The benefits of mapping key insurance processes to manage the risk of disruption to your business

The white noise associated with APRA Prudential Standard CPS 230 in connection with material service providers has tended to distract from the benefits of CPS 230. It should be remembered that CPS 230 is an amalgamation of 2 existing prudential standards: CPS 231 Outsourcing and CPS 232 Business Continuity Management. With effect from July 2025, outsourcing and business continuity management for general insurers will be governed by CPS 230.

CPS 230 requirements only apply to General Insurers who are authorised by APRA under section 12 of the Insurance Act. However, CPS 230 and the associated Prudential Practice Guide CPG 230 (PPG CPG 230) provide very useful guidance and information for anyone operating a business in general insurance, including Underwriting Agencies, TPAs, Insurance Brokers and service providers. It should be remembered that holders of an AFS Licence must have adequate risk management systems. Business continuity and outsourcing are a critical part of risk management.

Process mapping material business processes

APRA expects that, in implementing CPS 230, a prudent general insurer would start with the identification of its critical operations. A general insurer would (see paragraph 2 PPG CPG 230):
a) identify its critical operations (note that claims processing is a deemed critical business operation for an insurer; however, any other critical operation must also be identified);
b) set tolerance levels for disruption of these critical operations; and
c) identify the processes and resources needed to deliver these critical operations, including material service providers.

Identification of critical (or material) business operations is a very sensible starting point.

Business continuity steps

As mentioned, business continuity does not only apply to general insurers; it is relevant for Underwriting Agencies, TPAs, Insurance brokers and anyone providing general insurance products or services.

Here are some simple steps to get you started:
– Identify, at an enterprise level, material business activities such as distribution, underwriting, claims, broking, complaints, information management, marketing etc.
– For each of the material business activities, map out the end-to-end 5-10 key sub-activities that, combined, enable the material business activity to be delivered. As an example, think about the end-to-end process for claims: FNOL, assessment, claim decision etc.
– Consider each of the sub-activities in terms of people, IT, process, outsourcing & information (collectively, resources). This provides a matrix of sub-activities x resources needed to deliver your material business activities. This information alone provides very useful insights into managing your business and business risks.
– Consider the tolerance level for each of the sub-activities in the event of a disruption to any of the identified resources. Tolerances should be set based on (refer PPG 230 paragraph 32):
  – the impact on customers and other stakeholders of a disruption;
  – the financial and reputational impact on your business from a prolonged or material disruption;
  – the financial and reputational impact on the broader financial system, including any flow-on effects or contagion;
  – legal or regulatory requirements; and
  – recovery objectives.
– Factors to consider when setting tolerances include (refer Table 4 PPG CPG 230): (i) the maximum allowable disruption period; (ii) the minimum […]

Returning to work – kick-starting compliance in general insurance

Compliance never sleeps; however, it may slow down while we take a well-deserved break. How do you kick-start compliance to ensure that compliance is protecting what matters – your business, people, customers, business partners and other key stakeholders? There are a few simple steps that you should take.

Incidents are a critical source of information, including as an early-warning system for potential breaches. It’s important that staff, authorised representatives and material service providers are reminded of their obligations to raise and report incidents. This could be as simple as an email with a FAQ, checklist, link to the incident management system etc, and through leader-led team meetings.

Complaints go hand-in-hand with incidents as a critical source of information and business continual improvement, in addition to meeting obligations under RG 271 and the Code. A quick refresher to staff and representatives, in combination with incidents, is all that is needed to get complaints back to front-of-mind.

Storm season – most teams are returning to full resourcing during the middle of storm season in Australia, therefore transitioning back to a sense of heightened alert is critical. A reminder of event plans at a team morning tea is a great refresher to shift minds from holiday mode to event readiness mode. This includes IDR teams and service providers.

Regulatory change projects – it’s likely that CPS 230, Privacy Act amendments and other regulatory changes were paused over the break. It’s time to reignite the projects and enthuse the teams. A workshop to recap the purpose, the plan & timeframe, the successes achieved to date and what lies ahead is an awesome way to get the wheels of the project team spinning again and moving the project ahead with a sense of urgency.

Monitoring of internal teams, authorised representatives, material service providers and any other person providing insurance services or products on your behalf is essential to ensure that obligations are being met and that compliance measures are operating effectively to protect the business & customers. January is a great time to revisit your Monitoring program and pause to reflect on its effectiveness in meeting AFSL, Code and upcoming CPS 230 requirements. Don’t have a Monitoring Program? January is also a great time to develop and implement a tailored monitoring program (contact me for assistance).

ASIC IDR data reporting – it’s time to submit an IDR report to ASIC for the reporting period 1 July to 31 December. A two-month submission window is now open and closes at the end of February. Failure to report IDR data is a reportable situation to ASIC. Contact me for assistance or read more about your IDR data reporting obligations here.

Training – if you are half-way through your financial year or at the end of your calendar year, it’s nevertheless a good time to review how your staff are progressing with their training. It’s mandatory for AFS Licensees to maintain a training register, so it should be a relatively easy exercise to see who is lagging and needs a gentle reminder about the importance of […]

The general obligations of an AFS Licensee in General Insurance

Financial services relevant for general insurance are: providing financial product advice; dealing in a financial product; and providing a claims handling and settling service.

Section 912A(1) Corporations Act (also refer RG 104) sets out the general obligations that an AFS licensee in general insurance must comply with:

(a) A licensee must do all things necessary to ensure that the financial services covered by the licence are provided efficiently, honestly and fairly. This is a broad and overarching obligation. Generally speaking, an insurer who fails to act with the utmost good faith (under the Insurance Contracts Act) would also have failed to provide the financial services efficiently, honestly and fairly. Subscribing to and complying with the standards and timeframes of the General Insurance Code of Practice or Insurance Brokers Code of Practice is typically a strong indicator of a commitment to providing the financial services efficiently, honestly and fairly (refer ASIC INFO 253).

(aa) A licensee must have in place adequate arrangements for the management of conflicts of interest that may arise wholly, or partially, in relation to activities undertaken by the licensee or a representative of the licensee in the provision of financial services as part of the financial services business of the licensee or the representative. The 3 ways to manage conflicts are (refer RG 181):
– disclosing the conflict;
– managing the conflict through controls; and/or
– avoiding the conflict.

(b) A licensee must comply with the conditions on the licence.

(c) A licensee must comply with the financial services laws. These laws include:
– Corporations Act
– ASIC Act
– Insurance Contracts Act
– Insurance Act (plus a number of other Acts applying specifically to general insurers)
– Privacy Act

(ca) A licensee must take reasonable steps to ensure that its representatives comply with the financial services laws. Representatives include employees or directors of the licensee or of a related body corporate of the licensee, authorised representatives and any other person acting on behalf of the licensee. This is often referred to as the ‘monitoring obligation’ and should be incorporated in a Monitoring program that also includes CPS 230 (for general insurers, in the context of material service providers) and, under the GI Code & Brokers Code, responsibilities for the conduct of employees, authorised representatives, distributors and service suppliers.

(d) A licensee must have available adequate resources (including financial (refer RG 166), technological and human resources (refer RG 104)) to provide the financial services covered by the licence and to carry out supervisory arrangements. Note that this requirement does not apply to APRA regulated insurers. General insurers authorised under section 12 of the Insurance Act (including foreign general insurers) must comply with APRA Prudential Standards such as CPS 220, CPS 230 and CPS 234, while Lloyds underwriters (authorised under section 93 of the Insurance Act) must comply with the FCA UK Prudential Standards.

(e) A licensee must maintain the competence to provide those financial services. This obligation requires that the licensee must have sufficient Responsible Managers […]

ASIC & authorised representatives – lessons for Insurance Brokers

ASIC’s investigation into Sanlam Private Wealth Pty Ltd (Sanlam) uncovered concerns that the AFS licensee had breached its general obligations, including by failing to adequately supervise its many authorised representatives and corporate authorised representatives (ASIC Media Release MR 24-290).

ASIC Deputy Chair Sarah Court said, ‘At one point, Sanlam had 42 CARs and 71 authorised representatives operating under its licence. Despite this, it had plainly inadequate resources and processes to ensure its diverse cohort of authorised entities complied with the law and to oversee those who used its licence to offer risky financial products to retail clients.

‘Licensees like Sanlam must have robust compliance processes that are fit-for-purpose to ensure that those who operate under their licence comply with the law and don’t place Australian investors at risk.’

Sanlam admitted to breaching its licensee obligations and provided a court enforceable undertaking to ASIC. Under section 93AA of the ASIC Act, Sanlam has offered, and ASIC has agreed to accept as an alternative to pursuing civil penalty proceedings, the undertakings.

Insurance brokers

Insurance brokers often use a network of authorised representatives as a viable business model. An insurance broker, as an AFS licensee, must monitor its authorised representatives and ensure they comply with financial service laws & are trained & competent. Additionally, under the NIBA Code of Practice, brokers must ensure authorised representatives comply with the Code.

The undertakings to ASIC in the Sanlam case provide some useful insights for insurance brokers:
– Due diligence must be undertaken, and continue on an ongoing basis, to review the ARs’ suitability to operate under the broker’s AFSL;
– A formalised & systematic review process must be implemented to assess whether employees and ARs are complying with financial service laws;
– Informal processes and self-reporting by ARs, of itself, is not adequate as a supervisory mechanism;
– Brokers must have adequate human resources directed to risk management or overseeing an effective review programme to monitor ARs (my observation – the ‘adequacy of human resources’ should be included as a standing agenda item for the broker’s Risk & Compliance Committee);
– Brokers should develop a human resourcing plan consistent with their current and future needs;
– Brokers should have an adequate, documented succession plan when heavily dependent on 1 or 2 people, and especially when a ‘key person requirement’ condition is included on their licence;
– Brokers must have an adequate number of Responsible Managers for the number and breadth of ARs, and those RMs must devote sufficient time to effectively discharge their duties as a responsible manager;
– Brokers must also adequately document and implement processes to ensure they have the appropriate number of suitably qualified RMs having regard to the financial services provided, the complexity of those services, as well as the number and breadth of ARs authorised. There also needs to be an adequate and structured process to assess the ongoing suitability of its RMs (my observation – the ‘suitability of responsible managers’ should be included as a standing agenda item for the broker’s Risk & Compliance Committee);
– Brokers must implement a […]

Paul’s 10 ‘Rules of thumb’ for General Insurance compliance

Compliance in General Insurance can be complex. Over the years I have developed Paul’s ‘Rules of Thumb’ to assist in simplifying compliance for my clients. Naturally, when considering compliance arrangements the complete obligation needs to be considered; however, the following can be adopted by front-end staff as a mantra.

1. Start with Codes – when designing compliance arrangements, start with the GI Code and/or Insurance Brokers Code. Codes go beyond the law and are customer friendly; the end result is a more dynamic and customer-experience-based compliance approach. It is still necessary to bring in financial service laws, however starting with Codes assists in developing a customer-centric approach to compliance.
2. Align disclosures with the customer experience – aligned with Rule of Thumb 1, General Advice Warnings, FSG, PDS and many other obligations for Retail Clients have timing requirements (when to provide the notice or warning). Aligning these compliance requirements with the customer sales experience provides a more meaningful & contextual approach for front-end staff.
3. APRA or ASIC – APRA is primarily focused on policyholder protection (carrying on insurance business in Australia) while ASIC is primarily concerned with consumer protection (carrying on a financial services business in Australia).
4. Advice – when a sales person or distributor or broker or underwriter talks to a client/customer, assume they are providing advice.
5. Cash Settlement Fact Sheet (CSFS) – if a PDS has been provided to a client, & that PDS states that claim settlement options include repair or replace, a CSFS will be required to be provided when settlement is to be via a cash settlement.
6. An incident is where something has happened that wasn’t supposed to happen. The intention is for front-end staff to report as many incidents as possible. A trained person can then filter/triage as necessary.
7. A complaint is where a customer is not satisfied with an outcome. The intention is for front-end staff to report as many complaints as possible. A trained person can then filter/triage as necessary.
8. Commissions are an inherent conflict of interest, and must be managed accordingly through disclosure, control(s) or avoidance.
9. Financial Service laws are technology-neutral; the obligation applies irrespective of whether performed by a human or technology (including AI).
10. If in [compliance] doubt, speak to Paul.

The key theme from my ‘Rules of Thumb’ is to create simple, meaningful messages for front-end staff as a quick reminder of important compliance obligations. Engaging with customers and clients can be challenging, with complex problems requiring a solution. Simple tips and messaging enable compliance to be part of the solution.

Using AI ‘efficiently, honestly and fairly’ in insurance claims

ASIC Report 798, Beware the gap: Governance arrangements in the face of AI innovation, identified the most common uses of AI for insurance claims as:
– Supporting the claims process: claims triaging, decision engines to support claims staff, document indexation, identifying claims for cost recovery; and
– Automating a component of the claims decisioning process, but humans remain responsible for the overall claims decision.

and emerging uses as:
– The use of generative AI and natural language processing techniques to extract and summarise key information from claims, emails and other key documents.

Financial service laws are technology neutral; therefore, when providing claims handling and settling services using AI, the general obligation to provide those services ‘efficiently, honestly and fairly’ remains.

Providing claims handling and settling efficiently, honestly and fairly

ASIC INFO 253 provides guidance on providing claims handling and settling efficiently, honestly and fairly. To satisfy this obligation, you will generally need to handle and settle insurance claims:
– in a timely way;
– in the least onerous and intrusive way possible;
– fairly and transparently; and
– in a way that supports consumers, particularly ones who are experiencing vulnerability or financial hardship.

Australia’s AI Ethics Principles

The incorporation of the eight Australian AI Ethics Principles in AI policies and procedures is supported by ASIC, and they should be used when adopting AI in claims processing. The 8 AI Ethics Principles are:
– Human, societal and environmental wellbeing: AI systems should benefit individuals, society and the environment.
– Human-centred values: AI systems should respect human rights, diversity, and the autonomy of individuals.
– Fairness: AI systems should be inclusive and accessible, and should not involve or result in unfair discrimination against individuals, communities or groups.
– Privacy protection and security: AI systems should respect and uphold privacy rights and data protection, and ensure the security of data.
– Reliability and safety: AI systems should reliably operate in accordance with their intended purpose.
– Transparency and explainability: There should be transparency and responsible disclosure so people can understand when they are being significantly impacted by AI, and can find out when an AI system is engaging with them.
– Contestability: When an AI system significantly impacts a person, community, group or environment, there should be a timely process to allow people to challenge the use or outcomes of the AI system.
– Accountability: People responsible for the different phases of the AI system lifecycle should be identifiable and accountable for the outcomes of the AI systems, and human oversight of AI systems should be enabled.

Licensees must consider their existing regulatory obligations

What licensees need to do to comply with their existing regulatory obligations when using AI depends on the nature, scale and complexity of their business. It also depends on the strength of their existing risk management and governance practices. This means there is no one-size-fits-all approach for the responsible use of AI. (ASIC REP 798)

ASIC provides the following examples in REP 798: Licensees must do all things necessary to ensure that financial services or credit services are provided in a way that meets all of […]

CPS 230 readiness for General Insurance

Much has been said and written about CPS 230; however, the time for talking and planning is rapidly coming to an end (& has probably passed for the large insurers). It’s time for implementation!

Debunking the CPS 230 myths

There continues to be some misinformation circulating about CPS 230, what it is and what it isn’t. Let’s deal with these first. What are the facts?

– CPS 230 (i) only applies as an obligation for insurers & (ii) only for those authorised by APRA under section 12 of the Insurance Act 1973 (Act); this means CPS 230 applies to general insurers in Australia, including foreign general insurers, and does not apply to Lloyds underwriters. Lloyds underwriters are authorised under section 93 of the Act and do not come within the definition of General Insurers (s11 of the Act).
– Lloyds underwriters (and Coverholders) do not get a ‘free ride’. FCA UK Operational resilience rules come into effect in the UK in March 2025. Also refer to Lloyds Principle 12 Operational Resilience. The FCA rules are similar to CPS 230.
– CPS 230 compliance is not a complex technical issue per se. Much should already exist. It’s a resourcing issue, especially the work around critical operations, process mapping, controls testing, material service providers and updating existing or creating new risk artefacts. A risk person within the CRO team of an APRA regulated insurer would be very familiar with the key CPS 230 requirements: operational risk, tolerance levels, critical operations (& disruption thereof), outsourcing, business continuity, risk profile, control testing and scenarios.
– Service providers do not have any obligations under CPS 230. CPS 230 is the insurer’s responsibility. The obligations for service providers manifest when they perform critical operations for the insurer (for general insurance this is claim processing) or expose the insurer to material operational risk (at a minimum, for general insurance unless justified otherwise: underwriting, claims management, insurance brokerage and reinsurance). The Service Provider obligations would be reflected in the Binder Agreement and/or Service Provider Agreement as obligations imposed on the Service Provider by the insurer.
– Non-compliance with CPS 230 does have significant consequences. Section 38AA of the Act requires insurers to notify APRA of certain matters. These include immediate notification of a breach of a Prudential Standard that relates to financial obligations the general insurer has to its policyholders or to the general insurer’s minimum capital requirements, & for other breaches of a Prudential Standard, notification within 10 Business Days where the breach is significant within the meaning of s 38AA(5).

What should insurers be doing?

As I mentioned earlier, compliance with CPS 230 requires some ‘risk-thinking’ [within risk appetite]. However, CPS 230 is more of a resource and project management challenge. There are a number of risk ‘task-based’ activities that insurers should be doing now:
– identify critical operations;
– set tolerance levels;
– process mapping – identify the processes and resources needed to deliver these critical operations, including material service providers;
– updating risk artefacts: RMF, Operational risk profiles, BCP, controls and control testing including scenario […]

How healthy are your Compliance arrangements – it’s time to review your registers

A great indicator of the health of your compliance arrangements is the quantity and quality of data in your compliance registers. No data or limited data could indicate issues with your people and/or authorised representatives and the adequacy and effectiveness of your compliance arrangements. So what registers should you have and what should you expect to see?

Risk register

The risk register should include the 10-15 risks that could seriously impact your business operations. They should cover (as relevant) strategic risk, reputational risk, financial risk, people risk, legal risk, regulatory risk, compliance risk, conduct risk, technology risk, data risk and change management risk. The risk register should include accountability, key controls, control testing & action plans to close out any gaps arising from control testing. The risk register (plus all other registers) should be a standing agenda item at your quarterly Risk & Compliance Committee meeting, where control testing outcomes, action plans, the internal & external business environment and emerging risks are discussed.

Obligations register

This register is similar to the risk register but manages your compliance obligations. The register can be a stand-alone register or, for most underwriting agencies, TPAs and insurance brokers, included as part of your Risk & Compliance Manual. The register should capture AFS Licence obligations, financial service laws (including Prudential Standards for insurers), industry Codes & obligations arising from binder & other agreements. Typically an APRA regulated insurer will have ~300 material obligations, underwriting agencies & TPAs ~130 & insurance brokers ~80. The obligations register enables a shift in focus from the large number of obligations to 20-40 key controls. You can’t manage what you don’t know; an obligations register is critical.

Conflict of interest register

Conflicts arise in many situations and are a normal part of conducting business. Conflicts may arise from:
– family or personal relationships
– other business interests
– gifts & entertainment
– commission & fee arrangements
– related companies
– multiple directorships
– roles within an organisation – operational role v member of a risk committee

Financial service laws require licensees to adequately manage conflicts. This is usually by disclosure, controlling or avoiding. The conflict and the signed-off management of the conflict must be recorded in the conflicts register.

Incident & breach register

This register is the lifeblood of your business. People make mistakes, often. A well-populated incident & breach register, covering a wide range of incidents from a wide range of people across the business, is a sure sign of a continuous improvement culture. Incidents should be raised across all risk categories (refer risk register), not just compliance incidents. However, a compliance specialist must review the register to further investigate incidents & be on the lookout for breaches or likely breaches of financial service laws or Code. Typically, APRA regulated insurers should be capturing 200-300 incidents per quarter, Underwriting agencies & TPAs 50-75 & insurance brokers 40-50. The number of incidents per quarter will be a factor of the nature, complexity & scale of your business.

Complaints register

If an incident […]

The importance of compliance training in General Insurance

The obligation to have trained, competent and experienced employees arises from many different sources of obligations:
– AFS Licence general obligations: employees must be trained & competent and comply with financial services laws. These laws include financial service obligations in the Corporations Act, misleading & deceptive conduct & Unfair Contract Terms in the ASIC Act, APRA Prudential Standards including CPS 230 & 234, Insurance Contracts Act and Privacy Act;
– A person providing financial product advice must have RG 146 training. Tier 2 is sufficient for general insurance products unless the person provides product advice for sickness and accident insurance;
– Responsible Managers, Directors & Officers, Accountable Persons and Fit & Proper People should receive specific training based upon the requirements of each regulatory role;
– Under the GI Code of Practice, a requirement that employees, Distributors and Claim Service Suppliers are trained to provide their services competently. In addition, it’s a GI Code obligation to ensure employees are trained in respect of supporting customers experiencing vulnerability. This will most likely include trauma-based training going forward;
– Under the Insurance Brokers Code of Practice, a professional commitment that employees maintain & improve competency through relevant qualifications, continued education & training. Also, Insurance Brokers under the Code must ensure that their employees, Authorised Representatives and agents receive appropriate education and training.

ANZIIF CIP and NIBA CPD points

A number of organisations use ANZIIF & NIBA methodology and points as evidence of compliance with the various training obligations. This is a great start; however, ANZIIF & NIBA points are part of the membership requirements for those industry bodies. By themselves, they may not meet the various regulatory obligations.

Firms within General Insurance must stipulate specific training

A requirement to annually achieve 20/25 hours of training for CIP or CPD purposes is a good starting point; however, in order to meet the various training obligations, the training must be specific enough to meet each individual obligation. For example, a firm may mandate that employees must successfully complete 25 hours of training per year, allocated as follows:
– 7 hours for financial service laws
– An additional 3 hours for regulatory roles (responsible managers etc)
– 5 hours for the relevant GI or Insurance Brokers Code of Practice
– 3 hours on supporting customers experiencing vulnerability
– 5 hours on the products and services provided by the firm.

The remaining hours can be left to the choice of the employee, noting that ’25 hours’ is not a magical competency figure. Competency is both a subjective and objective test. Some employees, due to the complexity of their role or their inexperience, may require additional hours beyond mandatory requirements. The point is that general insurance firms must mandate the nature, quality and quantity of training to be undertaken in order to meet the various regulatory & Code obligations.

Additional obligations

It is a regulatory requirement that training must be recorded in a training register. This provides evidence of meeting the AFSL general obligation; therefore the register should be maintained and current. Training should be provided during induction […]

ASIC sues Cbus alleging systemic claims handling failures – lessons for General Insurance

More than 10,000 members and claimants of the Construction and Building Unions Superannuation Fund (Cbus) were impacted by death benefits and total and permanent disability (TPD) insurance claims taking more than 90 days to be processed, according to allegations contained in documents lodged by ASIC in the Federal Court (Media Release 24-251MR).

ASIC alleges that Cbus may have contravened the following provisions of the Corporations Act:
– ss 912A(1)(a) & (5A) by failing to act efficiently, honestly and fairly in the handling of its members’ claims for death benefit payments and TPD insurance payments;
– section 912DAA(1) and (7) for failing to lodge a reportable situation report within 30 days of becoming aware of a reportable situation; and
– section 1308(5) for failing to take reasonable steps to ensure the breach report lodged on 5 August 2023 was not false or misleading in a material particular.

ASIC is seeking penalties, declarations, adverse publicity orders and orders for compliance matters to be implemented.

What does this mean for General Insurance claims handling?

There are 3 takeaways:
– providing claims handling efficiently, honestly & fairly;
– adequate resourcing & adequately trained staff; and
– failure to take appropriate action.

Providing claims handling efficiently, honestly and fairly

As set out in ASIC INFO 253, ASIC considers that timeliness is a critical component of meeting the AFSL general obligation to provide claims handling & settling services efficiently, honestly & fairly. ASIC also considers that industry Code timeframes are useful indicators of what industry considers to be appropriate standards. In the Cbus matter, ASIC alleges that Cbus management had received reports from their outsourced material service provider that very large numbers of death & TPD claims were (1) older than 90 days & (2) even older than 365 days. Notwithstanding this data, the Board committees did not suggest any cause for alarm.

Takeaway: General Insurers, Underwriting Agencies and their claim service suppliers must not only monitor timeframes under the GI Code of Practice but also take appropriate action when data shows that timeframes are consistently not being met.

Adequate resourcing & adequately trained staff

ASIC alleges that the Cbus Risk Committee was aware that the material service provider had significant staff turnover & that the provider’s claims processing staff were not adequately trained. ASIC further alleges that Cbus failed to implement or adequately implement measures that would address the delays in processing death and TPD benefit claims.

Insurers were on notice from ASIC

ASIC wrote to insurers on 6 March 2024, ‘Obligations of general insurers: Insurance claims and severe weather events’. In that letter, ASIC set out their expectations of insurers, including: ‘Insurers are required to sufficiently resource claims handling and dispute resolution functions, and ensure staff are adequately trained.’ This is a general obligation for AFSL holders. Relevantly, ASIC also advised insurers: ‘our message is that ASIC is watching how insurers support their customers very closely. Evidence of significant misconduct identified through these channels may result in enforcement action.’

Takeaway: General Insurers, Underwriting Agencies and their claim service suppliers such […]

Adequate risk management systems for Underwriting Agencies enabling them to meet Insurers’ CPS 230 requirements

The requirement of CPS 230 for general insurers is that they must effectively manage operational risks, maintain critical operations through disruptions, and manage the risks arising from service providers. It’s the latter requirement that has caused recent tension, with APRA expressing concern with Insurers’ use of Underwriting Agencies, reminding insurers that they can outsource critical underwriting & claims functions, but not accountability.

Underwriting Agencies as an AFS Licensee

It’s all well & good for insurers to impose their requirements on agencies (& rightly so, to a degree); however, among all this, it should be remembered that an Agency who holds an AFSL must comply with its obligations or face severe consequences including reputational harm & civil penalties. Somewhat ironically, this may potentially also ‘severely disrupt’ the insurer’s operations.

An Agency holding an AFSL must have adequate risk management systems. The requirement for risk management systems ensures that agencies explicitly identify the risks they face and have measures in place to keep those risks to an acceptable minimum. This requirement sounds remarkably similar to the CPS 230 requirement on insurers. Therein lies the answer (lightbulb moment – I feel like a ‘tahdah’ is warranted at this point): the insurer meets its CPS 230 requirement to manage the risks arising from material service providers, and the agency meets its AFSL obligation to have an adequate risk management system & manage its own risks.

ASIC (in RG 104) states that a licensee’s risk management systems will depend on the nature, scale and complexity of its business and risk profile. ASIC also states that the licensee’s risk management systems will need to adapt as their business develops and business risk profile changes over time. This would include enhancing the agency’s risk management system to enable it to meet the risk of their binder agreement being terminated.

Taking a step back, an insurer would eventually terminate the agency’s binder agreement if they presented an unmanageable CPS 230 risk (or any risk for that matter, including in respect of CPS 234 Information Security).

What does an adequate risk management system look like for an insurance Underwriting Agency?

The risk management system must not only cover the risks of the Agency but also any of its representatives (such as authorised reps or distributors acting under an ASIC instrument).

Risk management components:
– A risk identification (risk profiling) brainstorming session including relevant stakeholders (potentially the insurer(s)) assists in identifying material risks to the business; to ensure nothing is missed, risks are categorised. CPS 230 provides assistance, defining operational risk as legal risk, regulatory risk, compliance risk, conduct risk, technology risk, data risk and change management risk. To this you would add strategic/reputational risk and financial risk.
– Risk appetite statement (RAS) – a board/senior management approved RAS is critical to define the amount of risk the Underwriting Agency is willing to accept in pursuit of its objectives, expressed against each risk category. This can be a simple 1-pager for a typical Underwriting Agency.
– Risks should be recorded in […]

The benefits of having a tailored Risk & Compliance Manual for your insurance business

One of the compliance services that I provide is a fit-for-purpose & tailored risk & compliance manual. All manuals are personally designed by me.

The benefits
– governance, risk & compliance is maintained in a single place (~30-40 pages)
– documented evidence of your arrangements that can be easily shared with others. This is particularly useful for CPS 230 & FAR when dealing with APRA regulated insurers
– the manual is an accessible learning tool for your staff
– at a glance you can view your key controls
– the manual provides you with an operating rhythm for risk & compliance

The features
– your manual is crafted based on what you do. If you are a Licensee, Auth Rep, Code subscriber, Lloyds coverholder etc, your manual talks about the uniqueness of your business based upon the nature & scope of what you do & how you do it
– the manual is a source of staff training. Written in plain English, the manual provides easy-to-understand & concise guidance. Sources of law, Code & regulatory guidance are included as footnotes for when you need to know a little bit more. If something does not apply to your business, it’s not included. This reduces complexity, uncertainty & confusion.
– the manual includes the context for each obligation & incorporates your key controls. This joins the dots for your people, key stakeholders & partners in understanding how your control environment manages your obligations.
– the manual provides an operating rhythm for: a) governance including oversight by your board/senior management & your risk & compliance committee; b) roles & responsibilities; c) risk management process; d) licence management; e) control testing; f) monitoring of your people, Auth Reps & material service providers; g) incident management & breach reporting; h) dealing with regulatory change.
– the Manual reflects your business. It’s branded with your Corporate logo & colours; it talks about your AFS Licence or your Auth Rep scope, your AFCA responsibilities, your obligations under Code, your obligations as a member of a group network or industry body. If you are a Steadfast broker & use CCX 360, the manual includes that. If you are a Lloyds coverholder, the manual includes Lloyds market bulletins. If you have a binder, the manual includes your key binder obligations. If you are a material service provider, the manual assists in managing the expectations of your partners.

Assurance

Importantly, your Risk & Compliance Manual provides assurance of the adequacy of your compliance arrangements to your key stakeholders. The Manual clearly shows: the sources of your obligations => your obligations => your key controls.

If you are interested in understanding how a tailored, fit-for-purpose Risk & Compliance Manual can benefit your business, contact me.

What does good compliance leadership look like?

I have worked with more than 175 firms in general insurance, providing compliance assistance. I’ve found that the best leaders consistently possess certain fundamental qualities & skills when viewed through a compliance lens.

How do you compare against these 10 compliance leadership attributes?

1. Don’t defer accountability
Good leaders don’t say ‘compliance is someone else’s job’. They own responsibility for compliance in their business area & are accountable & take ownership for control breakdowns, issues & breaches & resultant customer remediation.

2. Protect your team members
They protect the careers of their team members. They ensure that compliance arrangements provide a safe environment for team members to perform their work. Good leaders make staff aware of their compliance obligations through training &, consistently, through team meetings. Good leaders protect team members from the team members’ ‘compliance ignorance’ through adopting standard operating procedures, implementing sales, underwriting & claims guidelines & through documented business practices, systems & ongoing training.

3. Create a safe environment
Leaders create a safe environment for team members to self-report incidents, breaches & complaints quickly. They accept that team members are human & make mistakes. They are fair & equitable in their responses to compliance incidents. They remain calm & focused on facts when presented with potential customer or business harm arising from something going wrong within their team. They remain focused on remediation & rectification and not retribution.

4. Be informed and aware of industry compliance happenings
Leaders stay on top of compliance change; they are curious & seek to understand how upcoming changes (such as CPS 230, FAR, Code review, flood inquiry) may impact their area of accountability & risk profile. They seek out the advice & counsel of compliance & legal specialists to fully understand the impacts of regulatory (& Code) change. They openly discuss with their team news headlines (commission payments, premium affordability & availability) even when those conversations may be difficult due to potential business impacts.

5. Obtain data for your area of responsibility
They obtain data (incidents, breaches, complaints, control testing, QA etc) to inform them of the adequacy of compliance arrangements for their area of accountability. They drill down & ask questions, including when there is a lack of data. They compare their area’s data with other business areas from a learning perspective, not from a competition perspective.

6. Walk the talk – attend and embrace your own training
They are mindful of the compliance shadow they cast. Good leaders enthusiastically inform team members about upcoming compliance training the leader is attending & share the outcomes & learnings back with the team. They consistently demonstrate through their actions how compliance protects the business, their team members, customers & business partners.

7. Use compliance issues, breaches and complaints as a learning experience
They use data from their own area together with other business areas to provide learnings & business continuous improvement. They use story-telling from their lived experience to bring compliance to life for the team. They use practical business examples to create […]

The key to successful breach management is to focus on incidents not breaches

Your people are a critical part of your compliance arrangements and serve the purpose of being your early warning system. In addition to employees, this includes Authorised Representatives, Material Service Providers and anyone acting on your behalf to provide your financial services and general insurance products.

Your compliance arrangements provide a safe place to do business. Your compliance arrangements are the (1) governance & frameworks, (2) people & culture, (3) processes & procedures & (4) systems & reporting, that collectively operate together and provide a fortress, protecting what matters – the business & its customers, people, partners & stakeholders.

What is an incident

However, stuff happens and things go wrong. Technically, this means there has been a breakdown in your control environment. When this happens, an incident has escaped from within the safe harbour of your compliance arrangements. The sole purpose of an incident is to cause as much harm and chaos in the shortest time possible. Incidents act stealthily. They lurk in the shadows causing loss, harm and detriment until detected. An incident may or may not be a breach; however, if left undetected it will exponentially grow until it is so big that it has manifested into a breach of obligations/Code or a complaint & become visible to customers and regulators.

It is critical to identify incidents as early as possible. An incident, self-identified & reported on day 1, may cost the business $1,000; 4 years later, the same incident may have matured into a breach & cost $xx million + interest + lost management time + reputational impacts + regulatory enforcement action.

Your people as an early warning system

Your compliance arrangements are the first layer of protecting what matters. Your people are the 2nd layer. Your people vigilantly survey the landscape waiting to identify & self-report when ‘something has happened that shouldn’t have or hasn’t happened that should have’ (the definition of an incident). In this context, incidents are those being self-identified & reported & not incidents discovered through other mechanisms such as quality assurance monitoring, 2nd line oversight, customer complaints or regulatory activity.

The golden rules of incident management
– The quicker an incident is identified & raised, the less likelihood of harm or detriment being caused
– Provide a safe environment to raise incidents
– Be conservative & raise everything
– Look at the root cause and review the control environment
– Use AIRR: Awareness, Identify, Raise, Report

Awareness

Train your people on what an incident is (identify) and what to do when detected (report). Your training should not focus on the 10,000+ laws & Code that govern our industry. Provide examples of what an incident in each area of the business looks like – sales, underwriting, claims, finance, broking etc.

An incident, something has happened that shouldn’t have, is:
– a pool of water on the staff kitchen floor
– my IT system is down for 30 minutes
– I didn’t send out an FSG or PDS
– I haven’t completed my training
– I think I provided the customer some incorrect information […]

APRA’s focus on insurers’ use of Underwriting Agencies – don’t panic!

In a speech to the ICA Annual Conference in Brisbane yesterday, APRA Executive Board member Suzanne Smith said, ‘a focus for APRA over the coming year: [is] the risk associated with outsourced underwriting to agencies.’

Ms Smith continued: ‘Partnering with experts to underwrite hard-to-place risks or to reduce operational and distribution costs can be a strategy. However, it is important to remember that the responsibility for core underwriting decisions always remains with the licensed insurer, as insurance risk and accountability are the very reason why insurers hold licences in the first place. Strong governance practices are crucial here, including robust on-boarding and exit plans, elimination or clear management of conflicts of interest, adequate governance resources, and sound data security. This also extends to scaling operations, such as ramping up claims handling during a crisis. The key takeaway is that while authority can be delegated, the ultimate responsibility remains solely with the insurer.’

The intersection between Prudential Standard CPS 230 & AFS Licence obligations

I asked the question from the floor, ‘how should the dichotomy between the obligations of an APRA regulated insurer in respect of CPS 230 for underwriting agencies be managed, given the independent obligations of an agency holding an AFS Licence?’ Let me answer my own question.

CPS 230 requirements

An APRA-regulated entity must … manage the material risks associated with using [material service] providers. Material service providers are those on which the entity relies to undertake a critical operation or that expose it to material operational risk (paragraph 49 CPS 230). Underwriting Agencies, TPAs (insurance claim managers) & insurance brokers with delegated underwriting authority are deemed to be material service providers, unless the insurer can justify otherwise (paragraph 50). Operational risk is defined to include, but not be limited to, legal risk, regulatory risk, compliance risk, conduct risk, technology risk, data risk and change management risk (paragraph 24).

AFSL requirements

Underwriting agencies (& TPAs & brokers) who hold an AFS Licence have general obligations (refer section 912A(1) Corporations Act) including the obligation to have adequate risk management systems (s 912A(1)(h)). ASIC expects that a Licensee’s risk management system will:
(a) be based on a structured and systematic process that takes into account your obligations under the Corporations Act;
(b) identify and evaluate risks faced by your business, focusing on risks that adversely affect consumers or market integrity (this includes risks of non-compliance with the financial services laws);
(c) establish and maintain controls designed to manage or mitigate those risks; and
(d) fully implement and monitor those controls to ensure they are effective. (refer RG 104.62)

Importantly, ASIC also notes that [the licensee’s] risk management systems will depend on the nature, scale and complexity of their business and their risk profile (my emphasis). They will be different for each licensee. (RG 104.63)

So what does this mean for insurers and their underwriting agencies?

It follows from the above that:
– Underwriting Agencies holding an AFS Licence must have a fit-for-purpose system of managing risk, including operational risk
– Insurers must manage the risk, […]

GI Code of Practice – Independent review: Initial Report

I was honoured to be part of the three-person panel to have undertaken an independent review of the GI Code of Practice, as part of the regular 3-year Code continuous improvement cycle. The panel was chaired by former APRA Deputy Chair Helen Rowell & consumer expert Gerard Brody.

We made 101 recommendations, reflecting the rapid change in consumer standards and expectations since the 2020 Code. The Insurance Council of Australia will undertake a detailed review of the recommendations & engage with members & key stakeholders to prepare a whole-of-industry response in coming weeks.

Some of the recommendations include:
– the expansion of financial hardship support to include people who need help maintaining premium payments
– redrafting of Code language to avoid consumers having to identify as being in vulnerable circumstances to access support
– a broader definition of vulnerability
– a range of protections for customers affected by family violence
– overarching obligation for education & training requirements for employees, distributors & service suppliers, which must include the Code, vulnerability & complaint management
– all parts of the Code applying to small business, adopting the AFCA definition of small business
– a decoupling of the Code from legal definitions of retail client, wholesale client & general insurance products
– insurers having effective systems to monitor the conduct of distributors & service suppliers in respect of Code compliance
– unanticipated additional costs (removal of debris & architectural fees) provided as policy benefits & not as part of sum insured
– meaningful updates on claims progress to be provided every 20 days
– additional requirements for cash settlements
– minimum standards for experts
– an increase in the maximum Community Benefit Payment to $200,000 (indexed annually)
– the Code be incorporated into customer contracts so that they are contractually enforceable

The full report can be accessed from the Code of Practice Review website.

Managing Conflict of Interests in General Insurance

Not adequately managing conflicts of interest (CoI) is a breach of AFS Licence obligations &, in the more serious cases, can lead to individuals being banned or disqualified by ASIC &/or civil/criminal penalties.

What is a conflict of interest in GI?

A CoI occurs when your interests (direct or indirect), or a duty you owe to a person (such as a broker to a client), conflicts, or may reasonably be thought to conflict, with the proper performance of your functions & duties at your company or to the client. A Licensee’s obligations extend to the conduct of employees, Directors & Authorised Reps. I use the term employee; however, the examples also relate to ARs & Directors.

Typical GI examples are:
– an employee is employed by or gains remuneration from a competitor or supplier (such as a claims service supplier)
– an employee receives gifts or entertainment from other companies who the licensee does business with (such as a broker being entertained by an insurer at an event)
– an employee having interests or investments in competitors, customers or suppliers (such as insurers or brokers in underwriting agencies)
– engaging in transactions where a personal relationship exists, such as managing the claim of a family member
– conducting business with a related company
– making use of confidential information, such as an underwriter being advised of a potential M&A for an insured & using that information to trade shares on the ASX (or telling others who then trade)
– bribery, inducements etc, especially where to gain a business advantage
– an employee having multiple roles in the licensee – Director, shareholder, Responsible Manager, CRO etc

Managing conflicts of interest

The 3 mechanisms for managing CoI are:
– disclosing the conflict
– controlling the conflict &
– avoiding the conflict

Disclosure should be clear & transparent & not just hidden in a FSG.

Compliance arrangements

At a minimum, a Licensee should implement:
– due diligence for new employees, companies etc
– a tailored CoI policy (including gifts & entertainment, bribery, insider trading)
– a CoI register
– CoI training
– monthly attestations
– monitoring

Contact me for assistance in reviewing your approach to adequately managing conflicts of interest.

Referral arrangements for general insurance – why they can be a risky strategy

Referral arrangements continue to be a very popular mechanism to promote & distribute insurance products & services. Where a financial service is only a referral, you do not need to hold an AFS Licence.

A typical referral arrangement consists of:
1. informing a person (customer) that a licensee (or its AR) is able to provide a particular financial service; &
2. giving that person the contact details for the licensee or representative.

A simple example is an industry association referring members to an insurance broker or underwriting agency, to meet the insurance needs & requirements of its members. If the referrer receives any benefits for the referral, these must be disclosed to the person by the referrer.

Arranging general insurance

A problem arises when the referrer is doing more than 1 & 2 above. They may also:
– assist the customer to complete a proposal/application form;
– display brochures for the broker or underwriting agency;
– co-brand the on-line quote/marketing tool;
– receive a percentage of the commission; or
– offer premium payment facilities.

Some or a combination of these activities may constitute ‘arranging’. Arranging is a form of dealing & is an AFS licensed activity. Arranging occurs when a person brings into effect the issue, variation, disposal or acquisition of, or application for, a financial product. Conduct may constitute arranging if the ‘referrer’s’ involvement in the chain of events leading to the relevant general insurance transaction was of sufficient importance that without their involvement the transaction would probably not take place. Arranging is a question of fact & requires careful legal analysis.

It is an offence to provide unlicensed financial services. ‘Referring’ is not a financial service; ‘arranging’ is. The line between the 2 can be blurred, with significant consequences.

Managing the compliance risk of referral arrangements

There are a number of steps that should be taken to protect everyone involved in a referral arrangement.
1. Conduct due diligence on your proposed referrer – are they of good standing & character?
2. Obtain legal advice & be aware of the guardrails.
3. Execute a legally binding agreement clearly setting out what the referrer can & can’t do.
4. Understand remuneration & conflicts of interest. Is the payment to the referrer commensurate with the value they are adding?
5. Provide training & support materials to ensure the referrer is aware of & understands the boundaries, the consequences of non-compliance & how to report incidents & complaints.
6. Ongoing monitoring is critical; care must be taken that they don’t morph to ‘arranging’.

ASIC RG 36 provides information on ‘referrals’ & ‘arranging’. Contact me if you have any questions.

Speech by ASIC Chair Joe Longo at the Australian Compliance Institute Annual Conference

17 September 2024

ASIC Chair Joe Longo has provided some great insights talking about the role of the compliance professional. Key points:
– the role of a compliance professional is a critically important one. You are part of the fabric of the business – not only to help your organisation meet its legal obligations, but to help create an ethical culture, where employees act in the best interests of its customers
– It’s the role of the directors of a company to set the tone, establish & lead a culture of compliance. This includes monitoring the arrangements the company has in place to ensure compliance with regulatory obligations. But it’s the compliance professionals who are closer to the nuts & bolts of how the business runs. They actually do the work to support & implement those arrangements.
– An effective regulatory compliance program must reflect the organisation’s key values & ethos – & focus on putting customers at the centre of how the organisation operates.
– A compliance professional is, in essence, a gatekeeper – a trusted adviser to the board, relied on for well-thought-out advice.
– Written policies & procedures provide the framework for compliance. Systems, processes, & technology can be used to underpin & support compliance. But compliance in practice requires a culture of integrity, ethics, & trust.
– What’s needed is an attitude of compliance, based on a curious mind that asks the right questions. Questions like: What are our obligations? What are the risks? How can we manage them? What systems & controls should be in place to ensure we meet our obligations? Is what we are doing both legal & ethical? How can we make sure they’re being followed? Do I have an open line to the board? Am I keeping them informed?
– Your role (as a compliance professional) is to refine the systems & controls, & to call out what’s working & what can be improved. That will enable the board to look ahead to spot the risks, think about how to balance the legal & commercial perspectives, & monitor the compliance arrangements that the company has in place.
– And so, more than ever, you play an influential & strategic role in the boardroom – a role that is critical in ensuring effective compliance.

I’m an Authorised Representative – what are my compliance obligations?

In General Insurance, Authorised Representative (AR) models continue to be popular for Insurance brokers & to a lesser degree for Underwriting Agencies & TPAs.

Appointing & ceasing an Authorised Rep

Sections 916A-F of the Corps Act, as modified by Corps regs 7.6.04AA & 7.6.08, relate to the appointment & cessation of ARs by AFS licensees. Licensees must notify ASIC within 30 business days of the date an authorisation is issued.

Obligations of the Licensee for their ARs

Licensees must ensure that their ARs have, & the ARs must have, compliance measures to:
– provide the financial services efficiently, honestly & fairly
– adequately manage conflicts of interest
– comply with the financial services laws
– have adequate resources (human, IT & financial) to provide the services
– ensure its people are adequately trained & are competent
– have adequate risk management systems
– identify complaints, incidents & breaches & report those to the licensee
– the trust account for client money must be in the name of the Licensee; however, the AR may be involved in directing the money into that account

Obligations of an AR

ARs have independent obligations:
– must not hold out that they have an AFS Licence
– can only sub-authorise individuals with the licensee’s consent
– include its AR number in business documents & website
– provide a copy of its authorisation on request, free of charge, within 10 business days
– provide retail clients with a FSG
– provide a general advice warning when providing general advice
– comply with the hawking prohibition
– when engaging in retail product distribution, comply with TMD requirements
– must not make false statements or engage in dishonest, misleading or deceptive conduct

AR obligations under industry codes

GI Code – Underwriting Agencies or TPAs
– deal with customers in an honest, efficient, fair, transparent & timely manner
– be trained & have relevant expertise
– advise the customer of what they are authorised to do
– notify the insurer of complaints & breaches within 2 business days
– generally comply with the Code

NIBA Brokers Code – Insurance brokers who are ARs
– comply with the Code when acting on behalf of the licensee
– have the expertise, skills & experience to provide the services
– receive appropriate education & training
– be reviewed annually by the Licensee for Code compliance

Compliance services

To assist Licensees & their ARs, I provide the following compliance services: 1) design tailored & fit-for-purpose Monitoring Programs for AFS Licensees; & 2) design tailored & fit-for-purpose compliance arrangements for ARs.

ASIC Corporate Plan 2024-25: priorities for General Insurance

ASIC’s Corporate Plan 2024–25 outlines the projects ASIC will undertake to deliver on their important mandate. ASIC makes a crucial contribution to maintaining Australia’s fair, strong and efficient financial system. The priorities relevant for General Insurance have a focus on claims handling practices, including enforcement actions.

1. Improve consumer outcomes
– undertake a cross-sector surveillance of compliance with the requirements outlined in Regulatory Guide 271 Internal dispute resolution (RG 271).
– In 2024, ASIC will publish observations from the first year of IDR data reported by all firms, while in 2025 ASIC will publish firm-level IDR data.
– take action against insurers in relation to claims handling, especially in relation to home insurance claims.
– take action in response to harmful product design and distribution practices, including conduct that results in consumers receiving unsuitable products.
– monitor general insurers’ improvements to claims handling and engage with the independent review of the 2020 General Insurance Code of Practice.

2. Address financial system climate change risk
ASIC will review how general insurers are handling customer complaints and responding to recommendations from previous reviews about their handling of claims following severe weather events.

3. Advance digital and data resilience and safety
ASIC will continue to monitor how retail financial services use AI and advanced data analytics. ASIC will also assess their risk management and governance processes.

Other key activities
1. ASIC will continue to work closely with APRA to implement the FAR by providing guidance, engaging with industry and developing effective registration and other processes.
2. ASIC will work with the Australian Government to support the introduction of the Regulatory Initiatives Grid (RIG). The RIG will provide industry with information, in a single location and from across multiple agencies, about upcoming reforms and regulatory actions that will materially affect the financial sector.

Insurers take new approach to use of expert reports

A new standard agreed by general insurers will provide additional clarity & certainty for customers when independent expertise is required to help determine a claim. The Expert Report Best Practice Standard has been developed by the Insurance Council of Australia to provide consistency when insurers are using reports by experts such as hydrologists, engineers, builders, or specialist tradespeople. The best practice standard has been developed using feedback provided by consumer advocates and AFCA.

An Expert Report is a report produced by an External Expert as defined in the GI Code of Practice. The ICA will be recommending to the independent Code Review Committee that the Standard is referenced in the next version of the Code to provide additional certainty and rigour around the use of Expert Reports.

The Standard contains the following requirements:

Pre-report commissioning
1. Relevant expertise – prior to an expert report being commissioned, insurers must ensure the expert being briefed is relevant, qualified, & objective.
2. Capacity – the insurer should confirm that for each report commissioned the expert has the capacity to provide an expert report to the highest possible standard.
3. Briefing – the insurer should ensure that the expert has been fully briefed on relevant matters relating to the claim.
4. Advice to customers – the insurer should ensure that the customer is informed about the need to seek an expert report, the intended scope & use of the report, & is provided an opportunity to consider the need to submit any evidence to the insurer or expert in the commissioning process.
5. Exclusions – the insurer should make it clear to the expert exactly what they want the expert to provide an opinion on by including specific questions.

The report itself
Insurers should ensure that reports:
– are neutral & in plain English
– are formatted with conclusions
– consider all relevant matters
– rely only on facts
– provide clear & cogent reasoning
– are clear on whether an opinion is tentative or firm
– identify the cause(s) contributing to the loss
– provide a statement of objectivity
– provide the expert’s qualifications

Use of the report
– the expert report should be considered by claims managers & critically examined
– it should be provided to the customer, & the insurer should explain which parts of the report have been relied on for the claim decision & why
– any statements or opinions outside of the scope or the expert’s expertise should be disregarded

𝐓𝐡𝐞 𝐫𝐨𝐥𝐞 𝐨𝐟 𝐮𝐧𝐝𝐞𝐫𝐰𝐫𝐢𝐭𝐢𝐧𝐠 𝐚𝐠𝐞𝐧𝐜𝐢𝐞𝐬 𝐢𝐧 𝐆𝐈 – 𝐚 𝐜𝐨𝐦𝐩𝐥𝐢𝐚𝐧𝐜𝐞 𝐩𝐞𝐫𝐬𝐩𝐞𝐜𝐭𝐢𝐯𝐞

Underwriting Agencies continue to play an important role in the Australian GI market. Underwriting Agencies (UA) provide specialist skills & services, often filling gaps with niche products. By nature, UA are agile & provide a mechanism for the industry to innovate through technology. UA can also assist in the growth & development of people competencies & skill-sets.

𝘾𝙤𝙢𝙥𝙡𝙞𝙖𝙣𝙘𝙚 𝙘𝙤𝙣𝙨𝙞𝙙𝙚𝙧𝙖𝙩𝙞𝙤𝙣𝙨
UA are a core client segment for me. I provide AFS Licensing, risk & compliance frameworks, training & education together with general compliance advice. There are some unique compliance considerations for UA:
1. A UA may initially focus on underwriting & defer claims to their insurer partner or TPA. This brings benefits by being able to tap into wider expertise; however, it’s important that dedicated claims staff are appointed to manage the UA claims so that the UA market proposition & brand values are not compromised.
2. Complaints. It’s important to triage new complaints to understand whose licence(s) the complaint falls under. If the UA has all AFSL authorisations (advice, issuing & claims) the complaint will be against the UA, & any referral to insurers, claim managers or Lloyd’s Australia (to tap into their skill-set) is done on an outsourced basis.
3. Insurers have various obligations to monitor a UA (under AFSL, Code & CPS 230). This should be through initial due diligence & the ongoing provision of data rather than constantly looking over the shoulder of the UA.
4. UA should push back when insurers try to implement an APRA-regulated risk management system on the UA. UA compliance arrangements must be tailored & based on the nature, scale & complexity of the UA.
5. A UA should be a member of the Underwriting Agencies Council (UAC), ensuring that they have a strong voice at the table to provide input on regulatory change & GI Code issues.
6. Excel spreadsheets & Word docs are more than adequate to manage compliance at smaller UA. Automation & complex risk management practices are a factor of size & should be considered as the UA grows.
7. UA should adopt 3 lines of defence, a risk maturity matrix & risk appetite statements to enable management to better manage risks. However, adopt the principle & tailor it to the size of the UA.
8. Unless large, most UA will default compliance to the COO or similar. It’s critical that business leaders manage compliance, with the COO providing support. Usually the COO will tap into someone like myself for more specialised compliance expertise.

𝑼𝒏𝒊𝒒𝒖𝒆 𝒄𝒐𝒎𝒑𝒍𝒊𝒂𝒏𝒄𝒆 𝒄𝒉𝒂𝒍𝒍𝒆𝒏𝒈𝒆𝒔 𝒇𝒐𝒓 𝑼𝒏𝒅𝒆𝒓𝒘𝒓𝒊𝒕𝒊𝒏𝒈 𝑨𝒈𝒆𝒏𝒄𝒊𝒆𝒔
Underwriting Agencies are a critical part of our General Insurance industry & are very exciting to be part of. However, they present unique compliance challenges that must be understood & managed.

𝗧𝗼𝗽 𝟱 𝗶𝗻𝗳𝗹𝘂𝗲𝗻𝗰𝗲𝘀 𝗼𝗻 𝗰𝗼𝗺𝗽𝗹𝗶𝗮𝗻𝗰𝗲 𝗶𝗻 𝟮𝟬𝟮𝟯 𝗳𝗼𝗿 𝘁𝗵𝗲 𝗶𝗻𝘀𝘂𝗿𝗮𝗻𝗰𝗲 𝗶𝗻𝗱𝘂𝘀𝘁𝗿𝘆

Today’s list covers the top 5 groups that influenced compliance for the insurance industry during 2023.

𝗡𝗼. 𝟱 𝗜𝗻𝘀𝘂𝗿𝗲𝗿𝘀
APRA-regulated insurers make it onto my list due to a number of factors. With substantial resources (particularly the larger insurers), insurers have the internal numbers to implement complex & robust compliance arrangements; this sets expectations & a benchmark for best practice. Given insurers dominate the insurance landscape, especially retail insurance, the focus of regulators & industry bodies is always on Suncorp, IAG, QBE, Allianz, Hollard et al. Insurers in turn drive the compliance measures at MGAs & TPAs. Due to FAR & CPS 230, this will continue into 2024/25, extending to insurance brokers.

𝗡𝗼 𝟰. 𝗜𝗻𝗱𝘂𝘀𝘁𝗿𝘆 𝗯𝗼𝗱𝗶𝗲𝘀
The Insurance Council of Australia, CGC, National Insurance Brokers Association (NIBA) & IBCCC continue to heavily influence & drive compliance positions across the industry. In addition, Insurtech Australia & Underwriting Agencies Council (UAC) have also been leading the way in respect of technology & the emergence of underwriting agencies.

𝗡𝗼 𝟯. 𝗜𝗻𝗱𝘂𝘀𝘁𝗿𝘆 𝗖𝗼𝗱𝗲𝘀
The GI Code of Practice has always been a heavy influence on the compliance programs for insurers (& MGAs & TPAs); however, the Insurance Brokers Code of Practice has been remarkable in driving the compliance focus for insurance brokers. This has been particularly evident for brokers with large Authorised Representative networks.

𝗡𝗼 𝟮. 𝗥𝗲𝗴𝘂𝗹𝗮𝘁𝗼𝗿𝘀
ASIC, the Australian Prudential Regulation Authority &, while technically not a regulator, the Australian Financial Complaints Authority have continued to have a strong influence on compliance across the insurance industry. From taking Federal Court action on pricing promises, to shutting down an insurer & its underwriting agency partners for 24 hours due to a defective TMD, to CPS 230 & AFCA determinations, the regulators continue to set the direction & focus on compliance for the insurance industry.

𝗡𝗼 𝟭 𝗖𝗼𝗺𝗽𝗹𝗶𝗮𝗻𝗰𝗲 𝗣𝗲𝗼𝗽𝗹𝗲 🏆 🥇
The Gold Medal for 2023 in successfully driving compliance goes to the unsung heroes – people, specifically the person(s) within each organisation who drive & champion compliance. The better compliance people manage to find the right balance between compliance & business & focus their efforts on raising internal awareness, training & education. The Compliance Champions for 2023 and the top influencers on Compliance within the Insurance industry for 2023 are our wonderful compliance people.

Tidying up after a busy June: a compliance perspective

Insurance brokers – you’ve had a hectic June but feel satisfied because you assisted so many clients. There is an alarming amount of paperwork that you need to clear & you’re desperately trying to remember all the compliance stuff that you’re supposed to do. I’m not condoning non-compliance; however, you have a small window to rectify. We are only human after all & we all make mistakes. Don’t forget to raise any non-compliance as an incident in CCX 360 or a similar register & declare it on your attestation.

𝗬𝗼𝘂𝗿 𝗵𝗶𝗻𝗱𝘀𝗶𝗴𝗵𝘁 𝗰𝗼𝗺𝗽𝗹𝗶𝗮𝗻𝗰𝗲 𝗰𝗵𝗲𝗰𝗸𝗹𝗶𝘀𝘁
Over the past 4 weeks:
1. Did you provide Terms of engagement to prospective clients?
2. Did you provide an FSG?
3. If the client is a retail client, did you disclose your actual $ remuneration?
4. Was any client dissatisfied with your service? If so, raise it as a complaint, give the client a call to check in, apologise & advise them of your IDR process.
5. Did you provide support to any client experiencing vulnerability?
6. Did you correctly identify consumer insurance contracts & comply with your client’s duty to take reasonable care not to make a misrepresentation? In all other cases, did your client comply with their duty of disclosure?
7. Did you contact your client at least 14 days before the policy expiry date?
8. Did you bind terms for your client? If the insurer or underwriting agency did not provide renewal terms or a non-renewal notice to you 14 days prior to the due date, your client has the benefit of statutory cover for renewals.
9. Did you ensure that your retail client fell within the Target Market Determination?
10. Did you send your retail client the PDS (which also includes the policy schedule)?
11. If you are a NIBA member & won the account but the previous broker did all the renewal work, did you send the commission to the previous broker?
12. In your client dealings, did you act honestly & with integrity? Did you act with commercial decency?
13. Did you provide a duty of care to your client that a reasonable broker in your circumstances would?
14. Was all client money paid into your trust account?
15. Any E&O matters that you need to disclose to your PI insurer?

𝙋𝙤𝙨𝙩 𝙅𝙪𝙣𝙚 𝙞𝙨 𝙖 𝙜𝙧𝙚𝙖𝙩 𝙩𝙞𝙢𝙚 𝙛𝙤𝙧 𝙖 𝙘𝙤𝙢𝙥𝙡𝙞𝙖𝙣𝙘𝙚 𝙝𝙚𝙖𝙡𝙩𝙝-𝙘𝙝𝙚𝙘𝙠
As the dust settles in June, now is a great time to think about a compliance health check. When conducting a compliance health check of your broking business I consider:
1. Financial service laws
2. Your AFSL authorisations & conditions
3. Your obligations as an Authorised Rep
4. Your monitoring of your staff, ARs & referrers
5. If you’re a Steadfast member – the Steadfast Broker Code of Conduct
6. If you’re a NIBA member – the Code of Practice
7. CCX 360 or equivalent (evidence of compliance)

𝗔𝗦𝗜𝗖 𝗹𝗲𝘁𝘁𝗲𝗿 𝗰𝗮𝗹𝗹𝘀 𝗼𝗻 𝗶𝗻𝘀𝘂𝗿𝗲𝗿𝘀 𝘁𝗼 𝗶𝗺𝗽𝗿𝗼𝘃𝗲 𝗰𝗹𝗮𝗶𝗺𝘀 𝗵𝗮𝗻𝗱𝗹𝗶𝗻𝗴 𝗽𝗿𝗮𝗰𝘁𝗶𝗰𝗲𝘀

ASIC has issued a letter reminding general insurers of their obligations as Australian financial services (AFS) licensees when handling insurance claims, especially in response to severe weather events (ASIC’s letter was published on 6th March 2024). The letter sets out the obligations general insurers have as AFS licensees under the Corporations Act 2001 (Cth). General insurers are required to act efficiently, honestly, & fairly when providing claims handling services: see section 912A. This includes resolving claims in a timely manner, especially when responding to claims relating to severe weather events.

Insurers are required to:
– communicate transparently, clearly & in a timely way with consumers regarding their claims
– effectively project manage third parties, including assessors & tradespeople
– identify complaints and expressions of dissatisfaction at the earliest opportunity
– recognise consumers experiencing vulnerability & tailor their claims handling service accordingly, &
– sufficiently resource claims handling & dispute resolution functions, & ensure staff are adequately trained.

Insurance claims handling is an enforcement priority for ASIC in 2024. ASIC is monitoring claims handling through reports of misconduct made directly to ASIC, any systemic issues reported by AFCA, and regular contact with consumer groups assisting people with claims & related disputes. ASIC’s message is that they are watching how insurers support their customers very closely. Evidence of significant misconduct identified through these channels may result in enforcement action.

𝘾𝙤𝙢𝙥𝙡𝙞𝙖𝙣𝙘𝙚 𝙧𝙚𝙫𝙞𝙚𝙬 𝙤𝙛 𝙘𝙡𝙖𝙞𝙢𝙨 𝙝𝙖𝙣𝙙𝙡𝙞𝙣𝙜 𝙥𝙧𝙖𝙘𝙩𝙞𝙘𝙚𝙨
It may be prudent to conduct a compliance review of your claims handling & settling practices, including service suppliers. The review should also cover GI Code of Practice obligations. A compliance review assesses the adequacy of your compliance arrangements to manage AFSL & Code obligations & provides solutions adopting a risk-based approach. Underwriting Agencies with AFSL claims authorisation & Insurance Claims Managers (TPA) should also consider a compliance review. Contact me to explore how I can assist.

𝐀𝐝𝐯𝐞𝐫𝐭𝐢𝐬𝐢𝐧𝐠 𝐆𝐞𝐧𝐞𝐫𝐚𝐥 𝐈𝐧𝐬𝐮𝐫𝐚𝐧𝐜𝐞 𝐩𝐫𝐨𝐝𝐮𝐜𝐭𝐬 & 𝐬𝐞𝐫𝐯𝐢𝐜𝐞𝐬

As a compliance specialist, I always read adverts from insurers, underwriting agencies, insurance brokers etc. I analyse the inherent compliance risk arising from the advertisement.

𝙈𝙞𝙨𝙡𝙚𝙖𝙙𝙞𝙣𝙜 𝙤𝙧 𝙙𝙚𝙘𝙚𝙥𝙩𝙞𝙫𝙚 𝙘𝙤𝙣𝙙𝙪𝙘𝙩
Advertising gives rise to the risk of engaging in misleading or deceptive conduct. Generally speaking, misleading or deceptive conduct leads a person into error. Engaging in misleading or deceptive conduct is a reportable situation to ASIC. ASIC’s regulatory guide RG 234 helps licensees & promoters comply with their legal obligations to not make false or misleading statements or engage in misleading or deceptive conduct.

𝙂𝙤𝙤𝙙 𝙋𝙧𝙖𝙘𝙩𝙞𝙘𝙚 𝙂𝙪𝙞𝙙𝙖𝙣𝙘𝙚
RG 234.16 contains an overview of ASIC’s good practice guidance for advertising in all media:
– Returns, features, benefits & risks – a balanced message between benefits & risks should be provided. Benefits should not be given undue prominence compared with risks;
– Warnings, disclaimers, fine print & qualifications should not be inconsistent with other content in an advertisement, including any headline claims;
– Where a fee or cost is referred to in an advertisement, it should give a realistic impression of the overall level of fees & costs a consumer is likely to pay, including any indirect fees or costs;
– Comparisons should only be made between products that have sufficiently similar features or, where an advertisement compares different products, the differences should be made clear in the advertisement;
– Past performance information should be accompanied by a warning that past performance is not indicative of future performance;
– Terms and phrases should not be used in a particular way by industry where these are not consistent with the ordinary meaning commonly recognised by consumers (e.g. ‘free’, ‘secure’ & ‘guaranteed’);
– Advertisements should be capable of being clearly understood by the audience that might reasonably be expected to see the advertisements;
– Where an advertisement draws attention to specific product features, the advertisement should be consistent with information contained in any disclosure document (such as a PDS);
– Photographs & images should not contradict, detract from or reduce the prominence of any warnings, disclaimers or qualifications; &
– Advertisements for a financial advice service should not create unrealistic expectations about what the service can achieve.
In certain media, adverts must refer to the PDS & TMD.

𝙊𝙫𝙚𝙧𝙖𝙡𝙡 𝙞𝙢𝙥𝙧𝙚𝙨𝙨𝙞𝙤𝙣 𝙤𝙛 𝙩𝙝𝙚 𝘼𝙙𝙫𝙚𝙧𝙩
Assessing the overall impression is important. ASIC considers the following factors: a) the subject; b) the content; c) the format; d) the audience; e) the media used; & f) the likely effect of the advertisement.

𝗪𝗵𝗲𝗻 𝗱𝗼 𝗜 𝗽𝗿𝗼𝘃𝗶𝗱𝗲 𝗮 𝗙𝗦𝗚, 𝗣𝗗𝗦….

A common question I’m asked is the timing to provide disclosure documents & other notices. The source of the obligation – Act, Regs or Code – includes the timing & content requirements for each document & by whom & to whom it is provided. The requirements depend on the type of client (retail or wholesale), what you do & who you represent (broker representing an insured, MGA/TPA representing an insurer, or an insurer).

𝗦𝘂𝗺𝗺𝗮𝗿𝘆

𝑭𝑺𝑮
An AFS Licensee or their AR must give an FSG to a retail client as soon as practicable after it becomes apparent that a financial service will be provided to that client & before a financial service is provided. It is industry best practice to provide an FSG to wholesale clients. Insurance brokers should be aware that an FSG may be given after the services have been provided in ‘time critical’ cases such as an impending policy due date (4pm). Brokers can also provide the ‘Terms of engagement’ (part 4.2 Brokers Code) at the same time as providing an FSG. Insurance Claims Managers do not need to provide an FSG (as they act for insureds) but Claimant Intermediaries must.

𝗦𝗢𝗔
A Statement of Advice must be provided where personal advice is provided to a retail client for sickness & accident & CCI insurance products. The SOA must be provided when, or as soon as practicable after, providing the advice.

𝗚𝗲𝗻𝗲𝗿𝗮𝗹 𝗮𝗱𝘃𝗶𝗰𝗲 𝘄𝗮𝗿𝗻𝗶𝗻𝗴
A GAW must be provided at the same time & in the same format as when general advice is provided to retail clients. If the GA is provided on a website or in a document, the GAW must be included.

𝑷𝑫𝑺
Generally, a product issuer (insurer or MGA) must provide a PDS to a retail client when making an offer (quote) or sale. A broker should ensure a PDS is provided when making a recommendation to a retail client to buy an insurance product.

𝑻𝑴𝑫
A TMD must be made publicly available before any person distributes a financial product that is subject to the design & distribution obligations, i.e. ‘retail product distribution’. Generally the TMD is available on issuers’ websites with links provided in relevant documents.

𝑪𝒂𝒔𝒉 𝑺𝒆𝒕𝒕𝒍𝒆𝒎𝒆𝒏𝒕 𝑭𝒂𝒄𝒕 𝑺𝒉𝒆𝒆𝒕 & 𝑪𝒐𝒏𝒇𝒊𝒓𝒎𝒂𝒕𝒊𝒐𝒏 𝒐𝒇 𝑻𝒓𝒂𝒏𝒔𝒂𝒄𝒕𝒊𝒐𝒏𝒔
A CSFS must be provided by insurers (or TPA) to retail clients before a cash payment is made where there are other legally available options to settle the claim. A CoT must be provided as soon as is reasonably practicable after the transaction with the retail client occurs & includes acceptance & settlement of an insurance claim. A CSFS may be provided up to 5 days after the payment in cases of ‘immediate need’. A CSFS or CoT is not required in family violence situations.

𝑼𝑭𝑰
Brokers must provide a written notice to a client when placing business with an Unauthorised Foreign Insurer when relying upon 1 of the 4 exceptions.

Contact me to understand all your disclosure & notices obligations.

𝗠𝗮𝗻𝗮𝗴𝗶𝗻𝗴 𝘁𝗵𝗲 𝗰𝗼𝗺𝗽𝗹𝗲𝘅𝗶𝘁𝘆 𝗼𝗳 𝗰𝗼𝗺𝗽𝗹𝗶𝗮𝗻𝗰𝗲

The regulatory regime for providing insurance products & services in Australia is complex. Financial services laws, ASIC Reg Guides, APRA Prudential Standards, GI & Brokers Codes of Practice, and Agreements (binder, agency, distribution & claims) create a plethora of obligations with severe consequences for non-compliance. The primary purpose of compliance is to protect: protect the business, its people, customers & other key stakeholders. How do you ensure that you achieve this purpose & not get pulled down the ‘tick-a-box checklist’ pathway that creates a multitude of rules, instructions & documents? Here are some tips to effectively & efficiently manage the complexities of compliance:

𝙎𝙮𝙨𝙩𝙚𝙢𝙖𝙩𝙞𝙘 𝙖𝙥𝙥𝙧𝙤𝙖𝙘𝙝
Compliance management requires an operating rhythm. Adopting a systematic approach to compliance ensures that your compliance measures provide optimum protection to the business, its people & customers.

𝘾𝙡𝙚𝙖𝙧 𝙧𝙤𝙡𝙚𝙨 & 𝙧𝙚𝙨𝙥𝙤𝙣𝙨𝙞𝙗𝙞𝙡𝙞𝙩𝙞𝙚𝙨
Clarity around roles & responsibilities creates accountability. It also drives efficiencies & avoids gaps or duplication. Typically, the business performs the compliance tasks & activities while risk & compliance functions (or a risk & compliance committee) provide monitoring & oversight.

𝙀𝙙𝙪𝙘𝙖𝙩𝙞𝙤𝙣 & 𝙖𝙬𝙖𝙧𝙚𝙣𝙚𝙨𝙨
Compliance is complex, and training is essential. The training for employees & Authorised Reps must be practical, business-focused & lead people to understand why they should care. Caring results in doing.

𝙏𝙝𝙚 𝙙𝙤𝙞𝙣𝙜
A well-crafted document doesn’t provide protection. The protection comes from people reporting incidents, breaches & complaints; from undertaking compliance training in a timely fashion; from following systems & procedures; & from a genuine desire to play their part in protecting the business, colleagues & customers.

𝙈𝙤𝙣𝙞𝙩𝙤𝙧𝙞𝙣𝙜 & 𝙨𝙪𝙥𝙚𝙧𝙫𝙞𝙨𝙞𝙤𝙣
‘You can’t see the forest for the trees’. Successful compliance arrangements include those who are doing, with an added layer of protection provided by monitoring & supervision. There needs to be a degree of independence between doing & oversight.

𝘿𝙖𝙩𝙖 & 𝙧𝙚𝙥𝙤𝙧𝙩𝙞𝙣𝙜
A systematic approach to compliance produces data, lots of data. To be meaningful, this data must be analysed. To be valuable, this data must be reported. A systematic approach to compliance includes the use of data to validate the health of the compliance arrangements.

𝙀𝙫𝙞𝙙𝙚𝙣𝙘𝙚 𝙗𝙖𝙨𝙚𝙙
Effective documentation helps to educate, raise awareness & demonstrate whether or not you are complying with your obligations. Documentation also provides a transparent benchmark for accountability.

𝙍𝙞𝙨𝙠 & 𝘾𝙤𝙢𝙥𝙡𝙞𝙖𝙣𝙘𝙚 𝙂𝙤𝙫𝙚𝙧𝙣𝙖𝙣𝙘𝙚
The combination of the above elements provides good governance, ensuring that compliance is protected. Contact me should you need assistance with your compliance measures.

𝗠𝗮𝗻𝗮𝗴𝗶𝗻𝗴 𝗰𝗼𝗻𝗳𝗹𝗶𝗰𝘁𝘀 𝗼𝗳 𝗶𝗻𝘁𝗲𝗿𝗲𝘀𝘁 𝗶𝗻 𝘁𝗵𝗲 𝗜𝗻𝘀𝘂𝗿𝗮𝗻𝗰𝗲 𝗶𝗻𝗱𝘂𝘀𝘁𝗿𝘆

𝑻𝒉𝒆 𝒐𝒃𝒍𝒊𝒈𝒂𝒕𝒊𝒐𝒏
AFS Licensees must have in place adequate arrangements for the management of conflicts of interest (s912A(1)(aa) Corps Act). Conflicts of interest are circumstances where some or all of the interests of people (clients) to whom a licensee (or its representative) provides financial services are inconsistent with, or diverge from, some or all of the interests of the licensee or its representatives. This includes actual, apparent & potential conflicts of interest (RG 181.15).

𝙏𝙮𝙥𝙞𝙘𝙖𝙡 𝙘𝙤𝙣𝙛𝙡𝙞𝙘𝙩𝙨 𝙤𝙛 𝙞𝙣𝙩𝙚𝙧𝙚𝙨𝙩 𝙩𝙝𝙖𝙩 𝙢𝙖𝙮 𝙖𝙧𝙞𝙨𝙚 𝙬𝙞𝙩𝙝𝙞𝙣 𝙩𝙝𝙚 𝙞𝙣𝙨𝙪𝙧𝙖𝙣𝙘𝙚 𝙞𝙣𝙙𝙪𝙨𝙩𝙧𝙮
Some of the typical conflicts that may arise include:
– commissions & non-monetary remuneration paid by the issuer of the products (insurers/MGAs) to insurance brokers. Insurance Brokers act on behalf of the insured (refer s11 Insurance Contracts Act & Part 6.0 Insurance Brokers Code of Practice);
– having equity or common directors in a brokerage & underwriting agency;
– a claims handler or underwriter having a family or personal relationship with the claimant/broker/insured;
– having an interest in an outsourced provider;
– providing insurance broking services to 2 clients who contract with each other;
– receiving gifts or entertainment from a service supplier, insurer etc.

𝙈𝙖𝙣𝙖𝙜𝙞𝙣𝙜 𝙩𝙝𝙚 𝙘𝙤𝙣𝙛𝙡𝙞𝙘𝙩
The requirement is to adequately manage the conflict. The three mechanisms that licensees would generally use to manage conflicts of interest are: (a) controlling conflicts of interest; (b) avoiding conflicts of interest; & (c) disclosing conflicts of interest.

Controlling conflicts of interest includes:
– passing the file to a colleague or another firm to manage & putting in place ‘ethical walls’;
– adhering to the firm’s policies & procedures. This means an underwriter would follow their underwriting guidelines when managing a conflict, for example with a broker; similarly a claims handler would follow the claim guidelines where there is a personal relationship, & a broker would adhere to internal guidelines for commissions;
– dealings with related companies would be conducted at arm’s length & on commercial terms.

Disclosing (to the parties):
– this is commonly via a disclosure document (FSG) or on the website (stating who you act for);
– raising & recording on the conflicts or gifts & entertainment register with a senior person sign-off.

Avoiding: if the conflict can’t be adequately managed through controls or disclosure then it must be avoided.

𝘿𝙤𝙘𝙪𝙢𝙚𝙣𝙩𝙚𝙙 𝙚𝙫𝙞𝙙𝙚𝙣𝙘𝙚
It is best practice to document your approach to managing conflicts in a manual or policy & to maintain a conflicts of interest &/or gifts & entertainment register. Staff & representatives must be trained. If you would like assistance in implementing mechanisms to manage your conflicts, reach out to me.

𝗔𝗹𝗶𝗴𝗻𝗺𝗲𝗻𝘁 𝗼𝗳 𝗰𝗼𝗺𝗽𝗹𝗶𝗮𝗻𝗰𝗲 𝗼𝗯𝗹𝗶𝗴𝗮𝘁𝗶𝗼𝗻𝘀 𝘁𝗼 𝘁𝗵𝗲 𝗖𝘂𝘀𝘁𝗼𝗺𝗲𝗿 𝗶𝗻𝘀𝘂𝗿𝗮𝗻𝗰𝗲 𝘀𝗮𝗹𝗲𝘀 𝗲𝘅𝗽𝗲𝗿𝗶𝗲𝗻𝗰𝗲

When speaking to clients who are concerned about the complexity of compliance, I advise aligning compliance obligations with the customer experience. This enables us to think about compliance in a logical, systematic manner. The risk of non-compliance, regulatory enforcement action & customer detriment is managed.

𝙏𝙝𝙚 𝙞𝙣𝙨𝙪𝙧𝙖𝙣𝙘𝙚 𝙨𝙖𝙡𝙚𝙨 𝙥𝙧𝙤𝙘𝙚𝙨𝙨 – 3 𝙥𝙧𝙚𝙡𝙞𝙢𝙞𝙣𝙖𝙧𝙮 𝙦𝙪𝙚𝙨𝙩𝙞𝙤𝙣𝙨
Answering 3 simple questions sets the signage for the customer sales pathway.
1. Is the client retail or wholesale? It is important to understand the disclosure documents & warnings that must be provided. This is a 2 step process. a) Is the customer an individual or small business (as defined)? If yes, keep going; if no = wholesale client. b) Does the product fall within s761G(5)(b) Corps Act as defined in Regs 7.1.11 – 7.117A? If yes = retail; if no = wholesale.
2. Is this a consumer insurance contract? This is important to determine whether the duty to take reasonable care not to make a misrepresentation or the duty of disclosure applies. Either: a) it falls within the definition of s11AB Insurance Contracts Act; or b) it is deemed to be a consumer insurance contract by the insurer giving a written notice to that effect.
3. Are you a Distributor (GI Code) or a [NIBA member] Insurance broker or AR of a broker (Brokers Code)? This determines whether the standards & obligations of the relevant industry Codes apply to you during the sales process.

𝙏𝙝𝙚 𝙘𝙪𝙨𝙩𝙤𝙢𝙚𝙧 𝙞𝙣𝙨𝙪𝙧𝙖𝙣𝙘𝙚 𝙨𝙖𝙡𝙚𝙨 𝙥𝙧𝙤𝙘𝙚𝙨𝙨
Once you have the information, it is relatively easy to map compliance obligations to each stage of the customer insurance sales process. As an example – a retail client for a consumer insurance contract & you are an insurance broker acting for an insured, or in plain language, a new client asks about insurance for their home.

𝘼𝙩 𝙚𝙣𝙜𝙖𝙜𝙚𝙢𝙚𝙣𝙩
Provide the client with:
1. Terms of engagement (Brokers Code)
2. FSG (AFSL requirement)

𝙉𝙚𝙚𝙙𝙨 𝙖𝙣𝙖𝙡𝙮𝙨𝙞𝙨
1. Provide a warning – general or personal advice [AFSL]
2. Understand the insurer’s or underwriting agency’s underwriting questions to respond to the insured’s duty to take reasonable care not to make a misrepresentation [Insurance Contracts Act]
3. Disclose $$ remuneration (or an estimate & the actual amount as soon as reasonably practicable) [Code]
4. Ensure the client falls within the relevant TMD [AFSL]

𝙌𝙪𝙤𝙩𝙞𝙣𝙜 𝙨𝙩𝙖𝙜𝙚
1. Provide the PDS [AFSL]

𝙈𝙖𝙥𝙥𝙞𝙣𝙜 𝙩𝙝𝙚 𝙨𝙖𝙡𝙚𝙨 𝙥𝙧𝙤𝙘𝙚𝙨𝙨
There may be other obligations that arise during the sales process, such as misleading or deceptive conduct, hawking etc.; however, you can see that this is merely a case of mapping out the sales process & assigning the compliance obligation at each stage.

𝐓𝐡𝐞 𝐨𝐛𝐥𝐢𝐠𝐚𝐭𝐢𝐨𝐧 𝐭𝐨 𝐡𝐚𝐯𝐞 𝐭𝐫𝐚𝐢𝐧𝐞𝐝 𝐚𝐧𝐝 𝐜𝐨𝐦𝐩𝐞𝐭𝐞𝐧𝐭 𝐩𝐞𝐨𝐩𝐥𝐞 – 𝐰𝐡𝐚𝐭 𝐝𝐨𝐞𝐬 𝐭𝐡𝐢𝐬 𝐦𝐞𝐚𝐧?

AFS Licensees have an obligation to ensure that their 𝒓𝒆𝒑𝒓𝒆𝒔𝒆𝒏𝒕𝒂𝒕𝒊𝒗𝒆𝒔 are adequately trained & are competent (s912A(1)(f) Corps Act).

𝗪𝗵𝗼 𝗶𝘀 𝗮 𝗿𝗲𝗽𝗿𝗲𝘀𝗲𝗻𝘁𝗮𝘁𝗶𝘃𝗲?
Representative means (s9):
– an authorised representative of the licensee;
– an employee or director of the licensee;
– an employee or director of a related body corporate of the licensee; &
– any other person acting on behalf of the licensee.

𝘼𝙎𝙄𝘾’𝙨 𝙚𝙭𝙥𝙚𝙘𝙩𝙖𝙩𝙞𝙤𝙣𝙨
ASIC expects licensees to: (a) identify the knowledge & skills your representatives need to competently provide the financial services; (b) ensure they have the necessary knowledge & skills; (c) ensure they undertake continuing training programs to maintain & update their knowledge & skills; & (d) maintain a record of the training they have undertaken (this is required under reg 7.6.04(1)(d)). As you will observe, training is an ongoing obligation.

𝙏𝙧𝙖𝙞𝙣𝙞𝙣𝙜
Most firms adopt a CPD approach to training. However, in order to meet the obligation, representatives must be trained in financial services laws & in the specific financial services & insurance products offered. Simply attending functions or events to obtain CPD points may not satisfy the AFSL obligation. The training must have a connection with your authorised financial services. ASIC has specified minimum training for representatives who provide financial product advice to retail clients (RG 146): Tier 1 products – personal sickness & accident, CCI; Tier 2 – all other general insurance products.

𝘾𝙤𝙢𝙥𝙚𝙩𝙚𝙣𝙘𝙚
Competence includes skill, knowledge & experience. The competence must be aligned to the financial services (such as claims handling or insurance broking) & the products provided. Generally, role descriptions, qualifications, short industry courses, on-the-job training & professional membership (ANZIIF, NIBA) are indicators of competence; however, ongoing training is required to ensure professional development & remaining relevant.

𝙏𝙧𝙖𝙞𝙣𝙞𝙣𝙜 𝙨𝙥𝙚𝙘𝙞𝙛𝙞𝙘𝙖𝙡𝙡𝙮 𝙛𝙤𝙧 𝙥𝙚𝙤𝙥𝙡𝙚 𝙬𝙤𝙧𝙠𝙞𝙣𝙜 𝙞𝙣 𝙜𝙚𝙣𝙚𝙧𝙖𝙡 𝙞𝙣𝙨𝙪𝙧𝙖𝙣𝙘𝙚
I have developed training options, specifically for general insurance, to assist in meeting your AFSL obligations.
I provide training services to businesses: a) Facilitated training on financial services laws, Industry Codes, Responsible Managers; & b) Design of in-house tailored compliance training modules. Check out ‘Compliance Education & Training’ under the ‘Services’ tab on my website (link below).
I provide training services to individuals: a) Compliance workshop in Brisbane 21st Mar; b) Monthly virtual financial laws training: next course 14th Mar; c) Membership subscription. Click below & go to the tabs ‘Training’ & ‘Membership’ to learn more & register.
Compliance Advocacy Solutions

𝗕𝗿𝗲𝗮𝗰𝗵 𝗺𝗮𝗻𝗮𝗴𝗲𝗺𝗲𝗻𝘁 𝗶𝗻 𝗚𝗲𝗻𝗲𝗿𝗮𝗹 𝗜𝗻𝘀𝘂𝗿𝗮𝗻𝗰𝗲

Under-reporting of breaches continues to be an industry-wide issue. A business focus on incidents is key to successfully managing breaches.

𝙁𝙤𝙘𝙪𝙨 𝙤𝙣 𝙞𝙣𝙘𝙞𝙙𝙚𝙣𝙩𝙨
An incident is something that has happened that shouldn’t have (this includes inaction). All people across the business, Authorised Reps, distributors & anyone acting on your behalf should be trained in understanding, identifying & raising incidents. If you focus on breaches then you are expecting your people to know thousands of laws. Your obligations should be linked to key control(s); therefore control breakdowns are automatically an incident. The training should include practical examples of what an incident looks like within your business & for each business area. If your incident management is inadequate, the incident will continue to grow & cause harm & detriment until such time that it manifests into a breach, or a significantly larger breach than if immediately detected. There is also the risk that the breach will be identified by a customer. This suggests that your compliance arrangements are inadequate & may lead to a systemic issue investigation by ASIC or AFCA. An incident & breach register should be maintained.

𝙏𝙧𝙞𝙖𝙜𝙚 𝙤𝙛 𝙞𝙣𝙘𝙞𝙙𝙚𝙣𝙩𝙨
It is important that you don’t allow the business to determine whether an incident is a breach. This analysis requires expertise. An experienced compliance person should review all incidents periodically (frequency based on the size of the organisation) & determine whether (1) additional information is required, (2) the incident is a breach & if so, (3) the law &/or Code that has been breached, & (4) comply with breach reporting requirements.

𝙎𝙤𝙪𝙧𝙘𝙚𝙨 𝙤𝙛 𝙗𝙧𝙚𝙖𝙘𝙝 𝙤𝙗𝙡𝙞𝙜𝙖𝙩𝙞𝙤𝙣𝙨
Each Law/Code has its own requirements on what needs to be reported, to whom & the timing:
– Chp 7 Corporations Act (AFS Licensees) – Section 912DAA – note that ‘financial services laws’ is defined widely (s761A) & includes, for example, breaches of the Insurance Contracts Act & the ASIC Act.
– Insurance Act (APRA regulated insurers) – Section 38AA
– Privacy Act – Division 3 (notifiable data breaches)
– GI Code of Practice – paragraph 181
– Insurance Brokers Code of Practice – paragraph 11.2
Having separate processes for each law/code is impractical, adds complexity & creates gaps. A single breach management process is paramount.

𝘽𝙧𝙚𝙖𝙘𝙝 𝙢𝙖𝙣𝙖𝙜𝙚𝙢𝙚𝙣𝙩 𝙥𝙧𝙤𝙘𝙚𝙨𝙨
Your breach management process should incorporate RG 78 with pathways to incorporate the breach reporting requirements of all other laws/industry Codes. The process should include:
– timeframes
– roles & responsibilities
– information gathering
– analysis
– breach committee or similar
– breach reporting
– remediation & rectification
– learning from the breach & continual improvement
Contact me for assistance with your incident & breach management process.

𝗖𝗼𝗺𝗽𝗹𝗶𝗮𝗻𝗰𝗲 𝗮𝗻𝗱 𝗮𝗰𝗰𝗼𝘂𝗻𝘁𝗮𝗯𝗶𝗹𝗶𝘁𝘆

I’ve been sorting out banking & accounting issues. While frustrating, & taking me away from my client work, I appreciate that as a small business owner such work is necessary. Without banking & accounting my business simply can’t function. I appreciate that many people see compliance in the same way: frustrating & time-consuming, however a necessity for the business. Unfortunately, this approach can diminish the importance of compliance & not truly embed compliance within the business & each role. The purpose of compliance is to protect – your business, clients, people & partners.

Think about how important your car is to you. Yes, you can arrange for other, more skilled people to service the car & attend to repairs & the like; however, you have accountability to ensure the car is roadworthy & that you know the road rules. You can outsource certain tasks that require a specialist skill set; however, at the end of the day, you are accountable for your car when you drive it on a public road. Compliance is no different.

The FAR regime [for insurers] creates the concept of Accountable Persons & [for enhanced entities] the requirement for Accountability maps. These concepts are sound & can be scaled down & tailored to a business of any size so that compliance is role-based & part of day-to-day business activities. Let’s see how this works for underwriting agencies, Insurance claim managers & Insurance brokers [& insurers].

𝘾𝙤𝙢𝙥𝙡𝙞𝙖𝙣𝙘𝙚 𝙖𝙘𝙘𝙤𝙪𝙣𝙩𝙖𝙗𝙞𝙡𝙞𝙩𝙮 𝙖𝙨 𝙥𝙖𝙧𝙩 𝙤𝙛 𝙮𝙤𝙪𝙧 𝙗𝙪𝙨𝙞𝙣𝙚𝙨𝙨 𝙧𝙤𝙡𝙚
1. Ensure that your risk & compliance manual includes an obligation table or you have a stand-alone register. This simply captures your AFSL, Code & other obligations at an operational level;
2. For each business leader/manager, identify the obligations that fall within their area of business responsibility (sales, underwriting, claims, finance). Each manager now has their own compliance plan;
3. Assign key controls to each of the obligations. This ensures the obligation is being managed;
4. Periodically (at least annually), each manager tests the control(s) to ensure it is designed & operating effectively;
5. Each manager receives complaints, incidents, QA & other data, for their area, to validate the control testing results;
6. The manager oversees action plans to rectify any control that is ineffective;
7. The manager provides reporting for their area that is consolidated into an enterprise report.

𝘼𝙘𝙘𝙤𝙪𝙣𝙩𝙖𝙗𝙞𝙡𝙞𝙩𝙮 𝙛𝙤𝙧 𝙘𝙤𝙢𝙥𝙡𝙞𝙖𝙣𝙘𝙚 𝙞𝙨 𝙥𝙖𝙧𝙩 𝙤𝙛 𝙮𝙤𝙪𝙧 𝙧𝙤𝙡𝙚
Adopting a systematic approach to compliance within each business area of responsibility & accountability will ensure that compliance is something that is done as part of each role. If you need assistance in setting up compliance arrangements that work for you, provide business value & protect your business, people, customers, partners & YOU, contact me.

Managing the complexity of compliance in general insurance

I was chatting to some Lloyd’s underwriters last night & they mentioned the complexity of the Australian regulatory landscape for general insurance. I agree that the landscape is complex; however, I also made the point of how a systematic approach to compliance enables that complexity to be adequately managed.

A systematic approach to Compliance

– Identify the sources of your obligations. Obligations will arise from (i) what you do (& the licences & authorisations you need/hold); different obligations apply to insurers, Underwriting Agencies, brokers & TPAs; & (ii) how you provide your services, e.g., different distribution channels & use of claim service suppliers.
– Record your material obligations. Larger firms may do this through a stand-alone register while smaller firms should incorporate it within their risk & compliance manual.
– Adopt a risk appetite statement (RAS) position for regulatory/compliance risk.
– Assign key control(s) to each obligation until the obligation is within your RAS.
– Periodically test the control to ensure that it is designed effectively & operating effectively. Take action to close out any identified gaps.
– Train your people (& ARs) on how compliance protects, the importance of a systematic approach to compliance & their role in control testing & self-reporting by promptly identifying & reporting incidents, breaches & complaints.
– Use data generated by the systematic approach to compliance (incidents, breaches, complaints, self-reports, file reviews, QA etc.) to validate the control test results & to report breaches to regulators or Code committees.
– Use external information such as regulatory/Code reviews, ASIC letters, Court cases, regulator speeches & media releases & the like to question ‘could this happen to us?’ or ‘how are we managing this?’
– Report the control test results, data & external information to your risk & compliance committee. The data should be analysed, connections & insights provided & decisions made.
– Incorporate regulatory change mechanisms into your systematic approach.
– Use the data that the systematic approach generates as a continuous improvement mechanism so that compliance continues to protect & add value to your business.

General insurance is complex

A systematic approach to compliance results in an ecosystem that continually evolves to respond to & manage the risks associated with business growth, regulatory change & increasing complexity. The regulatory landscape for general insurance is complex. However, a systematic approach to compliance enables this complexity to be understood & managed in a way that protects your business, people, customers & stakeholders.

Monitoring & Supervision of employees and Authorised Representatives

The recent Federal Court decision in Australian Securities and Investments Commission v Lanterne Fund Services Pty Limited [2024] FCA 353 provides the elements that an effective monitoring & supervision program should contain. I have expanded these elements based on my experience in working with clients in the insurance industry.

Implementing an effective Monitoring & Supervision program

– A robust due diligence process for all representatives pre-appointment.
– Agreements with new CARs (& employees) containing requirements & obligations.
– Supervisory arrangements – comprising monthly attestations, self-audits & risk-based audits by the licensee, formal & informal meetings with comprehensive note-taking, and robust reporting of incidents, breaches & complaints.
– Risk management & compliance systems – must be formal, systematic & documented & cover the risks faced by the firm. Risk & Compliance manuals must be tailored & current. The licensee should provide clear guidance & instructions to its CARs & ARs about their obligations regarding compliance with the financial services laws.
– Training – must be provided & cover financial services laws including AR obligations & the relevant industry Codes. Conducted during induction & annually thereafter.
– Human resources – the licensee must have enough people to conduct the monitoring & supervision activities. This includes regular performance reviews of the representatives & consequence management.
– Technological resources – an adequate IT infrastructure to keep abreast of issues such as IT security or cyber security.
– The Licensee must have enough responsible managers who are qualified, skilled & experienced in general insurance with sufficient time to conduct their role effectively.
– Governance should include a risk & compliance committee meeting quarterly & receiving data, information & insights to oversee the licensee & their representatives.
– The Monitoring & Supervision program must include self-checking mechanisms so that your compliance arrangements continue to evolve with regulatory changes & business growth.

I can work with you to:
1. Conduct a compliance review of your current compliance arrangements, identifying gaps and adopting a risk-based approach. My reviews adopt a top-down approach, not a file-by-file audit approach;
2. Design a fit-for-purpose, tailored AR program for your business;
3. Provide training for your representatives.

Parliamentary insurance flood inquiry – insights from the public hearings

In the wake of the recent public hearings and the release of transcripts, there’s been a surge of discussions, particularly among clients in Queensland. These conversations are honing in on several key areas highlighted during the hearings. One significant topic of interest is ‘claims handling including delays’. People are keen to delve into how insurers are managing claims, especially in terms of timeliness and efficiency. Another focal point is ‘the role of experts such as assessors & builders’. This aspect delves into the expertise involved in assessing claims and the impact it has on the overall process. Lastly, there’s a spotlight on ‘customers experiencing vulnerability’. The discussions are examining how insurers are addressing the needs of vulnerable customers and ensuring they receive fair treatment throughout the claims process. These discussions are driven by submissions and the line of questioning from the Committees during the hearings. As we continue to analyse and reflect on these topics, we aim to gain deeper insights into the dynamics of insurance practices and how they affect clients, particularly in Queensland.

Federal Court finds Auto & General Insurance Company did not include an unfair contract term in insurance contracts

A term requiring insureds to notify A&G of any changes to their home & contents was not unfair under the ASIC Act.

1. The proceedings concern home/contents insurance which contained certain notification obligations on the part of the insureds.
2. The PDS contained a number of references that explained certain matters relevant to the notification obligations (see paras 4-11 of the judgment).
3. Relevantly, the PDS contained 11 examples of changes A&G wanted the insured to tell them about.
4. The offending clause, which preceded the 11 examples, stated: ‘you need to tell us if anything changes about your home & contents.’ This Notification Clause was the focus of ASIC’s claim.
5. Evidence concerning the processes for applying for cover (p12-22) & claim assessment (p23-30) was led by A&G.
6. The Court considered the relevant provisions of Unfair Contract Terms (ASIC Act) & Utmost Good Faith (ICA).
7. The Court rejected the literal meaning of ‘anything’.
8. The Court accepted that the requirement in the Notification Clause to notify A&G “if anything changes” was restricted to the information already provided by the insured to A&G (refer 2 & 3 above).
9. The Court held that the duty of UGF operates to limit what A&G can do under the Notification Clause in response to an insured’s failure to notify it of the relevant changes.
10. The Court determined that, upon the proper construction of the Notification Clause, the contracts of insurance contained a term that: (a) the insured must notify A&G if, during the term of the policy, there was any change to the information about the insured’s home or contents that the insured had disclosed to A&G prior to entry into the contract; & (b) if the insured failed to notify A&G of such changes, it had the right to refuse to pay a claim, reduce the amount it paid, cancel the contract or not offer to renew the contract if & to the extent that it would be consistent with commercial standards of decency & fairness for A&G to do so.
11. The Court applied the 3-limb test for ‘unfair clauses’ & held:
a. s54 (ICA) operates to ensure that A&G’s powers to refuse or reduce claims would not cause a significant imbalance in the rights & obligations of the parties arising under the contract;
b. Protecting legitimate interests of A&G – s54 & UGF constrain A&G to the extent that only a failure to notify a change in information that has prejudiced its interests is relevant;
c. The Court accepted ASIC’s submission that the lack of clarity in the Notification Clause caused detriment to the insured.

Conclusion

The Court found that as only 1 of the 3 criteria of an unfair term was met, ASIC failed to establish that the Notification Clause is unfair.

The power & far-reaching impact of the insurance Codes’ overarching obligation

As the industry continues to be under scrutiny, it’s timely to revisit the overarching obligations in the GI Code & Insurance Brokers Code of Practice.

GI Code of Practice

Part 3 of the GI Code requires insurers & their distributors & claim service suppliers to be ‘honest, efficient, fair, transparent & timely in dealings with customers’. Let’s unpack this:
– the obligation extends to underwriting agencies & external insurance claim managers;
– the obligation applies to both retail & wholesale insurance;
– the obligation applies to all dealings including buying insurance, making a claim, dealing with customers experiencing vulnerability & complaints;
– you may ask, how does Part 3 apply to claims for wholesale insurance when, for example, ‘Part 8 Making a Claim’ (& Parts 5, 6, 7, 9 & 11) does not apply to wholesale insurance? The individual requirements of Part 8 would not apply to wholesale insurance claims; however, the insurer & their claim service suppliers must continue to be ‘honest, fair etc.’;
– it would be a reasonable interpretation of Part 3 to suggest that each component is a separate obligation. Therefore a failure to act in a timely manner (such as in claim delays) would be a breach of the Code.

Insurance Brokers Code of Practice

The Brokers Code requires NIBA members to have professional commitment, act ethically & be transparent & accountable. Due to Part 8.0, these obligations extend to the broker’s employees, agents & authorised representatives. The Ethical behaviour commitment requires brokers, their staff & [authorised] representatives to act honestly & with integrity in all dealings with clients.

AFSL general obligation to provide financial services efficiently, honestly & fairly

The overarching obligations of the Codes complement the AFS Licence obligation to provide financial services efficiently, honestly & fairly, but with one important distinction. The AFSL obligation only applies to financial services (which of itself is still far-reaching) while the Code obligations apply to all dealings, including administrative or clerical processes.

How to implement

The Code overarching obligations should be viewed as a lens applied after specific controls are applied. For example, the obligation to update the customer every 20 business days about the progress of their claim may receive a tick; however, the question then needs to be asked: were we ‘honest, efficient, fair, transparent & timely’? It is possible to comply with individual Code paragraphs but still be in breach of the overarching Code obligations.

The true purpose of Compliance – protecting

Compliance is only effective when you have all people engaged. This includes staff, authorised representatives, claim service suppliers & business partners. Thinking about compliance in terms of rules & regs is generally not exciting & certainly not engaging. This is one of the things I learnt very early in my compliance career. Not many people really care about the intricacies of section 912A(1) or Part 3 of the GI Code or Part 8 of the Brokers Code – personally, I love this stuff.

Here’s a simple test. If you can’t answer the question ‘why should I care [about compliance]?’ or you think the answer is ‘because we must’, then you need to change how you position & see compliance. The true purpose of compliance is to protect. The image below shows who we should protect & from what.

Let me explain how compliance protects. Your compliance arrangements are the combination of your people, IT systems, manuals, policies, guidelines & processes. Think about this another way: your compliance arrangements are the controls that you have in place to manage your financial services & industry code obligations. These compliance arrangements provide a safe environment for your people to work within. By staying within these boundaries your compliance arrangements operate to protect your customers, business, partners & people from harm.

As we know, mistakes happen; systems, people & processes fail. This is when your people become your early warning system. By identifying ‘something has happened that should not have happened’ at an early stage (aka an incident), your people can quickly identify when the perimeter of your compliance arrangements has been breached. This serves to minimise any harm & enables the control(s) to be quickly rectified, thus securing the business, its customers & people.

The importance of the concept of ‘compliance protects’ has never been more evident as the insurance industry moves into the era of accountability. If something happens, under your watch, in your area of accountability there will be personal consequences – both financial & reputational. FAR & CPS 230 are examples of where accountability is heading & casting a wide net. This is why compliance protects. Robust compliance arrangements provide a mechanism & infrastructure to support & protect your business, your customers & you from harm & detriment.

I will be exploring the theme of ‘compliance protects’ at my Compliance workshop in Brisbane on Thursday 21st March at Lightspace, Brisbane’s unique event venue and co-working warehouse. I will be providing you with the tools & insights to develop compliance arrangements that operate to support & protect the things that matter to you. Registration for the workshop is now open & can be accessed via the link below. See you in Brisbane.

Managing Compliance in the insurance industry

What does it mean to be an Authorised Representative, from a compliance perspective?

An Australian financial services licensee may appoint ‘authorised representatives’ to provide specified financial services on its behalf. Acting as an AR can be a cost-effective way of operating a financial services business, although most insurers require their MGAs & TPAs to hold their own AFSL. This is due to the risk that the AR presents to the insurer’s Licence. AR networks continue to be used within the Insurance Broking community; however, due diligence & compliance monitoring is being strengthened.

There are regulatory requirements for appointing ARs & notifying ASIC. There are also rules & limitations in appointing sub-authorised representatives. Notification requirements also apply in respect of when an AR ceases to be authorised. These requirements should be captured in the Licensee’s compliance manual. In addition, the Licensee, if a subscriber to the GI Code or Insurance Brokers Code, will also have Code obligations in respect of the conduct of its ARs (GI Code see Parts 3-5 & Brokers Code see Part 8). Generally, the Licensee is responsible for the training, competency & conduct of its ARs & therefore should have a Monitoring & Supervision Program in place. This benefits & protects both the Licensee’s & Authorised Rep’s business.

Obligations of an Authorised Representative

In addition to meeting the obligations of the Licensee, ARs have a number of independent obligations, including:
– Be appointed in writing as an Authorised Representative of the Licensee;
– Not hold out that they have an AFS Licence. In this regard, the AR should include their AR number & disclose the relationship with the Licensee in all business documents & on their website;
– Provide disclosure documents (FSG, PDS) as required when General Insurance Products are provided to Retail clients;
– Provide details of remuneration in an FSG;
– Keep records of insurance transactions;
– Comply with hawking prohibitions (retail clients) & misleading & deceptive conduct provisions;
– Ensure they act within the scope of authority given; &
– Comply with Product design & distribution requirements & TMD (when financial services are provided to retail clients).

Authorised Representative compliance measures

It follows from the above that best practice is for the Authorised Representative to have its compliance measures captured in a Compliance Manual. The Manual should be tailored to the AR’s business model & way of working & dovetail with the Licensee’s compliance requirements. Speak to me if you are an Authorised Representative requiring assistance with your compliance requirements or if you are an AFS licensee requiring assistance with your AR monitoring & supervision program.

Can you measure the compliance risk maturity of your organisation?

APRA has mandated an insurer to undertake a risk remediation program & has increased its capital requirements in response to concerns about its risk governance. APRA’s decision follows a prudential review that identified significant weaknesses in the insurer’s risk governance, risk management & compliance practices. These included capability & capacity weaknesses in the risk function, ineffectiveness of the “three lines of defence” model, & weak risk reporting. The review also revealed unclear accountabilities and responsibilities across the business, & overall, an immature risk culture. Given the heightened prudential risk arising from the identified weaknesses, APRA has also imposed an additional $50 million capital requirement in the form of an operational risk charge.

Measuring compliance risk maturity

There are many benefits in measuring compliance risk maturity:
– Identification of gaps & weaknesses in your compliance arrangements;
– A prioritised action plan to close out gaps by adopting a risk-based approach;
– Enables the allocation of resources (including human, technology & financial) to those areas of strategic, customer or regulatory importance;
– Provides transparent criteria to benchmark progress & facilitate board reporting; &
– Enables different maturity levels to be set as targets for each of the 4 components.

How to conduct an analysis of compliance risk maturity (in the insurance industry)

Step 1 – there are 4 components or categories that are assessed from a compliance risk perspective: (1) governance, (2) process & procedures, (3) people and (4) systems & reporting. A compliance review is conducted to determine the firm’s current state against each of these components;
Step 2 – the current state is assessed as either ‘basic, evolving, established, advanced or optimised’. Pre-agreed criteria are used to describe each phase of maturity, enabling a robust conversation to take place so that a realistic current state is determined. The current state is plotted on the matrix for each category;
Step 3 – recognising the cost-benefit trade-off, the board sets the desired level of risk maturity to be achieved over a defined period for each component. For example, the Board may set a target that within 18 months systems will be ‘Advanced’ while people will be ‘Optimised’. This enables a strategic allocation of resources & a plan that can be shared with key stakeholders;
Step 4 – actions are developed, costed & approved to achieve the target level of risk maturity for each of the 4 components;
Step 5 – progress to plan is monitored & included in board reporting.

Please contact me if you would like to explore the compliance reviews & risk maturity assessments I provide.

Are you an Underwriting Agency, Claim Service Supplier or Insurance Broker? Are you prepared for CPS 230?

APRA Prudential Standard CPS 230 ‘Operational Risk Management’ comes into force July 2025. CPS 230 applies to APRA-regulated insurers (including both local insurers & Category C insurers); however, there are indirect or downstream impacts on Underwriting Agencies, Claim Managers (Service Suppliers) & Insurance Brokers. These impacts arise in respect of insurers’ critical operations & material service providers.

Critical operations

An APRA-regulated entity must maintain its critical operations within tolerance levels through severe disruptions & manage the risks associated with the use of service providers (para 12 CPS 230). For an insurer, claims processing is a critical operation unless the insurer can justify otherwise.

Material service providers

An APRA-regulated entity must, at a minimum, classify a provider of the following services as a material service provider, unless it can justify otherwise: for an insurer (general, life, private health): underwriting, claims management, insurance brokerage & reinsurance (p50).

Management of service provider arrangements

An APRA-regulated insurer must:
– Maintain a comprehensive service provider management policy (p47);
– Identify & maintain a register of its material service providers & manage the material risks associated with using these providers (p49) & submit the register to APRA on an annual basis;
– Before entering into or modifying a material arrangement, undertake due diligence assessing the financial & non-financial risks (p53);
– Maintain a formal legally binding agreement covering the matters listed in p54 (a) – (g);
– Monitor the arrangement (p58);
– Meet the APRA notification requirements (p59); &
– Have the arrangements reviewed by its internal audit function (p60).

So what does this mean for material service providers?

Material service providers who are well prepared for the impacts of CPS 230 will achieve a competitive advantage in their partnering with insurers. Providers of material services must:
– Incorporate the requirements of CPS 230 into their risk & compliance arrangements, including referencing APRA’s Prudential Practice Guide (CPG 230);
– Engage early with insurer(s) to understand the insurer(s)’ project plan in respect of timeframes & any unique requirements they have; &
– Arrange for a compliance review in early 2024 (due diligence) to fully understand the impact of the proposed changes to ensure a seamless transition to the new arrangements.

Do not hesitate to contact me to assist in being prepared for the impacts of CPS 230 on your business.

Managing Compliance effectively & efficiently – designed to protect

A common issue I observe when reviewing risk & compliance frameworks is the absence of a logical flow. Risk & compliance should be managed in a systematic manner, ensuring that nothing is missed & no gaps emerge. The purpose of compliance is to protect: protect the business, its people, stakeholders & customers. To do this, all component parts must work in sync.

The components of a systematic approach to risk & compliance

1. What you do & how you do it. Within the insurance industry, the services & products you provide & on whose behalf determine the need for you to be APRA authorised, AFS Licensed, an Authorised Rep, Code subscriber, Distributor, Service Supplier etc. This in turn shapes your risk profile. Unpacking what you do & how you do it is always the starting point in any risk & compliance framework.
2. Governance. Roles & responsibilities: who’s doing what, who provides oversight & the mechanics of ‘doing & oversight’, is the next step & creates an environment within which business can be safely conducted & layers of protection.
3. Risk management. Understanding your risks & managing those risks [in 6 simple steps] within the boundaries of the firm’s risk appetite provides an internal mechanism for decision-making.
4. Licence management. For AFS Licensees, I call out licence management as a separate component. Your Licence is, after all, your ticket to play [including any Authorised Reps].
5. Material obligations. AFS Licence, APRA authorisation, Code & AFCA membership, Binder & Authorised Rep Agreements, Distribution & Claim service supplier arrangements all create obligations. These obligations must be identified. You can’t manage what you don’t know. Depending on the size of the firm, I include the key control(s) within the obligations section. I find it’s best to have a single source of truth [manual] rather than multiple referenced documents.
6. Obligations management. This sets in place a systematic approach to managing the obligations, including the sources of new/amended obligations & how these are incorporated into the framework.
7. Control testing. A control that is not tested (design & operational) is no control.
8. Monitoring & supervision. This extends to staff & ARs & forms another layer of protection. The M&S needs to be independent, fit-for-purpose & risk-based.
9. Reporting. Data from risk & compliance registers, control testing, monitoring & supervision provides an indication of the health of the compliance system.
10. Incident & breach management. Things do go wrong. The quicker they are identified, the less harm caused.

Risk & compliance assistance

Contact me to understand how a systematic approach to risk & compliance protects your business, people & customers.

Providing financial services – General Insurance authorisations

Financial services laws are designed to protect consumers. The 1st layer of protection is the need to hold an AFS Licence. Unless you are an AR of a Licensee or can rely upon an exemption, you need to hold an AFS Licence to provide general insurance financial services.

Licence authorisations

The 3 authorisations relevant for GI are:
1. Providing financial product advice; this may be restricted to general product advice;
2. Dealing in general insurance products by: issue, apply for, acquire, vary or dispose of; and/or apply for, acquire, vary, or dispose of on behalf of another;
3. Provide a claims handling & settling service,
to Retail &/or Wholesale clients.

What authorisation do you need?

APRA-regulated insurers – although authorised by APRA to carry on insurance business in Australia, insurers require an AFS Licence when providing financial services unless relying upon the Wholesale client exception. Insurers generally need all 3 authorisations, although dealing is limited to the issuing authority & the claims authorisation does not include representing a person making a claim.
Underwriting Agencies – depending on their binder/agency agreement, will generally require the same authorisations as insurers. If the MGA places the business in the open market (i.e. not under a binder) they will require the dealing authorisation ‘on behalf of another’.
Insurance brokers – require the financial product advice & dealing on behalf of another authorisations only. Brokers can rely on the claims exemption provided they arranged the contract of insurance or are acting under a letter of appointment. Brokers also require the Licence condition permitting them to use the restricted terms associated with insurance broking.
TPAs – will require the same claim authorisations as insurers, as the TPA acts on behalf of insurers as an ‘Insurance Claims Manager’.
Claimant Intermediaries – act on behalf of insureds & will require a Claims authorisation limited to making a recommendation, assisting & representing a person making a claim.
Claim Service Suppliers & insurance fulfilment providers – acting on behalf of insurers, generally do not require a licence as they can rely on exemptions. In these cases it’s necessary to examine the authority they have from insurers/MGAs.

What happens if you provide financial services without a Licence?

It is an offence to provide financial services without a licence (or acting as an AR or relying on an exemption). It is also an offence to hold out that you hold an AFS Licence if you do not. Ensuring that you hold the correct AFS Licence authorisations & conditions is critical when providing (or intending to provide) financial services in Australia.