Review of the Four Major Banks: First Report
7. Force Independent Reviews of Risk Management Systems
“When did I personally become aware of it?...As a result of the attention that it got earlier this year” Mr Ian Narev, CEO of the Commonwealth Bank, on how Four Corners alerted him to CommInsure’s alleged mishandling of claims[1]
“We made a mistake. It was poorly managed. We did not have the right controls and processes in place” Mr Shayne Elliott, CEO of the Australia and New Zealand Bank on the incorrect allocations of funds between 1,400 superannuation accounts for up to 12 months[2]

Recommendation 7

7.1
The committee recommends that the major banks be required to engage an independent third party to undertake a full review of their risk management frameworks and make recommendations aimed at improving how the banks identify and respond to misconduct. These reviews should be completed by July 2017 and reported to ASIC, with the major banks to have implemented their recommendations by 31 December 2017.
7.2
Effective risk management and mitigation is central to protecting consumers and other stakeholders from problems before they have the chance to arise or become endemic.
7.3
Over the last two decades Australia’s major banks have demonstrated that they have robust, forward looking, financial risk management frameworks.[3]
7.4
It is disappointing that the committee cannot say the same of the frameworks that are in place to manage risks that threaten consumers.
7.5
The processes that the major banks have in place to protect consumers seem to be reactive, rather than proactive. APRA’s Chairman, Mr Wayne Byres, agreed with this conclusion. He noted that:
I think there has rightly been a lot of attention in the banking industry given to financial risks...There has probably not been the attention given to the soft stuff - to cultural issues and the impacts that they can have...[4]
7.6
On numerous occasions, bank CEOs only became aware of issues of serious misconduct and operational failings after, in some cases, thousands of consumers had been negatively affected. For example:
  • the collection of around $178 million in financial advice fees for which no financial advice was provided;
  • the provision of poor financial advice at NAB[5] (which has since resulted in more than $21 million in compensation);
  • OnePath (ANZ’s wealth management arm) charging more than 400,000 customers inappropriate fees on four occasions since 2015;[6]
  • NAB incorrectly calculating returns for around 62,000 wealth management customers (for which it has had to refund $25 million);
  • Westpac incorrectly collecting $29.2 million in fees from account holders and credit card customers;[7]
  • Westpac failing to identify 11 financial planners guilty of misconduct;[8] and
  • Capital Finance Australia (a Westpac subsidiary) breaching important consumer protection provisions in the National Consumer Credit Protection Act 2009 58 times during three months in 2015.
7.7
As further evidence, there are a number of cases where CEOs only became aware of issues of serious misconduct after external parties brought them to their attention. For example:
  • Mr Narev, CEO of the CBA, was unaware of poor claims handling practices at CommInsure prior to the ABC and Fairfax investigation;
  • CBA was unaware of serious misconduct - including fraud - in its financial planning division prior to a whistle-blower going public in 2013; and
  • Mr Elliott, CEO of the ANZ, would arguably still be unaware of highly unethical behaviour within his bank’s institutional division had ASIC not commenced an investigation into that division of the bank.[9]
7.8
It is unacceptable that, in the case of CBA (and ostensibly other institutions), existing ‘quality assurance systems ...failed to identify patterns of bad behaviour.’ [10]
7.9
The committee is pleased to hear that each of the major banks has increased investment in the systems that they use to identify misconduct.[11] APRA’s Chairman noted that:
They [the banks] are looking harder for instances where things have gone wrong and people have been mistreated...to the extent that they are finding them...I think that is a cleansing of past issues.[12]
7.10
However, in most cases these changes appear to have been ad hoc and in response to known failures. They have been reactive.
7.11
From the testimony provided, it is not clear that all of the major banks have completely reviewed the processes that they have in place to protect consumers, despite the numerous observable failures of these systems.[13]
7.12
Even in cases where reviews have been undertaken, given that ‘approaches to understand and manage risk culture are at a relatively early stage of development [within prudentially regulated institutions]’[14] and that demonstrable links exist between poor risk culture and the potential for poor consumer outcomes, the committee believes that further reviews are required.
7.13
For this reason, the committee recommends that each of the major banks be required to engage an independent third party to undertake a full review of their risk management frameworks and make recommendations aimed at improving how the banks identify and respond to misconduct. These reviews should focus on:
  • the development of a proactive framework to identify and manage risks to consumers;
  • the creation of an ‘early alert’ system, similar to those used in other industries, to ensure that relevant executives are informed of emerging problems;
  • the merits of a ‘product recall’ tool that can be triggered in response to a range of fixed criteria, to supplement ASIC’s proposed product intervention and banning power; and
  • the appropriateness of existing training on, and frameworks to support, whistle-blowers and whistle-blower protections.
7.14
As noted by APRA’s Chairman, improving the major banks’ ability to detect and respond to risks to consumers is critical because:
...it [culture and compliance frameworks] is essential to long-run financial health and long-term community trust in the financial system. The financial system - banking in particular - is a business of trust. If you lose that trust, you lose your franchise.[15]
7.15
The outcome of these reviews should be submitted to ASIC. This will also allow ASIC to monitor the implementation of their recommendations.

[1] Mr Ian Narev, CEO of the CBA, Committee Hansard, 4 October 2016, p. 19.

[2] Mr Shayne Elliott, CEO of the ANZ, Committee Hansard, 5 October 2016, p. 3.

[3] For example: Mr Andrew Thorburn, CEO of NAB, Committee Hansard, 6 October 2016, p. 21.

[4] Mr Wayne Byres, Chairman of APRA, Committee Hansard, 14 October 2016, p. 9.

[5] Mr Andrew Thorburn, CEO of NAB, Committee Hansard, 6 October 2016, p. 10.

[6] Mr Shayne Elliott, CEO of ANZ, Committee Hansard, 5 October 2016, p. 5.

[7] Mr Brian Hartzer, CEO of Westpac, Committee Hansard, 6 October 2016, pp. 44-45.

[8] Mr Brian Hartzer, CEO of Westpac, Committee Hansard, 6 October 2016, p. 57.

[9] Mr Shayne Elliott, CEO of ANZ, Committee Hansard, 5 October 2016, p. 15.

[10] CBA, Submission Senate Economics References Committee: Inquiry into the scrutiny of financial advice, December 2014, p. 5.

[11] Mr Andrew Thorburn, CEO of NAB, Committee Hansard, 6 October 2016, p. 10; Mr Ian Narev, CEO of CBA, Committee Hansard, 4 October 2016, p. 2; Mr Brian Hartzer, CEO of Westpac, Committee Hansard, 6 October 2016, p. 41; Mr Shayne Elliott, CEO of ANZ, Committee Hansard, 5 October 2016, p. 15.

[12] Mr Wayne Byres, Chairman of APRA, Committee Hansard, 14 October 2016, p. 10.

[13] Mr Hartzer’s evidence suggests that Westpac has reviewed all of its processes to enable Westpac to identify risks - including conduct risks - on a more proactive basis.

[14] APRA, Information Paper: Risk Culture, October 2016, p. 14.

[15] Mr Wayne Byres, Chairman of APRA, Committee Hansard, 14 October 2016, p. 9.