ASIC, CBA & Swiss Cheese

Deborah Latimer, 10 July 2014

http://sectorseven.com.au/view/blog/asic,-cba-&-swiss-cheese

In the world of risk management the well-known Swiss cheese model of accident causation is often used to illustrate the pathway (through successive preventative barriers) from a hazard to an accident/loss via holes created both by latent conditions and by active failures.

Following the publication on 26 June of the Final Report of the Senate Economics References Committee into the performance of ASIC, which was in large part based on a case study of misconduct within Commonwealth Financial Planning Limited (CFPL) between 2006 and 2010, the Swiss cheese model can be used laterally to provide a perspective on the overall regulatory outcomes achieved to date and the extent to which affected clients of CFPL have benefited from them.

So –let’s now construct the Swiss cheese. The cheese is loosely made up of a licensing regime involving ASIC as regulator and CFPL as Licensee as well as various statutory obligations and licence conditions to be enforced by ASIC and to be met by the Licensee. Relevant Swiss cheese barriers in place included (at least);

• Whistle blowing
• The mandated self-reporting obligation of the Licensee requiring it to notify ASIC of breaches or potential or likely breaches ( and reporting made by CFPL from 2008)
• ASIC investigation activities into reported breaches
• ASIC surveillance activities conducted from 2008
• Acceptance by ASIC of an Enforceable Undertaking in 2011
• The Enforceable Undertaking terms
• Additional special licence conditions imposed by ASIC in 2014

We will take as our ‘regulatory outcomes test’ the Senate Inquiry finding that it is essential that all clients who have suffered as a consequence of the serious misconduct that occurred receive just compensation.

The Committee considered that there remains potentially many more affected clients in 2014 than have been fairly compensated and in response to the Report the CBA announced an ‘open review’ for all advised clients of CFPL over the period. It seems fair to say therefore that this outcome remains to be achieved.

Where were the holes then? An obvious ‘latent condition’ hole is the licensing regime itself which leaves the establishment and maintenance of compliance measures largely up to the Licensee.

The regime itself created conditions between at least 2006 and 2008 (when CFPL self-reported a breach) where no active monitoring of the compliance measures of CFPL took place.

It is the ‘active failure’ holes, however, that are most interesting. Active failure holes, in terms of the achievement of just compensation for affected CFPL clients, include:

• Responses on whistle blowing
• Ongoing unsatisfactory Licensee self-reporting of breaches
• ASIC investigation and surveillance activities that did not ensure an effective client compensation process was established or implemented
• An Enforceable Undertaking (EU) the terms of which did not sufficiently address the question of client compensation
• Special licence conditions that will need to be enforced by ASIC oversighting CFPL’s compliance with them

The most interesting of these active failure holes is the EU accepted by ASIC from CFPL in 2011following 3 to 4 years of responsive regulatory investigation and surveillance activity.

The EU terms required CFPL to self-assess the adequacy of its own Risk Management Framework and develop an Implementation Plan to address any deficiencies it found as well as a set of 6 ASIC concerns.

The ASIC concerns were whether:

a) There have been adequate processes and controls in place to deal with ongoing risks of noncompliance.

b) Representative misconduct has been dealt with in a consistent manner.

c) Recurring themes have been appropriately identified.

d) Data analysis processes and reporting capabilities allow for early detection of advice process irregularities.

e) There have been adequate controls over client records.

f) There has been consistent application of CFP's complaints handling and internal dispute resolution processes

None of the ASIC concerns (and likely none of CFPL’s own risk assessment findings) was actually directed at ensuring affected CFPL clients would be justly compensated. Under the terms of the EU it was left up to CFPL to “consider the circumstances and appropriately remediate clients found [by CFPL] to have been adversely impacted by the conduct of a representative”.

Because of this it was unlikely that monthly implementation progress meetings with ASIC or periodic reporting to ASIC by the appointed independent expert would serve to ensure the actual achievement of an outcome where all clients who have suffered as a consequence of the serious misconduct that occurred receive just compensation.

The Senate Committee recommendations included a series of recommendations about Enforceable Undertakings.

By recommendations 24 to 28, the Committee effectively calls for stronger EU terms, particularly regarding the remedial action to be taken to ensure compliance can be enforced in court, more robust independent supervision and more vigilant ASIC monitoring of the implementation of terms, and more transparency around monitoring of ongoing compliance with terms.

Publication of its activities in monitoring compliance with EU’s in ASIC’s annual report as well as how the activities have led to improved compliance, and improved governance for independent experts are also called for.

The Committee observed that when ASIC accepts an enforceable undertaking, it needs to have a mechanism in place that will provide assurances to the public that the desired changes have indeed taken place.

Looking through the ASIC/CBA Swiss cheese from the lens of the Senate Committee, it is not surprising that a Royal Commission (or some lesser independent review) has now been recommended.

Deborah Latimer, 10 July 2014