In the second part of a regular series, compliance consultancy Deloitte & Touche explains the burden of proof under FSA rules

In establishing the framework for compliance under the Financial Services Authority (FSA) regime, the regulator established a high-level, generic approach that could be applied to all regulated firms regardless of their underlying business. This revolved around three fundamental concepts, not dissimilar to those operated by the General Insurance Services Council (GISC):

  • Principles relating to the operation of the business itself

  • Rules that are set at a higher and less prescriptive level

  • Guidance, which if followed can provide a safe haven for those responsible for the interpretation and implementation of the rules.

    Equally important is that those principles, rules and guidance contained within the high-level standards section of the handbook are applied consistently to each and every regulated firm. The only variable firms may use in the subjective application of these high-level rules to their own business is the size, complexity and nature of the business undertaken.

    But even behind this ability for firms to apply their own subjective interpretation of rules is the essential requirement for a firm to be physically capable of demonstrating compliance if called upon to do so.

    The golden rule for a firm's compliance culture is therefore: "if you can't prove it, then you didn't do it."

    Let's consider for example Principle 3, which requires a firm to "take reasonable care to organise and control its affairs responsibly and effectively with adequate risk management systems". This in turn links into a rule that "a firm must take reasonable care to establish and maintain such systems and controls as are appropriate to its business".

    These rules do not prescribe a specific system or the underlying controls that either an insurer or an insurance intermediary may seek to apply in placing or accepting an insurance risk on behalf of a client or insurer. They merely indicate that such systems and controls must be "appropriate", given the size of business and its method of operations. The onus is clearly on the firm to formulate its systems and controls structure, and be able to demonstrate what these systems and controls are.

    Clearly, if the firm can actually demonstrate its systems and controls, it is then essential that it can show this system is actually being applied and followed. So, will your systems and controls meet the expectations of the regulator? Put yourself to the test:

  • Can you demonstrate your structure and reporting lines? Given the nature, scale and complexity of your business, would they be considered appropriate?

  • Do you have a procedures manual for your key processes? If so, when was the last time that it was reviewed or updated? Is it a practical and frequently-used part of your tool kit or simply something kept in a cupboard?

  • When did you last review the systems and controls you use in practice against these records? And if you have had a track record of problems in any area, have you reviewed the process, kept a record of the findings and implemented any recommendations? Can you prove it if you've done it?

    For some firms, all this record-keeping might appear to be a heavy regulatory burden, which if ignored might even go away given their likely regulatory risk rating.

    For insurance intermediaries who will have to demonstrate compliance before being authorised to sell general insurance products in future, such a 'head in the sand' approach is likely to generate real compliance issues and authorisation problems, which could, at worst, actually put them out of business.

    Although such documentation may seem onerous, it doesn't have to be. The secret is to make these compliance requirements work for you. If you list and regularly review your business risks, then you focus in on what's important to your business. And regulatory requirements become an integral part of the successful management of the business.

  • This article was provided by Alexandra Peterkin and David Rush. They can be contacted at apeterkin@deloitte.co.uk and drush@deloitte.co.uk
