How to successfully manage regulatory change in General Insurance

Change is constant, and nowhere more so than in General Insurance: regulatory change, upcoming Code changes, changes due to regulator reviews, Court decisions, Code compliance reviews, the list is endless. Add to that internal change due to binder & capacity changes and service supplier changes, and the list goes on. Large insurers manage change through project management teams & change pipelines; however, what do you do if your resources are limited? This article has been written for Underwriting Agencies, Lloyd's coverholders, Insurance Brokers, TPAs, Service Suppliers & small to medium sized insurers who must manage regulatory change and remain compliant through the complexity created by change.

1. The importance of a compliance operating rhythm
The starting point is to have a Risk & Compliance Manual, tailored to your business, that describes your compliance measures and provides you with an operating rhythm for managing risk & compliance. The Manual must include your obligations (financial services laws, GI or NIBA Code, binder agreement(s), service supplier agreements etc) and the key controls that are assigned to manage the obligations. A separate Obligations register is suitable for larger firms provided the register is referenced in the Manual, including how the register is managed.

2. The source of regulatory change
Your manual must identify your sources of regulatory change. They are numerous and generally include (for non-lawyers) signing up to receive email feeds from:
- regulators such as ASIC, APRA, OAIC, AUSTRAC, ACCC
- AFCA
- Industry Associations such as ICA, NIBA, UAC and Insurtech Australia
- Financial services legal firms
- Insurance news services
- me via my LinkedIn posts and my monthly Newsletter Navigating Compliance in General Insurance
Also be mindful of internal change or change from your business partners.

3. High level review
You’ve identified the regulatory change. What next? At this stage ask 3 questions:
- does this change apply to General Insurance? and, if so,
- does this change apply to the cohort I’m part of? (brokers, underwriting agency, TPA, service suppliers, insurers); and/or
- will this change impact me upstream/downstream (e.g. a Prudential Standard or the GI Code of Practice that applies to an insurer)?
If yes to these questions, proceed with step 4; otherwise ignore the change.

4. Deep analysis
You need to work out the impact of the regulatory change on your business. It is useful to engage with your Industry Association, peers or your risk & compliance advisor (I’m happy to assist with any queries) to understand the common approaches that are being adopted across the industry to the regulatory change. Adopting the Who, What, When, Where, Why, and How approach is useful:
- start with ‘why’ and understand the underlying rationale and purpose of the change
- ‘what’ is about the details. What does the new law require me to do?
- ‘when’ does the regulatory change take effect? This assists in planning the runway.
- ‘where’ does the regulatory change apply? e.g. underwriting, claims, broking
- ‘how’ provides the details of what you must do to comply with the new regulatory change
- ‘who’ does the change apply to […]

Deciphering Personal Advice: A Guide to General Insurance

An Australian financial services licensee (Kalkine) must appoint an independent compliance consultant to address ASIC concerns that Kalkine’s customer service representatives were giving unlicensed advice (refer ASIC Media Release 25-085MR). New licence conditions have been imposed on Kalkine’s licence to ensure compliance with its obligations as an AFS licensee. These conditions require Kalkine to engage a consultant to review, assess and report to ASIC whether Kalkine’s interactions with its customers are compliant and its supervision mechanisms are adequate.

ASIC had concerns that:
- Kalkine’s representatives, who are based in India, may have provided personal advice as part of the sale of subscription services when Kalkine’s AFS licence only authorised it to provide general financial product advice,
- Kalkine’s representatives may have misrepresented to customers the kind of advice being given, by qualifying this as general advice but leaving customers with the impression that the advice was directed to their own personal circumstances,
- Kalkine failed to do all things necessary to ensure that the financial services covered by its AFS licence were provided efficiently, honestly and fairly, including but not limited to ensuring the advice being given by its representatives was appropriate and within the scope of its licence, and
- Kalkine’s processes to ensure that its representatives were complying with the law when interacting with consumers were inadequate.

Westpac case and personal advice
The High Court in Westpac Securities Administration Ltd v Australian Securities and Investments Commission [2021] HCA 3 held that WSAL and BTFM breached the Corporations Act by providing personal financial product advice in calls made to 14 customers. Neither company was licensed to provide personal financial advice. The decision of the High Court clarified the difference between general and personal advice for consumers and financial services providers.

ASIC Commissioner Danielle Press said (ASIC Media Release 3 February 2021), ‘The High Court has provided clarity concerning the differences between personal advice and general advice. Westpac were actively conducting a sales campaign aimed at rolling customers into Westpac products under the banner of general advice.’

In the judgment, Justice Gordon reinforced that s766B(3) of the Corporations Act, which outlines the meaning of general and personal advice, ‘is directed to the protection of the retail client’ and clarified that ‘[…] the general advice warning must be assessed in light of all the circumstances. The general advice warning was given only once, at the beginning of the telephone conversation. Members were subsequently asked directly about their personal objectives. Members were not encouraged to seek personal advice before deciding whether to accept the rollover service.’

Key compliance takeaways
- A General Advice Warning does not make the advice provided general advice. It is substance over form.
- When you are giving general advice to a client, in addition to giving a general advice warning, it is good practice to take reasonable steps to ensure that the client understands upfront that they are getting general advice and not personal advice.
- You should take reasonable steps to ensure that the client understands that you have not taken […]

General Insurance broker commissions & informed consent – are you ready?

General insurance products are excluded from the conflicted remuneration obligations in respect of monetary or non-monetary benefits. However, from 9th July 2025, where personal advice is provided, or is likely to be provided, on general insurance products, the exclusion for monetary benefits only applies if the client’s informed consent to the monetary benefit has first been given. Refer: Corporations Act s963B(1)(a), s963BB, s963C(1)(a), and reg 7.7A.12G. Also refer ASIC RG 246 and INFO 292.

What are the requirements?
If you are a general insurance broker holding an AFS licence (or an [authorised] representative of a licensee) that receives monetary benefits (e.g. commissions) in connection with issuing or selling general insurance to a retail client while providing, or being likely to provide, personal advice to that client, you must:
- obtain the client’s informed consent to receive the benefit before the insurance is issued or sold;
- have the client’s written consent (or a copy of it), or a written record of any verbal consent that the client gave; and
- as soon as practicable after the client provided informed consent, give the client a copy of the written consent, or a copy of the written record of the client’s verbal consent.

What does this mean in practice?
- The informed consent requirement applies to monetary benefits received by brokers from insurers (including underwriting agencies & Lloyd's coverholders) given in connection with general insurance issued or sold after 9th July 2025 (including renewals after that date).
- If a broker is an authorised representative, the obligation applies to you in your capacity as an authorised representative.
- Personal advice is financial product advice where the broker has considered one or more of the client's objectives, financial situation and needs, or a reasonable person might expect the broker to have considered one or more of those matters. All other financial product advice is general advice.
- The informed consent requirement does not apply to monetary benefits given in connection with insurance issued or sold by AFS licensees and representatives if only general advice is provided or likely to be provided. If the situation involves both general advice and personal advice, the informed consent requirement applies to these benefits.
- The informed consent requirement does not apply to the giving of non-monetary benefits (e.g. education and training) to AFS licensees or representatives in connection with issuing or selling insurance. Note that AFSL general obligations ‘efficient, honest & fair’ and ‘conflicts of interest’ would apply to these arrangements, especially if they are used to ‘disguise’ otherwise commission payments. This would also be misleading or deceptive conduct.
- If you are paid a monetary benefit without obtaining informed consent from your client, the monetary benefit you receive will breach the ban on conflicted remuneration. The consequences of breaching this ban could include a civil penalty, a banning order, or AFS licence suspension or cancellation.

What must be provided to the client before they provide informed consent?
Before a client can provide informed consent, you must disclose the following information to them: […]

Managing compliance in General Insurance through obligations and key controls

‘Documentation helps you demonstrate whether or not you are complying with the general obligations.’ – ASIC RG 104.26

Insurers, underwriting agencies, TPAs, Lloyd's coverholders, insurance brokers and claim service suppliers have a myriad of obligations to comply with. The processes, procedures, systems and people through which you comply with your obligations are collectively known as your ‘compliance measures’. Your compliance measures, together with your governance mechanisms, should work as an operating rhythm that manages your obligations in a systematic manner, incorporates changes, evolves as your business grows and responds to the external environment. The Risk & Compliance Manuals that I design and tailor for my general insurance clients achieve this purpose through the following:

1. Identifying the source of your obligations
The source of your obligations is defined by:
- Who are you? – an APRA regulated insurer holding an AFS Licence and who subscribes to the GI Code has different obligations to a NIBA insurance broker who is an authorised representative of a Licensee.
- Who do you act on behalf of? – an underwriting agency or material service provider acting on behalf of an insurer, or an insurance broker acting on behalf of a client?
- What do you do? – provide financial advice, issue general insurance products, provide a claims handling service or are a claims service supplier to an APRA regulated insurer
- How do you do it? – do you distribute direct or through brokers, do you sell through human interaction or automated processes, do you provide claims under your licence or through a TPA?
- Who are your clients? – retail or wholesale clients, consumer insurance contracts or other insurance contracts, standard form contracts

2. Capture your obligations
For my smaller-medium sized clients I capture obligations within their Risk & Compliance Manual, providing a single source document. Larger clients usually have a stand-alone obligations register. The manual or register should also include the source of the obligations (e.g., Section 912A(1)(a) Corporations Act or paragraph 21 GI Code of Practice); this enables the reader to deep-dive into the actual obligation when required.

3. Assign key controls
This is the heart of ensuring your compliance measures are adequate. Key control(s) are assigned to each obligation, so that the obligation is managed within risk appetite. The focus of the Board, Senior Managers and Risk & Compliance Committee now shifts from the numerous obligations to a suite of more manageable key controls.

4. Test your key controls
A key control that is not periodically tested is no control. Testing should incorporate (1) design effectiveness – is it fit for purpose? and (2) operational effectiveness – is it operating as intended? Gaps must be identified, reported and closed out in a timely manner. The gaps must be assessed for regulatory or Code breaches. You must have a control testing program.

5. Monitoring and reviewing your compliance measures
Your compliance measures must be monitored on an ongoing basis. An effective risk & compliance operating rhythm generates data – incidents, complaints, control testing, file reviews, attestations, […]

The Insurance Contracts Act – ASIC’s powers

In its preamble, the Insurance Contracts Act is

an Act to reform and modernise the law relating to certain contracts of insurance so that a fair balance is struck between the interests of insurers, insureds and other members of the public and so that the provisions included in such contracts, and the practices of insurers in relation to such contracts, operate fairly, and for related purposes

The Act provides the foundation of insurance: the Utmost Good Faith, and for consumer insurance contracts ‘the insured's duty to take reasonable care not to make a misrepresentation.’ The powers that ASIC has under the Insurance Contracts Act add significant weight to ASIC’s enforcement tool-kit and their already far-reaching enforcement powers under the ASIC Act & Corporations Act.

ASIC responsible for general administration of Act
The Insurance Contracts Act (Act) is one of several financial service laws referenced in section 912A(1) Corporations Act. AFS Licensees must:
- comply with the financial services laws (s912A(1)(c)); and
- take reasonable steps to ensure that its representatives comply with the financial services laws (s912A(1)(ca))

Powers of the ASIC (section 11B)
ASIC’s powers are set out in Part IA of the Act. ASIC has the general administration of the Act (s11A). ASIC has power to do all things that are necessary or convenient to be done in connection with the administration of the Act and, without limiting the generality of that power, has power:
(a) to promote the development of facilities for handling inquiries in relation to insurance matters;
(b) to monitor complaints in relation to insurance matters (note that this is in addition to Corporations Act and enforceable paragraphs of RG 271);
(c) to liaise generally with other persons or bodies having a responsibility to deal with inquiries, complaints and disputes concerning insurance matters (such as Code Governance Committee and AFCA);
(d) to review documents (including documents promoting particular kinds of insurance cover) issued by insurers (such as PDS, TMD, key fact sheets etc) and given to ASIC in compliance with section 11C;
(e) to review particulars, statistics and documents given to ASIC in compliance with section 11D; and
(f) to monitor legal judgments, industry trends and the development of community expectations that are, or are likely to be, of relevance to the efficient operation of the Act; and
(g) to promote the education of the insurance industry, the legal profession and consumers as to the objectives and requirements of the Act.

Supervisory powers – ASIC may obtain insurance documents (section 11C)
1) ASIC may, for any purpose connected with the general administration of the Act, require an insurer, within 30 days (following ASIC's written notice), to provide:
(a) documents specified in the notice relating to insurance cover provided, or proposed to be provided, by the insurer; or
(b) documents relating to insurance cover of a kind specified in the notice provided, or proposed to be provided, by the insurer.
Non-compliance without reasonable excuse is a strict liability offence.

Supervisory powers – ASIC may review administrative arrangements (section 11D)
ASIC may require an insurer to give to ASIC, within 30 days of receipt of […]

How the GI Code of Practice responds to catastrophes

As Tropical Cyclone Alfred approaches Queensland & Northern NSW, it is appropriate for general insurers, underwriting agencies, brokers, insurance claim managers and service suppliers to consider how the GI Code of Practice (Code) responds to Catastrophes.

Firstly, for consumers, the ICA has advised that, to prepare, residents should, where possible:
- Clear their property and gutters of loose material that could cause injury or damage during extreme winds or heavy rain, including moving outdoor furniture and pool accessories
- Secure boats or vehicles and move their car under cover
- Place important documents and valuables in plastic bags or other waterproof containers and put them in a safe place
- Check their emergency kit is ready and nearby
Insurance disaster response specialists are on standby, and the Insurance Council is liaising with the State Government, Queensland Reconstruction Authority and the National Emergency Management Agency in preparation.

Code overarching obligations
Insurers & their Distributors and Service Suppliers will be honest, efficient, fair, transparent and timely in dealings with customers. This is the Code’s overarching obligation to consumers and continues during Catastrophes (paragraph 21).

Fast-tracking urgent claims
Where an event (for example, a natural disaster) has caused an insured to be in urgent financial need of the benefits they are entitled to under the policy, insurers will do either or both of the following:
- fast-track both the insurer's assessment of the claim and the process followed to make a decision about the claim;
- pay an advance amount to help ease an urgent financial need – insurers will do this within 5 Business Days after demonstration of an urgent financial need.
If the insured is not happy with the insurer's response to a request about urgent financial need, then the insurer must tell the insured about their Complaints process. (paragraphs 64-66)

Claims for total loss
When an insured has suffered a total loss, the insurer and Service Suppliers will treat the claim with sensitivity. If the claim has been accepted for a total loss under a home building and home contents insurance policy and the insured is unable to provide proof of ownership for the relevant insured property because it was lost in or damaged by the insured event (and ownership is clear), insurers will not:
- require proof of ownership; or
- require a list of insured property that was lost or damaged.
(paragraph 80)

Responding to Catastrophes
Insurers will respond to Catastrophes efficiently, professionally, practically and compassionately. Insurers will co-operate and work with the Insurance Council of Australia on industry coordination and communications under the Insurance Council of Australia’s industry Catastrophe coordination arrangements. If an insured has a property claim resulting from a Catastrophe and the insurer has finalised the claim within 1 month after the Catastrophe event causing the loss, the insured can request a review of the claim if they think that assessment of the loss was not complete or accurate, even though a release was signed. Insureds have up to 12 months from the date of finalisation of the claim to ask for a review of […]

Managing conflicts of interests in General Insurance

AFS Licensees must have in place adequate arrangements for the management of conflicts of interest that may arise wholly, or partially, in relation to activities undertaken by the licensee or an employee, authorised representative or any other person acting on behalf of the licensee (section 912A(1)(aa) Corporations Act).

ASIC notes the underlying principles for this obligation (refer RG 181.13 and 181.14):

Adequate conflicts management arrangements help minimise the potential adverse impact of conflicts of interest on clients. Conflicts management arrangements thereby help promote consumer protection and maintain market integrity. Without adequate conflicts management arrangements, licensees whose interests conflict with those of the client are more likely to take advantage of that client in a way that may harm that client and may diminish confidence in the licensee or the market.

and

Having adequate conflicts management arrangements should also help a licensee ensure that the quality of their financial services is not significantly compromised by conflicts of interest. The quality of a service is significantly compromised if the service is of materially lesser quality than the licensee would have been likely to provide if they were not subject to the relevant conflict of interest.

Examples of Conflicts of Interest in General Insurance
Typical examples include:
- having a family or personal relationship with a client, such as a family member holding an insurance policy with your company and making a claim on that policy while you are an underwriter/claims handler at that company, or your partner working at an insurance broker with whom your company does business;
- having an interest in a service supplier who provides services to your business;
- receiving confidential non-public information (as a broker or underwriter) about an insured who is an ASX listed company and using that information to trade on the stock exchange prior to any public disclosure by the ASX listed company, or informing another person who subsequently trades (insider trading);
- brokers (when acting on behalf of an insured) receiving commissions, profit share or other monetary arrangements or non-monetary benefits from an insurer such as IT systems, training, marketing etc;
- acting on behalf of an insured in a third-party claim where indemnity may be declined in full or in part, or acting on behalf of 2 or more insureds in the same insurance claim;
- brokers acting for 2 or more clients who are looking to enter (or have entered) into a contractual relationship;
- underwriters or brokers with aggressive sales targets based on volumes without any counter-balancing metrics;
- receiving gifts, benefits, gratuities or entertainment from a provider;
- brokers or service suppliers having equity in an insurer or underwriting agency; and
- being a director on a board of a client.

Retail or wholesale clients
A licensee’s obligation to manage conflicts of interest does not depend on whether its clients are retail or wholesale. Licensees must have adequate arrangements to identify and manage all conflicts of interest (other than those that occur wholly outside a licensee’s financial services business), whether they relate to retail clients or wholesale clients. Licensees […]

Placing business with an unauthorised foreign insurer

Brokers generally place business with Insurers and Lloyd's underwriters authorised under the Insurance Act (sections 12 and 93 respectively). This includes a foreign general insurer who is authorised under section 12 of the Act. The purpose of being APRA authorised to carry on insurance business in Australia is to protect our local market and policyholders. There are inherent protections in the Insurance Act and through the Prudential Standards issued by APRA. This protection flows through to an Underwriting Agency or Lloyd's Coverholder who acts on behalf of an APRA regulated insurer (including Lloyd's underwriters). Additional consumer protection arises under financial service laws.

When can an Insurance Broker place business with an Unauthorised Foreign Insurer (UFI)?
Our laws recognise that the Australian market relies on the global insurance market to adequately meet the needs and requirements of Australian businesses, hence there is a mechanism available to use a UFI (or DOFI) in certain circumstances. Section 3A of the Insurance Act and the Insurance Regulations 2024 provide 4 exemptions:
- High-value clients;
- Insurance for atypical (or unusual) risks;
- Insurance required by foreign law; and
- Risks that cannot be reasonably placed in the Australian market.

High-value clients
A person is a high-value insured at a time (the test time) in a financial year if:
(a) the average of the person’s Australian operating revenue for the 3 previous financial years is at least $200 million; or
(b) the average of the person’s gross Australian assets for the 3 previous financial years is at least $200 million; or
(c) the average of the person’s number of Australian employees for the 3 previous financial years is at least 500.

Insurance for atypical (or unusual) risks
This exemption applies to a contract of insurance if each risk insured under the contract is a risk of any of the following:
(a) loss or liability arising from the hazardous properties (including radioactive, toxic or explosive properties) of nuclear fuel, nuclear material or nuclear waste;
(b) loss or liability arising from the hazardous properties of biological material or biological waste;
(c) loss or liability arising from war or warlike activities (within the meaning of the Insurance Contracts Regulations 2017);
(d) loss or liability arising from a terrorist act (within the meaning of section 100.1 of the Criminal Code);
(e) liability arising from health-care related research;
(f) loss of, or liability arising from the operation of, a space object (within the meaning of the Space (Launches and Returns) Act 2018);
(g) liability arising from the ownership or operation of an aircraft (but not loss of the aircraft or its cargo);
(h) liability and expenses arising from a person owning, chartering, managing, operating or being in possession of a vessel other than a pleasure craft (within the meaning of subsection 9A(2) of the Insurance Contracts Act 1984);
(i) loss or liability arising from equine mortality or fertility and related risks. However this does not apply to Equestrian packages (as defined in the Reg);
(j) loss or liability incidental to a loss or liability mentioned in paragraphs (a) to (i).

Insurance required by foreign law
If a law of a foreign country requires that the […]

Demystifying the roles and responsibilities of a Responsible Manager

The obligation (also refer RG 105)
If you are an AFS licensee, you must maintain the competence to provide the financial services covered by your AFS licence: see s912A(1)(e) of the Corporations Act. ASIC refers to this obligation as the ‘organisational competence obligation’. This is because this obligation requires you to be competent at the organisational level. You need to nominate responsible managers who:
- are directly responsible for significant day-to-day decisions about the ongoing provision of your financial services;
- together, have appropriate knowledge and skills for all of your financial services and products; &
- individually, meet one of the five options for demonstrating appropriate knowledge and skills (Table 1 RG 105).
If you breach or are likely to breach the organisational competence obligation, you may need to notify ASIC of that breach: see s912DAA.

Nominating responsible managers
The people you nominate as responsible managers must have direct responsibility for significant day-to-day decisions about your financial services. In the context of general insurance, together, your responsible managers must have the skills & knowledge in:
- providing financial product advice or general advice only; and/or
- dealing in a general insurance product, including (a) issuing [typically insurers or underwriting agencies] or (b) on behalf of another person [typically insurance brokers]; and/or
- claims handling and settling services (a) by an insurer or acting on behalf of the insurer [typically underwriting agencies or insurance claim managers] or (b) on behalf of the insured [claimant intermediaries].
The number of people you need to nominate as responsible managers will depend on the nature, scale and complexity of your business. However, ASIC expects that you will nominate at least two responsible managers. If you are heavily dependent on the competence of one or two responsible managers (e.g. in a small organisation with one or two principals), ASIC will generally impose a ‘key person’ condition on your AFS licence.

Tips to assist in meeting your personal obligations
As a responsible manager you need to stay across the business operations. I provide the following practical advice to my clients:
- all responsible managers should work together as a team, regularly meeting to exchange views and observations and share concerns
- receive regular risk & compliance dashboard reporting – complaints, incidents & breaches, QA & audit outcomes, control breakdowns, breach remediation & rectification updates, control testing outcomes, risk profiles & training completion
- keep across industry issues such as AFCA complaints & regulatory and Code reviews
- engage with the internal risk and compliance committee, CRO, directors, management & external auditors
- be curious – ask questions
- look behind the data, what is it telling you? A lack of data is not healthy
- the effectiveness of your compliance arrangements and monitoring program to meet licence, regulatory and Code obligations
- the adequacy of your incident & breach reporting and dispute resolution systems.

Notifying ASIC of changes to your responsible managers
You must advise ASIC within 30 business days of adding or removing a responsible manager. You need to complete the relevant sections of Form FS20 and lodge it […]

Aligning compliance obligations to the customer journey

It can be difficult for insurers, underwriting agencies, insurance brokers and other distributors to consistently meet compliance obligations to customers, especially when processes are not automated. A simple way to think about compliance obligations is to align them to the customer journey. This can be reduced to a 1 page ready-reckoner for all sales staff, account executives, business development managers & authorised representatives.

Pre-appointment or pre-purchase
During this stage of the customer journey the customer is considering their insurance needs and may engage an insurance broker or shop around online.
- Insurance brokers, who are NIBA members and subscribe to the Insurance Brokers Code of Practice, must provide a Terms of engagement to a prospective client who agrees to engage the broker.
- Underwriting Agencies or Insurers selling direct must not engage in misleading or deceptive conduct, whether through their website, advertising or otherwise, & must comply with the hawking prohibitions in respect of retail clients. These obligations also apply to Insurance Brokers.
- Referrers of Agencies, Insurers or Brokers can only ‘refer’ the client to the financial service provider and must disclose any payment for the referral.
- All licensees & ARs must be efficient, honest & fair when providing their financial services.
- Insurers and their distributors, under the GI Code, must be honest, efficient, fair, transparent & timely in all dealings with the customer.
- NIBA Insurance Brokers must act honestly and with integrity in all dealings with clients under the Insurance Brokers Code.
- All staff must be trained and competent to provide the financial services.

Purchasing general insurance products
Before providing the financial services, a licensee or authorised representative must provide an FSG if the services are to be provided to a Retail client. Having said that, it's best practice to provide an FSG to all clients. Before providing any financial product advice, a general advice warning must be provided to a retail client if providing general advice, and brokers providing personal advice must be aware of the modified best interest duty for general insurance & provide a Statement of advice for sickness & accident insurance. In addition, for retail product distribution, insurers and Agencies must ensure that a TMD is available, usually on their website, and the direct sales process is aligned to the TMD. Brokers must ensure they distribute the insurance products in accordance with the TMD.

The sales process
Where relevant, the deferred sales-model for add-on insurance must be complied with where an insurance product is sold or offered for sale at the time of purchasing a primary product and an insurance product exemption does not apply. At the start of the sales process the underwriting agency or insurer must determine whether the general insurance product is a consumer insurance contract; if so, the insured’s duty to take reasonable care not to make a misrepresentation applies, otherwise the duty of disclosure applies. Brokers should take care when commencing renewal activities to clarify with the agency or insurer whether the product is being treated as a consumer insurance contract (in […]

The Passion of Compliance

I was talking to my ‘coffee guy’ at my local cafe this morning (he is also a small business owner) about how well my compliance business is travelling and he commented, ‘it’s because you love what you do.’ As I was walking back home, sipping my coffee (pure bliss), I reflected on his comment and how it aligned to my compliance mantra: the purpose of compliance is to ‘protect what matters’.

Protecting what matters

Compliance is about placing ‘what matters’ at the heart of everything we do & building layers of protection around that heart. What matters? Our customers & clients, our people, our business, our business partners & stakeholders and the wider community. The pillars of compliance provide the foundation for the layers of protection. The 4 pillars of compliance are:
– Governance & frameworks
– People & culture
– Procedures & process
– Systems & reporting

These 4 pillars work together to provide robust compliance arrangements. Protecting what matters is designed on a fortress of layers of protection:
– Compliance arrangements
– People
– Monitoring program
– Culture

The Compliance model for General Insurance is represented diagrammatically:

The importance of people

As you will observe from the Compliance Model, people are critical to the strength of the Compliance Model. People include employees, directors, authorised representatives, service suppliers & fulfillment providers: anyone who is providing the financial services on your behalf.
We need people to:
– identify and self-report incidents and complaints quickly;
– follow process and procedures (doing the right thing);
– meet their continual development training requirements;
– understand the obligations that apply to their business area;
– test the controls that manage the obligations applying to their area;
– genuinely care about protecting the business, customers, colleagues and partners;
– close out gaps identified through reviews, monitoring and audit activities; and
– generally be compliance-focused.

Simply, without people, the Compliance model collapses and harm & detriment results:
– complaints & breaches increase
– regulator scrutiny of the business intensifies
– business partners raise issues and concerns
– customers are impacted
– management time is lost focusing on customer remediation and rectification
– reputational & financial impacts are felt
– the risk of civil penalties
– naming & shaming
– the risk of banning & disqualification
– the risk of product stop orders

Simply, trust is eroded.

The test of ‘engaged people’

A simple test of whether your people are truly engaged in compliance is to look at your registers: incidents, breaches, complaints, conflicts, training etc. Are they well populated, indicating that people are engaged, taking an active role in compliance, and compliance is part of what we do around here, or are they empty or contain a small number of entries? Do people actively attend compliance training? Do people actively close out issues ahead of time? Do people view compliance as an addition to their role or as part of their role? Do leaders talk about the importance of compliance in the same tone & passion as when they talk about their family and other things they love, care about & want to protect? Connecting the heart with the […]

The importance of Governance in General Insurance

Governance is a system that provides a framework for managing organisations. It identifies who can make decisions, who has the authority to act on behalf of the organisation and who is accountable for how an organisation and its people behave and perform. A simple illustration of good governance is the doctrine of the separation of powers. The doctrine of the separation of powers divides the institutions of government into three branches: legislative, executive and judicial: the legislature makes the laws; the executive puts the laws into operation; and the judiciary interprets the laws. Governance is about the time you dedicate to working ‘on’ your business, rather than ‘in’ it. This includes all the checks and balances you put in place to ensure your business runs smoothly, meets its objectives, stays out of trouble and protects the things that matter (your business, people, customers, business partners and other key stakeholders).

The elements of Governance for General Insurance

A system of good Governance comprises the following elements:

A framework approach – frameworks provide a system of consistency of approach ensuring that an operating rhythm is created for risk & compliance. A framework ensures that the risk & compliance measures of a business evolve as the business grows & adapts to internal & external change.

Roles and responsibilities – clarity and accountability of who does what is important – ‘doing, monitoring and oversight’ require separate & independent people, boards or committees with a specific focus and purpose (documented through position descriptions and charters). Examples of roles & responsibilities in insurance include directors, officers, responsible persons (FAR), responsible managers (AFSL) and fit & proper people (AFSL). Aligned to roles and responsibilities is delegated authority, the 3 lines of defence model & reporting lines.

Delegated authorities – the key to DA is the source of ultimate authority. Typically this will be the Board, SOOA (for foreign insurers) or business owner(s). Authority provides a mechanism to manage decision-making. Authorities (underwriting, claims, financial, strategy etc) are linked to experience, skills and knowledge, therefore ensuring decisions are being made by the appropriate people. The key to delegated authority is that you can’t give (authority) what you don’t have.

3 lines of defence model – conceptually, the 3 lines of defence model continues to be the fundamental cornerstone of good governance across general insurance. The 1st line, typically business operations, manages risk & compliance, the 2nd line provides frameworks, oversight, monitoring and advice while the 3rd line is Internal Audit. Significantly, APRA Prudential Standards create the role of the Auditor with reporting obligations to the Board and separate & distinct obligations to APRA, ensuring a degree of independence. The key to the 3 lines of defence model is based on the doctrine of the separation of powers – each line is separate from, and has a degree of independence from, the other lines.

Reporting lines – it’s critical that organisation structures and reporting lines enable unfettered ability to perform work and discharge responsibilities. For example, 2nd line risk […]

The benefits of mapping key insurance processes to manage the risk of disruption to your business

The white noise associated with APRA Prudential Standard CPS 230 in connection with material service providers has tended to distract from the benefits of CPS 230. It should be remembered that CPS 230 includes an amalgamation of 2 existing prudential standards:
– CPS 231 Outsourcing; and
– CPS 232 Business continuity management

With effect from July 2025, outsourcing and business continuity management for general insurers will be governed by CPS 230. CPS 230 requirements only apply to General Insurers who are authorised by APRA under section 12 of the Insurance Act. However, CPS 230 and the associated Prudential Practice Guide CPG 230 (PPG CPG 230) provide very useful guidance and information for anyone operating a business in general insurance including Underwriting Agencies, TPAs, Insurance Brokers and service providers. It should be remembered that holders of an AFS Licence must have adequate risk management systems. Business continuity and outsourcing are a critical part of risk management.

Process mapping material business processes

APRA expects that, in implementing CPS 230, a prudent general insurer would start with the identification of its critical operations. A general insurer would (see paragraph 2 PPG CPG 230):
a) identify its critical operations (note that claims processing is a deemed critical business operation for an insurer however any other critical operation must also be identified);
b) set tolerance levels for disruption of these critical operations; and
c) identify the processes and resources needed to deliver these critical operations, including material service providers.

Identification of critical (or material) business operations is a very sensible starting point.

Business continuity steps

As mentioned, business continuity applies not only to general insurers but is also relevant for Underwriting Agencies, TPAs, Insurance brokers and anyone providing general insurance products or services.
Here are some simple steps to get you started:

Identify, at an enterprise level, material business activities such as distribution, underwriting, claims, broking, complaints, information management, marketing etc.

For each of the material business activities, map out the end-to-end, 5-10 key sub-activities that, combined, enable the material business activity to be delivered. As an example, think about the end-to-end process for claims: FNOL, assessment, claim decision etc.

Consider each of the sub-activities in terms of people, IT, process, outsourcing & information (collectively resources). This provides a matrix of sub-activities x resources needed to deliver your material business activities. This information alone provides very useful insights into managing your business and business risks.

Consider the tolerance level for each of the sub-activities in the event of a disruption to any of the identified resources. Tolerances should be set based on (refer PPG 230 paragraph 32):
– the impact on customers and other stakeholders of a disruption;
– the financial and reputational impact on your business from a prolonged or material disruption;
– the financial and reputational impact on the broader financial system, including any flow-on effects or contagion;
– legal or regulatory requirements; and
– recovery objectives.

Factors to consider when setting tolerances include (refer Table 4 PPG CPG 230): (i) the maximum allowable disruption period; (ii) the minimum […]

Returning to work – kick-starting compliance in general insurance

Compliance never sleeps; however, it may slow down while we take a well-deserved break. How do you kick-start compliance to ensure that compliance is protecting what matters – your business, people, customers, business partners and other key stakeholders? There are a few simple steps that you should take.

Incidents are a critical source of information, including as an early-warning system for potential breaches. It’s important that staff, authorised representatives and material service providers are reminded of their obligations to raise and report incidents. This could be as simple as an email with a FAQ, checklist, link to the incident management system etc and through leader-led team meetings.

Complaints go hand-in-hand with incidents as a critical source of information and business continual improvement, in addition to meeting obligations under RG 271 and Code. A quick refresher to staff and representatives in combination with incidents is all that is needed to get complaints back to front-of-mind.

Storm season – most teams are returning to full resourcing during the middle of storm season in Australia, therefore transitioning back to a sense of heightened alert is critical. A reminder of event plans at a team morning tea is a great refresher to shift minds from holiday mode to event readiness mode. This includes IDR teams and service providers.

Regulatory change projects – it’s likely that CPS 230, Privacy Act amendments and other regulatory changes were paused over the break. It’s time to reignite the projects and enthuse the teams. A workshop to recap the purpose, the plan & timeframe, the successes achieved to date and what lies ahead, is an awesome way to get the wheels of the project team spinning again and moving the project ahead with a sense of urgency.
Monitoring of internal teams, authorised representatives, material service providers and any other person providing insurance services or products on your behalf is essential to ensure that obligations are being met and that compliance measures are operating effectively to protect the business & customers. January is a great time to revisit your Monitoring program and pause to reflect on its effectiveness in meeting AFSL, Code and upcoming CPS 230 requirements. Don’t have a Monitoring Program? January is also a great time to develop and implement a tailored monitoring program (contact me for assistance).

ASIC IDR data reporting – it’s time to submit an IDR report to ASIC for the reporting period 1 July to 31 December. A two-month submission window is now open and closes end of February. Failure to report IDR data is a reportable situation to ASIC. Contact me for assistance or read more about your IDR data reporting obligations here.

Training – if you are half-way through your financial year or at the end of your calendar year it’s nevertheless a good time to review how your staff are progressing with their training. It’s mandatory for AFS Licensees to maintain a training register so it should be a relatively easy exercise to see who is lagging and needs a gentle reminder about the importance of […]

The general obligations of an AFS Licensee in General Insurance

Financial services relevant for general insurance are: providing financial product advice; dealing in a financial product; and providing a claims handling and settling service. Section 912A(1) Corporations Act (also refer RG 104) sets out the general obligations that an AFS licensee in general insurance must comply with:

(a) A licensee must do all things necessary to ensure that the financial services covered by the licence are provided efficiently, honestly and fairly. This is a broad and overarching obligation. Generally speaking, an insurer who fails to act with the utmost good faith (under the Insurance Contracts Act) would also fail to provide the financial services efficiently, honestly and fairly. Subscribing to and complying with the standards and timeframes of the General Insurance Code of Practice or Insurance Brokers Code of Practice are typically a strong indicator of a commitment to providing the financial services efficiently, honestly and fairly (refer ASIC INFO 253).

(aa) A licensee must have in place adequate arrangements for the management of conflicts of interest that may arise wholly, or partially, in relation to activities undertaken by the licensee or a representative of the licensee in the provision of financial services as part of the financial services business of the licensee or the representative. The 3 ways to manage conflicts are (refer RG 181):
– disclosing the conflict;
– managing the conflict through controls; and/or
– avoiding the conflict

(b) A licensee must comply with the conditions on the licence.

(c) A licensee must comply with the financial services laws. These laws include:
– Corporations Act
– ASIC Act
– Insurance Contracts Act
– Insurance Act (plus a number of other Acts applying specifically to general insurers)
– Privacy Act

(ca) A licensee must take reasonable steps to ensure that its representatives comply with the financial services laws. Representatives include employees or directors of the licensee or of a related body corporate of the licensee, authorised representatives and any other person acting on behalf of the licensee. This is often referred to as the ‘monitoring obligation’ and should be incorporated in a Monitoring program that also includes CPS 230 (for general insurers in context of material service providers) and the responsibilities under the GI Code & Brokers Code for the conduct of employees, authorised representatives, distributors and service suppliers.

(d) A licensee must have available adequate resources (including financial (refer RG 166), technological and human resources (refer RG 104)) to provide the financial services covered by the licence and to carry out supervisory arrangements. Note that this requirement does not apply to APRA regulated insurers. General insurers authorised under section 12 of the Insurance Act (including foreign general insurers) must comply with APRA Prudential Standards such as CPS 220, CPS 230 and CPS 234 while Lloyds underwriters (authorised under section 93 of the Insurance Act) must comply with the FCA UK Prudential Standards.

(e) A licensee must maintain the competence to provide those financial services. This obligation requires that the licensee must have sufficient Responsible Managers […]

ASIC & authorised representatives – lessons for Insurance Brokers

ASIC’s investigation into Sanlam Private Wealth Pty Ltd (Sanlam) uncovered concerns that the AFS licensee had breached its general obligations, including by failing to adequately supervise its many authorised representatives and corporate authorised representatives. (ASIC Media Release MR 24-290)

ASIC Deputy Chair Sarah Court said, ‘At one point, Sanlam had 42 CARs and 71 authorised representatives operating under its licence. Despite this, it had plainly inadequate resources and processes to ensure its diverse cohort of authorised entities complied with the law and to oversee those who used its licence to offer risky financial products to retail clients.

‘Licensees like Sanlam must have robust compliance processes that are fit-for-purpose to ensure that those who operate under their licence comply with the law and don’t place Australian investors at risk.’

Sanlam admitted to breaching its licensee obligations and provided a court enforceable undertaking to ASIC. Under section 93AA of the ASIC Act, Sanlam has offered, and ASIC has agreed to accept as an alternative to pursuing civil penalty proceedings, the undertakings.

Insurance brokers

Insurance brokers often use a network of authorised representatives as a viable business model. An insurance broker, as an AFS licensee, must monitor its authorised representatives and ensure they comply with financial service laws & are trained & competent. Additionally, under the NIBA Code of Practice, brokers must ensure authorised representatives comply with the Code.
The undertakings to ASIC in the Sanlam case provide some useful insights for insurance brokers:
– Due diligence must be undertaken and continue on an ongoing basis to review the ARs’ suitability to operate under the broker’s AFSL;
– A formalised & systematic review process must be implemented to assess whether employees and ARs are complying with financial service laws;
– Informal processes and self-reporting by ARs are not, of themselves, adequate as a supervisory mechanism;
– Brokers must have adequate human resources directed to risk management or overseeing an effective review programme to monitor ARs (my observation – the ‘adequacy of human resources’ should be included as a standing agenda item for the broker’s Risk & Compliance Committee);
– Brokers should develop a human resourcing plan consistent with their current and future needs;
– Brokers should have an adequate, documented succession plan when heavily dependent on 1 or 2 people and especially when a ‘key person requirement’ condition is included on their licence;
– Brokers must have an adequate number of Responsible Managers for the number and breadth of ARs, and those Responsible Managers must devote sufficient time to effectively discharge their duties as a responsible manager;
– Brokers must also adequately document and implement processes to ensure they have the appropriate number of suitably qualified RMs having regard to the financial services provided, the complexity of those services, as well as the number and breadth of ARs authorised. There also needs to be an adequate and structured process to assess the ongoing suitability of their RMs (my observation – the ‘suitability of responsible managers’ should be included as a standing agenda item for the broker’s Risk & Compliance Committee);
– Brokers must implement a […]

Paul’s 10 ‘Rules of thumb’ for General Insurance compliance

Compliance in General Insurance can be complex. Over the years I have developed Paul’s ‘Rules of Thumb’ to assist in simplifying compliance for my clients. Naturally, when considering compliance arrangements the complete obligation needs to be considered; however, the following can be adopted by front-end staff as a mantra.

1. Start with Codes – when designing compliance arrangements, start with the GI Code and/or Insurance Brokers Code. Codes go beyond the law and are customer friendly; the end result is a more dynamic and customer experience based compliance approach. It is still necessary to bring in financial service laws, however starting with Codes assists in developing a customer centric approach to compliance.

2. Align disclosures with the customer experience – aligned with Rule of Thumb 1, General Advice Warnings, FSG, PDS and many other obligations for Retail Clients have timing requirements (when to provide the notice or warning). Aligning these compliance requirements with the customer sales experience provides a more meaningful & contextual approach for front-end staff.

3. APRA or ASIC – APRA is primarily focused on policyholder protection (carrying on insurance business in Australia) while ASIC is primarily concerned with consumer protection (carrying on a financial services business in Australia).

4. Advice – when a sales person or distributor or broker or underwriter talks to a client/customer, assume they are providing advice.

5. Cash Settlement Fact Sheet (CSFS) – if a PDS has been provided to a client, & that PDS states that claim settlement options include repair or replace, a CSFS will be required to be provided when settlement is to be via a cash settlement.

6. An incident is where something has happened that wasn’t supposed to happen. The intention is for front-end staff to report as many incidents as possible. A trained person can then filter/triage as necessary.

7. A complaint is where a customer is not satisfied with an outcome. The intention is for front-end staff to report as many complaints as possible. A trained person can then filter/triage as necessary.

8. Commissions are an inherent conflict of interest, and must be managed accordingly through disclosure, control(s) or avoiding.

9. Financial Service laws are technology-neutral; the obligation applies irrespective of whether performed by a human or technology (including AI).

10. If in [compliance] doubt, speak to Paul.

The key theme from my ‘Rules of Thumb’ is to create simple, meaningful messages for front-end staff as a quick reminder of important compliance obligations. Engaging with customers and clients can be challenging, with complex problems requiring a solution. Simple tips and messaging enable compliance to be part of the solution.

Using AI ‘efficiently, honestly and fairly’ in insurance claims

ASIC Report 798, Beware the gap: Governance arrangements in the face of AI innovation, identified the most common uses of AI for insurance claims as:
– Supporting the claims process: claims triaging, decision engines to support claims staff, document indexation, identifying claims for cost recovery; and
– Automating a component of the claims decisioning process, but humans remain responsible for overall claims decision.

and emerging uses as:
– The use of generative AI and natural language processing techniques to extract and summarise key information from claims, emails and other key documents.

Financial service laws are technology neutral, therefore when providing claims handling and settling services using AI, the general obligation to provide those services ‘efficiently, honestly and fairly’ remains.

Providing claims handling and settling efficiently, honestly and fairly

ASIC INFO 253 provides guidance on providing claims handling and settling efficiently, honestly and fairly. To satisfy this obligation, you will generally need to handle and settle insurance claims:
– in a timely way;
– in the least onerous and intrusive way possible;
– fairly and transparently; and
– in a way that supports consumers, particularly ones who are experiencing vulnerability or financial hardship

Australia’s AI Ethics Principles

The incorporation of the eight Australian AI Ethics Principles in AI policies and procedures is supported by ASIC, and should be used when adopting AI in claims processing. The 8 AI Ethics Principles are:
– Human, societal and environmental wellbeing: AI systems should benefit individuals, society and the environment.
– Human-centred values: AI systems should respect human rights, diversity, and the autonomy of individuals.
– Fairness: AI systems should be inclusive and accessible, and should not involve or result in unfair discrimination against individuals, communities or groups.
– Privacy protection and security: AI systems should respect and uphold privacy rights and data protection, and ensure the security of data.
– Reliability and safety: AI systems should reliably operate in accordance with their intended purpose.
– Transparency and explainability: There should be transparency and responsible disclosure so people can understand when they are being significantly impacted by AI, and can find out when an AI system is engaging with them.
– Contestability: When an AI system significantly impacts a person, community, group or environment, there should be a timely process to allow people to challenge the use or outcomes of the AI system.
– Accountability: People responsible for the different phases of the AI system lifecycle should be identifiable and accountable for the outcomes of the AI systems, and human oversight of AI systems should be enabled.

Licensees must consider their existing regulatory obligations

What licensees need to do to comply with their existing regulatory obligations when using AI depends on the nature, scale and complexity of their business. It also depends on the strength of their existing risk management and governance practices. This means there is no one-size-fits-all approach for the responsible use of AI. (ASIC REP 798)

ASIC provides the following examples in REP 798: Licensees must do all things necessary to ensure that financial services or credit services are provided in a way that meets all of […]

CPS 230 readiness for General Insurance

Much has been said and written about CPS 230; however, the time for talking and planning is rapidly coming to an end (& has probably passed for the large insurers). It’s time for implementation!

Debunking the CPS 230 myths

There continues to be some misinformation circulating about CPS 230, what it is and what it isn’t. Let’s deal with these first: What are the facts?

– CPS 230 (i) only applies as an obligation for insurers & (ii) only for those authorised by APRA under section 12 of the Insurance Act 1973 (Act); this means CPS 230 applies to general insurers in Australia including foreign general insurers, and does not apply to Lloyds underwriters. Lloyds underwriters are authorised under section 93 of the Act and do not come within the definition of General Insurers (s11 of the Act).
– Lloyds underwriters (and Coverholders) do not get a ‘free ride’. FCA UK Operational resilience rules come into effect in the UK in March 2025. Also refer to Lloyds Principle 12 Operational Resilience. The FCA rules are similar to CPS 230.
– CPS 230 compliance is not a complex technical issue per se. Much should already exist. It’s a resourcing issue, especially the work around critical operations, process mapping, controls testing, material service providers and updating existing or creating new risk artefacts. A risk person within the CRO team of an APRA regulated insurer would be very familiar with the key CPS 230 requirements: operational risk, tolerance levels, critical operations (& disruption thereof), outsourcing, business continuity, risk profile, control testing and scenarios.
– Service providers do not have any obligations under CPS 230. CPS 230 is the insurer’s responsibility. The obligations for service providers manifest when they perform critical operations for the insurer (for general insurance this is claim processing) or expose the insurer to material operational risk (at a minimum, for general insurance unless justified otherwise: underwriting, claims management, insurance brokerage and reinsurance). The Service Provider obligations would be reflected in the Binder Agreement and/or Service Provider Agreement as obligations imposed on the Service Provider by the insurer.
– Non-compliance with CPS 230 does have significant consequences. Section 38AA of the Act requires insurers to notify APRA of certain matters. These include immediate notification of a breach of a Prudential Standard that relates to financial obligations the general insurer has to its policy holders or to the general insurer’s minimum capital requirements & for other breaches of a Prudential Standard within 10 Business Days where the breach is significant within the meaning of s 38AA(5).

What should insurers be doing?

As I mentioned earlier, compliance with CPS 230 requires some ‘risk-thinking’ [within risk appetite]. However, CPS 230 is more of a resource and project management challenge. There are a number of risk ‘task-based’ activities that insurers should be doing now:
– identify critical operations;
– set tolerance levels;
– process mapping – identify the processes and resources needed to deliver these critical operations, including material service providers;
– updating risk artefacts: RMF, Operational risk profiles, BCP, controls and control testing including scenario […]

How healthy are your Compliance arrangements – it’s time to review your registers

A great indicator of the health of your compliance arrangements is the quantity and quality of data in your compliance registers. No data, or limited data, could indicate issues with your people and/or authorised representatives and the adequacy and effectiveness of your compliance arrangements. So what registers should you have and what should you expect to see?

Risk register

The risk register should include the 10-15 risks that could seriously impact your business operations. They should cover (as relevant) strategic risk, reputational risk, financial risk, people risk, legal risk, regulatory risk, compliance risk, conduct risk, technology risk, data risk and change management risk. The risk register should include accountability, key controls, control testing & action plans to close out any gaps arising from control testing. The risk register (plus all other registers) should be a standing agenda item at your quarterly Risk & Compliance Committee meeting where control testing outcomes, action plans, the internal & external business environment and emerging risks are discussed.

Obligations register

This register is similar to the risk register but manages your compliance obligations. The register can be a stand-alone register or, for most underwriting agencies, TPAs and insurance brokers, included as part of your Risk & Compliance Manual. The register should capture AFS Licence obligations, financial service laws (including Prudential Standards for insurers), industry Codes & obligations arising from binder & other agreements. Typically an APRA regulated insurer will have ~300 material obligations, underwriting agencies & TPAs ~130 & insurance brokers ~80. The obligations register enables a shift in focus from the large number of obligations to 20-40 key controls. You can’t manage what you don’t know; an obligations register is critical.

Conflict of interest register

Conflicts arise in many situations and are a normal part of conducting business.
Conflicts may arise from:
– family or personal relationships
– other business interests
– gifts & entertainment
– commission & fee arrangements
– related companies
– multiple directorships
– roles within an organisation – operational role v member of a risk committee

Financial service laws require licensees to adequately manage conflicts. This is usually by disclosure, controlling or avoiding. The conflict and the signed-off management of the conflict must be recorded in the conflicts register.

Incident & breach register

This register is the lifeblood of your business. People make mistakes, often. A well populated incident & breach register, covering a wide range of incidents, from a wide range of people across the business, is a sure sign of a continuous improvement culture. Incidents should be raised across all risk categories (refer risk register), not just compliance incidents. However, a compliance specialist must review the register to further investigate incidents & be on the look out for breaches or likely breaches of financial service laws or Code. Typically, APRA regulated insurers should be capturing 200-300 incidents per quarter, Underwriting agencies & TPAs 50-75 & insurance brokers 40-50. The number of incidents per quarter will be a factor of the nature, complexity & scale of your business.

Complaints register

If an incident […]

The importance of compliance training in General Insurance

The obligation to have trained, competent and experienced employees arises from many different sources of obligations:
- AFS Licence general obligations: employees must be trained & competent and comply with financial services laws. These laws include financial service obligations in the Corporations Act, misleading & deceptive conduct & unfair contract terms in the ASIC Act, APRA Prudential Standards including CPS 230 & 234, the Insurance Contracts Act and the Privacy Act;
- A person providing financial product advice must have RG 146 training. Tier 2 is sufficient for general insurance products unless the person provides product advice for sickness and accident insurance;
- Responsible Managers, Directors & Officers, Accountable Persons and Fit & Proper People should receive specific training based upon the requirements of each regulatory role;
- Under the GI Code of Practice, a requirement that employees, Distributors and Claim Service Suppliers are trained to provide their services competently;
- In addition, it’s a GI Code obligation to ensure employees are trained in respect of supporting customers experiencing vulnerability. This will most likely include trauma-based training going forward;
- Under the Insurance Brokers Code of Practice, a professional commitment that employees maintain & improve competency through relevant qualifications, continued education & training;
- Also, Insurance Brokers under the Code must ensure that their employees, Authorised Representatives and agents receive appropriate education and training.
ANZIIF CIP and NIBA CPD points
A number of organisations use ANZIIF & NIBA methodology and points as evidence of compliance with the various training obligations. This is a great start; however, ANZIIF & NIBA points are part of the membership requirements for those industry bodies. By themselves, they may not meet the various regulatory obligations.
Firms within General Insurance must stipulate specific training
A requirement to annually achieve 20/25 hours of training for CIP or CPD purposes is a good starting point; however, in order to meet the various training obligations, the training must be specific enough to meet each individual obligation. For example, a firm may mandate that employees must successfully complete 25 hours of training per year, allocated as follows:
- 7 hours for financial service laws
- An additional 3 hours for regulatory roles (responsible managers etc)
- 5 hours for the relevant GI or Insurance Brokers Code of Practice
- 3 hours on supporting customers experiencing vulnerability
- 5 hours on the products and services provided by the firm.
The remaining hours can be left to the choice of the employee, noting that ‘25 hours’ is not a magical competency figure. Competency is both a subjective and objective test. Some employees, due to the complexity of their role or their inexperience, may require additional hours beyond mandatory requirements.
The point is that general insurance firms must mandate the nature, quality and quantity of training to be undertaken, in order to meet the various regulatory & Code obligations.
Additional obligations
It is a regulatory requirement that training must be recorded in a training register. This provides evidence of meeting the AFSL general obligation; therefore the register should be maintained and kept current. Training should be provided during induction […]

ASIC sues Cbus alleging systemic claims handling failures – lessons for General Insurance

More than 10,000 members and claimants of the Construction and Building Unions Superannuation Fund (Cbus) were impacted by death benefits and total and permanent disability (TPD) insurance claims taking more than 90 days to be processed, according to allegations contained in documents lodged by ASIC in the Federal Court (Media Release 24-251MR). ASIC alleges that Cbus may have contravened the following provisions of the Corporations Act:
- ss 912A(1)(a) & (5A) by failing to act efficiently, honestly and fairly in the handling of its members’ claims for death benefit payments and TPD insurance payments;
- section 912DAA(1) and (7) for failing to lodge a reportable situation report within 30 days of becoming aware of a reportable situation; and
- section 1308(5) for failing to take reasonable steps to ensure the breach report lodged on 5 August 2023 was not false or misleading in a material particular.
ASIC is seeking penalties, declarations, adverse publicity orders and orders for compliance matters to be implemented.
What does this mean for General Insurance claims handling?
There are 3 takeaways:
- providing claims handling efficiently, honestly & fairly;
- adequate resourcing & adequately trained staff; and
- failure to take appropriate action.
Providing claims handling efficiently, honestly and fairly
As set out in ASIC INFO 253, ASIC considers that timeliness is a critical component of meeting the AFSL general obligations to provide claims handling & settling services efficiently, honestly & fairly. ASIC also considers that industry Code timeframes are useful indicators of what industry considers to be appropriate standards. In the Cbus matter, ASIC alleges that Cbus management had received reports from their outsourced material service provider that very large numbers of death & TPD claims were (1) older than 90 days & (2) even older than 365 days. Notwithstanding this data, the Board committees did not suggest any cause for alarm.
Takeaway: General Insurers, Underwriting Agencies and their claim service suppliers must not only monitor timeframes under the GI Code of Practice but also take appropriate action when data shows that timeframes are consistently not being met.
Adequate resourcing & adequately trained staff
ASIC alleges that the Cbus Risk Committee was aware that the material service provider had significant staff turnover & that the provider’s claims processing staff were not adequately trained. ASIC further alleges that Cbus failed to implement or adequately implement measures that would address the delays in processing death and TPD benefit claims.
Insurers were on notice from ASIC
ASIC wrote to insurers on 6 March 2024 (‘Obligations of general insurers: Insurance claims and severe weather events’). In that letter, ASIC set out their expectations of insurers, including:
Insurers are required to sufficiently resource claims handling and dispute resolution functions, and ensure staff are adequately trained. This is a general obligation for AFSL holders.
Relevantly, ASIC also advised insurers:
our message is that ASIC is watching how insurers support their customers very closely. Evidence of significant misconduct identified through these channels may result in enforcement action.
Takeaway: General Insurers, Underwriting Agencies and their claim service suppliers such […]

Adequate risk management systems for Underwriting Agencies enabling them to meet Insurers CPS 230 requirements

The requirement of CPS 230 for general insurers is that they must effectively manage operational risks, maintain critical operations through disruptions, and manage the risks arising from service providers. It’s the latter requirement that has caused recent tension, with APRA expressing concern with insurers’ use of Underwriting Agencies, reminding insurers that they can outsource critical underwriting & claims functions, but not accountability.
Underwriting Agencies as an AFS Licensee
It’s all well & good for insurers to impose their requirements on agencies (& rightly so, to a degree); however, among all this, it should be remembered that an Agency that holds an AFSL must comply with its obligations or face severe consequences including reputational harm & civil penalties. Somewhat ironically, this may potentially also ‘severely disrupt’ the insurer’s operations.
An Agency holding an AFSL must have adequate risk management systems. The requirement for risk management systems ensures that agencies explicitly identify the risks they face and have measures in place to keep those risks to an acceptable minimum. This requirement sounds remarkably similar to the CPS 230 requirement on insurers.
Therein lies the answer (lightbulb moment – I feel like a ‘tahdah’ is warranted at this point): the insurer meets its CPS 230 requirement to manage the risks arising from material service providers and the agency meets its AFSL obligation to have an adequate risk management system & manage its own risks.
ASIC (in RG 104) states that a licensee’s risk management systems will depend on the nature, scale and complexity of its business and risk profile. ASIC also states that the licensee’s risk management systems will need to adapt as their business develops and business risk profile changes over time. This would include enhancing the agency’s risk management system to enable it to meet the risk of their binder agreement being terminated.
Taking a step back, an insurer would eventually terminate the agency’s binder agreement if the agency presented an unmanageable CPS 230 risk (or any risk for that matter, including in respect of CPS 234 Information Security).
What does an adequate risk management system look like for an insurance Underwriting Agency?
The risk management system must not only cover the risks of the Agency but also those of any of its representatives (such as authorised reps or distributors acting under an ASIC instrument).
Risk management components:
- A risk identification (risk profiling) brainstorming session including relevant stakeholders (potentially the insurer(s)) assists in identifying material risks to the business; to ensure nothing is missed, risks are categorised. CPS 230 provides assistance, defining operational risk as legal risk, regulatory risk, compliance risk, conduct risk, technology risk, data risk and change management risk. To this you would add strategic/reputational risk and financial risk.
- Risk appetite statement (RAS) – a board/senior management approved RAS is critical to define the amount of risk the Underwriting Agency is willing to accept in pursuit of its objectives, expressed against each risk category. This can be a simple 1 pager for a typical Underwriting Agency.
- Risks should be recorded in […]

๐—ง๐—ต๐—ฒ ๐—ฏ๐—ฒ๐—ป๐—ฒ๐—ณ๐—ถ๐˜๐˜€ ๐—ผ๐—ณ ๐—ต๐—ฎ๐˜ƒ๐—ถ๐—ป๐—ด ๐—ฎ ๐˜๐—ฎ๐—ถ๐—น๐—ผ๐—ฟ๐—ฒ๐—ฑ ๐—ฅ๐—ถ๐˜€๐—ธ & ๐—–๐—ผ๐—บ๐—ฝ๐—น๐—ถ๐—ฎ๐—ป๐—ฐ๐—ฒ ๐— ๐—ฎ๐—ป๐˜‚๐—ฎ๐—น ๐—ณ๐—ผ๐—ฟ ๐˜†๐—ผ๐˜‚๐—ฟ ๐—ถ๐—ป๐˜€๐˜‚๐—ฟ๐—ฎ๐—ป๐—ฐ๐—ฒ ๐—ฏ๐˜‚๐˜€๐—ถ๐—ป๐—ฒ๐˜€๐˜€

One of the compliance services that I provide is a fit-for-purpose & tailored risk & compliance manual. All Manuals are personally designed by myself.
The benefits
- governance, risk & compliance is maintained in a single place (~30-40 pages)
- documented evidence of your arrangements that can be easily shared with others. This is particularly useful for CPS 230 & FAR when dealing with APRA regulated insurers
- the manual is an accessible learning tool for your staff
- at a glance you can view your key controls
- the manual provides you with an operating rhythm for risk & compliance
The features
- your manual is crafted based on what you do. If you are a Licensee, Auth Rep, Code subscriber, Lloyds coverholder etc, your manual talks about the uniqueness of your business based upon the nature & scope of what you do & how you do it
- the manual is a source of staff training. Written in plain English, the manual provides easy-to-understand & concise guidance. Sources of law, Code & regulatory guidance are included as footnotes for when you need to know a little bit more. If something does not apply to your business, it’s not included. This reduces complexity, uncertainty & confusion.
- the manual includes the context for each obligation & incorporates your key controls. This joins the dots for your people, key stakeholders & partners in understanding how your control environment manages your obligations.
- the manual provides an operating rhythm for: a) governance including oversight by your board/senior management & your risk & compliance committee; b) roles & responsibilities; c) risk management process; d) licence management; e) control testing; f) monitoring of your people, Auth Reps & material service providers; g) incident management & breach reporting; h) dealing with regulatory change.
- the Manual reflects your business. It’s branded with your corporate logo & colours; it talks about your AFS Licence or your Auth Rep scope, your AFCA responsibilities, your obligations under Code, and your obligations as a member of a group network or industry body. If you are a Steadfast broker & use CCX 360, the manual includes that. If you are a Lloyds coverholder, the manual includes Lloyds market bulletins. If you have a binder, the manual includes your key binder obligations. If you are a material service provider, the manual assists in managing the expectations of your partners.
Assurance
Importantly, your Risk & Compliance Manual provides assurance of the adequacy of your compliance arrangements to your key stakeholders. The Manual clearly shows: the sources of your obligations => your obligations => your key controls.
If you are interested in understanding how a tailored, fit-for-purpose Risk & Compliance Manual can benefit your business, contact me.

๐—ช๐—ต๐—ฎ๐˜ ๐—ฑ๐—ผ๐—ฒ๐˜€ ๐—ด๐—ผ๐—ผ๐—ฑ ๐—ฐ๐—ผ๐—บ๐—ฝ๐—น๐—ถ๐—ฎ๐—ป๐—ฐ๐—ฒ ๐—น๐—ฒ๐—ฎ๐—ฑ๐—ฒ๐—ฟ๐˜€๐—ต๐—ถ๐—ฝ ๐—น๐—ผ๐—ผ๐—ธ ๐—น๐—ถ๐—ธ๐—ฒ?

I have worked with more than 175 firms in general insurance, providing compliance assistance. I’ve found that the best leaders consistently possess certain fundamental qualities & skills when viewed through a compliance lens.
How do you compare against these 10 compliance leadership attributes?
1. Don’t defer accountability
Good leaders don’t say ‘compliance is someone else’s job’. They own responsibility for compliance in their business area & are accountable & take ownership for control breakdowns, issues & breaches & resultant customer remediation.
2. Protect your team members
They protect the careers of their team members. They ensure that compliance arrangements provide a safe environment for team members to perform their work. Good leaders make staff aware of their compliance obligations through training &, consistently, through team meetings. Good leaders protect team members from the team members’ ‘compliance ignorance’ through adopting standard operating procedures, implementing sales, underwriting & claims guidelines & through documented business practices, systems & ongoing training.
3. Create a safe environment
Leaders create a safe environment for team members to self-report incidents, breaches & complaints quickly. They accept that team members are human & make mistakes. They are fair & equitable in their responses to compliance incidents. They remain calm & focused on facts when presented with potential customer or business harm arising from something going wrong within their team. They remain focused on remediation & rectification and not retribution.
4. Be informed and aware of industry compliance happenings
Leaders stay on top of compliance change; they are curious & seek to understand how upcoming changes (such as CPS 230, FAR, Code review, flood inquiry) may impact their area of accountability & risk profile. They seek out the advice & counsel of compliance & legal specialists to fully understand the impacts of regulatory (& Code) change. They openly discuss news headlines with their team (commission payments, premium affordability & availability) even when those conversations may be difficult due to potential business impacts.
5. Obtain data for your area of responsibility
They obtain data (incidents, breaches, complaints, control testing, QA etc) to inform them of the adequacy of compliance arrangements for their area of accountability. They drill down & ask questions, including when there is a lack of data. They compare their area’s data with other business areas from a learning perspective, not from a competition perspective.
6. Walk the talk – attend and embrace your own training
They are mindful of the compliance shadow they cast. Good leaders enthusiastically inform team members about upcoming compliance training the leader is attending & share the outcomes & learnings back with the team. They consistently demonstrate through their actions how compliance protects the business, their team members, customers & business partners.
7. Use compliance issues, breaches and complaints as a learning experience
They use data from their own area together with other business areas to provide learnings & business continuous improvement. They use story-telling from their lived experience to bring compliance to life for the team. They use practical business examples to create […]

๐—ง๐—ต๐—ฒ ๐—ธ๐—ฒ๐˜† ๐˜๐—ผ ๐˜€๐˜‚๐—ฐ๐—ฐ๐—ฒ๐˜€๐˜€๐—ณ๐˜‚๐—น ๐—ฏ๐—ฟ๐—ฒ๐—ฎ๐—ฐ๐—ต ๐—บ๐—ฎ๐—ป๐—ฎ๐—ด๐—ฒ๐—บ๐—ฒ๐—ป๐˜ ๐—ถ๐˜€ ๐˜๐—ผ ๐—ณ๐—ผ๐—ฐ๐˜‚๐˜€ ๐—ผ๐—ป ๐—ถ๐—ป๐—ฐ๐—ถ๐—ฑ๐—ฒ๐—ป๐˜๐˜€ ๐—ป๐—ผ๐˜ ๐—ฏ๐—ฟ๐—ฒ๐—ฎ๐—ฐ๐—ต๐—ฒ๐˜€

Your people are a critical part of your compliance arrangements and serve as your early warning system. In addition to employees, this includes Authorised Representatives, Material Service Providers and anyone acting on your behalf to provide your financial services and general insurance products.
Your compliance arrangements provide a safe place to do business. Your compliance arrangements are the (1) governance & frameworks, (2) people & culture, (3) processes & procedures & (4) systems & reporting that collectively operate together and provide a fortress, protecting what matters – the business & its customers, people, partners & stakeholders.
What is an incident
However, stuff happens and things go wrong. Technically, this means there has been a breakdown in your control environment. When this happens, an incident has escaped from within the safe harbour of your compliance arrangements. The sole purpose of an incident is to cause as much harm and chaos in the shortest time possible. Incidents act stealthily. They lurk in the shadows causing loss, harm and detriment until detected. An incident may or may not be a breach; however, if left undetected, incidents will grow exponentially until they are so big that they have manifested into a breach of obligations/Code or a complaint & become visible to customers and regulators.
It is critical to identify incidents as early as possible. An incident, self-identified & reported on day 1, may cost the business $1,000; 4 years later, the same incident may have matured into a breach & cost $xx million + interest + lost management time + reputational impacts + regulatory enforcement action.
Your people as an early warning system
Your compliance arrangements are the first layer of protecting what matters. Your people are the 2nd layer. Your people vigilantly survey the landscape waiting to identify & self-report when ‘something has happened that shouldn’t have or hasn’t happened that should have’ (the definition of an incident). In this context, incidents are those being self-identified & reported & not incidents discovered through other mechanisms such as quality assurance monitoring, 2nd line oversight, customer complaints or regulatory activity.
The golden rules of incident management
- The quicker an incident is identified & raised, the less likelihood of harm or detriment being caused
- Provide a safe environment to raise incidents
- Be conservative & raise everything. Look at the root cause and review the control environment
- Use AIRR: Awareness, Identify, Raise, Report
Awareness
Train your people on what an incident is (identify) and what to do when detected (report). Your training should not focus on the 10,000+ laws & Code that govern our industry. Provide examples of what an incident in each area of the business looks like – sales, underwriting, claims, finance, broking etc.
An incident, something has happened that shouldn’t have, is:
- a pool of water on the staff kitchen floor
- my IT system is down for 30 minutes
- I didn’t send out an FSG or PDS
- I haven’t completed my training
- I think I provided the customer some incorrect information […]

๐—”๐—ฃ๐—ฅ๐—”’๐˜€ ๐—ณ๐—ผ๐—ฐ๐˜‚๐˜€ ๐—ผ๐—ป ๐—ถ๐—ป๐˜€๐˜‚๐—ฟ๐—ฒ๐—ฟ๐˜€ ๐˜‚๐˜€๐—ฒ ๐—ผ๐—ณ ๐—จ๐—ป๐—ฑ๐—ฒ๐—ฟ๐˜„๐—ฟ๐—ถ๐˜๐—ถ๐—ป๐—ด ๐—”๐—ด๐—ฒ๐—ป๐—ฐ๐—ถ๐—ฒ๐˜€ – ๐—ฑ๐—ผ๐—ป’๐˜ ๐—ฝ๐—ฎ๐—ป๐—ถ๐—ฐ!

In a speech to the ICA Annual Conference in Brisbane yesterday, APRA Executive Board member Suzanne Smith said, ‘a focus for APRA over the coming year: [is] the risk associated with outsourced underwriting to agencies.’ Ms Smith continued:
Partnering with experts to underwrite hard-to-place risks or to reduce operational and distribution costs can be a strategy. However, it is important to remember that the responsibility for core underwriting decisions always remains with the licensed insurer, as insurance risk and accountability are the very reason why insurers hold licences in the first place. Strong governance practices are crucial here, including robust on-boarding and exit plans, elimination or clear management of conflicts of interest, adequate governance resources, and sound data security. This also extends to scaling operations, such as ramping up claims handling during a crisis. The key takeaway is that while authority can be delegated, the ultimate responsibility remains solely with the insurer.
The intersection between Prudential Standard CPS 230 & AFS Licence obligations
I asked the question from the floor, ‘how should the dichotomy between the obligations of an APRA regulated insurer in respect of CPS 230 for underwriting agencies be managed, given the independent obligations of an agency holding an AFS Licence?’ Let me answer my own question.
CPS 230 requirements
An APRA-regulated entity must … manage the material risks associated with using [material service] providers. Material service providers are those on which the entity relies to undertake a critical operation or that expose it to material operational risk. (paragraph 49 CPS 230)
Underwriting Agencies, TPAs (insurance claim managers) & insurance brokers with delegated underwriting authority are deemed to be material service providers, unless the insurer can justify otherwise (p 50).
Operational risk is defined to include, but is not limited to, legal risk, regulatory risk, compliance risk, conduct risk, technology risk, data risk and change management risk. (p 24)
AFSL requirements
Underwriting agencies (& TPAs & brokers) who hold an AFS Licence have general obligations (refer section 912A(1) Corporations Act) including the obligation to have adequate risk management systems (s912A(1)(h)). ASIC expects that a Licensee’s risk management system will:
(a) be based on a structured and systematic process that takes into account your obligations under the Corporations Act;
(b) identify and evaluate risks faced by your business, focusing on risks that adversely affect consumers or market integrity (this includes risks of non-compliance with the financial services laws);
(c) establish and maintain controls designed to manage or mitigate those risks; and
(d) fully implement and monitor those controls to ensure they are effective. (refer RG 104.62)
Importantly, ASIC also notes that [the licensees] risk management systems will depend on the nature, scale and complexity of their business and their risk profile (my emphasis). They will be different for each licensee. (RG 104.63)
So what does this mean for insurers and their underwriting agencies?
It follows from the above that:
- Underwriting Agencies holding an AFS Licence must have a fit-for-purpose system of managing risk, including operational risk
- Insurers must manage the risk, […]

GI Code of Practice – Independent review: Initial Report

I was honoured to be part of the three-person panel to have undertaken an independent review of the GI Code of Practice, as part of the regular 3-year Code continuous improvement cycle. The panel was chaired by former APRA Deputy Chair Helen Rowell & consumer expert Gerard Brody.
We made 101 recommendations, reflecting the rapid change in consumer standards and expectations since the 2020 Code. The Insurance Council of Australia will undertake a detailed review of the recommendations & engage with members & key stakeholders to prepare a whole-of-industry response in coming weeks.
Some of the recommendations include:
- the expansion of financial hardship support to include people who need help maintaining premium payments
- redrafting of Code language to avoid consumers having to identify as being in vulnerable circumstances to access support
- a broader definition of vulnerability
- a range of protections for customers affected by family violence
- an overarching obligation for education & training requirements for employees, distributors & service suppliers, which must include the Code, vulnerability & complaint management
- all parts of the Code applying to small business, adopting the AFCA definition of small business
- a decoupling of the Code from legal definitions of retail client, wholesale client & general insurance products
- insurers having effective systems to monitor the conduct of distributors & service suppliers in respect of Code compliance
- unanticipated additional costs (removal of debris & architectural fees) provided as policy benefits & not as part of sum insured
- meaningful updates on claims progress to be provided every 20 days
- additional requirements for cash settlements
- minimum standards for experts
- an increase in the maximum Community Benefit Payment to $200,000 (indexed annually)
- the Code be incorporated into customer contracts so that they are contractually enforceable
The full report can be accessed from the Code of Practice Review website.

๐— ๐—ฎ๐—ป๐—ฎ๐—ด๐—ถ๐—ป๐—ด ๐—–๐—ผ๐—ป๐—ณ๐—น๐—ถ๐—ฐ๐˜ ๐—ผ๐—ณ ๐—œ๐—ป๐˜๐—ฒ๐—ฟ๐—ฒ๐˜€๐˜๐˜€ ๐—ถ๐—ป ๐—š๐—ฒ๐—ป๐—ฒ๐—ฟ๐—ฎ๐—น ๐—œ๐—ป๐˜€๐˜‚๐—ฟ๐—ฎ๐—ป๐—ฐ๐—ฒ

Not adequately managing conflict of interests (CoI) is a breach of AFS Licence obligations &, in the more serious cases, can lead to individuals being banned or disqualified by ASIC &/or civil/criminal penalties.
What is a conflict of interest in GI?
A CoI occurs when your interests (direct or indirect), or a duty you owe to a person (such as a broker to a client), conflict, or may reasonably be thought to conflict, with the proper performance of your functions & duties at your company or to the client. A Licensee’s obligations extend to the conduct of employees, Directors & Authorised Reps. I use the term employee; however, the examples also relate to ARs & Directors.
Typical GI examples are:
- an employee is employed by or gains remuneration from a competitor or supplier (such as a claims service supplier)
- an employee receives gifts or entertainment from other companies who the licensee does business with (such as a broker being entertained by an insurer at an event)
- an employee having interests or investments in competitors, customers or suppliers (such as insurers or brokers in underwriting agencies)
- engaging in transactions where a personal relationship exists, such as managing the claim of a family member
- conducting business with a related company
- making use of confidential information, such as an underwriter being advised of a potential M&A for an insured & using that information to trade shares on the ASX (or telling others who then trade)
- bribery, inducements etc, especially where intended to gain a business advantage
- an employee having multiple roles in the licensee – Director, shareholder, Responsible Manager, CRO etc
Managing conflicts of interest
The 3 mechanisms for managing CoI are:
- disclosing the conflict
- controlling the conflict &
- avoiding the conflict
Disclosure should be clear & transparent & not just hidden in an FSG.
Compliance arrangements
At a minimum, a Licensee should implement:
- due diligence for new employees, companies etc
- a tailored CoI policy (including gifts & entertainment, bribery, insider trading)
- a CoI register
- CoI training
- Monthly attestations
- Monitoring
Contact me for assistance in reviewing your approach to adequately managing Conflict of interests.

๐—ฅ๐—ฒ๐—ณ๐—ฒ๐—ฟ๐—ฟ๐—ฎ๐—น ๐—ฎ๐—ฟ๐—ฟ๐—ฎ๐—ป๐—ด๐—ฒ๐—บ๐—ฒ๐—ป๐˜๐˜€ ๐—ณ๐—ผ๐—ฟ ๐—ด๐—ฒ๐—ป๐—ฒ๐—ฟ๐—ฎ๐—น ๐—ถ๐—ป๐˜€๐˜‚๐—ฟ๐—ฎ๐—ป๐—ฐ๐—ฒ – ๐˜„๐—ต๐˜† ๐˜๐—ต๐—ฒ๐˜† ๐—ฐ๐—ฎ๐—ป ๐—ฏ๐—ฒ ๐—ฎ ๐—ฟ๐—ถ๐˜€๐—ธ๐˜† ๐˜€๐˜๐—ฟ๐—ฎ๐˜๐—ฒ๐—ด๐˜†

Referral arrangements continue to be a very popular mechanism to promote & distribute insurance products & services. Where a financial service is only a referral, you do not need to hold an AFS Licence.
A typical referral arrangement consists of:
1. informing a person (customer) that a licensee (or its AR) is able to provide a particular financial service; &
2. giving that person the contact details for the licensee or representative.
A simple example is an industry association referring members to an insurance broker or underwriting agency, to meet the insurance needs & requirements of its members. If the referrer receives any benefits for the referral, these must be disclosed to the person by the referrer.
Arranging general insurance
A problem arises when the referrer is doing more than 1 & 2 above. They may also:
- assist the customer to complete a proposal/application form;
- display brochures for the broker or underwriting agency;
- co-brand the on-line quote/marketing tool;
- receive a percentage of the commission; or
- offer premium payment facilities.
Some or a combination of these activities may constitute ‘arranging’. Arranging is a form of dealing & is an AFS licensed activity. Arranging occurs when a person brings into effect the issue, variation, disposal or acquisition of, or application for, a financial product. Conduct may constitute arranging if the ‘referrer’s’ involvement in the chain of events leading to the relevant general insurance transaction was of sufficient importance that without their involvement the transaction would probably not take place. Arranging is a question of fact & requires careful legal analysis.
It is an offence to provide unlicensed financial services. ‘Referring’ is not a financial service, ‘arranging’ is. The line between the 2 can be blurred, with significant consequences.
Managing the compliance risk of referral arrangements
There are a number of steps that should be taken to protect everyone involved in a referral arrangement.
1. Conduct due diligence on your proposed referrer – are they of good standing & character?
2. Obtain legal advice & be aware of the guardrails.
3. Execute a legally binding agreement clearly setting out what the referrer can & can’t do.
4. Understand remuneration & conflict of interests. Is the payment to the referrer commensurate with the value they are adding?
5. Provide training & support materials to ensure the referrer is aware of & understands the boundaries, the consequences of non-compliance & how to report incidents & complaints.
6. Ongoing monitoring is critical; care must be taken that referrals don’t morph into ‘arranging’.
ASIC RG 36 provides information on ‘referrals’ & ‘arranging’. Contact me if you have any questions.

Speech by ASIC Chair Joe Longo at the Australian Compliance Institute Annual Conference

17 September 2024
ASIC Chair Joe Longo has provided some great insights talking about the role of the compliance professional. Key points:
– the role of a compliance professional is a critically important one. You are part of the fabric of the business – not only to help your organisation meet its legal obligations, but to help create an ethical culture, where employees act in the best interests of its customers
– It’s the role of the directors of a company to set the tone, establish & lead a culture of compliance. This includes monitoring the arrangements the company has in place to ensure compliance with regulatory obligations. But it’s the compliance professionals who are closer to the nuts & bolts of how the business runs. They actually do the work to support & implement those arrangements.
– An effective regulatory compliance program must reflect the organisation’s key values & ethos – & focus on putting customers at the centre of how the organisation operates.
– A compliance professional is, in essence, a gatekeeper – a trusted adviser to the board, relied on for well-thought-out advice.
– Written policies & procedures provide the framework for compliance. Systems, processes, & technology can be used to underpin & support compliance. But compliance in practice requires a culture of integrity, ethics, & trust.
– What’s needed is an attitude of compliance, based on a curious mind that asks the right questions. Questions like: What are our obligations? What are the risks? How can we manage them? What systems & controls should be in place to ensure we meet our obligations? Is what we are doing both legal & ethical? How can we make sure they’re being followed? Do I have an open line to the board? Am I keeping them informed?
– Your role (as a compliance professional) is to refine the systems & controls, & to call out what’s working & what can be improved. That will enable the board to look ahead to spot the risks, think about how to balance the legal & commercial perspectives, & monitor the compliance arrangements that the company has in place.
– And so, more than ever, you play an influential & strategic role in the boardroom – a role that is critical in ensuring effective compliance.

I’m an Authorised Representative – what are my compliance obligations?

In General Insurance, Authorised Representative (AR) models continue to be popular for Insurance brokers & to a lesser degree for Underwriting Agencies & TPAs.

Appointing & ceasing an Authorised Rep
Sections 916A-F of the Corps Act, as modified by Corps regs 7.6.04AA & 7.6.08, relate to the appointment & cessation of ARs by AFS licensees. Licensees must notify ASIC within 30 business days of the date an authorisation is issued.

Obligations of the Licensee for their ARs
Licensees must ensure that their ARs have, & the ARs must have, compliance measures to:
– provide the financial services efficiently, honestly & fairly
– adequately manage conflicts of interest
– comply with the financial service laws
– have adequate resources (human, IT & financial) to provide the services
– ensure its people are adequately trained & are competent
– have adequate risk management systems
– identify complaints, incidents & breaches & report those to the licensee
– the trust account for client money must be in the name of the Licensee; however, the AR may be involved in directing the money into that account

Obligations of an AR
ARs have independent obligations:
– must not hold out they have an AFS Licence
– can only sub-authorise individuals with the licensee’s consent
– include its AR number in business documents & website
– provide a copy of its authorisation on request, free of charge within 10 business days
– provide retail clients with an FSG
– provide a general advice warning when providing general advice
– comply with the hawking prohibition
– when engaging in retail product distribution comply with TMD requirements
– must not make false statements or engage in dishonest, misleading or deceptive conduct

AR obligations under industry codes
GI Code – Underwriting Agencies or TPAs
– deal with customers in an honest, efficient, fair, transparent & timely manner
– be trained & have relevant expertise
– advise the customer of what they are authorised to do
– notify the insurer of complaints & breaches within 2 business days
– generally comply with the Code
NIBA Brokers Code – Insurance brokers who are ARs
– comply with the Code when acting on behalf of the licensee
– have the expertise, skills & experience to provide the services
– receive appropriate education & training
– be reviewed annually by the Licensee for Code compliance

Compliance services
To assist Licensees & their ARs, I provide the following compliance services:
1) design tailored & fit-for-purpose Monitoring Programs for AFS Licensees; &
2) design tailored & fit-for-purpose compliance arrangements for ARs

ASIC Corporate Plan 2024-25: priorities for General Insurance

ASIC’s Corporate Plan 2024–25 outlines the projects ASIC will undertake to deliver on their important mandate. ASIC makes a crucial contribution to maintaining Australia’s fair, strong and efficient financial system. The priorities relevant for General Insurance have a focus on claims handling practices including enforcement actions.
1. Improve consumer outcomes
– undertake a cross-sector surveillance of compliance with the requirements outlined in Regulatory Guide 271 Internal dispute resolution (RG 271).
– In 2024, ASIC will publish observations from the first year of IDR data reported by all firms, while in 2025 ASIC will publish firm-level IDR data.
– take action against insurers in relation to claims handling, especially in relation to home insurance claims.
– take action in response to harmful product design and distribution practices, including conduct that results in consumers receiving unsuitable products.
– monitor general insurers’ improvements to claims handling and engage with the independent review of the 2020 General Insurance Code of Practice.
2. Address financial system climate change risk
ASIC will review how general insurers are handling customer complaints and responding to recommendations from previous reviews about their handling of claims following severe weather events.
3. Advance digital and data resilience and safety
ASIC will continue to monitor how retail financial services use AI and advanced data analytics. ASIC will also assess their risk management and governance processes.

Other key activities
1. ASIC will continue to work closely with APRA to implement the FAR by providing guidance, engaging with industry and developing effective registration and other processes.
2. ASIC will work with the Australian Government to support the introduction of the Regulatory Initiatives Grid (RIG). The RIG will provide industry with information, in a single location and from across multiple agencies, about upcoming reforms and regulatory actions that will materially affect the financial sector.

Insurers take new approach to use of expert reports

A new standard agreed by general insurers will provide additional clarity & certainty for customers when independent expertise is required to help determine a claim. The Expert Report Best Practice Standard has been developed by the Insurance Council of Australia to provide consistency when insurers are using reports by experts such as hydrologists, engineers, builders, or specialist tradespeople. The best practice standard has been developed using feedback provided by consumer advocates and AFCA. An Expert Report is a report produced by an External Expert as defined in the GI Code of Practice. The ICA will be recommending to the independent Code Review Committee that the Standard is referenced in the next version of the Code to provide additional certainty and rigour around the use of Expert Reports. The Standard contains the following requirements:

Pre-report commissioning
1. Relevant expertise – prior to an expert report being commissioned, insurers must ensure the expert being briefed is relevant, qualified, & objective.
2. Capacity – the insurer should confirm that for each report commissioned the expert has the capacity to provide an expert report to the highest possible standard.
3. Briefing – the insurer should ensure that the expert has been fully briefed on relevant matters relating to the claim.
4. Advice to customers – the insurer should ensure that the customer is informed about the need to seek an expert report, the intended scope & use of the report, & is provided an opportunity to consider the need to submit any evidence to the insurer or expert in the commissioning process.
5. Exclusions – the insurer should make it clear to the expert exactly what they want the expert to provide an opinion on by including specific questions.

The report itself
Insurers should ensure that reports:
– are neutral & in plain English
– formatted with conclusions
– consider all relevant matters
– rely only on facts
– provide clear & cogent reasoning
– clear on whether an opinion is tentative or firm
– identify the cause(s) contributing to the loss
– provide a statement of objectivity
– provide the expert’s qualifications

Use of the report
– the expert report should be considered by claims managers & critically examined
– provided to the customer & the insurer should explain which parts of the report have been relied on for the claim decision & why
– disregard any statements or opinions outside of the scope or expert’s expertise

The role of underwriting agencies in GI – a compliance perspective

Underwriting Agencies continue to play an important role in the Australian GI market. Underwriting Agencies (UA) provide specialist skills & services, often filling gaps with niche products. By nature, UA are agile & provide a mechanism for the industry to innovate through technology. UA can also assist in the growth & development of people competencies & skill-sets.

Compliance considerations
UA are a core client segment for me. I provide AFS Licensing, risk & compliance frameworks, training & education together with general compliance advice. There are some unique compliance considerations for UA:
1. A UA may initially focus on underwriting & defer claims to their insurer partner or TPA. This brings benefits by being able to tap into wider expertise; however, it’s important that dedicated claims staff are appointed to manage the UA claims so that the UA market proposition & brand values are not compromised.
2. Complaints. It’s important to triage new complaints to understand whose licence(s) the complaint falls under. If the UA has all AFSL authorisations (advice, issuing & claims) the complaint will be against the UA, & any referral to insurers, claim managers or Lloyds Australia (to tap into their skill-set) is done so on an outsourced basis.
3. Insurers have various obligations to monitor a UA (under AFSL, Code & CPS 230). This should be through initial due-diligence & the ongoing provision of data rather than constantly looking over the shoulder of the UA.
4. UA should push back when insurers try to implement an APRA regulated risk management system on the UA. UA compliance arrangements must be tailored & based on the nature, scale & complexity of the UA.
5. A UA should be a member of Underwriting Agencies Council (UAC), ensuring that they have a strong voice at the table to provide input for regulatory change & GI Code issues.
6. Excel spreadsheets & word docs are more than adequate to manage compliance at smaller UA. Automation & complex risk management practices are a factor of size & should be considered as the UA grows.
7. UA should adopt 3 lines of defence, risk maturity matrix & risk appetite statements to enable management to better manage risks. However, adopt the principle & tailor to the size of the UA.
8. Unless large, most UA will default compliance to the COO or similar. It’s critical that business leaders manage compliance, with the COO providing support. Usually the COO will tap into someone like myself for more specialised compliance expertise.

Unique compliance challenges for Underwriting Agencies
Underwriting Agencies are a critical part of our General Insurance industry & are very exciting to be part of. However, they present unique compliance challenges that must be understood & managed.

The importance of a Monitoring & Supervision Program

Who has to Monitor?
The obligation to monitor arises under financial service laws & industry Codes. These include:
1. Insurers have an obligation to monitor Distributors & Service Suppliers under the GI Code;
2. All AFS licensees have an obligation to monitor representatives (employees & ARs) under financial services laws. This obligation extends to referrers & distributors operating under ASIC instruments;
3. Insurance Brokers have an obligation to monitor ARs & employees under the Insurance Brokers Code;
4. Claim Managers have an obligation to monitor service suppliers.
5. Agreements include a contractual obligation to monitor & be monitored.
In addition, FAR & CPS 230 create additional monitoring obligations for APRA regulated insurers in respect of Insurance Key Functions (FAR) & Material Service Providers (CPS 230).

Developing & implementing a Monitoring & Supervision Program
A single, tailored, fit for purpose Monitoring Program can meet all your requirements irrespective of the source – a single program is efficient, risk-based & enables an Enterprise view to manage risk & compliance requirements.

Essential components of a Monitoring & Supervision Program
1. Due diligence prior to engagement;
2. Agreements that capture obligations of the parties;
3. Onboarding (includes training & education)
4. Alignment to your Risk & Compliance framework
5. Ongoing Training (includes laws & Code, complaints, incidents & breaches)
6. Monitoring, including:
a) file reviews
b) call recording
c) attestations
d) control testing
e) 3 lines of defence activities
f) QA program
g) external events incl regulator activity
7. Supervision, including:
a) new starters without authority;
b) delegated authority
c) Standard Operating Procedures, systems & processes
d) team meetings
e) individual meetings
f) hallway conversations
8. Using people as an ‘early warning system’
9. Incident & breach management
10. Complaint management (IDR & EDR)
11. Data – what is it telling me? (complaints, incidents, Control testing etc)
12. Reporting

The 4 Pillars of Compliance

The purpose of compliance is to Protect.
Protect who? Protecting customers & clients, the business, its people & partners, stakeholders & the community.
Protect from what? Harm or detriment – financial, reputational, loss of licence, lost management time, disqualification, systematic failures, industry mistrust, regulatory scrutiny, anxiety etc.
Compliance provides a safe environment to operate, providing [insurance] products & services to customers. It does not matter whether you are an APRA regulated insurer, an underwriting agency, an insurance broker, a Claims manager (TPA) or material service provider. A systematic approach to compliance is critical.

How does compliance protect?
Think of a fortress, with inner & outer walls providing protection to those within.
The 1st layer of protection is Compliance arrangements – policies, process, procedures, systems, trained & competent people that, combined, form ‘a safe place to conduct business’.
The 2nd layer is People – employees, authorised reps, material service providers are ‘an early warning system’ reporting things that penetrate the 1st layer, such as incidents, complaints, breaches, control breakdowns etc.
The 3rd layer of protection is your Monitoring Program – ‘providing assurance’ to board, management & stakeholders.
The final layer of protection is Culture – ‘a desire to do the right thing’, knowing what the right thing is, how to do the right thing & doing something when things go wrong – when no one is watching.

The 4 Pillars of Compliance
It’s critical that the layers of protection are underpinned by a strong foundation. These are the ‘4 pillars of compliance’:
1. Governance & Frameworks
2. People & Culture
3. Procedures & Process
4. Systems & Reporting
The 4 pillars of compliance, when combined, ensure a consistent, risk-based approach to compliance, with inherent oversight, monitoring & continuous improvement. The 4 pillars are used when:
1. Setting up & maintaining the compliance arrangements
2. Assessing the risk maturity of the arrangements
3. Managing regulatory change
4. Self-monitoring, highlighting potential areas of attention

Nature, scale & complexity
A compliance framework, including the layers of protection & the 4 Pillars of compliance, is a conceptual, principle-based model that can be tailored to the nature, scale & complexity of any business operating within general insurance. The framework provides a compliance operating rhythm that is part of normal business operations with in-built early warning lights, self-monitoring, data-producing & continually evolving to meet consumer, regulatory & business standards & expectations.

General obligations of an AFS Licensee in general insurance

AFS Licensees have several general obligations, set out in s912A(1) Corporations Act. Licensees must:
1. Provide their financial services (includes advice, dealing in general insurance products & claims handling) efficiently, honestly & fairly. Such as:
– acting without delay, responding to queries & claims
– assessing claims & insurance applications in the least intrusive & onerous way
– informing insureds of processes & including fairness in those processes (eg procedural fairness for claim declines)
– services tailored to customers experiencing vulnerability &
– Code membership
2. adequately manage conflicts of interest. Disclosing conflicts, controlling conflicts & avoiding those conflicts that can’t be adequately managed (see RG 181)
3. comply with licence conditions. This may include a key persons requirement or the ability to use restricted broking terms.
4. comply with financial services laws. These include Corps Act Chap 7, ASIC Act Part 2 Div 2, Insurance Contracts Act, Insurance Act & Privacy Act among others
5. Ensure representatives comply with financial service laws. This requires a monitoring program for employees, Authorised reps, claim service suppliers & material service providers.
6. Other than APRA regulated insurers, have adequate financial, people & IT resources to provide the financial services. Also refer RG 104 & RG 166. APRA insurers must comply with Prudential Standards
7. maintain the competence to provide the financial services. This entails having responsible managers with the requisite knowledge, skills & experience providing complete coverage of your financial services across the business (refer table 1 RG 105)
8. ensure that your representatives (see 5 above) are competent & adequately trained, including RG 146 when providing advice
9. Have a dispute resolution system complying with the enforceable paragraphs of RG 271, provide IDR data to ASIC & be a member of AFCA
10. other than APRA insurers, have adequate risk management systems. APRA insurers must comply with CPS 220 & from July 2025 CPS 230
11. comply with Reg 7.6.04 which includes obligations to:
– advise ASIC of material changes to financial position
– adding/deleting Authorised reps
– maintaining a training register
– due diligence prior to appointing ARs & including their AR number in documents
– provide a copy of AFSL/AR authorisations upon request
– advise ASIC of change of control of licensee

Managing obligations
An obligations register or table (contained within a risk & compliance manual) should be used to manage these & other regulatory (& Code) obligations. Accountability & key controls are aligned to the obligations, enabling management within risk appetite. Control testing, monitoring, data validation & reporting complete the picture. Speak to me to explore obligations management further.

10 tips to successfully embed compliance in your business

The key to embedding compliance in your General Insurance business is people. Leave the technical side of compliance to specialists such as myself & focus on your people.
1. The true purpose of compliance is to protect
Don’t talk about laws or rules; that is not inspiring language. Talk about how compliance creates an environment that protects your customers, clients, people, the business, partners & other key stakeholders.
2. Connect the heart with the head
Everyone has someone like my elderly mum in their lives. Mum lives by herself. She banks & buys insurance. Compliance is about protecting my mum & people we deeply care about. Involving the heart brings about caring & caring brings actions.
3. The power of storytelling
A story about Paul’s mum is far more powerful than section 912(A)(1)(g)(ii). Use storytelling to sell the message of compliance.
4. Every person has a part to play
Creating a compliance ecosystem needs everyone to actively play a part. From incident reporting to following the processes. We all have a role to play.
5. Embrace training
Train people on the why & how, & less on the technical. How compliance protects? How to identify incidents & complaints? Why should I care?
6. Expect things to go wrong
We are human & stuff happens that’s not supposed to. The role of compliance is to make it easy to identify, remediate & rectify when stuff goes wrong. It’s impractical from a business viewpoint to build a compliance system that 100% prevents things going wrong – unless you want to stop being human.
7. Create a safe environment
If you want people to self-report & raise incidents & complaints promptly you need to create a safe environment for them to do so.
8. Have a framework
A framework provides a foundation to manage compliance in a systematic, risk-based approach. A fit-for-purpose framework supports & enables your people.
9. Don’t be hesitant to formally report breaches
At a time of ‘naming & shaming’ don’t be hesitant when deciding whether to report a breach to ASIC or a Code Committee. Timely reporting is a feature of good compliance arrangements & being a responsible corporate citizen.
10. Keep compliance top of mind
Compliance is not a set & forget exercise or annual activity. To truly embrace compliance as a way of working it must be top of mind. Do leaders walk the talk? Is compliance part of your regular team conversations? Can you access FAQs easily on your internet? Do you know the risks & controls in your area of the business?

Compliance is about people
In summary, think less about rules, laws, clauses & sections & more about people.

Top 5 influences on compliance in 2023 for the insurance industry

Today’s list covers the top 5 groups that influenced compliance for the insurance industry during 2023.

No. 5 Insurers
APRA-regulated insurers make it onto my list due to a number of factors. With substantial resources (particularly the larger insurers), insurers have the internal numbers to implement complex & robust compliance arrangements; this sets expectations & a benchmark for best practice. Given insurers dominate the insurance landscape, especially retail insurance, the focus of regulators & industry bodies is always on Suncorp, IAG, QBE, Allianz, Hollard et al. Insurers in turn drive the compliance measures at MGAs & TPAs. Due to FAR & CPS 230, this will continue into 2024/25, extending to insurance brokers.

No 4. Industry bodies
The Insurance Council of Australia, CGC, National Insurance Brokers Association (NIBA) & IBCCC continue to heavily influence & drive compliance positions across the industry. In addition, Insurtech Australia & Underwriting Agencies Council (UAC) have also been leading the way in respect of technology & the emergence of underwriting agencies.

No 3. Industry Codes
The GI Code of Practice has always been a heavy influence on the compliance programs for insurers (& MGAs & TPAs); however, the Insurance Brokers Code of Practice has been remarkable in driving the compliance focus for insurance brokers. This has been particularly evident for brokers with large Authorised Representative networks.

No 2. Regulators
ASIC, Australian Prudential Regulation Authority &, while technically not a regulator, Australian Financial Complaints Authority have continued to have a strong influence on compliance across the insurance industry. From taking Federal Court action on pricing promises to shutting down an insurer & its underwriting agency partners for 24 hours due to a defective TMD to CPS 230 & AFCA determinations, the regulators continue to set the direction & focus on compliance for the insurance industry.

No 1 Compliance People 🏆 🥇
The Gold Medal for 2023 in successfully driving compliance goes to the unsung heroes – people, specifically the person(s) within each organisation who drives & champions compliance. The better compliance people manage to find the right balance between compliance & business & focus their efforts on raising internal awareness, training & education. The Compliance Champions for 2023 and the top influencers on Compliance within the Insurance industry for 2023 are our wonderful compliance people.

2024 regulatory change & other developments in General Insurance

๐Ÿ๐ŸŽ๐Ÿ๐Ÿ’ ๐ซ๐ž๐ ๐ฎ๐ฅ๐š๐ญ๐จ๐ซ๐ฒ ๐œ๐ก๐š๐ง๐ ๐ž & ๐จ๐ญ๐ก๐ž๐ซ ๐๐ž๐ฏ๐ž๐ฅ๐จ๐ฉ๐ฆ๐ž๐ง๐ญ๐ฌ ๐ข๐ง ๐†๐ž๐ง๐ž๐ซ๐š๐ฅ ๐ˆ๐ง๐ฌ๐ฎ๐ซ๐š๐ง๐œ๐ž We are almost at the mid-point of the year & already we have seen a plethora of changes, consultations & reviews impacting the General Insurance industry. Compliance never sleeps in General Insurance. ๐‘ช๐’๐’๐’”๐’–๐’๐’•๐’‚๐’•๐’Š๐’๐’๐’”, ๐’“๐’†๐’—๐’Š๐’†๐’˜๐’”, ๐’„๐’๐’–๐’“๐’• ๐’„๐’‚๐’”๐’†๐’”, ๐’ˆ๐’–๐’Š๐’…๐’‚๐’๐’„๐’† & ๐’๐’•๐’‰๐’†๐’“ ๐’„๐’‰๐’‚๐’๐’ˆ๐’†๐’” 11 June – Treasury – feedback on draft legislation (financial advice reform) which include requiring general insurance brokers to obtain commission consent from retail clients if personal advice has been or is likely to be provided. Closes July 8 May – 3 person-panel independent review of the GI Code of Practice – The Terms of Reference set out the reviewโ€™s overarching principle of maintaining & enhancing consumer protections, along with Code modernisation, enhancement of customer experience, accessibility, effectiveness & efficiency, & providing customer value. Consultation closed, report due mid-year 28 May – ASIC to launch new Professional Registers search (for licences) late June 20 May – IBCCC publish guidance note ‘Supporting vulnerable clients’ as guidance for section 10.0 Insurance Brokers Code of Practice 16 May – Senate – Select Committee on the Impact of Climate Risk on Insurance Premiums & Availability established. The Committee has been established to inquire & report on the unaffordability & unavailability of insurance in some regions due to climate-driven disasters & the underlying causes & impacts of increases in insurance premiums. The committee is to present a final report by 19 November 2024. Submissions close 2 July 2024. 
22 March – Federal Crt – In finding Auto & General did not include an unfair contract term in its PDS, determined that Utmost Good faith, Section 54 & construction of the PDS, must be taken into account when considering whether a term of the insurance contract is unfair. 7 March – Treasury – consultation on standardising definitions & standard cover for insurance terms – fire, storm, stormwater & rainwater run-off. Consultation closed 4th April 6 March – ASIC – letter to insurers to improve claims handling practices Feb – House of Reps – Parliament inquiry into insurers’ responses to 2022 major floods claims. Report due Sept 2024 Also, FAR commencing March 2025 – RG 279 issued 14 March 2024 CPS 230 commencing July 2025

Claim management arrangements – General Insurance

Following on from my previous post on Distribution arrangements, I thought I would cover off the typical general insurance claim arrangements.

Financial services & licensing

Claims handling & settling services (CHSS) has been a financial service since 1 Jan 2022. CHSS covers the activities as defined under section 766G Corporations Act. The need to hold an AFS licence is determined by s 911A(2)(ek). You need to hold an AFSL for CHSS if you are:
– the insurer under the insurance product or an underwriting agency with authority from the insurer to provide CHSS;
– an insurance fulfilment provider but only where you have authority to reject all or part of a claim;
– an insurance claims manager aka TPA (acting for an insurer) but only where this is a primary part of your business. For example, if assessing or investigations is the primary part of your business, you don’t need an AFSL (Reg 7.1.04CB);
– an insurance broker, but only if they have authority from an insurer to provide the CHSS. Brokers acting on behalf of insureds can rely on the exemption & not hold an AFSL;
– a claimant intermediary, that is a person providing CHSS on behalf of an insured for a prescribed product other than insurance brokers, accountants, vets, travel agents, financial advisers & counsellors, property managers, estate management & public trustees.

An exemption applies for CHSS where the issuer of the general insurance product is Lloyd’s underwriters or an UFI. A licensee may appoint others as an Authorised Rep to provide CHSS.

GI Code of Practice

There are obligations for CHSS under the Code.
It is necessary to examine the definitions in Part 16 of the Code to determine how the Code applies to your business.

Service Supplier – means an Investigator, Loss Assessor or Loss Adjuster, Collection Agent, who is not an employee of the insurer but is contracted to manage claims on behalf of an insurer (including a broker) & any of their approved sub-contractors. Investigator, Loss Assessor or Loss Adjuster, Collection Agent are all defined terms in Part 16.

External Expert means a company, entity, or a person who is not an Employee or a Service Supplier & is contracted solely to provide an expert opinion about the likely cause of loss or damage.

2 part process

It follows from the above, in order to determine your obligations under financial services laws & the Code, you need to understand:
1. Your requirement to hold an AFS Licence; &
2. The category you fall within under the GI Code

This starts with the questions (in context of CHSS):
– what CHSS do you do?
– how do you do the CHSS?
– who do you do the CHSS on behalf of?

Distribution Arrangements

Compliance with requirements for 3rd party GI distribution arrangements is critical for Brokers, underwriting agencies & insurers. It is an offence to distribute general insurance products if you are not: an AFS licensee; an AR of a licensee; acting under an ASIC instrument; or relying upon an exemption.

Referral arrangements

This arrangement allows a broker or MGA to access the referrer’s customer database & offer them insurance products/service. Typically the referrer is a non-financial service business. A referrer does not provide financial services (& is not required to hold a licence or be appointed as an AR) provided: they only inform their customers that another person (A) provides insurance products or services; provide the contact details of (A); & disclose to their client if they are being paid a referral fee by (A). It is critical that the referrer does no more than referring. The more involved in the insurance transaction, the more likely they are to provide a financial service.

Authorised representatives

An AR arrangement enables firm B to provide financial services under firm A’s AFS Licence. An AR may be authorised to provide all or part of the Licensee’s financial services. The licensee is responsible for ensuring the AR complies with financial service laws & its licence conditions; however, the AR also has independent obligations. Generally, ARs must be notified to ASIC within 30 business days of appointment. There are also a number of other formalities that are required.
ASIC distribution instrument

Under this instrument, a person may distribute insurance products on behalf of the licensee, subject to the distributor: not being an AR of the Licensee; providing details of the licensee’s IDR; disclosing the relationship & remuneration received; & not providing financial product advice.

ASIC Group Purchasing Body instrument

Under this instrument, typically a person is provided with a master insurance policy & extends cover to its clients as a named individual for payment of a premium. The GPB: must not be carrying on financial services as its primary business, the arrangement is ‘incidental’ to its primary business; & must not make a profit from the arrangement. They can only cover their reasonable expenses in administering the arrangement.

Monitoring & Supervision

A licensee has obligations to monitor all these arrangements & should adopt a systematic approach.

Tidying up after a busy June: a compliance perspective

Insurance brokers – Tidying up after a busy June: a compliance perspective

You’ve had a hectic June but feel satisfied because you assisted so many clients. There is an alarming amount of paperwork that you need to clear & you’re desperately trying to remember all the compliance stuff that you’re supposed to do. I’m not condoning non-compliance however you have a small window to rectify. We are only human after all & we all make mistakes. Don’t forget to raise any non-compliance as an incident in either CCX 360 or similar register & declare on your attestation.

Your hindsight compliance checklist

Over the past 4 weeks:
– Did you provide Terms of engagement to prospective clients?
– Did you provide an FSG?
– If the client is a retail client did you disclose your actual $ remuneration?
– Was any client dissatisfied with your service? If so, raise as a complaint, give the client a call to check in, apologise & advise of your IDR process.
– Did you provide support to any client experiencing vulnerability?
– Did you correctly identify consumer insurance contracts & comply with your client’s duty to take reasonable care not to make a misrepresentation? In all other cases did your client comply with their duty of disclosure?
– Did you contact your client at least 14 days before the policy expiry date?
– Did you bind terms for your client? If the insurer or underwriting agency did not provide renewal terms or non-renewal notice to you 14 days prior to the due date your client has the benefit of statutory cover for renewals.
– Did you ensure that your retail client fell within the Target Market Determination?
– Did you send your retail client the PDS? (Which also includes the policy schedule).
– If you are a NIBA member & won the account but the previous broker did all the renewal work, did you send the commission to the previous broker?
– In your client dealings, did you act honestly & with integrity?
– Did you act with commercial decency?
– Did you provide a duty of care to your client that a reasonable broker in your circumstances would?
– Was all client money paid into your trust account?
– Any E&O matters that you need to disclose to your PI insurer?

Post June is a great time for a compliance health-check

As the dust settles in June, now is a great time to think about a compliance health check. When conducting a compliance health check of your broking business I consider:
1. Financial service laws
2. Your AFSL authorisations & conditions
3. Your obligations as an Authorised Rep
4. Your monitoring of your staff, ARs & referrers
5. If you’re a Steadfast member – Steadfast Broker Code of conduct
6. If you’re a NIBA member – the Code of Practice
7. CCX 360 or equivalent (evidence of compliance)

ASIC letter calls on insurers to improve claims handling practices

ASIC has issued a letter reminding general insurers of their obligations as Australian financial services (AFS) licensees when handling insurance claims, especially in response to severe weather events. (ASIC’s letter was published on 6th March 2024). The letter sets out the obligations general insurers have as AFS licensees under the Corporations Act 2001 (Cth). General insurers are required to act efficiently, honestly, & fairly when providing claims handling services: see section 912A. This includes resolving claims in a timely manner, especially when responding to claims relating to severe weather events. Insurers are required to:
– communicate transparently, clearly & in a timely way with consumers regarding their claims
– effectively project manage third parties, including assessors & tradespeople
– identify complaints and expressions of dissatisfaction at the earliest opportunity
– recognise consumers experiencing vulnerability & tailor their claims handling service accordingly, &
– sufficiently resource claims handling & dispute resolution functions, & ensure staff are adequately trained.

Insurance claims handling is an enforcement priority for ASIC in 2024. ASIC is monitoring claims handling through reports of misconduct made directly to ASIC, any systemic issues reported by AFCA, and regular contact with consumer groups assisting people with claims & related disputes. ASIC’s message is they are watching how insurers support their customers very closely. Evidence of significant misconduct identified through these channels may result in enforcement action.

Compliance review of claims handling practices

It may be prudent to conduct a compliance review of your claims handling & settling practices including service suppliers. The review should also cover GI Code of Practice obligations.
A compliance review assesses the adequacy of your compliance arrangements to manage AFSL & Code obligations & provides solutions adopting a risk-based approach. Underwriting Agencies with AFSL claims authorisation & Insurance Claims Managers (TPA) should also consider a compliance review. Contact me to explore how I can assist.

Advertising General Insurance products & services

As a compliance specialist, I always read adverts from insurers, underwriting agencies, insurance brokers etc. I analyse the inherent compliance risk arising from the advertisement.

Misleading or deceptive conduct

Advertising gives rise to the risk of engaging in misleading or deceptive conduct. Generally speaking, misleading or deceptive conduct leads a person into error. Engaging in misleading or deceptive conduct is a reportable situation to ASIC. ASIC’s regulatory guide RG 234 helps licensees & promoters comply with their legal obligations to not make false or misleading statements or engage in misleading or deceptive conduct.

Good Practice Guidance

RG 234.16 contains an overview of ASIC’s good practice guidance for advertising in all media:
– Returns, features, benefits & risks – a balanced message between benefits & risks should be provided. Benefits should not be given undue prominence compared with risks;
– Warnings, disclaimers, fine print & qualifications should not be inconsistent with other content in an advertisement, including any headline claims;
– Where a fee or cost is referred to in an advertisement, it should give a realistic impression of the overall level of fees & costs a consumer is likely to pay, including any indirect fees or costs;
– Comparisons should only be made between products that have sufficiently similar features or, where an advertisement compares different products, the differences should be made clear in the advertisement;
– Past performance information should be accompanied by a warning that past performance is not indicative of future performance;
– Terms and phrases should not be used in a particular way by industry where these are not consistent with the ordinary meaning commonly recognised by consumers (e.g. ‘free’, ‘secure’ & ‘guaranteed’);
– Advertisements should be capable of being clearly understood by the audience that might reasonably be expected to see the advertisements;
– Where an advertisement draws attention to specific product features, the advertisement should be consistent with information contained in any disclosure document (such as a PDS);
– Photographs & images should not contradict, detract from or reduce the prominence of any warnings, disclaimers or qualifications; &
– Advertisements for a financial advice service should not create unrealistic expectations about what the service can achieve.

In certain media, adverts must refer to the PDS & TMD.

Overall impression of the Advert

Assessing the overall impression is important. ASIC considers the following factors: a) the subject; b) the content; c) the format; d) the audience; e) the media used; & f) the likely effect of the advertisement.

When do I provide a FSG, PDS….

A common question I’m asked is the timing to provide disclosure documents & other notices. The source of the obligation – Act, Regs or Code – includes the timing & content requirements for each document & by whom & to whom provided. The requirements depend on the type of client (retail or wholesale), what you do & who you represent (broker representing an insured or MGA/TPA representing an insurer, or an insurer).

Summary

FSG

An AFS Licensee or their AR must give a FSG to a retail client as soon as practicable after it becomes apparent that a financial service will be provided to that client & before a financial service is provided. It is industry best practice to provide an FSG to wholesale clients. Insurance brokers should be aware that an FSG may be given after the services have been provided in ‘time critical’ cases such as an impending policy due date (4pm). Brokers can also provide the ‘Terms of engagement’ (part 4.2 Brokers Code) at the same time as providing an FSG. Insurance Claims Managers do not need to provide an FSG (as they act for insureds) but Claimant Intermediaries must.

SOA

A Statement of Advice must be provided where personal advice is provided to a retail client for sickness & accident & CCI insurance products. The SOA must be provided when or as soon as practicable after providing the advice.

General advice warning

A GAW must be provided at the same time & in the same format as when general advice is provided to retail clients. If the GA is provided on a website or in a document the GAW must be included.

PDS

Generally, a product issuer (insurer or MGA) must provide a PDS to a retail client when making an offer (quote) or sale. A broker should ensure a PDS is provided when making a recommendation to a retail client to buy an insurance product.
TMD

A TMD must be made publicly available before any person distributes a financial product that is subject to the design & distribution obligations, i.e. ‘retail product distribution’. Generally the TMD is available on issuers’ websites with links provided in relevant documents.

Cash Settlement Fact Sheet & Confirmation of Transactions

A CSFS must be provided by insurers (or TPA) to retail clients before a cash payment is made where there are other legally available options to settle the claim. A CoT must be provided as soon as is reasonably practicable after the transaction with the retail client occurs & includes acceptance & settlement of an insurance claim. A CSFS may be provided up to 5 days after the payment in cases of ‘immediate need’. A CSFS or CoT is not required in family violence situations.

UFI

Brokers must provide a written notice to a client when placing business with an Unauthorised Foreign Insurer when relying upon 1 of the 4 exceptions.

Contact me to understand all your disclosure & notices obligations.

Managing the complexity of compliance

The regulatory regime for providing insurance products & services in Australia is complex. Financial services laws, ASIC Reg Guides, APRA Prudential Standards, GI & Brokers Code of Practice, and Agreements (binder, agency, distribution & claims) create a plethora of obligations with severe consequences for non-compliance. The primary purpose of compliance is to protect. Protect the business, its people, customers & other key stakeholders. How do you ensure that you achieve this purpose & not get pulled down the ‘tick-a-box checklist’ pathway that creates a multitude of rules, instructions & documents? Here are some tips to effectively & efficiently manage the complexities of compliance:

Systematic approach

Compliance management requires an operating rhythm. Adopting a systematic approach to compliance ensures that your compliance measures provide optimum protection to the business, its people & customers.

Clear roles & responsibilities

Clarity around roles & responsibilities creates accountability. It also drives efficiencies & avoids gaps or duplication. Typically, the business performs the compliance task & activities while risk & compliance functions (or a risk & compliance committee) provide monitoring & oversight.

Education & awareness

Compliance is complex, and training is essential. The training for employees & Authorised Reps must be practical, business-focused & lead people to understand why they should care. Caring results in doing.

The doing

A well-crafted document doesn’t provide protection.
The protection comes from people reporting incidents, breaches & complaints; from undertaking compliance training in a timely fashion; from following systems & procedures & with a genuine desire to play their part in protecting the business, colleagues & customers.

Monitoring & supervision

‘You can’t see the forest for the trees’. Successful compliance arrangements include those who are doing with an added layer of protection provided by monitoring & supervision. There needs to be a degree of independence between doing & oversight.

Data & reporting

A systematic approach to compliance produces data, lots of data. To be meaningful, this data must be analysed. To be valuable, this data must be reported. A systematic approach to compliance includes the use of data to validate the health of the compliance arrangements.

Evidence based

Effective documentation helps to educate, raise awareness & demonstrate whether or not you are complying with your obligations. Documentation also provides a transparent benchmark for accountability.

Risk & Compliance Governance

The combination of the above elements provides good Governance ensuring that compliance is protected.

Contact me should you need assistance with your Compliance measures.

Managing conflicts of interest in the Insurance industry

The obligation

AFS Licensees must have in place adequate arrangements for the management of conflict of interest (s912A(1)(aa) Corps Act). Conflicts of interest are circumstances where some or all of the interests of people (clients) to whom a licensee (or its representative) provides financial services are inconsistent with, or diverge from, some or all of the interests of the licensee or its representatives. This includes actual, apparent & potential conflicts of interest. (RG 181.15)

Typical conflicts of interest that may arise within the insurance industry

Some of the typical conflicts that may arise include:
– commissions & non-monetary remuneration paid by the issuer of the products (insurers/MGAs) to insurance brokers. Insurance Brokers act on behalf of the insured (refer s11 Insurance Contracts Act & Part 6.0 Insurance Brokers Code of Practice);
– having equity or common directors in a brokerage & underwriting agency;
– a claims handler or underwriter having a family or personal relationship with the claimant/broker/insured;
– having an interest in an outsourced provider;
– providing insurance broking services to 2 clients who contract with each other;
– receiving gifts or entertainment from a service supplier, insurer etc.

Managing the conflict

The requirement is to adequately manage the conflict.
The three mechanisms that licensees would generally use to manage conflicts of interest are: (a) controlling conflicts of interest; (b) avoiding conflicts of interest; & (c) disclosing conflicts of interest.

Controlling conflicts of interest include:
– passing the file to a colleague or another firm to manage & putting in place ‘ethical walls’;
– adhering to the firm’s policies & procedures. This means an underwriter would follow their underwriting guidelines when managing a conflict, e.g. with a broker; similarly a claims handler would follow the claim guidelines where there is a personal relationship & a broker would adhere to internal guidelines for commissions;
– dealings with related companies would be conducted at arms-length & on commercial terms.

Disclosing (to the parties):
– this is commonly via a disclosure document (FSG) or on the website (stating who you act for);
– raising & recording on the conflicts or gifts & entertainment register with a senior person sign-off.

Avoiding: if the conflict can’t be adequately managed through controls or disclosure then it must be avoided.

Documented evidence

It is best practice to document your approach to managing conflicts in a manual or policy & maintain a conflicts of interest &/or gifts & entertainment register. Staff & representatives must be trained.

If you would like assistance in implementing mechanisms to manage your conflicts reach out to me.

Alignment of compliance obligations to the Customer insurance sales experience

When speaking to clients who are concerned about the complexity of compliance, I advise aligning compliance obligations with the customer experience. This enables us to think about compliance in a logical, systematic manner. The risk of non-compliance, regulatory enforcement action & customer detriment is managed.

The insurance sales process – 3 preliminary questions

Answering 3 simple questions sets the signage for the customer sales pathway.

1. Is the client retail or wholesale? It is important to understand the disclosure documents & warnings that must be provided. This is a 2 step process.
a) is the customer an individual or small business (as defined)? If yes, keep going; if no = wholesale client
b) does the product fall within s761G(5)(b) Corps Act as defined in Regs 7.1.11 – 7.117A? If yes = retail, if no = wholesale.

2. Is this a consumer insurance contract? This is important to determine whether the duty to take reasonable care not to make a misrepresentation or the Duty of disclosure applies. Either:
a) falls within the definition of s11AB Insurance Contracts Act; or
b) is deemed to be a consumer insurance contract by the insurer giving a written notice to that effect

3. Are you a Distributor (GI Code) or a [NIBA member] Insurance broker or AR of a broker (Brokers Code)? This determines whether the standards & obligations of the relevant industry Codes apply to you during the sales process.

The customer insurance sales process

Once you have the information, it is relatively easy to map compliance obligations to each stage of the customer insurance sales process. As an example – a retail client for a consumer insurance contract & you are an insurance broker acting for an insured or, in plain language, a new client asks about insurance for their home.

At engagement

Provide the client with:
1. Terms of engagement (Brokers Code)
2. FSG (AFSL requirement)

Needs analysis

1. provide a warning – general or personal advice [AFSL]
2. understand the insurer’s or underwriting agency’s underwriting questions to respond to the insured’s duty to take reasonable care not to make a misrepresentation [Insurance Contracts Act]
3. Disclose $$ remuneration (or an estimate & the actual amount as soon as reasonably practicable) [Code]
4. ensure the client falls within the relevant TMD [AFSL]

Quoting stage

1. Provide the PDS [AFSL]

Mapping the sales process

There may be other obligations that arise during the sales process such as misleading or deceptive conduct, hawking etc. However, you can see that this is merely a case of mapping out the sales process & assigning the compliance obligation at each stage.

The obligation to have trained and competent people – what does this mean?

AFS Licensees have an obligation to ensure that their representatives are adequately trained & are competent (s912A(1)(f) Corps Act).

Who is a representative?

Representative means (s9):
– an authorised representative of the licensee;
– an employee or director of the licensee;
– an employee or director of a related body corporate of the licensee; &
– any other person acting on behalf of the licensee.

ASIC’s expectations

ASIC expects licensees to:
(a) identify the knowledge & skills your representatives need to competently provide the financial services;
(b) ensure they have the necessary knowledge & skills;
(c) ensure they undertake continuing training programs to maintain & update their knowledge & skills; &
(d) maintain a record of the training they have undertaken (this is required under reg 7.6.04(1)(d)).

As you will observe, training is an ongoing obligation.

Training

Most firms adopt a CPD approach to training. However, in order to meet the obligation, representatives must be trained in financial services laws & in the specific financial services & insurance products offered. Simply attending functions or events to obtain CPD points may not satisfy the AFSL obligation. The training must have a connection with your authorised financial services. ASIC has specified minimum training for representatives who provide financial product advice to retail clients (RG 146): Tier 1 products – personal sickness & accident, CCI; Tier 2 – all other general insurance products.

Competence

Competence includes skill, knowledge & experience. The competence must be aligned to the financial services (such as claims handling or insurance broking) & the products provided.
Generally role descriptions, qualifications, short industry courses, on the job training & professional membership (ANZIIF, NIBA) are indicators of competence; however, on-going training is required to ensure professional development & remaining relevant.

Training specifically for people working in general insurance

I have developed training options, specifically for general insurance, to assist in meeting your AFSL obligations:

I provide training services to businesses:
a) Facilitated training on financial services laws, Industry Codes, Responsible Managers; &
b) Design of in-house tailored compliance training modules.
Check out ‘Compliance Education & Training’ under the ‘Services’ tab on my website (link below)

I provide training services to individuals:
a) Compliance workshop in Brisbane 21st Mar
b) Monthly virtual financial laws training: next course 14th Mar
c) Membership subscription
Click below & go to the tabs ‘Training’ & ‘Membership’ to learn more & register: Compliance Advocacy Solutions

Breach management in General Insurance

Under-reporting of breaches continues to be an industry-wide issue. A business focus on incidents is key to successfully managing breaches.

Focus on incidents

An incident is something that has happened that shouldn’t have (this includes inaction). All people across the business, Authorised Reps, distributors & anyone acting on your behalf should be trained in understanding, identifying & raising incidents. If you focus on breaches then you are expecting your people to know ‘000s of laws. Your obligations should be linked to key control(s), therefore control breakdowns are automatically an incident. The training should include practical examples of what an incident(s) looks like within your business & for each business area. If your incident management is inadequate, the incident will continue to grow & cause harm & detriment until such time that it manifests into a breach or a significantly larger breach than if immediately detected. There is also the risk that the breach will be identified by a customer. This suggests that your compliance arrangements are inadequate & may lead to a systemic issue investigation by ASIC or AFCA. An incident & breach register should be maintained.

Triage of incidents

It is important that you don’t allow the business to determine whether an incident is a breach. This analysis requires expertise.
An experienced compliance person should review all incidents periodically (frequency based on the size of the organisation) & determine whether (1) additional information is required (2) the incident is a breach & if so, (3) the law &/or Code that has been breached & (4) comply with breach reporting requirements ๐™Ž๐™ค๐™ช๐™ง๐™˜๐™š๐™จ ๐™ค๐™› ๐™—๐™ง๐™š๐™–๐™˜๐™ ๐™ค๐™—๐™ก๐™ž๐™œ๐™–๐™ฉ๐™ž๐™ค๐™ฃ๐™จ Each Law/Code has its own requirements on what needs to be reported, to who & the timing Chp 7 Corporations Act (AFS Licensees) – Section 912DAA – note that ‘financial services laws’ is defined widely (s761A) & include, for example, breaches of the Insurance Contracts Act & the ASIC Act. Insurance Act (APRA regulated insurers) – Section 38AA Privacy Act – Division 3 (notifiable data breaches) GI Code of Practice – paragraph 181 Insurance Brokers Code of Practice – paragraph 11.2 Having separate processes for each law/code is impractical, adds complexity & creates gaps. A single breach management process is paramount ๐˜ฝ๐™ง๐™š๐™–๐™˜๐™ ๐™ข๐™–๐™ฃ๐™–๐™œ๐™š๐™ข๐™š๐™ฃ๐™ฉ ๐™ฅ๐™ง๐™ค๐™˜๐™š๐™จ๐™จ Your breach management process should incorporate RG 78 with pathways to incorporate the breach reporting requirements of all other laws/industry Codes. The process should include: timeframes roles & responsibilities information gathering analysis breach committee or similar breach reporting remediation & rectification learning from the breach & continual improvement Contact me for assistance with your incident & breach management process.

๐—™๐—ถ๐—ป๐—ฎ๐—ป๐—ฐ๐—ถ๐—ฎ๐—น ๐—ฆ๐—ฒ๐—ฟ๐˜ƒ๐—ถ๐—ฐ๐—ฒ๐˜€ ๐—š๐˜‚๐—ถ๐—ฑ๐—ฒ (๐—™๐—ฆ๐—š) – ๐˜๐—ต๐—ฒ ๐—ผ๐—ฏ๐—น๐—ถ๐—ด๐—ฎ๐˜๐—ถ๐—ผ๐—ป๐˜€

As the FSG is a legal document it’s important that your FSG has legal sign-off. Copying & pasting the FSG of another should be avoided.

A Licensee (s941A) or, independently, an Authorised rep (s940A), must give a person an FSG if a financial service is provided to a retail client.

Timing of giving FSG

The FSG must be given as soon as practicable after it becomes apparent to the providing entity that the financial service will be, or is likely to be, provided & in any event before the financial service is provided.

Generally, for insurance brokers, this means the earlier of an appointment or when first providing financial product advice. For insurers & underwriting agencies this generally is at the time of making an offer for insurance products (eg a quote).

In respect of claims handling & settling services, insurance brokers, underwriting agencies, insurers & insurance claim managers are not required to provide an FSG as the FSG was provided at the time of sale/engagement. However, claimant intermediaries (who act for insureds) must provide an FSG before they provide the financial service.

Refer to s941C for situations in which an FSG is not required.

Time critical cases

If the client immediately requests the financial service or it is not reasonably practicable to give an FSG before providing the service, a statement may be provided (meeting the requirements of s941D(3)) & the FSG provided within 5 days after the statement.

Contents of an FSG

The title ‘Financial Services Guide’ must be on the cover of, or near the front of, the FSG. Thereafter, the abbreviation ‘FSG’ may be used.

An FSG must be dated, presented in a clear, concise & effective manner & contain (see s942B; also refer to Part 7.7 Div 2 of the regulations):
• details of the provider including AFSL or AR number
• the financial services provided
• who the provider acts for
• details of remuneration & benefits (incl commission)
• details of associations or relationships between the provider & issuer (including any related body corporate)
• for personal advice, details of restricted words or expressions. This includes, for insurance brokers who are paid a commission, that the broker is not independent, impartial or unbiased.
• information about dispute resolution & how it can be accessed (IDR & EDR)
• for underwriting agencies, details of any binder
• a statement about PI cover

Multiple documents (ss942D & 942DA)

An FSG may consist of multiple documents such as, for brokers bound by the Code, a Terms of Engagement; however, each document must have on the cover a statement to the effect that the document is part of an FSG.

For insurers & underwriting agencies, an FSG may be combined with a PDS in a single document.

Compliance and accountability

I’ve been sorting out banking & accounting issues. While frustrating, & taking me away from my client work, I appreciate that as a small business owner such work is necessary. Without banking & accounting my business simply can’t function.

I appreciate that many people see compliance in the same way. Frustrating & time-consuming, however a necessity for the business. Unfortunately, this approach can diminish the importance of compliance & not truly embed compliance within the business & each role.

The purpose of compliance is to protect – your business, clients, people & partners.

Think about how important your car is to you. Yes, you can arrange for other, more skilled people to service the car & attend to repairs & the like; however, you have accountability to ensure the car is roadworthy & that you know the road rules. You can outsource certain tasks that require a specialist skill set; however, at the end of the day, you are accountable for your car when you drive it on a public road. Compliance is no different.

The FAR regime [for insurers] creates the concept of Accountable Persons & [for enhanced entities] the requirement for Accountability maps. These concepts are sound & can be scaled down & tailored to a business of any size so that compliance is role-based & part of day-to-day business activities. Let’s see how this works for underwriting agencies, insurance claim managers & insurance brokers [& insurers].

Compliance accountability as part of your business role

1. Ensure that your risk & compliance manual includes an obligation table or you have a stand-alone register. This simply captures your AFSL, Code & other obligations at an operational level;
2. For each business leader/manager identify the obligations that fall within their area of business responsibility (sales, underwriting, claims, finance). Each manager now has their own compliance plan;
3. Assign key controls to each of the obligations. This ensures the obligation is being managed;
4. Periodically (at least annually), each manager tests the control(s) to ensure it is designed & operating effectively;
5. Each manager receives complaints, incidents, QA & other data, for their area, to validate the control testing results;
6. The manager oversees action plans to rectify any control that is ineffective;
7. The manager provides reporting for their area that is consolidated into an enterprise report.

Accountability for compliance is part of your role

Adopting a systematic approach to compliance within each business area of responsibility & accountability will ensure that compliance is something that is done as part of each role.

If you need assistance in setting up compliance arrangements that work for you, provide business value & protect your business, people, customers, partners & YOU, contact me.

Managing the complexity of compliance in general insurance

I was chatting to some Lloyd’s underwriters last night & they mentioned the complexity of the Australian regulatory landscape for general insurance. I agree that the landscape is complex; however, I also made the point that a systematic approach to compliance enables that complexity to be adequately managed.

A systematic approach to Compliance

• Identify the sources of your obligations. Obligations will arise from (i) what you do (& the licences & authorisations you need/hold); different obligations apply to insurers, Underwriting Agencies, brokers & TPAs & (ii) how you provide your services, e.g. different distribution channels & use of claim service suppliers.
• Record your material obligations. Larger firms may do this through a stand-alone register while smaller firms should incorporate it within their risk & compliance manual.
• Adopt a risk appetite statement (RAS) position for regulatory/compliance risk.
• Assign key control(s) to each obligation until the obligation is within your RAS.
• Periodically test the control to ensure that it is designed effectively & operating effectively. Take action to close out any identified gaps.
• Train your people (& ARs) on how compliance protects, the importance of a systematic approach to compliance & their role in control testing & self-reporting by promptly identifying & reporting incidents, breaches & complaints.
• Use data generated by the systematic approach to compliance (incidents, breaches, complaints, self-reports, file reviews, QA etc) to validate the control test results & to report breaches to regulators or Code committees.
• Use external information such as regulatory/Code reviews, ASIC letters, Court cases, regulator speeches & media releases & the like to question ‘could this happen to us?’ or ‘How are we managing this?’
• Report the control test results & data & external information to your risk & compliance committee. The data should be analysed, connections & insights provided & decisions made.
• Incorporate regulatory change mechanisms into your systematic approach.
• Use the data that the systematic approach generates as a continuous improvement mechanism so that compliance continues to protect & adds value to your business.

General insurance is complex

A systematic approach to compliance results in an ecosystem that continually evolves to respond to & manage the risks associated with business growth, regulatory change & increasing complexity.

The regulatory landscape for general insurance is complex. However, a systematic approach to compliance enables this complexity to be understood & managed in a way that protects your business, people, customers & stakeholders.

Monitoring & Supervision of employees and Authorised Representatives

The recent Federal Court decision in Australian Securities and Investments Commission v Lanterne Fund Services Pty Limited [2024] FCA 353 provides the elements that an effective monitoring & supervision program should contain. I have expanded these elements based on my experience in working with clients in the insurance industry.

Implementing an effective Monitoring & Supervision program

• A robust due diligence process of all representatives pre-appointment.
• Agreements with new CARs (& employees) containing requirements & obligations.
• Supervisory arrangements – comprising monthly attestations, self-audits & risk-based audits by the licensee, formal & informal meetings with comprehensive note-taking, robust reporting of incidents, breaches & complaints.
• Risk management & compliance systems – must be formal, systematic & documented & cover the risks faced by the firm. Risk & Compliance manuals must be tailored & current. The licensee should provide clear guidance & instructions to its CARs & ARs about their obligations regarding compliance with the financial services laws.
• Training – must be provided & cover financial services laws including AR obligations & the relevant industry Codes. Conducted during induction & annually thereafter.
• Human resources – the licensee must have enough people to conduct the monitoring & supervision activities. This includes regular performance reviews of the representatives & consequence management.
• Technological resources – an adequate IT infrastructure to keep abreast of issues such as IT security or cyber security.
• The Licensee must have enough responsible managers who are qualified, skilled & experienced in general insurance with sufficient time to conduct their role effectively.
• Governance should include a risk & compliance committee meeting quarterly & receiving data, information & insights to oversee the licensee & their representatives.

The Monitoring & Supervision program must include self-checking mechanisms so that your compliance arrangements continue to evolve with regulatory changes & business growth.

I can work with you to:
1. Conduct a compliance review of your current compliance arrangements, identifying gaps and adopting a risk-based approach. My reviews adopt a top-down approach, not a file-by-file audit approach;
2. Design a fit-for-purpose, tailored AR program for your business;
3. Provide training for your representatives.

Identifying and managing your regulatory obligations

I’m currently compiling an obligations register for an APRA-regulated insurer. At a Federal level, there are more than 400 obligations that a general insurer needs to identify & manage by mapping to key control(s) & the person(s) accountable. Underwriting Agencies, TPAs & Insurance Brokers generally have 150-200 obligations.

For smaller-sized clients, I include obligation tables within a tailored Risk & Compliance manual so that everything is retained in one place & there is context for the obligations.

The important lesson is, how can you manage your obligations if you don’t capture [record] them?

Sources of obligations for General Insurance

The starting point is to get a good text that covers the clauses and provides a pathway to any associated regulations or ASIC Regulatory Guides. I use Thomson Reuters 2024 Corporations Legislation & Lexis Nexis Australian Corporations Legislation 2024 – Vol 1 & 2.

So what are the key sources of obligations for general insurance?

Chapter 7 – Corporations Act
• 7.6 – licensing issues, general AFSL obligations, Auth Reps, & restricted [broker] terms
• 7.7 – disclosure requirements: FSG & Cash Settlement Fact Sheet
• 7.8 – dealing with clients’ money, lodging financial returns & auditor
• 7.8A – design & distribution obligations (& TMD)
• 7.9 – product disclosure: PDS, SPDS, cooling off
• 7.10 – market misconduct: misleading conduct

ASIC Act
• Pt 2, Div 2 – unconscionable conduct, unfair contract terms, misleading or deceptive conduct, add-on insurance

Insurance Contracts Act – includes the duty to take reasonable care, UGF & s54

Privacy Act – including the 13 Australian Privacy Principles

APRA Prudential Standards – for Governance, Risk Management, Financial Resilience, Recovery & Resolution & Reporting

Financial Accountability Regime Act

Also, don’t forget:
• Insurance Act, especially s114 use of words ‘insurance’ & ‘insurer’
• Spam Act & DNCR Act
• Autonomous Sanctions – DFAT & United Nations
and of course the General Insurance Code of Practice & Insurance Brokers Code of Practice.

Identifying & managing obligations – a great investment

Identifying, recording & managing obligations through key controls & accountability requires some initial investment of resources; however, the ongoing benefits soon outweigh the costs.

Parliamentary insurance flood inquiry – insights from the public hearings

In the wake of the recent public hearings and the release of transcripts, there’s been a surge of discussions, particularly among clients in Queensland. These conversations are homing in on several key areas highlighted during the hearings.

One significant topic of interest is ‘claims handling including delays’. People are keen to delve into how insurers are managing claims, especially in terms of timeliness and efficiency. Another focal point is ‘the role of experts such as assessors & builders’. This aspect concerns the expertise involved in assessing claims and the impact it has on the overall process. Lastly, there’s a spotlight on ‘customers experiencing vulnerability’. The discussions are examining how insurers are addressing the needs of vulnerable customers and ensuring they receive fair treatment throughout the claims process.

These discussions are driven by submissions and the line of questioning from the Committees during the hearings. As we continue to analyse and reflect on these topics, we aim to gain deeper insights into the dynamics of insurance practices and how they affect clients, particularly in Queensland.

APRA & ASIC release information package on FAR

A 5 week consultation period is seeking industry feedback on the proposed list of key functions for the insurance industry & the supporting key functions descriptions (by 19 April 2024).

A word of caution

Insurers should resist the temptation to create a FAR framework (& for that matter a CPS 230 framework).

Insurers & underwriting agencies, TPAs, brokers etc are required under Prudential Standards (insurers) or AFSL general obligations (MGA/TPA/Brokers) to have a risk management framework/system. Often the level of sophistication is a factor of the risk maturity of the business.

FAR & CPS 230 present an opportunity to refresh & enhance existing risk management arrangements, not create complexity or duplication through separate frameworks.

Accountability & culture components should already be included in existing risk & compliance frameworks.

FAR – core obligations

The FAR introduces 4 core sets of obligations:
• accountability obligations;
• key personnel obligations;
• deferred remuneration obligations; &
• notification obligations.

Accountable persons

Central to FAR is the concept of accountable persons. An accountable person must conduct their responsibilities by:
– acting with honesty & integrity, & with due skill, care & diligence;
– dealing with the Regulators in an open, constructive & cooperative way;
– taking reasonable steps to prevent matters from arising that would adversely affect an insurer; &
– taking reasonable steps to prevent matters from arising that would result in a material contravention of financial services laws.

Insurance key functions

An accountable person has responsibility for the Insurance Key Function if they have actual or effective senior executive responsibility for management or control of the whole of, or a significant or substantial part or aspect of, the applicable key function.

The draft proposes the following key functions for insurance. You will readily observe that these can be easily aligned to existing risk categories & Financial Services Laws & Code obligations.

1. Capital management
2. Collections & enforcements
3. Conduct risk management
4. Data management
5. Financial & regulatory reporting
6. Hardship processes
7. Insurance risk management
8. Operational risk management
9. Product design & distribution obligations
10. Product origination
11. Recovery & exit planning & resolution planning
12. Reinsurance management
13. Scam management
14. Technology management
15. Training & monitoring of relevant representatives & staff
16. Underwriting
17. Whistleblower policy & process

ASIC RG 279

ASIC/APRA has issued an information paper.

Have a chat with me if you need assistance.

Federal Court finds Auto & General Insurance Company did not include an unfair contract term in insurance contracts

A term requiring insureds to notify A&G of any changes to their home & contents was not unfair under the ASIC Act.

1. The proceedings concern home/contents insurance which contained certain notification obligations on the part of the insureds.
2. The PDS contained a number of references that explained certain matters relevant to the notification obligations (see paras 4-11 of the judgment).
3. Relevantly, the PDS contained 11 examples of changes A&G wanted the insured to tell them about.
4. The offending clause, which preceded the 11 examples, stated, ‘you need to tell us if anything changes about your home & contents.’ This Notification Clause was the focus of ASIC’s claim.
5. Evidence concerning the processes for applying for cover (p12-22) & claim assessment (p23-30) was led by A&G.
6. The Court considered relevant provisions of Unfair Contract Terms (ASIC Act) & Utmost Good Faith (ICA).
7. The Court rejected the literal meaning of ‘anything’.
8. The Court accepted that the requirement in the Notification Clause to notify A&G “if anything changes” was restricted to the information already provided by the insured to A&G (refer 2 & 3 above).
9. The Court held that the duty of UGF operates to limit what A&G can do under the Notification Clause in response to an insured’s failure to notify it of the relevant changes.
10. The Court determined, upon the proper construction of the Notification Clause, that the contracts of insurance contained a term that:
(a) the insured must notify A&G if, during the term of the policy, there was any change to the information about the insured’s home or contents that the insured had disclosed to A&G prior to entry into the contract; &
(b) if the insured failed to notify A&G of such changes, it had the right to refuse to pay a claim, reduce the amount it paid, cancel the contract or not offer to renew the contract if & to the extent that it would be consistent with commercial standards of decency & fairness for A&G to do so.
11. The Court applied the 3 limb test for ‘unfair clauses’ & held:
a. Significant imbalance – s54 (ICA) operates to ensure that A&G’s powers to refuse or reduce claims would not cause a significant imbalance in the rights & obligations of the parties arising under the contract.
b. Protecting legitimate interests of A&G – s54 & UGF constrain A&G to the extent that only a failure to notify a change in information that has prejudiced its interests is relevant.
c. Detriment – the Court accepted ASIC’s submission that the lack of clarity in the Notification Clause caused detriment to the insured.

Conclusion

The Court found that as only 1 of the 3 criteria of an unfair term was met, ASIC failed to establish that the Notification Clause is unfair.

The power & far-reaching impact of the insurance Codes overarching obligation

As the industry continues to be under scrutiny, it’s timely to revisit the overarching obligations in the GI Code & Insurance Brokers Code of Practice.

GI Code of Practice

Part 3 of the GI Code requires insurers & their distributors & claim service suppliers to be honest, efficient, fair, transparent & timely in dealings with customers. Let’s unpack this:
– the obligation extends to underwriting agencies & external insurance claim managers;
– the obligation applies to both retail & wholesale insurance;
– the obligation applies to all dealings including buying insurance, making a claim, dealing with customers experiencing vulnerability & complaints;
– you may ask, how does Part 3 apply to claims for wholesale insurance when, for example, ‘Part 8 Making a Claim’ (& Parts 5, 6, 7, 9 & 11) does not apply to wholesale insurance? The individual requirements of Part 8 would not apply to wholesale insurance claims; however, the insurer & their claim service suppliers must continue to be ‘honest, fair etc.’;
– it would be a reasonable interpretation of Part 3 to suggest that each component is a separate obligation. Therefore a failure to act in a timely manner (such as in claim delays) would be a breach of the Code.

Insurance Brokers Code of Practice

The Brokers Code requires NIBA members to have professional commitment, act ethically & be transparent & accountable. Due to Part 8.0, these obligations extend to the broker’s employees, agents & authorised representatives.

The Ethical behaviour commitment requires brokers, their staff & [authorised] representatives to act honestly & with integrity in all dealings with clients.

AFSL general obligation to provide financial services efficiently, honestly & fairly

The overarching obligations of the Codes complement the AFS Licence obligation to provide financial services efficiently, honestly & fairly, but with one important distinction. The AFSL obligation only applies to financial services (which of itself is still far-reaching) while the Code obligations apply to all dealings, including administrative or clerical processes.

How to implement

The Code overarching obligations should be viewed as a lens after specific controls are applied. For example, the obligation to update the customer every 20 business days about the progress of their claim may receive a tick; however, the question then needs to be asked, were we ‘honest, efficient, fair, transparent & timely’? It is possible to comply with individual Code paragraphs but still be in breach of the overarching Code obligations.

The true purpose of Compliance – protecting

Compliance is only effective when you have all people engaged. This includes staff, authorised representatives, claim service suppliers & business partners.

Thinking about compliance in terms of rules & regs is generally not exciting & certainly not engaging. This is one of the things I learnt very early in my compliance career. Not many people really care about the intricacies of section 912A(1) or Part 3 of the GI Code or Part 8 of the Brokers Code – personally, I love this stuff.

Here’s a simple test. If you can’t answer the question ‘why should I care [about compliance]?’ or you think the answer is ‘because we must’, then you need to change how you position & see compliance.

The true purpose of compliance is to protect. The image below shows who we should protect & from what.

Let me explain how compliance protects. Your compliance arrangements are the combination of your people, IT systems, manuals, policies, guidelines & processes. Think about this another way: your compliance arrangements are the controls that you have in place to manage your financial services & industry code obligations. These compliance arrangements provide a safe environment for your people to work within. By staying within these boundaries your compliance arrangements operate to protect your customers, business, partners & people from harm.

As we know, mistakes happen; systems, people & processes fail. This is when your people become your early warning system. By identifying ‘something has happened that should not have happened’ at an early stage (aka an incident) your people can quickly identify when the perimeter of your compliance arrangements has been breached. This serves to minimise any harm & enables the control(s) to be quickly rectified, thus securing the business, its customers & people.

The importance of the concept of ‘compliance protects’ has never been more evident as the insurance industry moves into the era of accountability. If something happens, under your watch, in your area of accountability there will be personal consequences – both financial & reputational. FAR & CPS 230 are examples of where accountability is heading & casting a wide net.

This is why compliance protects. Robust compliance arrangements provide a mechanism & infrastructure to support & protect your business, your customers & you from harm & detriment.

I will be exploring the theme of ‘compliance protects’ at my Compliance workshop in Brisbane on Thursday 21st March at Lightspace, Brisbane’s unique event venue and co-working warehouse. I will be providing you with the tools & insights to develop compliance arrangements that operate to support & protect the things that matter to you. Registration for the workshop is now open & can be accessed via the link below. See you in Brisbane.

Managing Compliance in the insurance industry

What does it mean to be an Authorised Representative, from a compliance perspective?

An Australian financial services licensee may appoint ‘authorised representatives’ to provide specified financial services on its behalf. Acting as an AR can be a cost-effective way of operating a financial services business although most insurers require their MGAs & TPAs to hold their own AFSL. This is due to the risk that the AR presents to the insurer’s Licence. AR networks continue to be used within the Insurance Broking community however due diligence & compliance monitoring is being strengthened. There are regulatory requirements for appointing ARs & notifying ASIC. There are also rules & limitations in appointing sub-authorised representatives. Notification requirements also apply in respect of when an AR ceases to be authorised. These requirements should be captured in the Licensee’s compliance manual. In addition, the Licensee, if a subscriber to the GI Code or Insurance Brokers Code, will also have Code obligations in respect of the conduct of its ARs (GI Code see Parts 3-5 & Brokers Code see Part 8). Generally, the Licensee is responsible for the training, competency & conduct of its ARs & therefore should have a Monitoring & Supervision Program in place. This benefits & protects both the Licensee’s & the Authorised Rep’s business.

Obligations of an Authorised Representative

In addition to meeting the obligations of the Licensee, ARs have a number of independent obligations, including: Be appointed in writing as an Authorised Representative of the Licensee; Not hold out that they have an AFS Licence. In this regard, the AR should include their AR number & disclose the relationship with the Licensee in all business documents & on their website; Provide disclosure documents (FSG, PDS) as required when the General Insurance Products are provided to Retail clients; Provide details of remuneration in an FSG; Keep records of insurance transactions; Comply with hawking prohibitions (retail clients) & misleading & deceptive conduct provisions; Ensure they act within the scope of authority given; & Comply with Product design & distribution requirements & TMD (when financial services are provided to retail clients).

Authorised Representative compliance measures

It follows from the above that the best practice is for the Authorised Representative to have its compliance measures captured in a Compliance Manual. The Manual should be tailored to the AR’s business model & way of working & dovetail with the Licensee’s compliance requirements. Speak to me if you are an Authorised Representative requiring assistance with your compliance requirements or if you are an AFS licensee requiring assistance with your AR monitoring & supervision program.

๐—–๐—ฎ๐—ป ๐˜†๐—ผ๐˜‚ ๐—บ๐—ฒ๐—ฎ๐˜€๐˜‚๐—ฟ๐—ฒ ๐˜๐—ต๐—ฒ ๐—ฐ๐—ผ๐—บ๐—ฝ๐—น๐—ถ๐—ฎ๐—ป๐—ฐ๐—ฒ ๐—ฟ๐—ถ๐˜€๐—ธ ๐—บ๐—ฎ๐˜๐˜‚๐—ฟ๐—ถ๐˜๐˜† ๐—ผ๐—ณ ๐˜†๐—ผ๐˜‚๐—ฟ ๐—ผ๐—ฟ๐—ด๐—ฎ๐—ป๐—ถ๐˜€๐—ฎ๐˜๐—ถ๐—ผ๐—ป?

APRA has mandated an insurer to undertake a risk remediation program & has increased its capital requirements in response to concerns about its risk governance. APRA’s decision follows a prudential review that identified significant weaknesses in the insurer’s risk governance, risk management & compliance practices. These included capability & capacity weaknesses in the risk function, ineffectiveness of the “three lines of defence” model, & weak risk reporting. The review also revealed unclear accountabilities and responsibilities across the business, & overall, an immature risk culture. Given the heightened prudential risk arising from the identified weaknesses, APRA has also imposed an additional $50 million capital requirement in the form of an operational risk charge.

Measuring compliance risk maturity

There are many benefits in measuring compliance risk maturity: Identification of gaps & weaknesses in your compliance arrangements; A prioritised action plan to close out gaps by adopting a risk-based approach; Enables the allocation of resources (including human, technology & financial) to those areas of strategic, customer or regulatory importance; Provides transparent criteria to benchmark progress & facilitate board reporting; & Enables different maturity levels to be set as targets for each of the 4 components.

How to conduct an analysis of compliance risk maturity (in the insurance industry)

Step 1 – there are 4 components or categories that are assessed from a compliance risk perspective – (1) governance, (2) process & procedures, (3) people and (4) systems & reporting. A compliance review is conducted to determine the firm’s current state against each of these components;

Step 2 – the current state is assessed as either ‘basic, evolving, established, advanced or optimised’. Pre-agreed criteria are used to describe each phase of maturity enabling a robust conversation to take place so that a realistic current state is determined. The current state is plotted on the matrix for each category;

Step 3 – recognising the cost-benefit trade-off, the board sets the desired level of risk maturity to be achieved over a defined period for each component. For example, the Board may set a target that within 18 months: systems will be ‘Advanced’ while people will be ‘Optimised’. This enables a strategic allocation of resources & a plan that can be shared with key stakeholders;

Step 4 – actions are developed, costed & approved to achieve the target level of risk maturity for each of the 4 components;

Step 5 – progress to plan is monitored & included in board reporting.

Please contact me if you would like to explore the compliance reviews & risk maturity assessments I provide.

๐—”๐—ฟ๐—ฒ ๐˜†๐—ผ๐˜‚ ๐—ฎ๐—ป ๐—จ๐—ป๐—ฑ๐—ฒ๐—ฟ๐˜„๐—ฟ๐—ถ๐˜๐—ถ๐—ป๐—ด ๐—”๐—ด๐—ฒ๐—ป๐—ฐ๐˜†, ๐—–๐—น๐—ฎ๐—ถ๐—บ ๐—ฆ๐—ฒ๐—ฟ๐˜ƒ๐—ถ๐—ฐ๐—ฒ ๐—ฆ๐˜‚๐—ฝ๐—ฝ๐—น๐—ถ๐—ฒ๐—ฟ ๐—ผ๐—ฟ ๐—œ๐—ป๐˜€๐˜‚๐—ฟ๐—ฎ๐—ป๐—ฐ๐—ฒ ๐—•๐—ฟ๐—ผ๐—ธ๐—ฒ๐—ฟ? ๐—”๐—ฟ๐—ฒ ๐˜†๐—ผ๐˜‚ ๐—ฝ๐—ฟ๐—ฒ๐—ฝ๐—ฎ๐—ฟ๐—ฒ๐—ฑ ๐—ณ๐—ผ๐—ฟ ๐—–๐—ฃ๐—ฆ ๐Ÿฎ๐Ÿฏ๐Ÿฌ?

APRA Prudential Standard CPS 230 ‘Operational Risk Management’ comes into force July 2025. CPS 230 applies to APRA-regulated insurers (including both local insurers & Category C insurers) however there are indirect or downstream impacts on Underwriting Agencies, Claim Managers (Service Suppliers) & Insurance Brokers. These impacts arise in respect of insurers’ critical operations & material service providers.

Critical operations

An APRA-regulated entity must maintain its critical operations within tolerance levels through severe disruptions & manage the risks associated with the use of service providers (para 12 CPS 230). For an insurer, claims processing is a critical operation unless the insurer can justify otherwise.

Material service providers

An APRA-regulated entity must, at a minimum, classify a provider of the following services as a material service provider, unless it can justify otherwise: for an insurer (general, life, private health): underwriting, claims management, insurance brokerage & reinsurance (p50).

Management of service provider arrangements

An APRA-regulated insurer must: Maintain a comprehensive service provider management policy (p47); Identify & maintain a register of its material service providers & manage the material risks associated with using these providers (p49) & submit the register to APRA on an annual basis; Before entering into or modifying a material arrangement undertake due diligence assessing the financial & non-financial risks (p53); Maintain a formal legally binding agreement covering the matters listed in p54 (a) – (g); Monitor the arrangement (p58); Meet the APRA notification requirements (p59); & Have the arrangements reviewed by its internal audit function (p60).

So what does this mean for material service providers?

Material service providers who are well prepared for the impacts of CPS 230 will achieve a competitive advantage in their partnering with insurers. Providers of material services must: Incorporate the requirements of CPS 230 into their risk & compliance arrangements including referencing APRA’s Prudential Practice Guide (CPG 230); Engage early with insurer(s) to understand the insurer(s) project plan in respect of timeframes & any unique requirements they have; & Arrange for a compliance review in early 2024 (due diligence) to fully understand the impact of the proposed changes to ensure a seamless transition to the new arrangements. Do not hesitate to contact me to assist in being prepared for the impacts of CPS 230 on your business.

๐— ๐—ฎ๐—ป๐—ฎ๐—ด๐—ถ๐—ป๐—ด ๐—–๐—ผ๐—บ๐—ฝ๐—น๐—ถ๐—ฎ๐—ป๐—ฐ๐—ฒ ๐—ฒ๐—ณ๐—ณ๐—ฒ๐—ฐ๐˜๐—ถ๐˜ƒ๐—ฒ๐—น๐˜† & ๐—ฒ๐—ณ๐—ณ๐—ถ๐—ฐ๐—ถ๐—ฒ๐—ป๐˜๐—น๐˜† – ๐—ฑ๐—ฒ๐˜€๐—ถ๐—ด๐—ป๐—ฒ๐—ฑ ๐˜๐—ผ ๐—ฝ๐—ฟ๐—ผ๐˜๐—ฒ๐—ฐ๐˜

A common issue I observe when reviewing risk & compliance frameworks is the absence of a logical flow. Risk & compliance should be managed in a systematic manner ensuring that nothing is missed & no gaps emerge. The purpose of compliance is to protect. Protect the business, its people, stakeholders & customers. To do this, all component parts must work in sync.

The components of a systematic approach to risk & compliance

1. What you do & how you do it. Within the insurance industry, the services & products you provide & on whose behalf, determine the need for you to be APRA authorised, AFS Licensed, Authorised Rep, Code subscriber, Distributor, Service Supplier etc. This in turn shapes your risk profile. Unpacking what you do & how you do it is always the starting point in any risk & compliance framework.

2. Governance. Roles & responsibilities: who’s doing what, who provides oversight & the mechanics of ‘doing & oversight’, is the next step & creates an environment within which business can be safely conducted & layers of protection.

3. Risk management. Understanding your risks & managing those risks [in 6 simple steps] within the boundaries of the firm’s risk appetite provides an internal mechanism for decision-making.

4. Licence management. For AFS Licensees, I call out licence management as a separate component. Your Licence is, after all, your ticket to play [including any Authorised Reps].

5. Material obligations. AFS Licence, APRA authorisation, Code & AFCA membership, Binder & Authorised Rep Agreements, Distribution & Claim service supplier arrangements all create obligations. These obligations must be identified. You can’t manage what you don’t know. Depending on the size of the firm, I include the key control(s) within the obligations section. I find it’s best to have a single source of truth [manual] rather than multiple referenced documents.

6. Obligations management. This sets in place a systematic approach to managing the obligations including the sources of new/amended obligations & how these are incorporated into the framework.

7. Control testing. A control that is not tested (design & operational) is no control.

8. Monitoring & supervision. This extends to staff & ARs & forms another layer of protection. The M&S needs to be independent, fit-for-purpose & risk-based.

9. Reporting. Data from risk & compliance registers, control testing, monitoring & supervision provides an indication of the health of the compliance system.

10. Incident & breach management. Things do go wrong. The quicker they are identified the less harm caused.

Risk & compliance assistance

Contact me to understand how a systematic approach to risk & compliance protects your business, people & customers.

๐—ฃ๐—ฟ๐—ผ๐˜ƒ๐—ถ๐—ฑ๐—ถ๐—ป๐—ด ๐—ณ๐—ถ๐—ป๐—ฎ๐—ป๐—ฐ๐—ถ๐—ฎ๐—น ๐˜€๐—ฒ๐—ฟ๐˜ƒ๐—ถ๐—ฐ๐—ฒ๐˜€ – ๐—š๐—ฒ๐—ป๐—ฒ๐—ฟ๐—ฎ๐—น ๐—œ๐—ป๐˜€๐˜‚๐—ฟ๐—ฎ๐—ป๐—ฐ๐—ฒ ๐—ฎ๐˜‚๐˜๐—ต๐—ผ๐—ฟ๐—ถ๐˜€๐—ฎ๐˜๐—ถ๐—ผ๐—ป๐˜€

Financial services laws are designed to protect consumers. The 1st layer of protection is the need to hold an AFS Licence. Unless you are an AR of a Licensee or can rely upon an exemption you need to hold an AFS Licence to provide general insurance financial services.

Licence authorisations

The 3 authorisations relevant for GI are:

1. Providing financial product advice, this may be restricted to general product advice;

2. Dealing in general insurance products by: issue, apply for, acquire, vary or dispose of; and/or apply for, acquire, vary, or dispose of on behalf of another;

3. Provide a claims handling & settling service

to Retail &/or Wholesale clients.

What authorisation do you need?

APRA-regulated insurers – although authorised by APRA to carry on insurance business in Australia, insurers require an AFS Licence when providing financial services unless relying upon the Wholesale client exception. Insurers generally need all 3 authorisations although dealing is limited to the issuing authority & the claims authorisation does not include representing a person making a claim.

Underwriting Agencies – depending on their binder/agency agreement will generally require the same authorisations as insurers. If the MGA places the business in the open market (ie not under a binder) they will require the dealing authorisation ‘on behalf of another’.

Insurance brokers – require financial product advice & dealing on behalf of another authorisation only. Brokers can rely on the claims exemption provided they arranged the contract of insurance or are acting under a letter of appointment. Brokers also require the Licence condition permitting them to use the restricted terms associated with insurance broking.

TPAs – will require the same claim authorisations as insurers, as the TPA acts on behalf of insurers as an ‘Insurance claims Manager’.

Claimant Intermediaries act on behalf of insureds & will require a Claims authorisation limited to making a recommendation; assisting & representing a person making a claim.

Claim Service Suppliers & insurance fulfilment providers, acting on behalf of insurers, generally do not require a licence as they can rely on exemptions. In these cases it’s necessary to examine the authority they have from insurers/MGA.

What happens if you provide financial services without a Licence?

It is an offence to provide financial services without a licence (or acting as an AR or relying on an exemption). It is also an offence to hold out that you hold an AFS Licence if you do not. Ensuring that you hold the correct AFS Licence authorisations & conditions is critical when providing (or intending to provide) financial services in Australia.