Holders of an Australian Credit License (ACL) must comply with the general conduct obligations outlined under the NCCP and ASIC Regulatory Guide 205 Credit Licensing: General conduct obligations.
As a credit licensee, you must be able to demonstrate that you have arrangements in place to ensure you meet these obligations. So let’s take a look at the obligations and expectations.
Your broad compliance obligations | |
Engaging in credit activities efficiently, honestly, fairly | You must do all things necessary to ensure that the
credit activities authorised by your licence are
engaged in efficiently, honestly and fairly: see
s47(1)(a) |
Complying with the conditions on your licence | You must comply with the conditions on your licence:
see s47(1)(c) |
Complying with relevant laws | You must comply with the credit legislation: see
s47(1)(d)
You must comply with any other obligations that are
prescribed by the regulations: see s47(1)(m) |
Your internal systems | |
Risk management systems | Unless you are a body regulated by the Australian
Prudential Regulation Authority (APRA), you must
have adequate risk management systems: see
s47(1)(l)(ii) |
Conflicts of interest | You must have in place adequate arrangements to
ensure that your clients are not disadvantaged by any
conflict of interest that may arise wholly or partly in
relation to credit activities engaged in by you or your
representatives: see s47(1)(b) |
Dispute resolution | You must have an internal dispute resolution
procedure that:
· complies with standards and requirements made or approved by ASIC in accordance with the regulations (see s47(1)(h)(i)); and
· covers disputes in relation to credit activities engaged in by you or your representatives (see s47(1)(h)(ii))
You must be a member of the Australian Financial
Complaints Authority (AFCA): see s47(1)(i) |
Your people | |
Ensuring your representatives comply | You must take reasonable steps to ensure that your
representatives comply with the credit legislation: see
s47(1)(e) |
Reference checking and information sharing | You must comply with the ASIC Reference checking
and information sharing protocol (ASIC protocol) in
relation to prospective representatives who will act as
mortgage brokers or financial advisers: see s47(1)(ea) |
Training and individual competence | You must ensure that your representatives are
adequately trained, and are competent, to engage in
the credit activities authorised by your licence: see
s47(1)(g) |
Organisational competence | You must maintain the competence to engage in the
credit activities authorised by your licence: see s47(f) |
Your resources | |
Adequate resources | Unless you are a body regulated by APRA, you must
have available adequate resources (including
financial, technological and human resources) to
engage in the credit activities authorised by your
licence and to carry out supervisory arrangements:
see s47(1)(l)(i) |
Compensation arrangements | You must have compensation arrangements in
accordance with s48: see s47(1)(j) |
Ensuring compliance with the general conduct obligations | You must have adequate arrangements and systems to
ensure compliance with your obligations under s47(1),
and a written plan that documents those arrangements
and systems: see s47(1)(k) |
For the full guide please refer to https://asic.gov.au/regulatory-resources/credit/credit-general-conduct-obligations/rg-205-credit-licensing-general-conduct-obligations/
So, what does this mean for you?
ASIC expects that you have documented policies and processes and you must implement these policies and processes and monitor adherence to them. Policies must be regularly reviewed to confirm they are up to date. ASIC specifically note: if you do not do this, we think you will find it difficult to show you are complying with the general conduct obligations. (RG205.28)
How you choose to document your policies and procedures is up to you. For example, you may have one “compliance policy” which covers all the required elements or you may have a separate policy for each topic.
At a minimum, you must have the following documented:
Complaints and IDR policy and process
Compensation and customer remediation policy and process
Monitoring and supervision policy and process
Training and education policy
IT security and data breach reporting policy and process
Risk management policy
Compliance policy covering adherence to relevant laws and legislation (NCCP, BID, AML / CTF, Privacy)
Resources – human resources, financial resources
At a minimum, you should have the following registers:
Referral register
Conflicts of interest register
Complaints register
Breach register
Policy breach register
Data beach register
Best practice policies, processes and registers would also cover:
Breach reporting in accordance with mandatory breach reporting obligations (refer to the article: Preparing-your-business-for-Mandatory-Breach-Reporting-obligations-
Outsourcing operations policy and process (if relevant)
Referral partners policy and process (if relevant)
Gifts and hospitality register
So, what’s next?
In addition to having policies and processes, you are required to implement these, monitor adherence, and review them on a regular basis. During your review, it is important to consider your business to ensure these are relevant to the size and scale of your operations.
There are third-party service providers who can assist with creating relevant policies for your business as well as conducting loan file reviews. For more information, contact [email protected]
There is no doubt, that your obligations are increasing. The expectations by ASIC continue to evolve and you may be wondering if all the time and resources to maintain your license match the benefits. If you want to discuss your options, contact your Partnership Manager of the compliance team.
If you are completing your Connective ACL attestation, select the answers which best fit your business. If you don’t have policies and processes you can contact us to discuss your options.