Duty Calls - How Should Internal Audit Tackle the Consumer Duty?

Introduction

The FCA’s rules on Consumer Duty were finalised in July 2022. The impact of the Consumer Duty on FS firms is unprecedented, with the FCA expecting a ‘paradigm shift’ which will require significant strategic and operational change. A recent survey found that most firms have commenced programme activity [1], and per the FCA’s latest guidance Boards are expected to have agreed implementation plans that include evidence of scrutiny and challenge by October 2022. The Duty rules will be effective from 31 July 2023 to all products and services that are either new, remain on sale or are open for renewal. The Duty will also apply to closed products and services from the end of July 2024.

Internal Audit should consider whether their current approach to the Consumer Duty is sufficient – a standalone review towards the beginning of 2023 is unlikely to be enough. Leading-edge Internal Audit functions should be involved from programme inception, providing real-time design assurance, all the way to supporting Board attestations with an annual opinion on the principles of the Consumer Duty. We also expect that the ongoing requirements of the Consumer Duty could reposition the focus of some traditional Internal Audit activity going forward, including challenging skill-sets and capabilities around conduct further, and may act as a burning bridge for Internal Audit to modernise their ways of working.

In this blog we will explore why the Consumer Duty is so important for Internal Audit, what Internal Audit functions need to consider, and how they can provide impactful assurance at each point in the programme’s lifecycle.

 Why is it important for Internal Audit?

As firms seek to design, implement and embed the processes and controls that will be required to meet the Consumer Duty rules, Internal Audit functions have a critical role to play for the following reasons:

Supporting the business 

For many firms, the Consumer Duty changes will require a depth of technical expertise across a broad range of topics, including programme delivery, product governance, and customer outcome testing. A key concern for senior management is that their programmes do not adequately capture all relevant risks and dependencies to meet the principles of the Consumer Duty.

In addition, we are seeing many firms wrestling with capacity to deliver their Consumer Duty programmes against existing BAU transformation, with many either doing this side of desk, and relying on risk and compliance colleagues to support delivery, which could pose risks to the second line’s independence.

Internal Audit will play a critical role in assessing the effectiveness of the programme design and governance, providing assurance that the programme is looking at the right areas, and giving confidence to the business around delivery milestones.

Supporting the Board

In advance of the rules being implemented by July 2023, the FCA have set out their expectation that the Board will have signed off the Duty implementation plans by October 2022. We expect Internal Audit to play a key role in providing an opinion on the appropriateness of the plan activity that will be presented to the Board.

Following the implementation date, the Board will be expected to provide annual assessments to confirm that their Firm has taken the appropriate steps to ensure the Consumer Duty principles have been met and that fair outcomes are being achieved. The first report is expected within 12 months of the rules coming into effect, so the first report must be finalised before the end of July 2024.

The Board will need to place confidence in their attestations. First and foremost, these will rely on strong monitoring and reporting mechanisms supported by a clear understanding of operational controls, but we also expect Internal Audit’s opinion to form a key component of the information the Board will use to inform their attestation.

Importantly Internal Audit activity regarding Consumer Duty should not end at the point that the programme is considered to have been embedded effectively and is seen as BAU activity. Attestations will be expected on an annual basis and Internal Audit should consider how they will provide ongoing assurance.

What should Internal Audit be looking at and when?

The following diagram aligns Internal Audit considerations against the four phases we would expect any Consumer Duty programme to follow:

How should Internal Audit be looking at it?

As part of the roadmap, individual workstreams will be defined, with some workstreams potentially being enterprise-wide and some being developed at a divisional level. Internal Audit teams will need to ensure that whichever approach is adopted it provides adequate assurance across both the requirements of the outcomes and the cross-cutting rules.

During the initial phases Internal Audit activity will focus on the design of the Programme and the outputs of the gap analysis. At this stage the most valuable output for the business will be timely insights which keep the project on the right track with regular, actionable observations. Features of these reviews could include considerations such as real-time assurance with regular check-ins with the business and ungraded assurance opinions.

As the project moves into the implementation phase Internal Audit will want to consider how they look at the operating effectiveness of controls. Given the potential impact these controls can have on customers, Internal Audit should consider transitioning to a more traditional reporting approach to ensure that the Board and Audit Committee have sufficient oversight of material issues. Figure 2 below provides an illustrative example of what this roadmap could look like:

Beyond July 2023

Looking beyond the July 2023 implementation date Internal Audit should consider how it will provide ongoing assurance to support the attestation process. Whilst most firms have not yet determined their approach to this, an Internal Audit annual opinion would be valuable to both operational management and the Board. The opinion could include:

• Assurance that any changes to the attestation process are designed appropriately;
• Assurance that the processes and controls underpinning the attestation are operating effectively;
• Highlight any issues or risk events relating to the Duty that have occurred in the year; and
• An opinion on the overall culture in place to adhere to the principles of the Duty.

Given the significant regulatory focus that the Consumer Duty brings, it will be increasingly important that Internal Audit can demonstrate that they have the appropriate skillset to identify issues relating to matters such as customer outcomes and product governance, amongst others. Where gaps are identified and not remediated, Internal Audit will struggle to provide a meaningful opinion regarding whether Consumer Duty principles are being upheld.

As with any opinion, Internal Audit will also need to consider whether their audit plans provide appropriate coverage of Consumer Duty related principles to enable them to make the right judgement calls.

Conclusion

Whilst we've seen regulations such as GDPR and SMCR that have effected large-scale enterprise-wide changes and increased individual accountability before, if approached in the right way, the Consumer Duty is a unique opportunity for Internal Audit to strengthen relationships with the business and further establish themselves as a trusted partner to provide valuable insights and recommendations that further support the Board as it seeks to provide its annual attestation on the Consumer Duty.

[1] An informal survey conducted in June 2022 of 31 respondents found that 5 had not commenced their project, 17 were just starting and 9 had established their project and were starting programme activity.