In the second part of a regular series, compliance consultancy Deloitte & Touche explains the burden of proof under FSA rules
In establishing the framework for compliance under the Financial Services Authority (FSA) regime, the regulator established a high level and generic approach that could be applied to all regulated firms regardless of their underlying business. These revolved around three fundamental concepts, not dissimilar to those operated by the General Insurance Services Council (GISC):
Equally important is that the principles, rules and guidance contained within the high level standards section of the handbook are applied consistently to each and every regulated firm. The only variable firms may use in the subjective application of these high level rules to their own business is the size, complexity and nature of the business undertaken.
But even behind this ability for firms to apply their own subjective interpretation of rules is the essential requirement for a firm to be physically capable of demonstrating compliance if called upon to do so.
The golden rule for a firm's compliance culture is therefore: "if you can't prove it, then you didn't do it."
Let's consider, for example, Principle 3, which requires a firm to "take reasonable care to organise and control its affairs responsibly and effectively with adequate risk management systems". This in turn links into a rule that "a firm must take reasonable care to establish and maintain such systems and controls as are appropriate to its business".
These rules do not prescribe a specific system or the underlying controls that either an insurer or an insurance intermediary may seek to apply in placing or accepting an insurance risk on behalf of a client or insurer. They merely indicate that such systems and controls must be "appropriate", given the size of business and its method of operations. The onus is clearly on the firm to formulate its systems and controls structure, and be able to demonstrate what these systems and controls are.
Clearly, once a firm can demonstrate what its systems and controls are, it is then essential that it can show the system is actually being applied and followed. So, will your systems and controls meet the expectations of the regulator? Put yourself to the test:
For some firms, all this record-keeping might appear to be a heavy regulatory burden, which if ignored might even go away given their likely regulatory risk rating.
For insurance intermediaries, who will have to demonstrate compliance before being authorised to sell general insurance products in future, such a 'head in the sand' approach is likely to generate real compliance issues and authorisation problems, which could, at worst, actually put them out of business.
Although such documentation may seem onerous, it doesn't have to be. The secret is to make these compliance requirements work for you. If you list and regularly review your business risks, you focus in on what's important to your business, and regulatory requirements become an integral part of the successful management of the business.