What this means for culture

A Cultural Revolution?


Unsurprisingly, the Commission's Final Report repeats the finding in the Interim Report that a key cause of the conduct identified in those reports can be attributed to the culture within the organisations concerned.1 In the Commissioner's view, culture can both 'drive or discourage misconduct'.2

The Commissioner's recommendations have implications for the supervisory role of APRA in relation to culture, which will be broader, more resource intensive and proactive.

For financial services entities, there will be a requirement to conduct regular culture and governance assessments, and to correct any problems that have been identified. For the reasons set out below, it is important that legal and compliance functions are involved in this process.

Are there implications over a year on?

Yes. The broader lessons on culture are becoming clearer, and we have seen an increasing trend towards its regulatory supervision, particularly with APRA regulated entities.

  • In February 2019, the 4th edition of the ASX Corporate Governance Principles and Recommendations was published. Principle 3, concerning instilling a culture of acting lawfully, ethically and responsibly, raises the bar for listed companies to have detailed and concrete disclosures concerning their values and how they are implemented. Read more here.
  • In May 2019, APRA published an information paper that outlined the outcomes of financial institutions' self-assessments of governance, accountability and culture. The paper highlighted APRA's view that weaknesses in risk culture were evident across institutions, and the effectiveness of solutions was hampered by institutions' failures to identify fully the root causes of these weaknesses (at p11). APRA continues to apply capital requirements in light of these self-assessments.
  • In November 2019, APRA published another information paper, on governance, culture, remuneration and accountability (GCRA). APRA outlined a new approach to GCRA, focusing on:
    • clarifying expectations of boards and senior managers;
    • embedding regular risk governance self-assessments in the prudential framework;
    • holding institutions accountable for promptly addressing deficiencies; and
    • sharing APRA's insights with industry and the public, to reinforce prudential expectations.
  • The courts have also demonstrated an increased focus on culture. In considering corporate culture within a financial institution, Justice Lee of the Federal Court emphasised that a culture of compliance 'must transcend simply putting in place expensive "systems"' (at [2]). In that case, His Honour found that there was a 'want of corporate will' to ensure that existing compliance systems worked adequately.
  • As part of a review of corporate criminal responsibility, the Australian Law Reform Commission has also examined the role of corporate culture as a pathway to criminal liability for corporations. Its initial Discussion Paper, published in November 2019, was inclined to consider the concept of corporate culture to be too 'conceptually imprecise' and 'uncertain' to be useful as an express way of holding a company criminally liable, as it currently is under s12.3 of the Criminal Code. The weight of submissions the Commission received may have shifted its perspective, and it is expected to report in April 2020.

The emerging clarity of expectations and enhanced regulatory supervision of culture have practical implications:

  • We can expect to see corporate culture playing an increasingly prominent role in determining the severity of civil penalties and establishing corporate criminal liability.
  • Corporate culture continues to be a focus area for boards and senior executives. Companies are investing time and thinking in this area, to set and assess their corporate culture. We've seen a shift from this being the primary domain of people and development teams to being a focus of the regulatory and compliance teams. Some areas we've been assisting clients with are: updating board and committee charters, to ensure they adequately address issues raised during and post the Royal Commission (including setting the correct 'tone from the top' and providing greater clarity on reporting lines); carrying out risk, governance and compliance reviews; and giving input into culture assessments.

Will culture within financial services entities be prescribed?

No. The Final Report identifies that there is no single 'best practice' for culture, but adherence to 'basic norms of behaviour' is a bare minimum; and culture cannot be prescribed or regulated, but can be assessed and measured, allowing proactive corrective steps to be taken.3

This is consistent with public statements previously made by ASIC and APRA, and the general approach taken internationally by prudential and conduct regulators.4

Will there be more regulatory supervision of culture?

Yes. The Commissioner has recommended greater supervision of organisational culture by APRA, which follows from the conclusion that the culture of financial services entities is directly linked to financial soundness and stability.5 The Commissioner believes that APRA's historical focus on 'risk culture' (which has traditionally emphasised financial risk over non-financial risk) is too narrow.

The Final Report praises the APRA Prudential Inquiry into the Commonwealth Bank of Australia for having taken a broader approach in assessing organisational culture (as opposed to just risk culture), and for 'providing a very valuable, publicly available account of the ways in which failings of culture, governance and remuneration can act as drivers of misconduct'. The Final Report describes as 'not desirable' APRA's plan to refocus its culture review program more narrowly, focusing back on an assessment of the way that boards of financial services entities form a view of the risk culture in those institutions.6

In the Commissioner's view, prudential supervisors should look at culture as part of root cause analysis, and intervene when they see serious problems – with 'conduct' and 'values' aspects of mainstream supervisory processes. He acknowledges that it will be necessary to increase APRA's resources to achieve this level of supervision.

The Final Report concludes that 'supervision' of culture must include:

  • assessing culture and identifying deficiencies;
  • 'holding up a mirror' to organisations and educating them about their own culture; and
  • agreeing cultural changes to be implemented by the organisation, and supervising that implementation.7

Recommendation 5.7 sets out the Commissioner's recommendation in relation to supervision of culture and governance.8 It states that APRA should:

  • build a supervisory program focused on building culture that will mitigate the risk of misconduct;
  • use a risk‑based approach to its reviews;
  • assess the cultural drivers of misconduct in entities; and
  • encourage entities to give proper attention to sound management of conduct risk and improving entity governance.

This Recommendation adopts the recommendations of the Financial Stability Board, the international body that monitors the financial system, in its Strengthening Governance Frameworks to Mitigate Misconduct Risks: A Toolkit for Firms and Supervisors report dated April 2018.

What does this mean for financial services entities?

Financial services entities will need to conduct regular culture assessments and rectify identified problems

APRA-regulated institutions should anticipate greater supervision in relation to culture and governance, but the Commissioner sees the responsibility for culture resting primarily with financial institutions and with those who manage and control them: their boards and senior management.9

While the Commissioner acknowledged that reform of organisational culture is difficult, the Final Report directs all financial services institutions (whether named or not in the Final Report or Interim Report, and whether regulated by APRA or not) to 'look to [their] culture'. It concludes that many institutions will need to 'change their culture and governance'.10

Recommendation 5.6 requires that culture and governance assessments should be conducted by financial services entities as often as reasonably possible to:11

  • assess the entity’s culture and its governance;
  • identify any problems with that culture and governance;
  • deal with those problems; and
  • determine whether the changes it has made have been effective.

The Commissioner cites ANZ's approach to cultural assessment as an example of the time and effort he expects to be put into the process.12 He warns that the process of assessment and improvement must not be an exercise in box-ticking; and that it demands intellectual drive, honesty, rigour, thought, work and action. It must be informed by what happened in the past, why it happened and what steps are proposed to prevent its reoccurrence.13

The Commissioner warns financial services entities that 'this particular Recommendation requires entities to take all that is set out in this Report, including all the other recommendations that are made, and apply, re-apply, and keep re-applying what is said to their culture and their governance.'14

It is clear that the Commission expects assessment and review of culture to be an ongoing process, rather than a one-off or ad hoc activity.15

The Government has accepted this Recommendation, but it remains to be seen whether it will lead to legislative change or regulatory guidance. Even if it does not, however, financial services entities would be well advised to initiate a cultural assessment and improvement process now. Financial services institutions will need to put in place a clear framework for continuous assessment of culture and governance, and for acting upon areas for improvement that have been identified.

Lessons on culture

The Final Report describes culture within an entity as 'the shared values and norms that shape behaviours and mindsets';16 or, put another way, 'what people do when no-one is watching'.17

In the Final Report, the Commissioner set out some key lessons learned in relation to culture assessments and improvements. These will be familiar to those who have read the G30 Report into Banking Conduct and Culture18 (which the Commissioner cites heavily), as well as other reports such as the Financial Conduct Authority's paper on Transforming Culture in Financial Services.19 They are that:

  • Managing culture is not a one off event, but a continuous and ongoing effort that must be integrated into day-to-day business operations.20
  • 'Culture, governance and remuneration are closely related'.21 The Final Report reaffirms the claim made in the Interim Report that '…in almost every case, the conduct in issue was driven not only by the relevant entity's pursuit of profit but also by individuals' pursuit of gain, whether in the form of remuneration for the individual or profit for the individual's business'.22 See our article on remuneration.
  • The culture of an organisation is influenced by the tone from the top, as well as all levels of management.23 Improvements to culture will require continued attention by boards, senior executives and others within financial services entities. Boards and senior management must accept they have primary responsibility for culture.24 See our article on the implications of the Final Report for governance and directors' duties.
  • While cultural norms and beliefs cannot be explicitly measured, behaviours and outcomes that culture drives can and should be measured.

What's next?

The Final Report recommends imposing greater responsibility on financial services institutions and APRA in relation to culture.

Law and regulations already play an important role in influencing culture, defining it and providing for consequences when it falls short of expected standards. For example:

  • in Australia, the Commonwealth Criminal Code provides a basis for attributing criminal liability to corporates that have a deficient 'corporate culture';
  • in Australia, culture is a relevant factor in determining the amount of pecuniary penalties to be imposed under various statutes;25 and
  • in Australia and internationally, 'culture' is a relevant public policy issue when it comes to prosecution26 and sentencing decisions.27

The Final Report's recommendations will further increase this role.

Culture and culture assessments can create legal risk and opportunity for corporations and directors. While culture assessments must be multi-disciplinary, there is an important role for legal and compliance functions in helping to ensure that the assessment process is forensically sound and accurate, takes into account compliance frameworks as part of the assessment process, and addresses elements of culture that the law and regulators focus on.


  1. Final Report, Volume 1, p. 12; G30, Banking Conduct and Culture: A Permanent Mindset Change November 2018, Foreword, v.

  2. Final Report, Volume 1, p. 375.

  3. Final Report, Volume 1, p. 376.

  4. See, eg, a speech by John Price, Commissioner, Australian Securities and Investments Commission, AICD Directors' Forum: Regulators' Insights on Risk Culture, 19 July 2017.

  5. Final Report, Volume 1, p. 377.

  6. Final Report, Volume 1, pp. 385–386.

  7. Final Report, Volume 1, p. 377.

  8. Recommendation 5.7 – Supervision of culture and governance, Final Report, Volume 1, p. 393.

  9. Final Report, Volume 1, pp. 333 and 392.

  10. Final Report, Volume 1, p. 391.

  11. Recommendation 5.6 – Changing culture and governance, Final Report, Volume 1, p. 392.

  12. Final Report, Volume 1, p. 388.

  13. Final Report, Volume 1, p. 392.

  14. Final Report, Volume 1, p. 393.

  15. Final Report, Volume 1, p. 391.

  16. Final Report, Volume 1, p. 375.

  17. Final Report, Volume 1, p. 375, citing G30, Banking Conduct and Culture: A Call for Sustained and Comprehensive Reform, July 2015, 17.

  18. G30, Banking Conduct and Culture: A Call for Sustained and Comprehensive Reform, July 2015.

  19. Financial Conduct Authority, DP18/2: Transforming culture in financial services, 12 March 2018.

  20. Final Report, Volume 1, p. 391 citing G30, Banking Conduct and Culture: A Permanent Mindset Change, November 2018, xii–xiii.

  21. Final Report, Volume 1, p. 47.

  22. Final Report, Volume 1, p. 1.

  23. Final Report, Volume 1, p. 391.

  24. Final Report, Volume 1, pp. 391 to 392.

  25. See, eg, ACCC v Singtel Optus Pty Ltd (No 4) [2011] FCA 761 at [11].

  26. See, eg, Australian Federal Police and Commonwealth Direction of Public Prosecutions, Best Practice Guidelines on Self-reporting Foreign Bribery and Other Related Offences (2017), paragraph 15, and Commonwealth Attorney General's Department, Deferred Prosecution Agreement Code of Practice Code of Practice, Paragraph 7.1(c) (draft).

  27. See, eg, United States Sentencing Commission Guidelines 2018, Chapter 8.