Placing business with an unauthorised foreign insurer

Brokers generally place business with Insurers and Lloyd's underwriters authorised under the Insurance Act (sections 12 and 93 respectively). This includes a foreign general insurer who is authorised under section 12 of the Act. The purpose of being APRA authorised to carry on insurance business in Australia is to protect our local market and policyholders. There are inherent protections in the Insurance Act and through the Prudential Standards issued by APRA. This protection flows through to an Underwriting Agency or Lloyd's Coverholder who acts on behalf of an APRA regulated insurer (including Lloyd's underwriters). Additional consumer protection arises under financial service laws.

When can an Insurance Broker place business with an Unauthorised Foreign Insurer (UFI)?

Our laws recognise that the Australian market relies on the global insurance market to adequately meet the needs and requirements of Australian businesses, hence there is a mechanism available to use a UFI (or DOFI) in certain circumstances. Section 3A of the Insurance Act and the Insurance Regulations 2024 provide 4 exemptions:

- High-value clients;
- Insurance for atypical (or unusual) risks;
- Insurance required by foreign law; and
- Risks that cannot be reasonably placed in the Australian market.

High-value clients

A person is a high‑value insured at a time (the test time) in a financial year if:

(a) the average of the person’s Australian operating revenue for the 3 previous financial years is at least $200 million; or
(b) the average of the person’s gross Australian assets for the 3 previous financial years is at least $200 million; or
(c) the average of the person’s number of Australian employees for the 3 previous financial years is at least 500.

Insurance for atypical (or unusual) risks

This exemption applies to a contract of insurance if each risk insured under the contract is a risk of any of the following:

(a) loss or liability arising from the hazardous properties (including radioactive, toxic or explosive properties) of nuclear fuel, nuclear material or nuclear waste;
(b) loss or liability arising from the hazardous properties of biological material or biological waste;
(c) loss or liability arising from war or warlike activities (within the meaning of the Insurance Contracts Regulations 2017);
(d) loss or liability arising from a terrorist act (within the meaning of section 100.1 of the Criminal Code);
(e) liability arising from health‑care related research;
(f) loss of, or liability arising from the operation of, a space object (within the meaning of the Space (Launches and Returns) Act 2018);
(g) liability arising from the ownership or operation of an aircraft (but not loss of the aircraft or its cargo);
(h) liability and expenses arising from a person owning, chartering, managing, operating or being in possession of a vessel other than a pleasure craft (within the meaning of subsection 9A(2) of the Insurance Contracts Act 1984);
(i) loss or liability arising from equine mortality or fertility and related risks. However, this does not apply to Equestrian packages (as defined in the Reg);
(j) loss or liability incidental to a loss or liability mentioned in paragraphs (a) to (i).

Insurance required by foreign law

If a law of a foreign country requires that the […]

Demystifying the roles and responsibilities of a Responsible Manager

The obligation (also refer RG 105)

If you are an AFS licensee, you must maintain the competence to provide the financial services covered by your AFS licence: see s912A(1)(e) of the Corporations Act. ASIC refers to this obligation as the ‘organisational competence obligation’. This is because this obligation requires you to be competent at the organisational level. You need to nominate responsible managers who:

- are directly responsible for significant day-to-day decisions about the ongoing provision of your financial services;
- together, have appropriate knowledge and skills for all of your financial services and products; and
- individually, meet one of the five options for demonstrating appropriate knowledge and skills (Table 1 RG 105).

If you breach or are likely to breach the organisational competence obligation, you may need to notify ASIC of that breach: see s912DAA.

Nominating responsible managers

The people you nominate as responsible managers must have direct responsibility for significant day-to-day decisions about your financial services. In the context of general insurance, together your responsible managers must have the skills & knowledge in:

- providing financial product advice or general advice only; and/or
- dealing in a general insurance product, including (a) issuing [typically insurers or underwriting agencies] or (b) on behalf of another person [typically insurance brokers]; and/or
- claims handling and settling services (a) by an insurer or acting on behalf of the insurer [typically underwriting agencies or insurance claim managers] or (b) on behalf of the insured [claimant intermediaries].

The number of people you need to nominate as responsible managers will depend on the nature, scale and complexity of your business. However, ASIC expects that you will nominate at least two responsible managers. If you are heavily dependent on the competence of one or two responsible managers (e.g. in a small organisation with one or two principals), ASIC will generally impose a ‘key person’ condition on your AFS licence.

Tips to assist in meeting your personal obligations

As a responsible manager you need to stay across the business operations. I provide the following practical advice to my clients:

- all responsible managers should work together as a team, regularly meeting to exchange views and observations and share concerns
- receive regular risk & compliance dashboard reporting – complaints, incidents & breaches, QA & audit outcomes, control breakdowns, breach remediation & rectification updates, control testing outcomes, risk profiles & training completion
- keep across industry issues such as AFCA complaints & regulatory and Code reviews
- engage with the internal risk and compliance committee, CRO, directors, management & external auditors
- be curious – ask questions
- look behind the data, what is it telling you? A lack of data is not healthy
- the effectiveness of your compliance arrangements and monitoring program to meet licence, regulatory and Code obligations
- the adequacy of your incident & breach reporting and dispute resolution systems.

Notifying ASIC of changes to your responsible managers

You must advise ASIC within 30 business days of adding or removing a responsible manager. You need to complete the relevant sections of Form FS20 and lodge it […]

Aligning compliance obligations to the customer journey

It can be difficult for insurers, underwriting agencies, insurance brokers and other distributors to consistently meet compliance obligations to customers, especially when processes are not automated. A simple way to think about compliance obligations is to align them to the customer journey. This can be reduced to a 1 page ready-reckoner for all sales staff, account executives, business development managers & authorised representatives.

Pre-appointment or pre-purchase

During this stage of the customer journey the customer is considering their insurance needs and may engage an insurance broker or shop around online.

- Insurance brokers, who are NIBA members and subscribe to the Insurance Brokers Code of Practice, must provide a Terms of engagement to a prospective client who agrees to engage the broker.
- Underwriting Agencies or Insurers selling direct must not engage in misleading or deceptive conduct, whether through their website, advertising or otherwise, & must comply with the hawking prohibitions in respect of retail clients. These obligations also apply to Insurance Brokers.
- Referrers of Agencies, Insurers or Brokers can only ‘refer’ the client to the financial service provider and must disclose any payment for the referral.
- All licensees & ARs must be efficient, honest & fair when providing their financial services.
- Insurers and their distributors, under the GI Code, must be honest, efficient, fair, transparent & timely in all dealings with the customer.
- NIBA Insurance Brokers must act honestly and with integrity in all dealings with clients under the Insurance Brokers Code.
- All staff must be trained and competent to provide the financial services.

Purchasing general insurance products

Before providing the financial services, a licensee or authorised representative must provide an FSG if the services are to be provided to a Retail client. Having said that, it’s best practice to provide an FSG to all clients.

Before providing any financial product advice, a general advice warning must be provided to a retail client if providing general advice, and brokers providing personal advice must be aware of the modified best interest duty for general insurance & provide a Statement of Advice for sickness & accident insurance.

In addition, for retail product distribution, insurers and Agencies must ensure that a TMD is available, usually on their website, and that the direct sales process is aligned to the TMD. Brokers must ensure they distribute the insurance products in accordance with the TMD.

The sales process

Where relevant, the deferred sales-model for add-on insurance must be complied with where an insurance product is sold or offered for sale at the time of purchasing a primary product and an insurance product exemption does not apply.

At the start of the sales process the underwriting agency or insurer must determine whether the general insurance product is a consumer insurance contract; if so, the insured’s duty to take reasonable care not to make a misrepresentation applies, otherwise the duty of disclosure applies. Brokers should note to take care when commencing renewal activities to clarify with the agency or insurer whether the product is being treated as a consumer insurance contract (in […]

The Passion of Compliance

I was talking to my ‘coffee guy’ at my local cafe this morning (he is also a small business owner) about how well my compliance business is travelling and he commented, ‘it’s because you love what you do.’ As I was walking back home, sipping my coffee (pure bliss), I reflected on his comment and how it aligned to my compliance mantra: the purpose of compliance is to ‘protect what matters’.

Protecting what matters

Compliance is about placing ‘what matters’ at the heart of everything we do & building layers of protection around that heart. What matters? Our customers & clients, our people, our business, our business partners & stakeholders and the wider community.

The pillars of compliance provide the foundation for the layers of protection. The 4 pillars of compliance are:

- Governance & frameworks
- People & culture
- Procedures & process
- Systems & reporting

Each of these 4 pillars works together to provide robust compliance arrangements.

Protecting what matters is designed on a fortress of layers of protection:

- Compliance arrangements
- People
- Monitoring program
- Culture

The Compliance model for General Insurance is represented diagrammatically:

The importance of people

As you will observe from the Compliance Model, people are critical to the strength of the Compliance Model. People include employees, directors, authorised representatives, service suppliers & fulfillment providers: anyone who is providing the financial services on your behalf.

We need people to:

- identify and self-report incidents and complaints quickly;
- follow process and procedures (doing the right thing);
- meet their continual development training requirements;
- understand the obligations that apply to their business area;
- test the controls that manage the obligations applying to their area;
- genuinely care about protecting the business, customers, colleagues and partners;
- close out gaps identified through reviews, monitoring and audit activities; and
- generally be compliance-focused.

Simply, without people, the Compliance model collapses and harm & detriment results:

- complaints & breaches increase
- regulator scrutiny of the business intensifies
- business partners raise issues and concerns
- customers are impacted
- management time is lost focusing on customer remediation and rectification
- reputational & financial impacts are felt
- the risk of civil penalties
- naming & shaming
- the risk of banning & disqualification
- the risk of product stop orders

Simply, trust is eroded.

The test of ‘engaged people’

A simple test of whether your people are truly engaged in compliance is to look at your registers: incidents, breaches, complaints, conflicts, training etc. Are they well populated, indicating that people are engaged, taking an active role in compliance, and compliance is part of what we do around here, or are they empty or contain a small number of entries? Do people actively attend compliance training? Do people actively close out issues ahead of time? Do people view compliance as an addition to their role or as part of their role? Do leaders talk about the importance of compliance in the same tone & passion as when they talk about their family and other things they love, care about & want to protect?

Connecting the heart with the […]

The importance of Governance in General Insurance

Governance is a system that provides a framework for managing organisations. It identifies who can make decisions, who has the authority to act on behalf of the organisation and who is accountable for how an organisation and its people behave and perform.

A simple illustration of good governance is the doctrine of the separation of powers. The doctrine of the separation of powers divides the institutions of government into three branches: legislative, executive and judicial. The legislature makes the laws; the executive puts the laws into operation; and the judiciary interprets the laws.

Governance is about the time you dedicate to working ‘on’ your business, rather than ‘in’ it. This includes all the checks and balances you put in place to ensure your business runs smoothly, meets its objectives, stays out of trouble and protects the things that matter (your business, people, customers, business partners and other key stakeholders).

The elements of Governance for General Insurance

A system of good Governance comprises the following elements:

- A framework approach – frameworks provide a system of consistency of approach, ensuring that an operating rhythm is created for risk & compliance. A framework ensures that the risk & compliance measures of a business evolve as the business grows & adapts to internal & external change.
- Roles and responsibilities – clarity and accountability of who does what is important – ‘doing, monitoring and oversight’ require separate & independent people, boards or committees with a specific focus and purpose (documented through position descriptions and charters). Examples of roles & responsibilities in insurance include directors, officers, responsible persons (FAR), responsible managers (AFSL) and fit & proper people (AFSL). Aligned to roles and responsibilities are delegated authority, the 3 lines of defence model & reporting lines.
- Delegated authorities – the key to DA is the source of ultimate authority. Typically this will be the Board, SOOA (for foreign insurers) or business owner(s). Authority provides a mechanism to manage decision-making. Authorities (underwriting, claims, financial, strategy etc) are linked to experience, skills and knowledge, therefore ensuring decisions are being made by the appropriate people. The key to delegated authority is that you can’t give (authority) what you don’t have.
- 3 lines of defence model – conceptually, the 3 lines of defence model continues to be the fundamental cornerstone of good governance across general insurance. The 1st line, typically business operations, manages risk & compliance, the 2nd line provides frameworks, oversight, monitoring and advice, while the 3rd line is Internal Audit. Significantly, APRA Prudential Standards create the role of the Auditor with reporting obligations to the Board and separate & distinct obligations to APRA, ensuring a degree of independence. The key to the 3 lines of defence model is based on the doctrine of the separation of powers – each line is separate to and with a degree of independence from the other lines.
- Reporting lines – it’s critical that organisation structures and reporting lines enable unfettered ability to perform work and discharge responsibilities. For example, 2nd line risk […]

The benefits of mapping key insurance processes to manage the risk of disruption to your business

The white noise associated with APRA Prudential Standard CPS 230 in connection with material service providers has tended to distract from the benefits of CPS 230. It should be remembered that CPS 230 includes an amalgamation of 2 existing prudential standards:

- CPS 231 Outsourcing; and
- CPS 232 Business continuity management.

With effect from July 2025, outsourcing and business continuity management for general insurers will be governed by CPS 230. CPS 230 requirements only apply to General Insurers who are authorised by APRA under section 12 of the Insurance Act. However, CPS 230 and the associated Prudential Practice Guide CPG 230 (PPG CPG 230) provide very useful guidance and information for anyone operating a business in general insurance, including Underwriting Agencies, TPAs, Insurance Brokers and service providers. It should be remembered that holders of an AFS Licence must have adequate risk management systems. Business continuity and outsourcing are a critical part of risk management.

Process mapping material business processes

APRA expects that, in implementing CPS 230, a prudent general insurer would start with the identification of its critical operations. A general insurer would (see paragraph 2 PPG CPG 230):

a) identify its critical operations (note that claims processing is a deemed critical business operation for an insurer; however, any other critical operation must also be identified);
b) set tolerance levels for disruption of these critical operations; and
c) identify the processes and resources needed to deliver these critical operations, including material service providers.

Identification of critical (or material) business operations is a very sensible starting point.

Business continuity steps

As mentioned, business continuity applies not only to general insurers but is also relevant for Underwriting Agencies, TPAs, Insurance brokers and anyone providing general insurance products or services. Here are some simple steps to get you started:

- Identify, at an enterprise level, material business activities such as distribution, underwriting, claims, broking, complaints, information management, marketing etc.
- For each of the material business activities, map out the end-to-end, 5-10 key sub-activities that, combined, enable the material business activity to be delivered. As an example, think about the end-to-end process for claims: FNOL, assessment, claim decision etc.
- Consider each of the sub-activities in terms of people, IT, process, outsourcing & information (collectively resources). This provides a matrix of sub-activities x resources needed to deliver your material business activities. This information alone provides very useful insights into managing your business and business risks.
- Consider the tolerance level for each of the sub-activities in the event of a disruption to any of the identified resources. Tolerances should be set based on (refer PPG 230 paragraph 32):
  - the impact on customers and other stakeholders of a disruption;
  - the financial and reputational impact on your business from a prolonged or material disruption;
  - the financial and reputational impact on the broader financial system, including any flow-on effects or contagion;
  - legal or regulatory requirements; and
  - recovery objectives.

Factors to consider when setting tolerances include (refer Table 4 PPG CPG 230): (i) the maximum allowable disruption period; (ii) the minimum […]

Returning to work – kick-starting compliance in general insurance

Compliance never sleeps; however, it may slow down while we take a well-deserved break. How do you kick-start compliance to ensure that compliance is protecting what matters – your business, people, customers, business partners and other key stakeholders? There are a few simple steps that you should take.

- Incidents are a critical source of information, including as an early-warning system for potential breaches. It’s important that staff, authorised representatives and material service providers are reminded of their obligations to raise and report incidents. This could be as simple as an email with a FAQ, checklist, link to the incident management system etc and through leader-led team meetings.
- Complaints go hand-in-hand with incidents as a critical source of information and business continual improvement, in addition to meeting obligations under RG 271 and Code. A quick refresher to staff and representatives in combination with incidents is all that is needed to get complaints back to front-of-mind.
- Storm season – most teams are returning to full resourcing during the middle of storm season in Australia, therefore transitioning back to a sense of heightened alert is critical. A reminder of event plans at a team morning tea is a great refresher to shift minds from holiday mode to event readiness mode. This includes IDR teams and service providers.
- Regulatory change projects – it’s likely that CPS 230, Privacy Act amendments and other regulatory changes were paused over the break. It’s time to reignite the projects and enthuse the teams. A workshop to recap the purpose, the plan & timeframe, the successes achieved to date and what lies ahead is an awesome way to get the wheels of the project team spinning again and moving the project ahead with a sense of urgency.
- Monitoring of internal teams, authorised representatives, material service providers and any other person providing insurance services or products on your behalf is essential to ensure that obligations are being met and that compliance measures are operating effectively to protect the business & customers. January is a great time to revisit your Monitoring program and pause to reflect on its effectiveness in meeting AFSL, Code and upcoming CPS 230 requirements. Don’t have a Monitoring Program? January is also a great time to develop and implement a tailored monitoring program (contact me for assistance).
- ASIC IDR data reporting – it’s time to submit an IDR report to ASIC for the reporting period 1 July to 31 December. A two-month submission window is now open and closes end of February. Failure to report IDR data is a reportable situation to ASIC. Contact me for assistance or read more about your IDR data reporting obligations here.
- Training – if you are half-way through your financial year or at the end of your calendar year, it’s nevertheless a good time to review how your staff are progressing with their training. It’s mandatory for AFS Licensees to maintain a training register, so it should be a relatively easy exercise to see who is lagging and needs a gentle reminder about the importance of […]

The general obligations of an AFS Licensee in General Insurance

Financial services relevant for general insurance are:

- providing financial product advice;
- dealing in a financial product; and
- providing a claims handling and settling service.

Section 912A(1) of the Corporations Act (also refer RG 104) sets out the general obligations that an AFS licensee in general insurance must comply with:

(a) A licensee must do all things necessary to ensure that the financial services covered by the licence are provided efficiently, honestly and fairly. This is a broad and overarching obligation. Generally speaking, a failure by an insurer to act with the utmost good faith (under the Insurance Contracts Act) would also be a failure to provide the financial services efficiently, honestly and fairly. Subscribing to and complying with the standards and timeframes of the General Insurance Code of Practice or Insurance Brokers Code of Practice is typically a strong indicator of a commitment to providing the financial services efficiently, honestly and fairly (refer ASIC INFO 253).

(aa) A licensee must have in place adequate arrangements for the management of conflicts of interest that may arise wholly, or partially, in relation to activities undertaken by the licensee or a representative of the licensee in the provision of financial services as part of the financial services business of the licensee or the representative. The 3 ways to manage conflicts are (refer RG 181):

- disclosing the conflict;
- managing the conflict through controls; and/or
- avoiding the conflict.

(b) A licensee must comply with the conditions on the licence.

(c) A licensee must comply with the financial services laws. These laws include:

- Corporations Act
- ASIC Act
- Insurance Contracts Act
- Insurance Act (plus a number of other Acts applying specifically to general insurers)
- Privacy Act

(ca) A licensee must take reasonable steps to ensure that its representatives comply with the financial services laws. Representatives include employees or directors of the licensee or of a related body corporate of the licensee, authorised representatives and any other person acting on behalf of the licensee. This is often referred to as the ‘monitoring obligation’ and should be incorporated in a Monitoring program that also includes CPS 230 (for general insurers in context of material service providers) and the responsibilities under the GI Code & Brokers Code for the conduct of employees, authorised representatives, distributors and service suppliers.

(d) A licensee must have available adequate resources (including financial (refer RG 166), technological and human resources (refer RG 104)) to provide the financial services covered by the licence and to carry out supervisory arrangements. Note that this requirement does not apply to APRA regulated insurers. General insurers authorised under section 12 of the Insurance Act (including foreign general insurers) must comply with APRA Prudential Standards such as CPS 220, CPS 230 and CPS 234, while Lloyd's underwriters (authorised under section 93 of the Insurance Act) must comply with the FCA UK Prudential Standards.

(e) A licensee must maintain the competence to provide those financial services. This obligation requires that the licensee must have sufficient Responsible Managers […]

ASIC & authorised representatives – lessons for Insurance Brokers

ASIC’s investigation into Sanlam Private Wealth Pty Ltd (Sanlam) uncovered concerns that the AFS licensee had breached its general obligations, including by failing to adequately supervise its many authorised representatives and corporate authorised representatives. (ASIC Media Release MR 24-290)

ASIC Deputy Chair Sarah Court said, ‘At one point, Sanlam had 42 CARs and 71 authorised representatives operating under its licence. Despite this, it had plainly inadequate resources and processes to ensure its diverse cohort of authorised entities complied with the law and to oversee those who used its licence to offer risky financial products to retail clients.

‘Licensees like Sanlam must have robust compliance processes that are fit-for-purpose to ensure that those who operate under their licence comply with the law and don’t place Australian investors at risk.’

Sanlam admitted to breaching its licensee obligations and provided a court enforceable undertaking to ASIC. Under section 93AA of the ASIC Act, Sanlam has offered, and ASIC has agreed to accept as an alternative to pursuing civil penalty proceedings, the undertakings.

Insurance brokers

Insurance brokers often use a network of authorised representatives as a viable business model. An insurance broker, as an AFS licensee, must monitor its authorised representatives and ensure they comply with financial service laws & are trained & competent. Additionally, under the NIBA Code of Practice, brokers must ensure authorised representatives comply with the Code.

The undertakings to ASIC in the Sanlam case provide some useful insights for insurance brokers:

- Due diligence must be undertaken and continue on an ongoing basis to review the ARs’ suitability to operate under the broker’s AFSL;
- A formalised & systematic review process must be implemented to assess whether employees and ARs are complying with financial service laws;
- Informal processes and self-reporting by ARs are not, of themselves, adequate as a supervisory mechanism;
- Brokers must have adequate human resources directed to risk management or overseeing an effective review programme to monitor ARs (my observation – the ‘adequacy of human resources’ should be included as a standing agenda item for the broker’s Risk & Compliance Committee);
- Brokers should develop a human resourcing plan consistent with their current and future needs;
- Brokers should have an adequate, documented succession plan when heavily dependent on 1 or 2 people and especially when a ‘key person requirement’ condition is included on their licence;
- Brokers must have an adequate number of Responsible Managers for the number and breadth of ARs, and those Responsible Managers must devote sufficient time to effectively discharge their duties as a responsible manager;
- Brokers must also adequately document and implement processes to ensure they have the appropriate number of suitably qualified RMs having regard to the financial services provided, the complexity of those services, as well as the number and breadth of ARs authorised. There also needs to be an adequate and structured process to assess the ongoing suitability of their RMs (my observation – the ‘suitability of responsible managers’ should be included as a standing agenda item for the broker’s Risk & Compliance Committee);
- Brokers must implement a […]

Paul’s 10 ‘Rules of thumb’ for General Insurance compliance

Compliance in General Insurance can be complex. Over the years I have developed Paul’s ‘Rules of Thumb’ to assist in simplifying compliance for my clients. Naturally, when considering compliance arrangements the complete obligation needs to be considered; however, the following can be adopted by front-end staff as a mantra.

1. Start with Codes – when designing compliance arrangements, start with the GI Code and/or Insurance Brokers Code. Codes go beyond the law and are customer friendly; the end result is a more dynamic and customer experience based compliance approach. It is still necessary to bring in financial service laws; however, starting with Codes assists in developing a customer centric approach to compliance.
2. Align disclosures with the customer experience – aligned with Rule of Thumb 1, General Advice Warnings, FSG, PDS and many other obligations for Retail Clients have timing requirements (when to provide the notice or warning). Aligning these compliance requirements with the customer sales experience provides a more meaningful & contextual approach for front-end staff.
3. APRA or ASIC – APRA is primarily focused on policyholder protection (carrying on insurance business in Australia) while ASIC is primarily concerned with consumer protection (carrying on a financial services business in Australia).
4. Advice – when a sales person or distributor or broker or underwriter talks to a client/customer, assume they are providing advice.
5. Cash Settlement Fact Sheet (CSFS) – if a PDS has been provided to a client, & that PDS states that claim settlement options include repair or replace, a CSFS will be required to be provided when settlement is to be via a cash settlement.
6. An incident is where something has happened that wasn’t supposed to happen. The intention is for front-end staff to report as many incidents as possible. A trained person can then filter/triage as necessary.
7. A complaint is where a customer is not satisfied with an outcome. The intention is for front-end staff to report as many complaints as possible. A trained person can then filter/triage as necessary.
8. Commissions are an inherent conflict of interest, and must be managed accordingly through disclosure, control(s) or avoiding.
9. Financial Service laws are technology-neutral; the obligation applies irrespective of whether performed by a human or technology (including AI).
10. If in [compliance] doubt, speak to Paul.

The key theme from my ‘Rules of Thumb’ is to create simple, meaningful messages for front-end staff as a quick reminder of important compliance obligations. Engaging with customers and clients can be challenging, with complex problems requiring a solution. Simple tips and messaging enable compliance to be part of the solution.