Less than one year to go! How FAR along is your organisation with implementation planning? (Part 3/3)
-
Market Insight 07 June 2024 07 June 2024
-
Asia Pacific
-
Regulatory & Investigations
Key insights in preparing for FAR as the twelve month countdown for insurers and RSEs continues (Part 3/3).
The impending introduction of the Financial Accountability Regime (FAR) continues to be a key focus area for insurers and RSEs.
In Part 1 of this series, we focused on Accountability Statements for Senior Executive Managers and the impact of the regime on Directors. Part 2 covered the high personal and professional stakes for Accountable Persons and the specific obligations under FAR for Accountable Entities.
In this final instalment of the series, we consider what to expect from an oversight perspective and future-proofing steps to take right now.
1. The Regulators
The role of the Australian Security and Investments Commission (ASIC) as a “co-regulator” with the Australian Prudential Regulatory Authority (APRA) is an interesting differentiator between FAR and its predecessor, the Banking Executive Accountability Regime (BEAR).
Although ASIC’s remit is technically limited to so-called “dual regulated Accountable Entities” (and their Accountable Persons and SREs), each Regulator has the power to delegate their responsibilities to the other under the Joint Administration Agreement and ASIC is widely recognised as the more experienced and better resourced litigator in respect of enforcement action.
APRA’s enforcement approach in recent years has relied largely on negotiated outcomes with prudentially regulated entities, and the use of its powers to impose capital charges and licensing conditions. However, following significant criticism of its enforcement approach in the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry, ASIC has increasingly demonstrated its willingness to seek redress through the courts. There is broad scope for differing interpretations of key concepts and obligations in the FAR regime which do not have a history in Australian regulations (e.g. “integrity”) – it remains to be seen how aligned APRA and ASIC will be.
We expect that APRA may therefore be inclined to lean on ASIC in enforcement scenarios. In the UK, commonly one agency assigns the investigation to the other and then determines its approach based on the outcomes of that first agency’s investigation. Here the outcome, under FAR, will be a joint one.
Given ASIC’s stated appetite over the last few years to crack down on instances of non-compliance in financial services, the expectation is that this trajectory will continue at pace following the implementation of FAR.
Practical example:
An ADI that was subject to the BEAR regime has uplifted its systems and controls to comply with the requirements of FAR. It proceeds to identify a serious FAR breach by an Accountable Person, which it notifies to the Regulators though the single point of contact portal.
As the ADI is a “dual regulated Accountable Entity”, the Regulators jointly commence an investigation, which concludes that the Accountable Person has failed to take reasonable steps to prevent matters from arising that would constitute a failure by the accountable entity to comply with the financial services law and the accountable entity has failed to comply with its key personnel obligations. For example, an accountable person delegates to people who are not sufficiently skilled or resourced.
The Regulators decide to pursue civil penalties as the most appropriate course of action, culminating in disqualification of the Accountable Person and the issuing of directions to the accountable entity (such powers exercised with mutual agreement in accordance with section 38 of the FAR legislation).
2. Day One compliance
By now, Accountable Entities are likely to have an understanding of the key deliverables and governance arrangements that are necessary to achieve Day One compliance from 15 March 2025. Checklists should include:
- registering Accountable Persons via APRA Connect;
- finalising accountability statements (and lodging with APRA if you are subject to the enhanced notification thresholds);
- completing accountability maps (and lodging with APRA if you are subject to the enhanced notification thresholds);
- documenting reasonable steps framework; and
- uplifting remuneration policies and consequence management frameworks.
However, one of the most effective ways to test capacity to comply with FAR is to run a simulation of a breach. This will build on the reasonable steps review phase of FAR implementation. Only preparing the accountability statements, without checking there is evidence to underpin them, leaves Accountable Persons exposed.
When run properly, this exercise will force Accountable Persons to deeply engage with the various components of their accountability statements and reasonable steps framework, and allow the organisation to test the operation of systems and controls in a “near-live” environment.
The fictional circumstances that form the basis of the simulation should be plausible but severe enough to require a multi-disciplinary response. A range of key stakeholders should be involved and the process executed in accordance with then existing policies and procedures to examine their efficacy from the ground up.
Commonly requested scenarios include a data breach, a cyber-attack resulting in a significant IT systems failure, and an incident of misconduct.
Practical example:
A licensed insurer that is below the enhanced notification thresholds has dedicated extensive management resources to its FAR implementation planning supported by external advisors.
Despite not being required to lodge accountability statements and maps with APRA, it has opted to prepare these documents to the highest standard and implemented robust uplifts to its internal governance processes. It now wishes to test the application of FAR to its business.
As an initial step, the entity identifies matters of significance in recent years, regardless of how they were ultimately managed and resolved. Consideration is also given to the types of conduct that have been the subject of regulatory scrutiny across the relevant industry and more broadly. For example, failure to oversee key outsourced service providers, cyber breaches, product pricing defects, sexual harassment (inside and outside work) – all of these foreseeable scenarios, if they arose, would need to be considered in a FAR context.
The organisation then conducts a simulation using one of these historical scenarios. The simulation proceeds on the basis of an employee-generated data breach. As the events unfold in the “near live” environment, it becomes apparent that there are gaps between the accountabilities of three of their Accountable Persons in relation to how this incident is identified, the immediate next steps, the internal reporting requirements and the application of the consequence management protocol.
Following the simulation, the relevant accountability statements are adjusted to remedy the gaps and the consequence management framework is clarified.
3. Post-implementation learnings
Looking ahead to a world where FAR has become the norm and status quo, the Regulators will be expecting:
- Accountable Entities to have clear systems and controls that are appropriate for the size, scale and complexity of the business; and
- Accountable Persons to be aware of the boundaries that define their spheres of influence and control.
However, the complexities and vagaries of commercial reality will mean that, inevitably, elements of implemented FAR controls may not operate as expected, notwithstanding any simulation scenarios conducted in preparation for Day One compliance. Controls identified in reasonable steps reviews, will need to be constantly reviewed (e.g. incident monitoring), as they form part of an Accountable Person’s reasonable steps defence.
It is therefore critical that the entire FAR infrastructure within Accountable Entities is closely monitored on an ongoing basis to identify components that may require uplifts and adjustments from time to time.
FAR cannot be approached as a set-and-forget compliance exercise and most, if not all, Accountable Entities should expect to make a range of adjustments to their compliance framework within the first one to three years of implementation.
The reality is that the Regulators will be watching closely following implementation date on 15 March 2025 and early enforcement action will influence understanding of the fundamental concepts of the regime across the industry.
Practical example:
Two years after the implementation date, the concepts of “integrity” and dealing openly and constructively with the Regulators have started to be tested and clarified by the Regulators and the courts. Also, consequence management and remuneration decision-makers within firms will have formed their own views, as these concepts are a benchmark to reduce Accountable Person remuneration.
An RSE that is above the enhanced notification threshold has been complying with its additional notification requirements under the legislation, including notifying the Regulators of a departure of one its Accountable Persons in December 2025. However, it has not made any changes to its risk management framework, including in relation to remuneration policies or consequence management protocols, since its FAR project concluded.
The RSE should look at its existing FAR governance and compliance system to identify why no updates have been made since the implementation date.
It should closely examine the terms of its RMF and ancillary policies to determine the extent of any necessary changes in light of the clarification of the concepts of integrity and dealing openly with the Regulators to align with market standards, and consider uplifting oversight procedures to ensure that the FAR systems are operating as expected by the Board.
End