Compliance in the spotlight APRA heightens focus on Compliance Risk
28 February 2022
28 February 2022
On 17 February 2022, APRA released a guidance paper highlighting that recent high profile compliance failure headlines reiterate the importance of managing compliance risk to maintain trust in Australia's financial services industry.
While acknowledging the challenges that entities face in establishing and maintaining appropriate compliance arrangements, APRA expects organisations to prioritise the management of compliance risks alongside other key financial risks such as credit, market and cyber risks.
There has been increased regulatory attention on how entities are managing compliance risk since APRA's compliance focused review of the four major banks in 2019. APRA found from these reviews that "there is still room for improvement" in how entities manage compliance risk.
APRA defines compliance risk as an organisation's ability to comply with the laws, rules, regulations and standards relevant to the organisation's industry and the products and services it offers, and the consequences which flow from failing to comply. A distinction is drawn by the regulator between operational risk (which is focused on strategic objectives) and compliance risk (which is focused on meeting minimum requirements).
This is an important distinction which was also considered by the ASIC Corporate Governance Taskforce in the 'Director and officer oversight of non-financial risk report' published by ASIC in October 2019 (ASIC report). The ASIC report focused on oversight of compliance risk and the ASIC Governance Taskforce found that organisations which participated in the review were often operating outside of board-approved appetites, particularly for compliance risk. The ASIC Governance Taskforce found that while operational risks can be mitigated and managed within risk appetite and tolerance, organisations have struggled to clearly articulate their appetite for compliance risk and define compliance risk metrics.
In order to effectively understand the compliance risks that an organisation faces, it must first identify the legal and regulatory obligations which apply to its operations, and the products and services it offers. Because of the diversity of compliance obligations across different organisations and industries, there is not a single source of truth for all of the obligations that are relevant to a specific entity. It is therefore critical that entities put in place robust processes to identify relevant obligations and to monitor for any changes to them over time to ensure they are up to date.
APRA considers that the management of compliance risk starts at the top, with senior management and boards prioritising compliance risk management. An effective approach to managing compliance is a key indicator of the effectiveness of an organisation's overall risk management.
While APRA has a particular interest, given the nature of its regulatory remit, to oversee compliance with prudential standards, the regulator signals that it also has a broader interest, in line with APRA Prudential Standard CPS 220 Risk Management (CPS 220), in how entities meet other obligations, such as privacy, anti-money laundering and counter terrorism financing laws, as this informs the overall suitability of the entity's risk management framework. APRA will consider the impacts of instances of non-compliance with these other types of obligations when assessing the adequacy of risk management frameworks.
As a result of APRA's recent supervisory activity focussed on how larger and more complex entities are managing non-financial risk, it observed there is a need for entities to focus on the following areas:
APRA acknowledges the challenges of entities having a complete view of all obligations which are relevant to them and suggests that obligation subscription services in isolation are not necessarily the answer. There is often a need to supplement subscription services with tailored obligations registers. It is noted that the complexity is particularly exacerbated when entities operate across multiple jurisdictions.
APRA identifies a better practice is a hybrid combination of subscription services and compliance subject matter experts (SMEs). The regulator notes the importance of business, product, process and compliance experts collaborating to ensure regulatory changes are adequately planned for and managed to achieve ongoing compliance.
In practice, it is an ongoing challenge for compliance functions to balance sufficiently the need to identify and summarise obligations in a sufficiently detailed register to support the development of robust compliance arrangements by business teams, with the practicabilities of efficiently and effectively managing and maintaining obligations registers over time.
To optimise the benefits of a detailed summary of compliance obligations, APRA has observed better practice involves understanding end-to-end processes for products and services and overlaying the detailed view of obligations to identify gaps. APRA refers to this approach as: 'compliance by design'.
In a broader compliance management context, this practice is often considered to be a more proactive approach to compliance management. It ensures that systems and processes are designed to achieve compliance and is often referenced alongside innovative approaches to compliance management such as automation and digitisation.
APRA observes that risk teams (Line 2) often carry accountability for the management of obligations and corresponding controls, rather than the business (Line 1) primarily managing compliance risk in line with better practice. The failure of Line 1 to take accountability for compliance management, limits the ability of Line 2 risk teams to step back from day to day compliance activities and to instead provide meaningful oversight and challenge of Line 1.
APRA acknowledges that the banking industry is more progressed in clarifying accountabilities for compliance management as a result of having implemented BEAR. There are further observations of better practices in APRA's BEAR Thematic Review of the Major Banks in December 2020 (link here).
It has long been the case that compliance managers and functions have experienced challenges in ensuring that they have the necessary authority and independence to effectively perform their role. APRA's message on this point is clear: the appointment of a Chief Compliance Officer (CCO) gives a voice to compliance management and supports adherence to the requirement to establish an independent compliance function under CPS 220.
APRA notes that weaknesses in compliance risk management have materially contributed to significant compliance failures.
We have observed that, in practice, there are a number of challenges which need to be overcome to address these weaknesses including:
APRA's key message from this recent publication is that it expects to see compliance risk receiving the same attention and prioritisation that is given to other risks. APRA foreshadows compliance risk management will continue to be a key focus area for the regulator. This is in line with the increased focus on compliance risk management by other regulators such as ASIC and AUSTRAC.
The Board and senior management of regulated entities should take a holistic approach, leveraging combined legal and risk capabilities, to assess the maturity and adequacy of their compliance risk management framework (RMF). This could involve:
We believe that innovation will play a key role in improving compliance risk management. Automation and digitisation of obligations management and other resource intensive compliance management activities enable compliance functions with limited resources to focus on maturing their compliance risk management approaches.
The APRA guidance is directed at APRA regulated entities – banks, insurers and superannuation trustees. However, the principles which underpin this guidance are equally applicable to non APRA regulated institutions. For example, non APRA regulated entities with AFSLs are subject to licence obligations which require them to have in place adequate risk management and arrangements, and a failure in this regard can also be a basis for a contravention of the obligation to do all things necessary to provide services efficiently, honestly and fairly.
It therefore follows that this guidance has application outside of the APRA environment, in setting expectations relating to the management of compliance risk.
Authors: Silvana Wood, Partner; Niki Short, Partner; Samantha Carroll, Counsel; Luke Whitcher, Director - Risk Advisory; Gwladys Ngo Tedga Yagla, Director - Risk Advisory; Wendy Horton, Director - Risk Advisory; Mikaela Wyndham, Specialist - Risk Advisory.