The Spotlight is on Compliance Culture: What does it mean and the cost if you get it wrong

In this edition:

  • ACE Insurance Ltd’s Enforceable Undertaking;
  • ANZ’s One Path failures;
  • Conflicts Management in Funds Management – ASIC Report; and
  • ASIC’s focus on culture.

ASIC’s Culture Club

For the past year, ASIC has been talking about compliance culture, or the lack of it, in our financial services industry. Recently, we have started to see the results of its surveillance in this area, including investigations of the CBA, Macquarie Bank, ANZ and ACE Insurance (now Chubb), to name a few.

Ahead of ASIC’s annual forum titled “culture shock” which begins today, ASIC’s Chairman Greg Medcraft has said in a recent interview that ASIC is now stepping up its focus on culture by including it in its risk-based surveillance reviews. Mr Medcraft said “what we are now doing is bringing the elements of culture together and considering whether they indicate a cultural problem. Where we think there may be a problem, we will ask questions and do a ‘deeper dive’.”

This blog will explore some of the recent regulatory activity involving culture and ask: what is the cost of poor culture?

Poor Compliance Culture central theme of recent EU

ASIC recently accepted an Enforceable Undertaking (EU) from ACE Insurance Limited (ACE), following an investigation which found evidence that ACE had ‘inadequate or insufficiently documented compliance and risk management policies and systems in place’. The breaches in question related to the Australian branch of the Combined Insurance Company of America (Combined), which operates as a division of ACE.

Misconduct of Authorised Representatives

Combined is an insurance business which sells a number of products including sickness and household accident insurance policies to individual clients.

The misconduct which led to the EU occurred from 1 January 2012 to 30 June 2014, and involved a limited number of the representatives of Combined who were authorised to provide financial advice and/or sell policies to clients. During the relevant period, some Authorised Representatives engaged in misconduct which included:

  • overselling of policies: selling policies which duplicated the consumer’s existing coverage and exceeded Combined’s underwriting limits;
  • twisting/churning of policies: encouraging consumers to cancel existing policies and take out new policies with no benefit for, or in some cases detriment to, the consumer; and
  • selling of unsuitable policies: advising consumers to take up policies when they were ineligible for the coverage they believed they were obtaining.

In addition to the misconduct, ASIC also identified several compliance incidents, which indicated more generally that ACE had failed in some respects to foster and maintain a culture of compliance. This was generally indicated by ACE’s failure to:

  • prepare adequate compliance policies and procedures;
  • take action to address compliance risks once identified;
  • create adequate systems to investigate and supervise Authorised Representatives to ensure compliance with financial services law; and
  • create adequate procedures to ensure consumers were given appropriate financial advice.

The cost of poor culture

Although ASIC noted that several changes have been made by ACE to improve its standard of governance, ACE is required to undertake the following actions as part of the EU:

  • cease issuing Combined products to new consumers;
  • place limits on the advice Authorised Representatives may give in relation to Combined products;
  • appoint an Independent Expert to conduct a Licensee Review (compliance review);
  • implement the recommendations under the supervision of the Independent Expert;
  • remediate consumers who have suffered detriment due to the misconduct of Authorised Representatives; and
  • make a voluntary contribution of $1 million to organisations that promote financial literacy.

The cost of poor culture to ACE has been significant. The Combined Insurance division does not write new business; ACE will be subject to an independent review by a compliance expert and must implement the expert’s recommendations; and it will remediate consumers and make a $1 million contribution to charity – not to mention the reputational repercussions of being pursued by ASIC.

Need for a culture of compliance

ASIC summed up the breaches as a failure to foster and consistently maintain a culture of compliance. As discussed above, a company’s poor culture does not in itself constitute a breach of law, but it creates an environment in which misconduct can occur and go unaddressed.

One Path: ANZ’s walk in the wrong direction

One Path is ANZ’s financial services business which provides superannuation, funds management, life and general insurance products. It recently agreed with ASIC to an independent review of its compliance frameworks after systemic breaches were identified including:

  • a failure to provide disclosure documents for some insurance products;
  • processing errors (such as superannuation contributions placed into the wrong account); and
  • inadequate systems or processes.

It also failed to follow up 21,000 unbanked cheques, which were issued for insurance claims, superannuation benefits and refunds of premiums – all outcomes which relate to an underlying issue with its compliance culture.

The One Path review is part of a wider surveillance activity being undertaken by ASIC as it looks at culture (or lack thereof), using its powers under the FOFA reforms relating to financial services providers.

So, what’s been the cost of poor compliance culture? To date, ANZ One Path has paid:

  • $4.5 million to customers in compensation and refunds;
  • $49 million worth of rectifications and other remediation;
  • $2.9 million has been returned to customers, but a further $11.6 million remains in unclaimed insurance claims; and
  • $400,000 in compensation for lost earnings and incorrect fees to superannuation members.

Therefore, the cost of a poor compliance culture for One Path is just shy of $60 million, not including the legal and investigation costs incurred to date, the cost of engaging the Independent Reviewer and implementing its recommendations, reputational cost and customer retention cost.

The takeaway message for other financial services providers: poor compliance culture is expensive.

Conflicts Management and Funds Management – ASIC is looking at you

One of the primary conditions of an AFS Licensee is to have in place adequate arrangements for the management of conflicts that arise in relation to its activities in the provision of financial services. Using an AFS Licensee’s general obligations as a platform, ASIC is continuing its exploration of the impact of culture through the examination of conflicts management in the Fund Management Industry.

Today it released its report, which examined conflicts management within vertically integrated businesses including those entities which operate at least two of: funds management, responsible entity, superannuation trustee, platform structure (IDPS and IDPS-like structure), investment administration and custody business.

One of ASIC’s specific concerns was how such businesses identify and manage conflicts of interest and the associated risks (conflicts management), as well as what the organisation’s avoidance or management of those conflicts implied about the organisation’s culture.

In its report, it observed that a conflicts policy is one of many policies which have been prepared to satisfy a regulatory requirement rather than seeking to properly identify and address conflicts and embed requirements to address conflicts into business practices.

It further observed that on some occasions conflicts of interest may not have been adequately managed, leading to concerns that an appropriate and, in some cases, necessary outcome may be to restructure business units, roles and remuneration structures to prevent the conflict of interest arising.

ASIC Chairman, Greg Medcraft said, ‘As our work on culture has indicated, the ‘tone’, being the attitude and commitment to conflicts management, must come from the ‘top’ and needs to be appropriately cascaded down the organisation through business practices, communication and accountability, as well as appropriate governance and remuneration’.

‘ASIC encourages all Australian financial services licence holders to carefully review the findings of this report, whatever their market sector, to assess their own approach to conflicts management and broader cultural issues’, Mr Medcraft said.

ASIC Focus on Culture

Since the release of ASIC’s 2014-2015 strategic outlook, corporate culture and its role in maintaining the integrity of the Australian Financial Services Industry has been a hot topic – but one that is not widely understood, practically speaking.

In his opening statement to the Senate Committee, ASIC’s chairman Greg Medcraft said that in addition to administrative action (revoking or putting conditions on an AFS licence – as recently experienced by Macquarie Bank) ASIC takes the position that ‘when an officer breaches a law ASIC administers – and culture is responsible – then the officers and the firm should be responsible’.

ASIC has identified poor culture as a key indicator of prominent regulatory breaches that need to be investigated.

What is corporate culture and why does it matter?

Issues with corporate culture exist where there is a disconnect between an organisation’s goal to provide financial services at a profit and acting in the best interest of the consumer. Following the GFC, financial services regulators globally have increasingly focused on the culture of an organisation in addition to its conduct.

From a regulator’s perspective, a positive corporate culture enables an organisation to foster business activities that are fair and honest in the treatment of customers. A negative corporate culture is one which promotes the interests of business above the interest of the customer in its activities and brings the organisation and the industry into disrepute.

What does good corporate culture look like?

In May 2015 ASIC introduced the ‘3 C’s framework on culture risk for organisations’ (see our previous blog Penalties for poor corporate culture – will ASIC ‘nudge’ your organisation?).

The 3 C’s stand for: communication, challenge, and complacency. These elements are important influencers of an organisation’s culture.

Communication of conduct expectations needs to be clear, concise and effective. It must be proactive and regularly and consistently repeated across the organisation.

Organisations should Challenge existing practices to determine whether the current conduct is appropriate and foster an environment where employees are encouraged to (and rewarded for) raising concerns.

Organisations must not be Complacent – conduct should be reviewed continually, enforced and validated.

As such, ASIC will look at an organisation’s internal operating systems to ascertain if poor organisational culture is the driving force behind poor conduct.

ASIC’s enforcement toolkit

At present, ASIC has no powers to specifically punish organisations for poor culture. Despite this, it has flexibility within current criminal and civil sanctions to warrant attention.

In severe matters, ASIC may refer the conduct of the organisation to the Commonwealth DPP for prosecution.

The Commonwealth Criminal Code (the Code) provides that a company may be found to have committed an offence under certain provisions of the Code if it is proved that a corporate culture existed within the company that ‘directed, encouraged, tolerated or led to non-compliance with the relevant provision’ or which did not require compliance with the provision.

Under the Code, ‘Corporate Culture’ is defined as ‘attitude, policy, rule, or course of conduct or practice existing within the body corporate generally or in the part of the body corporate in which the relevant activities take place’.

The general obligations of AFS licensees outlined in s912A of the Corporations Act provide a legislative framework which can be used to frame an investigation into an organisation’s culture in connection with its conduct.

Despite this, ASIC is calling for increased powers to target poor culture.

ASIC has sought to have offences comparable to those in the Code incorporated into the Corporations Act. Last year ASIC made submissions to the Financial Services Inquiry that it be granted wider regulatory powers, including the ability to punish both individuals and companies for poor organisational culture.

In its response, the Federal Government agreed to a review of the penalties that ASIC considers.

Despite its lack of direct powers to penalise poor culture, ASIC has recently demonstrated its investigation and enforcement of poor culture in the ACE Insurance Enforceable Undertaking, where breaches of misleading and deceptive conduct and a failure to act in the best interests of consumers were framed against its poor risk and compliance culture.

The Net Result

Creating a positive compliance culture goes beyond the creation of policies and procedures; it requires consistency in the enforcement and promotion of these policies and procedures as the only acceptable conduct within the workplace. A company should pay careful attention to the attitudes and reactions of employees towards compliance issues, to ensure that any shortcomings are identified and addressed according to company policy before they develop into a systemic problem throughout the organisation. Get it wrong and it’s likely you’ll be front and centre of ASIC surveillance activity – and in the press.

One thing is for sure, we are going to see a lot more regulatory action from ASIC with a focus on culture over the coming months and no doubt, year.

CompliSpace will be running webinars on this topic in the next couple of months so watch this space. In the meantime, please get in touch if you have any questions about how you can improve the compliance culture of your organisation.


How CompliSpace can help
Australian Financial Services Licence holders are inundated with a raft of corporate governance obligations and an ever-growing compliance burden that can distract focus away from core business activities.

CompliSpace provides industry-specific policies, programs and procedures to ease the burden of compliance.

Our compliance and corporate governance solutions include Whistleblower, AFSL, AML/CTF and other industry-specific compliance programs.

Contact Details
P: 1300 132 090

This blog is a guide to keep readers updated with the latest information. It is not intended as legal advice or as advice that should be relied on by readers. The information contained in this blog may have been updated since its posting, or it may not apply in all circumstances. If you require specific or legal advice, please contact us on 1300 132 090 and we will be happy to assist.
