The TCP Code requires every telco to have a ‘Compliance Plan’ in place by 1 March 2013. Unfortunately, it’s not entirely clear what a ‘Compliance Plan’ requires under the Code.
Starting point: It’s defined in the Code’s dictionary
‘Compliance Plan’ is defined as:
documentation prepared by a telco in accordance with clause 9.3.1(b).
That’s partly helpful, because it tells us that a ‘Compliance Plan’ is a document. But it doesn’t tell us what the document needs to cover. For that, we’re referred to a clause in the body of the Code.
Off we go to clause 9.3.1(b)
This clause tells us that a ‘Compliance Plan’ must:
- outline the initiatives of the telco supporting compliance with the provisions of the Code, and
- be prepared in a manner consistent with the principles and guidance provided in the Australian Standard on Compliance Programs AS 3806 – 2006.
Let’s look at those two requirements one by one.
‘Outline the initiatives’
This suggests that the ‘Compliance Plan’ is a high level document. ‘Outline the initiatives’ is much broader and vaguer than other wording that might have been used. For example, ‘detail the policies, processes and procedures’ would have indicated a much more detailed and comprehensive requirement.
So, if we take this requirement alone, a ‘Compliance Plan’ is a high level, summary document that maps out the telco’s compliance initiatives but doesn’t detail them.
‘Prepared consistently with AS 3806’
It is hard to know how the Australian Standard relates to the Code’s ‘Compliance Plan’.
AS 3806 doesn’t use the expression ‘Compliance Plan’ at all. It talks about three things that could be relevant:
A ‘Compliance Program’ is the whole series of activities that make up an organisation’s compliance effort. Documents are an important part of that, but only a part.
It’s pretty clear that the TCP Code’s ‘Compliance Plan’ doesn’t equal the Australian Standard’s ‘Compliance Program’.
A ‘Compliance Policy’ establishes the overarching principles and commitment to action for an organization with respect to achieving compliance. It sets the level of responsibility and performance required within the organization against which actions will be assessed. The policy should be appropriate to the organization’s compliance obligations that arise from its activities and the products or services that it provides.
According to the Australian Standard, the policy should articulate the:
- commitment to compliance;
- scope of the compliance program;
- application and context of the program in relation to the size, nature and complexity of the organization and its operating environment;
- responsibility for managing and reporting compliance; and
- required standard of conduct, accountability and consequences of non‐compliance.
This isn’t exactly the same as the TCP Code’s ‘Compliance Plan’ but it seems closer than a ‘Compliance Program’ does.
Then the Australian Standard references the supporting documents for the Compliance Policy:
The policy is not a stand‐alone document but is supported by other documents including operational policies, procedures and processes.
These don’t seem to be relevant to the TCP Code’s ‘Compliance Plan’ because it is expressly limited to being an ‘outline of initiatives’. That’s not to say that a telco needn’t have compliance processes and procedures. What we’re trying to work out here is whether they form part of the ‘Compliance Plan’ document or are in addition to it.
Where are we up to?
It would have been great if the TCP Code had used the same language as the Australian Standard to identify what it is talking about. But it doesn’t, so we need to do our best to interpret the Code.
At this point, it seems that the TCP Code’s ‘Compliance Plan’ either:
- generally corresponds to what the Australian Standard calls a ‘Compliance Policy’, but minus detailed supporting processes and procedures; or
- is something different to that – and if that’s the case, we are left asking (a) Exactly what is it? and (b) How does AS 3806 relate or apply to it? Which ‘guidance and principles’ within the Australian Standard are relevant to it?
It’s an important point. If telcos can’t be sure exactly what a ‘Compliance Plan’ is, and how the Australian Standard impacts it, it’s hard to certify to Communications Compliance that they have a ‘Compliance Plan’ and that it is prepared in a manner consistent with the principles and guidance provided in the Australian Standard on Compliance Programs.
Regulator guidance required
We can speculate on how the TCP Code can be interpreted in this regard, but the best solution is early guidance from the ‘regulatory stakeholders’ as to what’s expected.