Address by Director of Consumer Protection, Bernard Sheridan, to the Institute of Internal Auditors

16 April 2015 Speech

Outcomes focussed, evidence based – delivering consumer protection in a changing world

I would like to thank the Institute for inviting me to speak this morning.  I note the theme of your conference – Internal Audit: Champions of Positive Change and I welcome this timely opportunity to share with you some of my thoughts on how we, in the Central Bank, are delivering consumer protection for consumers of financial services in a changing and challenging environment.  Having recently published our first Consumer Protection Outlook Report I will outline how we are further developing our approach to consumer protection by increasing our emphasis on delivering sustainable consumer outcomes.  Internal audit is an important function and can play such an influential role both with regard to an organisation’s culture and practices and in how people behave.  As the focus on consumer protection increases we expect that the role played by internal audit in helping deliver the best outcomes for consumers through your work with firms will also increase.  In that context as I was preparing for this morning I was struck by the fact that many of the challenges facing internal auditors are very similar to those which we face in delivering on our consumer protection mandate in the Central Bank. I will touch on a number of the themes we are directing our attention towards in our work as well setting out how I see the role of internal audit responding to our expectation of firms going beyond compliance to demonstrating that they are delivering better outcomes and are acting in the best interests of consumers. I trust that by sharing our insights and experiences I will prompt your thinking and provide some potential pointers about how you approach internal audit in the consumer protection space.

Central Bank role 

The Central Bank has a statutory objective of effective regulation of financial service providers and markets WHILE ENSURING THAT THE BEST INTERESTS OF CONSUMERS ARE PROTECTED.  The importance we place on consumer protection is reflected in our mission statement of Safeguarding Stability – Protecting Consumers.  Our consumer protection strategy forms a key part of the Central Bank’s overall wider strategy including our prudential supervision mandate and financial stability goal.  Our consumer protection strategy is delivered in the context of our consumer protection mission of “Getting it right for consumers” using what we call the 5Cs Framework which helps us focus on the outcomes we are trying to achieve. The 5Cs Framework has the Consumer as its first C and is at the centre of our work and, we expect, is clearly demonstrable at the centre of delivery of financial services and products within the firms we regulate. In our view, this can only be achieved where firms have a consumer focused Culture which enables consumers to have Confidence in the financial decisions they are making and in the firms they are dealing with.  However firms need to continuously Challenge themselves and be challenged by the regulator where their focus is not on those consumer outcomes.  There is a need and an appetite for appropriate regulatory action where firms fail to deliver or to demonstrate that they have delivered good consumer outcomes in a Compliant way. 

Within consumer protection, we deliver our mandate through a risk-based, forward-looking and outcome focused way through three broad functions: 

  • Policy function - where we work to ensure the consumer protection framework is fit for purpose through developing and influencing policy and strategy at home and at European/international fora.
  • Gatekeeper function – where we guard the regulatory perimeter through the authorisation of individuals and firms to provide financial services for low impact firms.
  • Supervisory function - where we monitor, review, investigate and enforce compliance (and require redress by firms) with the consumer protection framework requirements in place through onsite, desk-based and thematic work. 

The financial sector in Ireland is made up of a large number of different types of firms which are engaging with retail consumers and range from the largest banks and insurance companies to smaller firms like intermediaries, payment institutions, debt management companies and moneylenders.  It is also currently planned that we will assume responsibility for credit servicing firms during 2015. Our overarching objective is to ensure that consumers are treated fairly and with dignity and respect and that regulated firms act in their consumers’ best interests in all that they do.   Critical to the success of our work, therefore, is that culture, practices and behaviours change in terms of how consumers are treated.  Certainly having a strong consumer protection framework in place underpins the right behaviours that consumers expect and require.  Also having a robust gatekeeper helps maintain standards from the point of entry and strong monitoring and enforcement of the rules drives a more compliant culture.  However it is only when the culture drives firms to go beyond compliance and is focused on the needs of consumers and delivering the right outcomes that sustainable change occurs.  This culture must be driven from the top down with boards taking responsibility for ensuring and being assured that all levels of their organisation are aligned to that culture. 

Environment within which we work

The financial services environment and how firms are engaging with consumers is constantly changing.  New products, new distribution channels, new sectors emerging as well as increasing online and cross border sales represent challenges for the regulation of firms.  Emerging risks both at home and at European level as well as the growing influence of European bodies on the consumer protection landscape all help shape the way we approach our work.  The European Commission has been developing a number of directives covering mortgage credit, insurance intermediation, payment accounts, payment services, and investment services.  In addition to this the three European Supervisory Authorities with responsibility for banking, insurance and investments are all progressing initiatives in consumer protection.  It is important that the Central Bank plays its part in the development of such initiatives in order to influence and shape the consumer protection framework.  We participate on all of the main standing committees on consumer protection and I am currently chairing the EBA Standing Committee on Consumer Protection.  Many of these European initiatives will be in the form of guidelines issued on a comply or explain basis and may apply directly to firms as well as the supervisory authorities.  Countries will be required to demonstrate how they are implementing the guidelines and in this context greater focus will be placed on having the evidence to demonstrate compliance.

Evolving consumer protection model 

Within this context, during 2014 we commenced a review of our approach to consumer protection in order to ensure that we continued to be as effective, responsive and anticipatory as possible to identifying and mitigating consumer detriment risks that firms may pose to consumers. Our consumer protection model has been evolving over time as we deliver our mandate and learn from our experiences, engagement and feedback from key stakeholders including the Consumer Advisory Group which advises us on key policy and strategic issues, consumer and industry bodies, statutory bodies and others. We have also been subject to review by international peers, most recently from the Dutch regulator, which has really helped inform our thinking – more on that later.  A key outcome from these reviews has been the confirmation of the importance of Culture as an ongoing and key priority for us in our regulation of firms. 

I do appreciate that culture doesn’t change overnight and we will continue to challenge firms to demonstrate to their customers and to ourselves how they are delivering in the best interests of the consumers. 

The right consumer focused culture helps ensure that at all times and particularly during a period of challenge and change in the financial services environment, the priority of consumer protection remains where it should be, i.e. with the firms themselves.  From our own visits and ongoing engagement with firms we can see how positive cultures can result in better outcomes for consumers.  Where there is a strong consumer culture, such firms tend to have fewer compliance issues and a more positive engagement with us as regulator.  

Our review has culminated in the publication of our first Consumer Protection Outlook Report in February.  The Outlook Report is structured around the 5 Cs framework and sets out our key consumer protection objectives, the potential risks we see to those objectives being achieved and critically it confirms the continuation of our established focus on the outcomes we are seeking to achieve namely that: 

  • Consumers are treated fairly.
  • Consumers are treated with dignity and respect.
  • Firms act in the best interests of their customers.

It also identifies a number of priority issues for action and sets out our expectation of industry in dealing with those issues.  The publication of the Outlook Report has brought greater transparency to what we are about and what we see as some of the big challenges facing us in delivering our consumer protection mandate.  Change is always going to be with us so it is important we review what we are doing, assess the risk environment for consumers, learn from it and respond in a responsible way should our priorities need to change.  Therefore, we are committed to keeping the Outlook Report under review with our key stakeholders in order to reflect the changing environment as we move out of crisis to recovery mode over the next few years.

In the wider context of evidence based supervision we have set out in the Outlook Report that we will increasingly require firms and their boards to be able to demonstrate how they are going beyond the minimum standards and how their culture, business models, incentive structures, products and services meet the underpinning principle of consumer protection.  

Specific mandatory rules set a minimum standard, but we expect a firm with the right culture to go beyond tick box compliance with these minimum requirements. Therefore it will be important for firms to not only maintain the appropriate records to show compliance but also to have the information to show how the products and services they are providing are delivering the right outcomes for their customers. I would urge you to consider this point in your audit work and to challenge your firms to demonstrate, with hard evidence, how they are getting it right for consumers.

Peer Review 

I thought it would be useful to briefly update you on the completion of a peer review of our consumer protection function by the Netherlands Authority for Financial Markets (AFM).  It is important that we as the regulatory authority are open to review and examination in order to ensure we are doing the best we can and in a period of significant change it is very useful to obtain the views and input from an external peer perspective.  Importantly, the primary focus of this review throughout has been on mutual learning between the Central Bank and the AFM by facilitating knowledge sharing in relation to best practices and challenges facing each jurisdiction.  In addition,  it resulted in a very open engagement between the authorities and has also helped us develop a stronger relationship with the AFM for the future which can only be of benefit to us.  Although worldwide there is increasing focus on consumer protection by policy makers and regulators, there are still limited internationally accepted common standards and effective practices in this field.  This peer review signifies the first time that the G20/OECD High-Level Principles on Financial Consumer Protection have been used as a basis for such a review and has, accordingly, elicited international interest in the process, the report and the learnings.  The outcome of the review was published in March and is available on our website.  The report endorsed the direction of consumer protection travel as outlined in our consumer protection model while also helpfully identifying areas where we could develop it further to retain and enhance the central focus on the consumer.   It contained recommendations on how we prioritise our work and also highlighted and affirmed the need to place increased focus on culture and compliance motivation among firms, enhance our approach to product oversight and governance and improve our supervision of low impact firms.  The report also cited some good practices within our consumer protection model including our engagement with stakeholders and motivation and commitment of staff. 

Role of Internal Audit

I have outlined how we are delivering on our consumer protection mandate and some current developments in how we are approaching and continuously reviewing our work.  I would like to take this opportunity to touch upon a number of issues for you to reflect on in the context of your internal audit function in our regulated firms.  I believe that these will be of benefit to you as internal auditors playing your part in helping deliver consumer protection outcomes and being champions of positive change.  I have looked at a number of recent surveys of internal audit which highlight a number of challenges that you face in the delivery of your function.  I have also reviewed the revised supervisory guidance for assessing the effectiveness of internal audit functions in the context of the Basel Committee on Banking Supervision.  This guidance lists 20 principles and there are four areas that I would like to cover as I believe they very much resonate with our consumer protection model and reflect areas of focus and priority within our Outlook Report – strategy development and alignment; managing expectations/expansion of scope; role of the board and senior management and measuring success. 

Strategy Development and Alignment 

Basel Committee Principle 1 provides for the role of internal audit to provide independent assurance on internal controls, risk management and governance systems and processes.  Principle 5 provides for an internal auditor charter which should set out the purpose and scope of the internal audit function.  The recent EY survey reports that over half of internal auditor respondents identified that their internal audit functions did not have a documented mandate aligned to the overarching strategy of their business.  This is an area where we, as regulators, have placed importance.  Our consumer protection mandate stems from the Central Bank’s statutory role as I have just outlined and our consumer protection strategy has been developed in the context of the wider organisation’s strategy and is subject to continuous development. Key to the successful delivery of our mandate is this alignment with the overall strategy alongside full support and understanding internally on what we are trying to achieve and clarity for our external stakeholders, including firms, in relation to what our strategy means in real terms. 

Similarly for regulated firms it is important that they clearly set out within their business models and strategies what they assess as the main risks for their customers, how they are dealing with them and what specific metrics they have in place for measuring how well the risks are being managed and mitigated, and how they put things right when they go wrong.  This goes beyond compliance with the minimum standards but forces firms to have the appropriate governance and controls in place which are focused on the consumer risk.  This in turn assists internal auditors to develop and document their own strategies, and helps ensure that their strategies are fully aligned with the overall aims of the business as well as helping ensure that these consumer risks can be the focus of internal review. 

Scope of activity and managing expectations 

Principle 6 sets out the scope of internal audit activities for banks.  Essentially everything is in scope within the firm’s business, including any outsourced activities.  Principle 7 provides that activities should ensure adequate coverage of matters of regulatory interest.  It is important that internal auditors consider all areas for examination including risks posed by firms to consumers which is clearly a priority for us within consumer protection.  Our own reviews of firms consistently and worryingly demonstrates that levels of compliance in outsourced activities can be lower as firms over-rely on third parties to ensure compliance rather than taking responsibility for gaining clear direct evidence of full compliance.  

The recent Deloitte’s survey of heads of internal audit showed that 63% of respondents advised the scope of internal audit functions has widened and, in addition 74% said that stakeholder expectations of internal audit has changed over the past three years.  This undoubtedly presents many challenges for internal audit where priorities keep changing and new areas of expertise are required.  These are similar challenges which we face in consumer protection where the scope of our role continues to expand with new sectors falling to be regulated, new products emerging posing different risks to consumers and also the increased pace of developments at European level which needs to be managed.  In response, we seek to build up and enhance the necessary skill base in order to deliver on our mandate and also that we learn from other supervisory authorities who have experience already in these areas.  Learning and sharing is important - we maintain strong links with other regulators both in Europe and further afield to help us in this regard.  In terms of dealing with the issue of increased expectations of our important role in protecting consumers of financial services, we believe it necessary to be very clear with both internal and external stakeholders on what our role is, our priorities and also what we are seeking to deliver in terms of consumer outcomes.  Open communications also have a part to play in managing expectations.  We publish the findings of our themed reviews and inspections, our Outlook Report and we also publish formal enforcement actions taken so that people can see exactly what we do in a timely and accessible way. However I believe that there is strong merit in not only highlighting poor practices but also recognising good practices when we see them.  Many firms want to do the right thing for their customers and are working hard to achieve this.  It is important that we encourage these behaviours while at the same time dealing with those firms who are lagging behind. 

Similarly for internal audit it is important that, in addition to having a clear documented strategy, there is support and scope for continuous learning from both within and outside the firm.  Also it is essential that there is shared clarity around consumer protection priorities and expected outcomes and I would argue that ensuring the risks to consumers are properly managed should rank as one of the key risks facing firms and therefore to form an important element of internal audit plans.   

Role of the board and senior management 

Principle 9 provides that the board has ultimate responsibility for ensuring senior management maintains an appropriate internal control system.  It also provides that the board should support the internal audit function in discharging its duties effectively.  This brings me back once again to the culture issue and my point of emphasis that consumer focused culture permeates from the top down through the organisation to the points of contact with the consumer. In our approach to consumer protection we have a programme in place for engaging directly with boards and CEOs to raise the profile of consumer protection and to reiterate at the senior level of the organisation our expectation that all firms develop internal consumer protection risk frameworks, reflecting the nature, scale and complexity of their businesses and to provide the right support structure to embed the right culture.  These frameworks will then support firms to deliver a more sustainable consumer-focused business model.

While many firms are in the early stages of developing such internal frameworks we believe it is an important development and one which would benefit from the advice and input of not only the compliance function within the firm but also internal audit expertise.  This would also provide the internal auditors with an elevated insight and fuller understanding of how the firm ensures that the framework is embedded throughout the organisation and how it will deliver the right outcomes thereby resulting in more effective audits. 

Measuring success/effectiveness 

Principle 5 relating to the internal audit charter provides that it should set out the purpose and scope of the internal audit function.  Principle 12 provides for the internal audit function to be accountable to the board or its audit committee on all matters related to the performance of its mandate.  It is interesting to note that key measures of success are not required to be in the charter or reported up to the board.  The EY survey examined the key metrics used by internal auditors with completed audits per plan coming out on top (86%) with significance of findings and recommendations second at 74%.  EY concluded that senior management and boards need to get better at giving feedback to the internal audit functions on their performance.  I would suggest that it should also work the other way as well, with more proactive feedback being sought by Internal Audit from the firm’s board or audit committee.  This is an area where we have increased our proactive approach to gaining feedback relating to the delivery of better outcomes. These outcomes stem from the key risks identified through our ongoing monitoring of the market.  Our peer review feedback pointed our attention towards better risk-based prioritisation and deprioritisation of our activities in the context of limited resources and to focus on the key consumer detriment issues.  

Ultimately we are trying to shift behaviours among regulated firms through a combination of activities but it is important to be able to measure how effectively we are contributing to that shift.  We are also using the Outlook Report and our annual review of this as a basis for obtaining feedback from key stakeholders on our performance. In that context it will be important for us to have evidence as to the effectiveness of our three main functions of gatekeeper, policy maker and supervisor in achieving our consumer objectives.  This is an area for further work for us and again we hope to learn more from our international colleagues on how they are cracking this particular nut.  

I would recommend the same approach to yourselves both within your internal audit functions within firms and also within your professional bodies as a means of engaging and being engaged within the organisation and having clear and growing professional relationships with the board and senior management team to deliver added-value internal audit. 


In conclusion I trust that I have helped you gain a better understanding of how we are approaching consumer protection in an ever changing environment and how our strategy and approach has developed and been enhanced in order to meet these new challenges.   I do believe that there is real resonance between ourselves as regulators and internal auditors in terms of the roles we perform with firms and the challenges we face in defining priorities and measuring success and benefits. In that regard I have also highlighted a few issues and our approach to them which may help internal audit in delivering effective outcomes.  

For me internal auditors really are and can be champions of positive and sustainable change – you do indeed have an important part to play in helping achieve the right outcome for consumers through organisational input and review of key elements of the firm’s consumer risk and business models.  I believe the key to success is knowing and understanding what consumer outcomes the firm is trying achieve and putting in place the right controls and measures to assess if they are working.