The obligation (also refer RG 105)

If you are an AFS licensee, you must maintain the competence to provide the financial services covered by your AFS licence: see s912A(1)(e) of the Corporations Act. ASIC refers to this obligation as the ‘organisational competence obligation’, because it requires you to be competent at the organisational level.

You need to nominate responsible managers who:
– are directly responsible for significant day-to-day decisions about the ongoing provision of your financial services;
– together, have appropriate knowledge and skills for all of your financial services and products; and
– individually, meet one of the five options for demonstrating appropriate knowledge and skills (Table 1, RG 105).

If you breach or are likely to breach the organisational competence obligation, you may need to notify ASIC of that breach: see s912DAA.

Nominating responsible managers

The people you nominate as responsible managers must have direct responsibility for significant day-to-day decisions about your financial services. In the context of general insurance, your responsible managers together must have the skills & knowledge in:
– providing financial product advice or general advice only; and/or
– dealing in a general insurance product, including (a) issuing [typically insurers or underwriting agencies] or (b) on behalf of another person [typically insurance brokers]; and/or
– claims handling and settling services (a) by an insurer or acting on behalf of the insurer [typically underwriting agencies or insurance claim managers] or (b) on behalf of the insured [claimant intermediaries].

The number of people you need to nominate as responsible managers will depend on the nature, scale and complexity of your business. However, ASIC expects that you will nominate at least two responsible managers. If you are heavily dependent on the competence of one or two responsible managers (e.g. in a small organisation with one or two principals), ASIC will generally impose a ‘key person’ condition on your AFS licence.

Tips to assist in meeting your personal obligations

As a responsible manager you need to stay across the business operations. I provide the following practical advice to my clients:
– all responsible managers should work together as a team, regularly meeting to exchange views and observations and share concerns;
– receive regular risk & compliance dashboard reporting: complaints, incidents & breaches, QA & audit outcomes, control breakdowns, breach remediation & rectification updates, control testing outcomes, risk profiles & training completion;
– keep across industry issues such as AFCA complaints & regulatory and Code reviews;
– engage with the internal risk and compliance committee, CRO, directors, management & external auditors;
– be curious: ask questions;
– look behind the data: what is it telling you? A lack of data is not healthy;
– the effectiveness of your compliance arrangements and monitoring program to meet licence, regulatory and Code obligations;
– the adequacy of your incident & breach reporting and dispute resolution systems.

Notifying ASIC of changes to your responsible managers

You must advise ASIC within 30 business days of adding or removing a responsible manager. You need to complete the relevant sections of Form FS20 and lodge it […]
I was talking to my ‘coffee guy’ at my local cafe this morning (he is also a small business owner) about how well my compliance business is travelling and he commented, ‘it’s because you love what you do.’ As I was walking back home, sipping my coffee (pure bliss), I reflected on his comment and how it aligned to my compliance mantra: the purpose of compliance is to ‘protect what matters’.

Protecting what matters

Compliance is about placing ‘what matters’ at the heart of everything we do & building layers of protection around that heart. What matters? Our customers & clients, our people, our business, our business partners & stakeholders and the wider community.

The pillars of compliance provide the foundation for the layers of protection. The 4 pillars of compliance are:
– Governance & frameworks
– People & culture
– Procedures & process
– Systems & reporting

Each of these 4 pillars works together with the others to provide robust compliance arrangements. Protecting what matters is designed on a fortress of layers of protection:
– Compliance arrangements
– People
– Monitoring program
– Culture

The Compliance model for General Insurance is represented diagrammatically:

The importance of people

As you will observe from the Compliance Model, people are critical to its strength. People include employees, directors, authorised representatives, service suppliers & fulfillment providers: anyone who is providing the financial services on your behalf.

We need people to:
– identify and self-report incidents and complaints quickly;
– follow process and procedures (doing the right thing);
– meet their continual development training requirements;
– understand the obligations that apply to their business area;
– test the controls that manage the obligations applying to their area;
– genuinely care about protecting the business, customers, colleagues and partners;
– close out gaps identified through reviews, monitoring and audit activities; and
– generally be compliance-focused.

Simply, without people, the Compliance model collapses and harm & detriment results:
– complaints & breaches increase
– regulator scrutiny of the business intensifies
– business partners raise issues and concerns
– customers are impacted
– management time is lost focusing on customer remediation and rectification
– reputational & financial impacts are felt
– the risk of civil penalties
– naming & shaming
– the risk of banning & disqualification
– the risk of product stop orders

Simply, trust is eroded.

The test of ‘engaged people’

A simple test of whether your people are truly engaged in compliance is to look at your registers: incidents, breaches, complaints, conflicts, training etc. Are they well populated, indicating that people are engaged, taking an active role in compliance, and that compliance is part of what we do around here? Or are they empty, or do they contain only a small number of entries? Do people actively attend compliance training? Do people actively close out issues ahead of time? Do people view compliance as an addition to their role or as part of their role? Do leaders talk about the importance of compliance in the same tone & passion as when they talk about their family and other things they love, care about & want to protect?

Connecting the heart with the […]
Governance is a system that provides a framework for managing organisations. It identifies who can make decisions, who has the authority to act on behalf of the organisation and who is accountable for how an organisation and its people behave and perform.

A simple illustration of good governance is the doctrine of the separation of powers. The doctrine of the separation of powers divides the institutions of government into three branches: legislative, executive and judicial:
– the legislature makes the laws;
– the executive puts the laws into operation; and
– the judiciary interprets the laws.

Governance is about the time you dedicate to working ‘on’ your business, rather than ‘in’ it. This includes all the checks and balances you put in place to ensure your business runs smoothly, meets its objectives, stays out of trouble and protects the things that matter (your business, people, customers, business partners and other key stakeholders).

The elements of Governance for General Insurance

A system of good Governance comprises the following elements:

A framework approach – frameworks provide consistency of approach, ensuring that an operating rhythm is created for risk & compliance. A framework ensures that the risk & compliance measures of a business evolve as the business grows & adapts to internal & external change.

Roles and responsibilities – clarity and accountability of who does what is important. ‘Doing, monitoring and oversight’ require separate & independent people, boards or committees with a specific focus and purpose (documented through position descriptions and charters). Examples of roles & responsibilities in insurance include directors, officers, responsible persons (FAR), responsible managers (AFSL) and fit & proper people (AFSL). Aligned to roles and responsibilities are delegated authority, the 3 lines of defence model & reporting lines.

Delegated authorities – the key to DA is the source of ultimate authority. Typically this will be the Board, SOOA (for foreign insurers) or business owner(s). Authority provides a mechanism to manage decision-making. Authorities (underwriting, claims, financial, strategy etc) are linked to experience, skills and knowledge, therefore ensuring decisions are being made by the appropriate people. The key to delegated authority is that you can’t give (authority) what you don’t have.

3 lines of defence model – conceptually, the 3 lines of defence model continues to be the fundamental cornerstone of good governance across general insurance. The 1st line, typically business operations, manages risk & compliance; the 2nd line provides frameworks, oversight, monitoring and advice; while the 3rd line is Internal Audit. Significantly, APRA Prudential Standards create the role of the Auditor with reporting obligations to the Board and separate & distinct obligations to APRA, ensuring a degree of independence. The key to the 3 lines of defence model is based on the doctrine of the separation of powers: each line is separate to, and has a degree of independence from, the other lines.

Reporting lines – it’s critical that organisation structures and reporting lines enable the unfettered ability to perform work and discharge responsibilities. For example, 2nd line risk […]
The white noise associated with APRA Prudential Standard CPS 230 in connection with material service providers has tended to distract from the benefits of CPS 230. It should be remembered that CPS 230 is an amalgamation of 2 existing prudential standards:
– CPS 231 Outsourcing; and
– CPS 232 Business continuity management.

With effect from July 2025, outsourcing and business continuity management for general insurers will be governed by CPS 230. CPS 230 requirements only apply to General Insurers who are authorised by APRA under section 12 of the Insurance Act. However, CPS 230 and the associated Prudential Practice Guide CPG 230 (PPG CPG 230) provide very useful guidance and information for anyone operating a business in general insurance, including Underwriting Agencies, TPAs, Insurance Brokers and service providers. It should be remembered that holders of an AFS Licence must have adequate risk management systems. Business continuity and outsourcing are a critical part of risk management.

Process mapping material business processes

APRA expects that, in implementing CPS 230, a prudent general insurer would start with the identification of its critical operations. A general insurer would (see paragraph 2, PPG CPG 230):
a) identify its critical operations (note that claims processing is a deemed critical business operation for an insurer; however, any other critical operation must also be identified);
b) set tolerance levels for disruption of these critical operations; and
c) identify the processes and resources needed to deliver these critical operations, including material service providers.

Identification of critical (or material) business operations is a very sensible starting point.

Business continuity steps

As mentioned, business continuity does not only apply to general insurers; it is also relevant for Underwriting Agencies, TPAs, Insurance brokers and anyone providing general insurance products or services. Here are some simple steps to get you started:
– Identify, at an enterprise level, material business activities such as distribution, underwriting, claims, broking, complaints, information management, marketing etc.
– For each of the material business activities, map out the end-to-end, 5-10 key sub-activities that, combined, enable the material business activity to be delivered. As an example, think about the end-to-end process for claims: FNOL, assessment, claim decision etc.
– Consider each of the sub-activities in terms of people, IT, process, outsourcing & information (collectively, resources). This provides a matrix of sub-activities x resources needed to deliver your material business activities. This information alone provides very useful insights into managing your business and business risks.
– Consider the tolerance level for each of the sub-activities in the event of a disruption to any of the identified resources. Tolerances should be set based on (refer PPG 230 paragraph 32):
  – the impact on customers and other stakeholders of a disruption;
  – the financial and reputational impact on your business from a prolonged or material disruption;
  – the financial and reputational impact on the broader financial system, including any flow-on effects or contagion;
  – legal or regulatory requirements; and
  – recovery objectives.
– Factors to consider when setting tolerances include (refer Table 4, PPG CPG 230): (i) the maximum allowable disruption period; (ii) the minimum […]
Compliance never sleeps; however, it may slow down while we take a well-deserved break. How do you kick-start compliance to ensure that compliance is protecting what matters (your business, people, customers, business partners and other key stakeholders)? There are a few simple steps that you should take.

Incidents – incidents are a critical source of information, including as an early-warning system for potential breaches. It’s important that staff, authorised representatives and material service providers are reminded of their obligations to raise and report incidents. This could be as simple as an email with a FAQ, checklist, link to the incident management system etc, and through leader-led team meetings.

Complaints – complaints go hand-in-hand with incidents as a critical source of information and business continual improvement, in addition to meeting obligations under RG 271 and the Code. A quick refresher to staff and representatives, in combination with incidents, is all that is needed to get complaints back to front-of-mind.

Storm season – most teams are returning to full resourcing during the middle of storm season in Australia, therefore transitioning back to a sense of heightened alert is critical. A reminder of event plans at a team morning tea is a great refresher to shift minds from holiday mode to event readiness mode. This includes IDR teams and service providers.

Regulatory change projects – it’s likely that CPS 230, Privacy Act amendments and other regulatory changes were paused over the break. It’s time to reignite the projects and enthuse the teams. A workshop to recap the purpose, the plan & timeframe, the successes achieved to date and what lies ahead is an awesome way to get the wheels of the project team spinning again and moving the project ahead with a sense of urgency.

Monitoring – monitoring of internal teams, authorised representatives, material service providers and any other person providing insurance services or products on your behalf is essential to ensure that obligations are being met and that compliance measures are operating effectively to protect the business & customers. January is a great time to revisit your Monitoring program and pause to reflect on its effectiveness in meeting AFSL, Code and upcoming CPS 230 requirements. Don’t have a Monitoring Program? January is also a great time to develop and implement a tailored monitoring program (contact me for assistance).

ASIC IDR data reporting – it’s time to submit an IDR report to ASIC for the reporting period 1 July to 31 December. A two-month submission window is now open and closes at the end of February. Failure to report IDR data is a reportable situation to ASIC. Contact me for assistance or read more about your IDR data reporting obligations here.

Training – whether you are half-way through your financial year or at the end of your calendar year, it’s nevertheless a good time to review how your staff are progressing with their training. It’s mandatory for AFS Licensees to maintain a training register, so it should be a relatively easy exercise to see who is lagging and needs a gentle reminder about the importance of […]
Financial services relevant for general insurance are:
– providing financial product advice;
– dealing in a financial product; and
– providing a claims handling and settling service.

Section 912A(1) of the Corporations Act (also refer RG 104) sets out the general obligations that an AFS licensee in general insurance must comply with:

(a) A licensee must do all things necessary to ensure that the financial services covered by the licence are provided efficiently, honestly and fairly. This is a broad and overarching obligation. Generally speaking, an insurer’s failure to act with the utmost good faith (under the Insurance Contracts Act) would also be a failure to provide the financial services efficiently, honestly and fairly. Subscribing to and complying with the standards and timeframes of the General Insurance Code of Practice or the Insurance Brokers Code of Practice is typically a strong indicator of a commitment to providing the financial services efficiently, honestly and fairly (refer ASIC INFO 253).

(aa) A licensee must have in place adequate arrangements for the management of conflicts of interest that may arise wholly, or partially, in relation to activities undertaken by the licensee or a representative of the licensee in the provision of financial services as part of the financial services business of the licensee or the representative. The 3 ways to manage conflicts are (refer RG 181):
– disclosing the conflict;
– managing the conflict through controls; and/or
– avoiding the conflict.

(b) A licensee must comply with the conditions on the licence.

(c) A licensee must comply with the financial services laws. These laws include:
– Corporations Act
– ASIC Act
– Insurance Contracts Act
– Insurance Act (plus a number of other Acts applying specifically to general insurers)
– Privacy Act

(ca) A licensee must take reasonable steps to ensure that its representatives comply with the financial services laws. Representatives include employees or directors of the licensee or of a related body corporate of the licensee, authorised representatives and any other person acting on behalf of the licensee. This is often referred to as the ‘monitoring obligation’ and should be incorporated in a Monitoring program that also includes CPS 230 (for general insurers, in the context of material service providers) and, under the GI Code & Brokers Code, responsibilities for the conduct of employees, authorised representatives, distributors and service suppliers.

(d) A licensee must have available adequate resources (including financial (refer RG 166), technological and human resources (refer RG 104)) to provide the financial services covered by the licence and to carry out supervisory arrangements. Note that this requirement does not apply to APRA regulated insurers. General insurers authorised under section 12 of the Insurance Act (including foreign general insurers) must comply with APRA Prudential Standards such as CPS 220, CPS 230 and CPS 234, while Lloyds underwriters (authorised under section 93 of the Insurance Act) must comply with the FCA UK Prudential Standards.

(e) A licensee must maintain the competence to provide those financial services. This obligation requires that the licensee must have sufficient Responsible Managers […]
ASIC’s investigation into Sanlam Private Wealth Pty Ltd (Sanlam) uncovered concerns that the AFS licensee had breached its general obligations, including by failing to adequately supervise its many authorised representatives and corporate authorised representatives. (ASIC Media Release MR 24-290)

ASIC Deputy Chair Sarah Court said, ‘At one point, Sanlam had 42 CARs and 71 authorised representatives operating under its licence. Despite this, it had plainly inadequate resources and processes to ensure its diverse cohort of authorised entities complied with the law and to oversee those who used its licence to offer risky financial products to retail clients.

‘Licensees like Sanlam must have robust compliance processes that are fit-for-purpose to ensure that those who operate under their licence comply with the law and don’t place Australian investors at risk.’

Sanlam admitted to breaching its licensee obligations and provided a court enforceable undertaking to ASIC. Under section 93AA of the ASIC Act, Sanlam has offered, and ASIC has agreed to accept, the undertakings as an alternative to pursuing civil penalty proceedings.

Insurance brokers

Insurance brokers often use a network of authorised representatives as a viable business model. An insurance broker, as an AFS licensee, must monitor its authorised representatives and ensure they comply with financial services laws & are trained & competent. Additionally, under the NIBA Code of Practice, brokers must ensure authorised representatives comply with the Code.

The undertakings to ASIC in the Sanlam case provide some useful insights for insurance brokers:
– Due diligence must be undertaken, and continue on an ongoing basis, to review the ARs’ suitability to operate under the broker’s AFSL;
– A formalised & systematic review process must be implemented to assess whether employees and ARs are complying with financial services laws;
– Informal processes and self-reporting by ARs are not, of themselves, adequate as a supervisory mechanism;
– Brokers must have adequate human resources directed to risk management or overseeing an effective review programme to monitor ARs (my observation: the ‘adequacy of human resources’ should be included as a standing agenda item for the broker’s Risk & Compliance Committee);
– Brokers should develop a human resourcing plan consistent with their current and future needs;
– Brokers should have an adequate, documented succession plan when heavily dependent on 1 or 2 people, and especially when a ‘key person’ condition is included on their licence;
– Brokers must have an adequate number of Responsible Managers for the number and breadth of ARs, and those RMs must devote sufficient time to effectively discharge their duties as a responsible manager;
– Brokers must also adequately document and implement processes to ensure they have the appropriate number of suitably qualified RMs, having regard to the financial services provided, the complexity of those services, and the number and breadth of ARs authorised. There also needs to be an adequate and structured process to assess the ongoing suitability of their RMs (my observation: the ‘suitability of responsible managers’ should be included as a standing agenda item for the broker’s Risk & Compliance Committee);
– Brokers must implement a […]
Compliance in General Insurance can be complex. Over the years I have developed Paul’s ‘Rules of Thumb’ to assist in simplifying compliance for my clients. Naturally, when considering compliance arrangements the complete obligation needs to be considered; however, the following can be adopted by front-end staff as a mantra.

Start with Codes – when designing compliance arrangements, start with the GI Code and/or Insurance Brokers Code. Codes go beyond the law and are customer friendly; the end result is a more dynamic and customer-experience-based compliance approach. It is still necessary to bring in financial services laws; however, starting with Codes assists in developing a customer-centric approach to compliance.

Align disclosures with the customer experience – aligned with Rule of Thumb 1, General Advice Warnings, the FSG, the PDS and many other obligations for Retail Clients have timing requirements (when to provide the notice or warning). Aligning these compliance requirements with the customer sales experience provides a more meaningful & contextual approach for front-end staff.

APRA or ASIC – APRA is primarily focused on policyholder protection (carrying on insurance business in Australia) while ASIC is primarily concerned with consumer protection (carrying on a financial services business in Australia).

Advice – when a sales person, distributor, broker or underwriter talks to a client/customer, assume they are providing advice.

Cash Settlement Fact Sheet (CSFS) – if a PDS has been provided to a client, & that PDS states that claim settlement options include repair or replace, a CSFS will be required to be provided when settlement is to be via a cash settlement.

Incidents – an incident is where something has happened that wasn’t supposed to happen. The intention is for front-end staff to report as many incidents as possible. A trained person can then filter/triage as necessary.

Complaints – a complaint is where a customer is not satisfied with an outcome. The intention is for front-end staff to report as many complaints as possible. A trained person can then filter/triage as necessary.

Commissions – commissions are an inherent conflict of interest, and must be managed accordingly through disclosure, control(s) or avoidance.

Technology neutral – financial services laws are technology-neutral; the obligation applies irrespective of whether it is performed by a human or by technology (including AI).

If in [compliance] doubt, speak to Paul.

The key theme from my ‘Rules of Thumb’ is to create simple, meaningful messages for front-end staff as a quick reminder of important compliance obligations. Engaging with customers and clients can be challenging, with complex problems requiring a solution. Simple tips and messaging enable compliance to be part of the solution.
ASIC Report 798, Beware the gap: Governance arrangements in the face of AI innovation, identified the most common uses of AI for insurance claims as:
– Supporting the claims process: claims triaging, decision engines to support claims staff, document indexation, identifying claims for cost recovery; and
– Automating a component of the claims decisioning process, but humans remain responsible for the overall claims decision.

and emerging uses as:
– The use of generative AI and natural language processing techniques to extract and summarise key information from claims, emails and other key documents.

Financial services laws are technology neutral; therefore, when providing claims handling and settling services using AI, the general obligation to provide those services ‘efficiently, honestly and fairly’ remains.

Providing claims handling and settling efficiently, honestly and fairly

ASIC INFO 253 provides guidance on providing claims handling and settling efficiently, honestly and fairly. To satisfy this obligation, you will generally need to handle and settle insurance claims:
– in a timely way;
– in the least onerous and intrusive way possible;
– fairly and transparently; and
– in a way that supports consumers, particularly ones who are experiencing vulnerability or financial hardship.

Australia’s AI Ethics Principles

The incorporation of the eight Australian AI Ethics Principles in AI policies and procedures is supported by ASIC, and the principles should be used when adopting AI in claims processing. The 8 AI Ethics Principles are:
– Human, societal and environmental wellbeing: AI systems should benefit individuals, society and the environment.
– Human-centred values: AI systems should respect human rights, diversity, and the autonomy of individuals.
– Fairness: AI systems should be inclusive and accessible, and should not involve or result in unfair discrimination against individuals, communities or groups.
– Privacy protection and security: AI systems should respect and uphold privacy rights and data protection, and ensure the security of data.
– Reliability and safety: AI systems should reliably operate in accordance with their intended purpose.
– Transparency and explainability: There should be transparency and responsible disclosure so people can understand when they are being significantly impacted by AI, and can find out when an AI system is engaging with them.
– Contestability: When an AI system significantly impacts a person, community, group or environment, there should be a timely process to allow people to challenge the use or outcomes of the AI system.
– Accountability: People responsible for the different phases of the AI system lifecycle should be identifiable and accountable for the outcomes of the AI systems, and human oversight of AI systems should be enabled.

Licensees must consider their existing regulatory obligations

What licensees need to do to comply with their existing regulatory obligations when using AI depends on the nature, scale and complexity of their business. It also depends on the strength of their existing risk management and governance practices. This means there is no one-size-fits-all approach for the responsible use of AI. (ASIC REP 798)

ASIC provides the following examples in REP 798: Licensees must do all things necessary to ensure that financial services or credit services are provided in a way that meets all of […]
Much has been said and written about CPS 230; however, the time for talking and planning is rapidly coming to an end (& has probably passed for the large insurers). It’s time for implementation!

Debunking the CPS 230 myths

There continues to be some misinformation circulating about CPS 230, what it is and what it isn’t. Let’s deal with these first. What are the facts?

– CPS 230 (i) only applies as an obligation for insurers & (ii) only for those authorised by APRA under section 12 of the Insurance Act 1973 (Act). This means CPS 230 applies to general insurers in Australia, including foreign general insurers, and does not apply to Lloyds underwriters. Lloyds underwriters are authorised under section 93 of the Act and do not come within the definition of General Insurers (s11 of the Act).
– Lloyds underwriters (and Coverholders) do not get a ‘free ride’. FCA UK Operational resilience rules come into effect in the UK in March 2025. Also refer to Lloyds Principle 12 Operational Resilience. The FCA rules are similar to CPS 230.
– CPS 230 compliance is not a complex technical issue per se. Much should already exist. It’s a resourcing issue, especially the work around critical operations, process mapping, controls testing, material service providers and updating existing or creating new risk artefacts. A risk person within the CRO team of an APRA regulated insurer would be very familiar with the key CPS 230 requirements: operational risk, tolerance levels, critical operations (& disruption thereof), outsourcing, business continuity, risk profile, control testing and scenarios.
– Service providers do not have any obligations under CPS 230. CPS 230 is the insurer’s responsibility. The obligations for service providers manifest when they perform critical operations for the insurer (for general insurance this is claim processing) or expose the insurer to material operational risk (at a minimum, for general insurance unless justified otherwise: underwriting, claims management, insurance brokerage and reinsurance). The Service Provider obligations would be reflected in the Binder Agreement and/or Service Provider Agreement as obligations imposed on the Service Provider by the insurer.
– Non-compliance with CPS 230 does have significant consequences. Section 38AA of the Act requires insurers to notify APRA of certain matters. These include immediate notification of a breach of a Prudential Standard that relates to financial obligations the general insurer has to its policyholders or to the general insurer’s minimum capital requirements, and, for other breaches of a Prudential Standard, notification within 10 Business Days where the breach is significant within the meaning of s 38AA(5).

What should insurers be doing?

As I mentioned earlier, compliance with CPS 230 requires some ‘risk-thinking’ [within risk appetite]. However, CPS 230 is more of a resource and project management challenge. There are a number of risk ‘task-based’ activities that insurers should be doing now:
– identify critical operations;
– set tolerance levels;
– process mapping: identify the processes and resources needed to deliver these critical operations, including material service providers;
– updating risk artefacts: RMF, Operational risk profiles, BCP, controls and control testing including scenario […]