Most business people, if asked to comment on the state of the EU, would provide their views on the problems facing the European economies. For those in the Australian financial services industry the question may prompt a very different answer. For example, "Our EU is costing us a fortune, we've had experts and consultants trawling through our business for the last 12 months" or "The training never seems to stop; I wish we could get it over and done with and get back to business".

The financial impact of an enforceable undertaking, or EU, can be significant and may lead to cash flow difficulties for the affected business or person. Sometimes the Pingee agrees to pay compensation, but even in the absence of this, the professional fees and business interruption can be significant.

Because the transparency of ASIC's dealings is important, all EUs are public documents and can be easily accessed through ASIC's website. Typically, ASIC also issues a media release informing the community of the EU, and this can have a reputational impact.

However, there is also a positive side to EUs. Typically, the matters that raise ASIC's concerns are breaches of what we like to refer to as 'the ten commandments'. Not THE ten commandments, of course, but the general obligations of Licensees set out in section 912A of the Corporations Act. These are the obligations to have things like: a risk management framework, a process of managing conflicts of interest, a program for the training of staff and appropriate procedures to monitor and supervise them, a good complaints handling and dispute resolution system, and adequate technological, human and financial resources.

The way to look at these obligations is as a series of business systems, rather than as isolated regulatory obligations. One of the policy objectives of the Corporations Act is to have an efficient and healthy financial services sector. The ten commandments should be seen as a 'how to' for running a successful financial services business. If each of the systems is working and the information flowing from the systems is informing the other systems, the outcome will be a well-run business.

For example, if the risk management framework is being properly used, it will assist the business to understand the environment in which it is conducting its business. The environment will include its internal environment, which will force it to look at things like its mission, its values and its service and/or product offering. It will also include its external environment, requiring it to inform itself of the economy, upcoming changes in legislation, what its competitors are doing, what the politicians and the regulators are doing, what is on offer with changes in technology, and so on. The business can then identify the risks, which include the risk of missing out on opportunities, and evaluate and treat them. In this way its scarce resources are allocated efficiently and the somewhat competing objectives in the obligation to conduct its business "efficiently, honestly and fairly" can be managed.

Some of the actions put in place to treat particular risks will include training. Information gathered during training can inform risk assessment. Complaints provide valuable intelligence for the business and assist in identifying client needs and ways to better meet them. That information will inform risk assessments and also the training programs.

The failure to report breaches is a common concern leading to EUs. The breach reporting obligation is a form of industry self-regulation. The regulatory regime is complex and it is difficult to know all of the obligations and to keep up with changes. It is even more difficult, particularly for large licensees with geographically spread workforces, to ensure that all of their representatives comply with all of the laws all of the time. I would go so far as to say that it is impossible or, to put it another way, everybody is breaching.

A failure to report breaches may therefore be more of an indication that the Licensee does not have a functioning system for identifying, considering and reporting breaches than that there have not been any breaches. It may also be indicative of a culture which seeks to hide breaches rather than to deal with them.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.