Consultation Paper 263
facebook Twitter LinkedIn RSS
In March 2013 ASIC published Consultation Paper 204 (CP 204) and draft Regulatory Guide seeking feedback on new proposals which would introduce more targeted requirements for the risk management systems of responsible entities (REs) not regulated by the Australian Prudential Regulation Authority (APRA). The proposals outlined in CP 204 were not implemented as ASIC continued to await the outcome of the 2014 Financial System Inquiry Final Report (Report). In response to the release of CP 204 in 2013, CompliSpace published a summary of the principal requirements.
A lot of time has passed since the anticipated start date of these RE risk requirements (we have seen four different Prime Ministers for a start), and after much debate these proposals have still not been implemented.
ASIC’s reason for the delay was the outcome of the Final Report but there has also been plenty of resistance from the RE industry. In particular, serious issues were raised with the instrument itself (CP 204), with REs arguing that it seemed unnecessary and not appropriate to use a Class Order instrument to record ASIC guidance and expectations on risk management.
CompliSpace will be producing a series of blogs and whitepapers on the practical implications of how to meet these revised RE risk requirements. This article focuses on the initial key changes between CP 204 and CP 263. Those changes include:
Regulatory Guidance only: the removal of the proposed Class Order, which would have imposed more prescriptive risk management requirements on top of the existing s 912(A)(1)(h) Corporations Act requirement (although ASIC will adopt a facilitative approach to compliance with the proposed Regulatory Guide changes over the initial 12-month period once established).
Not just an RE requirement: the guidance is now designed to apply to:
- AFS licensees authorised (but not currently operating) registered schemes;
- investor directed portfolio service (IDPS) and managed discretionary account (MDA) operators; and
- entities operating unregistered managed investment schemes, such as wholesale fund managers.
Risk culture: ASIC will expect at least annual reviews by the board or its delegate at appropriate intervals to ensure the risk system has been complied with.
Updated best practice expectations including:
- conducting independent reviews to determine whether the risk management systems have been complied with and are operating effectively (at least annually);
- more comprehensive independent reviews of the appropriateness, effectiveness and adequacy of the risk management system (at least every three years);
- publicly disclosing appropriate details of the RE’s risk management system; and
- the establishment of a designated risk management function and/or risk management committee with the appointment of a chief risk officer.
So, the overall regulatory approach takes a softer tone with ASIC confirming the removal of the proposed Class Order instrument as well as a welcome re-draft of some of the more prescriptive, and often confusing, requirements outlined in the previous releases. Importantly, the removal of the proposed ASIC Class Order means that previous ASIC requirements now become ‘expectations’ within the new Regulatory Guide.
As risk management is not about black and white compliance, it was inherently problematic for ASIC to adopt an overly prescriptive approach to the way in which any entity must manage its enterprise risks. While problem areas like the consideration of ‘material business risks’ and risk tolerance ratings remain, the regulatory approach and the overall tone of the revised Regulatory Guide makes these less prescribed as well as slightly clearer in terms of practical application.
The revised Regulatory Guide also takes a more structured format, aligning itself closer to the general steps included within the AS/NZS ISO 31000:2009 Risk Management Standard (ISO 31000). With the removal of the Class Order requirements, and by broadly following the ISO 31000 risk standard the revised Regulatory Guide is slightly easier to read, is more useful as a guidance document and removes some of the issues raised in the previous Regulatory Guide.
Aside from the main changes highlighted above, the updated Regulatory Guide contains a few further changes, particularly in relation to the identification of risks where ASIC will still expect REs to consider risks at both an RE and scheme level and maintain one or more risk registers as part of this process. To assist REs to further populate these risk registers, ASIC has also included within the Regulatory Guide some examples of risks and risk treatments that it considers are particularly relevant to REs, based on regulatory experience.
Overall, these changes will be welcomed by industry – particularly as the introduction of some of the previous requirements would only serve to impose significant compliance costs for smaller operations – which were deemed disproportionate to the regulatory benefit ASIC would have achieved.
That said, it seems that ASIC intends to enforce these changes, emanating from the existing s 912(A)(1)(h) obligation, albeit with a facilitative approach to compliance for the initial 12-month period once the Regulatory Guide is established.
Finally, and of note, wholesale fund managers may be surprised to see that ASIC now may include them within these RE risk management expectations, although this possibility was actually mooted in CP 204. While ASIC acknowledges that a large chunk of the proposed Regulatory Guide may not be relevant to entities operating unregistered managed investment schemes, it is interesting to see wholesale funds now being referenced within this Regulatory Guide, particularly as ASIC recommends that such operators consider this guidance when establishing and reviewing their risk management systems.
Summary of Key Proposals
In summary, CP 263 makes 7 key proposals. These require REs to:
- establish and maintain risk management systems with documented processes, including liquidity risk management processes (B3 (c)), review processes (B3 (d)) and the independent monitoring of external service providers (B3 (e));
- ensure risk management systems address all material risks at both the RE and scheme level (B4 (b));
- have documented processes in place to identify and assess risks (B4 (a));
- have effective control monitoring and assurance processes (B5 (a)) and further manage risks by conducting stress testing and/or scenario analysis of liquidity risks (B5 (b)); and
- implement regular reporting of issues to the board, risk committee and compliance committee as appropriate (B5 (d)).
ASIC has also provided draft guidance on good practice in relation to the:
- conduct of an independent review to determine the effectiveness of risk management system;
- establishment of a risk management committee;
- appointment of a chief risk officer;
- public disclosure of appropriate details of the RE’s risk management system;
- use of risk indicators in identifying and assessing risk;
- conduct of regular stress testing and scenario analysis;
- use of written plans for treating risks; and
- inclusion of compliance plan procedures for ensuring that key risks are managed on an ongoing basis.
How CompliSpace can help
Australian Financial Services Licence holders are inundated with a raft of corporate governance obligations and an ever-growing compliance burden, which can easily distract focus away from core business activities.
CompliSpace delivers industry specific web-based policies, programs and procedures that can be quickly tailored and configured to suit an organisation’s needs and are kept up-to-date with legal and regulatory changes by our team of specialists.
Our team of compliance professionals and lawyers combine extensive expertise with practical technology-enabled solutions to simplify the complexity of the regulatory environment and allow our clients to focus on allocating resources toward improving financial performance.
Please contact James Cozens to discuss your AFSL requirements further.
This blog is a guide to keep readers updated with the latest information. It is not intended as legal advice or as advice that should be relied on by readers. The information contained in this blog may have been updated since its posting, or it may not apply in all circumstances. If you require specific or legal advice, please contact us on (02) 9299 6105 and we will be happy to assist.
Compliance with Current and Future Child Protection Laws – Embedding a Child Protection Culture. How can this be achieved?