Earlier this month, the Australian Securities and Investment Commission (ASIC) released its findings from its 2016 surveillance program covering responsible entities' compliance with their legal obligations.
Surveillance Program
ASIC's surveillance program covered 28 responsible entities, each of which were issued with a section 912E notice to provide ASIC with certain requested information. After reviewing this information, ASIC selected four responsible entities for high-intensity broad-based surveillance, focusing on a range of issues, including:
-
use of fund assets;
-
disclosure;
-
the adequacy of and compliance with governance, risk and compliance measures;
-
cyber resilience; and
-
AFSL conditions.
In light of the findings, ASIC required some responsible entities to take specific actions, such as issue revised supplementary disclosure, address the adequacy of their cyber resilience measures and amend and update compliance frameworks and risk management systems.
Shortfalls
ASIC identified a need for improvement in the following areas:
-
professional indemnity coverage;
-
managing conflicts of interest;
-
breach reporting;
-
custody;
-
dispute resolution;
-
risk management systems;
-
compliance;
-
cyber resilience;
-
values and behaviours;
-
rewards and incentives; and
-
whistleblowing.
ASIC Recommendations
In these identified areas, ASIC made the following recommendations:
Professional Indemnity Insurance
ASIC recommended that responsible entities should review their professional indemnity coverage to ensure they understand the various levels of coverage required by the industry and level of cover adequate for the nature, size and complexity of their business.
Conflicts of Interest
ASIC recommended that responsible entities should review and, where necessary, strengthen their conflicts management measures to meet the requirements set out in ASIC Regulatory Guide 181. It is ASIC's expectation that responsible entities be able to demonstrate that the management of conflicts of interests form an integral part of board responsibilities, being a standard agenda item of address at board meetings.
Breach Reporting
ASIC recommended that responsible entities should regularly review their breach reporting measures. During the surveillance program, responsible entities were asked to show reports for incidents recorded within the last 12 months before the surveillance. ASIC found that 19 of the 25 responsible entities identified compliance breaches or control failure incidents in the last 12 months before the surveillance and six identified 10 or more breaches and incidents.
Cyber Resilience
ASIC noted that cyber resilience is now widely regarded as one of the most significant concerns for the financial services industry. To address the growing threat of malicious cyber activity, ASIC recommended that responsible entities consider implementing or strengthening their existing cyber resilience framework and referred to ASIC Report 429, which contains ASIC's good practice framework and the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
Product Approval and Review
ASIC found that the majority of responsible entities did not consider whether their financial products meet or continue to meet the needs of the target investor market as part of their product approval and review measures. ASIC recommended that responsible entities should assess their product approval and review measures to ensure that they include this consideration and have a consumer-focused culture.
Dispute Resolution
ASIC recommended responsible entities review their internal dispute resolution measures against the requirements outlined in Regulatory Guide 165. ASIC also recommended reporting of measures taken to resolve disputes to 'top management', to improve accountability and ensure appropriate oversight of the responsible entity's dispute resolution process.
Values and Behaviours
ASIC recommend that responsible entity boards should influence the culture within the responsible entity to ensure that desired values and behaviours are given appropriate prominence, are implemented and monitored and that management is held accountable where there is a misalignment.
Rewards and Incentives
ASIC recommended that responsible entities should review and integrate incentive governance as part of their overall risk management and compliance measures to ensure the structure of rewards and incentives does not promote unnecessarily risky behaviours.
Whistleblowing
ASIC found that under half of the responsible entities surveyed maintained documented measures specific to whistleblowing. ASIC recommended that responsible entities implement appropriate whistleblowing measures to support an open and transparent culture and implement appropriate training for all staff.
Custody
ASIC recommended that responsible entities review and where necessary, update their custody measures to ensure they meet the requirements outlined in Regulatory Guide 133. ASIC noted that it is crucial that responsible entities have adequate measure to monitor and review the activities of external custodians.
Risk Management Systems
ASIC recommended responsible entities review and, if necessary, amend their risk management systems to take into account ASIC's guidance in Regulatory Guide 259. ASIC noted that the top three risks identified by responsible entities were operational risk, market risk and regulatory risk.
Compliance Measures
ASIC recommended responsible entities should actively monitor and amend their compliance measures to ensure they remain adequate and have been properly implemented. ASIC noted that they had a number of concerns about the quality of compliance plans in particular.
Next Steps
It is important for responsible entities to take note of ASIC's recommendations as set out in ASIC Report 528. The surveillance gives both ASIC and all responsible entities good insight into what the industry is doing well, where improvements can be made and hints at where we can expect greater regulatory focus from ASIC in the future.
