Practical pitfalls for FAR implementations – Seven deadly sins (Part 2/3)
-
Market Insight 03 August 2023 03 August 2023
-
Asia Pacific
-
Regulatory risk
The Financial Accountability Regime is arguably the most significant change to Australia’s financial services regulatory landscape in a generation. It requires banks, insurers and superannuation funds to identify directors and senior executives, detail their specific responsibilities in ‘accountability statements’ and conduct their activities in accordance with broader obligations e.g., ‘integrity’, ‘skill’ and ‘co-operation’ with ASIC and APRA. If they don’t, they can be personally liable, as can the organisation.
In Part 1 of our series on Practical pitfalls for FAR implementations – Seven deadly sins, we discussed “Failing to do ‘reasonable steps’ reviews” and “Insufficient ‘information and control’”.
Part two covers “Treating ‘group executives’ the same”, “Needlessly expanding the regime’s application” and “Engaging directors/executives too late”.
The seven deadly sins (continued)
3. Treating ‘group executives’ the same:
FAR is based on legal entities. Often, for disaggregated group structures (which can span multiple countries) this is a highly artificial approach to governance. Those executives who sit outside the regulated entity itself, and have broader remits, often do not have the same degree of governance and risk frameworks built around them for their protection.
These group executives need additional attention because they sit outside the prudential infrastructure of the entity generating the FAR risk, e.g., insofar as whether critical information is flowing to them, and where there are controls to pick up where it is not. Sometimes they also do not have the experience of operating under APRA and ASIC’s oversight, so upskilling to meet regulatory expectations is a challenge that needs to be recognised and sensitively addressed.
In terms of sensitive issues, executives under FAR are clearly generative of risk for the prudential entity – if they make poor judgments then the entity can face hundreds of millions in fines. There is no double jeopardy rule under FAR. Accordingly, the prudential entity board and Chief Executive Officer need some level of influence over all accountable executives – even if they sit at a group level, and at a higher rung on the corporate ladder. Culturally, this can obviously be a challenge for implementation teams building this framework.
4. Needlessly expanding the regime’s application:
The design phase of FAR is critical, and is not limited to identifying which executives will be captured. Testing and excluding non-regulated aspects of each executive’s remits from their accountability statements to the extent they exist is important to limit liability, such as a group executive responsible for an unregulated credit business.
More insidiously is the expansion of responsibility through poorly defined responsibilities; generic FAR accountability statements are a major risk which entities can sleepwalk into. For an example, take “Responsible for data integrity” for the Chief Technology Officer. Does this mean they are responsible for other executives whose divisions improperly collect personal data or where those other executives do not encourage security measures in line with the IT function or department’s policies? Ideally this should not be the case because they may not have control, however, generic statements leave the issue open to unnecessary and risky conjecture. Poorly understanding the Chief Risk Officer’s role in terms of second line risk is another common issue we see in generic statements.
On 20 July 2023, APRA and ASIC released a consultation list of specific key functions for banks, with a plan to do the same for insurance and superannuation entities. They are broad functions, which need to be included in Accountability Statements e.g., data management or scam management, but with arguably more definition than the consultation guidance (which does not have the force of law, and is not finalised) suggests in our view. For example, data management is stated as follows: “Data management including data strategy, data architecture, data management framework and governance, data quality and issue management, data risk management including the state of data controls and data privacy”. Should the Chief Technology Officer be responsible for specific data quality which is poor, yet collected by the marketing team? Or for breaches of privacy by the Human Resources team, operating outside of set policies?
There is obviously a balance to be had. If accountability statements are too granular, then gaps can arise and FAR can be needlessly complicated. Picking up accountability statements, and scenario testing them is the key. Take, for example, a ransomware attack. Who will be responsible for this? What might an accountable person say to mitigate or shift their responsibility, and what are the responses? What scope does ASIC and APRA have to wield in terms of the breadth of the statement? Remember, on its sharpest perspective, accountability statements are an insider’s roadmap for personal and corporate enforcement for APRA and/or ASIC when things go wrong.
Given the breadth and complexity of FAR, start implementing the legislation as soon as possible - don’t under-estimate how long it will take. Early engagement with your key directors/ executives and training is critical to successful implementation. Regulators will look to see what steps you have taken to implement the new regime, what internal consultation and training has occurred with directors/executives, and what is their level of understanding of their obligations and the new requirements.
Dianne Weinstein, former Head of Group Regulatory Risk for AMP
5. Engaging directors/executives too late:
Accountability regimes like FAR are incredibly personal, as they affect reputations, individual finances and careers. In our experience, it takes at least 9 – 12 months to implement FAR for a general insurer or superannuation fund. Failing to engage with executives early (who will be talking with their competitor peers) will complicate the implementation, and may give rise to increased interpersonal director/ executive stress, engagement of personal lawyers and whistle-blowers. Or worse, disengagement until it is too late.
Even aside from the above challenges, individuals faced with the concerns of personal liability are likely to act in several understandable but ultimately unhelpful ways. Directors may stray into the ambit of management roles, executives may create ‘paper waterfalls’ of unnecessary attestations from direct reports that everything is within compliance parameters, or they may approach challenges from an individualistic standpoint e.g. “I won’t get involved in that spot fire, as its not in my statement”. Approached clumsily, FAR can be deleterious to corporate culture.
FAR requires a strong executive-led project team, usually by the Chief Risk Officer, Chief People Officer and/or the General Counsel. One that can honestly appreciate the challenges, and deal with them and the individuals directly (most often utilising external law firms to protect, privilege and deliver tricky messages).
In meetings with regulators, they will look to see whether the relevant Accountable Person is present, taking responsibility for the issue, and driving the engagement with them, not the CRO…
Dianne Weinstein, former Head of Group Regulatory Risk for AMP
Staying on the straight and narrow
FAR is very simple in theory, and devilishly hard to implement in practice. However, it is always effort well expended. Implemented with the right combination of technical skill, experience and emotional intelligence, it serves to protect executives, and assists the proper functioning of the organisation. Anecdotally, those organisations in the UK who are finally used to the UK SMCR, since its introduction in 2016, report that it has had a positive impact overall on their organisations.
The FAR legislation has passed the House of Representatives and will pass the Senate shortly. For those organisations on their FAR journey, being mindful of the above pitfalls will assist their implementation. For those organisations yet to start, we suggest an initial briefing with key executives who will likely be responsible for implementation, and then considering a project plan. Please reach out to any of the Clyde & Co contacts, who would be more than happy to assist you in this regard.
What’s next in the series
This is part two of our three-part series. Stay tuned for part three, which covers “‘Set and forget’ mentality” and “The Chief Risk Officer and Chief People Officer are disconnected”.
To read Part 1 in the series - please click here
To read Part 3 in the series - please click here
End