In my experience, the first question a regulator such as ASIC asks when making inquiries is “can you show me?”
Whether it is evidence of compliance with a specific statutory requirement or your record of a policy or procedure, a regulator is looking for verification or proof that you have met your obligations.
Although your compliance can be performed and recorded electronically, you need to be able to prove that you have internal controls which ensure that your obligations are implemented.
Policies and procedures on their own are not enough; you need to be able to produce records of implementation of those policies and procedures.
While it is theoretically possible to have good controls but no records, a regulator will assume that poor record-keeping also means poor internal controls because the records would exist if the controls were adequate.
Record-keeping is also usually a separate statutory obligation.
Poor record-keeping also suggests insufficient resources (both money and staff) to perform the function.
Be prepared: a regulator will start by asking you to show them the following:
- your compliance program;
- evidence of monitoring and supervision of compliance;
- your training records;
- your complaints register;
- your disputes register;
- your breaches register.