3 October 2020
High profile headlines have seen organisations such as Westpac, NAB, State Street and ME Bank face scrutiny as they tango with Australian regulators over compliance failures while negotiating findings and unprecedented financial penalties. This leaves no doubt that ASIC, AUSTRAC and APRA have become more probing and are baring their teeth in response to community expectations and outcomes of the Royal Commission into financial services.
As we reflect on these cases, it’s not difficult to see patterns in these varied situations (even if you aren’t the visual type!). Common threads are clear across the shortcomings identified in the provision of financial advice, management of home loan redraw facilities, regulatory reporting of International Funds Transfer Instructions (IFTIs) and transaction monitoring.
In the case of Westpac, technology resource constraints and the loss of key subject matter experts without proper handover to BAU impacted successful implementation of the 2009 IFTI program. The impact would be felt years down the track when Westpac identified that it had underreported 19.5m IFTIs to AUSTRAC from 2013 to 2018 within the required 10-day timeframes (and not met record keeping obligations in relation to some of these transactions).
AUSTRAC also alleged that typologies and guidance around potential indicators of child exploitation risk were not implemented by Westpac in a timely and effective manner, resulting in inadequate transaction monitoring for 262 customers.
In 2014, ME Bank descoped planned migration of loans from its legacy core banking platform due to complexities and system issues and introduced an interim manual control to monitor, recalculate and load correct available funds for home loan customers. This became a critical control that failed in 2015, resulting in some customers having accessed redraw funds, taking their loan balance above the amortisation curve. The control failure and resulting issue were undetected by ME Bank until 2019.
After NAB transferred customers to its MLC direct business, superannuation fund members continued to be charged fees despite not having a financial adviser from 2013 to 2019. The fee for no service impacted 200,000 customers. This in combination with defective product disclosure statements saw ASIC allege that NAB had not acted efficiently, fairly or honestly and slap the Bank with a $57.5m fine.
Hindsight is a wonderful thing but there are several important learnings that organisations should pay heed to.
1. Invest now, or pay later
In all of these cases, control and compliance failures were caused by seemingly simple technology system changes with unintended consequences, deprioritised data migration or incomplete customer migration activities. Upstream and downstream impacts of these changes to complex plumbing and associated risks were not fully mapped out, understood or risk accepted by senior management. Appropriate post-implementation reviews were also not undertaken to ensure changes had been adequately and completely executed.
There is no better example of the consequence of poor change management than the $1.3bn fine that Westpac has agreed to pay – surpassing CBA’s penalty as the largest fine in corporate history. This is a leaderboard no organisation wants to be at the top of.
Meaningful investment in rigorous controls requires resources – people, time, money. Investing now will save a world of pain later.
2. Controls are Queen
Yes, you read right – have you ever played chess? At the core of all these scenarios is poor control design and execution. Controls are the bread and butter of managing operational risk, so much so that we are seeing the emergence of Chief Controls Officers in large organisations. Manual controls are reliant on people to provide checks and balances, day in and day out, consistently and completely. When that manual control becomes a critical control, the expectation is that people will execute it perfectly. Each and every time. This is where things start to unravel. Manual controls are generally not sustainable in the long term, particularly where the reliance extends for years as it has in all these cases.
For critical controls it is important that a rigorous controls assurance exercise is undertaken to periodically and independently review these controls and assess whether they are both designed and operating effectively and adequately managing the risk. This controls assurance exercise must be performed by those competent in the process they are reviewing. Transparency is important and a reliance on critical manual controls should have Senior Management visibility as it is tantamount to accepting heightened risk.
3. Everyone is accountable for CX
Customer centricity or customer experience (CX) is no longer a concept owned by marketing teams. It should be embedded in an organisation’s systems, processes, conduct and culture. When ME Bank identified the error with amortisation of amounts available for redraw on home loan facilities, its remediation program saw adjustments made to approximately 21,000 customer home loan redraw facilities before informing customers of its action. In a meeting with ME Bank prior to this occurring ASIC had called out that clear, transparent, timely and effective customer communication is a key inclusion to a client customer remediation program.
In charging customers fees for services never provided, NAB acknowledged that it was unprofessional and wasn’t putting customers first. It drew intense scrutiny at the Royal Commission from Commissioner Hayne, who commented that its internal investigation and its negotiations with ASIC appeared primarily directed to minimising the amount that NAB would have to refund to customers.
While Westpac’s IFTI issue was substantial, its alleged failure to adequately identify and manage the smaller population of customers linked to child exploitation has seen significant reputational damage and judgement from its customers and the community.
These examples show that regulators are not being reticent to take enforcement action for technical compliance issues. The numbers speak for themselves. Take State Street being fined $1.24m for omitting to send 99 IFTIs.
Some controls are under pressure in the COVID-19 remote working environment where, for example, they have historically relied upon original signatures or similar. The shift to remote working in response to COVID-19 has forced the hand of some firms to improve the operation of controls through better use of technology or elimination of redundant controls.
We are now in an environment where compliance breaches, self-reported or not, can attract a barrage of parallel investigations by multiple regulators, shareholder dissatisfaction and class actions. Executives and Board Chairs are not immune to the aftermath of failures by the organisations they steer and face remuneration impacts, job loss and scrutiny by their customers and community. If that isn’t reason enough, the financial burden of remediation, additional resourcing demands and financial penalties show it just makes good business sense to invest in compliance expertise and get it done right the first time, with the customer at the centre. There is after all something in that old adage – measure twice and cut once.
firstname.lastname@example.org would love to hear your comments on this piece or to chat further about how PX Partners brings pervasive rigour to support clients with governance, framework design and remediation work.