Many Australian financial services organisations report that they are struggling to meet increased regulatory burdens. Prominent examples include the extensive breach reporting regime introduced by the Australian Securities and Investments Commission (ASIC) in October 2021. There are also COVID-related work health and safety issues; design and distribution obligations; and challenging rules designed to protect consumer data rights.
Regulatory compliance is clearly critical for organisations, and its implications are widespread. Effectively managing compliance protects organisations from material reputational damage, fines, remediation and distraction from core strategy objectives.
According to MinterEllison’s annual survey of the industry, governance and conduct requirements were the chief concern of businesses last year. This year, some 55% of respondents identified breach reporting as their biggest challenge. Almost half of respondents feared that increased regulatory demands would hurt their organisation’s recovery from the pandemic, just as many aspire to resume normal operations or reactivate deferred growth projects. The impact of the ructions from 2019 also remains apparent: 36% of those surveyed said their organisation had increased their focus on implementing the recommendations of the Financial Services Royal Commission since the pandemic began.
The constantly evolving regulatory and strategic environment makes sustainable compliance challenging. Businesses need to ensure that strategic change appropriately considers compliance obligations, processes and controls to ensure that compliance is sustained.
Of the following regulatory issues, which are you finding the most challenging to implement?
Navigating a complex landscape
Change is a constant in any business, whether stemming from market forces, competitive pressures or new regulations. But it is hard to dispute there has been a paradigm shift in financial services since the global financial crisis of 2008–09. Previously, firms in the financial sector could place profitability before customer need. However, public expectations have changed, particularly since the Hayne Royal Commission.
“The past 10 years has seen a significant step change with industry being expected to take on greater responsibility for the appropriateness of products and how they actually work in practice,” says Richard Batten, MinterEllison Partner and specialist in the areas of financial services regulation and anti–money laundering. The pace and volume of regulation is unrelenting, he adds, with companies facing increasingly prescriptive burdens and “always needing to react to the next thing coming down the pipe.”
In 2020, the government and regulators paused several regulatory changes to enable organisations to manage through the COVID-19 pandemic. A number of these have since restarted, which has upped the pace and intensity of the activity.
Different regulations can sometimes overlap or contradict each other. They can also spring in uncoordinated fashion from different sources, including ASIC, the Australian Prudential Regulation Authority and the Australian Securities Exchange.
Sometimes, as with Consumer Data Right (CDR) obligations, a gap can exist between regulators’ expectations and what those being regulated can realistically deliver. This is making it hard for organisations to implement large and consistent reform programs. According to Michael Lawson, MinterEllison Partner and Financial Services Industry Leader, “many of our clients are saying that they are struggling to do regulatory change at scale well”.
Initiating a regulatory change project
The key for financial services organisations – in the words of Donna Worthington, MinterEllison Partner – is “responding to the tsunami of regulation and understanding that community expectations have changed”, while balancing the reality of running a profit-making business.
No silver bullet can make regulatory burdens vanish. Instead, the goal should be to institute a consistent process across the business to manage change. It is important to take the time to understand the full extent of new regulatory schemes instead of jumping straight into implementing new solutions.
“The more you front load and plan, the better it is from an implementation standpoint,” Worthington says.
“With any regulatory change project, the stakes are high if you get it wrong. So the time spent to embed change in the organisation and ensure compliance is pretty critical.”
Donna Worthington, Partner
A sustainable approach involves building change-making capacity across the business, supported by clear accountabilities. This can be hard when different units might wish to avoid responsibility for budget imposts. Understanding where the principal obligation lies can be like a game of ‘pass the parcel’ between product teams, legal and compliance functions. Nevertheless, it is important to think strategically about different risk events – for example, what happens in the organisation when a customer complains, or a data breach occurs.
“What are the things that could absolutely impact your ability to operate?” Worthington says. Such an exercise allows organisations to prioritise strategic risks while downplaying issues that can be “kicked a little down the road”.
A regulatory change framework will help organisations on this journey.
Driving new business value
At their best, regulatory change initiatives allow financial services organisations to rethink how they deliver their mission from first principles. The downsides of such projects are normally easy to quantify. However, emphasising the revenue and growth potential, Worthington says, is “when you start to get people’s ears pricking up to do more than just compliance”.
For example, new CDR obligations provide an opportunity to create new ways to impress customers with tailored financial products. Such proactive management of regulatory burdens offers a way to restructure the business – and in Batten’s words, “get ahead of the curve”.
“It’s hard to move into that proactive space because of shareholder and market pressure, but it’s the best way to ensure regulatory issues are addressed before they become more serious,” Batten says.
“Proactively reshaping the organisation is the only actual solution, but a really hard one.”
Richard Batten, Partner
Investing in technology to do it better
Among the financial services organisations planning to invest in new technology, 57% of respondents to our survey said their aim was to create easier or streamlined compliance. Many businesses are investing in governance, risk and compliance systems to centralise the management of their regulatory obligations, reporting requirements, and internal policies and procedures. This can help unite information strewn across different spreadsheets or locked away in various silos.
Other regulatory technology (regtech) applications can help businesses satisfy know-your-customer obligations, such as verifying income and identity. Of course, any use of external technology creates its own financial, privacy and integrity risks requiring due diligence. “You can’t use it as a solution without considering the prudential management implications of relying on a regtech company that is a third-party supplier,” says Ian Lockhart, MinterEllison Partner.
How to manage obligations
The demands on the financial services industry are only likely to grow. This is due to changing public expectations, and an increasingly populist political and media culture. Upcoming areas of regulation will include cybersecurity, management of customer data and payments and cryptocurrency regulation. Financial services organisations accordingly face high stakes in a fast-changing area. Regulatory breaches can incur heavy fines or embarrassing reputational damage.
Some key challenges for organisations include:
- having clear accountabilities and role clarity across the organisation for compliance leadership
- aligning strategy, products and services to regulatory change
- managing the volume of the regulatory reform pipeline and regulatory compliance requirements, whilst balancing business-as-usual activities
- implementing new ways of working
- having access to external regulator feeds and systems, which then need to be operationalised and integrated into risk and compliance frameworks.
For any organisation managing regulatory change, the more planning they do upfront to understand the original requirement, the easier the process will be further down the line if they run into breaches or remediation issues.
Guiding cultural change
Building more resilient organisations and focusing on culture is a priority. The industry has never been static, and so organisations need to be in a position where they can evolve as needed. Having a culture that encourages staff to proactively identify and prepare for change will help organisations build resilience.
Organisations need to take a sustainable approach to change through building capability and a system that is flexible.
Batten encourages financial services organisations to look honestly at the “friction points” that can drive problematic behaviour, with remuneration incentives or unclear accountabilities being two obvious examples. It’s also important, he says, that businesses don’t fall into a pattern of jumping into line, only to drift back into discredited patterns when regulators are no longer focusing on the issue.
A true commitment to change needs to be permanent. “Often there are cultural drivers that cause issues not to be identified or confronted,” he says. “There are barriers around raising issues with senior executives to avoid looking bad or being seen to raise difficult issues without easy solutions. These dynamics can require an external eye to work with an organisation to identify and change how these issues are addressed.”
Organisations should seek to build a culture that looks to implement regulatory change holistically, rather than tactically. Taking a holistic approach will, in the long term, decrease the change load that organisations need to manage, and improve staff engagement and motivation to make the changes. Worthington gives the example of the numerous customer protection changes that commenced in October 2021. “Organisations that did not take a holistic approach to the introduction of the design and distribution obligations, anti-hawking measures, deferred sales model for add on insurance and internal dispute resolution changes, would have placed unnecessary change burdens on their teams who were likely already suffering from change fatigue”.