Financial institutions will need to start preparing for firm-specific consumer protection risk assessments ("CPRAs") following the publication of the Central Bank of Ireland's ("CBI's") new framework for assessing how regulated financial services firms ("Firms") deliver fair consumer outcomes. Affected institutions will include credit institutions, non-bank lenders, insurance undertakings, investment firms, large retail intermediaries, payment institutions and e-money institutions.
The CBI expects all Firms to understand the risks faced by their consumers. The CBI assesses conduct risk as part of its Probability Risk and Impact System ("PRISM"). For this purpose, the CBI defines "conduct risk" as the risk a Firm poses to its customers from its direct interaction with them. To date, supervisors have assessed this risk through an examination of the nature and scope of a Firm's products and how the Firm controls the risks its products pose to consumers as well as the risks associated with its other interactions with consumers.
In 2016 the CBI enhanced its model for assessing conduct risk to include the broader concept of "consumer risk". This concept recognises that risks to consumers can stem from a Firm's strategy, business model, culture, governance and other internal structures, its systems and processes or the behaviours of individuals at any level in the Firm.
On 8 March 2017, the CBI published its "Guide to Consumer Protection Risk Assessments", which sets out the CBI's new CPRA model as well as what that model means for Firms.
Overview of Consumer Protection Risk Assessments (CPRAs)
The purpose of the CPRA model is to provide the CBI with a framework to assist supervisors in carrying out an assessment of how consumer protection risk is managed within Firms. The model comprises five modules as follows:
- Module 1 - Governance and Controls: this module considers whether the Firm's organisation structure is appropriately designed to allocate roles and responsibilities in relation to the effective management of consumer protection risks;
- Module 2 - People and Culture: this module considers whether a Firm has a truly consumer-focused culture that is underpinned by strong internal support structures that incentivise the required behaviours and hold people accountable for their behaviours. Among other things, supervisors will assess the risk that the Firm's expected behaviours, specifically in relation to consumer protection risk, are not reinforced in the key stages of the employment lifecycle, including recruitment, induction and promotion;
- Module 3 - Product Development: this module will focus on product governance arrangements; new product development; product monitoring and existing product reviews; distribution arrangements; product management information; and marketing and advertising;
- Module 4 - Sales/Transaction Process: this module will consider sales/transactions governance arrangements; the operation of the sales/transactions processes; quality assurance and management information; and
- Module 5 - Post Sales Handling: this module will focus on post sales governance arrangements; the operation of the post sales process; quality assurance and management information.
The CPRA will comprise both a design review and an effectiveness review. The design review will assess the overall design of the controls in place to mitigate the risk and the effectiveness review will assess the operational effectiveness of these controls.
CPRAs will be "intrusive" and will include on-site inspections and interactions with executives, senior management and other staff from all levels of the Firm (including interviews). In addition, there will be walk-throughs with CBI staff, testing of systems and key controls, observation of board and committee meetings, and requests for documentary evidence and for review of the policies and procedures which underpin a Firm's approach to managing consumer protection risk. On-site assessments will typically range from two days to one week in duration but may be longer.
Following the CPRA, the CBI will assign a risk-rating to each Firm which will be supported by a written rationale. Where identified risks are deemed unacceptable by the CBI, Firms will receive a risk mitigation programme setting out findings and recommendations for remediation. The full suite of supervisory tools is available to the CBI in ensuring that Firms implement these recommendations. The results of CPRAs will allow the CBI to undertake sector-specific and broader comparisons of the consumer protection risk management frameworks adopted by Firms and understand the key consumer-focused risks posed by any particular Firm.
The CBI intends to use CPRAs in addition to PRISM risk assessments and thematic inspections. The CBI will, in the main, conduct targeted CPRAs, selecting specific modules and elements and focusing on priority risks. It will use the model throughout 2017 in a series of targeted assessments across retail sectors, with a particular focus on culture, performance management, sales incentives and product governance.
What do Firms need to do?
The CBI expects each Firm to implement a consumer protection risk management framework that is proportionate to the Firm's nature, scale and complexity and to the risk it is designed to manage. While the CBI recognises that there is no single or one-size-fits-all framework for managing consumer protection risks, it is of the view that an appropriate framework will include each of the five modules set out above. According to the CBI, Firms must at a minimum consider the following steps when developing or enhancing their consumer protection risk management frameworks:
- Identify consumer protection risks, which will be specific to each Firm;
- Articulate the Firm's consumer protection risk appetite;
- Document the governance, systems and controls in place to manage and mitigate consumer protection risks;
- Ensure consumer protection risk awareness throughout the Firm;
- Assign clear ownership and accountability for consumer protection risks; and
- Monitor and track the risks using appropriate methodologies, metrics and management information.
A Firm must also ensure that relevant systems and controls are embedded across each of the five modules, that these are being applied as intended and that they are operating effectively in practice.