Webinar – Two New Codes for Banking and Lending

Consumer, Financial Services

In our recent webinar focusing on the finance industry, regulatory specialist Dr Drew Donnelly considers two new codes for banking and lending. This year has seen the finalisation of two distinct codes covering lending and banking businesses in Australia: the Banking Code of Conduct 2019 (Banking Code) and the Code of Lending Practice: AFIA Online Small Business Lenders (Lending Code).

This webinar forms part of our series looking at the role of fintech, financial services, and the regulatory and compliance environments that surround them. If you would like to know more about our work supporting companies in the fintech and financial services sector, please contact us by clicking here.

Below you can view a full transcription of the webinar along with the video.

Recent Developments in Banking & Fintech

  • Open Banking Reforms / Consumer Data Right
  • Fintech Lending Code
  • Banking Code
  • Extension of Fintech Sandbox
  • Royal Commission Interim Report

Independent Review:

Code of Banking Practice

The Code of Banking Practice (the Code) sets standards of good banking practice.
The original Code took effect on 1 November 1996. It was most recently reviewed in 2008, with amendments taking effect on 1 February 2014.
The review takes into account both consultation and other reviews and reports.

Identified that:

  • A code is valuable
  • Lack of coverage for small businesses, which need better information and enhanced protections with respect to credit
  • There is a need for better coverage for customers in financial difficulty
  • Improved Code Monitoring required.

New Banking Code of Conduct

  • The existing Banking Code of Conduct (2013 Code) updated for 2019 in line with outcomes of Independent Review.
  • Feedback from public and industry indicated the continued need for a code which exists over and above legal and regulatory obligations.
  • In contrast with the 2013 Code, it will be compulsory for all banks that are members of the ABA by July 2019

Key Changes – Part One

> Upfront principles governing the banking industry.
> A requirement for ‘plain English’ contracts.
> Increased transparency around fees and valuations.
> Restrictions on unsolicited credit card limit increase offers.
> Elevation into an ‘industry code’ approved by ASIC.

Key Changes – Part Two

> Increased assistance to vulnerable customers.
> Simplified small business loan contracts.
> New cooling off periods.
> Clarified role for compliance committee.
> All members of ABA to sign up by July 2019.

FinTech Lending Code

> Report recommending new code for Fintech small business lenders.
> New Code established. As of June, several have signed up.
> Voluntary for members of the Australian Finance Industry Association.
> From high-level principles to detailed duties.
> Emphasis on protection for vulnerable customers and clarity.

Specific Obligations

Disclosure and Pricing Comparison

> Full disclosure of cost and fees for disclosure and pricing comparison documents.

Communication and Dispute Resolution

> All communications to be in plain language.
> Before accepting a loan offer, customers will receive a summary document.
> Internal and external dispute resolution (including CCC)

Privacy

> Affirmation of obligations under the Privacy Act, Credit Reporting regulation and a requirement to have a Privacy Policy.

Advertising

> Advertising and other information about Loan Products must (a) be clear, concise and accurate; (b) be written in plain language; and (c) use terms from the Lending Code.

Key Differences between the two Codes

> The Banking Code applies to all banking services which includes bank accounts and term deposits, all lending, credit cards, payment services and foreign currency exchange. The Lending Code, by contrast, only applies to online lenders who loan to small business.

> The Banking Code is compulsory for members of the ABA, while the Lending Code is voluntary for members of the AFIA.

> The Lending Code provides for a full external dispute resolution service, whereas the Banking Code expects this to be carried out by existing dispute resolution bodies (such as the financial services ombudsman).

Implications for Compliance Programs

> Consider interaction with legal and regulatory obligations, including Corporations Act 2001, AML/CTF Act, Privacy Act, Banking Act.
> Review disclosure and contractual terms and conditions.
> Review advertising and marketing.
> Staff Training.
> Incentive Structures.

If you have any questions or want further information or assistance please contact us at [email protected] OR [email protected]

ACCC has instituted court proceedings against Click Energy


AU Energy Compliance, Consumer

The Australian Competition and Consumer Commission has instituted proceedings in the Federal Court of Australia against Click Energy alleging it made false and misleading marketing claims about discounts and savings that customers in Victoria and Queensland could obtain.


By Anne Wardell, Regulatory Specialist, Compliance Quarter.

The breaches are alleged to have occurred from around October 2017 to March 2018 and involve a representation by Click Energy that customers could obtain discounts of between 7 and 29 per cent off Click Energy’s bill if they paid their bills on time. The problem with the offer was that the discounts applied to market offer rates, which varied and were higher than the standing offer prices. Allegations were also made in relation to the savings that would be available if customers switched.

In announcing the action Mr Rod Sims, ACCC Chair said:

‘When compared with Click Energy’s standing offer rates, the discounts were much lower than advertised. In some cases, there was no discount at all.

The advertised savings were based on the amount a consumer could save with Click Energy by paying on time, and not on any estimate of savings a consumer switching from another retailer would obtain.

We believe that Click Energy’s conduct is among the worst practices we see in retail electricity marketing. We allege that consumers were misled about discounts and savings, with some consumers not getting any discount or savings at all.

The retail electricity market is too complex and opaque. Customers need to trust that discounts and savings advertised by retailers are accurate so they can make informed choices about which products are best for them’.

Further information is available on the ACCC Media releases page, ACCC takes action against Click Energy for misleading savings claims.

If you’d like to discuss any aspect of this article with our team, please click here to get in touch.

New benchmark for solar feed-in tariffs in NSW


AU Energy Compliance, Consumer

On 3 July, the Independent Pricing and Regulatory Tribunal (IPART) released its final report on the value of solar feed-in tariffs for 2018/2019[1]. We heralded the release of IPART’s final decision in an earlier article and encouraged our readers to make submissions on the issues paper.


By Alex Silcock, Senior Paralegal, Compliance Quarter

Rooftop solar has become increasingly popular, with customers either using electricity generated by their own panels or selling the electricity generated back to the grid. ‘Solar feed-in tariffs’ refer to the amount customers receive from retailers for electricity that they export back to the grid.

It is important to note that IPART does not set a uniform tariff that all retailers must adhere to. Rather, they set a voluntary ‘benchmark range’ which gives retailers guidance as to the feed-in tariffs that they should offer customers. For the 2017-2018 year, IPART’s benchmark range was 11.9 to 15.0 cents per kilowatt-hour, while the actual tariffs offered by retailers varied between 6 cents and 20 cents per kilowatt-hour.

The newly released report by the NSW regulator has reduced the benchmark range to 6.9 to 8.4 cents per kilowatt-hour. This is a significant reduction on last year, and a key consideration for the regulator was to ensure that feed-in tariffs for solar owners were not pushing up electricity prices for those customers without solar.

It must be emphasised that IPART also found that customers with rooftop solar pay an average of $450 less on their energy bill than those without. This figure was reached before feed-in tariffs were taken into account. Therefore, even with the reduced benchmark, solar customers are still reaping benefits.

From a regulatory perspective, it is interesting that, despite submissions to the contrary, IPART has continued to persist with the voluntary benchmark range rather than setting a minimum solar feed-in tariff as occurs in other jurisdictions. This is consistent with the state regulator’s monitoring role, which focuses more on investigation and no longer actually sets regulated prices. Furthermore, this should continue to allow retailers greater scope for market innovation around rooftop solar.

It will be interesting to see if there is a significant change to tariffs in response to IPART’s new benchmark.

If you have any questions about your rights as a consumer of rooftop solar, or your obligations as an electricity retailer, please contact us at Compliance Quarter.

 

[1] https://www.ipart.nsw.gov.au/files/sharedassets/website/shared-files/pricing-reviews-energy-services-publications-solar-feed-in-tariffs-201819/final-report-solar-feed-in-tariff-benchmarks-201819-june-2018.pdf

Should You Outsource Compliance?


AU Energy Compliance, Consumer

In providing legal, regulatory and compliance services, we see a variety of approaches towards compliance and enable clients to outsource compliance to varying degrees. This article is not intended to argue the overall culture a business should create around compliance (we did that in a fantastic recent article – click here) but investigate some of the options for how a company can resource and manage compliance.


By Stephen Findley, Relationship Manager, Compliance Quarter

Broadly speaking, a company can operate its compliance management in three ways:

  • Fully in-house – Source, hire and build a team dedicated to compliance
  • Fully outsourced – utilise an individual, team or company of outsourced professionals
  • Blended solution – combine in-house and outsourced

And the choices here can often come down to the preferences and experiences of the individuals involved, in addition to the position of the company in question.

Outsource Compliance – The Startup

The start-up company might be more likely to consider an outsourced or a blended solution to bring in expertise on an ad-hoc or part-time basis to match cash flow considerations. We’ve worked with a number of startup electricity retailers where they’ll combine our services with a board member, usually a general manager or an operations director, to blend the compliance workload – and we have developed software tools to help make this a seamless process.

Outsource Compliance – Growth and Expansion

As a company grows, it will usually hire more staff and acquire more customers. This generally leads to increased risk, and the compliance spend/function should grow accordingly. We’ve helped some of our clients to identify and hire compliance staff in addition to providing training and helping them to manage the transition to in-house. Some companies will grow to a size beyond our capacity, and it is in the interest of both parties to communicate this accordingly. A responsible outsourced compliance function should be upfront about this; the long-term negative effects far outweigh the short-term benefits of maintaining revenue.

Where geography allows we have also provided part-time in-house services to complement the work we do from an outsourced position and this sits well with certain clients looking for a regular personal relationship.

Compliance Technology & The Blended Solution

Technology is also lending a hand rapidly. With the developments in software, companies no longer need to rely on binders full of documents or Excel spreadsheets. Our work with financial services companies and energy retailers has been about using technology to increase the efficiency in compliance and the benefit for companies is that it will reduce the overall costs of compliance whilst also reducing the risk when managed correctly.

The blended solution doesn’t always refer to the staffing approach entirely. An employed compliance manager using dedicated compliance software could be considered a blended solution that reduces some of the risk by allowing the company to take advantage of software solutions that are tried and tested, plus come with support. Plus all of the documentation and management of compliance does not need to sit with one individual – good software can provide reports or update a board on the work being done in compliance and help make transitions smoother.

Our online solution to help companies – the Compliance HUB

At this stage, and indeed at any time, compliance could be kept outsourced. Companies might prefer an outsourced function that relies on the expertise of a team as opposed to relying on one or two individuals. In some instances, the driver could be the cost and risk associated with hiring full-time employees – with the outsourced option the company does not have to worry about holidays, sick pay and the associated costs, or about having mechanisms in place to provide cover during these periods.

If your GM has a strong compliance background and your company is small, then they may be able to effectively manage compliance with the support of some good software or regular access to regulatory experts. However, this might not be adequate and taking the time to assess your compliance requirements regularly is at the heart of taking a flexible and pragmatic approach.

Conclusion

With much of the world considering or using outsourced services, it is crucial to select the right vendor to provide support – the reputational risk and fines will likely far exceed the cost if something is not done correctly. Compliance culture is something that has been covered through the Royal Commission, the Facebook/Cambridge Analytica data scandal and a host of other more localised stories.

Some of the best software as a service (SaaS) solutions come from times when a problem is set out, addressed and a fix is attempted. Context matters here and a compliance software solution should include the expertise of those with relevant experience.

There really is no right or wrong solution and it’s often the companies that do not apply due care and attention to this important aspect of their business that run into trouble. If you want to discuss the management of compliance within your business, click here to book a call with us or email the team by clicking here.

The Importance of Culture, Not Spend in Compliance


Consumer, Financial Services

‘Actions speak louder than words’ – it’s an idiom that’s as old as time itself yet has never been as relevant to the world of compliance management as it stands today. This is a look at the importance of culture, not spend in compliance.

Culture in Compliance

By Sarah Le Breton, Compliance Quarter.

As a former regulator and law enforcer, I have had firsthand experience in working with regulated entities when it comes to their compliance frameworks, particularly when there are shortcomings that need to be examined and addressed. In most instances when you issue notices to produce, you will invariably find an impressive set of formal documents that set out the way that the company is managing its compliance with the relevant statutory obligations – some clearly have better advisors than others, but on the whole the framework will be there and the key obligations will be addressed; they have ticked that box. Or have they?

Why is it then that some entities manage to come to the attention of regulators more often, or are considered higher-risk regulated entities, than others? In short, it’s because compliance is not about merely ticking a box; it is not simply about saying we have those documents in place and we have hired someone to sit in that chair and be adorned with the title of ‘Head of Compliance’. It is true that checklists, policies, audits, staff training and systems that consolidate them into a framework are important, but so is a compliance mentality within an organisation. In short, culture matters – culture is what drives conduct within an organisation; it is the subtle cue from one staff member to another that says ‘that’s ok here’. The way your people interpret and apply your compliance framework is your greatest business risk. As the saying goes, ‘integrity is doing the right thing, even when no one is watching’.

Culture in Compliance – Let’s change the ‘compliance paradigm’

It’s time that the mentality towards compliance was altered in business — compliance shouldn’t be considered merely a cost centre within a business (often openly mocked as such), and directors and boards should see compliance as an opportunity to add value to the business rather than merely ‘red tape spend’. A reputable compliance history should be something that a company is proud of; it should be something that investors and customers take note of and that gives staff confidence that they are working inside an organisation that operates ethically and responsibly. I know myself that I have asked that question when it has come to considering compliance roles within organisations – could I trust these people (the business) to do the ‘right thing’ if I accept responsibility for their program?

So how can we get to this new paradigm for compliance within organisations? It starts with individuals – each and every one of us within an organisation – be that the chairman of the board, the head of compliance, the manager of operations right through to the back office. In short, it starts with culture and our ability to identify and actively manage what is known in the world of risk management as ‘conduct risk’.

Why should we care about ‘conduct risk’ as directors, managers or compliance people in an organisation? It’s because without the actions of individuals we do not see compliance failures – what drives those failures by individuals comes back to the culture in which they were operating (could they get away with that, would anyone notice, would anyone care?). It also comes back down to the business model they were operating within, which is often a stark reflection of the culture within an organisation and its appetite for conduct risk.

Quite simply, if you’re choosing a business model that places profit as the principal measure of success and is rewarding staff off the back of meeting those monetary targets, you will invariably encounter compliance failures eventually. It is the key question that I ask myself when I look at new business or industry to work with – how does this business make money? A failed, outdated or ill-considered business model will never bring any good – no matter how many lawyers, risk managers, compliance staff or resources you throw at it.

Culture in Compliance – So how does a business manage ‘conduct risk’?

It isn’t easy – there isn’t one tangible tool you can simply throw at it to create culture in compliance. The approach an organisation adopts also needs to be multi-disciplinary – it needs to consider things like: how do you manage whistle blowers (do you have a program, is there a policy?); how do you remunerate your staff (is it purely based on KPIs that focus on monetary outcomes, does it incorporate other matters like staff behaviours and broader contributions); does the organisation have any systemic issues that keep arising – be that with civil disputes (bullying complaints, harassment, discrimination, dissatisfied clients etc) and how does the business resolve those – deeds of release?; how does the business define and manage conflicts of interest?

ASIC and APRA have undertaken significant amounts of work into this area and have been quite vocal in their view of the threat that conduct risk plays to business. In July 2017, Commissioner John Price announced that ASIC would also be incorporating consideration of a regulated firm’s culture into their risk-based surveillance reviews over the next four years as part of their corporate plan.[1] It is time that business cared about culture and conduct risk as part of their overall risk management framework.

If you operate in a regulated industry (particularly, energy, financial services or credit) and would like additional support around managing conduct risk in your operations please get in touch with Compliance Quarter and one of our regulatory specialists would be pleased to assist you.

 

[1] See ‘Outline of ASIC’s approach to corporate culture’, 19 July 2017 per Commissioner Price available at: http://download.asic.gov.au/media/4393665/john-price-speech-aicd-regulator-insights-on-risk-culture-published-20-july-2017.pdf

The advantages of automating compliance workflows


Consumer

It’s no secret that automation is changing the way that business is practised – you just have to look at platforms like MailChimp and SalesForce to see the impact that automation has had on the world of customer relationship management. The benefits that automation can bring to a business are becoming increasingly clear across a number of areas of business management – knowing what tasks your staff are most commonly performing, along with the steps within those tasks and then being able to identify if there is scope for automation is the new norm.


By Sarah Le Breton, Compliance Quarter.

Why then should the world of compliance be any different? As we have previously discussed, the way that your compliance controls are applied by your staff in their day-to-day work practices is where your greatest source of compliance risk resides. How then can we better utilise technology to manage that risk? The answer lies in compliance workflow design and the automation of compliance workflows. We will now take a closer look at what we mean by ‘compliance workflow design’ and how Compliance Quarter is able to assist businesses in bonding technology to work practices to better manage compliance risks within a business.

What are workflows?

What is a workflow you might ask – good question. A workflow is effectively a system or business process that is deployed within an organisation to effect a task or project. It looks at the task or project as a whole and then breaks it down into each component whilst mapping the steps and known variables which can impact on the completion of that task or project. A good way to think of it is as a mind map where each key step is identified and described.


By creating workflows within a business, you are not only positioning yourself to better manage risk, but you are creating a valuable source of corporate knowledge and intellectual property that will enhance the value of your business. In some ways, you should consider workflows the ultimate succession plan within a business no matter the complexity of the task at hand – gone are the days of being reliant on one staff member to be able to undertake a particular form of work, you can utilise workflows to democratise corporate knowledge within your business.

The efficiencies that workflows can bring to an organisation are self-evident – gone are the days of Joe from sales asking Susan from accounts about what must be done within a common work task. The task has been identified by the business as a routine one, and the steps that the company requires to be done to effect that task have been considered and mapped. If the business is serious about unleashing the efficiency that workflows provide, it will have taken the next step and utilised a technology solution to act as a repository of those mapped steps and will have automated them.

Why use workflows in compliance?

In short, the development of compliance workflows by an organisation offers the business greater certainty as to how risk is being managed in practice and provides a quality assurance function. The business can have confidence that compliance and risk controls are being considered in the tasks or projects where identified risks are most likely to transpire – for example, product development within an organisation. The key steps in the creation of a product (be it physical or services based) can be broken down into component pieces, and the key points where particular legal or regulatory compliance issues need to be considered and/or approved within a business can then be identified and built in as a step that must be adhered to by team members within that process. The creation of workflows acts as a further line of defence for the business and largely removes the exercise of discretion by individuals as to how the compliance controls apply to a task or project.

A business can also harness the value of workflows when it comes to its own compliance team, ensuring that the processes they employ are standardised in so far as possible and that they troubleshoot the key issues that need to be considered when providing compliance assistance to the business.

The further benefit of automated workflows in the compliance space is the ability of a business to be able to audit and pinpoint with precision where the failure took place. It gives the business the ability to monitor such failures but also to learn from them by knowing exactly what went wrong and then being able to apply a ‘lessons learned’ approach to gain insight as to how the business must evolve to ensure that such failure does not happen again or by minimising the likelihood of that failure happening again.

How can Compliance Quarter assist with workflows?

The Compliance Hub platform, offered to customers of Compliance Quarter, contains a feature to facilitate the creation of automated compliance workflows. By using the Compliance Hub, a business can build in approval and risk management steps themselves as a means of ensuring work practices align with the compliance controls of the organisation. The workflow feature of the Compliance Hub also adds a further means by which the business can demonstrate compliance and can create a footprint that can be audited as part of its ongoing compliance program.

Our team can also assist in facilitating the design of compliance workflows for your organisation using the Compliance HUB, please get in touch and we can arrange a consultation with one of our Regulatory Specialists.

 

Electricity charges in lease agreements: competing interpretations


Consumer, NZ Energy Compliance

A recent judgment handed down by the High Court of New Zealand highlights the need for exercising extreme care when drafting and reviewing lease agreements. Volumex Nominees Limited v The Attorney-General [2018] NZHC 647 concerned an agreement between landlord and tenant in a seven-storey building in New Plymouth. The dispute was about the amount of electricity charges to be paid by the tenant. We take a look at electricity charges in lease agreements.


By Alex Silcock, Compliance Quarter

Electricity charges in lease agreements – Background:

The case was brought before the court in an application for summary dismissal. Associate Judge Johnston, at the beginning of his reasons, noted that ‘at the heart of this case is a humble comma’. The particular clause that provided for the payment of electricity charges was not in dispute. Rather, each party sought to rely on a competing interpretation of the relevant clause.

The landlord and the tenant agreed that the latter would pay “… all charges payable in respect of the Premises for telephone, gas, electricity, and any other Tenant consumables … supplied to and actually consumed on the Premises”.

The landlord submitted that this clause provided that the tenant was to pay for all electricity charges ‘in respect of the Premises’, while the tenant contended that payment was only required for charges that were both ‘in respect of the Premises’ and ‘supplied to and actually consumed on the Premises’.

This distinction was material, as the tenant’s bill included charges for consumption by the building’s heating, ventilation and air-conditioning plant (HVAC plant). The primary HVAC plant is on the roof of the building and therefore excluded from the ‘Premises’ as defined in the lease.

Electricity charges in lease agreements – Competing interpretations:

Landlord’s interpretation: There are two distinct parts to the above clause, separated by an Oxford comma. In the first part, the tenant is required to pay for telephone, gas and electricity in respect of the premises (including the costs of running the HVAC plant on the roof). The second part begins after the comma following ‘electricity’. This part relates only to ‘other Tenant consumables’, not telephone, gas and electricity. Therefore, the landlord contends that the tenant agreed to be charged for ‘other Tenant consumables … actually consumed on the Premises’, but for all electricity charges, in respect of the premises, whether consumed on the premises or not.

Tenant’s interpretation: The entirety of the clause must be read as a whole, and when read as a whole, there is a clear and unambiguous construction of the clause. There is no distinction made between electricity, telephone and gas on one hand, and ‘other Tenant consumables’ on the other. Therefore, for the tenant to be responsible for any of the above charges, they must be both ‘in respect of the Premises’ and ‘supplied to and actually consumed on the premises’.

Electricity charges in lease agreements – Conclusion:

The court preferred the construction as argued by the tenant and found that the plaintiff had not discharged the onus of establishing that the defendant had no defence. Therefore, the application for summary judgment was dismissed and it is likely that the matter will go to trial.

This matter should be a lesson to lawyers, landlords and tenants alike, to ensure that lease agreements are drafted clearly and accurately reflect the intention of the parties. If you are involved in an energy dispute or would like your contracts reviewed, please contact one of the experienced lawyers at Compliance Quarter or Law Quarter.

Six Questions Every Director Should Be Asking About Compliance

AU Energy Compliance, Building and Construction, Consumer, Financial Services, NZ Energy Compliance

The obligation to ensure adherence to general and specific laws applying to your company’s operations is at the heart of your responsibilities as a company director – both under the Corporations Act 2001 (Cth) and at common law. The most recent set of hearings before the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (Royal Commission) are a sage reminder of the need for organisations (of all sizes) to reflect on how they are managing issues of governance and compliance within their business. You can follow some of our previous coverage of the Royal Commission here (https://www.compliancequarter.com.au/three-financial-services-compliance-lessons-from-the-royal-commission/#_ftn1).

By Sarah Le Breton, Compliance Quarter.

The consequences of failing to meet your obligations as a director can potentially expose the organisation to actions by shareholders, along with civil penalty enforcement action by the Australian Securities and Investments Commission (ASIC). The enforcement outcomes which can be sought by ASIC do not end with civil action but can also extend to criminal prosecution (depending on the facts) along with administrative disqualifications orders. Directors should also remember that their obligations are personal ones, which in some circumstances may also give rise to personal liability for debts and other losses incurred by the company.

Let’s now consider what it is that you should be asking, as a director, about compliance within your organisation in the wake of recent events.

1. How do we manage our compliance obligations?

It may seem like a baseline question to ask, but it remains an important one for a director to ask no matter the size of the organisation, and you shouldn’t feel uncomfortable asking it. Your obligations as a director are personal and do encompass your understanding of how the organisation is managing legal and regulatory risk (inter alia) as part of the overall management of its operations. As such, it is important that you are familiar with the location and contents of the organisation’s compliance framework, along with the policies and other controls that form part of that program — as an absolute minimum.

2. How are we embedding our compliance framework into everyday decision making?

It’s all well and good to have an elaborate set of compliance documentation and be able to point to that as your compliance framework, but if members of your organisation are not adhering to those mechanisms, or do not understand how they apply to the work they are doing each day, then how effective is that compliance system in practice? As a director, you should be asking whether we (as an organisation) need to better incorporate those controls into our work practices – of course, how you do so is a matter that should be approached based on the size and nature of your organisation.

3. How do we ensure that our compliance framework is current?

Compliance is not a set-and-forget suite of documentation that you put in place and archive. How is your organisation managing its compliance obligations on an ongoing basis? Who within your organisation is monitoring changes in the law, or keeping abreast of guidance issued by your relevant regulators, so that your organisation remains on top of its obligations? The directors of all companies should consider compliance as an evolving process and should ensure that the organisation has in place a mechanism that enables the compliance framework and controls to be updated as changes take place.

4. How are we testing adherence to our compliance obligations?

It is critical to have a compliance framework in place but if adherence to that framework is not being tested on a regular basis through monitoring and audits, how can you have confidence that the organisation is meeting its obligations? The process of periodic monitoring and auditing is just as key to managing compliance successfully as having a framework to start with. The governance around how that process takes place is also worth focusing on – are those charged with responsibility for monitoring and auditing sufficiently independent from the work processes to ensure that audits are transparent and robust?

5. What is our breach reporting process?

If a breach does take place, how does your organisation manage that process – both in assessing the facts that give rise to the concern and in how the matter is then escalated within the organisation? A common complaint by regulators is that organisations can have cumbersome and slow assessment processes, which can result in breach reporting delays and an overly legalistic approach being applied to the process. Are your breach reporting systems operating so that you can meet any reporting deadlines prescribed by legislation? If not, how are you managing any delays in meeting those obligations when it comes to communication with the regulator, and is that considered satisfactory?

6. What kind of relationship do we have with our regulators?

As a director, you should be familiar with the regulatory history of the company of which you are a director. Is there a regulatory history? If so, what is that history, and how has the organisation managed the failings that gave rise to those concerns? What kind of relationship does the company now have with its regulators, and how can we best manage that so the company is seen to demonstrate a compliance mentality and to pose minimal regulatory risk? It is important that your regulators have confidence in your ability to meet your regulatory obligations and act with candour in dealing with them.

It may be considered by some as a soft compliance skill but the art of maintaining sound regulatory relations is important in managing the reputation of the company and should be considered a part of the overall compliance framework.

If you would like us to run a free webinar for Company Directors, please leave a comment below or contact the Compliance Quarter by clicking here.


GDPR Countdown 2: How to get consumer consent and when is it required?

Consumer

In today’s article, part 2 of our countdown to GDPR on May 25, we look at what the European Union General Data Protection Regulation (GDPR) says about consumer consent. For a discussion of when the GDPR can apply to Australian businesses see https://www.compliancequarter.com.au/understanding-gdpr-opportunities-risks/.

By Dr Drew Donnelly, Compliance Quarter.

1. Consent Defined

The definition of consent in article 4(11) of the GDPR provides that it be “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

Compared to the existing EU data protection rules, and the definition in the Australian Privacy Act 1988, there is a greater emphasis in the GDPR consent definition on positive action from the data subject.

2. Implementing Meaningful Consent

In implementing the new definition of consent, draft guidance from the UK Information Commissioner is useful.[1] This guidance provides that consent should be:

  • Unbundled. For example, a request for consent to send marketing emails should be separated from other terms and conditions. It should not be a pre-condition to a service;
  • Active opt-in. This means no pre-ticked opt-in boxes. An organisation could instead use unticked opt-in boxes or other active methods such as binary choice;
  • Organisations should give ‘granular’ options, allowing a data subject to consent separately to different types of processing (if there will be different types of processing) wherever appropriate;
  • The organisation should be named as well as any third parties who will be relying on the consent;
  • Organisations should keep records to demonstrate what the individual has consented to, including what they were told, and when and how they consented;
  • Easy to withdraw. Organisations should tell data subjects that they have the right to withdraw their consent at any time, and how to do it. It should be as easy to withdraw as it was to give consent.

3. When is consent required?

Consent is a very important, but not the only, lawful ground for processing personal data. Under article 6(1), other grounds include where that processing is necessary for:

  • Fulfilment of a contract with the individual;
  • Compliance with a legal obligation;
  • Vital interests. You can process personal data if it’s necessary to protect someone’s life;
  • An official public function. If you need to process personal data to carry out your official functions or a task in the public interest;
  • Legitimate interests. If you are a private-sector organisation, you can process personal data without consent if you have a genuine and legitimate reason (including commercial benefit), unless this is outweighed by harm to the individual’s rights and interests. Organisations should take special care before processing data on this ground. Recital 47 to the GDPR states “the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place”.

If you would like tailored advice as to how your organisation can update its compliance program to account for the new consent requirements, please get in contact with us.

[1] See https://ico.org.uk/media/about-the-ico/consultations/2013551/draft-gdpr-consent-guidance-for-consultation-201703.pdf.