The importance of an Obligations register to manage general insurance compliance requirements

AFS Licensees must have processes, procedures or arrangements for ensuring that, as far as reasonably practicable, they comply with their obligations as a licensee (refer ASIC RG 104.23), and those measures should be documented (RG 104.26).

APRA-regulated insurers must have mechanisms in place for monitoring and ensuring ongoing compliance with all prudential requirements (CPS 220 paragraph 35(f)).

Insurers under the GI Code of Practice must have appropriate systems and processes in place to enable the Code Governance Committee to monitor compliance with the Code (paragraph 180).

Insurance brokers and their authorised representatives under the Brokers Code of Practice must have in place policies and procedures for their organisation and embed a culture that reflects the Code in the way they provide services and deal with others (paragraph 8.2(a)(iii)).

If you don’t use an Obligations register to record your obligations, it’s likely:

  • you have a reactive approach to compliance;
  • compliance is seen as a series of random tasks and activities;
  • providing evidence of compliance becomes a lengthy ‘search for a document’ process;
  • compliance is not embedded within your business;
  • there is a lack of assurance that you are complying with your obligations; and
  • there is a heightened risk of non-compliance with unresolved incidents and breaches leading to increased operational risk, regulatory risk and regulatory scrutiny.

The purpose of an Obligations register

Irrespective of the source of an obligation, all obligations can be adequately managed by being recorded in an Obligations register.

I adopt 2 approaches when designing an Obligations register for my clients (AFS Licensees such as brokers, underwriting agencies & TPAs; APRA regulated insurers and insurance service providers):

  1. I design the Obligations register within the Risk & Compliance Manual. This ensures that the obligation has context with a narrative explaining the source of the obligation and how it may operate with other obligations; or
  2. a stand-alone register, typically for larger organisations.

Irrespective of the approach, the purpose of an Obligations Register is to identify obligations (irrespective of source) and capture those in a single register. Sources of obligations can arise under:

  • Legislation such as Corporations Act, ASIC Act, Privacy Act, Autonomous Sanctions Act, Competition and Consumer Act;
  • APRA Prudential Standards such as CPS 230 (Operational risk) and CPS 234 (Information Security);
  • ASIC Regulatory Guides such as RG 271 (Dispute resolution) and RG 166 (Licensing financial requirements);
  • Industry Codes – GI Code and Insurance Brokers Code;
  • Binder Agreements; or
  • Material Service Provider agreements.

The [key] control environment

Once Obligations have been captured in the register, Key controls are then assigned to each obligation, designed to ensure that each obligation is adequately managed.

From this exercise, it is apparent that a Key control may adequately manage multiple obligations. This drives efficiency in business process and better customer experiences.

Assigning key controls to each obligation enables a shift from a focus on obligations to a focus on the control environment.

An annual control testing program ensures that key controls are tested from 2 perspectives:

  • that they have been designed effectively (fit-for-purpose); and
  • that they are operating effectively.

Action plans are allocated to close out ineffective controls or partially ineffective controls with reporting to management or the board.

Incident, complaint and monitoring data is used to validate the outcomes of control testing.

An operating rhythm for managing compliance

What will be observed is that an Obligations register is the starting point to adopting an operating rhythm enabling the adequate management of compliance.

An operating rhythm adopts a systematic approach and drives business continuous improvement and better customer experiences.

An operating rhythm provides evidence of compliance and how compliance protects the business, its people, its customers and clients and its business partners.

Need assistance?

If you require assistance in designing an Obligations register that is tailored to your unique business or positioning compliance as an operating rhythm, contact Paul Muir.

I explore designing and implementing a Compliance operating rhythm in my upcoming General Insurance Compliance Workshop in Sydney on Thursday 23rd October. Click on the link to register.

Disclaimer: Reproduction of statements made in this article by media outlets, whether in full or in part, is strictly prohibited without the written express consent of the author. The views, opinions, and positions expressed within this article are those solely of the author and Compliance Advocacy Solutions Pty Ltd and not the views of other individuals, companies or organisations they may be affiliated with. The author and Compliance Advocacy Solutions Pty Ltd make no representations as to accuracy, completeness, currency, suitability, or validity of any information in this article and will not be liable for any errors or omissions or any loss or damage arising from its use or reliance. This article is intended for educational and informational purposes only and should not be relied upon as professional legal advice.