Key points
- The adequacy of compliance plans is of fundamental importance to the regulatory framework governing registered managed investment schemes.
- An ASIC review of the compliance plans developed for managed investment schemes has identified widespread poor practice.
- Responsible entities of managed investment schemes must ensure their compliance plans are adequate and must comply with the controls set out in them.
- ASIC has published long-standing guidance on how responsible entities should address their compliance plan obligations.
- Inadequate compliance plans can be indicative of governance failings and risk exposing retail investors to harm.
ASIC has reviewed a cross-section of compliance plans used by responsible entities of registered managed investment schemes (funds). Our review focused on the adequacy of the treatment of regulatory obligations in compliance plans.
The results of the review indicate that the quality of many compliance plans is poor, requiring significant improvements across the sector. To improve practices, we encourage all responsible entities to review our findings, below. Our suggestions should be considered in conjunction with long-standing ASIC guidance on how responsible entities should meet their compliance plan obligations: see Regulatory Guide 132 Funds management: Compliance and oversight (RG 132).
Why effective compliance and control is important
Compliance plans are a fundamental documented reference of the measures that will be applied to meet the obligations under the Corporations Act 2001 (Corporations Act). Responsible entities must develop and maintain a compliance plan for each of their registered funds that protects both internal and external interests.
Planning for effective compliance by responsible entities is a requirement to assist:
- fund investors
- your company
- your employees
- your auditors, and
- ASIC.
If a compliance plan is not adequate and implemented, fund investors are put at risk. To adequately protect fund investors under the Corporations Act, responsible entities must:
- identify all of their compliance obligations
- document the adequate control measures developed to address each obligation, and
- diligently implement and monitor the implementation of those controls.
ASIC’s review
Our focus
To test the adequacy of compliance plans, we limited our review to the treatment of three sets of regulatory obligations (introduced or enhanced in October 2021):
- Reportable situations reporting – see Regulatory Guide 78 Breach Reporting by AFS licensees and credit licensees (RG 78)
- Product design and distribution obligations (DDO) – see Regulatory Guide 274 Product design and distribution obligations (RG 274)
- Internal dispute resolution processes and reporting (IDR) – see Regulatory Guide 271 Internal dispute resolution (RG 271).
Methodology
ASIC reviewed the compliance plans of 50 responsible entities. Their selection was based on factors including the value of assets under management, how recently their compliance plans had been updated, and their record in reporting breaches and complaints.
These responsible entities represent 14.5% of all responsible entities. Combined, they operate 45% of all registered funds and hold 47% of the value of all registered fund sector assets of approximately $2 trillion.
Figure 1: Snapshot of ASIC’s review of managed fund compliance plans

The legislation permits the use of a ‘master compliance plan’ across multiple funds, provided the responsible entity operates all the funds. Where a responsible entity applied this method of meeting their obligation, ASIC reviewed its master compliance plan.
Using this approach means that the 50 compliance plans we reviewed apply to a total of 1,471 separate funds.
Findings
ASIC identified widespread poor practice in the preparation of the 50 compliance plans we reviewed. In summary:
- Most plans failed to adequately address the most important requirements across all three sets of obligations considered in our review – reportable situations, DDO and IDR.
- While practices varied across plans and across each plan’s treatment of the three sets of obligations, inadequate treatment of the obligations was widespread.
- Some plans completely failed to address one or more of the obligations.
- The treatment of responsible entities’ new DDO requirements was identified as the poorest of the three obligation sets, followed by the treatment of IDR requirements.
- Some responsible entities had wrongly relied on parts of the master compliance plan of a fund operated by a different responsible entity. Consequently, these funds had no substantive compliance plan.
Key questions for responsible entities
ASIC is calling on responsible entities to consider the following questions and findings from our review when developing, reviewing and modifying fund compliance plans.
1. Does your plan identify all the obligations in operating the fund or funds?

Poor practice:
Compliance plans that do not address all the responsible entity’s regulatory obligations.
For example, the review identified that most plans did not address the obligation to periodically report IDR data to ASIC, and approximately 40% of the plans did not deal with the DDO requirements at all.

Better practice:
Compliance plans that identify all their compliance obligations and methodically map their elements to an explanation of specific controls.
2. Does your plan identify the functions and the officers responsible for performing and for monitoring each control?

Poor practice:
Compliance plans that do not clearly identify as two separate functions or officers, the responsibility for setting compliance controls and the responsibility for monitoring compliance control performance.
For example, some of the plans reviewed identified the same officer or function for both roles, which is poor practice.

Better practice:
Compliance plans set out as a table with a separate heading for each set of obligations (e.g. for each set of the reportable situations, DDO and IDR obligations). For each obligation in the set of obligations in the table, columns describing:
- the compliance control(s) to be implemented
- the function or officer responsible for implementing the controls
- the method(s) for monitoring control of each obligation, and
- the function or officer responsible for monitoring performance of the control(s).
3. Does your plan specify how the performance of each control measure will be monitored?

Poor practice:
Compliance plans that identify an officer or function responsible for monitoring a control measure without explaining how the control’s effectiveness will be measured and monitored.

Better practice:
Compliance plans that include an objective methodology to ensure the effective performance of a control measure.
Monitoring outputs should be verifiable by the responsible entity, its auditor, or ASIC. Some ways to measure a compliance plan’s performance include sampling, activity report reviews, and exception report reviews.
4. Does your plan identify an adequate frequency for performing each control and for the monitoring of that performance?

Poor practice:
Compliance plans that do not specify the time or frequency within which a control is to be performed or do not do so with sufficient clarity.
For example, some plans state only that a control will be performed ‘periodically’ or ‘as required’. In other cases, timing stipulations do not reflect, or afford sufficient time to meet, statutory timeframes – including for submitting reportable situations or significant dealings reports under the DDO to ASIC.

Better practice:
Compliance plans that specify a time from a triggering event, or specific frequency (e.g. ‘weekly’), for the performance of a control that will ensure statutory timeframes can be met.
Where no statutory timeframe is specified, the control should be performed frequently enough to be effective, and the plan should indicate an appropriate frequency of that monitoring.
5. Does your plan provide for the flow of useful information about control performance to the board or a compliance committee?

Poor practice:
Compliance plans that do not provide for regular briefing of the responsible entity’s board or a compliance committee on the operation of controls, such as for reportable incidents, DDO and IDR controls, and/or do not specify the analysis or metrics to be contained in the reports.

Better practice:
Compliance plans that provide for regular reporting to a board or a compliance committee on the operation of compliance controls, specifying the metrics to be included and what analysis of the effectiveness of controls will be included.
For example, some plans provide for reporting that includes the root causes of problems, data trends, impacts on members, compensation paid, rectification and indicators of any systemic issues.
6. Does your plan require adequate record keeping?

Poor practice:
Compliance plans that do not provide for keeping records of the operation of compliance controls or of their monitoring.
Many of the plans reviewed did not specify the type of information to be recorded. For example, one plan we reviewed stated that records of complaints will only be retained where they relate to ‘significant’ issues.

Better practice:
Compliance plans that specify the types of information to be kept.
For example, one plan we reviewed requires recording, in relation to complaints, of:
- the substance of the complaint
- the officer responsible for resolving the complaint
- any impact on the fund or responsible entity
- any indication of a systemic error or weakness in a compliance control or plan, and
- the complaint’s resolution, including any rectification of a system error.
7. Does your plan contain sufficient detail?

Poor practice:
Compliance plans that lack detail.
For example, for some plans reviewed, treatment of their reportable situation, DDO and IDR obligations is limited to a brief statement that they will comply with one or more of these sets of obligations. More commonly, plans rely wholly or significantly on controls in a referenced internal compliance policy that is not set out or summarised in the plan. Some responsible entities’ treatment of their DDO obligations is limited to the statement that they ‘will have a target market determination’.

Better practice:
Compliance plans that reference a relevant internal policy but also set out the material parts of their policy’s controls against the key elements of the matching regulatory obligations.
For example, compliance plans that, to treat DDO obligations, in the context of product development, include procedures for:
- the assessment of fund features
- the determination of the attributes (objectives, financial situation and needs) of investors in its target market, and
- the determination of appropriate conditions or restrictions on the fund’s distribution should be noted.
8. Is your plan up to date?

Poor practice:
Compliance plans that do not reflect current regulatory obligations and provide for ongoing review of their adequacy.
For example, our review identified eight plans that had not been updated since the new reportable situations, DDO and IDR obligations were introduced in 2021. In other cases, plans had been updated more recently but still did not address the extensive changes in responsible entity regulatory obligations introduced since 2021, notably the DDO requirements. In this context, we observed that most plans provided only for a single annual review of their adequacy.

Better practice:
Compliance plans that remain up to date, not only through an annual assessment program but also by recognising this as an ongoing obligation through a control and by having measures in place for any additional out-of-cycle update requirements.
As regulatory changes and changes to a responsible entity’s business or to the funds they operate will occur between any annual dates for assessing plan adequacy, plans should provide for active review of their adequacy and out-of-cycle updates as required.
Considerations for compliance plan auditors
While compliance plan audits were not within the scope of this review, ASIC is concerned that none of the 23 auditors of the 50 compliance plans we reviewed issued qualified audit reports relating to the areas of concern, identified in our review, over the last three audit cycles. Auditors also failed to raise relevant concerns with ASIC during this period. All 23 auditors from our review belong to large, medium and small firms that are involved in compliance plan audits.
Auditors play a critical assurance role in the regulatory framework protecting fund investors, and auditor reporting obligations are a key aspect of their role.
ASIC relies on annual compliance plan audit reports, lodged with us by responsible entities, for regulatory purposes.
Auditors must notify us through the if they suspect a significant contravention of the Corporations Act, or a contravention that is not significant and the auditor believes will not be adequately dealt with by commenting in the audit report or bringing to the attention of the directors of the responsible entity. Guidance is available in Regulatory Guide 34 Auditor’s obligations: Reporting to ASIC (RG 34).
Where to from here?
Our review of compliance plans developed and maintained by responsible entities identified the need for improvement. We are considering a range of regulatory responses, including writing to responsible entities on our expectation for review and modification of their plans. ASIC is also investigating potential breaches of compliance plan obligations.
ASIC will continue to review compliance plans across the registered fund sector and will act where appropriate.
ASIC is Australia’s corporate, markets and financial services regulator.