Consumer Duty for Internal Auditors

The FCA’s new Consumer Duty takes effect from 31 July 2023 for existing products and services. It reflects a continued focus by regulators on customer outcome. This guest blog by the Banking and Financial Services Sector Advisory Panel shares what this means for internal auditors now and in the future.

Click here for a free webinar Consumer Duty - Practitioner Perspectives 21 June 2023

What is Consumer Duty?

• Consumer Duty reflects a move towards more outcomes-based regulation over the last 15 years and an increasing focus on real consumer behaviour such as customers in vulnerable situations and the use of behavioural economics (how and why consumers make decisions and behave in response to products/services/comms/journeys).
• It applies to all firms that “have a material influence over, or determine, retail customer outcomes” - and across the whole distribution chain, from product and service origination through to distribution and post-sale activities.
• It sets a much higher bar for governance and accountability including a requirement for a Consumer Duty Board Champion; at least an annual Board attestation that the firm is delivering good customer outcomes AND for customer outcomes to be a central part of risk and audit activity. It also sets higher expectations regarding organisational culture and a new individual conduct rule.
• It sets higher standards and has been described as a “paradigm shift”. It demands rigorous evidence – the burden of proof is on firms to demonstrate how they’re delivering good customer outcomes.  The idea of ‘symmetry’ or ‘proportionality’ is a key thread throughout. The expectation is that firms spend the same resources, attention and standards on generating good customer outcomes as they do on sales and revenue so, for example, it is as easy to switch or cancel products as it is to sign up in the first place.

What does this mean for Internal audit?

A shift in mindset. To think beyond checking whether a control has operated but consider whether the process is designed and executed to deliver good customer outcomes.

• A sharper focus to understand actual consumer behaviour – not what we assume or would like - and how a firms’ products and services might, unintentionally or intentionally, lead to poor outcomes. More specifically, as per rule 2A.8.1.2b, “a firm must ensure retail customer outcomes are a central focus of the firm’s internal audit function”. This aligns to the Chartered Institute’s Financial Services Code of Practice 10h, which states that internal audit “should not adopt a ‘tick box’ approach based purely on the design of processes and controls and should always consider the actual outcomes which result from their application...”. Internal auditors should consider if this is something that they are already doing and whether this is reflected clearly in their terms of reference.
• Internal audit’s role continues to assess how management understands, monitors and responds to customer outcomes. Where management is not doing this, it may be necessary to get this information themselves.
• Most internal audit functions will have great foundations to build on with their work being evidence based, objective and data driven. An internal auditors unique position with a view across the organisation should help in the assessment of outcomes throughout the product and customer lifecycle.
• However, some functions may need to up their game building on the core work of assessing the design and effectiveness of the control environment, to considering what the outcomes of that process are and for whom?  The former FCA, CEO Andrew Bailey said “One of our Principles for Business requires firms to communicate in a way which is fair, clear and not misleading, and pays due regard to the information needs of its clients… [But] with our knowledge of behavioural economics, it seems like too low a bar. Its focus is the firm’s processes, rather than the outcome we want to see – consumers understanding their options”.
• There will be greater expectations on firms with more advanced capabilities (eg FG22/5 paragraph 7.18), although all firms have the same responsibility to act to deliver good outcomes for customers. For example, firms with more sophisticated communications and data strategies will be expected to also have more detailed testing and monitoring. Regardless of the size and complexity of the firm, internal auditors can use the concept of proportionality when running assessments and test whether product owners and journey managers are applying the same standards and capabilities to delivering good customer outcomes as they are to generating sales and revenue in comparable areas. For example, testing whether communications focused on supporting customers are as clear as those used to sell the product, and whether the quality of post-sale support is as good as the pre-sale support. 

Now – things to consider today

• Readiness - are you looking at the challenge and governance around approval of key customer journeys (are the processes designed correctly) in addition to readiness for the “go live” expectation of your organisation. Are key dates for completion, dependencies and responsibilities understood? Is there adequate resource (skills and capability) to support the commitments?
• Level of engagement - what level of engagement should internal audit have in an organisation’s planning and preparation for Consumer Duty implementation eg workshops, governance fora? How will independence be maintained whilst supporting the business towards implementation?
• Audit tools and resources - What tools will be needed to assess progress? Will there be a need to adjust audit methodology? What resources are required to review planning and preparation activities – is there a mix of skill sets needed? What training and upskilling is in place to ensure that teams are equipped to undertake audit and assurance activities right now?
• Level of assurance - How will you assess ‘substantive compliance’? What assurance should internal audit be providing to Executive Management in relation to Consumer Duty implementation before July 2023 and how frequent should this be?

Next – things to develop for the future

• Enhancing audit approaches: existing audit methodologies may need to be enhanced to reflect the increased expectations of Consumer Duty. Even if outcomes testing principles and guidance are in place this may need to be reviewed in light of the new regulation. For example, what impact will Consumer Duty have on IA’s approaches for assessing Control Design Adequacy? Audit objectives may need to adapt – to opine on whether we saw good customer outcomes as well as the effectiveness of governance, risk management and management control.
  • Internal auditors may want to perform both traditional risk & controls testing as well as more direct outcome testing, where possible, to assess the business’ compliance with Consumer Duty requirements.
• Practical example - the Duty requires firms who manufacture financial products or services to identify a target market at a sufficiently granular level, considering the characteristics, risk profile, complexity and nature of the product or service. When conducting an engagement an internal auditor would traditionally perform a control design adequacy assessment on the controls over management’s review and approval of a target market plan, and then through control effectiveness testing ensure that this review and approval had operated as designed.
  • Under Consumer Duty, internal auditors may plan to go further and obtain target market documentation and data to explore how the characteristics of actual customers compare with the stated characteristics in the target market plan.
  • Internal auditors will need to think about the suitability of sampling approaches and sizes, given the different nature of the audit engagement.
• Changing mindset to starting at the end and look from the outside-in: to put yourself in the customers’ shoes, and not just focus on internal processes and systems or inputs, which can be different. This may require different tools and innovative approaches to both assess and understand potential harm (which can be different from risk). Illustrative examples may include:
  • Considering potential customer ‘harms’ during audit planning and how they may stem from products/services and behavioural biases. 
  • Conducting outcome testing of different products and services: How will internal audit assess whether customers are getting products and services that meet their needs, and understand what they’re getting? Or whether the onboarding stage is comparable to the offboarding stage? 
  • Undertaking audit engagements to determine which elements of a journey are inconvenient for customers, or where excessive bureaucracy can reduce the likelihood of the desired outcomes (“sludge audits").
• Skills and integration: Internal audit functions will need to have the resources and capabilities to perform a broad array of testing (for example Data Analytics). This may not always be the case. Consumer Duty provides a great opportunity for chief audit executives to add even more value to their organisation and its customers. 
  • Incorporating diverse skill sets to understand and perform (or at least effectively challenge) aspects like customer journey mapping, or exploration of outcomes across different customer segments. 
  • Integration during audits to understand the world from the customers’ perspective will need internal auditors across a bank to collaborate and share new skills – to generate a holistic view of the customer journey and experience, and the outcomes they receive.
  • Regular training and knowledge sharing: to properly assess whether good customer outcomes are being achieved, internal audit will need to put in place robust training plans on Consumer Duty across teams.

Are you ready for Consumer Duty?

Do you have the mindset and methodology to provide the assurance that is needed now and in the future?