What is a good compliance culture?

Be warned that ASIC’s strategic plan for 2014-15 will focus on financial advisers and responsible entities operating managed investment schemes. If you are licensed to give financial advice or operate a managed investment scheme, you may be surprised by a surveillance visit from ASIC. Usually, the main aim of an ASIC surveillance visit is to assess the licensee’s compliance systems and compliance culture. The regulator believes that weak compliance systems or poor cultures may lead to adverse consequences for investors. If ASIC believes that a licensee does not meet their expectations, regulatory action may result. It follows that having a good, but reasonable, compliance culture is a sound investment and it is also an essential part of a sound risk management strategy.

What are the signs of a weak compliance system and poor compliance culture? One indicator is having inexperienced and/or junior compliance personnel who have little knowledge of how to comply or what the regulators require and who have little influence over the licensee’s compliance systems and related core activities. In some organisations, compliance staff are often saddled with a range of tasks which makes it difficult for them to focus on compliance. This type of environment points to an organisation which places a low priority on compliance and which, consequently, has a weak compliance system and a poor compliance culture.

ASIC expects a financial services licensee to have policies, processes and procedures to facilitate compliance with their legal obligations. Policies are high-level documents which set out the expectations of the licensee, i.e. policies say what the licensee wants to do, whereas the processes and procedures spell out how those policies are to be put into practice. It is important to have detailed, documented operational processes and procedures which are directly relevant to the licensee’s operations where the licensee is relatively large with more staff.

We have found that some licensees are given off-the-shelf, general compliance manuals by their compliance consultants or other service providers. They then have to sift through the abundance of material to ascertain what is pertinent to their operations, which poses difficulties especially when they are unfamiliar with the relevant regulatory requirements. In some cases this is all too hard and the compliance manual just sits on the shelf while the licensee continues on with the practices they have always used, which may, or may not, comply with licence conditions, ASIC policy or the law. Our view is that it is essential to monitor the efficacy of the policies, processes and procedures.

Larger organisations may decide that electronic systems are an effective means of monitoring compliance. We believe that it is a fundamental weakness to rely largely or solely on electronic systems for training and for compliance monitoring, because such systems cannot fully eliminate the human ability to interpret questions and information in a variety of ways. At best, the electronic systems with questionnaires can provide evidence that an organisation is trying to educate, train and monitor its staff. But there is a risk that the selection of multiple-choice answers to electronic questionnaires can provide only a superficial view of the state of compliance. Electronic systems may have their place, but they should be complemented by having person-to-person conversations and discussions to verify that staff and service providers understand their obligations and those of the licensee. Such understanding will better enable staff to carry out their duties and responsibilities.

ASIC expects licensees to be prompt in breach reporting and has previously complained that licensees have delayed in reporting actual or likely significant breaches beyond the statutory 10 business days. We have found that some licensees dislike reporting breaches, instead of viewing them as an opportunity to identify areas for improvement. In contrast, there are other licensees who report on operating events which their compliance personnel then classify as significant breaches, breaches or neither. A good compliance culture would support the identification of actions which are inconsistent with company policies and documented procedures, in addition to matters which are breaches of the regulatory requirements. This would enable a company to enhance its operations by improving documented policies, processes and procedures and ensuring that staff receive training on those changes.

Much has been written about the competencies of responsible managers and representatives of a licensee, but little has been said about the skills and competencies of compliance personnel. We do not believe that it is necessary for a person to have a specific type of background to be a compliance person, although it might be helpful to have a business or legal background. Common sense, an inquiring mind, empathy, sound judgement and an ability to communicate well at all levels are important, as is the ability to understand regulatory requirements and the ways of the regulators. A good sense of humour also helps.

In addition, it can benefit a licensee to have an external party periodically review its compliance systems and processes. An external party is less likely to be captured by internal practices and hierarchies and is likely to be more objective. In addition, the external party can supplement the knowledge and experience of internal compliance personnel.

Fund managers offering managed investment schemes to retail investors are required to have a compliance committee with a majority of external members if they do not have boards with at least an equal number of external directors. Where a compliance committee meets only four times a year – a common practice for compliance committees as this seems to be an unspoken ASIC expectation – the compliance committee may be of minimal benefit because the external members have little knowledge of the organisation and its products and services.

In our experience, the better compliance committees meet more often, spend time reviewing the licensee’s compliance practices to gain a better understanding of the state of compliance and ask probing questions. Better compliance committee members are knowledgeable about regulatory requirements so that they can also provide guidance and assess the adequacy and suitability of compliance plans.

Lastly, whether or not an organisation has a good compliance culture is largely driven by the board of directors who basically face an ongoing conflict of interest in balancing the desire to lower costs with complying with regulatory requirements. While keeping costs under control is important, a licensee cannot afford to cut corners and take the risk that ASIC will not be sufficiently resourced to take regulatory action. At worst, a licensee can lose its licence, face fines and banning orders against personnel who engaged in wrongdoing and have its reputation and that of its board of directors forever tarred. Personnel who engage in criminal activities can also be jailed.

It’s far better to implement a good compliance culture which supports good, ethical work practices and to operate ‘efficiently, honestly and fairly’.