Practical pitfalls for FAR implementations – Seven deadly sins (Part 1/3)
Market Insight 27 July 2023
Asia Pacific
Regulatory risk
The Financial Accountability Regime is arguably the most significant change to Australia’s financial services regulatory landscape in a generation. It requires banks, insurers and superannuation funds to identify directors and senior executives, detail their specific responsibilities in ‘accountability statements’ and conduct their activities in accordance with broader obligations e.g., ‘integrity’, ‘skill’ and ‘co-operation’ with ASIC and APRA. If they don’t, they can be personally liable, as can the organisation.
The Fall
The Financial Accountability Regime (FAR) is a regulatory hydra. It is easy to understand in theory, but difficult to implement in practice – new heads keep emerging!
This three-part series draws on our experience in implementing FAR, and its forerunner regimes such as the Australian Banking Executive Accountability Regime (BEAR), the United Kingdom’s Senior Managers & Certification Regime (SMCR) and the Hong Kong Certification Regime (MIC). It is a deeply practical look at where FAR can go wrong in implementation, designed to assist clients in avoiding this fate.
Part one examines “Failing to do ‘reasonable steps’ reviews” and “Insufficient ‘information and control’”.
The seven deadly sins
In order, the 7 deadly sins to avoid in FAR implementations are:
1. Failing to do ‘reasonable steps’ reviews
FAR is an intensely evidence-based regime. A director / executive[1] who has bespoke responsibilities marked against their name, and who signs their accountability statement without having had those responsibilities stress-tested is at appreciable risk when something breaks in their domain. They will find themselves building a defence contemporaneously while ASIC and/or APRA examines them.
The ‘reasonable steps review’ aspect of FAR implementation is as important as the drafting of the accountability statements in our experience. It flushes out a plethora of critical issues which can be solved in the implementation phase as to the division or scope of responsibility for each risk; the person responsible for ‘manufacturing’ a key policy may well not be the one responsible for implementing it. Data is a good example – individual executives will be personally responsible for the manner in which they collect data i.e., in line with policy, but the Chief Technology Officer will be personally responsible if the policy and/or the data system itself is flawed.
At its most basic, for each director / executive, organisations need to create a new artefact setting out the separate requirements which constitute ‘reasonable steps’ under the FAR legislation e.g., ‘appropriate delegations of responsibility’ (and add the UK / HK additional guidance, for completeness) and detail all the governance and risk framework artefacts which satisfy those elements for each responsibility e.g., policies, procedures, and controls (especially). If this proves difficult, or the answer to key responsibilities from the executive is ‘I don’t have a document, but can speak to this in practice!’, this indicates that the organisation is not managing the risks. The point here is the importance of good corporate governance – employees need to know where responsibility lies and who to report to in any given scenario.
Within this framework, there should be an acknowledgement of the functional role of each director / executive. As a rule of thumb, there are usually five roles for each area of risk or responsibility, being: decision makers (usually board / CEO); manufacturers (e.g., of a policy); implementers (e.g., of a policy from another division); overseers (e.g., of a particular process) and leaders (e.g., of a division). All accountable persons (AP) will have a combination of these functional roles. For instance, no AP will just be an ‘implementer’. They may, and very likely will, also have accountabilities of a ‘leader’, ‘manufacturer’ and ‘overseer’. Having consistent and understood definitions reduces director / executive risk when ASIC and/or APRA is interpreting an accountability statement from an enforcement perspective.
It has been said that a person who takes reasonable steps is one who does not exhibit a negligent or reprehensible state of mind, who is conscientious, exhibiting, through diligence, a keen and watchful eye on his or her field of responsibility, observing, asking questions and so informed and informing, being vigilant, deciding, guiding and monitoring, oversighting, delegating when safe to do so to those who are well-placed, and only acting beyond expertise and experience with competent expert advice. This is not exhaustive and denotes a person not only in terms of qualities – skill and competence – but also in terms of how the person should behave and the behaviour is described with doing words, verbs (these verbs are really the tools of responsibility). In other words, doing nothing, in circumstances where reasonable steps requires something to be done, will not suffice.
Mark Steward, Former UK FCA Head of Enforcement
2. Insufficient ‘information and control’
Executives and directors need to ensure they have the right information to make decisions, and ‘control’ (which does not necessarily mean additional FTE, or budget) to fix any problems which arise in their area. Ignorance or ‘decision by committee’ is no defence under FAR. It is specifically designed to attribute liability to one person, irrespective of whether they are directly responsible for the failure or not. A major and unreported AFSL breach, a cyber-attack which could potentially have been averted, an executive remuneration structure which breaches CPS 511, a materially defective PDS – each of these will come back to one, or more, individuals under FAR who have functional responsibility.
Information is the easier of the two considerations. What specific information does the board or individual executive need to have to do their job? The project implementation team must work with these individuals to identify this information and ensure that, before FAR is enacted, the framework is structured such that the right information is flowing through the organisation to the director/executive with functional responsibility. Remember, individuals are personally accountable, and saying ‘I didn’t have the right information’ will not serve as a valid defence when facing ASIC and/or APRA. Those with functional responsibility must themselves ensure that they have the right information. The focus on directors and officers is evident from the Star Casino ASIC action.[2]
Control is more difficult and time consuming to map and evidence. In essence, control is demonstrated by directors / executives having the power to fix problems in their purview or, arguably, be appropriately over-ruled within the usual governance framework. FAR sets governance expectations but does not confer additional legislative powers. Control may be the power to allocate additional budget, FTE or powers within the organisation. Or, most often, it could involve a strategy change and refocus – one of the great benefits of FAR is the support and reinforcement of first line risk. For example, a Head of Product is going to be responsible for defects in the PDSs and disclosure documents. Risk is certainly not solely the purview of the Chief Risk Officer, who has second line responsibility. For less experienced directors / executives, this often requires appreciable upskilling, and is where we have seen many constructive conflicts within FAR implementation programs.
In this regard, a range of issues arise that need to be mediated. The Chief Technology Officer who argues they don’t have the budget to protect the organisation from cyber-attacks is a typical example. If they can’t get comfortable in discharging their FAR obligations, they need to resort to a structural mechanism created by the company’s FAR implementation project team to be over-ruled by the CEO effectively (and transfer risk) – or, worst case, take more drastic steps.
Staying on the straight and narrow
FAR is very simple in theory, and devilishly hard to implement in practice. However, it is always effort well expended. Implemented with the right combination of technical skill, experience and emotional intelligence, it serves to protect executives, and assists the proper functioning of the organisation. Anecdotally, those organisations in the UK who are finally used to the UK SMCR, since its introduction in 2016, report that it has had a positive impact overall on their organisations.
The FAR legislation has passed the House of Representatives and will pass the Senate shortly. For those organisations on their FAR journey, being mindful of the above pitfalls will assist their implementation. For those organisations yet to start, we suggest an initial briefing with key executives who will likely be responsible for FAR implementation, and then considering a project plan. Please reach out to any of the Clyde & Co contacts, who would be more than happy to assist you in this regard.
What’s next in the series
This is part one of our three-part series. Stay tuned for part two, which covers “Treating ‘group executives’ the same”, “Needlessly expanding the regime’s application” and “Engaging directors/executives too late”.
[1] FAR does not just apply to directors / executives. While it is most common that these roles will be subject to FAR – ‘Head Ofs’, ‘General Managers’, ‘Senior Managers’ etc can also fall under its ambit.
[2] ASIC has commenced Federal Court proceedings against the directors and officers of Star Casino, including the General Counsel, for failure to prioritise and comply with AML / CTF obligations.