Insurance brokers who are Authorised Representatives. Understanding and managing the risks

Many insurance brokers operate as an Authorised Representative (AR) under the AFS licence of another insurance broker.

The risks for the Licensee, from its AR network, are clear and generally well understood:

The Licensee has obligations in respect of its ARs, including:

  • take all reasonable steps to ensure that the AR complies with the financial services laws (s912A(1)(ca) Corporations Act);
  • ensure that its ARs are adequately trained and are competent to provide the financial services (s912A(1)(f)); and
  • NIBA members must ensure that their ARs comply with the Insurance Brokers Code of Practice (Part 8.1).

Generally, the Licensee will:

  • conduct extensive due diligence before appointing an AR under s916A Corporations Act including checking with any previous licensee that the AR was authorised by;
  • provide a risk and compliance framework;
  • provide training;
  • provide systems to facilitate compliance;
  • sign off on marketing materials, disclosure documents and other such collateral;
  • have adequate compliance resources to carry out supervision of the ARs (s912A(1)(d) Corps Act);
  • provide specialist skill sets such as cybersecurity (refer Fortnum case below);
  • monitor and supervise;
  • provide advice and ongoing support; and
  • manage incidents, reportable situations and complaints.

Contagion risks

A significant risk that must be considered and managed is contagion risk. This is the risk that inadequate compliance arrangements for one AR will quickly spread to other ARs, resulting in regulatory and reputational impacts for the Licensee and all ARs in the network.

This was the case in proceedings recently filed in the NSW Supreme Court by ASIC against Fortnum Private Wealth Limited alleging it failed to properly manage and mitigate cybersecurity risks. ASIC alleges Fortnum did not meet its obligations as an AFS licensee because it failed to have adequate policies, frameworks, systems and controls in place to deal with cybersecurity risks. As a result, ASIC claims Fortnum exposed the company, its authorised representatives (ARs) and clients of its ARs to an unacceptable level of risk of a cyber-attack or a cybersecurity incident (refer ASIC Media Release 25-143MR).

Obligations of an Authorised Representative

An AR must assist the Licensee in meeting the Licensee’s financial service obligations (and under the Code). However, the AR has independent and separate obligations, as an AR, under financial services laws, including:

  • must not hold out that they have an AFS Licence (s911C Corporations Act);
  • must comply with licence conditions imposed by regulations (s914(8) Corps Act and Reg 7.6.04), specifically:

– can only sub-authorise individuals with the Licensee’s consent (note that an AR is not permitted to sub-authorise a company, it can only sub-authorise individuals);

– refer to its AR number in all business documents including registered business office and website;

– provide a copy of its authorisation on request, to any person, free of charge and as soon as practicable after receiving the request, but no later than 10 business days;

  • provide retail clients with a FSG (s941B);
  • obtain the retail client’s informed consent to any commission payment where personal advice will, or will likely, be provided before insurance is issued or sold (s963BB Corps Act and see INFO 292);
  • when providing general financial advice, provide a general advice warning (s949A);
  • when engaging in retail product distribution conduct must (s994D-F):

– not distribute insurance products unless a target market determination (TMD) has been made;

– take reasonable steps to ensure distribution is consistent with the TMD; and

– notify the Licensee immediately of a significant dealing not consistent with the TMD.

  • must not make false statements or engage in dishonest, misleading or deceptive conduct (s1014E-H Corporations Act and Part 2 Division 2 ASIC Act).

In addition, the AR must ensure it meets its obligations to the Licensee under the Insurance Brokers Code of Practice.

Managing the risks of being an AR

To adequately manage its own risk and protect its business, people, clients, licensee and the AR network, an AR should do the following:

  • have an AR written agreement including the scope of its authorisation;
  • conduct its own due diligence of the AFS Licensee prior to being authorised to ensure the licensee has adequate supervision procedures across the AR network;
  • implement sound risk & compliance measures covering all operational, strategic, and financial risk including cybersecurity risk;
  • develop its own tailored risk and compliance manual that dovetails with the Licensee’s requirements;
  • the manual should record all obligations including the AR’s independent obligations and assign key controls to manage those obligations;
  • test the key controls through a control testing program;
  • train and educate its staff including a due diligence process for hiring;
  • the training must include identifying, raising and reporting incidents and complaints;
  • implement a comprehensive system to complete and sign off staff monthly attestations before providing the attestation to the licensee. The principal of the business must take personal accountability for this;
  • adopt performance and consequence staff management;
  • incorporate governance procedures to manage risk & compliance;
  • incorporate governance procedures to develop, sign-off and implement disclosure documents and marketing material including its website;
  • conduct a risk-based approach to client file reviews; and
  • implement simple one-pagers for staff to follow covering: the disclosure documents provided to retail clients (including under the Code) and the timing of providing those documents; determining a retail v wholesale client; providing personal v general advice.

Assistance for ARs

The Licensee will provide assistance and support to its ARs; however, there is commercial sense in obtaining your own independent advice/view on the adequacy of your compliance arrangements.

It’s your business, not the licensee’s business, although they have skin in the game.

An independent review or support will enable you to adequately manage the risks to your business and protect your business, people, clients, licensee and other ARs in the network.

Contact me to explore the assistance that I can provide to Authorised Representatives.

Disclaimer: Reproduction of statements made in this article by media outlets, whether in full or in part, is strictly prohibited without the written express consent of the author. The views, opinions, and positions expressed within this article are those solely of the author and Compliance Advocacy Solutions Pty Ltd and not the views of other individuals, companies or organisations they may be affiliated with. The author and Compliance Advocacy Solutions Pty Ltd make no representations as to accuracy, completeness, currency, suitability, or validity of any information in this article and will not be liable for any errors or omissions or any loss or damage arising from its use or reliance. This article is intended for educational and informational purposes only and should not be relied upon as professional legal advice.