Internal control systems
The committee has discussed significant non-compliance issues in one of
Australia's most reputable organisations—the CBA. The previous chapter,
however, concluded with the committee expressing concerns that the financial
services sector needs to draw lessons from the CFPL experience of
non-compliance. In this regard, during the inquiry the committee also
considered non-compliance issues within another major financial
institution—Macquarie Group (specifically Macquarie Equities Limited, a
financial advice and investment service business within Macquarie Group that
carries on its business under the name Macquarie Private Wealth). Moreover, in
its consideration of lending practices between 2002 and 2010, the committee
found that some of Australia's banking institutions turned a blind eye to
irresponsible and unethical conduct, including predatory lending, in breach of
their code of practice and community standards.
In light of what appear to be serious flaws with the internal risk
management processes related to legislative and regulatory compliance in these
the committee believes that this aspect of non-compliance warrants a much
closer look. In this chapter, the committee briefly underlines some of the critical
compliance failings in CFPL and then in greater detail looks at the internal
compliance workings in Macquarie Equities Limited to tease out whether it adds
to or allays the committee's concerns about non-compliance, particularly as it relates
to consumer protection.
The committee also considers the effectiveness of ASIC's role in ensuring that companies
have robust compliance management systems in place. The committee shines a
light on the system of internal control and considers whether it is adequate as
it relates to compliance risk.
ASIC's chairman, Mr Greg Medcraft, stated that firms' compliance
arrangements played a crucial role in ensuring that the firms do not fail to
meet expected standards, which was 'a very important message that goes to the
heart of companies' compliance arrangements'. He said compliance 'should be
seen as an investment, not as a necessary evil, and if compliance professionals
can ensure they have strong arrangements in place then hopefully we will not have
to pay them a visit'.
The Governance Institute of Australia insisted that the primary responsibility
for corporate misconduct resides with the individuals and companies that carry
out these actions. The regulator's role is 'to provide guidance as to duties and
responsibilities, and undertake enforcement where breaches of those duties and
Commonwealth Financial Planning
A condition of an AFS licence is to 'establish and maintain compliance
measures that ensure, as far as reasonably practicable, that the licensee
complies with the provisions of financial services laws'.
The committee has in great detail chronicled the failings in CFPL. In
this chapter, the committee is concerned predominantly with the institution's
compliance regime. The committee understands that as early as 2006, as a result
of its surveillance, ASIC alerted the general manager of the CFPL to key
concerns about CFPL's compliance framework. One such concern was that
representatives rated as critical (the highest risk category) as a result of
serious misconduct were not 'effectively addressed within the current framework'.
In particular, ASIC doubted CBA's 'ability to ensure its representatives were
complying with the law'.
In February 2008, ASIC wrote to CFPL about the inadequacy of its processes and
...we are concerned that your own data suggests that your
compliance framework is not adequately detecting serious misconduct. We are
therefore concerned that you are not adequately using your framework to continuously
ensure you are meeting your licence obligations.
ASIC noted further that only seven of the 38 representatives who were
rated as critical were reported to ASIC under section 912 of the Corporations Act.
It concluded that given the seriousness of the conduct, ASIC had concerns
about CBA's ability to discharge this obligation to report significant breaches
under that section. ASIC informed the CFPL that despite the bank's assurances in
May 2006 that it had overhauled its compliance arrangements, ASIC had reason to
believe, on the basis of its surveillance findings, that its concerns were
Soon after this letter and a meeting between CFPL and ASIC, the CFPL implemented
a Continuous Improvement Compliance Program (CICP). After some time, however,
it became evident that this plan was ineffective, which then led to the execution
of an enforceable undertaking in October 2011—five years after ASIC raised its
initial concerns. ASIC conceded that the process between the CICP and the enforceable
undertaking was 'too long'. According to ASIC:
We should have monitored it more closely and put together
tougher time limits on it and tougher testing of the monitoring all along the
way and made a decision earlier to give up on that process and move to the
tougher enforceable undertaking process.
...with the benefit of hindsight we feel we should not have
placed as much reliance on Commonwealth Financial Planning's ability to
identify and rectify all of the problems that started to emerge.
While the committee accepts that ASIC could have insisted on a more
robust process and more carefully monitored the implementation of that process,
questions about the CFPL's own compliance mechanisms remain. As Mr Kirk
explained, ASIC had trusted the CFPL. ASIC believed that the CFPL 'would be able
to uncover all of their own problems and fix them and change their culture'.
This trust was misplaced.
As agreed to in the enforceable undertaking in October 2011, CFPL
undertook to initiate a review that would address ASIC's concerns, including
- there were adequate processes and controls in place to deal with ongoing
risks of non-compliance;
- representative misconduct had been dealt with in a consistent
- recurring themes had been appropriately identified;
- data analysis processes and reporting capabilities allow for
early detection of advice process irregularities;
- there had been adequate controls over client records; and
- there had been consistent application of CFPL's complaints
handling and internal dispute resolution processes.
This list underscores the significant nature of ASIC's concerns. One of
the most troubling aspects of the conduct of some CFPL financial planners was
that it was deliberate and systematic, not negligent or sloppy. The conduct was
targeted at vulnerable and trusting customers who sustained significant losses;
it was a breach of the bank's fiduciary duty and obligation to use reasonable
care. The supervisors who knew of such behaviour failed miserably in their duty
to report such misconduct. Without doubt the compliance culture in and around
CFPL was seriously compromised.
Of grave concern is that weaknesses in this area of compliance are still
evident. As noted in Chapter 10, the independent expert's final report found that
the CFPL needed to improve its breach reporting and ASIC regarded this area as
an ongoing issue. Both assessments, however, were made before 16 May 2014, when
the CBA informed the committee belatedly that the remediation process was 'not
In April 2014, the CBA led the committee to believe that, among other
things, it had implemented 'major changes' in how its compliance and risk
management operations were structured—it spoke of 'enhanced risk and compliance
inside the business'. Yet within five weeks, the CBA wrote to the committee
revealing what it termed inconsistencies in its accounts of the compensation
process. In effect, the CBA's group general counsel, the bank's representative
for this inquiry, had been unaware that he was misleading the committee. His
eleventh hour revelations about the compensation process whereby not all
clients were treated equally suggest that the concerns about risk management
and compliance within CFPL are far from being addressed.
Macquarie Private Wealth
In January 2013, ASIC expressed its concern that Macquarie Equities Limited's
(MEL) management 'may have failed to foster and maintain a proper commitment
to, and culture of, compliance' within the Macquarie Private Wealth business.
ASIC found MEL had failed to address recurring compliance deficiencies that
involved a significant number of advisers. MEL entered an enforceable
undertaking on 29 January 2013.
MEL's compliance deficiencies were initially identified by MEL's own
client file reviews dating back to 2008. Indeed, the enforceable undertaking
noted that between 2008 and March 2010, Macquarie Private Wealth conducted
client file reviews of its representatives, which 'indicated deficiencies
involving a significant number of the Representatives'. These shortcomings were
recurring and not reported to ASIC nor were they rectified in all cases.
Between December 2011 and August 2012, ASIC conducted surveillance checks of
Macquarie Private Wealth. These checks identified similar issues to those
identified by Macquarie Private Wealth's own reviews.
Specifically, the deficiencies included instances of:
- client files not containing statements of advice;
- advisers failing to demonstrate a reasonable basis for advice
provided to the client;
- poor client records and lack of detail contained in advice
- lack of supporting documentation on files to determine if there
was a reasonable basis for the advice provided to the client; and
- failing to provide sufficient evidence that clients were
Again, as with the CFPL, these identified deficiencies were of
considerable significance and go to serious breaches of duty of care to
customers. ASIC stated that these five areas of deficiencies were not reported
to ASIC. Unequivocally, it described these deficiencies as 'serious' and noted that
'any remediation initiatives attempted by MEL over a four year period had been
ASIC was concerned that MEL may have failed to address satisfactorily
weaknesses in the Licensee Risk Framework. Among the numerous areas of concern,
- there had been effective licensee risk policies, processes,
controls and systems having regard to the nature, size and complexity of its
- there had been compliance with the obligations regarding the
provision of personal advice, general advice and execution-only dealing
transactions, including necessary detail in advice documents to enable retail
to make informed decisions;
- representative conduct had been dealt with in a consistent and
appropriate manner, including having robust consequences for non-compliant representatives;
- recurring issues had been effectively identified and addressed
over a period of time; and
- effective compliance training and education had taken place.
On 15 March 2013, ASIC's deputy chairman, Mr Peter Kell, informed the Parliamentary
Joint Committee on Corporations and Financial Services (PJCCFS) that one aspect
of ASIC's concerns with Macquarie Private Wealth's operations was that Macquarie
had identified a range of compliance problems within its business, but not
reported them to ASIC. He explained this issue of failing to report was
something that ASIC wanted to highlight more broadly across the financial
We have seen inconsistencies in the approach of different
firms in terms of how they report breaches. We have been highlighting recently
that we expect firms to, if you like, err on the side of caution and come to us
if they have identified a problem within their own operations, rather than make
an assumption that this can fly under the radar and is not a concern. We are
highlighting that as an area where we expect to see stronger action from the
industry as a whole.
...Perhaps in some firms there are issues around the compliance
staff, compliance units and compliance functions within the firms' operations.
It has been a longstanding issue that they are not always dealt with as
seriously as we would like, but we are seeing that change across the industry.
According to Mr Kell, ASIC continues to emphasise that reporting non-compliance
is 'an important part of a well-functioning system'. He said:
...where firms identify problems with their own
operations—advisers who have behaved inappropriately or provided inappropriate
advice; systems errors that have caused significant issues for consumers—we
expect to hear about that sooner rather than later.
Fellow commissioner, Mr John Price, stated that the enforceable
undertaking required Macquarie 'to rethink significantly the way it monitors
its representatives and to create a culture where compliance is central to
getting that advice'.
Importantly, Ms Joanna Bird of ASIC told the committee that Macquarie
Private Wealth had 'systemic failings of compliance and it had a poor
compliance culture'. Mr Medcraft told the committee that he gets
annoyed 'when basically there is not that self-reporting'. He noted
further that the troubling thing was when ASIC finds something and it asks the
question, 'Well, there's a problem there; what else is there?' He stated:
But I think for Australians to be confident in participating
in the financial system it is actually really important that those that are
part of that system do self-report where there is a problem. Transparency is, I
think, really important. It is not a systemic problem, but there is a broad
spread of behaviour, and some of it is at the very top end of our system...that
some of the issue about self-reporting relates to some very large financial
services holders. It is not just maybe at the bottom end. It is at the top end.
It should be noted that the CFPL and Macquarie Private Wealth are not
the only highly regarded institutions that have come to public attention. ASIC
found in 2009 that ANZ Custodians had failed to report significant breaches of
its obligations to ASIC and demonstrated a poor compliance culture. In 2011,
the regulator also questioned whether UBS Wealth Management Australia had
appropriate compliance risk management policies, although ASIC did acknowledge
that UBS informed it of possible breaches.
Professor Justin O'Brien and Dr George Gillian underscored the need
to have 'substantive rather than technical compliance'.
The question remains, considering the repeated instances of non‑compliance,
have the institutions now put in place risk management mechanisms that would
prevent any repeat of the mistakes of the past?
ASIC noted that AFS licensees have obligations under subsection 912A(1)
of the Corporations Act, among other things, to:
- do all things necessary to ensure that the financial services
covered by their licence are provided efficiently, honestly and fairly;
- have adequate arrangements in place for managing conflicts of
- comply with the conditions on their licence;
- comply with the financial services laws;
- take reasonable steps to ensure that their representatives comply
with the financial services laws;
- unless regulated by APRA, have adequate financial,
technological and human resources to provide the financial services covered by
their licence and to carry out supervisory arrangements;
- maintain the competence to provide the financial services covered
by the licence;
- ensure that their representatives are adequately trained and
to provide those financial services;
- if they provide financial services to retail clients, have a
dispute resolution system; and
- unless they are regulated by APRA, establish and maintain
adequate risk management systems.
According to ASIC, it has not undertaken a specific assessment of the
effectiveness of the internal compliance arrangements of AFS licensees. It had,
however, undertaken a review of the business and risk practices of the top
50 AFS licensees that provide financial product advice to retail
In 2011, ASIC found in respect of the top 20 licensees that, while they were focused
on risk management and compliance, there were a number of issues, including:
- proactive licensee monitoring, which should be instrumental in
detecting incidents and breaches; and
- risk profiling tools, whereby advisers should not rely on risk
profiling tools without also considering if the outcomes are appropriate for
their clients' circumstances.
ASIC found in 2013 that most of the top 21 to 50 of these AFS licensees
were taking steps to mitigate key risks, although a number of issues were
- monitoring and supervision of advisers, whereby licensees:
  - must ensure their advisers comply with their stated procedures;
  - must check references of new advisers to exclude 'bad apples';
  - must report breaches and demonstrate remediation plans are in
  - should retain access to client records at all times; and
- product and strategic advice, whereby conflicts of interest need
to be managed and clients educated about risk and return so that their
expectations are more realistic.
According to ASIC, effective internal compliance arrangements were 'crucial
to meeting these statutory obligations'. In keeping with the principles-based
nature of the financial services legislation, however, ASIC does not prescribe
how licensees should meet these obligations but has released a number of
Industry associations have also published a number of standards and codes.
ASIC noted that self-regulation involved industry developing and enforcing
its own regulatory rules, with no or minimum government intervention. ASIC went
on to explain:
Ideally, self-regulation should be initiated by industry,
rather than imposed upon it. However, Government can create environments that
encourage self-regulatory initiatives, for example, by recognising a
self-regulatory regime in legislation and providing incentives to comply with
Although ASIC supported self-regulatory measures, especially where
industry standards or requirements exceeded legal requirements, it stated that
based on its experience:
...self-regulatory models are rarely an effective or acceptable
alternative to explicit regulation in the context of retail financial markets
because currently pre-conditions for effective self-regulation are rarely
present in a fully developed state.
Mr Tregillis, a long-term regulator who understands that regulators have
a very difficult job in meeting the demands placed upon them, cited the
approach being taken in the UK toward compliance. He noted:
The UK regulator, for example, has a special-person sort of
regime whereby they can, where they are concerned about compliance failings,
not wait until there is a breach but actually require an expert person or a
special person to do a review and report to the regulator. That is double
edged, but it is a proactive mechanism. It is useful in the sense that it does
not mean that the regulator has to have permanent resources; you can get people
with expertise to do it. That is something that could be considered.
ASX corporate governance principle 3
In this chapter, the committee has focused simply on the internal risk
management systems that cover compliance with applicable laws and regulations. However,
the ASX sets the bar higher. Commentary accompanying its corporate governance
principle 3 states:
Acting ethically and responsibly goes well beyond mere
compliance with legal obligations and involves acting with honesty, integrity
and in a manner that is consistent with the reasonable expectations of investors
and the broader community. It includes being, and being seen to be, a 'good
The board of a listed entity should lead by example when it
comes to acting ethically and responsibly and should specifically charge
management with the responsibility for creating a culture within the entity
that promotes ethical and responsible behaviour.
The committee found that two major companies fell far short of the expected
standard of compliance. Clearly, more effective internal systems of self-regulation,
monitoring and reporting within companies to address cultural issues dealing
with non-compliance need to be devised and implemented. Having a compliance
model that is able to detect corporate breaches, recognise their significance,
and promptly report on and rectify any deficiencies is vital to the health of
It may be time for the ASX and ASIC to review their guidance on risk
management, placing an emphasis on the adequacy of internal compliance
arrangements and appropriate reporting obligations for non-compliance.
The government should also look more closely as to whether the legislation
needs to be strengthened to require companies to have more robust systems in place
to help them comply with applicable laws and regulations to foster a culture of
It should be noted that the maximum penalty for not reporting a
significant breach (or likely breach) within ten business days of becoming
aware of the breach (or likely breach) is:
- for an individual, $8,500 or imprisonment for one year, or both;
- for a company, $42,500.
ASIC should also bear in mind the lessons to be learnt from the CFPL and
Macquarie Private Wealth cases and ensure that its surveillance of companies
for compliance is far more intrusive and less trusting. Further, in light of
the poor performance of the internal compliance regime in CFPL and Macquarie
Private Wealth, the committee is also inclined to share Mr Medcraft's
scepticism and ask 'what else is there?' The committee is concerned with
Macquarie's failure to report and particularly the breakdown in its compliance
regime. Indeed, as noted previously, Ms Bird told the committee that
Macquarie Private Wealth had 'systemic failings of compliance and it had a poor
compliance culture'. The committee is concerned with the efficacy
of the enforceable undertaking entered into as a result of serious compliance
deficiencies within Macquarie Private Wealth. Given that ASIC did not, until
recently, fully understand how the CBA was implementing its compensation schemes
for clients affected by the CFPL scandal, the committee doubts ASIC is fully
aware of the Macquarie business and remediation process. While the enforceable
undertaking remains in place, ASIC should undertake intensive surveillance of
Macquarie Private Wealth to ensure that ASIC's concerns are in fact being
addressed and that a culture of compliance is being adopted.
The committee recommends that ASIC establish a pool of approved
independent experts (retired experienced and hardened business people with
extensive knowledge of compliance) from which to draw when concerns emerge
about a poor compliance culture in a particular company. The special expert
would review and report to the company and ASIC on suspected compliance
failings with the process funded by the company in question.
The committee recommends that the government consider increased
penalties and alternatives to court action, such as infringement notices, for Australian
financial services licensees that fail to lodge reports of significant breaches
to ASIC within the required time.
The committee recommends that ASIC review its surveillance activity with
a view to making it more effective in detecting deficiencies in internal
In light of the Commonwealth Financial Planning matter, the committee
recommends that ASIC undertakes intensive surveillance of other financial
advice businesses that have recently been a source of concern, such as
Macquarie Private Wealth, to ensure that ASIC's previous concerns are being
addressed and that there are no other compliance deficiencies. ASIC should make
the findings of its surveillance public and, in due course, provide a report to