
PX Partners continues expansion with senior hire

16th May 2022, Sydney Australia: Bill Wong joins PX Partners today as a Practitioner and Principal to lead technology innovation and partnerships. This senior appointment adds further capability to meet the growing client appetite for support from real life practitioners rather than career consultants.

 

Bill brings a wealth of experience across risk, strategy and innovation. Most recently, as an Executive Manager, Portfolio & Integration, he led the design and implementation of a new value chain risk management framework for Westpac Group. Before this, Bill worked with PwC and KPMG, in risk and strategy at the Commonwealth Bank and in strategy and implementation at the exited start-up Red Marker. He has also supported academic research publications at UNSW and UTS.

Co-founder and Co-CEO, Tanushree Dabral commented: “We are delighted to welcome Bill to the PX Partners family. Bill’s strong track record of solving complex issues and leading change across organisations enables him to have real conversations that cut to the heart of what our clients need.”

Fellow Co-founder and Co-CEO, Jon O’Keeffe added: “We’re really excited to be joined by another senior practitioner – people are at the centre of everything we do at PX Partners. Bill’s unique experience from academia to novel Regtech lends itself perfectly to continue to drive innovation in governance, risk and compliance for our clients.”

Bill commented: “I’m thrilled to join the team at PX Partners and by the opportunity to lead technology innovation and partnerships. I’ve watched the business grow over the past two years and have been impressed by how PX Partners uses hands-on “lived experience” to deliver and innovate for clients. I am passionate about making an impact, whether to people, organisations or society so was really drawn to the PX for Good commitment to corporate social responsibility.”

“Looking across the industry, I think we are at an inflexion point where there is a real opportunity to think about how and why we utilise governance, risk and compliance functions and how we can deliver enhanced outcomes through GRC by design and technology. I’m invigorated by the chance to be at the forefront of this both for PX Partners and our clients.”

– ENDS –

For more information on this story, or the opportunity to interview the co-founders, please contact Jon O’Keeffe on jon@px.partners or +61 424 299 675.

DDO: 6 months in [WEBINAR]

On the 6 month anniversary of the introduction of RG274, Design and Distribution Obligations, Jon O’Keeffe hosted a panel of industry experts as they explored:

  • What went well in the implementation journey and lessons learned
  • Progress on Day 2 deliverables
  • The European perspective: 4 years of MiFID II
  • The role of RegTech and automation in supporting compliance

 
 


AML/CTF Independent Reviews – 8 areas to focus on before your next review

Australian Anti-Money Laundering Rules require an Independent Review of the reporting entity’s AML/CTF Part A Program on a regular basis, which in practice is every one to three years depending on the risk profile of the business. Whether you’re new to AML Independent Reviews or it’s been a while since the last one, this article looks to provide you with insights on some of the key components of a Part A Program Independent Review so that you can anticipate and prepare for what is hopefully a quick and painless review.   

 

Like all reviews / audits / investigations, AML Independent Reviews (Reviews) require key business resources to dedicate precious time to the Review by providing information and responding to sometimes multiple rounds of queries. And while we get excited combing through the details and finding ways to help clients improve their Programs, we recognise that a fast, insightful and efficient Review is much appreciated by compliance officers, Board and senior management.

 

Below are a few of the key areas the reviewer will assess, and how you can prepare.

 

1. Risk Assessment

The most important artefact, other than the Program itself, is the reporting entity’s ML/TF risk assessment. The reviewer will look at the Program to understand how the entity assesses its ML/TF risk as this will drive their assessment of whether the Program has been designed appropriately given the ML/TF risk exposure of the reporting entity.

The Rules are relatively prescriptive on which factors the entity needs to consider when assessing risk – this includes customer types, types of designated services, foreign jurisdictions, etc. Most often, these factors are considered and rated individually to inform the overall risk position. AUSTRAC expects that the reporting entity includes all available data in assessing risk (e.g. trends in usage of a product or channel, transaction monitoring results, suspicious matters raised, relevant AUSTRAC industry assessments).

The reviewer will be verifying that all the factors have been considered and assess the appropriateness of the rating methodology and outcomes.

The reviewer will also consider how the assessment is documented and how often it is updated. Given that the risk assessment is intended to be a living document, the expectation is that it is contained in an easily updatable format (i.e. not solely in the Program documentation) and that it is revisited frequently or when there is significant change in the business. AUSTRAC has provided guidance on its expectations of ML/TF risk assessments.

 

2. Board Approval of Program

The reviewer will want to see the current version of the Part A Program, as well as any version of the Part A Program that was in place during the review period which is normally 12 months. Therefore, it can be useful to agree a review period where only one version of a Part A Program has been in effect. The reviewer will also ask to see your AML/CTF Policy.

The reviewer will be looking for evidence that the Program was approved by senior management or the Board, usually in the form of Board meeting minutes noting that the Program was approved. They’ll also want to see other supporting policies (e.g. HR policies covering employee screening and on-boarding, risk-rating methodologies) and any standalone process documents or desktop procedures which provide detailed descriptions of processes like transaction monitoring and suspicious matter reporting.

 

3. Training Content and Delivery

The reviewer will be considering training from a few different angles. Firstly, has the reporting entity considered what levels of training should be provided to which staff (based on their roles and the ML/TF risk arising)? Have all employees completed the AML/CTF training required for their role? Is completion monitored? A training register spreadsheet, or system report showing training completed should be sufficient to demonstrate completion.

The content of the training will also be reviewed. The Rules are prescriptive on what needs to be included (obligations under the Act, consequences of non-compliance, entity-specific risks and consequences, and AML-related processes and procedures), so the reviewer will want a copy of the training materials provided to verify that the content meets the requirements. In our experience, reporting entities tend to receive findings related to the lack of entity-specific training content.

While there is a plethora of general and generic AML/CTF training available, AUSTRAC expects that employees be trained on how ML/TF risks might present themselves specifically in the organisation they work for, and roles they work in. Risks faced by a fund manager may be greatly different than those faced by frontline staff at a large bank. And while some general content is fine, the expectation is that training is tailored to the organisation and to specific roles.

Finally, the frequency of training and training refreshers will be considered. Standard practice is that AML/CTF training should be included in induction training for all employees, and potentially increased or more in-depth training for higher risk-rated roles. Annual refresher training for higher risk-rated roles is better practice, with all employees having refresher training at a regular frequency (e.g. every 2 years). Programs should specify the frequency of training so that the reporting entity can clearly demonstrate compliance. Avoid using words like “regular” as this is open to interpretation.

 

4. Suspicious Matter Reporting

The Act is relatively clear on what matters to report and the timeframes to do so. The reviewer will look to see that these details are outlined in the Program. The reviewer will assess the design of the process which should clearly detail the steps for raising, investigating, and reporting suspicious matters, including forms, systems, roles and responsibilities and timeframes. If any suspicious matters were raised or reported in the period, the reviewer may want to walk through a couple of examples and see the documentation trail to ensure that any matters raised were investigated and reported in line with the Program.

 

5. Transaction Monitoring Program

While the Program will outline the transaction monitoring process and controls, this area may also have additional process documentation to ensure that those responsible can consistently execute the process. The reviewer will consider how transactions are monitored (i.e. manual vs automated), who is performing the review and its frequency, the logic used to determine which transactions are flagged including how often it is reviewed, and how transactions are investigated and the integration into suspicious matter reporting.

If reports are used, the reviewer will look at how the entity ensures that the reports are complete, particularly if no transactions have been identified for further investigation. Likewise, with automated monitoring the reviewer should, at minimum, obtain an understanding as to how the entity ensures that the system is operating as intended and who can set up and change monitoring logic.

 

6. Ongoing Customer Due Diligence

In addition to performing due diligence on customers at the onboarding stage, the Rules require that some level of review and update of customer identification data is performed throughout the relationship with the customer, particularly in relation to high risk rated customers. We commonly see that this requirement is overlooked, perhaps due to the amount of effort required to update customer data at any frequency.

The reviewer will be considering the risk-based approach to OCDD the reporting entity has applied (which should be documented in the Program or a supporting standard or procedure) and whether the processes and controls are in place to ensure the OCDD program is consistently executed.

We often see high level statements in Programs in relation to keeping customer information up to date. These high-level policy statements cause issues for reporting entities come Review time. By being too vague and open ended, reporting entities can find themselves in a position where they are unable to demonstrate compliance with this aspect of their Program.

 

7. Employee Due Diligence

The reviewer will want to see written details (whether in the Program itself, or a separate cross-referenced policy) of the reporting entity’s practices in relation to considering which roles are higher risk from a ML/TF perspective, and what additional due diligence applies to these higher risk roles.

Weaknesses we observe include reporting entities that state the job titles of higher risk roles, without providing any basis for the assessment (e.g. level of influence / seniority, involvement in operating key fraud or ML/TF controls, involvement in relationship management). Another common weakness is Programs that deal with EDD at the onboarding stage but do not have regard to movements of staff from lower risk to higher risk roles.

A quick win here is to ensure alignment between policies and procedures – we sometimes note inconsistencies between the actual onboarding practices of the HR function relative to what is stated in the Program drafted by the Compliance function.

 

8. Outsourcing and using suppliers

If you use third parties to execute any aspect of your AML/CTF Program, the reviewer will want to see evidence of the usual third party risk management controls being in place e.g. written contracts, risk assessment, due diligence, ongoing monitoring. Screening tools should be vetted to ensure they are fit-for-purpose and that the reporting entity understands the limitations. We have seen examples of the Program relying on certain tools only to later discover that a certain module was never switched on. AUSTRAC has provided useful guidance in relation to reliance on third parties for ongoing CDD arrangements.

 

 

If you’re looking to uplift your AML Program, for additional guidance to prepare for your next AML Independent Review, or are interested in speaking to us about performing your next Independent Review, reach out to Candace@px.partners.


Planning for 2022 – The long day 2

It’s back to school this week signalling that the holiday period is well and truly over. Back to the grind with the addition of rapid antigen testing this year! Over the break, we have been reflecting on the year that was in 2021 and what is to come in 2022.

 

Without doubt, the past year was almost unprecedented in the amount of regulatory change. This year offers some much-needed reprieve with few changes announced for the year thus far. Government and Regulatory bodies are actively consulting with industry and other stakeholders to shape the next round of changes. And industry is using this time to take a breath, review and iterate what has been done in 2021. Given the confluence of change in October last year, we see a number of deliverables which were deferred to ‘day 2’ rightfully getting attention now. To help out with your planning, we’ve compiled a short list of things to consider for the year ahead.

 

1. File your AML/CTF Compliance report with AUSTRAC

The filing period opened in January so no doubt this is already near the top of your list. We note with interest some of the new sections / questions in the report:

  • New questions about outsourcing the development of your AML Program and ensuring it is tailored to the business. This highlights the importance of an entity-specific Program and a sign that AUSTRAC sees this as a current weakness in AML Programs that have been reviewed.
  • The mandated independent review is subject to further interrogation this year – whether or not the timeframe for independent reviews is specified in the AML Program (e.g. every two years). If it is not, an explanation as to why is required. This may be data gathering in preparation for a regulatory update mandating specified review timeframes.
  • The Regulator is also now seeking details of transaction monitoring in place, querying the level of automation in the process, potentially signaling future guidance over requirements for the testing of automated components as a part of the independent review.

 

Lastly, you may want to refresh yourself with the changes to the AML/CTF Act that came into effect in June 2021, particularly around reliance on third party customer identification and verification. Current practices in Europe and Asia see product issuers conducting due diligence on distributors as part of broader distribution governance arrangements (e.g. DDO).

Complete your compliance report before 31 March: AUSTRAC compliance reports | AUSTRAC

 

2. Review your Whistleblower policy & Modern Slavery Statement

In October 2021, ASIC sent a letter to CEOs detailing findings of its Whistleblower policy review and reminding them of their whistleblower requirements per 2019’s RG 270 Whistleblower Policies. The results of the review of some 100 policies found that the majority of policies provided unclear, incomplete or inaccurate information about how whistleblowers could raise a matter, and what protections they are afforded under the Corporations Act. Additionally, ASIC noted that some policies still referenced obsolete requirements and that others omitted or inaccurately described whistleblower protections.

Fortunately for recipients, ASIC have included detailed observations and commentary as to better practices at the individual requirement level which gives reasonable insights into their expectations of a well-written policy. See the full media release here.

At the end of last year, Monash University released their analysis of the Modern Slavery (MS) Statements of the 100 largest listed companies on the ASX. The results were widely reported in the media and contain some good learnings particularly around the importance of due diligence and remediation. While the importance of a well written policy and robust framework may seem of less importance for unlisted companies, we expect this area to come in for more scrutiny by institutional clients (e.g. superannuation funds) and other gatekeepers in line with the increasing focus on ESG matters. If you have a MS Statement, consider the Monash report and whether enhancements are required.

 

3. Re-visit the proposed systemic issue analysis and day 2 activities for your Internal Disputes Resolution (i.e. complaints)

RG271 brought about significant changes to the complaint management processes (capturing, responding to, analysing and reporting). Some firms did not treat enhancements to their complaint management processes as day 1 activities so it is worth re-visiting the final decisions on responsibility, frequency, and any details of how these will be performed. Another area that has been left in the day 2 bucket at many firms is settling on how the effectiveness of the IDR process will be monitored, by whom, and at what frequency. Similarly, linking and leveraging analysis performed across both incidents and complaints to ensure systemic issues are identified is key, and an area that may not have been given adequate attention in the scramble leading up to go live in October 2021. We can see these matters becoming issues if left unaddressed for too long, particularly at board reporting time.

 

4. Perform distributor due diligence and review distributor governance agreements (Regulatory Guide RG 274 Product design and distribution obligations)

We saw a real focus on TMDs as the perceived day 1 critical activity for DDO. But DDO is much more than just TMDs and focus should already have shifted to implementation of governance arrangements including the review and monitoring of distributors. While Programs should already outline how distributors will be monitored (e.g. understanding processes and controls in place via questionnaires, reviews, etc.), they may not consider some of the more practical aspects like what to do with incomplete and inconsistent information from distributors (and exactly who will be making these determinations). In addition, given that some target market determinations will need to be reviewed by October 5, it’s a good time to start formalising the finer details of the review process.

Read more about our views on distributor monitoring here and find out more about our RegTech solution that takes the pain out of due diligence here: Know Your Distributor (KYD)

 

5. Revisit your controls

The quantity and quality of documented controls varies across firms but it is always a good exercise to give them another look. Time-bound review periods can help identify duplicated, obsolete or outdated controls and are an opportunity to document any known, but yet to be documented, controls. If you are looking to enhance your risk and control regime, it is good practice to follow a specific taxonomy. Ensuring controls are documented in a consistent format and structure helps ensure that controls are applied against the correct risks, allowing for a more accurate residual risk assessment. When controls follow a consistent taxonomy and documentation standard, the population of controls can be analysed to highlight over-reliance on certain types of controls (e.g. manual detective controls) or under-use (e.g. lack of monitoring controls).

 

6. Get ready for CPS 511

If you want to be on the front foot of one of the next significant regulatory changes, CPS 511 comes into effect from 1 January 2023 for ADI SFIs, with a further staged implementation until 1 January 2024, when it comes into effect for all other APRA regulated entities. Presumably this is being done in conjunction with FAR requirements (where applicable) but these will be new requirements for some. Given that it deals with the often contentious issue of remuneration, we’d suggest allowing additional time for consensus and approval of requirements such as variable vesting, payout schedules and downward adjustment processes.

See the final draft here: Final Prudential Standard CPS 511 Remuneration

 

7. Get involved with some consultation

We know that it is difficult to find the time to participate in the consultation process but we know that Government and Regulators find these insights invaluable when shaping rules and regulation. It is often more efficient to participate through submissions coordinated by industry bodies (e.g. FSC, FPA) or through service providers which have industry-wide reach (e.g. Accounting or Legal firms, custodians). Some to watch for this year:

  • Regulatory relief for Foreign Financial Service Providers (closed 12 January 2022)
  • Implementing Corporate Collective Investment Vehicles (closed 21 January 2022)
  • Draft terms of reference of the quality of advice review (due 4 February 2022)
  • Financial adviser education standards (due 1 February 2022)
  • Employee Share Schemes (due 4 February 2022)
  • Consumer remediation draft guidance (due 11 February 2022).

 

Without the hard deadlines imposed by regulatory change, the to-do list this year has a bit more flexibility but certainly no shortage of action.

 

Talk to candace@px.partners about how PX Partners is supporting clients with implementation and iteration in 2022.


Meaningful information, not just data

Data is in abundance these days. Companies are hungry for even the most mundane data points in a quest to glean insights to transform customer experience and product offerings. While many organisations are challenged with how to turn this data into usable insights, it’s clear that ASIC remains ready to welcome data with open arms. 

 

True to their 2017-2020 data strategy, ASIC is preparing to receive large quantities of standardised, searchable data sets from regulated entities thanks to prescriptive requirements in impending legislation (e.g. RG 271’s complaints data pilot, reportable situation form supporting RG 78). Recent notices have also shifted away from ‘Please explain’ language to targeted data requests, further feeding ASIC’s ravenous data repository. In recent years there have been numerous examples of ASIC’s data-driven approach to information gathering leading to ASIC gleaning insights that may have taken some in the industry by surprise. Reverse mortgages, add on insurance sales, breach reporting and the labelling of cash funds to name a few. 

 

Although ASIC’s full analytics capability is yet to be revealed, entities big and small are scrambling to configure existing systems or implement entirely new systems to produce all the different data requirements to achieve compliance and enhance their own capabilities.  However, it may be time to take a step back and consider the following points on data. 

All data provided to ASIC is fair game

In their data strategy, ASIC outlines that ‘Where regulated entities already provide substantial amounts of data to us and other regulators, we endeavour to make better use of this data.’ It’s of course too early to tell how enthusiastic ASIC will be with this. However, the intent may well be to use analytical tools across historic data to identify long-running trends, previously undetectable non-compliance, and to support extensive multi-year investigations. While there’s little that can be done about retracting any previously submitted data, this should act as a reflection point for future submissions. The ‘Just give them everything and they can work out what they need’ approach is a tempting, quick option but is certainly now (more than ever!) ill-advised. Likewise, the ‘inundate them with data’ approach should continue to be avoided. 

Don’t be the last to know

It’s always a bad look when an outsider finds problems in a business, especially when the outsider is a regulator and the problem is non-compliance or conduct harmful to end customers. Without investing in analytics resources and capabilities that routinely interrogate and analyse data, businesses risk the possibility that the regulator will uncover an issue that the business itself has not, leading to the inevitable scramble to create an analysis to demonstrate why there is no issue or to demonstrate that it’s all under control. Ideally businesses will invest in the capability to be the first to detect any potential areas of non-compliance or harmful conduct and to self-correct. The data will be there thanks to the new requirements, but it won’t turn itself into information.

It’s not all about the numbers

Nothing beats the tangible, objective facts, particularly when it’s a number or percent. The eye seems to be drawn to them as an easy representation of an often-complex issue. Customers impacted, dollar value of loss, complaints per product. These are examples of actual requirements but providing or receiving this data alone does not ensure compliance with the form or spirit of regulations. 

 

Looking at the requirements under the Design and Distribution Obligations (DDO) for example, issuers and distributors need to take ‘reasonable steps’ to help ensure that a product reaches the intended customer. Part of these reasonable steps includes having appropriate processes and controls in place at the distribution stage. If you’re a product issuer this means understanding the systems and controls in place at the distributors that are selling your products (RG274.146). Data (complaints, significant dealings) might get you part of the way. But even if data does make it to you from all the parties in the distribution chain, and if you analyse it frequently and meaningfully, it still remains a lagging indicator of potential issues within the distribution chain and is no replacement for proactive and meaningful distributor monitoring.

 

There’s no doubt that data is the way of now. But it’s important to remember that data can have inherent limitations and is only useful when converted to information. 

 

Candace@px.partners is an accountant by trade and at heart (really) and loves turning numbers into information. Talk to Candace, Tanushree@px.partners or Jon@px.partners about how PX Partners can help you with finding meaningful information in your business. 

 


Why trees?

We are surrounded by talking forests. Within them, trees are involved in dramatic fights for survival as they rescue one another from danger, share vital nutrients and communicate.  If you’ve seen our website and LinkedIn page, you may have noticed our heavy use of tree imagery. Today, we’d like to explain why. 

Trees have a marvellous yet little known talent 

Imagine a plague of insects ripping through the forest. Did you know the air is rife with trees calling for help? At first, we didn’t believe trees could talk either. It turns out that trees communicate and share resources to strengthen the entire forest. Carbon and essential nutrients are pumped across the forest network to support trees at risk of death. Young saplings also struggle to survive on their own when growing in dark areas of the forest. Older trees offer a lifeline by pumping sugar through their own roots into those of the young.

 

Trees are not lonely. Underneath the soil there is noisy chatter and relationships developing. Trees of other species may negotiate alliances or form symbiotic relationships, and trees of the same species form communal bonds.

 

In times of danger trees emit distress signals across the entire forest so that other trees can prepare. This communication increases their chance of survival during times of disease, droughts and insect attacks and strengthens the entire forest.

What’s the science?

These fascinating insights are based on the ecologist Suzanne Simard’s 30-year-long research project conducted in Canadian forests. Simard found that trees possess hair-like roots which connect and form expansive fungal networks. These pathways form a communication channel and mechanism to exchange nutrients. ‘Hub trees’ act as mothers to encourage the sharing of resources when trees are in danger or young saplings need support, strengthening the entire forest. You can learn more on her TED Talk ‘How trees talk to each other’.

 

We were also intrigued by the research of German forester, Wohlleben, author of ‘The Hidden Life of Trees’ as described in this article by Richard Grant.  Wohlleben discusses how chemical and hormonal electrical signals which replicate animal nervous systems allow trees to talk. Trees also communicate through pheromones and other scents released in the air, such as when a giraffe is munching on tree leaves. These scents lead to other trees protecting themselves through pumping leaves with tannin, which can kill even large herbivores.

Like trees, we share

We were inspired by what goes on underneath forest soils. Through sharing knowledge and resources the entire forest is strengthened. This resonates with our core purpose of innovating governance, risk and compliance to benefit everyone. And we mean, everyone.

 

For our clients, our knowledge is our asset and we openly share it to make it our clients’ advantage. Trees are a true representation of ‘strength in numbers’ and demonstrate how an entire ecosystem can benefit from the sharing of resources. We are deliberate and relentless about bringing our real-life practitioner experience to everything we deliver for clients.

 

For our community, we know that, like trees, our existence is not lonely. We aim to do our part to protect, promote and progress those around us.

 

We decided that we wanted to have an impact from day one. So since the inception of PX Partners, 10% of profits are directed to charities and social enterprises which support and strengthen our community and environment. We prioritise working with First Nations suppliers, source in a way which minimises environmental impact and donate our knowledge and time pro bono to organisations who share our values.

Trees have reminded us that we are responsible for giving back to the world just as it gives to us. And the world gives a lot.

 

More information on our approach to corporate social responsibility is available in ‘PX for Good’.


Conduct – the evolving landscape

In the aftermath of Covid-19, what are the main conduct considerations in financial services, and how do we need to evolve as compliance professionals to meet these new challenges?

Listen to this webinar hosted by the International Compliance Association to hear Tanushree Dabral and other leading industry professionals discuss the ever-changing landscape for conduct.


What’s the conduct and regulatory focus for the recovery?

Hear Jon O’Keeffe of PX Partners speak to ausbiz about conduct and regulatory themes as our economies reopen and we embrace innovation.

We’re slowly but surely moving out of the pandemic, but the changes that came with it are permanent, particularly for industry and workplace environments.

As we get closer to the light at the end of the tunnel, what key regulatory considerations should businesses be discussing?


Distributor oversight: the hidden part of the iceberg

30 March 2021

 

Distributor selection and monitoring is a vital part of achieving meaningful compliance with the Design and Distribution Obligations. In this post we shine a light on what this means for firms.  

 

We all know how we got here. And why. The 2014 Financial System Inquiry found that the current regime for financial products was inadequate for consumer protection because it relied too heavily on disclosure, general advice and financial literacy. In response, the government introduced the Design and Distribution Obligations (DDO) and Product Intervention Powers (PIP) in 2017. More than ‘a few’ banking and financial advice scandals and a Royal Commission later, DDO and PIP legislation were passed in April 2019 with PIP coming into effect immediately. The extended deadline for DDO is looming with the industry working frantically to achieve compliance by 5 October 2021. ASIC has publicly stated that it expects meaningful compliance from day one.

 

From our observations, the industry is laser focussed on documenting target market determinations (TMD). And understandably so. Product issuers must make TMDs public, providing a visible sign of compliance with one aspect of DDO.

 

But let’s be clear – it is only one aspect. DDO is much more than a TMD.

 

The disclosure trap

The current focus on TMDs is understandable. Firstly, one has to start somewhere. And starting by defining the target market for each product is a good place to begin work. Secondly, the mandatory content in the TMD will tease out thinking in a number of other areas such as distribution conditions and review triggers. Thirdly, not having a TMD means the product cannot be sold and non-compliance will be visible to the market. Lastly, and this is the one to watch out for, writing a document is in our collective comfort zone. The financial services industry has been seeking to achieve compliance through disclosure for years. The machinery in firms for putting a public-facing document in place is well oiled. (ICYMI: ASIC’s research has shown that disclosure and warnings can be ineffective in influencing consumer behaviour and in some instances can contribute to consumer harm.)

 

However, the TMD is not a disclosure document. Albeit mandatory, it is just one of the documented outputs of the internal interrogation of product design and distribution through the lens of achieving sound consumer outcomes. The TMD is the visible tip of the iceberg under which must lie robust and documented internal processes, systems and controls that come together to achieve compliance with DDO.

 

Know your distributors

At first, this seems so obvious that it doesn’t need to be said. But across the financial services and credit industry in Australia, the extent to which financial product issuers and credit providers seek to know their distributors varies. As does the power / influence dynamic. In our view, this aspect of DDO compliance could prove to be the most challenging because, in many cases, it represents a step change in the relationship. Plans for data gathering and oversight should be an early part of DDO planning. We recommend that product issuers start engagement with distributors now rather than further down their implementation plans.

 

What do we mean by “know your distributors” (KYD) and how is this part of DDO? ASIC has been clear that DDO is a principles-based regime that is focussed on having appropriate arrangements (governance, systems, controls) in place to ensure product design and distribution leads to sound consumer outcomes. ASIC has also been clear that the selection and monitoring of distributors forms part of a product issuer’s reasonable steps obligations. In RG274 ASIC provides that:

 

[w]e will consider the steps that an issuer has taken in conducting due diligence in the selection of distribution channels, methods and distributors. Reasonable steps will generally include making an assessment of the capacity of the distributor to comply with the distribution conditions imposed and meet its own obligations as a distributor. We consider that relevant factors would include an assessment of the distributor’s resources, internal controls, past conduct, experience with the target market and competence to distribute the financial product to the target market.

 

What does it mean to assess the distributor’s internal controls? A useful reference point, especially for product issuers that also self-distribute, is to consider what processes and controls they have in place internally to ensure the product is sold as intended and then assess whether the distributor has similar controls in place. This could include controls and processes in relation to product, sales and compliance training, scripts / conversation guides, setting of key performance indicators (KPIs) and appropriate use of incentives. Global firms can also learn from their overseas counterparts who may have implemented KYD and distributor oversight programs for the rollout of MiFID II in Europe or the SFC’s product governance requirements in Hong Kong.

 

In some segments of the industry, this will be a paradigm shift especially where the product issuer / distributor relationship is one where distributors are seen less as business partners and more as valued clients. In these segments there may be a tension as product issuers look to achieve their reasonable steps obligations without ‘troubling’ distributors.

 

Get the conversation started now

Our strong advice for product issuers and distributors is to get the conversation on information sharing / reporting (e.g. complaints) and distributor oversight started now. Don’t wait until the TMD template is finalised – product issuers should engage with distribution partners and work through the real life practical scenarios and use cases around information sharing. This ensures that the end solution not only achieves compliance for both parties, but ensures that compliance supports end-consumer outcomes. Technology will have to play a key role in providing a lower risk, less manual and more cost effective outcome for issuers and distributors alike.

 

Six months to go. Watch out for the iceberg.

 

Update 16 September 2021:

PX Partners has launched a solution that benefits product issuers and distributors by reducing the time, cost and pain often associated with distributor monitoring and due diligence. Go to KYD’s website to learn more and ask for a demo. In the meantime, you can follow us on our LinkedIn.

 

tanushree@px.partners has extensive experience supporting firms in Australia and overseas with distribution oversight and is happy to share her experience. 


The compelling case for outsourcing GRC

It has been a gruelling couple of years for most businesses meeting the challenges presented by the COVID-19 pandemic. It has also represented an opportunity to break with old ways and embrace change. At PX Partners, we have been listening to our clients and others as they tell their stories from the pandemic. Generally speaking, businesses have found novel and creative ways to get things done. And this question really resonated with us: How best to get things done?

 

Upending of traditional business and operating models was underway before the pandemic took hold. But the pace has accelerated with incredible outcomes. Established industry players have struggled as new participants have disrupted business models and challenged traditional thinking. It is not just a competition for market share but a fight for survival in some cases. It is mind blowing that Tesla’s market capitalisation is larger than the nine largest carmakers combined. And the rally in the Airbnb share price following its recent listing means that it is now more valuable than the collective of the seven largest US hotel chains (figures as at December 2020).

 

This is a time for thinking differently. But where to from here?

 

Play to your strengths
Accept that you cannot be excellent in all things. This acceptance will serve you well. By leveraging specific expertise in supporting core business activity, centres of excellence are developed. Support actors can invest in systems, process and people to continually improve without diverting funds from business growth initiatives as these are the business growth initiatives. Clients benefit from best practice and benchmarking.

 

The traditional model of having an office which organised people into different teams to perform functions has been challenged by COVID. Fewer people to organise allows the firm to focus on its core activities.

 

Do you need a problem solved or do you need an FTE?
It can be a natural instinct to throw bodies at problems. But are they the bodies needed when the dust settles? Since the Global Financial Crisis there has been much investment in governance, risk and compliance (GRC) resourcing. But it is now obvious that there is more to be done in how these functions operate efficiently and effectively. Traditionally, firms have always been comfortable outsourcing distribution, operations and legal services but until recently, less so with GRC. At the same time, businesses are faced with growing uncertainty on many fronts – technological disruption, growing community expectations, regulatory and political scrutiny to name a few.

 

To meet this uncertainty successfully, GRC teams must be more elastic with the ability to dynamically augment capability when required. Having the right people at the right time enables success; and what is “right” can change tomorrow.

 

Quantify the cost
The impact of COVID-19 has proven that employees don’t need to physically be in an office to achieve the same or even greater levels of output. Outsourcing of non-core functions reduces payroll costs while bringing the benefit of having qualified experts available with a pool of resources. This is especially relevant in times of stress when more may be required at short notice, such as when the early impacts of the COVID-19 pandemic were being felt by businesses.

 

When considering the right mix of resourcing, it is important to consider that the cost of an employee is not limited to a salary but extends to all the related costs such as recruitment fees, superannuation contributions, insurance, benefits, training, desk space and technology. So, in reality, the ongoing cost of an employee can be multiples of a base salary.

 

The insource / outsource trade off
A common argument used against outsourcing is the perceived loss of control. Tightly drafted agreements with suppliers, clear service level agreements and measurable performance indicators put paid to that argument. Meaningful reporting from service providers in a standardised format makes for more efficient and impactful management and Board meetings. Issues are easily identified and actions quick to implement.

 

Outsource the ‘people risk’. There is much time spent by managers dealing with the disruption caused by turnover in teams, including difficult performance conversations, resignations, recruitment and induction. Time is better spent on revenue generating activities.

 

By having access to a pool of outsourced on-demand talent, firms can dynamically augment their workforce without the need to hire additional full-time employees. In addition to management time, this saves on fixed overheads.

 

Security of data
The ability of businesses to stand up remote and virtual models to continue business as usual operations has been incredible. There is now an opportunity to build on that success by further exploring options to support business growth by identifying core and non-core functions. Selecting partners with industry leading technology platforms and Software as a Service (“SaaS”) to provide support to non-core functions can enhance rather than detract from the technology security risk profile of a business.

 

Applying this to your GRC capability
A survey carried out by PX Partners in November 2020 found that over 90% of senior executives see a shortage of governance, risk and compliance (“GRC”) practitioners as ‘limiting business success’. In addition, 94% agreed that accessing variable or scalable GRC teams would ‘better support their business’.

 

Some small – medium sized firms may have a real need for a senior compliance resource (Head of / CCO level) at the management table day in and day out to provide advice. But when the compliance function is a (senior) 1-person-band, this resource can be underutilised by spending time on ‘compliance hygiene’ activities such as maintaining policies and monitoring obligations. These firms could benefit from outsourcing core, ongoing GRC activities and benefit from the scale and benchmarking an outsourced GRC provider can offer.

 

Boutiques and start-ups often give functional GRC responsibility to their CEO or COO. These firms may not require, or cannot justify hiring, a senior GRC resource. A frequent mistake is to hire too junior for an environment where quick decisions and exercise of experienced judgement are vital (with no “committee” to hide behind!). A solution is to engage an outsourced CRO who can provide the judgment and advice required but without the FTE cost. Distinct from a consultant, this outsourced CRO benefits from a pan industry view but retains an ongoing and deep relationship with the firm and proactively helps identify risks and opportunities from within.

 

jon@px.partners is supporting clients with GRC model and framework reviews. Please reach out to discuss.