Neal Hornsby gives his insights into how financial institutions can – with a minimum of effort – ensure their compliance plan stays relevant
Monitoring a compliance plan within a well-constructed compliance program should be almost effortless. But to make it that easy, the compliance program of the organisation must be as complete as possible, as well as being robust and effective.
Compliance programs, in the context of this article, “ensure that the requirements of laws, regulations, industry codes, organisational standards, management policies, procedures and practices and operational risks are met”. This definition is aligned to the AS:3806 and AS:4360 definitions of “Compliance” and “Risk Management Procedures” respectively.
Confirming that the controls have been effective in the overall business compliance program should also confirm that the obligations of the compliance plan have been met.
This doesn’t imply that the level at which the business records and documents its operational and regulatory risk control sets should be identical to those detailed within the compliance plan.
Although it depends on the type of organisation, the compliance plan obligations and controls should generally be set at a higher level than the operations of the business and any service providers’ set of risk and obligation controls.
By doing this the underlying processes and controls of the business or service provider are able to change without affecting the adequacy and effectiveness of the compliance plan.
Tailored programs
Compliance programs take various forms and should match the structure of the organisation or that of its parent.
For instance, the compliance program of a responsible entity (RE) acting as a product issuer for several external fund managers will not look the same as that of a fund manager which has become an RE in order to issue its own scheme. However, although each organisation may be structurally different, compliance programs tend to be similar.
Having identified and assessed its key risks, the business should apply a layer of compliance monitoring and testing. This is described in AS4360 as “control self assessment” or CSA.
The business may even assign its own “compliance officers”. These people are generally responsible for key business risks and obligations.
The compliance manager, and, in the case of larger entities, a separate compliance function will monitor and review the CSA affirmations of the business and test that these affirmations have been carried out.
Weaknesses and control breakdowns should be identified, reported and, where required, more effective controls designed and implemented by the business.
Those that are responsible entities are required to have an external audit function. Some larger organisations also have an internal audit function. Paragraphs i) and ii) below describe how these audit functions fit within the business:
i) Internal audit generally does not test directly against the compliance plan. Internal audits are usually performed on the business process controls within each business area. The compliance function of the RE will review these audit reports and work with the business to manage any weaknesses identified.
The completed audit report is reviewed against the compliance plan. Any weakness or breakdown affecting the obligations and controls of the compliance plan is reported to the compliance committee (where it exists) and/or the board.
Where an internal audit function exists, it should work with the compliance team to identify and close off weaknesses, and continuously improve the business controls.
ii) External audit will confirm whether the compliance plan has been monitored effectively and that the described controls have been executed and have been effective. The audit report will be issued to the board audit committee (if one exists) and the board of the RE, and is generally available to the compliance committee. The external audit report is also provided to ASIC.
Compliance plan construction
Generally the compliance plan should not detail operational process control descriptions at too low a level. These should instead reside within the business’s control set.
Embedding detailed controls within the compliance plan will mean that any change in process affecting these controls may result in the compliance plan needing to be reworked, resubmitted to the compliance committee and to the board for sign-off, as well as resubmission to ASIC.
It is good practice to have the underlying legislation and corresponding business risks reflected in the compliance plan.
However, for the reasons given above, embedding specific regulatory policy should be avoided in case there is a change in regulator policy.
For example, ASIC Policy Statements (PS) have recently been replaced by Regulatory Guides (RG). If, say, PS164 had been embedded within a compliance plan, this plan may have required a change, when RG104 and RG105 replaced PS164 in 2007.
The statement: “you should not have low-level process controls within the compliance plan” is especially valid for the entities of types 2 and 3 described in the table opposite.
The reason for this is simple. In examples 2 and 3, there is a disconnect between the RE and some or all of the operational parts and functions. In these cases it is not wise, or in some cases even possible, to try to prescribe precise controls that are once or even twice removed from the RE’s operations. This is especially true where the RE acts as an RE for hire and issues products on behalf of external fund managers.
What are the controls when there are disconnects?
In Types 2 and 3, the control exists through the administrative and service level agreements between the RE and the fund manager or its delegate, and any other outsourced function covered by the compliance plan.
These agreements are the “map” or “junction” between the outsourced service provider’s compliance program and the RE’s compliance plan.
It is the responsibility of the RE to ensure that the agreements specifically cover off the obligations of the RE’s compliance plan, and the agreements should be structured in such a way that these obligations are embedded.
It should be remembered that although a function may be outsourced, it remains the responsibility of the RE. Therefore, these agreements need to detail the operations being carried out by the service provider, and how the operational and regulatory risk controls being applied will be reported. Performance metrics will also need to be considered, agreed upon and reported on regularly.
When the product issuer is the fund manager
Type 1 may have detailed operational control descriptions. This RE has its own staff, is also the fund manager and has no schemes with external managers where it acts as the product issuer.
That is, the RE only issues its own schemes and is, or has, its own fund manager managing those assets under the same Australian Financial Services Licence. With this type of RE, no disconnect between the RE and its underlying operations exists.
Many businesses see the compliance plan as a separate compliance object requiring a separate monitoring and assurance regime disconnected from the rest of the compliance program. This should never be the case.
Ideally, a compliance plan should be developed after or while the complete set of business risks is being assessed and effective process controls are designed and implemented throughout the operation.
The obligations of the compliance plan should then describe and point to the various control objects within the business, some of these objects being the external fund manager and outsourced service provider agreements.
If the compliance plan has been constructed in the manner described, then the actions of monitoring and reporting for a compliance plan should be almost effortless.
Neal Hornsby is Executive Manager – Regulatory Risk, Compliance and Reporting in Wealth Management at the Commonwealth Bank