From finding new customers through to receiving applications, making decisions about loans and investments, entering contracts, funding and managing customers and collecting debts, financial services providers are seeking to automate business processes and to enable services to be accessed by customers in multiple alternative channels.
When you are thinking about upgrading your technology or setting up new IT processes, failure by your Board and senior managers to assess the changes for compliance and reputation risks as well as financial issues is a flaw in your governance framework.
That is the lesson from three events this year: Austrac’s action against CBA, APRA’s CBA Prudential Report and the Financial Services Royal Commission.
According to the Statement of Agreed Facts in Austrac v CBA, since 2010, CBA invested more than $400 million on AML/CTF compliance, including expenditure on upgrading and enhancing its AML/CTF technology, updating its process documentation, investing in further resourcing and strengthening training of its personnel.
But CBA conceded it failed to carry out an appropriate assessment of the money laundering and terrorism financing (ML/TF) risks of its Intelligent Deposit Machines (IDMs) until AUSTRAC drew reporting anomalies to CBA’s attention. CBA acknowledged it failed to complete the introduction of appropriate controls to mitigate and manage the ML/TF risks of IDMs.
Those failures and the consequent failure to lodge reports with Austrac cost CBA $700 million in penalties.
In APRA’s Prudential Report into CBA the Panel concluded that CBA’s management of its non-financial risks (that is, its operational, compliance and conduct risks) were neither clearly understood nor owned, the frameworks for managing them were cumbersome and incomplete, and senior leadership was slow to recognise, and address, emerging threats to CBA’s reputation.
In his evidence to the Financial Services Royal Commission, CBA’s Chief Risk Officer said:
“ the state of our systems that recorded and aggregated instances of misconduct … were not particularly advanced. They were not particularly well connected. The difficulty that the bank experienced was that various incidents of misconduct were recorded on different systems in different business units, without necessarily being all encompassed in a single business unit.”
In the Commissioner’s Interm Report, in respect of the responses to requests for information the Commissioner observed that:
“the course of events and the explanations proffered can lead only to the conclusion that neither CBA nor NAB could readily identify how, or to what extent, the entity as a whole was failing to comply with the law. And if that is right, neither the senior management nor the board of the entity could be given any single coherent picture of the nature or extent of failures of compliance; they could be given only a disjointed series of bits of information framed by reference to particular events. Information presented in that way points too easily towards explaining what has happened as ‘a small number of people choosing to behave unethically’ or as the product of ‘people, policies and processes that existed with a pocket of poor culture in that area at that time’.”
But compliance is not just good data analytics and reporting.
The Commissioner has asked a key question arising from the evidence heard this year:
“Should there be greater consequences for financial services entities that fail to design, maintain and resource their compliance systems in a way that ensures they are effective in:
• preventing breaches of financial services laws and other regulatory obligations; and
• ensuring that any breaches that do occur are remedied in a timely fashion?”
Your technology (including business rules and algorithms) needs to be assessed for compliance with laws and regulations, cybersecurity risks, the privacy of customers’ information and fraud prevention and monitoring.
Failure to act “efficiently, honestly and fairly” could result in substantial Corporations Act and Credit Act penalties.
APRA has also identified information security as an important prudential issue.
Ask whether the new processes, apart from reducing costs for the business and reducing processing time, will benefit your customers or create new risks for your customers.
Austrac’s 2018 compliance report will ask whether a reporting entity has assessed mobile apps for risks.
The recent first full quarter report of Notifiable Data Breaches by the Privacy Commissioner showed the primary source of breaches was malicious or criminal attacks (59 percent), followed by human error (36 percent) and system faults (5 percent).
The following compliance questions need to be asked whenever there is a report of a “glitch” or a “systems fault”:
- is the technology failure symptomatic of a more widespread systems failure in the organisation or a “one-off”?
- does the organisation have adequate resources and controls as required for financial services and credit licensees?
- was the failure the result of cybercrime? What security does the organisation have in place? How often is its security tested?
- has there been a data breach as a result of a lapse in security and a failure to train staff on the importance of customer privacy?
- were any of the services outsourced? was the third party provider adequately supervised and monitored?
The conclusion: an IT implementation plan is not complete without assessing the non-financial risks. Compliance breaches could result in substantial penalties and reputational damage.