ASIC Consultation Paper 204 Risk management systems of responsible entities

Transcription

1 17 May 2013 Ms Violet Wong Investment Managers & Superannuation Australian Securities and Investments Commission By Dear Ms Wong ASIC Consultation Paper 204 Risk management systems of responsible entities Thank you for the opportunity to provide a submission to ASIC Consultation Paper 204 Risk management systems of responsible entities (CP 204) and for the extension of time to provide our submission. The Financial Services Council (FSC) represents Australia's retail and wholesale funds management businesses, superannuation funds, life insurers, financial advisory networks, private and public trustees. The FSC has over 130 members who are responsible for investing $1.8 trillion on behalf of more than 11 million Australians. The pool of funds under management is larger than Australia s GDP and the capitalisation of the Australian Securities Exchange and is the fourth largest pool of managed funds in the world. The FSC promotes best practice for the financial services industry by setting mandatory Standards for its members and providing Guidance Notes to assist in operational efficiency. Please find our submission attached. We look forward to discussing the contents of our submission with you. I can be contacted on Yours sincerely Stephen Judge General Counsel

2 FSC SUBMISSION ASIC CONSULTATION PAPER 204 Risk management systems of responsible entities DEFINITIONS USED IN THIS SUBMISSION (a) The draft regulatory guide which is attached to CP 204 and titled Regulatory Guide 000: Risk management systems for responsible entities will also be referred to in this submission as RG Risk Management for REs. (b) RE means responsible entity of a registered scheme. EXECUTIVE SUMMARY Below is a summary of some of the key points made in our submission in response to CP 204. However, our submission should be considered in full for these and all our other comments in response to CP FSC supports ASIC s statement (at page 5 of CP 204) that risk management systems play an important role in building retail investor and financial consumer confidence by mitigating exposure to relevant risks. We also agree with ASIC s statement (also at page 5 of CP 204) that risk management is not about eliminating risk but it is about controlling risks to increase the likelihood of meeting objectives. 2. ASIC s review of risk management as set out in CP 204, in part, considers and responds to the Parliamentary Joint Committee on Corporations and Financial Services in its report on the Inquiry into the collapse of Trio Capital. We support robust risk management processes, and ASIC s review, but we do note that it is important that any new additional requirements imposed by ASIC ought to be balanced, measured and a proportionate response to the Trio Capital matter, particularly in light of the fact that diligent responsible entities will already have robust risk management procedures. 3. ASIC proposes to implement its updated policy via a Class Order. We do not agree, in this case, with ASIC implementing guidance by both a new regulatory guide RG 000: Risk management systems of responsible entities (or updating an existing regulatory guide, such as RG 104) and a class order. A class order may be appropriate if it was necessary to modify the law and exempt responsible entities from the law (albeit on conditions). It seems unnecessary and not appropriate to use a Class Order to record what is ASIC guidance and expectations. We do not see that ASIC needs to exempt or modify (by a Class Order) the Corporations Act either in this case. Hence we do not support ASIC s use of a Class Order in this situation and similar situations. ASIC s media release (dated 21 March 2013) notes that ASIC indicated an intention to develop good practice guidance but that ASIC considers risk management practices are better positioned as requirements. We agree with ASIC providing guidance (in an ASIC Page 2 of 18

3 Regulatory Guide) on risk management practices which ASIC considers meets, or which ASIC considers is required by, the law (namely section 912A of the Corporations Act), but we disagree with ASIC guidance (or ASIC views of what is appropriate and expected or in ASIC s view required by law) being hard-coded as law (by Class Order), which is different from ASIC s view of the law (i.e. guidance). 4. We think that ASIC s policy update in the new regulatory guide Risk management systems of responsible entities (the RG Risk Management for REs) should expressly recognise the ability of a responsible entity within a group of entities (whether that is a domestic group, regional group or a global group) or a conglomerate to leverage group risk management arrangements, provided those arrangements are appropriate for the RE (and, if necessary, modified to the RE s particular situation). Our comment that the RG Risk Management for REs should expressly reflect the ability to leverage group arrangements, applies whether the group is domestic, regional or global all these groups need to be able to leverage compliance and risk frameworks (which can also reduce operational risk). ASIC already acknowledges the use of Group arrangements by licensees and should expressly acknowledge this in ASIC s proposed RG Risk Management for REs. See RG (page 11) in Regulatory Guide 104: Licensing: Meeting the general obligations in which ASIC states: We understand that, in some instances, your monitoring and reporting will be built into your business processes. We also acknowledge that your compliance measures might reflect your corporate group s overall approach to compliance 5. In relation to Group arrangements (see above), we request that ASIC liaise with APRA prior to finalising the RG Risk Management for REs, to ensure any ASIC requirements (or guidelines) for responsible entities which are dual regulated (by ASIC and APRA) or are a responsible entity within a Group which would be captured by the existing APRA Level 2 group requirements or proposed APRA Level 3 conglomerate group proposals, are consistent with APRA s requirements (where relevant). Level 3 groups, are groups comprising APRA-regulated institutions that perform material activities across more than one APRA-regulated industry and/or in one or more non-apra-regulated industries. That is, we request that ASIC liaise with APRA to ensure there is no unnecessary duplication in ASIC and APRA regulation (from a risk management perspective) for any responsible entities subject to ASIC and APRA regulation (whether the application of APRA regulation is because the responsible entity is dual regulated by both ASIC and APRA, or else because the responsible entity is part of a corporate group which would be subject to APRA s existing Level 2 group requirements or APRA s Level 3 conglomerate group proposals). 6. Further, we request that ASIC liaise with APRA to ensure there is no unnecessary duplication of, and to ensure consistency between any, ASIC and APRA requirements for a responsible entity which form part of an APRA Level 1, 2 or 3 group, in particular Page 3 of 18

4 (but without limitation) including having regard to the APRA Discussion Paper (released 9 May 2013) relating to harmonising APRA cross-industry risk management requirements (which APRA states would apply to Level 1, 2 and 3 groups, and hence this is relevant to responsible entities which are part of an APRA Level 1, 2 or 3 Group, even if that responsible entity is not also an APRA regulated RSE licensee). We note that APRA s discussion paper states that the proposed cross-industry risk management requirements will not apply to the superannuation industry (as instead, RSE licensees must comply with the superannuation-specific risk management prudential standard due to commence on 1 July 2013). Nonetheless, APRA s requirements will impact responsible entities (whether or not they are also an APRA regulated RSE licensee) or APRA regulated groups of which the responsible entity is part by virtue of APRA s proposal to apply the cross-industry risk management requirements to all APRA regulated entities, except Superannuation RSE licensees. 7. In essence we request APRA and ASIC liaise to ensure appropriate consistency and that there is no unnecessary duplication in regulatory requirements (including by virtue of any ASIC RG Risk Management for REs), impacting on ASIC regulated responsible entities (irrespective of how APRA regulation may apply or impact on an ASIC regulated responsible entity the APRA impacts are not limited to a responsible entity which also has an APRA RSE license). 8. We note that the risk management requirements are one of a plethora of requirements which responsible entities are required to comply with under the Corporations Act including section 912A and Chapter 5C and other provisions of the Corporations Act. ASIC s guidance should be in an ASIC Regulatory Guide only. We do not see a need for prescriptive requirements (such as a Class Order, and we do not agree with ASIC s proposal to use a Class Order). Any guidance provided by ASIC in respect of risk management should be principles based, flexible (to accommodate the size, nature and complexity of a responsible entity s business) and not overly prescriptive. Section 912A requirements (aside from risk management) are generally not captured in Class Orders (and nor should they be) but are generally the subject of ASIC regulatory guides (e.g. ASIC RG 104). Further, Compliance Plans are already signed by directors; and risk management is part of the broader compliance and risk framework and ASIC has previously stated that risk management plans and compliance plans should be consistent. Page 4 of 18

5 DETAIL RESPONSE TO SPECIFIC ASIC QUESTIONS IN SECTION B OF CP 204 PROPOSED REQUIREMENTS FOR RESPONSIBLE ENTITIES ASIC Question B1Q1: Do you agree with our proposed regulatory approach of modifying s912a(1)(h) of the Corporations Act by class order? If not, why not? 9. We do not agree with the use of a Class Order. ASIC asks this question in B1Q1 (which is appropriate) but provides in our view an insufficient justification as to why ASIC is proposing to use a Class Order (which is, and creates, law) rather than simply providing guidance (as to the current law, or ASIC s interpretation of the current law) in a Regulatory Guide (namely, the new proposed RG Risk Management for REs). FSC notes that ASIC s current RG 104 is not accompanied by a Class Order. ASIC should provide guidance (of its views of what is required of REs) in a regulatory guide (namely the RG Risk Management for REs) but should not also proceed to hardcode ASIC s guidance or views, as law, in a Class Order. 10. ASIC proposes to implement its updated policy via a Class Order. We do not agree, in this case, with ASIC implementing guidance by both a regulatory guide (RG Risk Management for REs) and a class order. A class order may be appropriate if it was necessary to modify the law and exempt responsible entities from the law (albeit on conditions). It seems unnecessary and not appropriate to use a Class Order to record what is ASIC guidance and expectations. We do not see that ASIC needs to exempt or modify the Corporations Act either in this case. Hence we do not support ASIC s use of a Class Order in this situation and similar situations. 11. What is, in our view, an unnecessary and inappropriate use of Class Orders, also unnecessarily adds to the complexity of the regulatory regime. ASIC has previously set out its general guidance in RG 104 in relation to risk management for licensees and we think it is simpler, sufficient and less complex for ASIC to simply set out its guidance on risk management for responsible entities in the proposed new RG Risk Management for REs (without any related Class Order). ASIC s existing RG 104 sets out ASIC s expectations in general terms as to what is required of responsible entities in order to satisfy section 912A(1)(h) of the Corporations Act. That guidance has no Class Order related to risk management. Class Orders have their place but, as a general principle, we do not consider Class Orders should be the means to effect ASIC s expectations, interpretation or guidance, as opposed to modifying the Corporations Act (where it is necessary or appropriate) or providing relief (with or without conditions) from the Corporations Act. ASIC s guidance in regulatory guides reflects ASIC s guidance and expectations. We do not support the use of Class Orders to implement what is ASIC guidance. We consider, in this case, it is sufficient for ASIC to incorporate ASIC s views and guidance in the RG Risk Management for REs. Further, apart from the fact that Page 5 of 18

6 Class Orders operate as the law - as opposed to ASIC s view of the law, its guidance or ASIC s expectations the use of Class Orders to implement (or hard code ) what is guidance adds to the complexity of the regulatory regime, as licensees need to have regard to ASIC Regulatory Guides as well as related Class Orders where, in this case, it is not essential to use a Class Order in addition to a regulatory guide. 12. Class Orders are legislative instruments and we understand are subject to Parliamentary disallowance (at least as a mater of law FSC is not aware of any disallowed Class Order, certainly in recent memory) but nonetheless this in itself is insufficient to justify ASIC modifying the Corporations Act (or notionally providing relief, with or without conditions) by Class Order. It is not apparent to us that relief or modification from the Corporations Act is required and ASIC makes no statement in CP 204 that it considers REs could not comply with the Corporations Act without modification by a Class Order. 13. When matters are to be prescribed as law, such as an Act, a regulation or (generally) a Class Order, they should be subject to public exposure and comment to ensure stakeholders may comment on the finer details of what will be the law. ASIC Question B1Q3: Are stronger, more prescriptive risk management requirements (beyond those proposed) necessary for the managed funds sector and should they be introduced through law reform? If so, please specify the issues that the more prescriptive requirements should address. 14. We are not aware of any systemic issues in relation to risk management practices of responsible entities in general which would support either the need for law reform or the need for further prescriptive requirements in addition to ASIC s proposals (and please also consider our comments on ASIC s proposals in this submission). ASIC Question B1Q4: Would the proposed requirements be better positioned as good practice guidance? If so, please explain why (including how the good practice guidance can improve risk management standards for responsible entities and why you consider that such good practice guidance will be adopted by the industry) and provide detailed suggestions on how we can encourage the adoption of fundamental risk management practices across the managed funds sector. 15. We are happy with ASIC s proposals (subject to the comments in this submission) being included in a new RG Risk Management for REs, which would be interpreted as ASIC s view of the law, unless ASIC stated that the matter was a matter of good practice which suggests that such matter may be an aspiration and good practice (but may be further than the law requires in all cases). We do not agree with ASIC s approach of implementing its guidance in a Class Order as well. The reality is regulatory guidance or expectations or ASIC s interpretation of the law (as set out in ASIC s regulatory Page 6 of 18

7 guides) is highly influential to regulated entities. Potentially, the statement in ASIC question B1Q4 asking why you consider that such good practice guidance will be adopted by the industry is loaded in the sense that there is an implied premise in ASIC s statement that responsible entities need additional reasons to have regard to ASIC guidance. Given ASIC is the regulator, ASIC statements in regulatory guides (whether couched as an ASIC statement that ASIC considers the law requires X or Y, or instead as an ASIC statement that it is good practice for regulated entities to do X or Y) is heavily influential in influencing the behaviour of responsible entities. 16. FSC welcomes ASIC reviewing responsible entities risk management and providing ASIC guidance in a new RG Risk Management for REs as this ensures responsible entities are made aware of ASIC s expectations. We do not however provide suggestions on how ASIC may further encourage the adoption of fundamental risk management practices across the managed funds sector, apart from ASIC issuing as guidance RG Risk Management for REs, because we would expect diligent responsible entities would consider all relevant ASIC regulatory guides. ASIC Question B1Q5: Entities that operate managed investment schemes that are not required to be registered under the Corporations Act may also choose to meet these requirements, although we do not propose to make them mandatory for these types of schemes. Should the requirements also apply to unregistered managed investment schemes? If so, why? 17. ASIC s proposals should not be mandated (or even guidance) for managed investment schemes that are not required to be registered, as such schemes, by definition, are only available to wholesale clients who are in a position to negotiate and review the trustee s arrangements (namely, the trustee of the unregistered managed investment scheme). Managed investment schemes which are not required to be registered are not subject to Chapter 5C regulation and should not be subject to ASIC requirements or guidance in respect of Chapter 5C responsible entities (of registered schemes). ASIC Question B1Q7: What are the potential costs or impacts of this proposal (namely ASIC s proposed requirements for risk management systems for responsible entities) on the managed funds sector? 18. We have not had an opportunity to cost the proposals. However, we note that the more prescriptive (or granular) any ASIC requirements in relation to risk management, the more likely this may impact the costs of operating registered schemes, particularly in smaller schemes, and particularly also of responsible entities operating a large number of schemes where they are not able to leverage Group arrangements (where appropriate) across schemes (again, where and to the extent appropriate). Page 7 of 18

8 ASIC Question B1Q8: We consider that responsible entities are well placed to identify those risks that are material to the operation of their businesses, given their diverse nature, scale and complexity. Do you agree? If not, should we provide guidance on what amounts to material risks? 19. We agree with ASIC that responsible entities are well placed to identify material risks. Therefore, we seek no guidance on material risks. Of course, if ASIC considers a particular matter is a material risk, then ASIC should ensure that is stated in the RG Risk Management for REs so that responsible entities are fully aware of ASIC s position on the matter. Industry may of course seek further ASIC guidance if it becomes apparent that may further assist industry. At this stage, we only seek that ASIC clearly state what ASIC considers may be a material risk. The Appendix titled Appendix: Examples of risks and risk treatments in ASIC s draft RG Risk Management for REs (at pages 52 to 58 of CP 204) is useful from that perspective. ASIC Question B1Q10: APRA-regulated RSEs must submit to APRA a signed declaration on their risk management strategy. Should we include a similar requirement for responsible entities? 20. No. ASIC guidance as to responsible entities risk management set out in any proposed RG Risk Management for REs is sufficient as this sets out what ASIC expects in terms of risk management. Responsible entities should not be required by ASIC to sign risk management declarations. Risk management is simply part of (albeit an important part of) a licensee s holistic risk and compliance framework, and licensee obligations under section 912A of the Corporations Act. Responsible entities are accountable for and must ensure compliance with section 912A (as well as other provisions). Adding a certification requirement (such as ASIC s proposed risk management certification) to some or each of the matters in section 912A is unnecessarily onerous and administratively burdensome, given in any event that responsible entities (as for other licensees) are required to comply with section 912A (including section 912A(1)(h)). Further, Compliance Plans are already signed by directors; and risk management is part of the broader compliance and risk framework, and ASIC has previously stated that risk management plans and compliance plans should be consistent (see attachment to ASIC Media Release ASIC Review of Unlisted property MIS sector (17 July 2012)). 21. For these reasons, we do not support ASIC s proposal for risk management certifications for responsible entities as they are unnecessary given the above and therefore an unnecessary administrative burden. Page 8 of 18

9 RESPONSE TO SPECIFIC ASIC QUESTIONS IN SECTION C OF CP 204 PROPOSED GUIDANCE ON EXPECTATIONS Relying on key employees or external service providers ASIC Question C1Q1 (and ASIC Proposal C1): Do you agree with our proposed expectations of responsible entities that they maintain a strong understanding of risk management and have sufficient skills to independently monitor and assess the performance of key persons or external service providers. (ASIC then refer to draft RG ) 22. We agree that responsible entities should have a strong understanding of risk management and have sufficient skills to independently monitor and assess the performance of key persons or external service providers. (In ASIC Proposal C1 on page 12 of CP 204, ASIC also refer to the proposed Class Order. As set out in our response to Section B of CP 204, we do not agree with ASIC using a Class Order for this matter.) 23. We seek clarification from ASIC as to the distinction between monitoring key employees versus monitoring external service providers. We understand the concept of monitoring external service providers. It is not clear to us from CP 204 or the draft RG Risk Management for REs (attached to CP 204) what ASIC means by monitoring key employees. We request that ASIC clarify this, in light of the fact that the employee s conduct is the RE s conduct (ignoring section 601FB(2), in relation to certain external service providers) so in any event the RE is accountable for the conduct of its employees, including key employees. Does ASIC simply mean that the performance of the key employee (so far as relevant to the responsible entity and schemes) is monitored in accordance with usual performance review and management systems for staff? Fostering a risk management culture ASIC Question C2Q1 (and ASIC Proposal C2): Do you agree with our proposed expectations in relation to responsible entities fostering a strong risk management culture, ensuring all staff understand the purposes of risk management and its value, and require all staff members to report internally, breaches of risk management processes and procedures? [ASIC also refers to draft RG RG and RG ] [Note: FSC has summarised ASIC s Proposal C2 and Question C2Q1 as set out on page 14 of CP 204] 24. We broadly agree that responsible entities should foster a strong risk management culture, ensure that staff understand the purposes of risk management and its value and that procedures should be in place to ensure internal reporting by responsible entity staff of breaches of risk management processes and procedures of which they Page 9 of 18

10 become aware. Question C2Q3. However, we have specific comments in our response to ASIC ASIC Question C2Q3 (and ASIC Proposal C2): Are there any specific elements of risk management culture that we should expand on? If so, please provide detailed suggestions. 25. (RG ): While the board will, and should, have oversight of the matters in RG , some of these matters are, as a practical matter, undertaken by senior management rather than by the board, albeit the board remains responsible and accountable for oversight of those matters. We think ASIC s guidance should reflect the practical reality that the board will not, particularly in large financial conglomerates, be involved in a day to day sense in some of the matters referred to by ASIC in RG For example, staff training, and certain resource decisions, would not be board decisions but would be made or directed by senior management. We suggest RG be amended to note the oversight role of the board and to acknowledge that the day to day implementation of some of the matters may well be delegated to senior management (with appropriate governance and, where appropriate, reporting). Three lines of defence 26. (RG three lines of defence): (We have included here a comment on RG even though the paragraph may be relevant to other ASIC questions.) In relation to RG , in larger conglomerates it may be the case that while Management comprise controls (as set out in paragraph (a) of RG ), the risk management function will facilitate risk management controls (with management input as appropriate) rather than follow risk management controls. We request that ASIC consider amending the beginning of the first sentence in RG (b) to (b) Risk management - The second line of defence facilitates the risk management controls. Page 10 of 18

11 Choosing processes for identifying and assessing risks ASIC Proposal C3 In meeting the risk management obligations, including the proposed class order requirements to have processes in place to identify and assess risks, we expect responsible entities to: (a) (b) maintain a risk register as part of their risk identification process; and take into account the factors set out in draft RG and RG when choosing processes for identifying and assessing risks. See draft RG RG and RG ASIC Question C3Q1: Do you agree with our proposed expectations? If not, why not? 27. We broadly agree with ASIC s proposals in relation to identifying and assessing risks. 28. We request however that the draft regulatory guide (in particular RG to RG ) be clarified to distinguish more clearly between risks relevant to the responsible entity (as an entity) and risks relevant to any registered managed investment scheme operated by the responsible entity. We think this is a matter ASIC may clarify by minor refinements to the draft RG. 29. We request that ASIC s draft RG Risk Management for REs also expressly state and recognise that responsible entities may leverage risk management and identification processes undertaken at a Group level, for responsible entities which are part of a corporate Group (whether a domestic, regional or global Group), provided of course such risk management procedures are appropriate for the responsible entity (and its schemes) and if necessary tailored to reflect the operations of the responsible entity and its registered schemes. ASIC has already acknowledged the use of Group arrangements by licensees in a similar context (see RG ). 30. However, particularly for responsible entities operating a large number of registered schemes (some of FSC s members act as responsible entity for well over 100 registered schemes), requiring specific risk assessment for each scheme may involve undue duplication. We request ASIC s policy reflect the ability to leverage group and RE arrangements provided such arrangements appropriately capture risks holistically at the scheme level. Page 11 of 18

12 ASIC Question C3Q3: Is it appropriate to expect responsible entities to take into account the factors in draft RG and RG when choosing processes for identifying and assessing risks? If not, why not? 31. We broadly agree with the factors in RG and RG However, we consider that ASIC ought to amend the reference to multi-layered structures on page 55 of CP 204 (the draft RG Risk Management for REs) to recognise that the wealth management industry commonly uses inter-funding for a variety of reasons such as due to a balanced fund investing in asset class funds, and to facilitate different unit classes or fees (e.g. retail fees versus wholesale fees for large investments). ASIC s comments on page 55 are, we think, directed to opaque structures (via, for example, using many complex and opaque intermediated vehicles). We think the distinction between opaque structures and vanilla (and commonly used internal inter-funding) should be made clear by ASIC on page 55 (under Investment risk in the draft RG Risk Management for REs). 33. Accordingly, page 55 should be amended to state that A risk may also arise in certain multi-layered structures. [We are aware of ASIC s view that, each level, irrespective contains liquidity and counterparty risk we think however that there is a distinction between internal interfunding by the responsible entity (or related responsible entity) to achieve investment exposure and efficient re-balancing, as opposed to more complex structures and vehicles.] 34. Page 56 of CP 204 (the draft RG Risk Management for REs) refers to product suitability. We agree that issuers ought clearly explain their products and appropriately market them (to the appropriate audience). Apart from this, the suggestion to obtain financial advice is a risk treatment which in our view is more direct and generally more appropriate than ASIC s suggested risk treatment of Consumer research to address any product suitability issues. While a product issuer may consider consumer research, we suggest that this risk treatment be removed and replaced with a reference that the consumer consider obtaining financial advice. 35. Page 57 of CP 204 (the draft RG Risk Management for REs) under Liquidity risk refers to the risk that the responsible entity will not have adequate financial resources at the scheme level including meeting members expectations and requests for redemptions. Members expectations must (necessarily) be informed by product disclosure (the PDS) and the constitution. 36. In relation to the above mentioned reference to Liquidity risk, in our view the draft RG Risk Management for REs (page 57) should be amended to state that, or reflect that, by members expectations this will be informed by the responsible entities product disclosure as to the terms of the product and the redemption arrangements. Alternatively, the reference to members expectations should be removed. During Page 12 of 18

13 the GFC, and by way of example, scheme members may well have expected that unlisted funds which disclosed in their PDSs the risks of suspension or the risk of the fund becoming illiquid (and subject to redemption gates), pay redemptions in the usual timeframe. That expectation (assuming clear disclosure) is simply not one which could have been met and nor (assuming clear disclosure) is the fund/responsible entity required to meet such expectation. ASIC Question C3Q4: Should any other factors be included? If so, please state the relevant factors and why they should be included? 37. We consider ASIC has adequately dealt with risk identification and assessment factors. No other factors need to be included. We also make the observation that the Appendix in the draft RG (appearing from page 52 of CP 204) is useful guidance to industry and is welcomed, albeit subject to our comments about the Appendix made in this submission. Monitoring compliance with risk management systems ASIC Question C4Q1 (and ASIC Proposal C4): In meeting the risk management obligations, including the proposed class order requirements for monitoring compliance, we expect responsible entities to ensure there are: (a) effective information systems and appropriate record keeping policies about risk management systems; (b) appropriate policies for reporting on risk management activities, including that persons who have ownership of risks within the structure of the risk management systems (risk owners) must report regularly and on an exception basis; and (c) clear escalation policies, processes and procedures for exception reporting on breaches of the risk management systems. Do you agree with our proposed expectations? If not, why not? 38. We agree with ASIC s expectations on monitoring compliance with risk management systems. 39. In ASIC Proposal C4 on page 16 of CP 204, ASIC also refer to the proposed Class Order. As set out elsewhere in this submission, we do not agree with ASIC using a Class Order for this matter. Page 13 of 18

14 Reviewing the effectiveness of risk management systems ASIC Question C5Q1 (and ASIC Proposal C5): In complying with the risk management obligations, including the proposed class order requirement to review risk management systems, we expect responsible entities to carry out such reviews when there have been material changes to the context in which they operate their risk management systems. Do you agree with our proposed expectations? If not, why not? 40. We agree that responsible entities should review risk management systems at regular intervals, and when material changes occur in business operations or other material changes for which it is appropriate to review risk management systems. 41. We note that in ASIC Report 298 ASIC note that most responsible entities indicated their risk management systems did not change as a result of the global financial crisis. We do not consider that it is, necessarily the case, that external (albeit, severe) market events will and should necessitate a review of a risk management system. Whether it should, would depend on the robustness and design of the risk management system, and whether the external market events were such that the risk management system needed reviewing or refining. To this extent, we do not agree with paragraph 40 of CP 204 in which ASIC states in effect that material changes to external environments, necessitate a review of the risk management system. We consider instead, that such changes should be considered as to whether an ad hoc (or out of cycle, if you like) review of the risk management system is needed it may or may not be needed. We request ASIC consider refining ASIC s proposed regulatory guide Risk management systems of responsible entities accordingly. 42. We disagree with the statement in RG (page 49 of CP 204) as it is insufficiently nuanced and too bland, and arbitrary in its selection of particular types of funds. ASIC states (at RG ): Our regulatory experience suggests that certain types of schemes (e.g. unlisted property schemes, mortgage schemes, agribusiness schemes or hedge funds) are subject to more complex risks. Accordingly, we think that the risk management systems for these types of schemes should be reviewed more frequently (e.g. on a quarterly basis). 43. While it may be that the output of the risk management system may result in more regular action as a result of the type of scheme (e.g. more regular review of the status of aspects of the fund), it is not necessarily the case that the fund type per se without more justifies a more frequent review of the risk management system. A quarterly review of a risk management system (assuming no material changes to business operations or the environment of the fund) appears excessive. A bond crash may justify (potentially) a review of risk management systems for a bond fund; but that Page 14 of 18

15 does not mean an unlisted property scheme would (in that environment) need a quarterly assessment of its risk management system. For example, in September 2011 following the terrorist attacks on the World Trade Centre, equity markets dropped significantly on the day (and markets could be said to have for a short term been in turmoil) yet mortgage funds essentially operated as usual during that period our point is that it is insufficiently nuanced to suggest mortgage funds (for example) are in need of quarterly review of risk management systems. It may be that if the risk management system is sufficiently robust, that annual reviews of the risk management system remain acceptable as the system may well accommodate severe market events. 44. For these reasons, we think RG needs to be amended to simply note that material changes to the external environment may trigger the need to review the risk management system. 45. In ASIC Proposal C5 on page 17 of CP 204, ASIC also refer to the proposed Class Order. As set out elsewhere in this submission, we do not agree with ASIC using a Class Order for this matter. Using stress testing or scenario analysis ASIC Question C6Q1 (and ASIC Proposal C6): Do you agree with our proposed expectations (in relation to stress testing and/or scenario analysis of investment risk and liquidity risk of their business and schemes; review their framework for stress testing or scenario analysis at appropriate intervals in light of the responsible entity s business and market conditions; and if the responsible entity does not adopt these practices, document why this is the case, keep appropriate internal records of this rationale, and review this decision at appropriate intervals)? [Note: FSC has paraphrased ASIC s Proposal C6 and Question C6Q1 as set out on page 18 of CP 204] 46. Whether and when stress testing is appropriate, and the frequency, depends on the nature of the scheme and its assets. We consider that ASIC s expectations around stress testing needs to be refined to reflect that not every managed investment scheme is subject to risks requiring extensive stress testing and/or scenario analysis. We agree that as part of investment management, funds should (and they do) monitor matters such as investment risk, market risk and liquidity risk. It may not be necessary to undertake extensive stress testing for every scheme. For example, Cash Management Trusts would not be exposed to the extent of risks that, say a longer dated corporate bond fund may, and therefore the extent of stress testing and scenario analysis would be different for each scheme. We request that ASIC ensure that its guidance accommodate the fact that what is appropriate and necessary from a stress testing perspective will depend on the nature of the scheme (in a sense, what is required is scalable and ASIC s regulatory guide should reflect this). Page 15 of 18

16 47. We request that any ASIC guidance in relation to stress testing and/or scenario analysis, recognise that what is required for a particular responsible entity or scheme will depend on the operations of the responsible entity or the assets and investment objective of the scheme. We are not sure that it is necessary to document a decision not to adopt stress testing when that is not appropriate for the nature of the scheme nonetheless the responsible entity should be able to justify any decision or approach. 48. We request that ASIC guidance clarify the distinction between stress testing and/or scenario analysis at the responsible entity level and the scheme level. While we think it is clear there is a distinction, it would be useful for ASIC to expand on this distinction in its proposed regulatory guide Risk management systems of responsible entities. 49. We think ASIC s regulatory guide Risk management systems of responsible entities should note that what is required (in terms of stress testing and scenario analysis) will depend on the circumstances of the responsible entity and the scheme. For example, for many schemes, investment related risk would be a matter for the relevant portfolio manager and investment related risk would be disclosed in the PDS. RESPONSE TO SPECIFIC ASIC QUESTIONS IN SECTION D OF CP 204 PROPOSED GOOD PRACTICE GUIDANCE Establishing and maintaining risk management systems Question D1Q1 (and ASIC Proposal D1): Do you agree with our proposed good practice guidance (in relation to establishing and maintaining risk management systems, including separating responsibility for risk assessment, risk treatment and monitoring compliance with risk management systems to manage conflicts of interest; establishing a dedicated risk management function and/or risk management committee; and use of internal and/or external audits to review compliance with, and the effectiveness of, risk management systems)? [Note: FSC has paraphrased ASIC s Proposal D1 and Question D1Q1 as set out on page 19 of CP 204] 50. We consider there is sufficient law and ASIC guidance on conflicts of interest (e.g. RG 181). We do not consider there is a need for guidance on conflicts in the context of risk management. 51. We do not see a material need for guidance on the matters set out in Proposal D1 (on the assumption they are intended by ASIC to be guidance only, and not expectations which ASIC will seek to review in its supervisory activities). We do not consider the good practice guidance matters ought to be mandated. Therefore, on the assumption it is good practice guidance, and our view that the matters should not be mandated, there does not appear to be a significant need for the good practice guidance on the Page 16 of 18

17 matters set out in ASIC Proposal D1. Any mandated requirements (e.g. external audits) would clearly add to the costs of operating schemes which may bear on fees/expenses incurred by members, and more so on smaller sized schemes. 52. Risk management systems and the risk management functions are dependent on the size, nature and complexity of the operations of the responsible entity. (ASIC acknowledges this in RG in which ASIC note (with our emphasis) that Depending on the nature, scale and complexity of the business, we think it is good practice for responsible entities to establish a designated risk management function and/or committee as part of their risk management systems. The FSC notes, and stresses, that for some businesses (such as a small boutique fund manager by way of one example), a dedicated risk management function may not be appropriate in light of the scale of the business. If ASIC is minded to provide any good practice guidance, we think such guidance needs to expressly acknowledge and state that the extent to which the guidance is appropriate or necessary for a responsible entity, will depend on the nature, scale and complexity of the business. ASIC should then also state in the guidance (if it proceeds with guidance), to the effect that For example, it may not be necessary to establish a designated risk management function and/or risk management committee for small responsible entity operations which are simple. 53. Any ASIC guidance (in RG Risk Management for REs) on establishing and maintaining risk management systems should expressly acknowledge that responsible entities may leverage arrangements set at a Group level where a responsible entity is part of a corporate Group, provided the Group arrangement is appropriate for the responsible entity or tailored for the responsible entity as appropriate. ASIC has already acknowledged the use of Group arrangements by licensees in a similar context (see RG ). 54. Any ASIC guidance in relation to designated risk management functions should be sufficiently flexible to accommodate the circumstances of a responsible entity and should also acknowledge that the risk management function may leverage Group arrangements, compliance committee arrangements, responsible managers or the Board of the responsible entity. Assessing and managing risks Question D2Q1 (and ASIC Proposal D2): Do you agree with our proposed good practice guidance (in relation to a written plan for treating risks)? (ASIC also refer to RG RG ) [Note: FSC has paraphrased ASIC s Proposal D2 and Question D2Q1 as set out on page 20 of CP 204] 55. We do not consider that good practice guidance is needed on risk treatment or written documents in relation to risk treatment, as we consider such matters are broadly Page 17 of 18

18 encapsulated in the general principles set out elsewhere in ASIC s proposed regulatory guide Risk management systems of responsible entities. Responsible entities may decide the appropriate manner, in light of their circumstances, to assess and manage risks and the documentation of that. Nonetheless we have some comments on RG if ASIC proceeds with good practice guidance. 56. (RG ): RG (a) refers to risk treatment plans setting out the intention or objective of the treatment. This requirement may be superfluous given that the intention or objective of all risk controls or risk treatments is to reduce, mitigate or manage risk, so it may be superfluous to state the intention or objective of the treatment. We request ASIC consider removing or otherwise clarify RG (a). 57. RG (c) suggests as good practice that a risk treatment plan set out who is expected to implement the measures and who is to ensure adequacy of resources required to implement the risk treatment. When risk measures or treatments are implemented, it may not be the case that a written document will set out who will implement the treatment and the resources required to implement the treatment. It may be something which happens as a matter of course, that is, for example, a risk manager may simply undertake their task as part of their role. Whether resourcing decisions are required and written allocations as to who will implement the measures will depend on the nature of the risk being treated. For example, a significant risk with material impacts may require this analysis. Whereas, a less significant risk with a simple risk treatment may be treated with less formality and no resource decision may be required. We request ASIC consider refining RG (c) to reflect that what is appropriate (in documenting a risk treatment) will depend on the nature and significance of the risk and the risk treatment. Residual risks 58. (RG ): RG (page 48 of CP 204) states that (or might be interpreted that) any residual risks must be monitored by the board. We seek clarification that (material) residual risks are monitored by the board but other residual risks may be monitored by management (if not the board). Page 18 of 18