Pursuing the best outcomes for customers: ASIC’s approach and the work of internal auditors

Speech by ASIC Commissioner Sean Hughes at the Financial Services Assurance Forum, hosted by the Institute of Internal Auditors Australia, Thursday 25 November 2021.

Check against delivery

I begin by acknowledging the Traditional Custodians of the lands I am on today, the Boon Wurrung and Woiwurrung people of the Kulin nation. I pay my respects to their elders past, present and emerging, and extend that respect to Aboriginal and Torres Strait Islander peoples joining the forum today.

It is a pleasure to speak to you today and to participate in this forum.

Today I will suggest with some conviction that internal auditors can use their position and influence to pursue better outcomes for customers. By ‘customers’ I refer to investors and consumers using your firms’ products and services. Indeed, we can all include ourselves among this population as consumers of financial products and services.

My point is a simple one. Australian consumers need your insights on risk, and your wariness of harm, more than ever before.

Before COVID-19, digital business models across different industries were progressing at varying speeds, and with some level of voluntary take-up. But the scale of the pandemic forced a dramatic acceleration, and a move to a digital-first or preferred operating environment.

The speed of change and the required investment in technology was driven by the need to service customers wherever they were. This digital transformation has led to many benefits but it also came with a shadow-side – a convergence of consumer harms, some of which are entirely new and others more evolutionary.

The surface area of risk-exposure is growing exponentially due to conditions created by the pandemic. Consumers and investors are pushing into the digital realm across financial services, wealth management and markets. Everything – from what we invest in, to whose advice we listen to – is rapidly evolving. As such, the work of internal auditors, and risk, compliance and governance professionals, is more significant for risk identification and control efficacy today than perhaps at any other time in modern history.

We need to support the economy, promote market integrity and efficient and competitive markets. We need to protect consumers – regardless of whether they are individual consumers, retail investors, wholesale investors or small businesses.

ASIC’s oversight role and responsibilities

Within the context of this line of reasoning, I will provide you with an update on ASIC’s latest regulatory work.

Before I go into the details it is important to provide an overview of ASIC’s broader priorities for 2022, including the issues that have informed ASIC’s strategic settings for the next twelve months.

Current context: as risk appetite rises, so does scam activity

The good news is that Australia’s financial system has proven to be resilient under the challenging circumstances presented by the Delta variant of COVID-19. Many Australian companies have remained healthy, with strong balance sheets. However, some sectors such as hospitality and tourism were severely challenged and are facing a difficult recovery period.

As we look back at the past 18 months, I am mindful that everyone here is part of the broader Australian community. Many people have endured hardship in this period. At this stage, it does look like the economy will remain resilient thanks in large part to the community’s commitment, determination and competitive energy, as well as the policy responses of governments around the country.

The bad news is that we have to be ever-more vigilant against the potential for consumer harm.

Digital transformation accelerated during the pandemic, bringing with it both consumer benefits and detriments in equal measure.

Since the outset of the pandemic, new retail investors have entered the market at an unprecedented rate. Meanwhile a significant number of investors, both those who are deeply experienced and those who are new, dived head-first into risky investments in the search for higher yield in a low-yield environment. This included crypto-assets, some of which fall outside the definition of a ‘financial product’ and as such, are not currently subject to markets conduct regulation under Australian law.

Unfortunately, it is clear that an ever-increasing number of scammers are taking advantage of consumers and investors whose motivation remains the same: to maximise returns while misunderstanding the risks. ASIC noted a rapid rise in investment scams in early 2020 at the beginning of the pandemic.[1]

It is also worth noting the following statistics, which make for sober reading:

  1. In the 2020 calendar year, Australians lost a record $851 million to scams, according to the ACCC.[2]
  2. In January and February 2021, reports of misconduct to ASIC were up by over 200% compared to last year.[3]
  3. In March 2021, ASIC received about 10 times as many reports of misconduct about investment scams compared with the pre-pandemic average.

These statistics are why ASIC’s strategic priority for 2022, among others, is to continue addressing the most significant threats and harms in our regulatory environment.[4] In particular, we are continuing our work on reducing the risk of harm to consumers exposed to poor product governance and design. It is closely aligned to one of our longstanding strategic priorities – to hunt down predatory behaviour; especially that which targets vulnerable communities and consumers.

We also continue to support industry readiness for – and compliance with – standards set by Parliament’s recent suite of law reforms, the majority of which commenced in October this year.

To achieve our strategic priorities, ASIC is looking to financial services organisations to demonstrate strong governance controls that support sound decision making and a culture of achieving fair and efficient outcomes.

We also expect firms to put in place efficient processes to handle consumer complaints, and ensure timely and fair remediation where losses are incurred due to poor conduct.

How internal auditors can support good consumer outcomes

ASIC is a conduct regulator, and you will find that at the heart of all of its regulatory endeavours lies a resolute focus on ensuring good consumer outcomes through compliance with the laws that we administer. While this is our regulatory touchstone, it also makes commercial sense: it helps firms attract and retain customers and avoid operational loss.

It is a strong expectation of ASIC, and other conduct regulators around the world, that when a financial services organisation sells a product or service to a customer, the organisation has robust and effective strategies within its risk framework to manage non-financial and conduct risks.

For example, Deloitte notes that the UK’s Financial Conduct Authority ‘expects organisations to be able to demonstrate that conduct-focused behaviour and customer outcomes are truly embedded to play an integral part in all strategic and operational decisions’.[5]

Furthermore, the FCA has an increased focus on the internal audit function, and how it exercises its responsibilities in assessing how the internal control environment supports the delivery of fair customer outcomes.[6]

Like the FCA, ASIC seeks to understand the role and effectiveness of the internal audit function in ensuring an organisation’s compliance with financial services laws, and delivering good consumer outcomes. That is why ASIC is engaging with the internal audit functions of financial institutions, and observed the drafting of the principles of IIA‑Australia.

As an ‘independent, objective assurance and consulting activity’[7], internal audit plays a key role in an organisation’s risk management, control, and governance processes. An important part of those processes should be ensuring that customers who buy your products and services are not exposed to harmful conduct, but rather, experience fair and positive outcomes.

With the right operating framework, resourcing and leadership backing, the internal audit function can provide the company’s leadership with a trusted ‘independent voice’ for an objective assessment of the organisation’s capabilities.

More importantly, the organisation can improve its culture and conduct off the back of this objective assessment.

In fact, I believe the Board should see the internal audit function as its best friend. Internal Audit is the mirror into which the organisation’s leadership looks to ask itself – is this how we really appear? Internal auditors can use their truly independent voice to provide the Board with a frank assessment of the organisation’s ‘pain points’.

This makes good business sense.

We all know that good culture and a customer-focused approach protects and advances the assets, reputation, and sustainability of the organisation.

If there is one thing that the Financial Services Royal Commission has taught us, it is that non‑financial risks, contrary to what the term suggests, are often very costly and damaging to an organisation if not managed well.

We only need to look at the problem of ‘fees for no service’, for which remediation is still ongoing. Almost six years have passed since ASIC first launched its review.[8]

As at 30 June 2021, six of Australia's largest banking and financial services institutions have paid or offered a total of $1.64 billion in compensation to 1,066,493 customers who suffered loss or detriment because of fees-for-no-service misconduct.[9]

Right now, ASIC is monitoring 64 remediation programs that will see the return of over $5.4 billion to more than 5.6 million consumers upon finalisation. There are also many other remediations that are dealt with directly by firms.[10]

Issues like this highlight why organisations need to have a better focus on embedding within their risk framework ways to effectively identify and manage conduct risk on a pre-emptive and timely basis, in particular risks to consumers.

One of the criticisms made by Commissioner Kenneth Hayne in the Royal Commission Final report was that “Too often, boards did not get the right information about emerging non-financial risks; did not do enough to seek further or better information where what they had was clearly deficient; and did not do enough with the information they had to oversee and challenge management’s approach to these risks”.[11]

Commissioner Hayne’s emphasis was not that Boards lacked information, but that they failed to receive the right information and to engage with it meaningfully: for example, by not challenging the information provided to them, or by ignoring what was being escalated, including by internal audit teams.

Almost three years on from Commissioner Hayne’s final report, it is fair to say that the financial services industry has undergone significant reform and improvements. The landscape looks very different (especially in financial advice) and both businesses and high profile individuals have departed the sector.

ASIC hopes that boards are now – more than ever – actively listening, seeking the right information, and improving their engagement with the proper resolution of conduct risk. I say ‘hope’ because we can never be confident and our population is large.

For internal audit teams and other risk professionals, this means there is no better time than now to establish a strong and audible voice, and to use it to influence your leadership to step up and do better.

This will, of course, include delivering better customer outcomes. As I said earlier, this isn’t just the voice of risk and regulation talking; it also makes sound commercial sense.

Three practical steps to ensure good customer outcomes

So what are practical steps that internal audit teams can take to ensure your organisations are well-positioned to achieve good customer outcomes? Here are three suggestions:

  1. You can ensure that the risk of consumer harm is at the forefront of audit planning. Your audit plans, coverage, charters and methodologies should include specific references to identifying consumer harm and improving consumer outcomes. They should also cover specific topics such as vulnerable consumers.
  2. You can invest in training internal audit staff members, and the first and second lines of assurance. You should ensure your employees have the necessary tools and skills to identify consumer risks, and develop adequate action plans to mitigate or escalate those risks.
  3. You can develop good data points and techniques to assess the effectiveness of the business in managing conduct risk and driving better customer outcomes. For example, you can test whether there is a decrease in the number and the severity of customer complaints as a result of an action being put in place.

Follow the IIA-Australia guide

I also recommend the Internal Audit Better Practice Guide for Financial Services in Australia, which specifically addresses customer harm.[12] This is the IIA-Australia’s own principles-based guide and was released in the wake of the Financial Services Royal Commission.

For example, ‘risk of poor customer treatment’ is listed as one of four areas of scope, alongside ‘governance, risk structures and processes’ and ‘risk and control culture of the organisation’.

The guide also encourages you to consider whether your organisation ‘acts with integrity in its dealing with customers and broader interactions with the market’.

Furthermore, it suggests you consider ‘the manner by which the business and risk management are designing and controlling products, services and supporting processes to align with customer interests and conduct regulation.’[13]

The ‘upskilling’ imperative for internal audit

As our businesses are constantly evolving, internal audit teams also need to stay on top of trends and develop capabilities. These include the need to audit in a customer-centric manner, which places customers’ best interests at the heart of the work you do. I will talk more about this a little later.

Another trend I touched upon earlier is digital transformation. It is vital for anyone involved in the internal audit function to ‘upskill’ themselves with an understanding of how it is changing your business, from the digitalisation of systems, to crypto-assets, to the end-to-end infusion of artificial intelligence into the lifecycle of products and services.

Staying on top of these trends and capabilities requires a thorough assessment of the skills, experiences and knowledge of internal audit teams. You have to ensure they have what it takes to keep pace with fast-evolving business strategies and models.

Conclusion: a call to action

It is critical for financial services entities to adopt a proper risk framework with a customer-centric focus. All of you listening today, as internal audit professionals, play a vital role in achieving that outcome.

To conclude, I would like to end with a call to action.

As you no doubt are all aware, six new law reforms commenced last month in October 2021.

They include the design and distribution obligations (DDOs); restrictions on the unsolicited selling of financial products (hawking); a deferred sales model for add-on insurance products; reference checking and information sharing requirements for financial advisers and brokers; and new requirements around how breaches are reported to ASIC, and disputes are managed internally in firms.

While they all have good consumer outcomes as their core intent, three in particular are pertinent for internal audit and risk professionals: they need you to play a key role in their successful implementation and application.

These three reforms are DDOs, breach reporting, and internal dispute resolution (IDR). They were developed in response to public inquiries over the past decade, including the Financial Services Royal Commission, which revealed widespread consumer harm.

These three reforms, coupled with ASIC’s regulatory guidance, encourage firms to put the consumer at the centre of all decisions. This necessitates ‘end-to-end’ thinking – from the moment your organisation begins to design a product, to when it begins to distribute it. And also at the end of the process – when your organisation considers what to do with information about breaches or customer complaints.

To play that key role in helping to successfully implement and apply the DDO, breach reporting and IDR reforms, I encourage you to ask five questions during your internal audit:

  1. How did your internal audit team assess whether or not the preparation for – and implementation of – these reforms was on the right track? How good were the end-products? What difference or improvements did you observe?
  2. Now that the DDO, breach reporting and IDR regimes are in place, how effectively are they being applied? How are you measuring and testing this?
  3. What are the impacts on customers, for example using DDO – have distribution practices changed?
  4. Are your customers enjoying better outcomes? Have the number of customer complaints changed? What metrics are there to measure these outcomes? How are they being reported to the board? How fresh is the data?
  5. Are there other things your organisation could be doing to implement the regimes more effectively?

It is important to remain vigilant and not grow complacent.

We know that “conduct risk is not static, nor is it limited to a defined part of the business. It is present in almost every part of the business in different ways…”[14] and there is no ‘one-size fits all’ strategy.

This leads to my final question.

What skills do internal audit professionals need in order to influence and steer their Boards and executives towards successful implementation of law reforms, through a customer lens?

I would argue that the following four attributes are ideal:

  1. A competent understanding of your organisation’s business strategies, as well as of external factors such as new law reforms.
  2. An agile mindset and attitude to adapt to the fast-evolving nature and needs of the business, including digital transformation.
  3. Confidence to challenge the status quo and provide an objective, independent voice to leadership; especially when that voice might result in uncomfortable discussions.
  4. A deep-seated conviction that customers who buy your products and services should be better off, and ultimately receive outcomes that are good for them. And a sense of self-recognition and acknowledgment that you played a part in that success, and that your efforts made a difference, for the better.

Thank you.
[1] ASIC media release, 20-147MR Rise in investment scams during COVID-19 pandemic, 24 June 2020.

[2] ACCC, Targeting scams report 2020, 7 June 2021.

[3] ASIC, Financial scams double in 2021: reporting up more than 200%, 12 March 2021.

[4] ASIC Corporate Plan 2021–25: Focus 2021–22, August 2021, page 5.

[5] Deloitte LLP, Getting the right outcome: Internal Audit and retail conduct risk, An Internal Audit viewpoint, UK, 2015.

[6] Deloitte LLP, Getting the right outcome: Internal Audit and retail conduct risk, An Internal Audit viewpoint, UK, 2015.

[7] Definition of ‘Internal audit’ from The International Professional Practices Framework.

[8] ASIC, REP 499 Financial advice: Fees for no service; INFO 232 Fees for no service: remediation, August 2018; and RG 256 Client review and remediation conducted by advice licensees, September 2016.

[9] ASIC media release, 21-203MR ASIC update: Compensation for financial advice-related misconduct as at 30 June 2021, 5 August 2021.

[10] ASIC media release, 21-307MR ASIC consults on consumer remediation draft guidance, 17 November 2021.

[11] Final Report – Volume 1, Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry, February 2019, page 395.

[12] IIA-Australia, Internal Audit Better Practice Guide for Financial Services in Australia, November 2020.

[13] IIA-Australia, Internal Audit Better Practice Guide for Financial Services in Australia, November 2020, page 9.

[14] Deloitte LLP, Getting the right outcome: Internal Audit and retail conduct risk, An Internal Audit viewpoint, UK, 2015.

Last updated: 25/11/2021 12:00