On Friday, 16 July 2021, Treasury released the exposure draft legislation for the Financial Accountability Regime (FAR). Building on the Banking Executive Accountability Regime introduced on 1 July 2018, FAR will apply to all prudentially-regulated institutions e.g. banks, insurers and super funds and will operate to place institutional and personal liability on key executives for regulatory failures, based on new broad principles-based obligations.

Background

Our lawyers have deep experience with FAR’s forerunners: the Australian BEAR, the Hong Kong Managers in Charge Regime and the United Kingdom Senior Managers & Certification Regime. The FAR is heavily based on these overseas regimes, which reflect the global shift to more principles-based regulation and personal accountability in the wake of the Global Financial Crisis.

In essence, FAR requires financial services firms to identify senior individuals by a mixture of prescriptive and principles-based guidance e.g. directors / C-suite executives have them record their responsibilities in ‘accountability statements’, and then conduct those responsibilities by reference to certain broad obligations e.g. they need to act with ‘integrity, honesty and due care, skill and diligence’. If they do not, then the corporation and individual can be subject to sanctions e.g. disqualification for the individual. FAR also imposes remuneration conditions, including the deferral of up to 40% of variable remuneration for four years as hostage against executives’ good behaviour.

An in-depth Gadens analysis providing an overview of the FAR regime, based on the consultation paper released in January 2020, can be accessed here. Importantly, a comparative Gadens analysis of the UK experience in applying these broad principles-based regulations to individual accountability, can be found here. For example, should accountable persons be held accountable for a breach of integrity in their personal life? For sexual harassment concerns in their division by the corporate regulator?

The purpose of this article is not to revisit existing ground, but to highlight what is new or materially different in the exposure draft legislation. We recommend you read the abovementioned briefing papers first.

What is new?

Delving into the details of the exposure legislation, explanatory memorandum and ancillary materials, there are several important pieces of information to appreciate:

1. Legislation: the legislation will be introduced in the Spring sitting of Parliament.

2. Commencement: FAR will apply from 1 July 2022 for banks, and from 1 July 2023 for insurers and superannuation firms. In our experience, it generally takes 6 – 12 months for implementation depending on the size of the financial services firm.

3. Individual fines: Division 6 of the exposure draft legislation does not contain civil penalty provisions against individuals. This is a significant change from the January 2020 consultation, which proposed civil penalties of over $1M against accountable persons who breached their accountability obligations. The corresponding provisions on non-indemnification of accountable persons has been removed, being redundant.

While pleasing to see – and appropriate – the spectre of disqualification remains. The imposition of this penalty will require the agreement of both ASIC and APRA.

4. Responsibilities: the broad principles-based obligations applicable to financial services firms and accountable persons remain the same e.g. an accountable person must take reasonable steps to act with ‘honesty, integrity, and with due care, skill and diligence’.

The one nuance is that previously the consultation paper stated that accountable persons would need to take reasonable steps in conducting their responsibilities so as to comply with undefined financial services laws, being one of their four broadly expressed new obligations together with the abovementioned one. Those financial services laws have now been set out as follows:

  • the FAR legislation;
  • the Banking Act 1959;
  • the credit legislation (within the meaning of the National Consumer Credit Protection Act 2009);
  • the Financial Sector (Collection of Data) Act 2001;
  • the financial services law (within the meaning of 10 section 761A of the Corporations Act 2001);
  • the Insurance Act 1973;
  • the Life Insurance Act 1995;
  • the Private Health Insurance (Prudential Supervision) Act 2015;
  • the Superannuation Industry (Supervision) Act 1993; and
  • any regulations or other instruments, directions or orders, made under a law mentioned above.

5. ‘Reasonable steps’: the Bill provides additional detail on what amounts to taking reasonable steps to support proactive compliance by accountable persons and accountable entities, rather than endorsing a set-and-forget attitude. This includes taking appropriate action when ensuring compliance, and in responding to non-compliance or suspected non-compliance. Appropriate action for a particular matter consists of having appropriate governance, control and risk management in relation to that matter.

6. Defence: the legislation provides that a person is not liable for the performance of powers, functions or duties, if done in good faith and without negligence. This appears to be a protection for actions, not omissions (which is the predominant cause for the reasonable steps provisions being engaged in our experience).

7. Breach notifications: the time for a prudentially-regulated institution to provide notification of breaches of its or its accountable persons’ obligations has been extended from 14 days to 30 days. The obligation is only on the financial services firm, and not the individual.

8. Temporary vacancies: accountable persons filling temporary vacancies or unforeseen vacancies have up to 90 days after becoming an accountable person to be registered. Appointing an accountable person to fill a permanent position on a fixed-term contract will not constitute a temporary vacancy to which this longer period will apply.

9. Subsidiaries: FAR captures ‘significant related entities’ of primary entities. Aside from superannuation firms, an entity will be a significant related entity of an accountable entity if it is a subsidiary of the accountable entity, and the effect of the subsidiary on the accountable entity is material and substantial.

A significant related entity of a superannuation firm includes a wider variety of entities than subsidiaries, including related bodies corporate of the licensee and entities with certain control relationships with the licensee e.g. ‘connected entities’. For this reason, different related entities are covered by FAR for registrable superannuation entity licensees as they may have a different operating structure to other types of accountable entities. Under the draft exposure legislation and related guidance, there is appreciable guidance and structure charts on identifying significant related entities – a welcome change as structural governance is the starting point for the application of the FAR regime.

10. Product role: for the product accountable person role, the end-to-end product responsibility remains very broad, and must include responsibility for all steps in the design, delivery and maintenance of all products and services offered to customers; customer remediation; linkages to IT systems and data quality; outsourcing; and incentive arrangements of frontline staff.

This is a challenging responsibility, which caused considerable consternation when APRA first outlined its extremely broad view of the role. Thankfully, by way of a silver lining, the draft exposure legislation contemplates that there will only be several liability for accountable persons for the products for which they are responsible. This is different to every other accountable person role, where if more than one person holds the responsibilities they are jointly and severally liable. It is wholly appropriate, given the breadth of the product responsibility role, and we expect to see multiple accountable persons take on this responsibility given the breath of the responsibility and number of products (which lends itself to diffusing liability among multiple individuals).

11. Direction: APRA or ASIC may give a financial services firm a direction if they believe the firm or one of its accountable persons has breached FAR or is likely to breach FAR, and the direction is necessary to prevent the breach. Examples include changing systems/compliance, amalgamating or changing structures, taking or not undertaking a specific action or undertaking an audit. While APRA has always had this power under the prudential framework it operates within, and for that macro purpose, the conduct regulator ASIC has not, and it is a very large power to wield.

There is an open question as to the overlap with judicial power e.g. what if ASIC/APRA directed a firm to pay another entity a sum of money because ASIC/APRA felt it was warranted? As it is currently drafted, the legislation would permit that. It is worth noting in this context that it is a civil penalty not to comply with a direction which applies to both the financial services firm and individuals. Further, ASIC / APRA can deem the direction to be a secret, which means if the financial services firm or individual discloses the direction, they could be criminally liable (save for limited exceptions).

12. Enforceable undertakings: APRA and ASIC can accept enforceable undertakings in relation to the FAR, which are enforceable in the Federal Court, and may relate to compliance with the Regime by an accountable entity or an accountable person. They will also be accepted in relation to any matter in relation to which APRA / ASIC has a power or function under the draft exposure legislation, and when combined with the directions powers, this provides a very broad enforcement toolkit for the regulators quite outside the civil penalty regime.

13. Co-operation: a lot of focus in the materials ancillary to the draft exposure legislation has been given to the co-operation between ASIC and APRA in administering the regime. APRA and ASIC are required to enter into an arrangement outlining their general approach to administering and enforcing the Regime within 6 months of its commencement – one clear example from the materials is that they both need to agree to disqualify an accountable person. ASIC also cannot utilise its FAR powers against any firm that does not hold an ACL or AFSL.

14. Enforcement: one of the striking matters in the draft exposure legislation is just how procedurally advantaged ASIC and APRA are in terms of enforcement actions. For example:

  • privilege against self-incrimination is not an excuse to refuse to provide documents or information (though it will not be admissible in court proceedings);
  • there are novel penalties against lawyers for refusing to provide details which are legally privileged (but only if the person to whom it relates consents);
  • to establish the state of mind of the financial services firm, it is sufficient to show that an employee or agent of the individual engaged in the relevant conduct and had the relevant state of mind. That appears to apply irrespective of seniority or collective consciousness.

15. Merits review: certain decisions of APRA and ASIC under the FAR are subject to merits review – a right not originally proposed to be in the forerunner to the FAR, the Banking Executive Regime (and hard fought for to be included). Interestingly, under the draft exposure legislation, to seek review, a person affected by a reviewable decision may first apply for the Regulator that made the original decision to reconsider the decision. The Regulator must reconsider the decision within 60 days and notify the applicant of the outcome by written notice.

Next steps

The legislation clears up some of the concerns with the consultation paper, though major structural questions remain. For example, double jeopardy aspects i.e. if an accountable person breaches their duty, does that mean the corporation automatically does? Outside these considerations, the interpretational difficulty with the broad principles-based obligations remains, as we outlined in our previous article. The legislation does not assist in this regard, and it can only be hoped that substantial regulatory guidance will be provided by APRA and ASIC as to its views on these obligations. Given the personal liability attached to them, the industry deserves this.

From a practical perspective, insurers and superannuation firms should start their plans to implement FAR now. That is, if they have not already – many financial services firms have. The black letter requirements of FAR are relatively straightforward, but the execution is where the difficulty resides. Many ancillary questions arise outside of who has responsibility for what (which is often a challenging task in and of itself – ‘information and control’ need to be the guiding focus for accountable persons in defining their roles). For example, updating remuneration frameworks, reporting policies & procedures, insurance arrangements and determining a proportionality framework for reducing variable remuneration (when warranted) as but a few considerations.