Relevant to: Board members and senior executives of banking, investment management, general insurance, and life & pension firms, particularly those involved with the implementation and governance of the Duty.
Firms are working hard to implement the Consumer Duty rules and guidance ahead of the 31 July 2023 deadline. In our experience, most firms have deployed significant resource and effort on the Duty, but its complexity and subjective nature have brought challenges. A key aspect of the Duty beyond its central principle, cross-cutting rules, and four outcomes is the requirement for firms to monitor and demonstrate they are acting to deliver good customer outcomes.
As part of the requirement for firms to demonstrate compliance, Boards are required to review and approve, at least annually, an assessment of whether the firm is delivering good customer outcomes. The Financial Conduct Authority (FCA) states that “at the end of implementation period, boards (or equivalent management bodies) should assure themselves that their firm is complying with their obligations under the Duty, and ensure the firm has identified any potential gaps or weaknesses in their compliance and any action needed to remedy this” (FCA, PS22/9). This means that Boards are expected to assess compliance with the Duty in the run-up to, and from, the end of the implementation period. This comes before the requirement for the formal Board Assessment report, which is not required until mid-2024.
There are a variety of tools and resources firms will use to demonstrate compliance with the Duty, such as Management Information (MI) and data, enhancing processes and controls to monitor customer outcomes across groups of customers, and implementing processes to amend and adapt products and communications where risks of potential harm are identified. In our experience, most firms have deployed their teams across the three lines of defence to contribute to the Duty implementation. This includes varying forms of assurance provided by the Compliance, Risk and/or Internal Audit functions, for example programme assurance from Internal Audit and/or reviews of regulatory interpretation from Compliance. More recently, firms have begun to ask about the role of external assurance as part of the overall toolkit to demonstrate compliance with the Duty. In this blog, we explore the role of a range of assurance services in helping firms demonstrate Duty compliance.
Assurance services provide a level of comfort over a specific subject matter, such as compliance with regulatory topics, as well as other procedures, controls, and reporting. Often provided by a third party, such services offer independent, objective challenge to management and/or Boards, to assist them in fulfilling their obligations.
Beyond the need to evidence compliance, there are key features of the Duty that make assurance valuable:
Different types of assurance over different areas of the Duty framework will suit different firms best.
There are two main considerations when choosing the most appropriate assurance:
Assurance can be provided over the customer outcomes being delivered – for example, through undertaking outcome testing at different points of the customer journey – as well as the implementation and/or operating effectiveness of Duty frameworks.
Assurance can also be targeted at specific aspects of the Duty requirements and specific parts of your business. The risk of poor customer outcomes and foreseeable harm will vary across a business, taking into account factors such as type of target market, product, distribution and business model.
When determining what to bring into scope, firms may want to consider:
For example, firms might want to consider assurance over product and value workstreams, including the rationale for any actions to amend, adapt or withdraw products. Outcome testing can also be targeted at key aspects of customer understanding and support, such as communications testing, especially given the size and complexity of the communications logs. Our Improving Customer Outcome Testing report provides more insight into this important tool.
We highlight the two types of assurance that are most relevant to the Consumer Duty. It is important for firms to decide which type would best meet their needs:
R&R assurance is the most suitable at present, given the relative newness of the Consumer Duty and the need for Duty frameworks to continue embedding. This type of assurance includes reviewing the Duty framework and making recommendations for enhancement including market insight and benchmarking intelligence. This can help refine and enhance the Duty framework in line with regulatory expectation and market practice, as well as provide recommendations for further proportionality and efficiency. There is full flexibility in scope, which is tailored to address each individual firm’s priorities, while complementing existing internal assurance work over the Duty.
R&R assurance, however, is not performed under a formal standard and does not deliver a formal opinion in relation to Consumer Duty compliance, as further specific work and testing is required to substantiate a formal opinion of this nature. R&R assurance is therefore a tailored and often more cost-effective approach to assurance for many firms.
Formal assurance opinions can provide Boards and other stakeholders with a higher level of comfort that their Consumer Duty control framework is designed, implemented and operating effectively. However, these formal assurance opinions are unlikely to be appropriate until the Consumer Duty regime is fully in force and firms are confident their control frameworks are sufficiently embedded.
These formal opinions are based on the International Standard on Assurance Engagements (ISAE) 3000, which provides a rigorous framework for this type of assurance, with the output being an opinion that can be made public or available to third parties. These ISAE 3000 engagements in relation to Consumer Duty compliance would assess whether the controls the firm has in place are designed and implemented appropriately to address the control objectives that management have determined are sufficient to meet the firm’s obligations under the Duty. The practitioner providing this assurance must also meet certain standards, such as having a robust system of quality control to be able to provide such services and issue an opinion.
This type of standards-based assurance is common in other areas of regulation – such as Libor assurance, regulatory reporting and ESG reporting – and provides Boards, as well as other stakeholders, with a higher degree of comfort over the controls in place to meet the firm’s regulatory obligations. With this higher degree of comfort comes a greater amount of work required by the practitioner to substantiate this formal opinion, when compared with R&R assurance.
Given the importance of the Duty to the FCA and Boards, we expect standards-based assurance over the Duty framework to become justified in due course, once the frameworks and control environment reach the necessary level of maturity.
Firms and Boards will have to assess their Duty compliance by the end of the implementation period on 31 July and on an annual basis thereafter. To help with demonstrating this, firms are starting to consider the role of external assurance and how it can fit in with internal assurance and other work being carried out. If the scope and approach are right, then assurance can help senior management not only gain peace of mind but also make sure that the Duty framework is proportionate, focussed on what really matters and delivering good customer outcomes.