Extract from submission on the Interim Report by the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry:
The Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (the Commission) issued an Interim Report dated 28th September 2018 (the Interim Report). In the Interim Report the Commission expresses a view that, by and large, the current situation in the financial services industry has not come about due to a regulatory deficiency and that “much more often than not, the conduct now condemned was contrary to law”. We agree with this view. Notwithstanding the subsequent restatement of issues contained in Section 8 of Chapter 10 of the Interim Report, we believe that this observation regarding the prevalence of conduct contrary to existing law goes to the heart of the matter at hand, i.e. there has been an industry-wide failure to adequately manage regulatory risk. And yet, as per Chapter 10 of the Interim Report, the management of compliance risk (i.e. regulatory risk) is not specifically regarded as an issue (Section 8.1) or a possible cause (Section 8.2) and is presented as only one of several possible responses (Section 8.3).
We believe the Commission should place greater emphasis on understanding the role ineffective compliance oversight played in allowing the current culture to develop. This is because effective compliance oversight will be crucial to ensuring future financial services industry activities are consistent with regulatory expectation and community standards. Identifying and fixing the problems with the existing compliance functions will be an important part of fixing the problems within the financial services industry.
In financial services entities, it is the compliance function, in its role as subject matter expert and second line risk control function, that is responsible for activities such as:
- interpreting and advising on the application of relevant regulations relating to conduct and the treatment of clients,
- designing policies and procedures to give effect to regulatory requirements,
- designing and overseeing the delivery of relevant compliance/regulatory training, and
- generating compliance assurance data for senior management by monitoring the entity’s compliance with policies and procedures.
We believe that much of the evidence presented to the Commission, including:
- the failures to report breaches,
- the failure to act in the best interests of the client,
- the failure to resolve conflicts of interest,
- the poor remuneration arrangements for sales teams and intermediaries,
- the poorly resourced compliance monitoring teams, and
- the lack of training and awareness of regulatory risk control procedures,
are exactly the types of events that one would expect to see in institutions where effective regulatory compliance oversight is lacking. The Interim Report says as much when it observes that “the evidence led in the first round of hearings pointed towards:
- the entities concerned preferring profit to pursuit of any other purpose; and
- the entities treating regulatory compliance as a cost of doing business rather as a foundation that informs and underpins how the business must be conducted.”
Currently, the term “compliance risk” is mentioned only three times in the Interim Report and “regulatory risk” only once. This lack of focus on the failure of a key component in the management of regulatory risk is curious given that the Interim Report identifies a similar deficiency in APRA’s Prudential Practice Guide PPG511 (30th November 2009). We note the Commission makes no comment on how APRA’s Prudential Practice Guide CPG220 (April 2018) addresses compliance risk (via the compliance function) as a relatively minor subset of a wider risk framework.
Compliance teams face unique challenges in industries regulated by a principles-based regime. In these situations, in the absence of clear direction from regulatory authorities, a tension is created between those who advocate for regulatory prudence and those who (with the best of intentions) wish to adopt a less onerous and more profitable interpretation of the regulations. To be effective, the compliance staff must have sufficient standing within the institution to properly advise senior business management on the application of the regulations and to overrule senior business management where this is necessary to ensure the institution complies with the spirit and letter of the regulatory requirements.
At present none of the CBA, ANZ, Westpac and NAB has the compliance function as a named responsibility at the senior management committee level. The management agenda has evidently not benefited from the presence of a dedicated spokesperson on compliance and regulatory risk. Instead, the compliance function is typically represented as part of the risk function where it is grouped together with risks such as credit and market risk. Inherent in the management of these other risk types is a pricing calculus involving a risk-reward trade-off. Such a risk-reward approach is anathema to regulatory compliance where compliance is expected in both the letter and spirit of the regulation, even if this is to the financial detriment of the institution.
We believe therefore that the compliance function in financial services entities should not be aligned with the risk function but should instead report directly to the CEO and participate as a named function in senior management committees.
We believe the Commission should be placing greater emphasis on the evidently ineffective compliance functions within financial services entities beyond simply asking ‘how should entities conduct and manage compliance risk’. We believe the Commission should be asking questions such as: why were the compliance functions so ineffective; were they excluded from the discussions; were they involved but offered poor advice; or were they overruled and ignored? In any event, evidently, sound compliance advice was either lacking or not given the weight it should have been. To avoid a recurrence, in addition to any likely changes to penalties and regulations, the quality of the internal compliance risk discussions and decision making needs to improve. This will only happen when the compliance functions, as the subject matter experts, have the necessary expertise and standing within the entity and within the financial services industry as a whole, to carry the argument against those advocating for poor regulatory decisions.
Accordingly, we recommend that for the next round of hearings, and in consideration of those provisions of the Commission’s Letters Patent that relate to the internal systems, culture and practices of financial services entities (specifically items (d)(i) and (d)(ii), item (f)(ii) and item (h)(ii)), the Commission consider in detail how the existing role and mandate of compliance functions in financial services entities might be enhanced to promote and ensure a culture of regulatory compliance.