ANZIIF overhauls Beyond Breaches, its short compliance course

With 38 years’ experience in the insurance industry, Paul Muir has learned from experience that the most effective compliance arrangements are ‘customer-centric and fit-for-purpose’.

They drive business value while protecting your customers, people, reputation and investments.

Journey to consumer trust

Muir, an ANZIIF Fellow, launched his business Compliance Advocacy Solutions in 2017 to provide specialised compliance services for the insurance industry during a time of significant and complex regulatory change.

And what a time it has been, with the Hayne Royal Commission in 2018 shaking up banking and altering the overall financial services sector forever.

As we know, once the government accepted the bulk of Hayne’s recommendations, there was a flurry of activity to start the journey of rebuilding customer trust.

In 2022, we now have a complex landscape of updated industry codes of practice, new laws and regulations, as well as an array of deadlines and reporting requirements.

ANZIIF’s learning role

Perhaps most notably, as of 1 January 2022, those organisations providing insurance claims handling and settling services must consider themselves the provider of a financial service (subject to certain activities being exempted).

Such entities are therefore required to obtain or be covered by an Australian financial services licence.

In addition, Regulatory Guide 78(RG 78) (Breach Reporting) which explains what Australian Financial Service (AFS) Licensees must report to ASIC and ASIC’s expectations and guidance about Licensee’s compliance systems, was also updated according to the new legislation.

As the leading insurance industry training organisation in APAC, ANZIIF offers a wide variety of resources to help industry players understand and comply with the regulation as it evolves.

Rolling with the punches

Over the last three months, Muir in association with ANZIIF staff, has meticulously updated Beyond Breaches, a short course initially designed for insurers to get a handle on compliance with the general and life insurance codes of practice.

The updated Beyond Breaches courseis not designed to provide a complete understanding of all the new financial services legislation.

However, Muir says it covers off on how insurers’ new licensing obligations dovetail with the industry’s updated industry codes and the requirement to report certain matters to regulators and industry code governance and compliance committees.

Australian industry codes of practice explored in the updated course  include the Insurance Council of Australia’s (ICA) updated General Insurance Code of Practice, the FSC’s new Life Insurance Code of practice (which comes into force in 2023) and NIBA’s Insurance Brokers Code of Conduct. It also covers ICNZ’s Fair Insurance Code in New Zealand.

Understanding reportable situations

Beyond Breaches also provides participants with the competence to identify incidents of non-compliance, take the required actions as soon as possible and minimise customer harm.

‘The financial services laws now categorise certain regulatory breaches as “reportable situations”, which must be reported to ASIC,’ Muir explains.

Reportable situations include ‘breaches of an insurer’s core licence obligation to provide financial services efficiently, honestly and fairly’ and ‘and instances of gross negligence or fraud and misleading or deceptive conduct’. In addition, material customer loss or harm must also be reported to ASIC.

Reportable situations also include a breach of other licensing obligations such as:

• managing conflicts of interest adequately.
• having adequate resources available.
• organisational competence.
• ensuring representatives are adequately trained, competent and compliant.
• having a compliant dispute resolution system.

Under the new financial services laws, ‘reportable situations’ must be notified to ASIC within 30 calendar days of being discovered or suspected.

This also applies to ongoing investigations of breaches of core obligations where the investigation has not been completed within 30 days.

‘Rectifying an incident does not negate the requirement to report,’ Muir says. ‘If the incident was a reportable situation, it remains a reportable situation whether rectified or not.

‘And if 31 days ticks over while you're still investigating a reportable situation, that in itself becomes a reportable situation reportable to ASIC.’

Identifying a problem

Therefore, Muir says, ‘the quicker you can identify an incident internally, the better’.

‘An organisation needs all of its people and external representatives to work hand in hand because the longer we allow an incident to go unchecked, the more likely harm will be caused,’ he says.

He points out that the Hayne royal commission also resulted in wider powers for regulators such as ASIC and APRA to take enforcement actions, including penalising individuals such as executives or board members.

‘It’s largely a self-reporting regime, so it's up to the company to identify when things go wrong,’ he says.

‘Customers won’t always have an awareness of what they should expect from your service, so it's incumbent upon the organisation to have policies, guidelines and procedures in place to assist staff in meeting the company’s obligations.

'These documents comprise a company’s compliance arrangements, which contribute to the safety of the environment your people work within.’

Honest intentions

Muir says the best outcomes will be achieved by licensees who genuinely take responsibility for their obligations and the reporting of breaches.

‘If you rectify what's going wrong, compensate the customer and if the matter meets the criteria, report it to ASIC, you’ve done everything you can to protect the customer,’ he says.

‘Not every case will require a huge investigation, especially if it’s a case of a technical breach, it’s been reported and there hasn’t been any material customer harm.

‘In that kind of scenario, ASIC may just want to know what's gone wrong and what action has been taken to make sure it doesn't happen again, along with whether any customer harmed has been compensated.’

Serious breach, serious penalty

However, if reportable situations reoccur, or the breach is very serious, the consequences can be severe.

‘Civil and criminal penalties for individuals and financial service companies in the insurance sector in breach of their regulatory obligations were increased in March 2019,’ Muir says.

‘At the more serious end of the misconduct scale, you could be looking at a jail term and a significant civil penalty in excess of a million dollars.

'ASIC also has the power to ban and disqualify individuals from practicing in the industry.’

Examples of situations in this category might include engaging in fraudulent or misleading conduct or conduct that causes material harm to customers, especially where a person benefits from their misconduct.

‘ASIC has been very transparent and will usually post media releases that “name and shame” organisations doing the wrong thing,’ Muir warns. ‘That will mean a negative impact to your reputation.’

Human error?

Although the odd mistake might be understandable — we’re all human after all — Muir cites ASIC’s October report (22-295MR), which reveals that a very high percentage of recently reported breaches were put down to ‘human error’.

‘This begs the question: are the proper compliance measures and training in place?

‘If you haven't detected an error or incident , or you haven't reported it in the 30-day time frame required, it may indicate to ASIC (and customers) that your compliance arrangements are not adequate.

‘If ASIC considers this the case, it can enforce an audit of your compliance arrangements at your expense.’

Making the complex simple

If those reasons aren’t enough to inspire you to do the updated Beyond Breaches, Muir has another pointed analogy to offer.

‘You wouldn’t jump into your car without knowing the road rules that keep everyone safe,’ he says. 'Providing financial services is much the same.'

‘We’re suggesting you shouldn’t be providing financial services unless you've got a working knowledge of the laws, or at least the laws that apply to your area of business operation.’

In addition, an important requirement at law is for financial services companies to have trained and competent people.

‘Education and training are vital to understand your obligations and to continually improve,’ says Muir. ‘Even if you pick up one or two things from the course, then it's worthwhile.

‘I would encourage everyone to do this course. It's been designed to make the complex simple and it helps you understand each person’s role as an early warning system within their organisation.’

Muir shares that contributing to the development of the course was a way for him to give back.

‘The insurance industry is wonderful, and it’s been good to me,’ he says.

‘Updating ANZIIF’s course was an interesting challenge and a huge badge of honour. For me it was quite humbling to be asked to do work like this and I had a ball. It was really good fun.’

Do the course