Chapter 13


Chapter 13

Internal control systems

13.1      The committee has discussed significant non-compliance issues in one of Australia's most reputable organisations—the CBA. The previous chapter, however, concluded with the committee expressing concerns that the financial services sector needs to draw lessons from the CFPL experience of non-compliance. In this regard, during the inquiry the committee also considered non-compliance issues within another major financial institution—Macquarie Group (specifically Macquarie Equities Limited, a financial advice and investment service business within Macquarie Group that carries on its business under the name Macquarie Private Wealth). Moreover, in its consideration of lending practices between 2002 and 2010, the committee found that some of Australia's banking institutions turned a blind eye to irresponsible and unethical conduct, including predatory lending, in breach of their code of practice and community standards.

13.2      In light of what appear to be serious flaws with the internal risk management processes related to legislative and regulatory compliance in these companies, the committee believes that this aspect of non-compliance warrants a much closer look. In this chapter, the committee briefly underlines some of the critical compliance failings in CFPL and then in greater detail looks at the internal compliance workings in Macquarie Equities Limited to tease out whether it adds to or allays the committee's concerns about non-compliance, particularly as it relates to consumer protection. The committee also considers the effectiveness of ASIC's role in ensuring that companies have robust compliance management systems in place. The committee shines a light on, and considers whether, the system of internal control is adequate as it relates to compliance risk.[1]

Compliance

13.3      ASIC's chairman, Mr Greg Medcraft, stated that firms' compliance arrangements played a crucial role in ensuring that the firms do not fail to meet expected standards, which was 'a very important message that goes to the heart of companies' compliance arrangements'. He said compliance 'should be seen as an investment, not as a necessary evil, and if compliance professionals can ensure they have strong arrangements in place then hopefully we will not have to pay them a visit'.[2] The Governance Institute of Australia insisted that the primary responsibility for corporate misconduct resides with the individuals and companies that carry out these actions. The regulator's role is 'to provide guidance as to duties and responsibilities, and undertake enforcement where breaches of those duties and responsibilities occur'.[3]

Commonwealth Financial Planning

13.4      A condition of an AFS licence is to 'establish and maintain compliance measures that ensure, as far as reasonably practicable, that the licensee complies with the provisions of financial services laws'.[4]

13.5      The committee has in great detail chronicled the failings in CFPL. In this chapter, the committee is concerned predominately with the institution's compliance regime. The committee understands that as early as 2006, as a result of its surveillance, ASIC alerted the general manager of the CFPL to key concerns about CFPL's compliance framework. One such concern was that representatives rated as critical (the highest risk category) as a result of serious misconduct were not 'effectively addressed within the current framework'.[5] In particular, ASIC doubted CBA's 'ability to ensure its representatives were complying with the law'.[6] In February 2008, ASIC wrote to CFPL about the inadequacy of its processes and controls:

...we are concerned that your own data suggests that your compliance framework is not adequately detecting serious misconduct. We are therefore concerned that you are not adequately using your framework to continuously ensure you are meeting your licence obligations.[7]

13.6      ASIC noted further that only seven of the 38 representatives who were rated as critical were reported to ASIC under section 912 of the Corporations Act. It concluded that given the seriousness of the conduct, ASIC had concerns about CBA's ability to discharge this obligation to report significant breaches under that section. ASIC informed the CFPL that despite the bank's assurances back in May 2006 that it had overhauled its compliance arrangements, ASIC had reason to believe, on the basis of its surveillance findings, that its concerns were still 'ongoing'.[8]

13.7      Soon after this letter and a meeting between CFPL and ASIC, the CFPL implemented a Continuous Improvement Compliance Program (CICP). After some time, however, it became evident that this plan was ineffective, which then led to the execution of an enforceable undertaking in October 2011—five years after ASIC raised its initial concerns. ASIC conceded that the process between the CICP and the enforceable undertaking was 'too long'. According to ASIC:

We should have monitored it more closely and put together tougher time limits on it and tougher testing of the monitoring all along the way and made a decision earlier to give up on that process and move to the tougher enforceable undertaking process.[9]

...with the benefit of hindsight we feel we should not have placed as much reliance on Commonwealth Financial Planning's ability to identify and rectify all of the problems that started to emerge.[10]

13.8      While the committee accepts that ASIC could have insisted on a more robust process and more carefully monitored the implementation of that process, questions about the CFPL's own compliance mechanisms remain. As Mr Kirk explained, ASIC had trusted the CFPL. ASIC believed that the CFPL 'would be able to uncover all of their own problems and fix them and change their culture'.[11] This trust was misplaced.

13.9      As agreed to in the enforceable undertaking in October 2011, CFPL undertook to initiate a review that would address ASIC's concerns, including whether:

  • there were adequate processes and controls in place to deal with ongoing risks of non-compliance;
  • representative misconduct had been dealt with in a consistent manner;
  • recurring themes had been appropriately identified;
  • data analysis processes and reporting capabilities allow for early detection of advice process irregularities;
  • there had been adequate controls over client records; and
  • there had been consistent application of CFPL's complaints handling and internal dispute resolution processes.[12]

13.10         This list underscores the significant nature of ASIC's concerns. One of the most troubling aspects of the conduct of some CFPL financial planners was that it was deliberate and systematic, not negligent or sloppy. The conduct was targeted at vulnerable and trusting customers who sustained significant losses; it was a breach of the bank's fiduciary duty and obligation to use reasonable care. The supervisors who knew of such behaviour failed miserably in their duty to report such misconduct. Without doubt the compliance culture in and around CFPL was seriously compromised.

13.11         Of grave concern is that weaknesses in this area of compliance are still evident. As noted in Chapter 10, the independent expert's final report found that the CFPL needed to improve its breach reporting and ASIC regarded this area as an ongoing issue. Both assessments, however, were made before 16 May 2014, when the CBA informed the committee belatedly that the remediation process was 'not applied consistently'.[13]

13.12         In April 2014, the CBA led the committee to believe that, among other things, it had implemented 'major changes' in how its compliance and risk management operations were structured—it spoke of 'enhanced risk and compliance inside the business'. Yet within five weeks, the CBA wrote to the committee revealing what it termed inconsistencies in its accounts of the compensation process. In effect, the CBA's group general counsel, the bank's representative for this inquiry, had been unaware that he was misleading the committee. His eleventh hour revelations about the compensation process whereby not all clients were treated equally suggest that the concerns about risk management and compliance within CFPL are far from being addressed.

Macquarie Private Wealth

13.13         In January 2013, ASIC expressed its concern that Macquarie Equities Limited's (MEL) management 'may have failed to foster and maintain a proper commitment to, and culture of, compliance' within the Macquarie Private Wealth business.[14] ASIC found MEL had failed to address recurring compliance deficiencies that involved a significant number of advisers. MEL entered an enforceable undertaking on 29 January 2013.

13.14         MEL's compliance deficiencies were initially identified by MEL's own client file reviews dating back to 2008. Indeed, the enforceable undertaking noted that between 2008 and March 2010, Macquarie Private Wealth conducted client file reviews of its representatives, which 'indicated deficiencies involving a significant number of the Representatives'. These shortcomings were recurring and not reported to ASIC nor were they rectified in all cases. Between December 2011 and August 2012, ASIC conducted surveillance checks of Macquarie Private Wealth. These checks identified similar issues to those identified by Macquarie Private Wealth's own reviews.[15] Specifically, the deficiencies included instances of:

  • client files not containing statements of advice;
  • advisers failing to demonstrate a reasonable basis for advice provided to the client;
  • poor client records and lack of detail contained in advice documents;
  • lack of supporting documentation on files to determine if there was a reasonable basis for the advice provided to the client; and
  • failing to provide sufficient evidence that clients were sophisticated investors.

13.15         Again, as with the CFPL, these identified deficiencies were of considerable significance and go to serious breaches of duty of care to customers. ASIC stated that these five areas of deficiencies were not reported to ASIC. Unequivocally, it described these deficiencies as 'serious' and noted that 'any remediation initiatives attempted by MEL over a four year period had been ineffective'.[16] ASIC was concerned that MEL may have failed to address satisfactorily weaknesses in the Licensee Risk Framework. Among the numerous areas of concern, were whether:

  • there had been effective licensee risk policies, processes, controls and systems having regard to the nature, size and complexity of its business;
  • there had been compliance with the obligations regarding the provision of personal advice, general advice and execution-only dealing transactions, including necessary detail in advice documents to enable retail investors to make informed decisions;
  • representative conduct had been dealt with in a consistent and appropriate manner, including having robust consequences or non-compliant representatives;
  • recurring issues had been effectively identified and addressed over a period of time; and
  • effective compliance training and education had taken place.

13.16         On 15 March 2013, ASIC's deputy chairman, Mr Peter Kell, informed the Parliamentary Joint Committee on Corporations and Financial Services (PJCCFS) that one aspect of ASIC's concerns with Macquarie Private Wealth's operations was that Macquarie had identified a range of compliance problems within its business, but not reported them to ASIC. He explained this issue of failing to report was something that ASIC wanted to highlight more broadly across the financial services industry:

We have seen inconsistencies in the approach of different firms in terms of how they report breaches. We have been highlighting recently that we expect firms to, if you like, err on the side of caution and come to us if they have identified a problem within their own operations, rather than make an assumption that this can fly under the radar and is not a concern. We are highlighting that as an area where we expect to see stronger action from the industry as a whole.

...Perhaps in some firms there are issues around the compliance staff, compliance units and compliance functions within the firms' operations. It has been a longstanding issue that they are not always dealt with as seriously as we would like, but we are seeing that change across the industry.[17]

13.17         According to Mr Kell, ASIC continues to emphasise that reporting non‑compliance was 'an important part of a well-functioning system'. He said:

...where firms identify problems with their own operations—advisers who have behaved inappropriately or provided inappropriate advice; systems errors that have caused significant issues for consumers—we expect to hear about that sooner rather than later.[18]

13.18         Fellow commissioner, Mr John Price, stated that the enforceable undertaking required Macquarie 'to rethink significantly the way it monitors its representatives and to create a culture where compliance is central to getting that advice'.[19] Importantly, Ms Joanna Bird of ASIC told the committee that Macquarie Private Wealth had 'systemic failings of compliance and it had a poor compliance culture'.[20] Mr Medcraft told that committee that he gets annoyed 'when basically there is not that self‑reporting'. He noted further that the troubling thing was when ASIC finds something and it asks the question, 'Well, there's a problem there; what else is there?' He stated further:

But I think for Australians to be confident in participating in the financial system it is actually really important that those that are part of that system do self-report where there is a problem. Transparency is, I think, really important. It is not a systemic problem, but there is a broad spread of behaviour, and some of it is at the very top end of our system...that some of the issue about self-reporting relates to some very large financial services holders. It is not just maybe at the bottom end. It is at the top end.[21]

13.19         It should be noted that the CFPL and Macquarie Private Wealth are not the only highly regarded institutions that have come to public attention. ASIC found in 2009 that ANZ Custodians had failed to report significant breaches of its obligations to ASIC and demonstrated a poor compliance culture. In 2011, the regulator also questioned whether UBS Wealth Management Australia had appropriate compliance risk management policies, although ASIC did acknowledge that UBS informed it of possible breaches.[22]

13.20         Professor Justin O'Brien and Dr George Gillian underscored the need to have 'substantive rather than technical compliance'.[23] The question remains, considering the repeated instances of non‑compliance, have the institutions now put in place risk management mechanisms that would prevent any repeat of the mistakes of the past?

ASIC's response

13.21         ASIC noted that AFS licensees have obligations under subsection 912A(1) of Corporations Act, among other things, to:

  • do all things necessary to ensure that the financial services covered by their licence are provided efficiently, honestly and fairly;
  • have adequate arrangements in place for managing conflicts of interest;
  • comply with the conditions on their licence;
  • comply with the financial services laws;
  • take reasonable steps to ensure that their representatives comply with the financial services laws;
  • unless regulated by APRA, have adequate financial, technological and human resources to provide the financial services covered by their licence and to carry out supervisory arrangements;
  • maintain the competence to provide the financial services covered by the licence;
  • ensure that their representatives are adequately trained and competent to provide those financial services;
  • if they provide financial services to retail clients, have a dispute resolution system; and
  • unless they are regulated by APRA, establish and maintain adequate risk management systems.[24]

13.22         According to ASIC, it has not undertaken a specific assessment of the effectiveness of the internal compliance arrangements of AFS licensees. It had, however, undertaken a review of the business and risk practices of the top 50 AFS licensees that provide financial product advice to retail clients.[25] In 2011, ASIC found in respect of the top 20 licensees that, while they were focused on risk management and compliance, there were a number of issues, including:

  • proactive licensee monitoring, which should be instrumental in detecting incidents and breaches; and
  • risk profiling tools, whereby advisers should not rely on risk profiling tools without also considering if the outcomes are appropriate for their clients' circumstances.[26]

13.23         ASIC found in 2013 that most of the top 21 to 50 of these AFS licensees were taking steps to mitigate key risks, although a number of issues were highlighted, including:

  • monitoring and supervision of advisers, whereby licensees:
  • must ensure their advisers comply with their stated procedures;
  • must check references of new advisers to exclude 'bad apples';
  • must report breaches and demonstrate remediation plans are in place;
  • should retain access to client records at all times; and
  • product and strategic advice, whereby conflicts of interest need to be managed and clients educated about risk and return so that their expectations are more realistic.[27]

13.24         According to ASIC, effective internal compliance arrangements were 'crucial to meeting these statutory obligations'. In keeping with the principles-based nature of the financial services legislation, however, ASIC does not prescribe how licensees should meet these obligations but has released a number of regulatory guides.[28] Industry associations have also published a number of standards and codes.

13.25         ASIC noted that self-regulation involved industry developing and enforcing its own regulatory rules, with no or minimum government intervention. ASIC went on to explain:

Ideally, self-regulation should be initiated by industry, rather than imposed upon it.  However, Government can create environments that encourage self-regulatory initiatives, for example, by recognising a self-regulatory regime in legislation and providing incentives to comply with the regime.[29]

13.26         Although ASIC supported self-regulatory measures, especially where industry standards or requirements exceeded legal requirements, it stated that based on its experience:

...self-regulatory models are rarely an effective or acceptable alternative to explicit regulation in the context of retail financial markets because currently pre-conditions for effective self-regulation are rarely present in a fully developed state.[30]

13.27         Mr Tregillis, a long-term regulator who understands that regulators have a very difficult job in meeting the demands placed upon them, cited the approach being taken in the UK toward compliance. He noted:

The UK regulator, for example, has a special-person sort of regime whereby they can, where they are concerned about compliance failings, not wait until there is a breach but actually require an expert person or a special person to do a review and report to the regulator. That is double edged, but it is a proactive mechanism. It is useful in the sense that it does not mean that the regulator has to have permanent resources; you can get people with expertise to do it. That is something that could be considered.[31]

ASX corporate governance principle 3

13.28         In this chapter, the committee has focused simply on the internal risk management systems that cover compliance with applicable laws and regulations. However, the ASX sets the bar higher. Commentary accompanying its corporate governance principle 3 states:

Acting ethically and responsibly goes well beyond mere compliance with legal obligations and involves acting with honesty, integrity and in a manner that is consistent with the reasonable expectations of investors and the broader community. It includes being, and being seen to be, a 'good corporate citizen'...

The board of a listed entity should lead by example when it comes to acting ethically and responsibly and should specifically charge management with the responsibility for creating a culture within the entity that promotes ethical and responsible behaviour.[32]

13.29         The committee found that two major companies fell far short of the expected standard of compliance. Clearly, more effective internal systems of self-regulation, monitoring and reporting within companies to address cultural issues dealing with non-compliance need to be devised and implemented. Having a compliance model that is able to detect corporate breaches, recognise their significance, and promptly report on and rectify any deficiencies is vital to the health of the corporation.

13.30         It may be time for the ASX and ASIC to review their guidance on risk management, placing an emphasis on the adequacy of internal compliance arrangements and appropriate reporting obligations for non-compliance. The government should also look more closely as to whether the legislation needs to be strengthened to require companies to have more robust systems in place to help them comply with applicable laws and regulations to foster a culture of compliance.

13.31         It should be noted that the maximum penalty for not reporting a significant breach (or likely breach) within ten business days of becoming aware of the breach (or likely breach) is:

  • for an individual, $8,500 or imprisonment for one year, or both; and
  • for a company, $42,500.[33]

13.32         ASIC should also bear in mind the lessons to be learnt from the CFPL and Macquarie Private Wealth cases and ensure that its surveillance of companies for compliance is far more intrusive and less trusting. Further, in light of the poor performance of the internal compliance regime in CFPL and Macquarie Private Wealth, the committee is also inclined to share Mr Medcraft's scepticism and ask 'what else is there?' The committee is concerned with Macquarie's failure to report and particularly the breakdown in its compliance regime. Indeed, as noted previously, Ms Bird told the committee that Macquarie Private Wealth had 'systemic failings of compliance and it had a poor compliance culture'.[34] The committee is concerned with the efficacy of the enforceable undertaking entered into as a result of serious compliance deficiencies within Macquarie Private Wealth. Given that ASIC did not, until recently, fully understand how the CBA was implementing its compensation schemes for clients affected by the CFPL scandal, the committee doubts ASIC is fully aware of the Macquarie business and remediation process. While the enforceable undertaking remains in place, ASIC should undertake intensive surveillance of Macquarie Private Wealth to ensure that ASIC's concerns are in fact being addressed and that a culture of compliance is being adopted.

Recommendation 8

13.33         The committee recommends that ASIC establish a pool of approved independent experts (retired experienced and hardened business people with extensive knowledge of compliance) from which to draw when concerns emerge about a poor compliance culture in a particular company. The special expert would review and report to the company and ASIC on suspected compliance failings with the process funded by the company in question.

Recommendation 9

13.34         The committee recommends that the government consider increased penalties and alternatives to court action, such as infringement notices, for Australian financial services licensees that fail to lodge reports of significant breaches to ASIC within the required time.

Recommendation 10

13.35         The committee recommends that ASIC review its surveillance activity with a view to making it more effective in detecting deficiencies in internal compliance arrangements.

Recommendation 11

13.36         In light of the Commonwealth Financial Planning matter, the committee recommends that ASIC undertakes intensive surveillance of other financial advice businesses that have recently been a source of concern, such as Macquarie Private Wealth, to ensure that ASIC's previous concerns are being addressed and that there are no other compliance deficiencies. ASIC should make the findings of its surveillance public and, in due course, provide a report to this committee.

Navigation: Previous Page | Contents | Next Page