Compliance is a business management discipline, just like Marketing, Accounting, Human Resources or any other. Like these other disciplines, Compliance has its own, well-documented standards and "best practices". We at QED are Compliance Professionals and it's our job to understand these standards and try to relay them to our clients. We understand that brokers that are new to QED - just like our many clients over the years when they first joined us - may not understand some of the lines of questioning that get raised when interacting with our services.
Unfortunately, the legislators and their mouthpiece, the Regulators (ASIC in this case) assume that everyone knows what they are talking about when they write legislation and regulatory guides. Many times, in early 2010 during the ASIC Credit Licensing Roadshows, when questions from the audience got too hard, ASIC was heard to say: "Just look it up in the Regulatory Guides, it's all there."
The problem is that Regulatory Guides are NOT written in plain English, so it's left to those like QED to have to explain them to everyone else.
Section 47(1)(k) of the Credit Act requires that a Licensee "have adequate arrangements and systems to ensure compliance with its obligations..."
ASIC reflects this in RG205 at 205.52 where it references AS3806, which has since been replaced by AS/ISO19600. It is in this standard that we find what a "proper" compliance management programme is supposed to look like. To very much simplify the compliance standard, this is what it says:
- "Compliance" concerns your obligations - all of them, not just some of them. Obligations arise from all laws, not just the Credit Act; from your contractual arrangements with other parties, e.g. aggregators and lenders; internal policies that you set for yourself; and from your risk management programme - let's park the last one, that's a whole other conversation. The Licensee needs to identify all of these, but this is why QED has considered them in the assessment of Licensees' own compliance programmes.
- Once identified, all obligations need a control or multiple controls that ensure that the obligation is being met.
- Periodically - not too often and not too far apart - the Licensee needs to test the controls to see whether or not they have been functioning and therefore ensuring the obligations have been met.
- The above testing needs to be carefully documented. What was the test that was performed on the control? What was the observation/outcome of the test?
- Where the testing observed failures of controls or "breaches", there must be documented corrective actions that will take place by documented dates to ensure that the controls are mended and that obligations are met again.
- Finally, the whole compliance programme needs to be reviewed at least annually to ensure that it is still up-to-date and adequately captures all the Licensee's obligations.
Take an example. Section 47(1)(l) of the Act says that the Licensee must have adequate financial resources in place to engage in its credit activities. ASIC thinks this requirement is so important that they have written an entire Regulatory Guide dedicated to the topic - RG207. Although it's not stated bluntly - remember, RGs are not in English - at RG207.36 it says that a Licensee must document cash flow forecasting. So, in following the above sequence on how compliance management works:
- The obligation is to perform cash flow forecasting.
- The control is a spreadsheet or similar that documents the forecast of cash flow over the coming period.
- The test is to see whether or not the forecasting document was produced.
- The documentation of the test should describe that the forecasting document was sought for review and whether or not the document had in fact been completed.
- If the forecasting document was either absent or insufficiently completed, this should be noted in the test results and a corrective action should be tasked to someone to ensure that, in future, cash flow forecasting is produced.
Although they are already covered by ISO19600 (all obligations including legal, contractual, internal policy), ISO31000 (Risk Management) and ISO10002 (Complaints) are specifically mentioned by ASIC in RG 205.74 and RG 165.32 respectively.
So "compliance" is not simply about responsible lending and the broking process. As a Licensee, a broker has taken on everything that comes with s47 of the Credit Act. It may not have been easily seen up front, but this is what it is.