Conduct by Responsible Entities
ASIC has released its report detailing findings from its surveillance of 28 responsible entities and their compliance with their legal obligations. Generally, ASIC has found the majority of responsible entities demonstrated a commitment to complying with their legal obligations. However, the findings have shown many of the entities fall short of ASIC’s expectations of their ‘what good looks like’ model for funds and management. One of the key themes was the lack of oversight by the board.
The key concerns are outlined below.
It is important for investors to be correctly compensated for losses resulting from poor conduct. While all responsible entities had PI insurance in place, two had less than the minimum required cover. Licensees are to assess adequacy based on likelihood of claims against the business. Financial resource calculations should consider the ability to pay on excess; entities should also consider the minimum requirements under the conditions of their AFS licence and minimum cover per RG 126.
Responsible entities should regularly review their breach reporting measures, ensuring they effectively identify, manage and, if necessary, report breaches.
It was found that 19 of the entities identified compliance breaches or control failure incidents. Largely, the responsible entities perform annual reviews of their documented measures for their breach reporting obligations to ensure they can identify and manage breaches effectively.
Only half of the 28 entities were seen to have established separate documented measures for monitoring their arrangements with an external custodian. Responsible entities should review their custody measures to ensure they are meeting the requirements of RG 133.
The ongoing review of documented measures for the custody of scheme assets by the board has also generally been lacking. ESV recommends that compliance personnel provide comment and feedback to the board at least annually.
Risk Management Systems
The top risk identified by responsible entities was operational risk, which was closely followed by market and regulatory risks. From this, most responsible entities had risk management systems in place, which had been reviewed within the 12 months prior to ASIC’s surveillance.
All responsible entities have at least one person who is responsible for the compliance function, with most employees who are responsible for compliance having a direct reporting line to the entity’s board.
Concerns are raised around entities in which the nominated compliance officer has other significant or conflicting duties. To ensure best practice for compliance plans, there is to be sufficient detail and definitions to show how those assigned to monitoring can meet specific obligations.
Responsible entities are required to meet legal requirements surrounding whistleblowing measures, supporting an open and transparent culture within the entity. ASIC’s surveillance has shown less than one third of the 28 entities have established and continued to maintain specific whistleblowing measures.
Each entity should continually review and, where needed, strengthen its existing cyber resilience measures. The responsible entities have recognised the growing threat of malicious cyber activity and have a range of measures to reduce any cyber risks. If using any external service providers to discharge some of the obligations of responsible entities, management agreements need to specifically address cyber risk measures the third parties have in place.
Should you have any questions in relation to correct conduct by responsible entities, please contact us or speak to your ESV engagement partner on 02 9283 1666.