
May 13, 2013

Chief Risk Officer requirement for ADIs and insurers

APRA has released for consultation a proposed cross-industry prudential standard to harmonise and consolidate its risk management requirements for ADIs and insurers: Prudential Standard CPS 220 Risk Management (CPS 220).

The proposed CPS 220 will replace the existing industry-specific risk management standards for general insurers and life insurers, and will include the risk management requirements for ADIs that are currently spread across a number of ADI prudential standards.

CPS 220 will not apply to the superannuation industry. Instead, RSE licensees must comply with the superannuation-specific risk management prudential standard due to commence on 1 July 2013.

The most important changes contained in CPS 220 are the requirements for:

  • a Chief Risk Officer (CRO) who is independent from business lines, the finance function and other revenue-generating capabilities. The CRO must not be the Chief Executive Officer, the Chief Financial Officer, Appointed Actuary or Head of Internal Audit; and
  • the establishment of a separate Board Risk Committee that provides objective non-executive oversight of the implementation and on-going operation of the institution’s risk management framework. The Committee must be chaired by an independent director who is not the chair of the Board. The chair of the Board Audit Committee may also chair the Board Risk Committee.

APRA is proposing that the Board Risk Committee must operate under a charter separate from that of the Board Audit Committee, although APRA’s composition requirements will not prohibit the same people sitting on both committees.

The Board Risk Committee is required to provide prior endorsement for the appointment or removal of the CRO. If the CRO is removed from their position, the reasons for removal must be discussed with APRA as soon as practicable, and no more than 10 business days, after the Committee’s endorsement is agreed upon.

The Board Risk Committee must invite the CRO to attend all relevant sections of meetings of the Committee.

APRA proposes that the chair of the Board and the chair of the Board Risk Committee make an annual attestation as to the adequacy and effectiveness of the institution’s risk management framework.

Prudential Standard CPS 510 Governance will also be changed to require the Board Audit Committee to provide prior endorsement for the appointment or removal of the APRA-regulated institution’s auditor and Head of Internal Audit. If the auditor or Head of Internal Audit is removed from their position, the reasons for removal must be discussed with APRA as soon as practicable, and no more than 10 business days, after the Committee’s endorsement is agreed upon.

APRA expects to finalise the proposed CPS 220, updated CPS 510 and a prudential practice guide prior to their implementation date of 1 January 2014.


Posted 13th May 2013 by David Jacobson in Financial Services, Insurance, Risk Management, Superannuation

Privacy law reforms: what you need to do

As the 12 March 2014 commencement date for the Privacy Act amendments approaches it is important for every business (unless they are a “small business”) to put a privacy review project in place.

What do you need to do?

  • Review your policies, notices and consents
  • Adopt a timetable which allows for printing and IT changes

You will need to change your privacy policy to:

  • include details of how a person can seek access to their personal information and correction of the information;
  • explain how a person can complain about a breach of the APPs and how you will deal with privacy complaints;
  • specify if you are likely to disclose personal information to recipients overseas and, if so, the countries in which such recipients are likely to be located; and
  • remove references to “NPPs”.

You will need to provide more information to individuals when you collect their personal information:

  • if you are likely to disclose their personal information to recipients overseas and, if so, the countries in which such recipients are likely to be located;
  • that your privacy policy includes details of how to seek access to their personal information and correction of the information; and
  • that your privacy policy includes details of how to complain about a breach of the APPs and how you will deal with privacy complaints.

You will also need to implement a privacy compliance program that:

  • ensures your organisation complies with the APPs;
  • enables your organisation to deal with inquiries or complaints about compliance with the APPs; and
  • establishes procedures to identify and manage privacy risks and compliance issues.

Change your direct marketing practices for materials sent in hard copy and via social media so that there is a mechanism allowing individuals to “opt out” of further direct marketing:

  • include a statement that a request to “opt out” can be made;
  • obtain an individual’s consent before using their sensitive information for direct marketing; and
  • maintain details of the source of the personal information you use for direct marketing.

Review your current arrangements for offshore data storage or processing:

  • Draft new standard offshore outsourcing terms
  • Review storage and security
  • Train your staff

Credit: review your commercial and consumer credit applications and credit check and default reporting procedures.

The OAIC has not yet authorised a Credit Reporting Code of Conduct.

The OAIC has published an APP Checklist.


Posted 13th May 2013 by David Jacobson in Privacy, Risk Management

Data risk and privacy

The OAIC’s comments on APRA’s draft Prudential Practice Guide PPG 235 Managing Data Risk are a useful guide to analysing an organisation’s data security procedures from a privacy perspective:

  • does the procedure concern the collection, disclosure, use and storage of “personal information” (as defined in the Privacy Act)?
  • does “confidentiality” include “privacy”?
  • are the obligations regarding the handling of personal information set out in the Privacy Act (including the Privacy Principles) considered?

NPP 1 (which will be replaced by APP 3, dealing with the collection of solicited personal information, and APP 5, dealing with notification of collection) requires that:

  • personal information may only be collected where necessary for a function or activity of the organisation
  • collection must not be by unfair or unlawful means, and
  • reasonable steps must be taken to provide the individual to whom the information relates with notice of specified matters, including the identity of the organisation collecting the information, the purpose of the collection, and the contact details of the organisation.

NPP 2 (which will be replaced by APP 6) provides that personal information may only be used or disclosed for the purpose for which it was collected (the ‘primary purpose’), unless a specified exception applies. This requires an organisation to have a clearly defined purpose for the initial collection of personal information, which is also consistent with the requirements of NPP 1.

NPP 4 (which will be replaced by APP 11) relates to data security and requires organisations to take ‘reasonable steps’ to protect the personal information that they hold from misuse or loss and from unauthorised access, use, modification or disclosure.

The OAIC is currently developing guidance on the reasonable steps with respect to information security that organisations are required to take under the Privacy Act.

The OAIC has also published a voluntary Data Breach Notification Guide which outlines steps that organisations should consider in preparing for and responding to information security breaches, including notifying affected individuals. The Government is considering mandatory data breach notification provisions.

NPP 9, which relates to trans-border data flows, currently provides that organisations cannot avoid their Privacy Act obligations by sending personal information offshore.

NPP 9 generally prohibits an organisation from disclosing personal information to someone in a foreign country who is not subject to a comparable information privacy scheme, unless the individual has consented.

NPP 9 will be replaced by APP 8 which deals with cross-border disclosures of personal information: this principle will not prohibit cross-border disclosures of personal information but organisations will be accountable for any disclosure of personal information outside Australia, unless one of a number of exceptions applies. Before any actual cross border disclosure of personal information occurs, an organisation must have put into place appropriate arrangements in relation to the information.

The Tax File Number Guidelines 2011 (TFN Guidelines) issued under the Privacy Act regulate the collection, storage, use, disclosure, security and disposal of individuals’ TFN information.

Guideline 6 of the TFN Guidelines states that TFN recipients must take ‘reasonable steps’ to safeguard TFN information. This includes protecting TFN information from misuse and loss, and from unauthorised access, use, modification or disclosure, and ensuring that access to records containing TFN information is restricted to individuals who need to handle that information for legal purposes.

Part IIIA of the Privacy Act governs the handling of credit information files, credit reports and other credit worthiness information about individuals by credit reporting agencies and credit providers. CRAs and credit providers must also ensure that credit information files and credit reports are subject to security safeguards as are ‘reasonable in the circumstances’.

The OAIC suggests that the Draft APRA Practice Guide also refer to de-identification as a tool for managing data risks.


Posted 13th May 2013 by David Jacobson in Financial Services, Privacy, Risk Management, Web/Tech

April 16, 2013

De-identification of personal information held by businesses

The Office of the Australian Information Commissioner (OAIC) is seeking comment on Privacy Business Resource 2 — De-identification of data and information which will provide guidance to businesses and researchers about why, when and how to de-identify personal data and information held by a business.

Organisations are required under National Privacy Principle (NPP) 4 to take reasonable steps to destroy or permanently de-identify personal information that is no longer needed for any purpose for which the information may be used or disclosed under NPP 2. From 12 March 2014 the NPPs will be replaced by the Australian Privacy Principles (APPs), which include new de-identification obligations in APPs 4 and 11. New de-identification obligations for credit reporting bodies will also apply from this date.

As a general rule an information asset that does not need to include personal identifiers should be de-identified.

De-identifying information in an information asset may enable the business or researcher to share or publish it without compromising individual privacy.

Before releasing information or data, organisations and researchers should confirm whether de-identification has been successful by using two suggested tests:

  • Apply the ‘motivated intruder’ test — this test considers whether a reasonably competent, motivated person with no specialist skills would be able to identify an individual from the data or information (the specific motivation of the intruder is not relevant). It assumes that the motivated intruder would have access to resources such as the internet and all public documents, and would make reasonable enquiries to gain more information.
  • Look at re-identification ‘in the round’ — that is, assess whether any agency, organisation or member of the public could identify any individual from the data or information being released, either in itself or in combination with other available information or data.
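As an added illustration (not part of the OAIC resource or the original post), the script below runs a crude version of the ‘motivated intruder’ test. The released table and the ‘public’ list the intruder links against are both constructed for this example; the quasi-identifier columns (postcode, birth year, sex) and the generalisation rule are assumptions, not anything the OAIC prescribes. A record is counted as re-identified when its quasi-identifier combination is unique in the release and matches exactly one person in the public list.

```python
"""
Added example: linkage-based re-identification check on a 'de-identified'
dataset, plus the k-anonymity of the release before and after generalising
the quasi-identifiers. All data below is constructed for the example.
"""
from collections import Counter, defaultdict

# Assumed quasi-identifiers: columns that survive de-identification and
# are also findable in public sources.
QUASI = ("postcode", "birth_year", "sex")

# Constructed release: names removed, quasi-identifiers left intact.
RELEASED = [
    {"postcode": "2000", "birth_year": 1975, "sex": "F", "diagnosis": "asthma"},
    {"postcode": "2000", "birth_year": 1975, "sex": "F", "diagnosis": "diabetes"},
    {"postcode": "3000", "birth_year": 1982, "sex": "M", "diagnosis": "hypertension"},
    {"postcode": "4000", "birth_year": 1990, "sex": "M", "diagnosis": "asthma"},
    {"postcode": "4000", "birth_year": 1990, "sex": "M", "diagnosis": "migraine"},
    {"postcode": "3001", "birth_year": 1982, "sex": "M", "diagnosis": "depression"},
]

# Constructed stand-in for what a motivated intruder can find online
# (directories, social media, published lists).
PUBLIC = [
    {"name": "A. Citizen", "postcode": "2000", "birth_year": 1975, "sex": "F"},
    {"name": "B. Citizen", "postcode": "2000", "birth_year": 1975, "sex": "F"},
    {"name": "C. Citizen", "postcode": "3000", "birth_year": 1982, "sex": "M"},
    {"name": "D. Citizen", "postcode": "4000", "birth_year": 1990, "sex": "M"},
    {"name": "E. Citizen", "postcode": "3001", "birth_year": 1982, "sex": "M"},
    {"name": "F. Citizen", "postcode": "3001", "birth_year": 1982, "sex": "M"},
]


def key_of(record, quasi=QUASI):
    """Quasi-identifier tuple used both for grouping and for linkage."""
    return tuple(record[q] for q in quasi)


def equivalence_classes(records, quasi=QUASI):
    """Count how many released records share each quasi-identifier tuple."""
    return Counter(key_of(r, quasi) for r in records)


def k_anonymity(records, quasi=QUASI):
    """Size of the smallest equivalence class; k == 1 means a unique record exists."""
    return min(equivalence_classes(records, quasi).values())


def link(released, public, quasi=QUASI):
    """Intruder step: return (name, record) pairs that are unambiguously linked.

    A link counts only when the record is unique in the release AND exactly
    one public person carries the same quasi-identifiers.
    """
    people_by_key = defaultdict(list)
    for p in public:
        people_by_key[key_of(p, quasi)].append(p["name"])
    classes = equivalence_classes(released, quasi)
    hits = []
    for r in released:
        k = key_of(r, quasi)
        names = people_by_key.get(k, [])
        if classes[k] == 1 and len(names) == 1:
            hits.append((names[0], r))
    return hits


def generalise(records):
    """One assumed treatment: keep only the first two postcode digits and
    bucket birth year to the decade. Applied to both sides so the linkage
    is attempted on the same granularity the intruder would see."""
    out = []
    for r in records:
        g = dict(r)
        g["postcode"] = r["postcode"][:2] + "**"
        g["birth_year"] = (r["birth_year"] // 10) * 10
        out.append(g)
    return out


if __name__ == "__main__":
    print("k before:", k_anonymity(RELEASED))
    for name, rec in link(RELEASED, PUBLIC):
        print("re-identified:", name, "->", rec["diagnosis"])
    treated = generalise(RELEASED)
    print("k after:", k_anonymity(treated))
    print("links after:", link(treated, generalise(PUBLIC)))
```

On the constructed data the raw release has k = 1 and the intruder links one record to a named person; after generalising every class has at least two members and no unambiguous link remains. This is only the first of the two tests: assessing re-identification ‘in the round’ also means asking whether a class of two whose sensitive values happen to coincide, or a second public dataset with different columns, would still single someone out.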


Posted 16th April 2013 by David Jacobson in Privacy, Risk Management

Bank IT operational risk and regulatory compliance

Information technology research and advisory company Gartner has published a report “Banks That Are ‘Too Big to Fail’ Are Also Too Big to Succeed.”

Gartner cites higher levels of regulatory compliance, increased investment in risk management and technology advancements as stress points.

The report concludes that increased size and operational complexity as banks change focus from agility in response to external conditions to risk control creates performance drags by accelerating demand and complexity.

It says there is a “law of diminishing IT returns” under which any technological progress that increases the efficiency with which a resource is used tends to increase (rather than decrease) the rate of consumption of that resource. The paradox is that increased efficiency leads to increased demand.

As demand continues to rise, Gartner says the critical factor is not the number of devices, but rather the number of digital services offered via the Internet. These in turn, will continue to mean that efficiency gains in supply are overwhelmed by consumption.

For all financial service providers, new technologies, customer expectations and market conditions require closer attention to IT governance to maintain continuity of customer services.



Posted 16th April 2013 by David Jacobson in Financial Services, Risk Management, Web/Tech

April 10, 2013

ASIC argues the benefits of co-operation

ASIC has released Information Sheet 172 Cooperating with ASIC (INFO 172) explaining the benefits of co-operating with ASIC investigations and the factors ASIC takes into account when assessing co-operation.

ASIC says that co-operating with it may benefit a person or company in many ways including the type of enforcement action it pursues and whether ASIC will give credit for cooperation in proceedings it commences.

There is no doubt a good working relationship between businesses and ASIC is of benefit to both sides. Although ASIC has a significant budget it does not have unlimited resources.

Co-operation and communication with ASIC can be difficult in a national or international business involving multiple groups, where there may not be a single point of contact for all regulatory issues.

Who is responsible for ASIC requests for information or unscheduled visits?

Businesses need to develop a policy on these issues as part of their compliance framework.

Of course businesses may have a valid different interpretation of the law from ASIC. But often those disputes can be resolved on a practical co-operative basis without waiving important rights.

INFO 172 follows releases on ASIC’s information gathering powers (refer 11-194AD), public comment and enforceable undertakings (refer 12-29MR), surveillance work (refer 12-224MR), and claims of legal professional privilege (refer 12-314MR).

ASIC’s enforcement report for the period 1 July 2012 to 31 December 2012 summarises ASIC’s actions against a range of gatekeepers in the Australian financial system, such as credit licensees, insurance representatives, financial advisers, auditors and directors. ASIC focuses on four key attributes of gatekeepers: competence, diligence, honesty and independence.

During the period, 44 of the 88 enforcement outcomes in the market integrity, corporate governance and financial services areas involved cooperation between the person concerned and ASIC.


Posted 10th April 2013 by David Jacobson in Compliance, Corporations Act, Risk Management

March 28, 2013

Conduct risk: UK identifies product design and culture as solution to consumer protection

Is the well-being of your customers at the heart of how you run your business?

The new UK Financial Conduct Authority will look at the whole lifespan of a financial services product, from the boardroom decisions and the way products are developed through to the point of sale, rather than just point-of-sale disclosure, in an effort to improve consumer protection.

The Financial Conduct Authority which commences operations on 1 April 2013 will be responsible for regulation of conduct in retail and wholesale financial markets and the infrastructure that supports those markets. Its role is, amongst other things, to intervene earlier to tackle potential risks to consumers and market integrity before they crystallise.

Explaining the FCA’s goals the FCA Chief Executive said:

“there are two sides to the risk equation – consumer detriment arising from the wrong products ending up in the wrong hands, and the detriment to society of people not being able to get access to the right products….

Our approach to risk will enable us to become more proactive and intervene earlier, focusing on the sources of detriment such as product design, governance and incentives….

Poor incentive structures that reward high-risk, short term strategies are a clear indicator of a culture where the customer is not at the centre of how the business is run. Culture change within firms is essential if we are to restore trust and integrity to the financial sector and the FCA will continue to focus on how firms are managed and structured so that every decision they make is in the best interests of their customers..”

The FCA has issued a Risk Outlook 2013 report identifying its top 5 priority risks for 2013/14:

1. Firms do not design products and services that respond to real consumer needs or are in consumers’ long-term interests.

a) There are unfair obstacles to consumers’ ability to exit or enter a product or service due to changing consumers’ needs or environmental conditions.

b) In responding to environmental or changing business conditions, firms adopt strategies that support their own interests but may not be in the long-term interests of their consumers.

c) Firms are over-exploiting their existing consumer base due to limited new business. For example firms targeting existing consumers with cash-generating products they do not need to improve margins.

d) Firms are developing complex, opaque and overpriced products that are not in the long-term interests of consumers and are difficult to compare.

e) Consumers are not fully aware of their financial needs and what products or product features would adequately serve these needs.

f) Consumers do not have access to products that meet real needs within regulated markets, due to a lack of competition and resulting shortfall in product availability and innovation.

2. Distribution channels do not promote transparency for consumers on financial products and services.

a) Consumers are prevented from being able to make well-informed financial decisions or compare products because features, costs and incentives are not transparent.

b) Information asymmetries and conflicts of interest are not managed and consumers may be using misleading information.

c) Firms fail to re-assess the suitability of using existing distribution channels to push additional products onto consumers.

3. Over-reliance on, and inadequate oversight of, payment and product technologies.

a) Systems may be unable to withstand growing transaction volumes and adapt to new consumer/user demands.

b) Consumers may not be aware of risks associated with online or mobile platforms, including financial crime risks (such as breach or theft of personal information, fraud or scams).

c) Technology reduces consumer choice and access due to online interfaces having an adverse impact on the framing of products.

d) Firms have not developed suitable controls around technologies that use Big Data to build intelligence and to inform decisions around pricing and access to products.

4. Shift towards more innovative, complex or risky funding strategies or structures that lack adequate oversight, posing risks to market integrity and consumer protection.

a) Firms’ funding structures or sources of funding may adversely affect market integrity.

b) Firms’ funding structures

c) Firms’ governance and oversight arrangements may not have been developed, and therefore may not be compatible with new sources of funding.

5. Poor understanding of risk and return, combined with the search for yield or income, leads consumers to take on more risk than is appropriate.

a) Low consumer awareness of the risks associated with high-yielding products.

b) Consumer focus on brand.

c) Firms that provide inaccurate or misleading assessments of risk and return to consumers.

Background: The Guardian


Posted 28th March 2013 by David Jacobson in Financial Services, Risk Management

March 22, 2013

Risk management of responsible entities

ASIC has released Consultation Paper 204 Risk management systems of responsible entities (CP 204) containing proposed regulatory guidance on risk management practices for responsible entities in the managed funds sector that are Australian financial services (AFS) licensees that are not regulated by the Australian Prudential Regulation Authority (APRA).

Subject to the passage of the Superannuation Legislation Amendment (Service Providers and other Governance Measures) Bill 2012, the proposed requirements would also apply to APRA-regulated registrable superannuation entity licensees (RSEs) that manage non-superannuation registered managed investment schemes (dual-regulated entities).

The proposals deal with:

  • ensuring risk management systems comprise processes to identify, assess and treat risks
  • ensuring these processes are suitable for individual business objectives and operations
  • ensuring that risk management systems address all material risks, including strategic, governance, operational, investment and liquidity risks, and
  • reviewing risk management systems regularly, and no less than annually, for appropriateness, effectiveness and relevance to individual businesses.


Posted 22nd March 2013 by David Jacobson in Compliance, Corporations Act, Investments, Risk Management, Superannuation

Commonwealth whistleblowers bill

The Government has introduced the Public Interest Disclosure Bill 2013 into the House of Representatives.

The provisions of the Bill:

  • establish a framework to encourage and facilitate reporting of wrongdoing by public officials in the Commonwealth public sector;
  • ensure that Commonwealth agencies properly investigate and respond to public interest disclosures; and
  • provide protections to public officials who make qualifying public interest disclosures.

The Bill will not protect disclosures made before commencement. However, once the measures in the Bill have commenced, a public official will be able to make a public interest disclosure in relation to conduct which occurred before or after commencement.

Principal officers of agencies are obliged to investigate a disclosure unless there is a basis for not doing so under certain grounds. An investigation must be completed within 90 days after being allocated to an agency, although this period may be extended by the Ombudsman if considered appropriate. A principal officer is obliged to notify a discloser who is readily contactable of certain matters relating to the handling of a disclosure, so that disclosers are kept informed of the status of their disclosures and what actions, if any, are proposed to be taken to address their concern.

The Bill provides broad protections for a public official who has made a qualifying public interest disclosure within the terms of the legislation. In addition to providing immunity from criminal, civil and administrative liability for making a public interest disclosure as defined in the Bill, the Bill would make it an offence for a person to take reprisal action against any person as a result of a person making, or proposing to make, a public interest disclosure.

The Bill has already been criticised for not allowing complaints to be lodged against ministers, and for not protecting those in the intelligence community or political staffers when they disclose wrongdoing to the media.

The Senate Legal and Constitutional Affairs Legislation Committee has an inquiry into the Bill.



Posted 22nd March 2013 by David Jacobson in Risk Management, Whistleblowers

January 7, 2013

Looking ahead to 2013: can you improve your risk management?

Just as athletes need to refine their techniques in order to perform better, businesses won’t get better at dealing with governance, risk and compliance by doing the same things as last year. You need to improve your processes and systems to be able to make more informed decisions and be more efficient.

In part what you will be doing in 2013 will be the result of events that occurred in 2012: changes to prudential requirements and laws such as the Corporations Act (FOFA), unclaimed money, the National Credit Act and the Privacy Act will require you to implement those changes.

And you will have to file the usual annual reports and compliance certificates.

So what will be different?

Assuming you are already attending to the “corporate hygiene” essentials, then by improving the way you explain these issues to your staff and by improving your processes you will perform better.

Compliance checklists can be helpful for repetitive tasks. The problem with checklists is making sure they do not become a mere “tick the box” exercise. Staff need to understand why they are being checked on. And some compliance obligations require “professional scepticism” to interpret the checklist answers.

Here’s a quick checklist to see if you have room for improvement.

  • When was the last time you met with staff to try and solve repetitive problems?
  • How do you share awareness of regulatory developments with staff?
  • Do your staff have a clear understanding of their responsibilities?
  • Have you budgeted both time and money for staff to meet their responsibilities?
  • When was the last time you reviewed induction procedures?
  • Do you have adequate reporting procedures?
  • Do you review your procedures following a complaint?
  • Do staff understand which obligations have the highest risks?

When was the last time you reviewed your:

  • privacy policy
  • commission arrangements
  • conflicts of interest policy
  • D&O Insurance
  • marketing clearance procedures
  • outsourcing arrangements
  • IT contracts
  • crisis management policy

If you don’t know the answers or it’s been a while since you checked, then despite the pressures for short-term performance, addressing these issues will improve your long term success.

Here’s our updated regulatory timeline.

Talk to your local Langes representative to see how we can help you get better value from your budget.


Posted 7th January 2013 by David Jacobson in Compliance, Financial Services, Risk Management