
The broadened scope of a compliance audit in light of TCF, ethics and business integrity risks

01 July 2015 | Compliance - Regulatory | General | Cornea Matthee, Centriq Insurance

Cornea Matthee, Group Compliance and Risk Officer, Centriq Insurance.

Terms like proportionality, principle-, outcome-, and risk-based have made the role and function of the compliance officer more complex and challenging than ever before.

Whilst the methodology of compliance management remains unchanged, the scope to which it is applied has broadened substantially.

As such, compliance officers need to apply the ‘methodology of identifying, assessing, mitigating and reporting’ to the various aspects of market conduct risks so as to provide the risk and board committee with assurance on the adequacy and effectiveness of the controls they have in place to mitigate these risks.

With that said, the monitoring of compliance with the various outcomes of treating customers fairly (TCF), ethics and business integrity risks (commonly referred to as fraud) requires not only competence, but technical skill. And this requires the compliance officer to understand the ins and outs of a company’s business operations.

When conducting an audit at a particular financial services provider, the compliance officer needs to formulate the questions he needs to ask in such a way that an in-depth understanding of the company’s policies and procedures and its impact on the end-user (customer), is gained.

In my view, the compliance officer is also responsible for helping companies better understand the link that exists between TCF and the roles and responsibilities of entities within the distribution value chain whilst taking the Regulator’s requirements into account when determining the risks that an organisation faces.

Questions the compliance officer could include in the audit scope

When it comes to TCF, ethics and business integrity, the compliance officer can include the following in the audit scope:

Research (product and service design):

- What research have you conducted to establish a need for this product or service offering?
- How do you know that the product or service meets customer needs?
- What existing data gave rise to the development of the product or service offering?
- Have you tested the product or service on the target market?
- How are competitors in a similar market performing?

Customer sophistication:

Here the criteria used to determine the sophistication level of customers as well as the manner in which you define the average customer, and the differentiation of customers per product type, should be taken into account.

One would also need to assess how the sophistication level of customers has impacted wording and processes, and how frequently the company reassesses customer sophistication levels.

Market segmentation:

As far as market segmentation is concerned, the percentage of the following aspects would need to be taken into consideration:

- Book per product type
- Customers per personal lines product offering
- Market in relation to competitors
- Customers falling within the sophistication criteria
- Customers falling within the definition of a retail customer
- The primary language of defined retail-customers
- How frequently a company reassesses market segments.

Products and services:

The range of products offered, and whether or not the company maintains a product register and risk-rates products based on customer sophistication and expectations, complexity and adequacy, should be considered.

One would also need to determine how frequently the company assesses their wording for simplicity and a full understanding of their product and service offerings.

Whether or not queries, rejections and complaints inform a company’s service offering or product development (and changes thereto) should also be taken into account.

Marketing and advertising:

Questions to ask include:

- Which methods are used to market and advertise your products?
- How do you measure the effectiveness of the method/s used?
- How does the target market inform the marketing method?
- Do complaints inform the marketing methods?
- Have you tested the marketing material to ensure customers are not misled?

Customer communication and disclosures:

- How do you ensure that customers understand the product?
- How do you communicate to the customer any changes to any wording?
- What criteria are used to determine whether a change is material or not, and how is this communicated to the customer?
- Do you provide a summary of policy benefits and exclusions (informed by queries, rejections and complaints) in layman's terms (and with examples) to the customer?
- What informs your decision to cancel a policy?

Distribution value chain (service providers and outsourced business partners):

Here the compliance officer would typically have to determine which of the companies’ partners provide services within the value chain, and what exactly it is that these entities do.

The compliance officer would also have to determine:

- which entities engage with customers;
- if the company has a due diligence take-on process in place, and
- if the due diligence does include the manner in which the company and its representatives treat customers at sales, claims, complaints and rejection stage.

Other questions that need to be asked are:

- Do you have service level agreements in place?
- How do you communicate service expectations to customers?
- Do you monitor service delivery to customers?
- How frequently do you monitor these entities?
- What are the reporting requirements in relation to service levels?
- What does the complaints process involve?

Distribution channel (broker, direct marketer, application form):

What the company does to determine if the chosen distribution channel suits the market segment or not, as well as what exactly it is that the queries, rejections and complaints the company receives tell them about the distribution channel they use, are all aspects to consider during the distribution channel auditing process.

Whether a company provides training on products, services and target markets or not, and if they provide feedback on the root cause undertaken in relation to queries, rejections and complaints to determine appropriate remedial action or not, are all questions to ask.

Should an underwriting management agency (UMA) be used, the compliance officer would also need to know if the UMA monitors complaints with brokers directly or not.

Claims and complaints handling:

Aspects the compliance officer would have to consider include whether or not a root cause analysis on complaints informs policy changes, and what a company’s complaints are telling them about the customer’s understanding of the policy wording, service providers, sales and complaints handling processes.

Business integrity:

- What procedures do you have in place to mitigate improper sales practices?
- How do you monitor the processes that the staff follows?
- Do you have checks to monitor the risks that are associated with the backdating of cover or duplicate payments?

Ethical behaviour and practices:

Here one would have to determine:

- which policies and processes the company reviewed to ensure alignment with TCF;
- how the roles and responsibilities of staff members have been changed in view of TCF; and
- if the company’s mandates and employment contracts have been updated accordingly.

Other aspects that would need to be considered include:

- How the company verifies employee honesty and integrity
- If staff are trained on matters relating to the disclosure of financial, sensitive or confidential information and the risks thereof
- Whether or not customers understand conflict of interest disclosures.

Overall, it is important to note that the impact of non-compliance with TCF, ethics and business integrity from an outcomes, risk and principle based perspective cannot be assessed in isolation.

Context should be established with regards to the nature, scale and complexity of the particular organisation’s business model, its chosen distribution channel, products and services offerings as well as customer base.

Book size, loss ratios, profitability as well as complaints and rejections statistics in themselves do not provide a full picture of the risk and compliance culture within an organisation. One complaint based on materiality, seriousness and the reputation risk it poses could necessitate a root cause analysis to be undertaken, resulting in a decision to implement certain mitigating controls and remedial actions.

Similarly, where potential customer detriment is identified through a single complaint, an organisation should consider the impact it could have on comparable customers who have not complained with the view to consider how best to address and rectify the issue where appropriate.

In light of the above, it is clear that the undertaking of a due diligence or compliance audit is no longer a case of asking a set of questions, verifying the answers thereto (by way of either sampling or a document collation), and determining the residual risk based on the adequacy and effectiveness of the business controls that are in place to mitigate the incidental risk.

An answer to a particular question from a functional point of view may potentially result in a multitude of other questions that need to be asked.

The lens, therefore, through which compliance officers look at a particular business and the functions it performs is now three-dimensional, as opposed to the (mostly) one-dimensional application of the compliance methodology previously used.

