In the aftermath of Covid-19, what are the main conduct considerations in financial services, and how do we need to evolve as compliance professionals to meet these new challenges?
We’re slowly but surely moving out of the pandemic, but the changes that came with it are permanent, particularly for industry and workplace environments.
As we get closer to the light at the end of the tunnel, what key regulatory considerations should businesses be discussing?
30 March 2021
Distributor selection and monitoring is a vital part of achieving meaningful compliance with the Design and Distribution Obligations. In this post we shine a light on what this means for firms.
We all know how we got here. And why. The 2014 Financial System Inquiry found that the current regime for financial products was inadequate for consumer protection because it relied too heavily on disclosure, general advice and financial literacy. In response, the government introduced the Design and Distribution Obligations (DDO) and Product Intervention Powers (PIP) in 2017. More than ‘a few’ banking and financial advice scandals and a Royal Commission later, DDO and PIP legislation were passed in April 2019 with PIP coming into effect immediately. The extended deadline for DDO is looming with the industry working frantically to achieve compliance by 5 October 2021. ASIC has publicly stated that it expects meaningful compliance from day one.
From our observations, the industry is laser focussed on documenting target market determinations (TMD). And understandably so. Product issuers must make TMDs public, providing a visible sign of compliance with one aspect of DDO.
But let’s be clear – it is only one aspect. DDO is much more than a TMD.
The disclosure trap
The current focus on TMDs is understandable. Firstly, one has to start somewhere. And starting by defining the target market for each product is a good place to begin work. Secondly, the mandatory content in the TMD will tease out thinking in a number of other areas such as distribution conditions and review triggers. Thirdly, not having a TMD means the product cannot be sold and non-compliance will be visible to the market. Lastly, and this is the one to watch out for, writing a document is in our collective comfort zone. The financial services industry has been seeking to achieve compliance through disclosure for years. The machinery in firms for putting a public-facing document in place is well oiled. (ICYMI: ASIC’s research has shown that disclosure and warnings can be ineffective in influencing consumer behaviour and in some instances can contribute to consumer harm.)
However, the TMD is not a disclosure document. Albeit mandatory, it is just one of the documented outputs of the internal interrogation of product design and distribution through the lens of achieving sound consumer outcomes. The TMD is the visible tip of the iceberg under which must lie robust and documented internal processes, systems and controls that come together to achieve compliance with DDO.
Know your distributors
At first, this seems so obvious that it doesn’t need to be said. But across the financial services and credit industry in Australia, the extent to which financial product issuers and credit providers seek to know their distributors varies. As does the power / influence dynamic. In our view, this aspect of DDO compliance could prove to be the most challenging because, in many cases, it represents a step change in the relationship. Plans for data gathering and oversight should be an early part of DDO planning. We recommend that product issuers start engagement with distributors now rather than further down their implementation plans.
What do we mean by “know your distributors” (KYD) and how is this part of DDO? ASIC has been clear that DDO is a principles-based regime that is focussed on having appropriate arrangements (governance, systems, controls) in place to ensure product design and distribution leads to sound consumer outcomes. ASIC has also been clear that the selection and monitoring of distributors forms part of a product issuer’s reasonable steps obligations. In RG274 ASIC provides that:
“[w]e will consider the steps that an issuer has taken in conducting due diligence in the selection of distribution channels, methods and distributors. Reasonable steps will generally include making an assessment of the capacity of the distributor to comply with the distribution conditions imposed and meet its own obligations as a distributor. We consider that relevant factors would include an assessment of the distributor’s resources, internal controls, past conduct, experience with the target market and competence to distribute the financial product to the target market.”
What does it mean to assess the distributor’s internal controls? A useful reference point, especially for product issuers that also self-distribute, is to consider what processes and controls they have in place internally to ensure the product is sold as intended and then assess whether the distributor has similar controls in place. This could include controls and processes in relation to product, sales and compliance training, scripts / conversation guides, setting of key performance indicators (KPIs) and appropriate use of incentives. Global firms can also learn from their overseas counterparts who may have implemented KYD and distributor oversight programs for the rollout of MiFID II in Europe or the SFC’s product governance requirements in Hong Kong.
In some segments of the industry, this will be a paradigm shift especially where the product issuer / distributor relationship is one where distributors are seen less as business partners and more as valued clients. In these segments there may be a tension as product issuers look to achieve their reasonable steps obligations without ‘troubling’ distributors.
Get the conversation started now
Our strong advice for product issuers and distributors is to get the conversation on information sharing / reporting (e.g. complaints) and distributor oversight started now. Don’t wait until the TMD template is finalised – product issuers should engage with distribution partners and work through the real life practical scenarios and use cases around information sharing. This ensures that the end solution not only achieves compliance for both parties, but also that compliance supports end-consumer outcomes. Technology will have to play a key role in providing a lower risk, less manual and more cost effective outcome for issuers and distributors alike.
Six months to go. Watch out for the iceberg.
email@example.com has extensive experience supporting firms in Australia and overseas with distribution oversight and is happy to share her experience.
31 December 2020
As some light appears at the end of the tunnel with the development of a vaccine for the coronavirus, businesses are beginning to reflect on the lessons learned from the crisis. At PX Partners, we have been listening to our clients and others as they tell their stories from the pandemic. Generally speaking, businesses have found novel and creative ways to get things done. And this question really resonated with us: How best to get things done?
Upending of traditional business and operating models was underway before the pandemic took hold. But the pace has accelerated with incredible outcomes. Established industry players have struggled as new participants have disrupted business models and challenged traditional thinking. It is not just a competition for market share but a fight for survival in some cases. It is mind blowing that Tesla’s market capitalisation is larger than the nine largest carmakers combined. And the rally in the Airbnb share price following its recent listing means that it is now more valuable than the collective of the seven largest US hotel chains (figures as at December 2020).
This is a time for thinking differently. But where to from here?
Play to your strengths
Accept that you cannot be excellent in all things. This acceptance will serve you well. By leveraging specific expertise in supporting core business activity, centres of excellence are developed. Support actors can invest in systems, process and people to continually improve without diverting funds from business growth initiatives as these are the business growth initiatives. Clients benefit from best practice and benchmarking.
The traditional model of having an office which organised people into different teams to perform functions has been challenged by COVID. Fewer people to organise allows the firm to focus on its core activities.
Do you need a problem solved or do you need an FTE?
It can be a natural instinct to throw bodies at problems. But are they the bodies needed when the dust settles? Since the Global Financial Crisis there has been much investment in governance, risk and compliance (GRC) resourcing. But it is now obvious that there is more to be done in how these functions operate efficiently and effectively. Traditionally, firms have always been comfortable outsourcing distribution, operations and legal services but until recently, less so with GRC. At the same time, businesses are faced with growing uncertainty on many fronts – technological disruption, growing community expectations, regulatory and political scrutiny to name a few.
To meet this uncertainty successfully, GRC teams must be more elastic with the ability to dynamically augment capability when required. Having the right people at the right time enables success; and what is “right” can change tomorrow.
Quantify the cost
The impact of COVID-19 has proven that employees don’t need to physically be in an office to achieve the same or even greater levels of output. Outsourcing of non-core functions reduces payroll costs while bringing the benefit of having qualified experts available with a pool of resources. This is especially relevant in times of stress when more may be required at short notice, such as when the early impacts of the COVID-19 pandemic were being felt by businesses.
When considering the right mix of resourcing, it is important to consider that the cost of an employee is not limited to a salary but extends to all the related costs such as recruitment fees, superannuation contributions, insurance, benefits, training, desk space and technology. So, in reality, the ongoing cost of an employee can be multiples of a base salary.
The insource / outsource trade off
A common argument used against outsourcing is the perceived loss of control. Tightly drafted agreements with suppliers, clear service level agreements and measurable performance indicators put paid to that argument. Meaningful reporting from service providers in a standardised format makes for more efficient and impactful management and Board meetings. Issues are easily identified and actions quick to implement.
Outsource the ‘people risk’. There is much time spent by managers dealing with the disruption caused by turnover in teams, including difficult performance conversations, resignations, recruitment and induction. Time is better spent on revenue generating activities.
By having access to a pool of outsourced on-demand talent, firms can dynamically augment their workforce without the need to hire additional full-time employees. In addition to management time, this saves on fixed overheads.
Security of data
The ability of businesses to stand up remote and virtual models to continue business as usual operations has been incredible. There is now an opportunity to build on that success by further exploring options to support business growth by identifying core and non-core functions. Selecting partners with industry leading technology platforms and Software as a Service (“SaaS”) to provide support to non-core functions can enhance rather than detract from the technology security risk profile of a business.
Applying this to your GRC capability
A survey carried out by PX Partners in November 2020 found that over 90% of senior executives see a shortage of governance, risk and compliance (“GRC”) practitioners as ‘limiting business success’. In addition, 94% agreed that accessing variable or scalable GRC teams would ‘better support their business’.
Some small – medium sized firms may have real need for a senior compliance resource (Head of / CCO level) at the management table day in and day out to provide advice. But when the compliance function is a (senior) 1-person-band, this resource can be underutilised by spending time on ‘compliance hygiene’ activities such as maintaining policies and monitoring obligations. These firms could benefit from outsourcing core, ongoing GRC activities and benefit from the scale and benchmarking an outsourced GRC provider can offer.
Boutiques and start-ups often give functional GRC responsibility to their CEO or COO. These firms may not require, or cannot justify hiring, a senior GRC resource. A frequent mistake is to hire too junior for an environment where quick decisions and exercise of experienced judgement are vital (with no “committee” to hide behind!). A solution is to engage an outsourced CRO who can provide the judgment and advice required but without the FTE cost. Distinct from a consultant, this outsourced CRO benefits from a pan industry view but retains an ongoing and deep relationship with the firm and proactively helps identify risks and opportunities from within.
firstname.lastname@example.org is keen to hear more stories of learnings for business from the experience of the pandemic in 2020. Please reach out to discuss.
Post the Royal Commission there has been pressure on the regulators to step up, we’ve seen that with the unprecedented level of action that ASIC has taken; AUSTRAC has come out swinging. In the clients we’re speaking to now, people are more concerned than they’ve ever been before.
10 November 2020
In this post we shine a spotlight on the unassuming, seemingly unsexy checklist and why it is a powerful tool for reducing errors by dealing with the limitations of our brain.
Whether you’re launching a rocket, flying a Boeing, or building a skyscraper, checklists have become an essential ingredient for error reduction and have been proven to literally save lives. Books and a podcast (which is the source of inspiration for this piece!) have been devoted to lauding the checklist.
Even experts need checklists
Checklists are at their most powerful when they are used by experts. They mitigate the mental bias in humans where repetitive activities become routine, leading to the risk that small, but critical, steps are missed.
A case study and modern rebirth story about the power of the checklist is the story of the Flying Fortress. The 1935 crash of this Boeing aircraft was caused by the pilots forgetting to unlock the elevator before take off resulting in the aircraft pitching upward. The pilots were unable to level off and the aircraft crashed. The US military insightfully responded to the event not with additional training, but with a tool that would be instrumental in changing aviation safety – the checklist.
The military recognised that providing more training to expert pilots would not address the root cause of the error. The pilots involved in this crash were highly trained, highly experienced and competent. They were so experienced and sure of what they were doing that they missed routine steps. This is the exact situation where the checklist is a hero.
Atul Gawande, author of The Checklist Manifesto, speaks of a study he conducted that involved developing a basic surgical checklist. He was motivated to conduct this study after examining data that indicated that the major cause of disability or death in surgical patients was related to a problem where the answer was known, however not executed upon. Gawande finds that only a small percentage of disability or death in surgical patients was due to a problem where the answer was unknown. The failure was in the execution, not the knowledge. Gawande and his team developed a basic surgical checklist and trialed it with surgical teams in 8 cities around the world. The average reduction in complications was 35 percent. The reduction in deaths was 47 percent.
The steps in the surgical checklist were elegant in their simplicity: Has the patient confirmed their identity and the procedure prior to the induction of anaesthesia? Has the surgical team introduced themselves to one another by name and role before making an incision? These small steps may be obvious and easily overlooked. A checklist helps to ensure these small, important steps occur each and every time.
Involve the experts
Checklists are most effective when they are designed and implemented in parallel with the teams who will be using them to ensure they are practical.
Anaesthesiologist Peter Pronovost, upon seeing the number of people dying from infections despite existing checklists, sought to understand the root causes for non-compliance at Johns Hopkins Hospital in Maryland. While the existing checklist required medical staff to use PPE, alcohol swabs and drapes, a key pain point he identified was that supplies were stocked in eight different places, adding precious time to operation preparation. Medical teams were choosing timeliness over managing an “invisible” risk of infection that may not manifest. Supplies were relocated to a centralised and accessible cart and replenished regularly. This action saw checklist compliance improve from 30% to 75%.
In his book, Peter Pronovost identified that a power dynamic was also impacting checklist adherence. Doctors did not want to be called out for not following agreed procedures in the operating theatre and nurses were reluctant to challenge the doctors they were working with. Pronovost brought the teams together to agree one central principle – ensuring patient safety and care. In getting this buy-in and addressing culture, checklist compliance increased from 75% to 98% and infection rates more than halved.
Gawande’s research identified similar cultural considerations. Introducing surgical checklists was only part of the solution; another part was understanding the culture of the workplace. Differing approaches were taken by hospitals in Ottawa and South Carolina. In Ottawa the checklist was mandated by law with hospitals attesting that they had followed the checklist. A change management program was not put in place. The result was little improvement in patient death outcomes. In South Carolina extensive consultation was undertaken including one on one sessions to ensure teams understood why the checklist was being implemented and encouraging hospitals to make the checklist their own. South Carolina hospitals involved in the program saw a 22% reduction in patient deaths.
The makings of a good checklist
A good checklist should:
The learnings from the experiences of Pronovost and Gawande are equally relevant outside of the medical sector. Again, culture comes to the fore when seeking to manage risk. And an agreed shared purpose helps underscore the importance for all members of the team. The local environment and context need to be understood. With changes in business practices and advancements in technology, it is worthwhile remembering the humble checklist still has pride of place when it comes to managing risk.
email@example.com is an avid fan of the checklist and has applied the pervasive rigour of PX Partners to support clients with framework & control design and implementation.
3 October 2020
High profile headlines have seen organisations such as Westpac, NAB, State Street and ME Bank face scrutiny as they tango with Australian regulators over compliance failures while negotiating findings and unprecedented financial penalties. This leaves no doubt that ASIC, AUSTRAC and APRA have become more probing and are baring their teeth in response to community expectations and outcomes of the Royal Commission into financial services.
As we reflect on these cases, it’s not difficult to see patterns in these varied situations (even if you aren’t the visual type!). Common threads are clear across the shortcomings identified in the provision of financial advice, management of home loan redraw facilities, regulatory reporting of International Funds Transfer Instructions (IFTIs) and transaction monitoring.
In the case of Westpac, technology resource constraints and the loss of key subject matter experts without proper handover to BAU impacted successful implementation of the 2009 IFTI program. The impact would be felt years down the track when Westpac identified that it had underreported 19.5m IFTIs to AUSTRAC from 2013 to 2018 within the required 10-day timeframes (and not met record keeping obligations in relation to some of these transactions).
AUSTRAC also alleged that typologies and guidance around potential indicators of child exploitation risk were not implemented by Westpac in a timely and effective manner, resulting in inadequate transaction monitoring for 262 customers.
In 2014, ME Bank descoped planned migration of loans from its legacy core banking platform due to complexities and system issues and introduced an interim manual control to monitor, recalculate and load correct available funds for home loan customers. This became a critical control that failed in 2015 resulting in some customers having accessed redraw funds taking their loan balance above the amortisation curve. The control failure and resulting issue was undetected by ME Bank until 2019.
After NAB transferred customers to its MLC direct business, superannuation fund members continued to be charged fees despite not having a financial adviser from 2013 to 2019. The fee for no service impacted 200,000 customers. This in combination with defective product disclosure statements saw ASIC allege that NAB had not acted efficiently, fairly or honestly and slap the Bank with a $57.5m fine.
Hindsight is a wonderful thing but there are several important learnings that organisations should pay heed to.
1. Invest now, or pay later
In all of these cases control and compliance failures were caused by seemingly simple technology system changes with unintended consequences, deprioritised data migration or incomplete customer migration activities. Upstream and downstream impacts of these changes to complex plumbing and associated risks were not fully mapped out, understood or risk accepted by senior management. Appropriate post implementation reviews were also not undertaken to ensure changes had been adequately and completely executed.
There is no better example of the consequence of poor change management than the $1.3bn fine that Westpac has agreed to pay – surpassing CBA’s penalty as the largest fine in corporate history. This is a leaderboard no organisation wants to be at the top of.
Meaningful investment in rigorous controls requires resources – people, time, money. Investing now will save a world of pain later.
2. Controls are Queen
Yes, you read right – have you ever played chess? At the core of all these scenarios is poor control design and execution. Controls are the bread and butter of managing operational risk, so much so that we are seeing the emergence of Chief Controls Officers in large organisations. Manual controls are reliant on people to provide checks and balances, day in and day out, consistently and completely. When that manual control becomes a critical control, the expectation is that people will execute it perfectly. Each and every time. This is where things start to unravel. Manual controls are generally not sustainable in the long-term, particularly where the reliance extends for years as it has in all these cases.
For critical controls it is important that a rigorous controls assurance exercise is undertaken to periodically and independently review these controls and assess whether they are both designed and operating effectively and adequately managing the risk. This controls assurance exercise must be performed by those competent in the process they are reviewing. Transparency is important and a reliance on critical manual controls should have Senior Management visibility as it is tantamount to accepting heightened risk.
3. Everyone is accountable for CX
Customer centricity or customer experience (CX) is no longer a concept owned by marketing teams. It should be embedded in an organisation’s systems, processes, conduct and culture. When ME Bank identified the error with amortisation of amounts available for redraw on home loan facilities, its remediation program saw adjustments made to approximately 21,000 customer home loan redraw facilities before informing customers of its action. In a meeting with ME Bank prior to this occurring ASIC had called out that clear, transparent, timely and effective customer communication is a key inclusion to a client customer remediation program.
In charging customers fees for services never provided, NAB acknowledged that it was unprofessional and wasn’t putting customers first. NAB drew intense scrutiny at the Royal Commission from Commissioner Hayne, who commented that its internal investigation and its negotiations with ASIC appeared primarily directed to minimising the amount that NAB would have to refund to customers.
While Westpac’s IFTI issue was substantial, its alleged failure to adequately identify and manage the smaller population of customers linked to child exploitation has seen significant reputational damage and judgement from its customers and the community.
These examples show that regulators are not being reticent to take enforcement action for technical compliance issues. The numbers speak for themselves. Take State Street being fined $1.24m for omitting to send 99 IFTIs.
Some controls are under pressure in the COVID-19 remote working environment where, for example, they have historically relied upon original signatures or similar. The remote working response invoked in response to COVID-19 has forced the hand of some firms to improve the operation of controls through better use of technology or elimination of redundant controls.
We are now in an environment where compliance breaches, self-reported or not, can attract a barrage of parallel investigations by multiple regulators, shareholder dissatisfaction and class actions. Executives and Board Chairs are not immune to the aftermath of failures by the organisations they steer and face remuneration impacts, job loss and scrutiny by their customers and community. If that isn’t reason enough, the financial burden of remediation, additional resourcing demands and financial penalties show it just makes good business sense to invest in compliance expertise and get it done right the first time, with the customer at the centre. There is after all something in that old adage – measure twice and cut once.
firstname.lastname@example.org would love to hear your comments on this piece or to chat further about how PX Partners brings pervasive rigour to support clients with governance, framework design and remediation work.
27 September 2020
Good customer outcomes are premised on the right information, the right structures and the right controls being in place. In this post, we look at product names and the importance of being true to label.
“Ollie? James? Something Gaelic?”
“Nobody can spell or pronounce Gaelic names. And we don’t know that we’re having a boy.”
And on it went.
The last few months at home have been filled with conversations like this. Choosing a baby name is tough. Made tougher when one party is convinced it’s a boy and the other a girl. Watch this space. Not long to go.
So, it was interesting to see that we weren’t alone with our struggle. ASIC has had a well-publicised engagement with the funds management sector regarding names. Cash? Cash Plus? Short term? Balanced? Conservative? Though I’m sure the path to resolution for affected issuers will be quite a bit different to the resolution of our little family squabble!
We understand that ASIC began this review at the end of 2019 and was driven by concerns at the Regulator that investors could be exposed to misleading promotion when seeking better returns in a period of low interest rates and market volatility. ASIC found that some investment products in the market were being spruiked as ‘cash’ or ‘term deposit’ like but were, in fact, much higher risk products.
This action from ASIC and associated media statements have led to some interesting reflections at PX Partners. What initially appears to be a straightforward piece of regulatory action on product labelling has caused us to look deeper, at some more fundamental product governance questions.
Who decides the name?
Different organisations have different ways of approaching it. We know of one who made it a competition amongst employees at their office. Ultimately, the responsibility sits with the Board or governance authority who approves issuing of the disclosure document. The Due Diligence Committee plays a critical role. As does the Product Manager and Compliance team. But have we paid enough attention to naming in the past? And what about the passage of time? A fund name in 2000 may have been very much in vogue, in line with regulator and community expectations. But it’s 2020. We have had a Royal Commission into misconduct in financial services. Times have changed. Have the labels moved with the times?
Does it matter?
It does. The funds industry relies on advisers, gatekeepers and Approved Product Lists (APLs) to help retail investors navigate their options.
Screening of funds and bucketing of investment options is a well-established practice in the funds industry in Australia. Those with responsibility for categorising different investment products pay more attention to what is ‘under the hood’ than simply relying on the label.
But, that being said, many retail investors do not rely on financial advisers and are choosing investment products themselves. ASIC has ‘called time’ on disclosure reliance with their research indicating that only 20 out of 100 people read disclosure documents. This means it is critically important for responsible product issuers to be transparent with their product labels.
What is required of product issuers?
The answer is the same to most questions faced by the industry – do the right thing, be transparent and care about your customer outcomes. In this case – if you’re not running a cash fund, then don’t call it a cash fund.
From the Regulator’s perspective, this matter goes to some fundamental obligations – are you being misleading and deceptive? Are you providing financial services efficiently, honestly and fairly?
What action is needed now?
This depends on the maturity of your product governance framework. If you have not started work on your firm’s response to the new design and distribution obligations yet, it is time!
Product governance is a broad framework which spans disclosure, labels, operations, customer outcomes, target market, distribution channels, marketing, investments, risk and everything in between. Management and Boards should be asking:
While Juliet might’ve argued that names should not matter, recent regulatory action serves as an important reminder that they do.
email@example.com would appreciate any (helpful!) baby name suggestions and would be happy to chat more about how PX Partners supports clients through regulatory change and interactions.