This case study raised issues not only about the misleading and deceptive content on Allianz’s website, but also about Allianz’s compliance processes, governance and culture more generally.
It is convenient to begin with the issues relating to the misleading and deceptive content on Allianz’s website.
7.3.1Misleading and deceptive content on the website
In its submissions, Allianz rightly accepted that it may have engaged in conduct that was misleading or deceptive – and therefore amounted to misconduct – in respect of:[1]
- each of the 39 representations in relation to travel insurance described in the table in paragraph 86 of the statement of Michael Winter dated 24 August 2018;
- each of the 14 representations in relation to home insurance described in the table in the Annexure to that statement;
- each of the four representations in relation to motor vehicle insurance described in that Annexure;
- each of the three representations in relation to life insurance described in that Annexure; and
- the representation in relation to boat insurance described in that Annexure.
Allianz noted that the misleading representations in relation to home insurance, motor vehicle insurance, life insurance and boat insurance were remedied in 2016.[2] However, as described above, the misleading representations in relation to travel insurance were not remedied. They remained on the website until 2018.
The matter having been drawn to ASIC’s attention, it is for it to determine what action it should take.
Allianz accepted that, by not taking steps to remove the relevant pages of its website from public view while it investigated the extent of the misleading representations and determined how to fix them, it engaged in conduct that fell below community standards and expectations.[3]
In its submissions, Allianz acknowledged that the number of misrepresentations on the website, and the time it took to remedy them, gave rise to a significant breach that should have been reported to ASIC in accordance with section 912D of the Corporations Act. Allianz rightly conceded that it failed to report this breach within 10 business days, as required by section 912D.[4] As noted above, Mr Winter acknowledged that the decision not to report this matter to ASIC in May 2016 was the wrong decision.[5]
I refer Allianz’s conduct to ASIC, pursuant to paragraph (a) of the Commission’s Terms of Reference, for ASIC to consider what action it should take.
In giving evidence about the decision not to report the website issue to ASIC in May 2016, Mr Winter said that he could not recall whether the committee had considered the number or frequency of similar previous breaches, as required by section 912D(1)(b) of the Corporations Act.[6] Mr Winter exhibited notes ‘relating to’ that meeting to his witness statement,[7] but those notes did not refer to the number or frequency of previous similar breaches.[8] In these circumstances, I would infer that Allianz did not take these matters into account in determining whether to report the website issue to ASIC in May 2016.
As noted above, Allianz ultimately reported the website issue to ASIC in June 2018.[9] It is concerning that, although Allianz found out on 21 June 2018 that some of the misleading and deceptive statements had been on the website since July 2012,[10] it did not inform ASIC of this fact until 7 September 2018, and then in response to a compulsory notice.[11] In circumstances where Allianz had previously told ASIC that the misleading and deceptive content had only been on the website since December 2015,[12] I consider that the community would expect Allianz to correct its previous representation to the regulator in a more timely manner.
7.3.2Breach reporting processes
Allianz’s failure to report the website issue to ASIC in May 2016, and the inadequacy of the records of its consideration of whether to report that issue to ASIC, give rise to broader concerns about the adequacy of Allianz’s breach reporting systems at that time.
In her witness statement, Ms Callahan described the key features of Allianz’s breach reporting procedure since January 2013.[13] She also exhibited copies of the various versions of Allianz’s Compliance Incidents and Breaches Handling Procedure that were in force over that time.[14] While there were changes to that procedure over that time, the procedure for reporting breaches to ASIC remained substantially the same between January 2013 and May 2018. Among other things, that procedure required compliance officers to engage relevant senior individual stakeholders separately when determining whether to report a breach to ASIC.[15]
In May 2018, Allianz introduced a new Breach Review Committee.[16] Allianz also began reviewing all open compliance incidents and reassessing them to determine whether they were reportable to ASIC.[17] As a result of that process, in 2018, Allianz had reported seven significant breaches to ASIC by the time of the hearings.[18]
This was more reports than had been made in previous years. Ms Callahan said that there had been one year where Allianz reported four significant breaches but that in other years Allianz had reported either no breaches or only one breach to ASIC.[19] Ms Callahan said that Allianz has now recognised that it needs to look at all historical breaches to determine whether Allianz had an obligation to report them to ASIC.[20] This is because the corporate compliance department at Allianz could not assure itself that the section 912D reportability requirements had been applied to all prior breaches.[21] Ms Callahan said that this task was underway, but she was unable to say how many historical breaches would be assessed.[22]
Ms Callahan did not accept that Allianz’s breach reporting procedure prior to May 2018 was inadequate to ensure that Allianz complied with its obligations under section 912D,[23] but she did accept that Allianz had failed to comply with section 912D in the past.[24] She attributed this to a failure to adhere to the documented processes.[25] Ms Callahan also accepted that the breach reporting procedure prior to May 2018 ‘was not sufficient … with regard to the consideration of the four reporting criteria’.[26] She said that the breach reporting procedure should not have involved individual discussions with the relevant stakeholders.[27]
Given the matters accepted by Ms Callahan, her refusal to accept that the reporting procedure before 2018 was inadequate should be treated with caution. But it is not necessary for me to reach a concluded view about whether Allianz’s documented breach reporting procedure was adequate to ensure that Allianz complied with its obligations under section 912D of the Corporations Act. I note that concerns about that process were expressed in an internal audit report prepared in September 2015,[28] not long before the misleading and deceptive content on Allianz’s website was discovered. But even if I assume that the documented process was adequate, Ms Callahan’s evidence was that:
- the process was not always followed; and
- the failure to follow that process caused Allianz to fail to comply with its obligation under section 912D of the Corporations Act.
The adequacy of a system is not to be judged only by the way it is documented. Whether a system is adequate to fulfil a particular purpose will also depend on the way the system is understood and applied in practice. Here, Allianz’s breach reporting process was not always followed, and Allianz’s corporate compliance department could not assure itself that the section 912D reportability requirements had been applied to all prior breaches. After Allianz introduced a new process, the number of significant breaches identified increased from zero or one per year to seven in the first half of 2018. In these circumstances I would infer that, prior to May 2018, Allianz’s breach reporting processes were not adequate to ensure that Allianz complied with its obligations under section 912D of the Corporations Act.
I refer Allianz’s conduct to ASIC, pursuant to paragraph (a) of the Commission’s Terms of Reference, for ASIC to consider what action it should take.
7.3.3Compliance processes
The issues with Allianz’s systems and processes that were explored in this case study extended beyond its breach reporting processes.
Ms Callahan accepted that, based on the evidence she and Mr Winter had given, Allianz had failed to comply with the requirement, set out in Prudential Standard CPS 220, that it have a designated compliance function that assists senior management in effectively managing compliance risks, and is adequately staffed by appropriately trained and competent persons who have sufficient authority to perform their role effectively.[29]
This concession was rightly made. The evidence of Mr Winter and Ms Callahan demonstrated that, prior to the recent commencement of the Compliance Transformation Program, Allianz’s compliance systems were not adequate to meet the requirements of Prudential Standard CPS 220.
I refer Allianz’s conduct to APRA, pursuant to paragraph (a) of the Commission’s Terms of Reference, for APRA to consider what action it should take.
The inadequacy of Allianz’s compliance systems can be illustrated by reference to four matters that each contributed to Allianz’s conduct in relation to the misleading and deceptive content on the travel insurance pages on its website.
Processes for monitoring website content
First, I consider that Allianz’s conduct in relation to the travel insurance pages on its website was attributable, in part, to the fact that, for many years, Allianz had inadequate processes for monitoring the content of its own website, and the websites of other companies that distributed its products.
Ms Callahan accepted that, for many years, Allianz had inadequate processes in this respect.[30] Both Ms Callahan and Mr Winter accepted that these issues contributed to the misleading and deceptive content remaining on the travel insurance pages of the website. In its submissions, Allianz accepted that these issues were one major cause of the misleading content appearing on the relevant websites, and staying there for so long.[31]
Both Mr Winter and Ms Callahan accepted that issues with Allianz’s DCSO process were identified in 2015.[32] Despite this, in 2018, Allianz continued to have problems with its DCSO process.[33] This was evidenced by another compliance breach, identified in May 2018, which related to hyperlinks on a number of financial institution partner websites that were linked to the incorrect PDS.[34]
An internal audit report prepared in August 2018 found that the execution of the DCSO process was ineffective in ensuring adherence with legislative and internal requirements.[35] Ms Callahan agreed with the findings of the report.[36] In its submissions, Allianz noted that it had begun to take steps to address the failings identified in the report, but conceded that it was at the start of that process.[37]
Process for monitoring and closing compliance incidents
Second, I consider that Allianz’s conduct in relation to the travel insurance pages on its website was also attributable to the fact that, for many years, Allianz has had inadequate processes for monitoring and closing compliance incidents once they had been identified.
In its submissions, Allianz accepted that this was another of the major causes of the misleading content appearing on the relevant websites, and staying there for so long.[38]
Ms Callahan accepted that one of the causes of the misleading and deceptive content remaining on the travel insurance pages of the website was that there was insufficient oversight of the incident by corporate compliance.[39] A report to Allianz’s risk committee in September 2016 recorded that remediation of the incident was substantially complete, and that all material errors on the website had been corrected – even though, at that time, the review of the travel insurance content on the website was still ongoing.[40]
Ms Callahan accepted that, for many years, Allianz’s processes for identifying and monitoring compliance incidents were ‘not sufficient … to deliver the compliance results that one would want’.[41]
An internal audit report from September 2015 found, among other things, that significant improvement was required in ‘measuring, monitoring and reporting’ within Allianz, and that there was no standard process to monitor and confirm that remedial actions had been implemented prior to closing reported incidents.[42] Despite the critical findings made in the report, the issue was listed as a low priority.[43] Ms Callahan accepted that the audit report indicated that, at the time, Allianz was not taking its compliance obligations seriously, particularly in relation to remedial action necessary after a compliance incident had been identified.[44]
At the time the Commission heard evidence about his matter, monitoring and supervision remained an issue at Allianz. An internal audit report prepared in August 2018 found that ‘[t]he compliance plans for laws, legislation and regulation(s) impacting product and related processes are out of date and compliance monitoring is not taking place’.[45] Ms Callahan agreed with this finding.[46] She said that Allianz was only ‘at the start’ of addressing it.[47]
Oversight of AWP
Third, I consider that Allianz’s conduct in relation to the travel insurance pages on its website was also attributable to inadequate oversight of AWP by Allianz, prior to July 2018.
In its submissions, Allianz accepted that this was a contributing issue.[48] Ms Callahan also accepted that Allianz’s past inadequate oversight of AWP was one of the causes of the misleading and deceptive content remaining on the travel insurance pages of the website.[49]
Ms Callahan accepted that, under the underwriting agreement between Allianz and AWP that was in force between 2010 and July 2018, Allianz’s oversight of AWP was inadequate.[50] Allianz’s monitoring of AWP did not improve until Allianz and AWP entered into a new underwriting agreement in July 2018.[51]
It is concerning that Allianz did not enter into a new underwriting agreement until July 2018 even though – and as Ms Callahan accepted[52] – during the period while the previous underwriting agreement was in force, Allianz was aware that there were issues with its oversight of AWP, and with AWP’s compliance with its legal obligations. She also observed that, in 2016, an internal audit had identified that Allianz’s monitoring and control of its underwriting agencies was not sufficient.[53] Although steps were taken in 2017 to address those issues across other underwriting agencies, those steps did not include AWP.[54]
Ms Callahan said that Allianz’s systems for monitoring and supervising third party distributors had been a broader problem that extended beyond AWP. She admitted that, as well as underwriting agencies, Allianz also had problems supervising car dealers and the financial institutions selling Allianz products.[55] Ms Callahan gave evidence that Allianz was currently investing more in its compliance systems to improve its supervision and monitoring of third parties.[56]
Giving sufficient priority to compliance
Fourth, I consider that Allianz’s conduct in relation to the travel insurance pages on its website was also attributable to Allianz’s failure to give enough priority to compliance.
Ms Callahan accepted that one of the causes of the misleading and deceptive content remaining on the travel insurance pages of the website was that Allianz had an insufficient appreciation of the consequences for customers of this information being on the website.[57] She said also said that this incident was an example of an instance where Allianz’s management had not considered compliance to be a priority.[58]
In its submissions, Allianz conceded that both of these matters contributed to Allianz’s conduct in relation to the travel insurance pages on its website.[59]
Ms Callahan said that, prior to her time as Chief Risk Officer, there had been instances where Allianz had focused on technical or legal compliance, rather than encouraging a culture that really looked to improve Allianz’s processes.[60] Other than clarifying that Ms Callahan’s evidence on this point concerned the past, and did not refer to the current compliance culture at Allianz, Allianz’s submissions did not seek to depart from this assessment.[61]
Ms Callahan also accepted that, in the past, Allianz had not devoted adequate resources to compliance.[62] Ms Callahan gave evidence that Allianz only reached the point at which it was fully resourced for its compliance function one week before she gave evidence.[63] Again, other than clarifying that Ms Callahan’s evidence on this point concerned the past, Allianz’s submissions did not seek to depart from this assessment.[64]
7.3.4Reaction to external reports
It remains to say something about the way that Allianz reacted to the external reports from Ernst & Young (EY) and Deloitte that were considered in this case study.
The Commission heard that Allianz commissioned EY to prepare two reports – a risk report and a compliance report.[65] Allianz commissioned the risk report for the purpose of complying with Prudential Standard CPS 220, and providing the report to APRA.[66] After receiving draft copies of both reports, Allianz staff provided extensive feedback to EY. After receiving this feedback, EY changed the ratings in the compliance report, but did not change the ratings in the risk report.[67]
Ms Callahan accepted that it appeared that there were Allianz staff who did all they could to push for the ratings given by EY in the reports to be improved.[68] Ms Callahan accepted that this was not appropriate.[69] In relation to the risk report, she also accepted that Allianz was trying to influence and alter the content of a report that it was required to produce under CPS 220.[70] Ms Callahan was shown an email from the Head of Risk Management to the Acting Head of Compliance, dated 29 September 2017, in relation to the risk report. In that email, in response to the question ‘How did the meeting with EY go?’ the Head of Risk management said:[71]
Went ok … they are going to rewrite with a more balanced view … we didn’t get to finish the whole report though 🙁
[The Chief Risk Officer] tried to ask for a Mature rating for some elements but didn’t think it worked 😛
Ms Callahan accepted that it could be inferred from this email that there was an attempt to manipulate the content of EY’s report.[72]
In closing, Counsel Assisting submitted that it was open to me to find that Allianz had engaged in conduct falling below community standards and expectations by ‘seeking to manipulate the content of an independent report commissioned by Allianz for the purpose of satisfying the requirements of CPS 220 and which Allianz intended to provide to APRA’.[73]
In response to this submission, Allianz contended that the phrase ‘rewrite with a more balanced view’ does not suggest ‘manipulation’. Allianz said that ‘[i]t lends itself more towards notions of reconsideration, or even correction’.[74] However, this submission fails to grapple with the reference in the email to the Chief Risk Officer having ‘tried to ask for a Mature rating for some elements’. In my view, the clear inference to be drawn from the email is that the Chief Risk Officer attempted to manipulate the content of the risk report. Whether or not she succeeded is beside the point – the attempt to do so was conduct that fell below what the community expects. It demonstrates a concerning attitude to the content of an independent report being prepared for the purpose of provision to the regulator.
For the avoidance of doubt, I emphasise that nothing I have said suggests that EY acted inappropriately in any way. My focus is only upon what Allianz sought to do.
A concerning attitude was also demonstrated by Allianz’s reaction to a draft report prepared by Deloitte. In June 2018, Ms Callahan commissioned Deloitte to prepare a report addressing the compliance incidents that Allianz had recently reported to ASIC. On receiving a highly critical draft report, Ms Callahan’s reaction was to ask Deloitte to retract the report.[75] She agreed that this was ‘not her finest moment’,[76] and that this matter would be relevant to the risk governance written assessment that Allianz was then preparing for submission to APRA in November 2018.[77] In its submissions, Allianz acknowledged that this aspect of Ms Callahan’s reaction to the Deloitte report may reflect poorly on Allianz’s compliance culture as a whole, and characterised it as ‘a regrettable human error’.[78] But it is a course of events that does not reflect well on Allianz or its compliance culture.
[1] Allianz, Module 6 Case Study Submission, 1–2 [3]–[4].
[2] Allianz, Module 6 Case Study Submission, 2 [4].
[3] Allianz, Module 6 Case Study Submission, 5 [27].
[4] Allianz, Module 6 Case Study Submission, 2 [6].
[5] Transcript, Michael Winter, 17 September 2018, 5940.
[6] Transcript, Michael Winter, 17 September 2018, 5939.
[7] Exhibit 6.253, Witness statement of Michael Winter, 24 August 2018, 19 [92].
[8] Exhibit 6.253, Witness statement of Michael Winter, 24 August 2018, Exhibit MW-02 (Tab 11) [ALZ.0001.0067.2757].
[9] Exhibit 6.263, Witness statement of Michael Winter, 24 August 2018, Exhibit MW-02 (Tab 17) [ALZ.0001.0067.0010]; Transcript, Michael Winter, 17 September 2018, 5960.
[10] Transcript, Michael Winter, 17 September 2018, 5975.
[11] Transcript, Michael Winter, 17 September 2018, 5975. See Allianz, Module 6 Case Study Submission, 7 [41].
[12] Exhibit 6.263, Witness statement of Michael Winter, 24 August 2018, Exhibit MW-02 (Tab 18) [ALZ.0001.0067.0059]; Transcript, Michael Winter, 17 September 2018, 5960.
[13] Exhibit 6.284, Witness statement of Lori Callahan, 24 August 2018, 2–6 [15]–[20].
[14] Exhibit 6.284, Witness statement of Lori Callahan, 24 August 2018, Exhibits LMC-02 (Tab 1) [ALZ.0001.0017.3153], LMC-02 (Tab 2) [ALZ.0001.0078.0222], LMC-02 (Tab 3) [ALZ.1000.0002.2921], LMC-02 (Tab 4) [ALZ.0001.0078.0247], LMC-02 (Tab 5) [ALZ.1000.0004.3996], LMC-02 (Tab 6) [ALZ.0001.0017.3135], LMC-02 (Tab 7) [ALZ.0001.0077.0555].
[15] Exhibit 6.284, Witness statement of Lori Callahan, 24 August 2018, 13 [73].
[16] Exhibit 6.284, Witness statement of Lori Callahan, 24 August 2018, 13 [73].
[17] Transcript, Lori Callahan, 18 September 2018, 6002.
[18] Transcript, Lori Callahan, 18 September 2018, 6003.
[19] Transcript, Lori Callahan, 18 September 2018, 6002–3.
[20] Transcript, Lori Callahan, 18 September 2018, 6002.
[21] Transcript, Lori Callahan, 18 September 2018, 6002.
[22] Transcript, Lori Callahan, 18 September 2018, 6004.
[23] Transcript, Lori Callahan, 18 September 2018, 6072. See Allianz, Module 6 Case Study Submission, 4 [21].
[24] Transcript, Lori Callahan, 18 September 2018, 6072.
[25] Transcript, Lori Callahan, 18 September 2018, 6072.
[26] Transcript, Lori Callahan, 18 September 2018, 6071.
[27] Transcript, Lori Callahan, 18 September 2018, 6071.
[28] See Exhibit 6.284, Witness statement of Lori Callahan, 24 August 2018, Exhibit LMC-02 (Tab 12) [ALZ.0001.0078.0177 at .0206–.0207].
[29] Transcript, Lori Callahan, 18 September 2018, 6076.
[30] Transcript, Lori Callahan, 18 September 2018, 5995.
[31] Allianz, Module 6 Case Study Submission, 11 [64].
[32] Transcript, Michael Winter, 17 September 2018, 5917; Transcript, Lori Callahan, 18 September 2018, 6005.
[33] Transcript, Lori Callahan, 18 September 2018, 6007.
[34] Transcript, Lori Callahan, 18 September 2018, 6007.
[35] Transcript, Lori Callahan, 18 September 2018, 6009.
[36] Transcript, Lori Callahan, 18 September 2018, 6009.
[37] Allianz, Module 6 Case Study Submission, 11 [65].
[38] Allianz, Module 6 Case Study Submission, 11 [67].
[39] Transcript, Lori Callahan, 18 September 2018, 5993–4.
[40] Transcript, Lori Callahan, 18 September 2018, 6017–8.
[41] Transcript, Lori Callahan, 18 September 2018, 5995.
[42] Transcript, Lori Callahan, 18 September 2018, 6020–1.
[43] Transcript, Lori Callahan, 18 September 2018, 6020
[44] Transcript, Lori Callahan, 18 September 2018, 6023.
[45] Transcript, Lori Callahan, 18 September 2018, 6009 (emphasis added).
[46] Transcript, Lori Callahan, 18 September 2018, 6009.
[47] Transcript, Lori Callahan, 18 September 2018, 6011.
[48] Allianz, Module 6 Case Study Submission, 12–13 [71]–[79].
[49] Transcript, Lori Callahan, 18 September 2018, 5994–5.
[50] Transcript, Lori Callahan, 18 September 2018, 6027.
[51] Transcript, Lori Callahan, 18 September 2018, 6026.
[52] Transcript, Lori Callahan, 18 September 2018, 6026–8.
[53] Transcript, Lori Callahan, 18 September 2018, 5996.
[54] Transcript, Lori Callahan, 18 September 2018, 5995–6.
[55] Transcript, Lori Callahan, 18 September 2018, 6030–1.
[56] Transcript, Lori Callahan, 18 September 2018, 6030–1.
[57] Transcript, Lori Callahan, 18 September 2018, 5994.
[58] Transcript, Lori Callahan, 18 September 2018, 5996.
[59] Allianz, Module 6 Case Study Submission, 13–14 [83]–[84].
[60] Transcript, Lori Callahan, 18 September 2018, 5996.
[61] Allianz, Module 6 Case Study Submission, 14 [86].
[62] Transcript, Lori Callahan, 18 September 2018, 5991; see also Transcript, Lori Callahan, 18 September 2018, 6057.
[63] Transcript, Lori Callahan, 18 September 2018, 6069.
[64] Allianz, Module 6 Case Study Submission, 14 [87].
[65] Transcript, Lori Callahan, 18 September 2018, 6077.
[66] Transcript, Lori Callahan, 18 September 2018, 6078.
[67] Transcript, Lori Callahan, 18 September 2018, 6077.
[68] Transcript, Lori Callahan, 18 September 2018, 6048.
[69] Transcript, Lori Callahan, 18 September 2018, 6078.
[70] Transcript, Lori Callahan, 18 September 2018, 6078.
[71] Exhibit 6.302, 29 September 2017, Emails Concerning Risk Report.
[72] Transcript, Lori Callahan, 18 September 2018, 6078.
[73] Transcript, Senior Counsel Assisting, 21 September 2018, 6497.
[74] Allianz, Module 6 Case Study Submission, 9 [54].
[75] Transcript, Lori Callahan, 18 September 2018, 6064.
[76] Transcript, Lori Callahan, 18 September 2018, 6064.
[77] Transcript, Lori Callahan, 18 September 2018, 6079–80
[78] Allianz, Module 6 Case Study Submission, 15 [94].