News

Compliance never sleeps however it may slow down while we take a well-deserved break. How do you kick-start compliance to ensure that compliance is protecting what matters – your business, people, customers, business partners and other key stakeholders? There’s a few simple steps that you should take. Incidents are a critical source of information including as an early-warning system for potential breaches, its important that staff, authorised representatives and material service providers are reminded of their obligations to raise and report incidents. This could be as simple as an email with a FAQ, checklist, link to the incident management system etc and through leader-led team meetings complaints go hand-in-hand with incidents as a critical source of information and business continual improvement in addition to meeting obligations under RG 271 and Code. A quick refresher to staff and representatives in combination with incidents is all that is needed to get complaints back to front-of-mind. Storm season, most teams are returning to full resourcing during the middle of storm season in Australia therefore transitioning back to sense of heightened alert is critical. A reminder of event plans at a team morning tea is a great refresher to shift minds from holiday mode to event readiness mode. This includes IDR teams and service providers. Regulatory change projects – it’s likely that CPS 230, Privacy Act amendments and other regualtory changes were paused over the break. It’s time to reignite the projects and enthuse the teams. A workshop to recap the purpose, the plan & timeframe, the successes achieved to date and what lies ahead, is an awesome way to get the wheels of the project team spinning again and moving the project ahead with a sense of urgency. Monitoring, of internal teams, authorised representatives, material service providers and any other person providing insurance services or products on your behalf is essential to ensure that onbligations are being met and that compliance measures are operating effectively to protect the business & customers. January is a great time to revisit your Monitoring program and pause to reflect on its effectiveness in meeting AFSL, Code and upcoming CPS 230 requirements. Don’t have a Monitoring Program? January is also a great time to develop and implement a tailored monitoing program (contact me for assistance) ASIC IDR data reporting, its time to submit an IDR report to ASIC for the reporting period 1 July to 31 December. A two-month submission window is now open and closes end of February. Failure to report IDR data is a reportable situation to ASIC. Contact me for assistance or read more about your IDR data reporting obligations here Training, if you are half-way through your financial year or at the end of your calendar year it’s nevertheless a good time to review how your staff are progressing with their training. It’s mandatory for AFS Licensees to maintain a training register so it should be a relatively easy exercise to see who is lagging and needs a gentle requirement about the importance of […]

Financial services relevant for general insurance are: providing financial product advice; dealing in a financial product; and providing a claims handling and settling service. Section 912A(1) Corporation Act (also refer RG 104) sets out the general obligations that a AFS licensee in general insurance must comply with: (a) A licensee must do all things necessary to ensure that the financial services covered by the licence are provided efficiently, honestly and fairly. This is a broad and overarching obligation. Generally speaking an insurer who fails to act with the utmost good faith (under the Insurance Contract Act) would also be a failure to provide the financial services efficiently, honestly and fairly. Subscribing to and complying with the standards and timeframes of the General Insurance Code of Practice or Insurance Brokers Code of Practice are typically a strong indicator of a commitment to providing the financial services efficiently, honestly and fairly (refer ASIC INFO 253). (aa) A licensee must have in place adequate arrangements for the management of conflicts of interest that may arise wholly, or partially, in relation to activities undertaken by the licensee or a representative of the licensee in the provision of financial services as part of the financial services business of the licensee or the representative. The 3 ways to manage conflicts are (refer RG 181): – disclosing the conflict; – managing the conflict through controls; and/or – avoiding the conflict (b) A licensee must comply with the conditions on the licence (c) A licensee must comply with the financial services laws. These laws include: – Corporations Act – ASIC Act – Insurance Contracts Act – Insurance Act (plus a number of other Acts applying specifically to general insurers) – Privacy Act (ca) A licensee must take reasonable steps to ensure that its representatives comply with the financial services laws. Representatives include employees or directors of the licensee or of a related body corporate of the licensee , authorised representatives and any other person acting on behalf of the licensee. This is often referred to as the ‘monitoring obligation’ and should be incorporated in a Monitoring program that also includes CPS 230 (for general insurers in context of material service providers) and under the GI Code & Brokers Code responsibilites for the conduct of employees, authorised representatives, distributors and sevice suppliers (d) A licensee must have available adequate resources (including financial (refer RG 166), technological and human resources (refer RG 104)) to provide the financial services covered by the licence and to carry out supervisory arrangements. Note that this requirement does not apply to APRA regulated insurers. General insurers authorised under section 12 of the Insurance Act (including foreign general insurers) must comply with APRA Prudential Standards such as CPS 220, CPS 230 and CPS 234 while Lloyds underwriters (authorised under section 93 of the Insurance Act) must comply with the FCA UK Prudential Standards. (e) A licensee must maintain the competence to provide those financial services. This obligation requires that the licensee must have sufficient Responsible Managers […]

ASIC’s investigation into Sanlam Private Wealth Pty Ltd (Sanlam) uncovered concerns that the AFS licensee had breached its general obligations, including by failing to adequately supervise its many authorised representatives and corporate authorised representatives. (ASIC Media Release MR 24-290) ASIC Deputy Chair Sarah Court said, ‘At one point, Sanlam had 42 CARs and 71 authorised representatives operating under its licence. Despite this, it had plainly inadequate resources and processes to ensure its diverse cohort of authorised entities complied with the law and to oversee those who used its licence to offer risky financial products to retail clients. ‘Licensees like Sanlam must have robust compliance processes that are fit-for-purpose to ensure that those who operate under their licence comply with the law and don’t place Australian investors at risk.’ Sanlam admitted to breaching its licensee obligations and provided a court enforceable undertaking to ASIC. Under section 93AA of the ASIC Act, Sanlam has offered, and ASIC has agreed to accept as an alternative to pursuing civil penalty proceedings, the undertakings. Insurance brokers Insurance brokers often use a network of authorised representatives as a viable business model. An insurance broker, as an AFS licensee, must monitor its authorised representatives and ensure they comply with financial service laws & are trained & competent. Additionally, under the NIBA Code of Practice, brokers must ensure authorised representatives comply with the Code. The undertakings to ASIC in the Sanlam case provide some useful insights for insurance brokers: Due diligence must be undertaken and continue on an ongoing basis to review the ARs’ suitability to operate under the brokers AFSL; A formalised & systematic review process must be implemented to assess whether employees and AR’s are complying with financial service laws; Informal processes and self-reporting by AR’s, of itself, is not adequate as a supervisory mechanism; Brokers must have adequate human resources directed to risk management or overseeing an effective review programme to monitor ARs (my observation – the ‘adequacy of human resources’ should be included as a standing agenda item for the brokers Risk & Compliance Committee); Brokers should develop a human resourcing plan consistent with its current and future needs; Brokers should have an adequate, documented succession plan when heavily dependent on 1 or 2 people and especially when a ‘key person’ requirement’ condition is included on their licence; Brokers must have an adequate number of Responsible Managers for the number and breadth of ARs and must devote sufficient time to effectively discharge their duties as a responsible manager; Brokers must also adequately document and implement processes to ensure they have the appropriate number of suitably qualified RMs having regard to the financial services provided, the complexity of those services, as well as the number and breadth of ARs authorised. There also needs to be an adequate and structured process to assess the ongoing suitability of its RMs. (my observation – the ‘suitability of responsible managers’ should be included as a standing agenda item for the brokers Risk & Compliance Committee) Brokers must implement a […]

Compliance in General Insurance can be complex. Over the years I have developed Paul’s ‘Rules of Thumb’, to assist simplying compliance for my clients. Naturally, when considering compliance arrangements the complete obligation needs to be considered however, the following can be adopted by front end staff as a mantra. Start with Codes – when designing compliance arrangements, start with the GI Code and/or Insurance Brokers Code. Codes go beyond the law and are customer friendly, the end result is a more dynamic and customer experience based compliance approach. It is still necessary to bring in financial service laws however starting with Codes assists in developing a customer centric approach to compliance. Align dislosures with the customer experience – aligned with Rule of Thumb 1, General Advice Warnings, FSG, PDS and many other obligations for Retail Clients have timing requirements (when to provide the notice or warning). Aligning these compliance requirements with the customer sales experience provides a more meaningful & contextual approach for front-end staff. APRA or ASIC– APRA is primarily focused on policyholder protection (carrying on insurance business in Australia) while ASIC is primarily concerned with consumer protection (carrying on a financial services business in Australia). Advice – when a sales person or distributor or broker or underwriter talks to a client/customer, assume they are providing advice. Cash Settlement Fact Sheet (CSFS) – If a PDS has been provided to a client, & that PDS states that claim settlement options include repair or replace, a CSFS will be required to be provided when settlement is to be via a cash settlement. An incident is where something has happened that wasn’t supposed to happen. The intention is for front-end staff to report as many incidents as possible. A trained person can then filter/triage as necessary. A complaint is where a customer is not satisfied with an outcome. The intention is for front-end staff to report as many complaints as possible. A trained person can then filter/triage as necessary. Commissions are an inherent conflict of interest, and must be managed accordingly through disclosure, control(s) or avoiding. Financial Service laws are technology-neutral, the obligation applies irrespective of whether performed by a human or technology (including AI). If in [compliance] doubt, speak to Paul. The key theme from my ‘Rules of Thumb’ is to create simple, meaningful messages for front-end staff as a quick reminder of important compliance obligations. Engaging with customers and clients can be challenging with complex problems requiring a solution. Simple tips and messaging enables compliance to be part of the solution.

ASIC Report 798, Beware the gap: Governance arrangements in the face of AI innovation, identified the most common uses of AI for insurance claims as: Supporting the claims process: Claims triaging, decision engines to support claims staff, document indexation, identifying claims for cost recovery; and Automating a component of the claims decisioning process, but humans remain responsible for overall claims decision. and emerging uses as: The use of generative Al and natural language processing techniques to extract and summarise key information from claims, emails and other key documents. Financial service laws are technology neutral therefore when providing claims handling and settling services using AI, the general obligation to provide those services ‘efficiently, honestly and fairly’, remains. Providing claims handling and settling efficiently, honestly and fairly ASIC INFO 253 provides guidance on providing claims handling and settling efficiently, honestly and fairly. To satisfy this obligation, you will generally need to handle and settle insurance claims: in a timely way; in the least onerous and intrusive way possible; fairly and transparently; and in a way that supports consumers, particularly ones who are experiencing vulnerability or financial hardship Australia’s AI Ethics Principles The incorporation of the eight Australian AI Ethics Principles in AI policies and procedures is supported by ASIC, and should be used when adopting AI in claims processing. The 8 AI Ethics Principles are: Human, societal and environmental wellbeing: AI systems should benefit individuals, society and the environment. Human-centred values: AI systems should respect human rights, diversity, and the autonomy of individuals. Fairness: AI systems should be inclusive and accessible, and should not involve or result in unfair discrimination against individuals, communities or groups. Privacy protection and security: AI systems should respect and uphold privacy rights and data protection, and ensure the security of data. Reliability and safety: AI systems should reliably operate in accordance with their intended purpose. Transparency and explainability: There should be transparency and responsible disclosure so people can understand when they are being significantly impacted by AI, and can find out when an AI system is engaging with them. Contestability: When an AI system significantly impacts a person, community, group or environment, there should be a timely process to allow people to challenge the use or outcomes of the AI system. Accountability: People responsible for the different phases of the AI system lifecycle should be identifiable and accountable for the outcomes of the AI systems, and human oversight of AI systems should be enabled. Licensees must consider their existing regulatory obligations What licensees need to do to comply with their existing regulatory obligations when using AI depends on the nature, scale and complexity of their business. It also depends on the strength of their existing risk management and governance practices. This means there is no one-size-fits-all approach for the responsible use of AI. (ASIC REP 798) ASIC provides the following examples in REP 798: Licensees must do all things necessary to ensure that financial services or credit services are provided in a way that meets all of […]

Much has been said and written about CPS 230 however, the time for talking and planning is rapidly coming to an end (& has probably passed for the large insurers). It’s time for implementation! Debunking the CPS 230 myths There continues to be some misinformation circulating about CPS 230, what it is and what it isn’t. Let’s deal with these first: What are the facts? CPS 230 (i) only applies as an obligation for insurers & (ii) only for those authorised by APRA under section 12 of the Insurance Act 1973 (Act); this means CPS 230 applies to general insurers in Australia including foreign general insurers, and does notapply to Lloyds underwriters. Lloyds underwriters are authorised under section 93 of the Act and do not come within the definition of General Insurers (s11 of the Act). Lloyds underwriters (and Coverholders) do not get a ‘free ride’. FCA UK Operational resilience rules come into effect in the UK in March 2025. Also refer to LLoyds Principle 12 Operational Resilience. The FCA rules are similar to CPS 230. CPS 230 compliance is not a complex technical issue per se. Much should already exist. It’s a resourcing issue especially the work around critical operations, process mapping, controls testing, material service providers and updating existing or creating new risk artefacts. A risk person within the CRO team of an APRA regulated insurer would be very familiar with the key CPS 230 requirements: operational risk; tolerance levels, criticial operations (& disruption thereof), outsourcing, business continuity, risk profile, control testing and scenarios. Service providers do nothave any obligations under CPS 230. CPS 230 is the insurers responsibility. The obligations for service providers manifest when they perform critical operations for the insurer (for general insurance this is claim processing) or expose the insurer to material operational risk (at a minimum, for general insurance unless justified otherwise: underwriting, claims management, insurance brokerage and reinsurance). The Service Provider obligations would be reflected in the Binder Agreement and/or Service Provider Agreement as obligations imposed on the Service Provider by the insurer. Non-compliance with CPS 230 does have significant consequences. Section 38AA of the Act requires insurers to notify APRA of certain matters. These include immediate notification of a breach of a Prudential Standard that relates to financial obligations the general insurer has to its policy holders or to the general insurer’s minimum capital requirements & for other breaches of a Prudential Standard within 10 Business Days where the breach is significant within the meaning of s 38AA(5). What should insurers be doing? As I mentioned earlier, compliance with CPS 230 requires some ‘risk-thinking’ [within risk appetite]. However, CPS 230 is more of a resource and project management challenge. There are a number of risk ‘task-based’ activities that insurers should be doing now: identify critical operations; set tolerance levels; process mapping – identify the processes and resources needed to deliver these critical operations, including material service providers; updating risk artefacts: RMF, Operational risk profiles, BCP, controls and control testing including scenario […]

A great indicator of the health of your compliance arrangements is the quantity and quality of data in your compliance registers. No data or limited data, could indicate issues with your people and/or authorised representatives and the adequacy and effectiveness of your compliance arrangements. So what registers should you have and what should you expect to see? Risk register The risk register should include the 10-15 risks that could seriously impact your business operations. They should cover (as relevant) strategic risk, reputational risk, financial risk, people risk, legal risk, regulatory risk, compliance risk, conduct risk, technology risk, data risk and change management risk. The risk register should include accountability, key controls, control testing & action plans to close out any gaps arising from control testing. The risk register (plus all other registers) should be a standing agenda item at your quarterly Risk & Compliance Committee meeting where control testing outcomes, action plans, the internal & external business environment and emerging risks are discussed. Obligations register This register is similar to the risk register but manages your compliance obligations. The register can be a stand-alone register or, for most underwriting agencies, TPA’s and insurance brokers, included as part of your Risk & Compliance Manual. The register should capture AFS Licence obligations, financial service laws (including Prudential Standards for insurers), industry Codes & obligations arising from binder & other agreements. Typically an APRA regulated insurer will have ~300 material obligations, underwriting agencies & TPAs ~130 & insurance brokers ~80. The obligations register enables a shift in focus from the large number of obligations to 20-40 key controls. You can’t manage what you don’t know, an obligations register is critical. Conflict of interest register Conflicts arise in many situations and are a normal part of conducting business. Conflicts may arise from: family or personal relationships other business interests gifts & entertainment commission & fee arrangements related companies multiple directorships roles within an organisation – operational role v member of a risk committee Financial service laws require licensees to adquately manage conflicts. This is usually by disclosure, controlling or avoiding. The conflict and the signed-off management of the conflict must be recorded in the conflicts register. Incident & breach register This register is the lifeblood of your business. People make mistakes, often. A well populated incident & breach register, covering a wide range of incidents, from a wide range of people across the business, is a sure sign of a continuous improvement culture. Incidents should be raised across all risk categories (refer risk register) just not compliance incidents. However, a compliance specialist must review the register to further investigate incidents & be on the look out for breaches or likely breaches of financial service laws or Code. Typically, APRA regulated insurers should be capturing 200-300 incidents per quarter, Underwriting agencies & TPA’s 50 -75 & insurance brokers 40 – 50. The number of incidents per quarter will be a factor of the nature, complexity & scale of your business. Complaints register If an incident […]

The obligation to have trained, competent and experienced employees arises from many different sources of obligations: AFS Licence general obligations: employees must be trained & competent and comply with financial services laws. These laws include financial service obligations in the Corporations Act, misleading & deceptive & Unfair Contract terms in the ASIC Act, APRA Prudential Standards including CPS 230 & 234, Insurance Contracts Act and Privacy Act; A person providing financial product advice must have RG 146 training. Tier 2 is sufficient for general insurance products unless the person provides product advice for sickness and accident insurance; Responsible Managers, Directors & Officers, Accountable Persons and Fit & Proper People should receive specific training based upon the requirements of each regulatory role; Under the GI Code of Practice, a requirement that employees, Distributors and Claim Service Suppliers are trained to provide their services competently; In addition, its a GI Code obligation to ensure employees are trained in respect of supporting customers experiencing vulnerability. This will most likely include trauma-based training going forward. Under the Insurance Brokers Code of Practice, a professional commitment that employees maintain & improve competency through relevant qualifications, continued education & training Also, Insurance Brokers under the Code must ensure that their employees, Authorised Representatives and agents receive appropriate education and training. ANZIIF CIP and NIBA CPD points A number of organisations use ANZIIF & NIBA methodology and points as evidence of compliance with the various training obligations. This is a great start however ANZIIF & NIBA points are part of the membership requirements for those industry bodies. By themselves, they may not meet the various regulatory obligations. Firms within General Insurance must stipulate specific training A requirement to annually achieve 20/25 hours of training for CIP or CPD purposes is a a good starting point however in order to meet the various training obligations, the training must be specific enough to meet each individual obligation. For example, a firm may mandate that employees must successfully complete 25 hours of training per year, allocated as follows: 7 hours for financial service laws An additional 3 hours for regulatory roles (responsible managers etc) 5 hours for the relevant GI or Insurance Brokers Code of Practice 3 hours on customers supporting vulnerability 5 hours on the products and services provided by the firm. The remaining hours can be left to the choice of the employee noting that ’25 hours’ is not a magical competency figure. Competency is both a subjective and objective test. Some employees, due to the complexity of their role or their inexperience, may require additional hours beyond mandatory requirements The point is that general insurance firms must mandate the nature, quality and quantity of training to be undertaken, in order to meet the various regulatory & Code obligations. Additional obligations It is a regulatory requirement that training must be recorded in a training register. This provides evidence of meeting the AFSL general obligation therefore the register should be maintained and current. Training should be provided during induction […]

More than 10,000 members and claimants of the Construction and Building Unions Superannuation Fund (Cbus) were impacted by death benefits and total and permanent disability (TPD) insurance claims taking more than 90 days to be processed, according to allegations contained in documents lodged by ASIC in the Federal Court (Media Release 24-251MR). ASIC alleges that Cbus may have contravened the following provisions of the Corporations Act: ss 912A(1)(a) & (5A) by failing to act efficiently, honestly and fairly in the handling of its members’ claims for death benefit payments and TPD insurance payments; section 912DAA(1) and (7) for failing to lodge a reportable situation report within 30 days of becoming aware of a reportable situation; and Section 1308(5) for failing to take reasonable steps to ensure the breach report lodged on 5 August 2023 was not false or misleading in a material particular. ASIC is seeking penalties, declarations, adverse publicity orders and orders for compliance matters to be implemented. What does this mean for General Insurance claims handling? There are 3 takeaways: providing claims handling efficiently, honestly & fairly; adequate resourcing & adequately trained staff; and failure to take appropriate action. Providing claims handling efficiently, honestly and fairly. As set out in ASIC INFO 253, ASIC considers that timeliness is a critical component of meeting the AFSL general obligations to provide claims handling & settling services efficiently, honestly & fairly. ASIC also consider that industry Code timeframes are useful indicators of what industry considers to be appropriate standards. In the CBUS matter, ASIC alleges that CBUS management had received reports from their outsourced material service provider that very large numbers of death & TPD claims were (1) older than 90 days & (2) even older than 365 days. Nothwithstanding this data the Board committees did not suggest any cause for alarm. Takeaway: General Insurers, Underwriting Agencies and their claim service suppliers must not only monitor timeframes under the GI Code of Practice but also take appropriate action when data shows that timeframes are consistently not being met. Adequate resourcing & adequately trained staff ASIC allege that the CBus Risk Committee were aware that the material service provider had significant staff turnover & that the provider’s claims processing staff were not adequately trained. ASIC further allege that Cbus failed to implement or adequately implement measures that would address the delays in processing death and TPD benefit claims. Insurers were on notice from ASIC ASIC wrote to insurers on 6 March 2024 ‘Obligations of general insurers: Insurance claims and severe weather events‘. In that letter, ASIC set out their expectations of insurers including Insurers are required to sufficiently resource claims handling and dispute resolution functions, and ensure staff are adequately trained. This is a general obligation for AFSL holders. Relevantly, ASIC also advised insurers our message is that ASIC is watching how insurers support their customers very closely. Evidence of significant misconduct identified through these channels may result in enforcement action. Takeaway: General Insurers, Underwriting Agencies and their claim service suppliers such […]

The requirement of CPS 230 for general insurers is that they must effectively manage operational risks, maintain critical operations through disruptions, and manage the risks arising from service providers. It’s the latter requirement that has caused recent tension, with APRA expressing concern with Insurers use of Underwriting Agencies, reminding insurers that they can outsource critical underwriting & claims functions, but not accountability. Underwriting Agencies as an AFS Licensee It’s all well & good for insurers to impose their requirements on agencies (& rightly so, to a degree) however, among all this, it should be remembered that an Agency who holds an AFSL must comply with its obligations or face severe consequences including reputational harm & civil penalties. Somewhat ironically this may potentially also ‘severly disrupt’ the insurer’s operations. An Agency, holding an AFSL must have adequate risk management systems. The requirement for risk management systems ensures that agencies explicitly identify the risks they face and have measures in place to keep those risks to an acceptable minimum. This requirement sounds remarkably similar to the CPS 230 requirement on insurers. Therein lies the answer ( lightbulb moment – I feel like a ‘tahdah’ is warranted at this point), the insurer meets its CPS 230 requirement to manage the risks arising from material service providers and the agency meets its AFSL obligation to have an adequate risk management system & manage its own risks. ASIC (in RG 104) states that a licensee’s risk management systems will depend on the nature, scale and complexity of its business and risk profile. ASIC also states that the licensee’s risk management systems will need to adapt as their business develops and business risk profile changes over time. This would include enhancing the agency’s risk management system to enable it to meet the risk of their binder agreement being terminated. Taking a step back, an insurer would eventually terminate the agencies binder agreement if they presented an unmanageable CPS 230 risk (or any risk for that matter including in respect of CPS 234 Security Information). What does an adequate risk management system look like for an insurance Underwriting Agency? The risk management system must not only cover the risks of the Agency but also, any of its representatives (such as authorised reps or distributors acting under an ASIC instrument). Risk management components: A risk identification (risk profiling) brainstorming session including relevant stakeholders (potentially the insurer(s)) assists in identifying material risks to the business; to ensure nothing is missed, risks are catergorised. CPS 230 provides assistance defining operational risk as legal risk, regulatory risk, compliance risk, conduct risk, technology risk, data risk and change management risk. To this you would add strategic/reputational risk and financial risk. Risk appetite statement (RAS) – a board/senior management approved RAS is critical to define the amount of risk the Underwriting agency is willing to accept in pursuit of its objectives, expressed against each risk category. This can be a simple 1 pager for a typical Underwriting Agency. Risks should be recorded in […]