Oversight of compliance risk by boards of financial services organisations continues to be targeted by Australian regulators as a key focus area. This trend has accelerated since the Financial Services Royal Commission concluded in 2019, starting with the establishment of ASIC’s Corporate Governance Taskforce, which conducted a review of Director and Officer Oversight of Non-Financial Risk in October 2019 and highlighted the importance of management of compliance risk by boards.
More recently, APRA has reiterated this message by setting out expectations for its regulated entities in a February 2022 Insight that boards should ensure that systems are in place to monitor and manage compliance risk at an operational level.
What is compliance risk?
Compliance risk is the risk of legal or regulatory sanctions, material financial loss, or loss to reputation an organisation may incur should it fail to comply with laws, regulations, rules, related self-regulatory organisation standards and codes of conduct applicable to its activities.
Effective compliance risk management necessarily involves an organisation’s:
a. awareness and understanding of applicable laws, regulations, standards and rules – including an awareness of when those laws, regulations, standards and rules change; and
b. ability to designate hierarchies and establish processes designed to meet the minimum requirements identified by those laws, regulations, standards and rules.
Historically, consideration of compliance risk has trailed far behind financial risks such as credit and market risk. However, compliance risk has been increasing in prominence on the radar of boards of companies in the Australian financial services industry due to shifts in the Australian regulatory landscape over the last few years.
The fallout from the Financial Services Royal Commission caused significant reputational damage to a number of Australian financial services organisations, due to the misconduct and compliance failures which were uncovered by Commissioner Hayne and investigated by ASIC and APRA.
The ramifications of these investigations continue to be felt by the financial services industry. This has manifested in increased compliance burdens arising from the wave of regulatory reform implemented by the Australian government since 2019, based on Commissioner Hayne’s recommendations in the Financial Services Royal Commission Final Report. Commissioner Hayne’s recommendations covered such areas of concern as unfair contract terms, product design and distribution obligations, breach reporting, as well as updates to APRA's prudential standards relating to governance and remuneration.
In this regulatory climate, boards of Australian financial services organisations can no longer afford to ignore or trivialise compliance risk due to the potential for substantial reputational and financial damage in the form of customer remediation arising from mismanagement of compliance with the law.
Recommendations from the Australian Regulators
The overarching recommendations from ASIC and APRA for boards seeking to enhance their organisation’s systems and processes for overseeing compliance risk can be summarised as follows:
a. Development of a Defined Approach to Managing Compliance Risk
Organisations should develop and maintain a complete and holistic view of obligations that apply to their business operations. This is particularly important in light of the numerous regulatory reforms to the Australian financial services industry in the last few years, and the continued evolution of these reforms in the future.
APRA recommends, as best practice for achieving this, maintaining regulatory compliance subscription services and seeking input from compliance subject matter experts.
b. Establishment of Clear Processes to Support Compliance Risk Management
Organisations should develop a complete and detailed understanding of the end-to-end processes associated with their product and service offerings, so that compliance obligations can be overlaid on those processes. APRA recommends documenting end-to-end processes and mapping compliance obligations against them in order to identify and fill any gaps between business process and applicable regulations and laws, including any regulatory changes.
Such processes should be supported by ongoing monitoring and business unit reporting to senior management and the board regarding the complete view of compliance obligations as against the end-to-end process.
Both ASIC and APRA have emphasised the importance of creating and maintaining structures which hold management accountable to operate within the relevant rules, regulations and obligations which apply to their organisation.
ASIC recommends that boards actively position themselves to hold management accountable to operate within the board-approved risk appetites for compliance risk.
APRA recommends that organisations specify clear accountability for managing compliance risk by adopting a “Three Lines of Accountability” model to ensure a proactive approach to managing compliance risk, and to engender a top-down culture of treating compliance risk with utmost importance:
a. Line 1: The business, which is responsible for compliance risk;
b. Line 2: Risk management, which provides oversight and challenge; and
c. Line 3: Internal audit, which provides independent assessment and assurance.
Additionally, APRA recommends the appointment of a Chief Compliance Officer, to emphasise the importance of compliance management and to provide a voice for compliance risk concerns at a senior leadership level.
d. Reporting to Boards by Management
Lastly, organisations should ensure that the reporting of compliance risk and the organisation’s risk position by management to the board is accurate, clear, concise and timely, rather than buried in voluminous board packs.
ASIC recommends that clear avenues for the reporting of compliance risk issues and subsequent strategies for their management should be developed by the organisation for reporting from management to the board. This may include the establishment and maintenance of Board Risk Committees which meet regularly, devote the requisite time to identify and discuss strategies to manage compliance risks, and actively engage in overseeing the management of material risks in a timely manner.
Moving forward – Compliance Risk in 2022 and beyond
Both ASIC and APRA have made it clear that management and oversight of compliance risk by boards will remain in the crosshairs of both Australian regulators. In particular, APRA has stated that where an organisation has inadequate compliance risk management, APRA will pay particular attention to the people, systems and processes that have contributed to the issue.
Moving forward, boards of Australian financial services organisations should prioritise the management and oversight of compliance risk by enhancing their systems and processes to align with the recommendations from the Australian regulators and by dedicating resources to stay up to date with the various legislative and regulatory changes in the industry.