• NCCP Requirements • Greg Ashe
"Compliance" can be a pretty misused term, but it simply refers to your obligations. When it comes to your Credit Licence, these obligations can be split into two categories:
- Credit-related obligations - Responsible Lending and Best Interests Obligation; and
- Everything else - called your General Conduct Obligations (NOT "general obligations" btw).
Put aside the first one. Everyone is all over that, and most people think that's all compliance is about. It's the second one that's lacking in almost every system that QED sees.
Two of the General Conduct Obligations actually open up something of a Pandora's Box. You have an obligation to have a "compliance programme". A compliance programme is required to look at ALL your obligations. Not just those of the NCCP Act but other legislation too. It also requires you to manage your own internal obligations - your own policies as to how you want to run your business. The other one is the requirement to have a risk management programme. This really opens the whole world. This is looking at any event that could impact your business.
Try these quirky examples that most businesses don't think of when talking "compliance":
Workplace Health and Safety legislation in your State. It's a law that applies to you - you have to comply with it. Does your aggregator platform ask you when was the last time you documented a walk-around risk assessment of your office? CompliFast does.
Taxation Assessment Act 1936. Did you know that if you get into specific discussions with clients about costs of investment properties that they could offset against their personal income and you are not a Registered Tax Agent, you are breaking the law? Does your aggregator platform ask you whether or not you are doing this? CompliFast does.
Outsourcing of your internal business functions. ASIC doesn't have a policy on this but they do refer to the APRA one. Amongst other things, the recommendation is that you review your service providers at least once a year and ask yourself if you're getting what you need out of them. Does your aggregator platform ask if you did this? CompliFast does.
We get busy with sales and trying to keep up with every other thing. Compliance Management is a way of being sure we don't lose track of some important things. Why wouldn't you want periodic assurance that you're not going to injure your colleagues; why wouldn't you want to remind yourself not to give specific tax advice when there are substantial penalties involved; why wouldn't you want to be sure that the money you're paying to your service providers is worth it?
And it's not just the "knowing" - it's in documenting the knowing so you can prove it to yourself or any other party that needs to know you're on it.
THIS is Compliance Management:
- Know your obligations
- Set up controls to help you meet the obligations
- Test the controls regularly depending on how risky non-compliance would be
- Document the testing
- When your testing identifies that you made mistakes, document how you're going to fix them
This is not up for debate. This is not QED's "opinion" on which others can beg to differ. This is in accordance with a formally documented International Standard. All systems need to be "scaled down" to meet the context of a small business such as yours. However, beware, "scaled down" does not mean "non-existent"!
Does your aggregator "compliance" platform have all that? CompliFast does.