The increasing use of risk management and compliance declarations

The increasing use of risk management and compliance declarations (also called attestations) by regulators as a supervisory tool creates a personal risk for Boards and CEO’s who make the declaration.

CEO’s already make annual compliance declarations in respect of Australian Financial Services Licences and Australian Credit Licences.

But both APRA CPS 220 Risk Management (which commences on 1 January 2015)and the proposed new AUSTRAC compliance report contain broad risk management and compliance attestations by the Board.

In the case of CPS 220, APRA has agreed that the CPS 220 declaration and the SPS 220 declaration will contain a materiality qualification.

APRA has also agreed that the three lines of defence risk management model (management, internal risk controls, and the board) is not intended to increase the legal liability of directors under the Corporations Act.

Declarations required by regulators may cover:

1.Notification: an agreement to notify the regulator if a specified risk changes in its nature, magnitude or extent. This type of attestation requires risk monitoring and notification of anything significant. This is already a requirement for AFS licensees and APRA regulated bodies.
2.Undertaking: an attestation that a specific action will be undertaken.
3.Self-certification: an attestation that specified risks have been mitigated or resolved (this may be a voluntary agreement, publicly announced).
4.Verification. a regulator may require that certain remedial action has been taken and be verified by an independent review (usually given in an Enforceable Undertaking).

As enforcement action may be taken against an individual for making a declaration which is subsequently found to be untrue, attestations should be noted and supporting evidence recorded.

All attestations should be signed off by department heads and be reviewed by the senior compliance officer.

An attestation should have a clearly defined, limited scope.

It is critical that your risk management and compliance framework (including the monitoring of compliance and reporting of compliance breaches) is tested on an ongoing basis.

Call me if you’d like to discuss common flaws in risk management and compliance frameworks and what you can do to prevent them.

 

Your Compliance Support Plan

We understand you need a cost-effective way to keep up to date with regulatory changes. Talk to us about our fixed price plans.