Responsible Lending and BID are only one part of a Licensee's obligations. Licensees are required to have a risk management and compliance programme, testing all the general conduct obligations, including the Licensee's financial, HR and IT resources; conflicts of interest; outsourcing; and complaints and compensation arrangements.
When it comes to your Credit Licence, these obligations can be split into two categories:
- Credit-related obligations - Responsible Lending and Best Interests Obligation; and
- Everything else - called your General Conduct Obligations (NOT "general obligations" btw).
Put aside the first one - most people in the industry think that's all it's about. It's the second one that's lacking in almost every system that QED sees.
Two of the General Conduct Obligations actually open up something of a Pandora's Box. You have an obligation to have a "compliance programme". A compliance programme is required to look at ALL your obligations. Not just those of the NCCP Act but other legislation too. It also requires you to manage your own internal obligations - your own policies as to how you want to run your business.
The other one is the requirement to have a risk management programme. This really opens the whole world. This is looking at any event that could impact your business.
And it's not just the "knowing" - it's in documenting the knowing so you can prove it to yourself or any other party that needs to know you're on it.
THIS is Compliance Management:
- Know your obligations
- Set up controls to help you meet the obligations
- Test the controls regularly depending on how risky non-compliance would be
- Document the testing
- When your testing identifies that you made mistakes, document how you're going to fix them
This is not up for debate. This is not QED's "opinion" on which others can beg to differ. This is in accordance with a formally documented International Standard. All systems need to be "scaled down" to meet the context of a small business such as yours. However, beware, "scaled down" does not mean "non-existent"!
Does your aggregator "compliance" platform have all that? CompliFast does.