A great indicator of the health of your compliance arrangements is the quantity and quality of data in your compliance registers.
No data or limited data could indicate issues with your people and/or authorised representatives and with the adequacy and effectiveness of your compliance arrangements.
So what registers should you have and what should you expect to see?
Risk register
The risk register should include the 10-15 risks that could seriously impact your business operations. They should cover (as relevant) strategic risk, reputational risk, financial risk, people risk, legal risk, regulatory risk, compliance risk, conduct risk, technology risk, data risk and change management risk.
The risk register should include accountability, key controls, control testing & action plans to close out any gaps arising from control testing.
The risk register (plus all other registers) should be a standing agenda item at your quarterly Risk & Compliance Committee meeting where control testing outcomes, action plans, the internal & external business environment and emerging risks are discussed.
Obligations register
This register is similar to the risk register but manages your compliance obligations. The register can be a stand-alone register or, for most underwriting agencies, TPAs and insurance brokers, included as part of your Risk & Compliance Manual.
The register should capture AFS Licence obligations, financial service laws (including Prudential Standards for insurers), industry Codes & obligations arising from binder & other agreements.
Typically an APRA regulated insurer will have ~300 material obligations, underwriting agencies & TPAs ~130 & insurance brokers ~80. The obligations register enables a shift in focus from the large number of obligations to 20-40 key controls.
You can’t manage what you don’t know; an obligations register is critical.
Conflict of interest register
Conflicts arise in many situations and are a normal part of conducting business.
Conflicts may arise from:
- family or personal relationships
- other business interests
- gifts & entertainment
- commission & fee arrangements
- related companies
- multiple directorships
- roles within an organisation – operational role v member of a risk committee
Financial service laws require licensees to adequately manage conflicts. This is usually done by disclosing, controlling or avoiding the conflict. The conflict and the signed-off management of the conflict must be recorded in the conflicts register.
Incident & breach register
This register is the lifeblood of your business. People make mistakes, often. A well populated incident & breach register, covering a wide range of incidents, from a wide range of people across the business, is a sure sign of a continuous improvement culture.
Incidents should be raised across all risk categories (refer to the risk register), not just compliance incidents. However, a compliance specialist must review the register to further investigate incidents and be on the lookout for breaches or likely breaches of financial service laws or the Code.
Typically, APRA regulated insurers should be capturing 200-300 incidents per quarter, underwriting agencies & TPAs 50-75 & insurance brokers 40-50. The number of incidents per quarter will be a factor of the nature, complexity & scale of your business.
Complaints register
If an incident & breach register is the ‘voice of your people’, then a complaints register is the ‘voice of your customers’.
Your people need to adopt a conservative approach and raise anything that potentially looks like/feels like/sounds like, a complaint. An IDR person with appropriate skills can then review the data in terms of RG 271 and Code obligations.
A well-maintained & current complaints register facilitates IDR data reporting to ASIC and identifies the status of all complaints at a glance. The complaints register also enables complaints data to be interrogated and root-cause analysis, themes, insights & impacts to be reported to the board, senior management & the Risk & Compliance Committee.
Training register
Financial service laws require AFS Licensees to maintain a training register.
The register must contain evidence of training covering:
- financial service laws;
- Code; and
- the firm’s products & services.
Typically, firms adopt CPD or CIP methodology; however, the key is that after 6 months most people should have completed 50% of their training requirements.
Having trained and competent representatives (employees, ARs & others providing financial services on your behalf) is an AFS Licence general obligation. A training register (with relevant content) provides evidence of compliance.
Material Service Provider register
APRA-regulated insurers must identify and maintain a register of their material service providers and manage the material risks associated with using these providers. Material service providers are those on which the insurer relies to undertake a critical operation or that expose it to material operational risk. Material arrangements are those on which the insurer relies to undertake a critical operation or that expose it to material operational risk.
APRA has provided a template register. An APRA-regulated insurer must submit its register of material service providers to APRA on an annual basis.
Underwriting agencies, TPAs and other suppliers of services to APRA-regulated insurers should consider maintaining their own service supplier registers as a means of managing outsourcing risk.
Attestations
Registers should be updated in a timely fashion; often ‘time is of the essence’, especially in respect of incidents, breaches, complaints and certain risks & conflicts.
Registers should be updated immediately; however, a monthly attestation from all your people and authorised representatives (& material service providers) provides a great safety net. Attestations give people the opportunity, in a quiet moment, to reflect upon the prior month and ensure that they have raised and declared all incidents, complaints, training, conflicts and any other issues.
Attestations are only as good as the culture of the firm in understanding their importance and how they are implemented.
Ask yourself these questions:
- do your people understand their critical role as an early warning system?
- do your people understand how compliance protects and the importance of attestations in being part of this protection?
- are there consequences when something was detected at a later date that should have been self-reported and raised immediately, or failing that, in an attestation?
- is there evidence of people taking the time to complete attestations or do people complete attestations within 5 minutes of receipt or continually provide blank attestations?
Compliance assistance
If you need assistance with implementing your compliance registers or attestations please reach out to me.
It may be timely to have an independent compliance review conducted of your compliance arrangements. My compliance reviews ensure that your arrangements are producing adequate data for the board, senior management & Risk & Compliance Committee. I can provide support with a top-down risk and compliance review of your business.
I only provide compliance specialist services to the General Insurance industry. I therefore have deep knowledge of the GI sector and its compliance, risk & regulatory requirements.
My clients include APRA regulated insurers, licensed underwriting agencies, TPAs, insurance brokers and other material service providers.