ASIC has released Report 528: Responsible Entities’ compliance with obligations as part of its continued focus on the conduct of the Asset Management industry. ASIC's Report focused on 11 Key Areas which relate directly to the general obligations outlined in s 912A.
The key areas were:
- PI insurance;
- managing conflicts of interest;
- breach reporting;
- dispute resolution;
- risk management systems;
- cyber resilience;
- values and behaviours;
- rewards of incentive; and
A common theme throughout ASIC's Report is the need for the RE board and senior leadership to take more responsibility and increase their oversight over, and involvement in, key risk areas affecting the entity's operations. This theme aligns with ASIC's focus on culture and the importance of having leadership from the top, in terms of developing and implementing an effective culture.
Some of the surveyed entities had less than the minimum level of cover required. REs should review their PI insurance policies to ensure an appropriate level of coverage is in place.
Managing conflicts of interest
Last year we published a two-part series on how to manage conflicts of interest in practice:
- Financial Services Update: Conflicts of Interest in Practice – Part 1 identification and examples; and
We noted that as ASIC is increasing its attention on conduct, culture and conflicts of interest, the identification and management of conflicts of interest is critical. A key area where conflicts arise is from the different capacities in which financial services businesses operate.
ASIC found that the majority of REs identified compliance breaches or control failure incidents within their organisation. In response to these breaches and failures, ASIC suggested that REs should regularly review their breach reporting measures to ensure they remain effective to identify, manage and report breaches.
The majority of REs surveyed relied upon the services of external custodians to safeguard assets. Only around half of the entities had established standalone documented measures for monitoring custodial arrangements. ASIC also found that board oversight of the continual review process was generally lacking. ASIC recommended that REs should review their custody measures to ensure they comply with the requirements of RG 133 and update measures where necessary.
When it came to dispute resolution, ASIC noted that it was common for the assessment and decision of disputes to fall on a single staff member, such as a director, head of compliance or complaints officer. Only three of the REs identified a board member as having the role of reviewing all complaints or escalated matters.
To help ensure accountability, ASIC said that the top management of an RE should be provided with reports about disputes, including any information on the actions taken and the decisions made. REs should also review RG 165 to see what measures should be in place or updated so an effective dispute resolution process is in place.
ASIC found that most REs it surveyed, except for two, had risk management systems in place. Top risks that were faced by REs were operational, market and regulatory risks. Other common risks faced by REs included governance, capital, personnel and liquidity risks. As part of their legislative requirements, all AFS licence holders and REs must have adequate risk management systems in place. ASIC proposed that REs should regularly review and amend their risk management systems to take into account guidance in RG 259. For more information on risk management systems and RG 259, please refer to our previous article: ASIC RG 259: Risk Management … It’s Finally Here
ASIC's Report found that most REs had reviewed their compliance measures so they addressed any risks identified through their risk management systems. All REs had at least one person who was delegated the responsibility of managing their compliance function and larger organisations had on average three compliance personnel.
ASIC raised many concerns about the quality of compliance plans. ASIC noticed that where REs did not have any documented standalone measures, some compliance plans did not contain sufficient details on legal concepts and obligations, tasks that must be carried out, the person responsible for maintaining the plan, how the obligations will be met and how the tasks were monitored. ASIC was concerned that some compliance plans required that one person monitor a number of, if not all, measures or plans, where delegated persons have other significant or conflicting duties.
ASIC recommended that REs should actively monitor and amend compliance measures, and make sure that adequate resources are given to the compliance function so REs remain compliant.
One of the significant risks that ASIC identifies as a 'growing and ongoing' concern for the financial services industry is cyber resilience. One of ASIC’s observations was that the degree of sophistication and robustness in cyber risk management practices varies among REs. ASIC also noted that a 'significantly high proportion' of agreements that REs had with third party providers did not address this risk. To address any issues of malicious cyber attacks, ASIC recommended that REs need to strengthen their cyber resilience measures by reviewing and implementing measures to counter such attacks. ASIC suggested that REs read the NIST Cybersecurity Framework referred to in Report 429 Cyber resilience: Health check to help implement and improve cyber resilience measures.
Values and behaviour
ASIC found that the majority of REs had documented measures in place to address areas of cultural values within their organisation. That said, the minority had had those measures approved or endorsed by the RE's board.
We have previously written about the importance of 'leading from the top' so that positive cultural values will cascade down to the rest of the organisation and translate into actual business practices.
ASIC recommended that boards should influence the culture within REs by:
- setting the tone from the top, to ensure that desired values and behaviours are given appropriate prominence;
- putting in place governance structures to ensure this tone is implemented in an effective way throughout the entity;
- monitoring the management team’s alignment with the entity’s values and behaviours; and
- making sure the management team are held accountable where there is a misalignment.
Refer to our blog for information on understanding what 'culture' means in practice and why it is so important.
Rewards and incentives
From ASIC's findings, the majority of the REs had mechanisms in place to review the conduct of directors and employees. However, when it came to documented measures to address rewards and incentives within an entity, less than half of REs had measures in place. ASIC recommended that REs should align rewards and incentives with the RE's values and the provision of remuneration rewards and incentives to employees should reinforce positive behaviours and not promote any unnecessarily risky behaviours.
ASIC found that under half of the REs had whistleblowing policies and procedures that address employees' rights to report any misconduct within an organisation, and that less than a third of REs had established or maintained specific whistleblowing measures. Those REs who did have whistleblowing policies and procedures in place had generally reviewed or approved them in the 12 months prior to surveillance. ASIC recommended REs implement appropriate whistleblowing practices to protect employees’ rights to express concerns about RE activities. As part of a successful whistleblowing program, REs must periodically review and train staff on whistleblowing practices.
Product Approval and Review
ASIC found that among REs there was a general lack of consumer-focused culture. ASIC found that board involvement in reviewing measures of product design and approval were very low, and that there were only three REs' boards that were involved in reviewing these measures. To improve this, ASIC suggested that product testing and approval needs to be carried out so that consumers are satisfied with the product, and to maintain the best interests and confidence of investors.
How CompliSpace can help
CompliSpace delivers industry specific web-based programs to manage your risk and compliance requirements that can be quickly tailored and configured to suit an organisation’s needs and are kept up to date with legal and regulatory changes by our team of specialists. CompliSpace also offers consulting services, to help financial service providers through their compliance and risk management requirements.
CompliSpace Assurance is a secure online governance, risk and compliance workflow management tool that integrates with CompliSpace Fundamentals. Assurance reduces the complexity of managing your legal and regulatory obligations and provides you with a platform for continuous improvement.
Our team of compliance professionals and lawyers combine extensive expertise alongside practical technology-enabled solutions to simplify the complexity of the financial services regulatory environment to allow clients to focus on allocating resources toward improving financial performance.
Please contact Brooke Benson to discuss your compliance and risk management requirements further.