedures applied by the third party must reflect the risk assessment of the Reporting Entity who is placing reliance. 

Source: AUSTRAC

So what does this mean for me?

• Like it or it not, there is a regulatory trend toward devolved oversight obligations being formally imposed on participants within the chain of financial services. This means that firms will have to establish oversight processes and controls to discharge these new obligations.
• Get ready for more difficult conversations with your Distribution network as the relationship is shifting away from the traditional issuer–distributor sales & relationship focus to one with an oversight and feedback loop.
• Firms should leverage and adapt existing oversight structures and resources which already exist to manage additional compliance without a substantial increase in costs.
• Regulatory technology (RegTech) solutions should be deployed by firms which can assist with efficiency and effectiveness in addition to reducing the associated resourcing costs.

jon@px.partners is passionate about supporting clients with designing fit for purpose oversight arrangements that work. Reach out to learn more about how PX Partners can help. 

On the 6 month anniversary of the introduction of RG274, Design and Distribution Obligations, Jon O’Keeffe hosted a panel of industry experts as they explored:

• What went well in the implementation journey and lessons learned
• Progress on Day 2 deliverables
• The European perspective: 4 years of MiFID II
• The role of RegTech and automation in supporting compliance

Australian Anti-Money Laundering Rules require an Independent Review of the reporting entity’s AML/CTF Part A Program on a regular basis, which in practice is every one to three years depending on the risk profile of the business. Whether you’re new to AML Independent Reviews or it’s been a while since the last one, this article looks to provide you with insights on some of the key components of a Part A Program Independent Review so that you can anticipate and prepare for what is hopefully a quick and painless review.   

Like all reviews / audits / investigations, AML Independent Reviews (Reviews) require key business resources to dedicate precious time to the Review by providing information and responding to sometimes multiple rounds of queries. And while we get excited combing through the details and finding ways to help clients improve their Programs, we recognise that a fast, insightful and efficient Review is much appreciated by compliance officers, Board and senior management.

Below are a few of the key areas the reviewer will assess, and how you can prepare.

1. Risk Assessment

The most important artefact other than the Program itself, is the reporting entity’s ML/TF risk assessment. The reviewer will look at the Program to understand how the entity assesses its ML/TF risk as this will drive their assessment of whether the Program has been designed appropriately given the ML/TF risk exposure of the reporting entity.

The Rules are relatively prescriptive on which factors the entity needs to consider when assessing risk – this includes customer types, types of designated services, foreign jurisdictions, etc. And most-often, these factors are considered and rated individually to inform the overall risk position. AUSTRAC expects that the reporting entity includes all available data in the assessing risk (e.g. trends in usage of a product or channel, transaction monitoring results, suspicious matter raised, relevant AUSTRAC industry assessments).

The reviewer will be verifying that all the factors have been considered and assess the appropriateness of the rating methodology and outcomes.

The reviewer will also consider how the assessment is documented and how often it is updated. Given that the risk assessment is intended to be a living document, the expectation is that it is contained in an easily updatable format (i.e. not solely in the Program documentation) and that it is revisited frequently or when there is significant change in the business. AUSTRAC has provided guidance on its expectations of ML/TF risk assessments.

2. Board Approval of Program

The reviewer will want to see the current version of the Part A Program, as well as any version of the Part A Program that was in place during the review period which is normally 12 months. Therefore, it can be useful to agree a review period where only one version of a Part A Program has been in effect. The reviewer will also ask to see your AML/CTF Policy.

The reviewer will be looking for evidence that the Program was approved by senior management or the Board, usually in the form of Board meeting minutes noting that the Program was approved. They’ll also want to see other supporting policies (e.g. HR policies covering employee screening and on-boarding, risk-rating methodologies) and any standalone process documents or desktop procedures which provide detailed descriptions of processes like transaction monitoring and suspicious matter reporting.

3. Training Content and Delivery

The reviewer will be considering training from a few different angles. Firstly, has the reporting entity considered what levels of training should be provided to which staff (based on their roles and the ML/TF risk arising)? Have all employees completed the AML/CTF training required for their role? Is completion monitored? A training register spreadsheet, or system report showing training completed should be sufficient to demonstrate completion.

The content of the training will also be reviewed. The Rules are prescriptive on what needs to be included (obligations under the Act, consequences of non-compliance, entity-specific risks and consequence and AML related processes and procedures) so the reviewer will want a copy of the training materials provided to verify that the content meets the requirements. In our experience, reporting entities tend to receive findings related to the lack of entity-specific training content.

While there is a plethora of general and generic AML/CTF training available, AUSTRAC expects that employees be trained on how ML/TF risks might present themselves specifically in the organisation they work for, and roles they work in. Risks faced by a fund manager may be greatly different than those face by frontline staff at a large bank. And while some general content is fine, the expectation is that training is tailored to the organisation and to specific roles.

Finally, the frequency of training and training refreshers will be considered. Standard practice is that AML/CTF training should be included in induction training for all employees, and potentially increased or more in-depth training for higher risk-rated roles. An annual re-fresher training for higher risk-rated roles is better practice with all employees having a refresher training at a regular frequency (e.g. every 2 years). Programs should specify the frequency of training so that the reporting entity can clearly demonstrate compliance. Avoid using words like “regular” as this is open to interpretation.

4. Suspicious Matter Reporting

The Act is relatively clear on what matters to report and the timeframes to do so. The reviewer will look to see that these details are outlined in the Program. The reviewer will assess the design of the process which should clearly detail the steps for raising, investigating, and reporting suspicious matters, including forms, systems, roles and responsibilities and timeframes. If any suspicious matters were raised or reported in the period, the reviewer may want to walk through a couple of examples and see the documentation trail to ensure that any matters raised were investigated and reported in line with the Program.

5. Transaction Monitoring Program

While the Program will outline the transaction monitoring process and controls, this area may also have additional process documentation to ensure that those responsible can consistently execute the process. The reviewer will consider how transactions are monitored (i.e. manual vs automated), who is performing the review and its frequency, the logic used to determine which transactions are flagged including how often it is reviewed, and how transactions are investigated and the integration into suspicious matter reporting.

If reports are used, the reviewer will look at how the entity ensures that the reports are complete particularly if no transactions have been identified for further investigation. Likewise, with automated monitoring the reviewer should, at minimum, obtain an understanding as to how the entity ensures that the system is operating as intended and who can setup and change monitoring logic.

6. Ongoing Customer Due Diligence

In addition to performing due diligence on customers at the onboarding stage, the Rules require that some level of review and update of customer identification data is performed throughout the relationship with the customer, particularly in relation to high risk rated customers. We commonly see that this requirement is overlooked, perhaps due to the amount of effort required to update customer data at any frequency.

The reviewer will be considering the risk-based approach to OCDD the reporting entity has applied (which should be documented in the Program or a supporting standard or procedure) and whether the processes and controls are in place to ensure the OCDD program is consistently executed.

We often see high level statements in Programs in relation to keeping customer information up to date. These high-level policy statements cause issues for reporting entities come Review time. By being too vague and open ended, reporting entities can find themselves in a position where they are unable to demonstrate compliance with this aspect of their Program.

7. Employee Due Diligence

The reviewer will want to see written details (whether in the Program itself, or a separate cross-referenced policy) of the reporting entities practices in relation to considering which roles are higher risk from a ML/TF perspective, and what additional due diligence applies to these higher risk roles.

Weaknesses we observe include reporting entities that state the job titles of higher risk roles, without providing any basis for the assessment (e.g. level of influence / seniority, involvement in operating key fraud or ML/TF controls, involvement in relationship management). Another common weakness is Programs that deal with EDD at the onboarding stage but do not have regard to movements of staff from lower risk to higher risk roles.

A quick win here is to ensure alignment between policies and procedures – we sometimes note inconsistencies between the actual onboarding practices of the HR function relative to what is stated in the Program drafted by the Compliance function.

8. Outsourcing and using suppliers

If you use third parties to execute any aspect of your AML/CTF Program, the reviewer will want to see evidence of the usual third party risk management controls being in place e.g. written contracts, risk assessment, due diligence, ongoing monitoring. Screening tools should be vetted to ensure they are fit-for-purpose and that the reporting entity understands the limitations. We have seen examples of the Program relying on certain tools only to later discover that a certain module was never switched on. AUSTRAC has provided useful guidance in relation to reliance on third parties for ongoing CDD arrangements.

If you’re looking to uplift your AML Program, for additional guidance to prepare for your next AML Independent Review, or are interested in speaking to use about performing your next Independent Review, reach out to tanushree@px.partners.

It’s back to school this week signalling that the holiday period is well and truly over. Back to the grind with the addition of rapid antigen testing this year! Over the break, we have been reflecting on the year that was in 2021 and what is to come in 2022.

Without doubt, the past year was almost unprecedented in the amount of regulatory change. This year offers some much-needed reprieve with few changes announced for the year thus far. Government and Regulatory bodies are actively consulting with industry and other stakeholders to shape the next round of changes. And industry is using this time to take a breath, review and iterate what has been done in 2021. Given the confluence of change in October last year, we see a number of deliverables which were deferred to ‘day 2’ rightfully getting attention now. To help out with your planning, we’ve compiled a short list of things consider for the year ahead.

1. File your AML/CTF Compliance report with AUSTRAC

The filing period opened in January so no doubt this is already near the top of your list. We note with interest some of the new sections / questions in the report:

• New questions about outsourcing the development of your AML Program and ensuring it is tailored to the business. This highlights the importance of an entity-specific Program and a sign that AUSTRAC sees this as a current weakness in AML Programs that have been reviewed.
• The mandated independent review is subject to further interrogation this year – whether or not the timeframe for independent reviews is specified in the AML Program (e.g. every two years). If it is not, an explanation as to why is required. This may be data gathering in preparation for a regulatory update mandating specified review timeframes.
• The Regulator is also now seeking details of transaction monitoring in place, querying the level of automation in the process, potentially signaling future guidance over requirements for the testing of automated components as a part of the independent review.

Lastly, you may want to refresh yourself with the changes to the AML/CTF Act that came in to effect in June 2021, particularly around reliance on third party customer identification and verification. Current practices in Europe and Asia see product issuers conducting due diligence on distributors as part of broader distribution governance arrangements (e.g. DDO).

Complete your compliance report before 31 March: AUSTRAC compliance reports | AUSTRAC

2. Review your Whistleblower policy & Modern Slavery Statement

In October 2021, ASIC sent a letter to CEOs detailing findings of its Whistleblower policy review and reminding them of their whistleblower requirements per 2019’s RG 270 Whistleblower Policies. The results of the review of some 100 policies found that the majority of policies provided unclear, incomplete or inaccurate information about how whistleblowers could raise a matter, and what protections they are afforded under the Corporations Act. Additionally, ASIC noted that some policies still referenced obsolete requirements and that others omitted or inaccurately described whistleblower protections.

Fortunately for recipients, ASIC have included detailed observations and commentary as to better practices at the individual requirement level which gives reasonable insights into their expectations of a well-written policy. See the full media release here.

At the end of last year, Monash University released their analysis of the Modern Slavery (MS) Statements of the 100 largest listed companies on the ASX. The results were widely reported in the media and contain some good learnings particularly around the importance of due diligence and remediation. While the importance of a well written policy and robust framework may seem of less importance for unlisted companies, we expect this area to come in for more scrutiny by institutional clients (e.g. superannuation funds) and other gatekeepers in line with the increasing focus on ESG matters. If you have a MS Statement, consider the Monash report and whether enhancements are required.

3. Re-visit the proposed systemic issue analysis and day 2 activities for your Internal Disputes Resolution (i.e. complaints)

RG271 brought about significant changes to the complaint management processes (capturing, responding to, analysing and reporting). Some firms did not treat enhancements to their complaint management processes as day 1 activities so it is worth re-visiting the final decisions on responsibility, frequency, and any details of how these will be performed. Another area that has been left in the day 2 bucket at many firms is settling on how the effectiveness of the IDR process will be monitored, by whom, and at what frequency. Similarly, linking and leveraging analysis performed across both incidents and complaints to ensure systemic issues are identified is key, and an area that may not have been given adequate attention in the scramble leading up to go live in October 2021. We can see these matters becoming issues if left unaddressed for too long, particularly at board reporting time.

4. Perform distributor due diligence and review distributor governance agreements (Regulatory Guide RG 274 Product design and distribution obligations)

We saw a real focus on TMDs as the perceived day 1 critical activity for DDO. But DDO is much more than just TMDs and focus should already have shifted to implementation of governance arrangements including the review and monitoring of distributors. While Programs should already outline how distributors will be monitored (e.g. understanding processes and controls in place via questionnaires, reviews, etc.), they may not consider some of the more practical aspects like what to do with incomplete and inconsistent information from distributors (and exactly who will be making these determinations). In addition, given that some target market determinations will need to be reviewed by October 5, it’s a good time to start formalising the finer details of the review process.

Read more about our views on distributor monitoring here and find out more about our RegTech solution that takes the pain out of due diligence here: Know Your Distributor (KYD)

5. Revisit your controls

The quantity and quality of documented controls varies across firms but it is always a good exercise to give them another look. Time bound review periods can help identify duplicated, obsolete or outdated controls and is an opportunity to document any known, but yet to be documented, controls. If you are looking to enhance your risk and control regime, it is good practice to follow a specific taxonomy ensuring controls are documented in a consistent format and structure helps ensure that controls are applied against the correct risks allowing for a more accurate residual risk assessment. When controls follow a consistent taxonomy and documentation standard, the population of controls can be analyzed to highlight over-reliance on certain types of controls (e.g. manual detective controls) or under-use (e.g. lack of monitoring controls).

6. Get ready for CPS 511

If you want to be on the front foot of one of the next significant regulatory changes, CPS 511 comes into effect from 1 January 2023 for ADI SFIs, with a further staged implementation until 1 January 2024, when it comes into effect for all other APRA regulated entities. Presumably this is being done in conjunction with FAR requirements (where applicable) but this will be new requirements for some. Given that it deals with the often contentious issue of remuneration, we’d suggest allowing additional time for consensus and approval of requirements such as variable vesting, payout schedules and downward adjustment processes.

See the final draft here: Final Prudential Standard CPS 511 Remuneration

7. Get involved with some consultation

We know that it is difficult to find the time to participate in the consultation process but we know that Government and Regulators find these insights invaluable when shaping rules and regulation. It is often more efficient to participate through submissions coordinated by industry bodies (e.g. FSC, FPA) or through services providers which have industry wide reach (e.g. Accounting or Legal firms, custodians) Some to watch for this year:

• regulatory relief for Foreign Financial Service Providers (closed 12 January 2022)
• Implementing Corporate Collective Investment Vehicles (closed 21 January 2022)
• Draft terms of reference of the quality of advice review (due 4 February 2022)
• Financial adviser education standards (due 1 February 2022)
• Employee Share Schemes (due 4 February 2022)
• Consumer remediation draft guidance (due 11 February 2022).

Without the hard deadlines imposed by regulatory change, the to-do list this year has a bit more flexibility but certainly no shortage of action.

Talk to candace@px.partners about how PX Partners is supporting clients with implementation and iteration in 2022.