All Australian Financial Service Licence (AFSL) and Australian Credit Licence (ACL) holders have certain responsibilities. These obligations are listed under section 912A of the Corporations Act, as enforced by the Australian Securities and Investments Commission (ASIC).

Generally speaking, you must:

  • Demonstrate compliance with these obligations.
  • Ensure you have adequate financial, technical and human resources to perform your duties.
  • Carry out supervisory arrangements.

It may seem easy enough to comply with these general obligations — but as our very own Amanda Mark explains, there’s more to the story. Here are a few of her top tips for understanding and navigating annual compliance reviews.

The importance of annual compliance reviews

‘In recent months, we’ve seen many firms with compliance failures being named and penalised,’ says Mark. ‘Sometimes this involves independent experts being appointed to review compliance arrangements and make remediation recommendations.’ She adds that, in some cases, ASIC has even cancelled or suspended a firm’s licence for compliance failures.

According to Mark, such licence conditions can ‘damage a firm’s reputation, impact client trust and cost a fortune to remediate.’ Fortunately, there is a solution that may prevent these adverse outcomes: an annual compliance review.

‘These reviews look at a firm’s arrangements for compliance with their general obligations and make recommendations for improvement if necessary,’ says Mark. The process generally involves:

  • Reviewing policies.
  • Analysing relevant supporting documentation.
  • Sample testing processes.
  • Interviewing key staff.

This all culminates in a report or road map that helps ‘improve compliance and ensure that supervisory arrangements fit the nature, scale and complexity of the business.’ 

 

Amanda’s Tips for your next compliance review

Compliance reviews can take different forms. In her years of experience, Mark has identified common themes — and some, she says, are particularly relevant for all of today’s licence holders:

Catching passé policies

Some policies — particularly around new products, regulations and systems — can introduce risk if they don’t keep pace with regulatory or business changes. 

Amanda’s Tip: Add an agenda item to your compliance meeting: ‘policy impact.’ Do any of the new business, system or regulatory changes require a policy update?

 

Creating beautiful policies/procedures

Policies and procedures can look amazing — but do they capture the actual processes? Does the policy match your risk appetite? Do you need a 32-page policy on staff trading when you don’t do underwriting, don’t handle material non-public information, don’t provide research and don’t execute or settle trades?

Amanda’s Tip: Think about the nature, scale and complexity of your business to determine whether your policy is fit for purpose. 

 

Analysing compliance committee reports

When you compile compliance reports, it’s important to consider thematic and systemic issues. For example, ensure that all incidents are captured, reported and escalated — that way, you can identify the root cause.

Amanda’s Tip: Look for themes. If you have human errors, consider training or process improvements; if you have system errors, implement a relevant fix.

 

Establishing adequate resourcing

Firms need to periodically assess their resourcing, particularly during times of growth and rapid hiring. Monitor key elements on an ongoing basis, including risk management, capital, tech systems, resourcing for supervisory obligations and more.

Amanda’s Tip: Boards must consider the adequacy of their resources at every board meeting. Include the comments in the minutes.

 

Managing conflicts of interest

Conflicts can arise for employees/representatives and in the business itself. To manage these conflicts, consider the activities you’re involved in. Consider the scope of opportunity for misconduct and what you’re doing to mitigate risks. Remember to manage individual conflicts based on a person’s role and the information they have access to.

Amanda’s Tip: If your mitigation strategy is restricted access, then make sure access really is restricted. If you’re wall-crossing employees/representatives, make sure you include the date/time the restriction is put in place and removed. 

 

Timeliness of notifications to regulators

Often, firms fail to notify regulators within the required timeframes when changes have occurred. This includes everything from resignations to moving premises.

Amanda’s Tip: Know what changes need to be notified to whom and by when.

 

Classifying wholesale or retail clients

Develop a process to identify wholesale and retail clients. Always record necessary information — and if a wholesale certificate expires, stop providing services.

Amanda’s Tip: If a wholesale certificate expires, develop a process to move the client to ‘retail’ and stop providing wholesale services.

 

Making supervisory arrangements

Consider what supervisory arrangements are appropriate for the nature, scale and complexity of your business — and then document them. Many firms perform supervisory activities but don’t capture the tasks, frequency or results.

Amanda’s Tip: Consider which current processes can be adjusted to capture new supervisory activities:

  • Sending emails and saving those emails in a folder for easy retrieval.
  • Checking access logs monthly via a report for restricted areas.
  • Documenting a conversation around an incident or a conflict of interest.

 

Retaining documents

Establish a process for storing and naming files. Keep in mind that documents stored in desk drawers or on private computers make it very challenging to demonstrate compliance. 

Amanda’s Tip: Consistent file management minimises security risks, helping ensure documents can be retained and deleted at the appropriate time. 

 

Looking for more tips for your annual compliance review? Need help managing regulatory change and keeping up with ASIC requirements? Schedule a meeting with Amanda today. 
