Learning from claims related recent dispute trends
Recent complaint data shows the following trends in claim-related disputes.
Top issues for claims dispute
AFCA’s decision outcome for fraudulent claims
Insurance Contracts Act is the top compliance failure reason for claim-related disputes
Resolving claim disputes with Insurance Contracts Act
AFCA’s approach document “The AFCA Approach to section 54 of the Insurance Contracts Act” is a guideline for firms to understand how they can resolve claim-related disputes and support efficient IDR & EDR processes. Section 54 is a remedial provision and aims to strike a fair balance between the interest of an insurer and an insured with respect to a contractual term designed to protect the insurer from an increase in risk during the period of insurance cover.
When considering a complaint and the application of section 54, AFCA determines the complaint on the basis of what is fair in all the circumstances having regard to the relevant legal principles, the terms of the policy, good industry practice including relevant industry codes and prior AFCA or predecessor scheme decisions.
The approach below outlines how AFCA evaluates and applies section 54 of the Insurance Contracts Act 1984 to insurance complaints.
Learning from AFCA’s definition of complaint and resolution approach is a great way to learn and apply section 54.
When applying section 54 to complaints, AFCA will ask:
- What are the inherent limitations and restrictions within the claim?
- Is there an act or omission that occurred after the contract was entered into that the financial firm is relying upon?
- Could the act reasonably be regarded as being capable of causing or contributing to the loss?
- If yes, was the act either:
  - necessary to protect the safety of the person or preserve property, or
  - could not reasonably be avoided?
- If no, has the financial firm been prejudiced by the act, and what is the extent of the prejudice?
Some of the above questions help in determining the scope and in identifying the search criteria to find similar disputes from the past using AFCA Insights:
- Identify keywords
- Identify metadata like Issue, Category, Product, Specific issue, etc.
- Similar companies
- Decisions outcome
How is this applied in practice?
Above is a real case study (315503). As there was no evidence that the driver was not an acceptable risk or would not have been insured by the financial firm if nominated, there was no prejudice to the financial firm. FOS, the predecessor of AFCA, found in favour of the complainant.
Who can use AFCA Insights tool?
- Financial firms, consumers and consumer representatives who have an insurance complaint at AFCA involving technical policy exclusions.
- Lawyers and other professionals who are assisting the insurance claims process.
- Anyone who wants to understand how AFCA applies legal principles, industry codes and good industry practice when considering insurance complaints involving s54.
Here is a full list of AFCA complaint resolution approaches.
The Royal Commission’s final report recommended that insurance claims handling should not be excluded from the definition of ‘financial services’, reflecting issues arising from a number of case studies examined. In general insurance, as demonstrated by several case studies, poor conduct included:
- Failing to handle claims in a fair and transparent manner, failing to act in an efficient, professional and practical manner, and breaching the insurer’s duty of utmost good faith;
- Delays in claims that resulted in consumer detriment. The cause of the insurer’s poor conduct “was largely attributed to its internal systems and processes for handling claims and dispute arising from those claims”.
Further, the Commissioner highlighted several instances where insurers fell below community standards and expectations. These included:
- Implementing an inadequate system to train case managers and inadequate systems to oversee the actions of case managers; and
- A lack of robust systems to avoid potential conflicts of interest; and
- A failure to have adequate systems in place to ensure that its Internal Dispute Office conducted a robust analysis of declined claims, in a way that was independent of the claims team; and
- A failure to engage with external dispute resolution in a frank and cooperative way
Proposed regulatory change to support claims as a financial service
In implementing the Royal Commission’s Recommendation 4.8, Treasury proposes a two-pronged approach:
1. Remove Regulation 7.1.33; and
2. Use existing legislative powers to define the activity of handling or settling an insurance claim as a ‘financial service’ for the Corporations Act’s purposes.
The proposed regulatory change applies to insurers and third-party representatives of insurers that provide claims handling service.
The requirements could apply differently depending on the type of advice provided (general versus personal) and the insurance product. Examples of provisions that could apply include:
- general obligations on an AFS licensee that apply to the financial services that it provides;
- providing a Financial Services Guide;
- general advice warnings;
- conduct obligations (which apply to the provision of personal advice to retail clients);
- conflicted remuneration;
- providing a Statement of Advice when providing personal advice to retail clients; and
- training obligations.
Supervision in the claims decision-making process reduces unsubstantiated claim rejections and discrimination. To support a compliant claims process and fair customer outcomes, AI and big data analytics can provide appropriate oversight and transparency mechanisms. A systemic approach is required to establish compliance and conduct risk for adequate supervision.
As a first step, establish and document the system of internal controls and processes that requires supervision. The supervision process should include the complete customer engagement lifecycle depending on the compliance requirement and the role the entity plays in the value chain. This may consist of sales, support, claims, complaints.
One of the significant causes of claim-related disputes is information asymmetry and customers not meeting disclosure requirements which can be avoided in the policy sales by agents with improved supervision. Below are some of the critical steps in establishing a compliance and conduct risk management process.
- Identify Policies & Obligations: An effective internal controls system typically includes a centralized documented inventory of key processes and policies and of the controls. To support a risk-based supervision model, identify risk for each of the compliance and conduct requirements. Since Insurers will anticipate risks from customer’s day-to-day communication monitoring, consider the impact of the changes in risk dynamics.
- Control Automation: Review manual supervision process. Augment the manual process with AI-based automation. Improve operational model to support risk automation strategies.
- Reporting: Enable incident and breach management with continuous control monitoring to support the predictive decision-making process
- Remediation: Support an ongoing improvement process with risk mitigation strategies
RG 271 will replace RG 165 and takes effect for complaints received from 5 October 2021. It has several new requirements that are enforceable and other guidance to assist financial firms in complying with their legal obligations. Below are some of the highlights:
- The complaint’s definition should include complaints made on a social media channel or account owned or controlled by the financial firm that is the subject of the post, where the author is both identifiable and contactable.
- ASIC has reduced the times allowed for responding to complaints.
- When a financial firm rejects or partially rejects a complaint, the IDR response must set out the decision’s reasons.
- When a customer advocate reviews a complaint following an IDR response, the total time spent dealing with the complaint must not exceed the relevant maximum IDR timeframe. The total time includes both the IDR process and the customer advocate review.
- The guide also includes enforceable requirements around how systemic issues should be managed and clarifies that setting the accountabilities for complaints handling and managing systemic issues is a board responsibility.
The updated guide is intended not only to improve the quality of internal complaint resolution but will enable financial firms to deliver better outcomes for consumers and reduce the need to escalate complaints to AFCA.
IDR is the key to early resolution, which benefits consumers, financial firms, and the financial sector broadly. While most financial firms have developed an IDR process, more progress is needed in several key areas to create and maintain positive complaint management cultures that welcome complaints and focus on fair and timely consumer outcomes. It can start with a current state review of KPI, Process, People, Technology.
Designing or improving an IDR process is as simple as asking some simple questions and setting the goal.
- What data do we need to capture the complaint information and support an efficient, fair, and compliant process?
- How do we identify and record customer concerns and complaints?
- What should be our IDR response & how do we achieve an early resolution?
- How do we prevent escalation and support EDR?
- How do we achieve compliance and prevent systemic issues?
- What can we learn from complaints and enable a feedback loop with product design & distribution?
- What do we need to report to enable an efficient decision-making process and management accountability?
With clear goals, the right technology, and the right people on hand, the above questions can be answered pretty quickly.
Setting the IDR foundation
To develop and maintain a positive complaint management culture, financial firms should have a robust IDR process, including all procedures, documents, policies, resources, governance, and arrangements to manage complaints.
Capturing the correct information is an essential first step in resolving the disputes promptly, responding to the customers with the required information, and also supporting the governance requirements.
ASIC has adopted the AS/NZS 10002:2014 definition of ‘complaint’ as: “[An expression] of dissatisfaction made to or about an organization, related to its products, services, staff or the handling of a complaint, where a response or resolution is explicitly or implicitly expected or legally required.”
So firms need to start with an organization-wide understanding of the definition of ‘complaint’ and the types of matters that must be dealt with in a firm’s IDR process. AS/NZS 10002:2014 is an excellent standard that can be referred to.
Additional metadata must be considered to align with AFCA’s resolution process and to support EDR.
Monitor social media & other customer communication channels
Communication monitoring should not be limited to the contact center and must include all customer communication channels, including social media, emails, and chatbots.
The new regulation requires social media monitoring where the social media channel or account owned or controlled by the financial firm is the subject of the post, where the author is both identifiable and contactable. Through monitoring, you can spot concerns and complaints and respond more efficiently, providing excellent customer care and compliance with RG 271.
Identify customer concerns & complaints early.
Firms need to identify customer concerns at an early stage instead of waiting for situations to be escalated and customers lodging complaints. Monitoring customer communication channels, including the contact center, to identify customer concerns early allows firms to resolve them proactively, before concerns become complaints or complaints are escalated to AFCA.
To identify customer concerns early, the most important question to ask is what keywords/phrases to look for. Some examples of customer concerns: “I’m switching to…” “I’m not happy with” “cancel the account,” “close account,” “cancel service,” “stop service,” “incorrect fees,” “bad service.”
Creating an inventory of such “topics of interest” with metrics can help in prioritization. These topics should also include any potential areas that relate to systemic issues.
As a customer-focused organization, listening should be one of the key brand values. But sometimes, in the hustle and bustle of calls, the listening aspect can be overlooked.
Speech analytics can help identify the root cause of customer dissatisfaction and help you understand whether your call agents are focusing on listening. Also, it can help in determining how your agents are handling your customers and their issues. By identifying the reasons for customer dissatisfaction early, you can address the potential problems and encourage your customers to stay loyal.
First-call resolution (FCR) is an important contact center metric and an element of customer relationship management (CRM). The term is self-explanatory: a contact center’s ability to resolve customer concerns, questions, or needs the first time they call, with no follow-up required.
It may sound like a lot considering the volume of calls, but speech analytics can categorize the calls which require urgent attention. Categorization is the automatic tagging of certain language patterns, keywords, phrases, or other customer concern and complaint related characteristics. Categories allow you to find, count, and trend calls that contain these characteristics.
IDR response & resolution
The update to RG 165 was also encouraged by the findings from ASIC’s on-site surveillance of the IDR process observed at some of the large firms, which had initially commenced to monitor whether they were complying with their regulatory requirements. The monitoring encouraged more stringent procedures for IDR after ASIC monitors found significant “deficiencies” and “delays” in the banks’ disputes and complaints processes.
Supporting the swift decision-making process
Whether it is a complex claims related dispute or a simple incorrect fee charged, the IDR processes should work efficiently and be capable of responding to each complaint in a timely and flexible manner. Firms should actively encourage staff to resolve complaints, wherever possible, at the first point of contact, including meeting the maximum IDR timeframes.
First call resolution is the important metric of customer care. The last thing your customers want is to be passed from agent to supervisor, back to another agent in another team, and so on.
Handling a complex case
Building a knowledge center and empowering your agents to take on more responsibility for resolving issues will help. So will call center features such as chat – giving agents the ability to ask a subject matter expert for solutions whilst still on the phone to the customer.
Besides the internal knowledge base, there is so much that can be learned from AFCA’s historical complaints data. AFCA makes some of this information available through its determination search publicly.
Cognitive View has also developed an independent service called AFCA Insights “Analytics as a Service” that allows you to learn and gain a deeper understanding of historical financial disputes, AFCA’s decision-making approach, systemic issues, and actionable insights that you can learn from industry.
Responding to the customer
Both how and when the financial firm responds to complaints are enforceable as part of the updated guideline. The firm should acknowledge receipt of each complaint promptly, i.e. within 24 hours (or one business day) of receiving it, or as soon as practicable. The final outcome of the complaint at IDR should include a lot more detail, along with the options if the customer is willing to take this up further with AFCA.
The maximum timeframe to respond to standard complaints will be no later than 30 calendar days after receiving the complaint (a reduction from the existing 45 days). These changes are designed to improve customer outcomes by reducing complaint handling delays and providing fair, timely, and efficient resolution of customer complaints.
A successful complaint resolution with AFCA requires learning from the fundamental principles of AFCA’s complaint resolution approach and embedding them as part of your customer support, IDR, EDR, and compliance monitoring processes. It can start with a review process. This review should cover:
- Benchmarking the firm’s complaints processes from end-to-end, making sure that all aspects of performance are captured
- Reviewing the firm’s performance against industry best practice, ensuring specific, meaningful, and realistic comparisons and recommendations, enabling robust analysis and a clear path to change, if needed
- Looking at overall customer journey and processes, rather than organizational silos
- Thorough reporting on performance and compliance to help identify constraints and evaluate potential for improvement on an ongoing basis
- Each firm will have its view on what AFCA referral rate is satisfactory but the lower this is, the better.
RG 271 requires clear accountabilities for the complaint-handling function to be in place as well as in-depth, board-level visibility of complaints. Many organizations do not have a clear link between compliance and complaints. The systems should support risk-based control automation and remediation. Below are some of the considerations that the risk and compliance team needs to make.
Identify obligations and policies that can be monitored
To monitor the IDR & EDR control effectively for compliance & conduct risk, firms need to consider monitoring:
- Legal obligations
- Applicable industry code of conduct or guidance
- Contractual obligations & disclosure requirements
- Company policies including consumer fairness
Identify gaps that may result in systemic issues.
A systemic issue is one that has been raised in a complaint or several complaints or is otherwise identified by information obtained by, or provided to, AFCA that is likely to affect a class of persons beyond any person who lodged a complaint or raised a concern. Several complaints of the same type or a single complaint may raise a systemic issue, provided that the effect of the issue may clearly extend beyond a single Complainant.
- An inadequate disclosure document
- A documented procedure that does not comply with legal requirements, for example, permits privacy requirements to be breached
- A repeated complaint of a certain type highlights a procedural weakness that is liable to recur
- Receipt of several new complaints about the same issue
- Where the issue that affected the parties to the complaint could have affected others in a similar way
- Where the complainant claims the issue affected others in a similar way
Monitoring outsourced IDR processes.
Some financial firms outsource part, or all, of their IDR process. Outsourcing might be to external parties or to other entities within a related corporate group. According to the enforceable RG 271.48, a financial firm that outsources part, or all, of its IDR process remains responsible for ensuring that the service provider’s IDR processes comply with all the requirements in this regulatory guide.
Learning from customer complaints
Complaints can help firms support individual customers and provide insight into product and service improvements, and identify broader issues with compliance programs, internal controls, communications, and processes. Complaints can be turned into constructive opportunities in:
- Identifying vital areas for service improvement.
- Identifying needed improvement in policies and procedures.
- Improve customer communication.
- Improve product design and distribution gaps
- Meeting compliance: as part of the product design & distribution regulatory obligation (RG 274), Issuers and distributors must implement and maintain robust and effective product governance and monitoring arrangements to monitor managing risk complaints.
- Identifying systemic risk
Reporting and actionable insights should go beyond the IDR team and need to be customized to include some of the roles below:
- Product management & fund administrators
- Complaints handling teams
- Member-facing staff
- Service providers
- Risk and compliance
- CEO/senior management
Previously, claims handling and settling services for insurance products were excluded from the definition of a ‘financial service’. This exclusion was removed as part of the Government’s response to the final report of the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry.
From 1 January 2022, if you carry on a business in Australia of providing claims handling and settling services and you belong to certain prescribed categories, you must hold an AFS licence authorising you to provide such services (a ‘claims handling authorisation’) or be authorised by a person who holds claims handling authorisation (unless an exemption applies).
Who is this relevant to?
Some of these changes introduce multiple challenges in operational risk management. Customers’ expectations in terms of turnaround time and omni-channel access continue to increase. Further, the increasing compliance burden will continue to erode profitability. Claims processing involves several managerial, administrative and customer service functions that perform information-intensive manual tasks to protect the company against fraud or compliance errors.
Compliance is a necessity as new policies and regulations are constantly being introduced, making it difficult to keep up with changing regulations while executing efficient processes.
With the company’s standards of service and its commitment to customers at stake, the scope for errors is next to none and the price of accurate claims processing cannot be underestimated. There is a greater need to consider automation to combat these challenges.
Claims Process Automation
The insurance-claims journey—from prevention to loss notification, to assessment, to handling and settlement—has historically been opaque and confusing to customers. They have paid in advance for an abstract product, a policy to defend against risk, and at the “moment of truth” when they want to recoup a loss, they are faced with a complex, cumbersome, often very time consuming and iterative process.
Claims processing is highly data- and document-intensive. It requires collecting a vast amount of information from varying sources. A claim process that is manual and lengthy can create trouble for both customer service and operations.
RPA is a process automation technology that can help insurers easily gather data from various sources into centralized documents so that claims can be processed at a much faster pace. What’s required is process automation technology that enables companies to scale human decision-making and apply it to use cases that involve hundreds of thousands of complex documents consisting of long-form text, tables, images and more. Dealing with this unstructured data is where the real opportunity lies in terms of achieving true effectiveness of the process automation.
As part of the new regulatory requirements, a detailed review of the claims value chain should be conducted to identify who may be captured, for what activities, and how they will identify, communicate with and ultimately train and supervise those who are their representatives. This will mean that additional compliance requirements may apply to small businesses such as smash repairers and builders, who will be largely unprepared for higher levels of oversight.
Supervision & Communication Monitoring Automation
Below are some of the areas where supervision and communication monitoring can be used to support Insurance claims handling as a financial service.
Claimants experiencing vulnerability or financial hardship
Vulnerability may arise from a range of factors such as age, disability, mental health, physical health, family violence, language barriers, literacy, cultural background, Aboriginal or Torres Strait Islander status, remote location or financial distress. To address these gaps, companies need to establish policies and conduct guidelines to handle and settle claims efficiently, honestly and fairly, and also make it mandatory to use them as a foundation for control automation. Insurance industry codes provide useful indicators of what industry considers to be appropriate strategies for dealing with consumers experiencing vulnerability. These include:
- recognise a person’s vulnerability
- identify factors that contribute to vulnerability in your policyholders and how you will tailor the claims process for the needs of those consumers
- training your representatives on how to proactively identify if a person is experiencing vulnerability or financial hardship, and not rely on a person to self-identify this
- ensuring your representatives are trained on your policies and that you monitor compliance with those policies
Although training of staff is already part of many organizations’ processes, organizations find consistent gaps in adherence to these policies. Incentives and performance measurements for claims handling staff and management create conflicts of interest, so continuous review is required for the adequacy of these processes.
Industry codes typically set out obligations for subscribers about:
- completing stages of claims handling and settling within certain timeframes
- making relevant requests for information
- explaining the claims process to claimants, keeping them informed during claims assessment, outlining reasons for decisions and how to access dispute resolution, and
- identifying and responding to consumers who are experiencing vulnerability or financial hardship.
The relevant insurance codes of practice are:
- Life Insurance Code of Practice
- Insurance in Superannuation Voluntary Code of Practice
- General Insurance Code of Practice, and
- Insurance Brokers Code of Practice.
It is important to establish internal processes and guidance for staff and to monitor compliance with these processes based on the relevant industry’s code of practice. Monitoring code compliance will ensure claims are handled efficiently, honestly and fairly, in line with the service standards and timeframes.
As part of the AFS licensee requirements to satisfy this obligation, there is a need to handle and settle insurance claims:
- in a timely way
- in the least onerous and intrusive way possible
- fairly and transparently, and
- in a way that supports consumers, particularly ones who are experiencing vulnerability or financial hardship.
It is possible that many claims service suppliers and other agents acting on behalf of insurers may seek to become authorised representatives of insurers rather than going through the process of obtaining their own AFSL. Insurers will need to consider their obligations to train, monitor and supervise the conduct of such authorised representatives, and the significant additional compliance that may entail. Leveraging technology to automate the supervision process will help to:
- verify compliance and detect any non-compliance (e.g. which obligations have been breached, and monitor key indicators of quality and performance)
- investigate, assess and escalate reports of non-compliance
- deal with non-compliance (e.g. train the representative, change processes to ensure future compliance and monitor processes to ensure they are operating effectively), and
- remediate claimants who have been harmed by the non-compliance (e.g. refer the claimant to another representative), regardless of whether or not the claimant was aware of the non-compliance.
Below are some of the top disputes for claims lodged at AFCA (Australian Financial Complaints Authority). Denial of claim is one of the top dispute issues in the General insurance category.
Denial-of-claim disputes may arise for a variety of reasons. For example, a denial could be based on non-disclosure of a pre-existing condition or exclusion; driving under the influence; where loss or damage occurred as the result of a breach of the insurance policy or an excluded event (such as flood where flood is excluded); where the claim is alleged to be false or fraudulent; where the policy is claimed to be lapsed or cancelled; where you have been unable to prove that the loss has occurred or that the goods damaged or lost were yours.
Many firms have invested in CRM/Complaints management technologies and established dispute resolution processes. Identifying customer concerns & complaints early in the claim process provides insurers with an opportunity to resolve before it gets escalated to AFCA. Setting the right expectations with the customer and proactive communication also creates a good claims experience. Compliance needs to be considered as part of the claims process. Below are some of the top compliances mentioned in AFCA’s claim related disputes.
A decision-making process for complex claims and claim-related disputes that is supported by external data sources like AFCA Insights gives the claim assessor and IDR team an opportunity to make the right decisions and learn from others.
Risk-based supervision is largely outcomes and principles-based compared to a compliance-based approach. It seeks to assess, within a forward-looking perspective and making extensive use of judgment, the most important prudential and conduct risks posed by firms to supervisory objectives and the extent to which firms are able to manage and contain these.
Supervisors are mostly resource-constrained, requiring them to prioritize a variety of code compliance and conduct related activities rigorously. Risk-based supervision increases the effectiveness of compliance while increasing efficiency through improved resource allocation and processes. It assists in prioritization of resources to the areas of greatest conduct risk. Risks are not eliminated, but supervisors are able to address them in the most efficient and effective way of pursuing their objectives. This allows banks to address the risks in a systematic manner giving priority to what matters most.
Over the next few years, the adoption of automation and AI technologies will transform risk and compliance as firms increasingly interact with ever-smarter machines. These technologies, and that human-machine interaction, will bring numerous benefits in the form of higher productivity and reduced cost of compliance and risk, but they will also change the skills required of the risk and compliance workforce.
Non-financial risks like conduct are now a top issue because of the range of adverse events that have come to light and the huge cost to the industry from a variety of conduct and compliance events with sizable financial and reputational costs. Many are strengthening risk assessment and measurement of compliance and conduct risk, increasing accountability for conduct risks in the business lines, strengthening the first and second line of defence monitoring and testing, and embedding conduct risk into the business model, strategy analysis and HR processes.
Automation of the first and second lines of defence will change control monitoring, risk forecasting and breach reporting. Some of the capability areas where automation will bring immediate benefits are:
- Maintaining a breach register and comprehensive information necessary for an investigation
- Factors that determine the nature of the breach and whether it is reportable
- Understanding the frequency of similar previous breaches and evidence that remediation actions have been taken in the past
- The impact of the breach and predictive risk-based supervision
- Recognizing the customer and potential loss to them
- Breach report preparation
- Meeting the reporting timeframe
- Prevention of breach
Overall, this will support improved governance and a systematic and disciplined approach. It will provide for the adequacy and effectiveness of risk management and control processes, i.e. the ability to clearly articulate, measure and prevent.
The COVID-19 pandemic has forced organizations to operate with a physically dispersed workforce. Employees are involuntarily working from remote locations. Due to the changing dynamics and demographics of modern work, enterprises have evolved to manage labour and talent, increasingly favouring automation. This shift, also known as digital transformation, helps organizations digitize manual work processes, freeing up time for employees to focus on more high-value tasks. Over half of executives say automating knowledge work is among their top priorities over the next two years.
Since COVID-19, the adoption of digitization and automation technologies has accelerated.
The clear trend is that remote working is fast becoming the norm, not the exception, bolstered not only by the advent of new modern workplace technology and collaboration software but by a workforce increasingly made up of millennials and Gen Z’ers. They expect to work remotely and even go as far as to make career decisions based on this. Remote work statistics for 2019 by Global Workplace Analytics found that:
- Digital natives are changing the dynamics of the workforce.
- The nature of work is moving from large, structured projects to unstructured, collaborative work.
- Enterprise teams are adjusting the ways they manage work to support digitization and the modern workplace.
- New digital tools are dramatically changing how we collaborate.
According to a recent McKinsey survey, 85 per cent of respondents said their businesses have somewhat or greatly accelerated the implementation of technologies that digitally enable employee interaction and collaboration, such as videoconferencing and filesharing. Roughly half of those surveyed reported increasing digitization of customer channels, for example, via e-commerce, mobile apps, or chatbots. Some 35 percent have further digitized their supply chains, for example, by connecting their suppliers with digital platforms in supply chain management.
Compliance in a collaborative model
The interminable Work From Anywhere (WFA) trend has overall uncertain net effects on productivity, ethics, and compliance. This does not change the company’s obligations for regulatory compliance and oversight required to manage compliance risk.
At the beginning of the pandemic, many regulators, including ASIC, temporarily changed their regulatory work and priorities to allow regulated entities to focus on the impact of COVID-19 and on business continuity or supervision arrangements that may affect their ability to meet their regulatory obligations. This is to allow firms more time to:
- back-test tactical solutions and changes that were risk-accepted under pressure during the pandemic, to ensure they are robust and avoid any inadvertent exposure to undue risk of misconduct or breach of law
- assess the ‘new normal’ – the enduring impacts of the pandemic – on flexible working practices and implications for the control environment
- review risk appetites and risk limits, including for offshored and outsourced functions, and adjust them where appropriate
- use stress testing and scenario analysis as effective risk management tools
- update BCPs to incorporate key changes, including the possibility of longer periods of remote working
- reflect on technological challenges encountered during COVID-19. Strengthen technological resilience and plan for any changes or improvements to existing systems and infrastructure
- assess the adequacy of measures that were implemented to address cybersecurity risk during COVID-19 and prepare for the risk of more attacks.
Operational risk & supervision challenges
With an explosion of new working tools and channels, there has never been a greater need to understand digital communications and their risks. But the volume of data that needs to be monitored has gone up massively. In any rapidly evolving environment, it is important that firms continually review their risk appetite and risk frameworks to ensure they address new risks and work arrangements. Experience from the pandemic suggests this should include controls to address outsourcing, information and data security, supervision, and conflicts of interest when working remotely.
Where staff are working remotely, there should be protocols in place to ensure a firm’s compliance with its mandatory recording obligations under the market integrity rules. Staff should be advised only to make calls using a software-based phone system that enables recording or to take instructions and orders by email and chat message, providing a clear audit trail. Only authorised communication channels should be used and this should be monitored. In the rare instance where this isn’t possible, the participant must ensure there is some form of written record. For risk mitigation, this should be followed by electronic confirmation by the client as soon as possible.
Where policies need to change to reflect the current conditions, they should be robustly reviewed and approved by compliance and other control functions to ensure they do not introduce any undue compliance, conduct or operational risk. For example, market intermediaries should carefully consider if it’s appropriate to have staff dealing with confidential client information while working from home. If they do work from home, they should be set up so they can’t be overheard, others can’t see their screens at home and phone calls are recorded (or there are other equivalent record-keeping arrangements). They should be required to lock their screen or log off when they leave their computer. Market intermediaries should consider what additional monitoring of staff practices and behaviour is necessary when working from home (e.g. whether more or fewer calls are being made from work/recorded lines and whether login patterns change unexpectedly).
Privacy act & protecting personal information
Organizations are therefore having to revisit their security posture to provide a safe remote-working experience that prevents data breaches. Not only should they address vulnerabilities to their own networks and the physical storage of data, but they will also have to face the fact that remote workers will inevitably have to move data between the corporate network, the cloud and the personal laptop. To protect personal data in transit from one location to another, regulations like GDPR suggest encryption to protect privacy and security and prevent leakage.
The regulators have warned that dramatic news coverage of viral outbreaks and pandemics can be an opportunity for scammers to pump inaccurate information into the marketplace to try to manipulate markets and investors. The coronavirus is no exception. Job loss, financial strain, and social distancing are conditions that present fraudsters with an opportunity to pounce.
For example, ASIC has warned people to watch out for scammers who try to take advantage of coronavirus (COVID-19). Scams can take many forms, for example, phishing attempts. In the comfort of their own home, do your employees know what to do to protect themselves from such scams amidst the fear and chaos?
As and when we gradually emerge from the global pandemic, working from anywhere is predicted to become a core part of the new normal, and the processes laid down today will remain relevant for years to come. Organizations need to automate the risk and compliance process to alleviate the compliance and conduct risk failure challenges, reduce the cost burden and improve customer experience. Even if the majority of the workforce does indeed choose to return to the office, this investment in a new collaborative work environment will ensure that the organization can be confident that it’s prepared, should any similar event happen in future, and that it can offer more flexible working practices should its employees demand them.