04 November 2021

FMA speaks to MinterEllisonRuddWatts clients

FMA speech to MinterEllisonRuddWatts clients on 4 November 2021

(Notes may differ slightly from speech as delivered)

Tēnā koutou, tēnā koutou, tēnā koutou katoa

Our topic today is about managing relationships in the face of an FMA investigation or enforcement action and I want to talk mainly to the entities that are supervised by the FMA.  There is a natural tension between the dual aspects of this regulatory relationship.  You’ve got the supervisory side, which is core to our licensing framework and a familiar part of your BAU, and on the other side, the possibility of enforcement action when things go wrong.  This part, I’m sure no entity hopes for, but is critical and expected from an effective regulator.

It’s about managing this professional relationship through the good times and the bad.  As long as your business remains within the FMA’s mandate, we want and expect our relationship to be constructive.

It’s critical that industry should not be surprised by our approach to regulation, supervision, and enforcement. That’s why we strive to set visible expectations on how we implement the laws within our jurisdiction, our expectations for good conduct, and our enforcement strategy.  It’s important that our risk appetite for enforcement is well-signalled by our actions and guidance, and is not subject to ad hoc swings like a pendulum.

If you have held a market licence with the FMA since the Financial Markets Conduct Act was introduced, then hopefully you will know our guidance and strategic documents.  These materials are designed to show you what good and bad conduct looks like.  They also indicate where our priorities lie, and importantly for this topic, where we allocate our enforcement resources.

With the passage of the Conduct of Financial Institutions Bill (CoFI bill) through parliament, banks and insurers and NBDTs will join our licensed population and be required to treat their customers fairly and act in their best interests.

So, while some of you will be familiar with how we interact with licensed entities, I want to speak to those who are newer to us and will be coming through the licensing gate when CoFI is implemented.  The regulatory landscape has evolved for financial institutions in New Zealand and Australia, and with that evolution, you are going to see us more active in these industries even before CoFI arrives.  Our relationship with these market participants is only going to get closer.

Regulation is not an end in itself – Confidence and trust in financial services is the goal

Before I get into it, I’d like to step back and remember what we’re all here for.  Regulation is not an end in itself. There is a purpose underpinning the FMC Act and the other laws under our mandate.

We want NZ’s financial sector to earn trust and to succeed by treating people fairly. And we want New Zealanders to have confidence in the financial services they receive.  This in turn requires confidence that the markets are effectively regulated, and that entities and individuals will be held to account when things go wrong.

To get this right – we – both you, the entities under our supervision, and us, the regulator - need to engage well and consistently.  We need to ensure our expectations around conduct are well understood, and those who compromise market integrity are held to account. You wouldn’t expect anything less.

And it’s only natural that, considering my role as Head of Enforcement, which is the pointier end of the FMA’s regulatory stick, there will be tension in parts of this relationship.

Even while supervision works as it should and we remain open and engaged with you, there will be – there have been - occasions when we need to go further than standard monitoring and refer a matter for a formal investigation.

Referrals are based on the nature of potential breaches and the level of risk and harm to consumers and the market.  Any of which could justify deeper interrogation.  Although this process can lead to discomfort, maintaining the ongoing health and wellbeing of the relationship is crucial – on both sides.  We recognise litigation is a serious response and one that is not taken lightly. But it’s important to remember that even where we do take enforcement action, this relationship survives beyond any particular case.

This isn’t new – we are here to clarify and clear up misconceptions

None of what I’m saying should be novel or surprising to you - especially if you’ve been keeping up with how we work in practice.  I’m here to refresh and perhaps clear up some common misconceptions we are seeing from the industry.

Sometimes entities express surprise where we have taken enforcement action in response to serious misconduct, even where the fact of the breach is largely undisputed.  Why is this?   Common themes emerge and I believe it stems from misconceptions around the significance of one or more of these factors:

  • self-reporting,
  • customer remediation,
  • and inadvertent misconduct.

Where does self-reporting fit?

Among our minimum expectations for those we supervise, and for good conduct risk management, is that issues and potential breaches should be self-reported to the FMA.  This is a sign that entities take their legal and licensing obligations seriously - and by informing us, they will endeavour to fix the issues quickly.

When the self-reported issues have the potential to reveal significant breaches or involve risks and harms to customers, we may investigate further and it can result in enforcement action.

We also want to be clear on how we view a firm’s best practice version of “self-reporting”. When we send firms a request for information as part of a thematic review, or any other information request, we expect thorough, accurate and constructive answers. If the response to such an exercise reveals a problem, then to a degree this could be described as self-reporting, and we see participants characterising it as such, but we’ve initiated this. 

Proactive self-reporting, on the other hand, is unsolicited and a sign that, unprompted, you have identified issues you want to fix and consider relevant to us. This shows us you have been listening when we say it’s critical to invest in the systems and processes to manage conduct risk. And that you have effective reporting capabilities that filter information all the way up to the board.

If you identify an issue in your business that requires remediation for customers or shows that your processes are not delivering optimal outcomes, that’s obviously not good news.  But there are still plenty of choices at this juncture to either handle this discovery the right way or the wrong way.  The right way involves promptly informing the board, self-reporting to the FMA, and ensuring timely remediation and communication with customers.  While entities may be tempted to wait until they have fully unravelled the problems before making first contact with the FMA or their customers we urge you to prioritise early engagement and stopping the harm.

You can be confident the choices made by an entity after discovering the problem will be relevant to the FMA’s enforcement response and will often colour how we view the entity’s overall conduct. At the same time, self-reporting cannot provide immunity from litigation, especially if the issues are significant, systemic or have led to customer harm.

The nature of the underlying misconduct itself will always be the driving factor in assessing the appropriate response.  The more serious the misconduct – to consumers or to the market - the more likely we will take strong enforcement action, irrespective of how it was reported.   And that makes sense, for any law enforcement agency.  A confession does not absolve responsibility. 

Obviously, this is not an invitation to avoid self-reporting.  That would be a high-risk gambit.   As recently found by the High Court last year, timely self-reporting to the regulator is expected.  Delayed, incomplete self-reporting is considered an aggravating factor.  That was a fair-dealing case centred on issues that were reported to the FMA late and were not disclosed during our Banking Conduct and Culture review, where we specifically asked the entity to disclose such issues.  In addition to the late reporting, it became apparent during the investigation that these issues dated back to well over a decade.  So, it’s not just the fact of the self-reporting, which is important, but also the manner.

What if customers have or will be remediated?

The same can be said for steps taken by an entity to remediate customers who have been impacted by the misconduct.  Putting customers right is the bare minimum step we expect from entities – of course it wouldn’t be acceptable to benefit from misconduct, however inadvertent.  We also take notice of how the remediation has unfolded – whether it was timely, well organised and communicated or whether there were delays and mistakes.  Where an entity seriously struggles with the exercise, it doesn’t tend to reflect well on the robustness of their systems and governance.   While an entity’s approach to remediation is a relevant factor, simply correcting the wrong to customers does not absolve it from responsibility or guard against enforcement.  

What if the misconduct was inadvertent?

An area where deterrence is important is where system failures have let down customers.  We have seen entities make representations to customers, seemingly conceived by the marketing department, without much regard for the systems required to ensure delivery. For example, offering discounts for taking on multiple policies or multiple account types with the same provider, enticing customers to do more business with the entity.  We have seen systems that were destined to fail from the outset, such as requiring manual exceptions to be applied by staff.  While this may have been inadvertent, it demonstrates a lack of prioritisation and investment in appropriate systems and processes to support such representations.  One of the objectives of court action in this area is to change the incentives at work, so that entities make the necessary investments in controls, before launching marketing campaigns.

Stepping back again, our job is to regulate the conduct of financial services firms – we are interested in how that conduct affects consumers of financial services and New Zealand’s reputation.  So, when we see issues that demonstrate that firms are not giving priority to system and process design to ensure the firm can live up to the promises it makes to its customers, or to the standards expected by the law, we will act to incentivise change in that behaviour, and to signal that expectation to the market and to New Zealanders. So even where misconduct is not deliberate, a strong enforcement response may well be appropriate.

What if we were working well with the FMA’s supervision team?

Our supervision teams will be the first point of contact for any self-reporting or compliance matters and will be focused on monitoring and guidance as they work through correcting the issues.  Those interactions should always be constructive, but don’t take this as an indication the FMA is content fully resolving the issues in that context.  As mentioned earlier, an internal referral can be made to investigations in parallel, and this could lead to enforcement.  Our commitment to you is that we will inform you that an investigation has been opened so that you are not taken by surprise, and we will be clear about who you can talk to at the FMA about the investigation.

Maturity of the regime  

FMA’s interaction and engagement with some firms has been ongoing since we were established, or the FMC Act coming into effect after 2014. That’s sufficient time for entities to understand and meet relevant standards and to observe the way we operate. It’s natural for us to be less patient with those licensed since December 2016, than we are with those who are waiting to see what the final licensing standards are going to look like under the CoFI Bill.

Noting of course, that some firms expecting to be brought into the CoFI regime will already have a relationship with us through other standard market licenses such as for Managed Investment Schemes, financial advice or derivatives.

At this stage in our mandate, there should be no surprises for any reasonably-sized entity - who has risk and compliance functions – about what the FMA is concerned with, and where we have taken action.

In the wake of the Australian Banking Royal Commission, it was natural to review and test our enforcement strategy against the risks we were seeing in the market and the overall state of conduct risk management.

The CoFI Bill enables entities to understand their upcoming obligations and will empower the FMA to be more proactive in supervising the sector.  But the fair-dealing provisions around misleading and deceptive conduct have been in place since 2014 and apply to all financial services providers already.

It is not acceptable for a well-resourced, major market participant to fail to invest in adequate conduct risk systems and processes despite the same standards being applied to their peers.  Equally, it is not acceptable to focus on customer acquisition, but not actively pursue the best outcomes for them as a part of the ongoing business relationship. 

Given that the FMC Act has been in force for some time, we expect these issues should already be fundamental to regulated entities.

Final remarks - Confidence and trust are the pillars of good reputation

To wrap up.  Maintaining a market licence to operate is now increasingly combined with nurturing a social licence to operate. We recognise that entities are sensitive to their reputation for good conduct with their customers.   And rightly so - high consumer trust is paramount for success.   We hope entities will be mindful of their reputation, not only when faced with enforcement action, but in taking preventative measures to avoid it in the first place.

Coming back to where I started, we all want New Zealanders to have trust and confidence in the financial services they receive.  That means investing in systems that put customer interests first and showing a willingness to deal with the regulator in a way that is open, transparent and engaged.  And this doesn’t need to break down when it gets to the pointy end of the enforcement stick. 

Remember, cases will come and go – this relationship endures.

Tēnā koutou, ngā mihi, thank you