APRA released the final version of SPG 223 (Fraud Risk Management) on 10 June 2015.
A number of amendments have been made to the draft version of the Prudential Guide.
In the final version, APRA has made it clear that RSE licensees are not required to disclose details of their risk policies and fraud appetite to third parties (information that could potentially assist a third party to commit fraud). Rather, an RSE licensee is expected to inform third parties of its expectations regarding fraud prevention, including reporting and monitoring.
References to “incentives” that could be offered to promote a strong risk culture have been removed on the basis that the word is inconsistent with the message that APRA is trying to communicate. Instead, greater emphasis is now placed on “performance management policies and metrics”.
The assertion that the improper registration and use of an RSE’s assets is a common type of fraud has been removed. Instead, the Guide now refers to the risks of investing otherwise than in compliance with investment mandates.
Some changes have been made to distinguish more clearly between investment governance risks and fraud risks. However, the concepts are inter-related, and under the heading “Fraud related investment risks” there is a reference to critical fraud risks that may arise in connection with investment risk.
Trustees should now consider reviewing their relevant risk and fraud policies in light of the final version of SPG 223.