For legal departments and in-house lawyers, emerging threats around scams and fraud mean that teams need to be proactive, rather than reactive, to prevent issues from becoming more complex.
Natalie Faulkner is a senior managing director in FTI Consulting’s forensic and litigation consulting practice.
Speaking on a recent episode of The Corporate Counsel Show, produced in partnership with FTI Consulting, she discussed key digital and regulatory risks for legal departments and emphasised the importance of being proactive in the face of new challenges.
FTI Consulting also recently conducted a global study, which found that internal investigations were one of the top challenges for in-house teams and legal departments.
In addition, Faulkner said that regulatory compliance is a key concern for in-house counsel, particularly after the banking royal commission.
“Over the last three years, we’ve found that regulatory compliance is also sort of number one on the list for general counsel, keeping them up at night. We’ve worked with sort of a number of different organisations to help prepare and also then remediate incidents, particularly in those regulated sectors. And part of that process is really to help lawyers understand how far back does an incident go? What’s the root cause? Is it still occurring?
“Significantly, post the banking royal commission, I helped some of the large financial institutions remediate over 70 different incidents and sort of two of them that have hit the news headlines, one related to Westpac, where we had to analyse customers in hardship,” she said.
“And ASIC then pursued Westpac, saying they were in breach when writing around 260,000 home loans. And this case was a test case in responsible lending. And the judge found in Westpac’s favour, saying, you know, I might eat wagyu beef every day and wash it down with the finest Shiraz, but if I really want my new home loan, I’m going to, you know, effectively eat less fancy fare.”
There is significant “regulatory complexity” within investigations like this in Australia, which Faulkner said comes from two factors.
“One is we have multiple regulators and regulation and legislation, and that’s really evolving with the sophistication of our market. And then, the second thing is that regulation can often be not very prescriptive. The Privacy Act requires reasonable steps to protect personal information. The Scam Prevention Framework requires reasonable steps to prevent, detect and disrupt scams. The Bribery Act requires adequate procedures to prevent your associates from committing foreign bribery,” she added.
“But the regulators don’t actually define a reasonable step, an adequate procedure. So, then we have to help organisations really get an understanding of what their peers are doing, what are industry and global better practices. But on a positive note, there is some coordination going on and a lot of the regulators are now starting to publish over the next two years.”
Australia’s Scam Prevention Framework came into effect earlier this year to ensure companies are compliant – particularly as scams and fraud are treated differently.
“Rather than enforcing banks or any sort of organisation to compensate customers, our regulators have taken an approach where they’re setting out their expectations for compliance, and if you don’t meet them, you could be liable for up to $50 million in fines. So, it’s more like anti-money laundering compliance than fraud because fraud is like a cost of doing business,” Faulkner said.
“Fraud is unauthorised activity. That’s where someone might hack into your account or use your credentials to then take control and take the money themselves. Whereas a scam is when you’re persuaded or duped by the scammer to send your money to an illegitimate source. And the reason that the distinction is important is that fraud is covered by the ePayments Code, so you will be reimbursed for that, whereas scams, you are generally not reimbursed.”
In light of all of this, organisations have a responsibility to be proactive, rather than reactive. However, Faulkner said that proactivity still oftentimes comes after a big investigation, when it should be more of a preventative measure.
“It should be the other way around because you might have stopped that incident from happening in the first place. But at FTI, we help clients really be proactive to prevent and detect financial crime, misconduct and regulatory breaches through risk frameworks, operating model reviews, risk assessments. That training is really important,” she said.
“In our survey, we’ve found that the role of the general counsel is expanding, and often the GCs are now not just being asked legal questions, they are being asked those risk and compliance questions. So, it is valid to then ask the business and make sure that you’re having a risk focus towards regulatory compliance and avoiding these types of investigations.”
Law departments also need to report proactively to regulators where needed, as well as continuously looking to detect incidents before they become long-term issues.
Faulkner also advised organisations to keep on top of issues their sector is facing, as challenges with regulation can be common across similar working environments.
“I would keep abreast of issues your local peers are facing because you probably have those issues too. So, in many cases, I work with one organisation, and if you look over the fence to other organisations, even though they’ve got different systems and people and cultures, you often find they have the same challenges with complying with regulation.
“And lastly, my advice would be to really prevent and detect, because as time goes by and you’re not picking up incidents, they just become more complex, the quantum taken goes up, the regulatory and class action risk escalate with your reputational damage,” she added.
“And then when it comes to investigating, there’s a lot more management time that needs to be diverted to dealing with incidents if they’ve gone on for a long time. Ensure you have those effective processes and controls to mitigate and manage your risks, and then test that those controls are actually working in practice.”
Lauren is a journalist at Lawyers Weekly and graduated with a Bachelor of Journalism from Macleay College. Prior to joining Lawyers Weekly, she worked as a trade journalist for media and travel industry publications and Travel Weekly. Originally born in England, Lauren enjoys trying new bars and restaurants, attending music festivals and travelling. She is also a keen snowboarder and pre-pandemic, spent a season living in a French ski resort.