Compliance is not a set-and-forget, once-a-year review. It's all about data.
I'm often asked 'what's best, technology or human resources to manage compliance?'
At the end of the day, it's probably the wrong question to be asking; however, at this point in time, the answer is a combination of both. Financial services laws and Industry Codes are technology neutral: the emphasis is on having adequate compliance measures to meet your obligations, and on monitoring, reviewing and reporting on those measures. The end game for compliance is to provide your financial services and products so that they will not cause harm or detriment; therefore the purpose of your compliance measures must be to protect (your business, people, customers, business partners and other stakeholders). The correct question is therefore whether your compliance measures serve to protect.
The importance of data
Irrespective of whether your compliance measures are technology-based, human-based or a combination of both, data is critical.
Your compliance measures should evolve as the business grows, respond to internal and external factors and produce data. It is this data that enables you to form a view on the adequacy of your compliance measures. Data should provide assurance and act as an indicator that something is not right and requires further investigation. Data should also enable you to identify breaches and meet your self-reporting obligations.
What data?
Incident data is the number one source of data - ASIC identified that the financial services sector continues to under-report incidents (Reportable Situations report issued 4 December 2024). Simply, an incident is 'an event that occurs where something has gone wrong.' Incidents include Operational risk (legal risk, regulatory risk, compliance risk, conduct risk, technology risk, data risk and change management risk), Strategic risk and Financial risk. Your people (including authorised representatives) should be trained and encouraged to identify and raise incidents. Incident management is a critical compliance practice.
Complaints - in Report 802 ASIC found that the general insurance industry was not adequately identifying complaints. Complaint data is the 'voice of the customer' and is an important source of data. Complaint management is a critical compliance practice and is regulated under RG 271.
Monitoring and supervision activity generates data - monitoring includes monthly attestations, peer file reviews and formal and 'hallway' meetings.
Due diligence and governance data - on new products or services, new authorised representatives, employees and service suppliers - ensures that your gateway filtering (what's coming into your compliance measures) is adequate.
Training (or the lack of it) produces data that goes to the question of the knowledge, skills and expertise of your people.
Control testing - a key control is only a key control if it has been tested. Testing covers both design and operational effectiveness. This testing produces rich data.
Meetings - risk and compliance meetings at the business and enterprise level, project meetings and updates, and meetings with business partners and service suppliers all generate data.
Analysed, actioned and reported
To be of benefit, the data, from many different sources, needs to be analysed, actioned and reported.
Analysed means looking for individual and grouped variations and for themes or issues that are emerging. This is both a vertical and a horizontal lens, adopting a 'so what?' approach. Analysis also requires the question to be asked, 'what is the data not telling me?', and must be contextualised in terms of compliance obligations.
Actioned means ensuring that your compliance measures continuously improve: as the data identifies gaps, action plans are put in place to close out those gaps. Actioned includes remediation and rectification.
Reported means reporting to management, boards or the SOOA, responsible managers, accountable persons, regulators and Code governance committees. Reporting to regulators and Code governance committees includes business reporting (such as IDR data) and breach reporting.
A system of compliance (operating rhythm)
In order to produce meaningful and reliable data you must have a system of compliance, or an operating rhythm. A systematic approach to managing (risk and) compliance combines governance, people, procedures and technology working together as cogs in a machine.
If you need assistance with setting up your compliance measures to produce data, contact me, Paul Muir, at Compliance Advocacy Solutions.
Disclaimer: Reproduction of statements made in this article by media outlets, whether in full or in part, is strictly prohibited without the written express consent of the author. The views, opinions, and positions expressed within this article are those solely of the author and Compliance Advocacy Solutions Pty Ltd and not the views of other individuals, companies or organisations they may be affiliated with. The author and Compliance Advocacy Solutions Pty Ltd make no representations as to accuracy, completeness, currency, suitability, or validity of any information in this article and will not be liable for any errors or omissions or any loss or damage arising from its use or reliance. This article is intended for educational and informational purposes only and should not be relied upon as professional legal advice.