The FMA today made a significant speech outlining its expectations for the way in which supervised entities will navigate their relationship with the FMA’s enforcement team. The speech, given by Karen Chang, Head of Enforcement and Acting General Counsel of the FMA, focuses on the ongoing relationship between entity and regulator and how the FMA views self-reporting, remediation and inadvertent misconduct. A copy of the speech is available here.
Who needs to read it? Why?
The speech is required reading for entities that are currently supervised by the FMA as well as banks, insurers and non-bank deposit takers who will join the FMA’s licensed population once the Conduct of Financial Institutions Bill is passed. It is important that they understand the FMA’s expectations of them and how to maintain a constructive relationship with the FMA both during general supervision and in an investigation or enforcement proceeding.
What does the speech cover?
The speech addressed several misconceptions which the FMA believes exist in the supervised community. It focussed on the following topics:
- When to enforce. The FMA does not take a “why not litigate” approach to breaches, but enforcement is more likely to be appropriate where there is customer harm or serious misconduct.
- Inadvertent conduct. Regulated entities are often surprised when the FMA commences enforcement action for inadvertent breaches that they have voluntarily disclosed. The FMA’s view is that inadvertent errors justify enforcement because they may demonstrate a wider problem such as undue deferral to the wishes of a marketing team or a lack of investment in systems or processes. Enforcement may therefore be used to incentivise entities to dedicate appropriate resources to meet commitments to customers even where conduct was not deliberate.
- Self-reporting. The FMA views self-reporting as a minimum expectation for supervised entities. Best practice requires proactive self-reporting to the Board and then to the FMA when an issue requiring remediation is found. Entities may not get as much credit for self-reporting when they disclose a breach as part of a thematic review or request for information initiated by the FMA. The FMA has warned that although it may be tempting to wait until a problem has been fully unravelled, it expects early engagement. Although prompt self-reporting and remediation will colour how the FMA views the conduct, it does not give immunity from litigation, especially if the harm is significant or the fault is systemic.
- Remediation. The FMA views putting the customer right as the bare minimum step. This must be prompt and effective. The FMA will take into account whether remediation is timely, well organised and communicated and whether it suffered from mistakes and delays. If an entity struggles to carry out remediation, this may raise concerns regarding the robustness of its systems and governance. Again, remediation does not remove the risk of enforcement action.
- Maturity. The FMA considers that regulated entities have had sufficient time to understand and meet relevant standards and observe the way that the FMA operates. It will be less patient with those that have been regulated since December 2016 than with recently regulated entities.
In the past few years, the FMA has increasingly brought enforcement proceedings in circumstances where previously it may have responded to unintended breaches with agreed settlements without penalties. The New Zealand financial sector has asked questions around whether the FMA’s approach to enforcement may now be closer to the “why not litigate” approach to enforcement that is evident in the approach taken by ASIC in Australia and by some other New Zealand regulators. The FMA assures us that this is not the case, although the speech makes it clear that the FMA will bring enforcement proceedings in a wider range of circumstances than the regulated community may have come to expect.
The speech clarifies the FMA’s expectations and enforcement intentions. We recommend that regulated entities take heed of the following key messages:
- The FMA will have limited tolerance even in the early days of a regime, as it assists market participants to understand and comply, and less tolerance once the regime has been in force for a few years. So be alert for the inflexion point when the FMA will become stronger on enforcement.
- Beware of over-deference to the wishes of your marketing department for sales pitches to customers that are not diligently backed up by strong processes. Promises must be kept, and representations must be substantiated at the time they are made. But it is not just sales pitches that create risks – well-intentioned aspirational statements, particularly in the ESG area, need to be supported by a robust programme.
- Record keeping is important – the FMA expects regulated entities to know what information is available and be able to access records when required.
- Think about whether you have an effective process to identify when issues need to be escalated to the board and possibly reported to the FMA. Pro-actively review systems for areas of weakness in terms of compliance and delivery. Ask your compliance officers to help identify where systems may not be working.
- The FMA expects high standards of performance from the systems and controls of the entities it supervises. It may see long-standing under-investment in digital systems or human capability as evidence of a corporate intent to prioritise growth or profit over complying with the law. The FMA views manual exception processes that rely upon human beings as destined to fail. Often issues arise not because systems are faulty but because people expect them to support functions or products for which they were not designed.
- The FMA expects high standards of performance from systems and controls but it recognises that no system is perfect and it will take into account where reasonable expenditure and expertise have been employed. Firms should keep a record of the resources expended and the efforts made to ensure that systems do not fail.
- A good relationship with the FMA’s supervision team does not mean that your systems are compliant. Every engagement with the FMA needs to be taken seriously. Be sure of your ground and do due diligence before answering any questions asked by the FMA because inadvertently incorrect answers or lightweight answers will not be well received.
- Self-reporting is, as always, a way to reduce the severity of any enforcement action but it must be proactive and prompt to be effective. Once errors are identified and initial investigations to check that there is a real problem have been conducted, the entity should make an initial report to the FMA rather than taking more time to investigate the error fully.
- Less credit will be given for self-reporting of breaches that arise from reviews that the FMA has instigated itself. Regulated entities should consider running their own reviews and checks from time to time to demonstrate a genuine willingness to find problems and solve them.
- Remediation can be difficult to get right, particularly when an error is long-standing and requires inspection of archived documents, changing terms and conditions and changing software systems. However, the FMA expects prompt and effective remediation. Resources need to be committed to achieve this. If remediation goes wrong, it is likely that the FMA will see this as adding insult to injury.
If you have any questions in relation to the speech, please contact one of our experts.