
    RISK MANAGEMENT FOR AFSL HOLDERS

    This discussion is brief and distils a massive topic down to the most important parts of risk management from the point of view of an entity that has been granted an Australian Financial Services Licence (AFSL).

    RISKS TO YOUR LICENCE

    REGULATORY RISKS

    All AFSL holders are subject to the requirements of the Corporations Act 2001 (Cth) and the financial services law and, depending on what they do, other laws.

    The Australian Securities and Investments Commission (ASIC) is responsible for "policing" these laws.

    AUSTRAC is responsible for the regulation of money movements and the reporting of them. Most AFSL holders will only have to report annually. Custodians, banks, sharebrokers and Responsible Entities will have to report more frequently.

    The Australian Prudential Regulation Authority (APRA) supervises banks, credit unions, building societies, friendly societies, large superannuation funds and insurance companies, including health insurers.

     

    WHAT YOU HAVE TO DO TO SATISFY THE REQUIREMENTS OF THESE REGULATORS

    The first thing to do is to stop worrying about whether your business is doing all it can to make the regulators happy.

    Your firm needs only to satisfy the requirements made of it under the law. Regulatory guidelines are just that, GUIDELINES. The same is true of practice notes and similar documents. It is not a requirement of ASIC or any other regulator that you create policies and procedures that satisfy guidelines, practice notes and so on, unless compliance with a particular guideline or practice note is required under the law.

    What matters is that the entity's directors or trustees are satisfied that its policies and procedures comply with the law.

    Further, you do not have to comply with the Australian Standard on risk management (i.e. AS ISO 31000:2018) to satisfy the regulators.

     

    CORPORATIONS ACT (2001) and RISK MANAGEMENT

    Section 912A sets out the general obligations of a financial services licensee.

    Paragraph 912A(1)(h) states that licensees that are not bodies regulated by APRA (see also subsection (5)) must have "ADEQUATE" risk management systems. "Adequate" risk management systems are not defined by the Corporations Act 2001 (the emphasis is mine).

    The entity's directors or trustees need to make sure that, in their opinion, the risk management systems they have are adequate for the scale of their operations. That is, fit for purpose. Put another way, a firm managing a single asset class portfolio for institutional investors will need fewer risk management policies and procedures than a multi-asset manager investing across many countries.

    Obviously, a business that does nothing to protect itself and its clients (for example, by not enforcing sound password and authentication controls, or by not backing up records and systems off-site or to the cloud) does not have adequate risk management systems in place.

    But a business that thinks adopting the whole of an ASIC guideline or practice note will save it from ASIC enforcement action is fooling itself. As we have written elsewhere on this website, ASIC is not your friend. The Hayne Royal Commission was critical of ASIC's conduct over the years on many levels. Commissioner Hayne noted that ASIC had become too close to some financial services businesses and that this had affected its judgement with regard to enforcement of the law.

    If ASIC thinks your business and its risk management operations are inadequate, it will act against your business regardless of your adherence to guidelines and practice notes. That is its job.

    You are also required to report to ASIC any significant breaches of your risk management policies and systems.

     

    WHAT ABOUT OTHER REGULATORS?

    It is the same again. Adherence to the law is the directors' responsibility. Applying recommended guidelines and practice notes issued by APRA or AUSTRAC will not save you from action by one of them, or by ASIC.

    Your defence needs to clearly demonstrate that your business has adequate policies and procedures that meet the needs of YOUR business, not what the regulator thinks is adequate for your business.

     

    WHAT ABOUT CLIENT REQUIREMENTS?

    You can have an AFSL, but without clients you have no business.

    Without an AFSL you cannot have clients.

    High net worth and institutional clients will have detailed contractual requirements. The requirements of other clients and of service providers are likely to be less demanding.

    The standard institutional investment management agreement (IMA) will require you to report any investigation by a regulator and its outcome. (The same question is likely to be asked in the due diligence process undertaken before a mandate is awarded.)

    A failure of a component of a firm's internal risk management system, policies and procedures is very likely to be reportable to the client.

    If the client considers the failure to be material, it might launch its own investigation. If the failure results in a loss to the client, it might demand compensation, which could be significant. Loss of the investment mandate is almost certain.

    Superannuation fund clients are required to collect your audited GS 007 controls report. GS 007 is a guidance statement issued by the Australian Auditing and Assurance Standards Board (AUASB) for service organisations offering investment management services. The controls report identifies the risks to the service and the controls you have in place to deal with them, and GS 007 sets out a minimum set of control objectives expected of such service organisations.

    If your business is also regulated by APRA, there are a number of prudential standards and practice guides that your business has to account for, for example CPG 235 (Managing Data Risk), CPS 234 (Information Security) and CPS 230 (Operational Risk Management). Part of what they highlight is the critical role of data risk management.

    Recent cyber incidents in the financial sector have shown the need for a robust understanding of where data is stored, how it is deleted and how it is secured. Data is pivotal to decision-making across many functions, and maintaining data privacy is something stakeholders trust organisations with, so its protection should be a top priority for directors and executives.

     

    HOW INTRINSIC CAN HELP

     

    Start-ups

    We have an extensive library of over 300 policies and procedures that we can modify to meet your specific business needs, so that they can be considered as meeting what a reasonable person would regard as adequate risk management systems (the Corporations Act does not define "adequate"). We believe they will be considered more than adequate.

     

    Established AFSL Holders

    We can provide an independent review of your existing risk management systems and suggest changes (if any).

     

    If your business is expanding, we can supply policies and procedures that can be adapted to the avenues of expansion you are pursuing. This will save you time and money.

     

    Start-ups and established AFSL holders

    Cyber attacks have highlighted the importance of data protection to a business.

    APRA's recent study of banks (the 100 Critical Risk Data Elements pilot study) outlines some important considerations when you are planning data management systems in your business. Here are some of the important tasks to focus on:

    1. Implement a cohesive data strategy for robust data governance.

    2. Define clear roles for ownership of essential data throughout its lifecycle.

    3. Streamline technology and data architecture by upgrading platforms and retiring legacy assets.

    4. Identify key data elements and enforce consistent data controls.

    5. Monitor data quality and promptly address errors in alignment with business needs.

    6. Incorporate data management risks into the broader risk management framework.

    We can assist you with the organisational structure of data recording and management in ways that will reduce the risks posed by cyber criminals.

     

    Efficiencies

    Being efficient leads to more time with clients and thus higher revenues and profits. Efficiencies lead to growth opportunities.

    Adapting to change

    We can help you respond to changing market conditions. We can help you be proactive in meeting the challenges of the future.