At a glance:
- Firms and Boards have to assess their Consumer Duty (“Duty”) compliance by the end of the implementation period on 31 July and on an annual basis thereafter, including formal approval of an annual board assessment. Firms are starting to consider the role of external assurance around Duty compliance and how it can fit in with internal assurance.
- External assurance services can be particularly valuable for compliance with the Duty given the complexity and judgement required, as well as how customer needs and regulatory expectations will evolve over time.
- Not all assurance services are the same, so it’s important to make sure they are scoped right and delivered in the most appropriate way. Firms may want to focus on areas of higher risk, greater judgement or regulatory scrutiny when selecting which areas of the framework to obtain assurance on.
- Firms will also need to consider the right type of assurance service. In the short to medium term, this is likely to take the form of “Review and Recommend” assurance. This type of assurance includes making recommendations for enhancement, as well as providing market insight and benchmarking intelligence. This can help refine and enhance the Duty framework in line with regulatory expectation and market practice, as well as provide recommendations for further proportionality and efficiency.
- Given the importance of the Duty to the FCA and Boards, we expect standards-based assurance over the Duty control framework to become justified in due course, once the frameworks and control environment reach the necessary level of maturity. This will provide Boards with formal assurance opinions in relation to Consumer Duty compliance, which provides a higher degree of comfort.
Relevant to: Board members and senior executives of banking, investment management, general insurance, and life & pension firms, particularly those involved with the implementation and governance of the Duty.
Firms are working hard to implement the Consumer Duty rules and guidance ahead of the 31 July 2023 deadline. In our experience, most firms have deployed significant resource and effort on the Duty but the complexity and subjective nature have brought challenges. A key aspect of the Duty beyond its central principle, cross-cutting rules, and four outcomes is the requirement for firms to monitor and demonstrate they are acting to deliver good customer outcomes.
As part of the requirement for firms to demonstrate compliance, Boards are required to review and approve an assessment of whether the firm is delivering good customer outcomes, at least annually. The Financial Conduct Authority (FCA) states that “at the end of implementation period, boards (or equivalent management bodies) should assure themselves that their firm is complying with their obligations under the Duty, and ensure the firm has identified any potential gaps or weaknesses in their compliance and any action needed to remedy this” (FCA, PS22/9). This means that Boards are expected to assess compliance with the Duty in the run-up to, and from, the end of the implementation period. This comes before the requirement for the formal Board Assessment report, which is not required until mid-2024.
There are a variety of tools and resources firms will use to demonstrate compliance with the Duty, such as Management Information (MI) and data, enhancing processes and controls to monitor customer outcomes across groups of customers, and implementing processes to amend and adapt products and communications where risks of potential harm are identified. In our experience, most firms have deployed their teams across the three lines of defence to contribute to the Duty implementation. This includes varying forms of assurance provided by the Compliance, Risk and/or Internal Audit functions, for example programme assurance from Internal Audit and/or reviews of regulatory interpretation from Compliance. More recently, firms have begun to ask about the role of external assurance as part of the overall toolkit to demonstrate compliance with the Duty. In this blog, we explore the role of a range of assurance services in helping firms demonstrate Duty compliance.
Why consider assurance as part of your Duty toolkit?
Assurance services provide a level of comfort over a specific subject matter, such as compliance with regulatory topics, as well as other procedures, controls, and reporting. Often provided by a third party, such services offer independent, objective challenge to management and/or Boards, to assist them in fulfilling their obligations.
Beyond the need to evidence compliance, there are key features of the Duty that make assurance valuable:
- The FCA expects firms to apply a proportionate approach to Duty compliance which requires judgement and decision-making. For many firms developing their Duty frameworks, a key question has been how far to go and how much will be enough.
- Compliance with the Duty will evolve with changing customer needs, good market practice, and regulatory expectations. As a result, firms will need to have a dynamic approach to compliance that takes into consideration the changing environment.
- The breadth of Duty frameworks may lead to potential inefficiencies, as well as the risk of regulatory intervention. Duty frameworks need to bring together 10+ years of conduct good practice with the new Duty requirements and deliver it in a smart and streamlined way.
Different types of assurance over different areas of the Duty framework will suit different firms best.
How to approach assurance over the Duty
There are two main considerations when choosing the most appropriate assurance:
- Scope: Prioritising the aspects of your Duty Framework and business where assurance is most valuable; and
- Type: Deciding on the type of assurance that is most valuable and practical.
a. Scope: Which aspects of your framework and business?
Assurance can be provided over the customer outcomes being delivered – for example, through undertaking outcome testing at different points of the customer journey – as well as the implementation and/or operating effectiveness of Duty frameworks.
Assurance can also be targeted at specific aspects of the Duty requirements and specific parts of your business. The risk of poor customer outcomes and foreseeable harm will vary across a business, taking into account factors such as type of target market, product, distribution and business model.
When determining what to bring into scope, firms may want to consider:
- Areas where risk of customer harm (present or foreseeable) is highest. For example, higher risk products or parts of the customer journey;
- Newer, more complex or more subjective aspects of the Duty framework;
- Areas subject to more intense regulatory scrutiny in the past or in the near future;
- Areas of potential “greenwashing” risk that can lead to foreseeable harm. For example, sales and marketing disclosures. Please see our blog which expands on this link between climate risk and the Duty; and/or
- Products and processes that are more likely to be used by vulnerable customers, who in turn are likely to be at higher risk of poor outcomes.
For example, firms might want to consider assurance over product and value workstreams, including the rationale for any actions to amend, adapt or withdraw products. Outcome testing can also be targeted at key aspects of customer understanding and support, such as communications testing, especially given the size and complexity of the communications logs. Our Improving Customer Outcome Testing report provides more insight into this important tool.
b. Type: What type of assurance?
We highlight two types of assurance that are most relevant to the Consumer Duty. It’s important for firms to decide which type would best meet their needs:
- Review & Recommend (R&R) assurance; and
- Standards-based assurance.
R&R assurance is the most suitable at present, given the relative newness of the Consumer Duty and the need for Duty frameworks to continue embedding. This type of assurance includes reviewing the Duty framework and making recommendations for enhancement including market insight and benchmarking intelligence. This can help refine and enhance the Duty framework in line with regulatory expectation and market practice, as well as provide recommendations for further proportionality and efficiency. There is full flexibility in scope, which is tailored to address each individual firm’s priorities, while complementing existing internal assurance work over the Duty.
R&R assurance, however, is not performed under a formal standard and does not deliver a formal opinion in relation to Consumer Duty compliance, as further specific work and testing is required to substantiate a formal opinion of this nature. R&R assurance is therefore a tailored and often more cost-effective approach to assurance for many firms.
Formal assurance opinions can provide Boards and other stakeholders with a higher level of comfort that their Consumer Duty control framework is designed, implemented and operating effectively. However, these formal assurance opinions are unlikely to be appropriate until the Consumer Duty regime is fully in force and firms are confident their control frameworks are sufficiently embedded.
These formal opinions are based on the International Standard on Assurance Engagements (ISAE) 3000, which provides a rigorous framework for this type of assurance, with the output being an opinion that can be made public or available to third parties. These ISAE 3000 engagements in relation to Consumer Duty compliance would assess whether the controls the firm has in place are designed and implemented appropriately to address the control objectives that management have determined are sufficient to meet the firm’s obligations under the Duty. The practitioner providing this assurance must also meet certain standards, such as having a robust system of quality control to be able to provide such services and issue an opinion.
This type of standards-based assurance is common in other areas of regulation – such as Libor assurance, regulatory reporting and ESG reporting – and provides Boards, as well as other stakeholders, with a higher degree of comfort over the controls in place to meet the firm’s regulatory obligations. With this higher degree of comfort comes a greater amount of work required by the practitioner to substantiate this formal opinion, when compared with R&R assurance.
Given the importance of the Duty to the FCA and Boards, we expect standards-based assurance over the Duty framework to become justified in due course, once the frameworks and control environment reach the necessary level of maturity.
Firms and Boards will have to assess their Duty compliance by the end of the implementation period on 31 July and on an annual basis thereafter. To help with demonstrating this, firms are starting to consider the role of external assurance and how it can fit in with internal assurance and other work being carried out. If the scope and approach are right, then assurance can help senior management not only gain peace of mind but also make sure that the Duty framework is proportionate, focussed on what really matters and delivering good customer outcomes.