Lessons learned from Report 515

Laura Sullivan and Grant Holley compile seven lessons that will ensure financial firms comply with financial services laws.

Does your firm:

Act professionally, avoid conflicts of interest and treat customers fairly?

Deliver strategic financial advice that is aligned with customers’ needs and preferences; and

VIEW ALL

View all

Ensure that customers are fully compensated when loss or detriment results from poor conduct? 

These are the elements that the Australian Securities and Investments Commission (ASIC) deems necessary to promote investor and consumer trust and confidence and market integrity in the financial advice industry. 

Perhaps your firm does all of the above. However, ASIC’s review of five of Australia’s largest banking and financial institutions between 1 January 2009 and 30 June 2015 showed many instances of the above elements not being met. The review resulted in serious compliance concerns of about 185 advisers and ultimately, a total of $30 million in compensation to approximately 1,347 customers. 

In July 2015, ASIC commenced a project to review how effectively these large financial services institutions were overseeing their financial advisers. In March 2017, ASIC released Report 515 which outlines its observations and findings from the project. 

The report sets out ASIC’s expectations around compliance in areas such as breach reporting, adviser file audits, supervision and monitoring through data analytics, background checks, remediation and culture in financial advice business. 

It is ASIC’s aim that the report will assist the financial advice industry as a whole to raise its standards and reduce the risk of current customers receiving non-compliant advice in the future. 

So, if you have any doubts that your firm is not doing all of the above or if you simply want to strive to achieve even higher standards, read on. There are always lessons to be learned. 

Lesson 1: Check who you are on-boarding 

The Corporations Act requires advice licensees to implement adequate monitoring and supervision processes to provide financial services efficiently, honestly and fairly, and to ensure their representatives provide financial services that comply with the financial services laws.

One of the elements that ASIC considers to be integral to an effective monitoring and supervision framework is a firm’s background and reference-checking process. 

As part of the project, ASIC used its compulsory notice powers to direct licensees to provide information about their background and reference-checking processes. ASIC observed that, most often the deficiencies related to the extent to which the former licensees followed the guidance in Standards Australia’s handbook on the provision of information to a recruiting licensee. 

In particular, ASIC found that there was widespread failure by former licensees to respond adequately to requests for information about an adviser’s compliance history and previous audit reports. 

This was often due to concerns about e.g. (potential breaches of the privacy legislation, perceptions that a defamation action may be pursued by the adviser and procedural fairness in circumstances where the adviser had resigned before investigations into their conduct had been completed). ASIC also observed instances of recruiting licensees failing to make appropriate further inquiries where information was provided and concerns were raised. 

What you can do 

When recruiting advisers, ensure that you obtain the adviser’s compliance history from an appropriately qualified and authorised person within the former licensee. You should also review Appendix 2 of the report which contains a checklist of issues for advice licensees toconsider when conducting background checks on advisers. ASIC also encourages licensees to subscribe to the Australian Bankers’ Association’s protocol on reference checking. 

Lesson 2: Develop Key Risk Indicators 

ASIC observed that the institutions have been developing increasingly sophisticated key risk indicators (KRIs) using data analytics to identify high-risk advisers as part of their monitoring and supervision processes. 

ASIC considers this method to be a useful and efficient method to improve the identification of high risk advisers and non-compliant advice and expects that KRIs developed using data analytics will be subject to continuous review and improvement as new industry and product risks emerge. 

What you can do

Review Appendix 4 of the report which provides a list of possible KRIs for advice licensees to consider when developing and implementing their review and monitoring programs. Appendix 4 also provides a list of issues that licensees should consider before adopting KRIs.

For example, in developing KRIs, a licensee should consider the nature, scale and complexity of the particular advice business. 

Lesson 3: Maintain proper records 

As part of the review, ASIC asked the institutions whether they retained a full copy of the customer file at the time it was audited (point-in-time copy). ASIC considers retaining a point-in-time copy of the customer file to be an important part of an advice licensee’s audit process because the file forms the source documentation for any subsequent audit of the licensee’s control testing environment. 

If a point-in-time copy of the customer file is not retained, ASIC considers that the licensee’s ability to test the effectiveness of the adviser audit process itself is likely to be impeded. ASIC also expects all relevant information to be contained in the file and expects to see positive evidence that the adviser has discharged its obligations. 

ASIC considers the practice of amending a customer file to make it compliant is undesirable because it is inconsistent with the obligation for the adviser to maintain records to demonstrate they have complied with the best interests duty and related obligations. 

What you can do 

Make file notes at the same time as the events that they record. If you do amend a customer’s file, consult with the customer first and keep a point-in-time copy of the file at the time of an audit.

Lesson 4: Consider these factors when auditing advisers

ASIC reviewed a sample of files that had been subject to the licensee’s “business as usual” audit. ASIC observed a wide variety of adviser audit processes – sometimes even between licensees within the same institution. 

Overall, ASIC’s review showed that there were deficiencies in the effectiveness of the licensee’s audit processes. ASIC found that the audit process was effective in only 18 per cent of files reviewed – that is, the findings by the licensees’ auditors aligned with ASIC’s own file review. 

ASIC observed that the auditor often failed to identify advisers who had not:

• Demonstrated compliance with the best interests duty or satisfied the safe harbour steps; 
• Provided advice that was appropriate for the customer; and 
• Prioritised the customer’s interests over those of the adviser or related parties.

ASIC also observed that auditors commonly assessed advisers as demonstrating compliance with the best interests’ duty and related obligations, despite the customer file containing incomplete documentation. 

What you can do

Review Appendix 3 of the report which contains a checklist which sets out the factors for advice licensees and compliance consultants to consider when auditing advisers to determine whether they have demonstrated compliance with the best interests duty and related obligations when providing personal advice.

Lesson 5: Report breaches in a timely manner

ASIC directed that each institution identify the advisers about whom they had compliance concerns. As part of the project the institutions notified ASIC of 149 advisers however out of this number, 73 advisers had not been the subject of a breach report or other notifications to ASIC. Where breach reports were provided, they were often late. 

Not every instance of adviser non-compliance will trigger the need to lodge a breach report with ASIC. However, when adviser non-compliance is identified, and results in a significant breach or likely breach of the licensee’s obligations, it must be reported to ASIC in a timely manner. ASIC is concerned that any delay may affect the breach report to ASIC and increase the risk of customer loss or detriment. 

What you can do

Establish a healthy breach reporting environment. In a healthy compliance culture, you’ll find lots of breaches that have been identified and handled properly. If you identify a breach and that breach is ‘significant’ according to the test in s912D of the Corporations Act, you need to report it to ASIC as soon as practicable, and no later than 10 business days, after the licensee becomes aware of the breach, or likely breach. 

Also keep in mind that ASIC’s Enforcement Review Task Force is currently reviewing breach reporting requirements generally, with a view to appropriate regulatory reform being considered.

Lesson 6: Communicate clearly about remediation

ASIC engaged with each of the institutions to oversee the development and implementation of a customer review and remediation framework consistent with the principles in RG 256 client review and remediation conducted by advice licensees. 

Since July 2015, ASIC held regular meetings with each of the institutions to oversee the development and implementation of their review and remediation framework and provide feedback. During this phase of the project ASIC consistently found that there was room for improvement in the quality of the communications with customers. 

Common areas in which ASIC required improvement included being clear about the purpose of the communication and setting out clearly the steps the customer can take to assist the progress of their remediation assessment. 

What you can do

Consider developing a customer information brochure to be sent with the initial customer communication. ASIC has been encouraging each of the reviewed institution to develop this as part of their finalised customer communication documents.

Lesson 7: Culture is key

Finally, ASIC is concerned about culture because it is a key driver of conduct within the Australian financial services (AFS) licensees it regulates. It is an issue that ASIC has highlighted for the financial services industry in general, and not just for large banking and financial services institutions. 

Where there are systemic failures in an organisation, the culture of that organisation is very likely to have been a contributing factor. This is because ASIC sees culture as a driver of conduct. 

All of the institutions reviewed publicly stated that their core values included being customer focused, ‘doing what is right’ for customers, and acting with integrity. ASIC however found that despite these stated values, cultural factors in the institutions contributed to the failures it observed. 

ASIC recognises that there is no single measure or action that will raise standards and improve culture across the financial advice industry. Rather, it is the combination of broad industry reforms as well as the work within advice firms that will improve consumer trust and confidence. 

What you can do

A key starting point for a good compliance culture is developing your firm’s values, and ensuring that these are implemented in practice. Decisions about an organisation’s values begin at the top. Leaders need to ensure that firm values are understood throughout the organisation, and are “lived” by employees as part of their day-to day-roles.

Next steps

It is likely that ASIC will in future refer back to this report when engaging with licensed advisers, with a view to identifying the extent to which advisers have taken on board the key messages ASIC has sought to deliver. 

So, make sure that you are prepared by reading the report and using the checklists and guidance to develop and improve your processes. If you have any doubts as to whether your compliance processes are adequate, seek legal advice.