Following the Financial Services Royal Commission, the Government proposed an extended regulatory framework, the Financial Accountability Regime (FAR), which will apply to all registrable superannuation entities (RSEs). The FAR will have a focus on non-financial risks including misconduct and end-to-end product management to enhance consumer protections.
Following the COVID-19 crisis, APRA will defer the regulatory extension until at least September 2020 and more likely 2021. As the coronavirus restrictions begin to ease and we move into a recovery phase, now is the time for RSEs to prepare their data for the impending regulations.
Data provides cultural insights
A keystone principle is that the superannuation fund trustee must act in the ‘best interests’ of its beneficiaries. The FAR drills down on this principle and sets out the obligations of ‘accountable persons’ within an RSE. This includes the obligation to ‘take reasonable steps […] to prevent matters from arising that would adversely affect the prudential standing or prudential reputation of the entity.’
To demonstrate ‘reasonable steps’, RSEs and their ‘accountable persons’ will need to quickly navigate, understand and report on all aspects of their internal governance, culture and risk management.
An entity’s data contains key insights into the culture of that organisation. A strong information governance framework is essential to managing current and future data holdings and mitigating non-financial risks.
Information governance framework review
A review of your existing information governance framework is fundamental to getting to grips with your data and ensuring compliance with the impending regulatory obligations.
Some necessary steps when conducting the review, analysis and evolution of your information governance framework include:
1) Stakeholder representation
The obligations under the FAR will extend across multiple functions within licensed RSEs. In the example cited by Treasury, ‘accountable persons’ may have responsibility for operations including:
- oversight of the entity as a member of the Board
- risk management
- dispute resolution (internal and external)
- claim and benefit entitlement handling
- financial advice offerings (if any)
- insurance offerings.
The information governance review must have stakeholder representation from across all functions, not just legal or IT.
2) Data mapping and audit
All records held by a licensed RSE, from historical hardcopy trust agreements through to instant messenger exchanges, are classified as data.
It is important to understand your existing data holdings and data creation methods. This may involve an audit or mapping of your organisation’s data.
Who is responsible for the data?
Where is the data stored?
When was the data created? Is the data still relevant?
What format is the data? What systems generate the data?
Why is the data necessary? What is the operational value?
3) Understanding regulatory requirements
Your data management strategy and information governance framework will be influenced by the new obligations created under the FAR.
What are the regulatory obligations related to this data or the information it records? Are there privacy obligations related to the content of the data?
The Commission’s final report on superannuation had a significant focus on the culture and governance of an entity. Case studies included examples of corporate culture that promoted aggressive sales tactics, conflicts between duty and interests and failures to report statutory breaches.
Are you currently monitoring internal and external communications for indications of a culture of misconduct?
Could you quickly and efficiently provide the regulators all the data related to sales, complaints or claims in response to a regulatory notice?
4) Managing unstructured and disparate data
Unstructured and disparate data held across multiple software platforms is difficult to navigate and review.
Compliance under the FAR will require organisations to demonstrate that they understand exactly what data they have and where it is stored, and that they can produce it quickly.
Collecting, processing and indexing data can provide you with the foundations of a searchable database. Tagging documents with key metrics such as custodian, date of creation and document categorisation creates organised and easily managed data holdings.
Indexed data stored in a central repository is easily searched, analysed and produced to internal audit teams, your lawyers and the regulators.
5) Team ‘buy in’
In order to remain compliant with the new obligations under the FAR, you will need more than policies, software and databases. Ongoing compliance will involve the ‘buy in’ of your team.
The employees in your organisation need to clearly understand what is required of them and why.
Your team will require not just onboarding to new systems, processes and procedures but also regular training to remain compliant.
In order to demonstrate ‘reasonable steps’ to the regulators, training should be recorded and stored to produce to the regulators when required.
6) Ongoing monitoring
Completing your information governance framework review should provide:
- understanding of your entity’s existing data
- identification of the systems and custodians that create new data
- understanding of the regulatory requirements
- a searchable central document repository
- key data that may indicate a potential regulatory breach
- internal stakeholder and team buy in.
Now is the time to define methods to continually monitor your data. For example, if all internal and external communication data is regularly collected, organised and analysed, the risk of misconduct will dramatically reduce.
Continual monitoring of data will demonstrate ‘reasonable steps’ have been taken to understand organisational culture, promote accountability and act in the ‘best interests’ of members.
7) Measure results
Define metrics and organisational goals related to your updated information governance framework.
Ensuring compliance with the new regulatory obligations created by the FAR may be the primary driver to improving your data management but there may be several other benefits including:
- enhanced data security
- securing sensitive, confidential or personal information
- reducing data volumes, technology and administrative costs
- increased team productivity
- mitigating the risk of litigation.
Defining metrics and benchmarks for these goals will enable you to measure the success of the implementation of your updated information governance framework. You can gain insight into key performance indicators such as:
- reduced overheads related to compliance and governance
- lower data volumes and IT storage costs
- fewer irrelevant documents collected in response to a regulatory notice
- decreased incidence of potential data breach.
Information governance for proactive compliance
Effective information governance goes far beyond data holdings and defensible deletion of documents. Data contains the insights as to whether the culture of an organisation promotes acting in the ‘best interests’ of members in every interaction.
A strong information governance framework is the first step to demonstrating to APRA that you are moving into a regime of proactive compliance.