What this means for non-financial organisations

Culture and social licence

'[G]etting culture and conduct right is not a supervisory requirement. It is necessary for banks’ and banking’s economic and social sustainability'¹

Culture and misconduct

The role of corporate culture assumes fundamental importance in the Final Report. This is not surprising: the Interim Report identified culture both as a cause of misconduct and as a driver of responses to it.

A key question posed at the outset of the Final Report is:

What more can be done to achieve effective leadership, good governance and appropriate culture within financial services firms so that firms 'obey the law, do not mislead or deceive, are fair, provide fit for purpose service with care and skill, and act in the best interests of their clients'?'²

As in the Interim Report, Commissioner Hayne remains highly critical of corporate cultures that value sales and profit over compliance and consideration of the customer. These cultural values are often embedded in remuneration and incentive programs that treat profit as the key measure of success.

Commissioner Hayne recommends that every financial services entity look to, and critically examine, its culture. Non-financial services organisations should consider undertaking the same exercise.

Questions every organisation should ask itself

Commissioner Hayne proposes that entities ask themselves the following five questions:

• Is there adequate oversight and challenge by the board and its gatekeeper committees of emerging non‑financial risks?
• Is it clear who is accountable for risks and how they are to be held accountable?
  Are issues, incidents and risks identified quickly, referred up the management chain, and then managed and resolved urgently? Or is bureaucracy getting in the way?
• Is enough attention being given to compliance? Is it working in practice? Or is it just 'box‑ticking'?
• Do compensation, incentive or remuneration practices recognise and penalise poor conduct? How does the remuneration framework apply when there are poor risk outcomes or there are poor customer outcomes? Do senior managers and above feel the sting?³

Underpinning these questions are concerns relating to culture, governance and remuneration – three topics considered by the Commissioner to be inextricably linked. According to the Final Report, '[p]ositive steps taken in one area will reinforce positive steps taken in the others. Failings in one area will undermine progress in the others.'⁴

Remuneration

The Final Report examines in depth the close relationship between remuneration and corporate culture. An entity's remuneration arrangements, particularly variable remuneration and incentive programs, tell staff what the entity rewards and what the entity values.⁵ Remuneration policies that treat profit as the dominant measure of success are considered in the Final Report to be a driving factor behind poor compliance culture and outcomes.⁶ Such policies tell staff that the entity gives priority to profit over the interests of customers and above compliance with the law.⁷

Recommendation 5.5 calls upon banks to implement fully the recommendations of the 2017 Sedgwick Review into retail banking remuneration. The Sedgwick Review relevantly recommends that incentives no longer be paid to any retail staff based directly or solely on sales performance.⁸

Organisations outside of the financial services industry should consider their current variable remuneration policies for front-of-line staff (whether those staff are selling to consumers or business counterparties) and examine whether these policies would withstand similar scrutiny.

Read more information about remuneration.

Creating and maintaining 'good' corporate culture

The Final Report does not advocate a single 'best practice' for creating or maintaining a desirable culture. Organisations are instead encouraged to examine critically their existing structures and continue to work on ways to motivate their staff to act in the best interests of their clients.⁹ The Commissioner calls upon entities to 'challenge assumptions about how they can and should encourage certain behaviours and discourage others'.¹⁰

Recommendation 5.6 states that culture and governance assessments should be conducted by financial services entities as often as reasonably possible to:

• assess the entity’s culture and its governance;
• identify any problems with that culture and governance;
• deal with those problems; and
• determine whether the changes it has made have been effective.

Assessment and review of culture is characterised in the Final Report as an ongoing process rather than a one-off or ad hoc activity.

Broader trends

The emphasis on culture in the Final Report is consistent with an increased focus on culture in legislative, regulatory landscapes that apply across all business sectors. For example:

• In Australia, the Commonwealth Criminal Code provides a basis for attributing criminal liability to corporates that have defective 'corporate cultures'.
• In Australia and internationally 'culture' is a relevant public policy ground when it comes to prosecution decisions, sentencing decisions and civil enforcement penalties.

The rise of the concept of culture within law and regulation, and the Royal Commission's focus on it, is also a reflection of the broader pressure from consumers and other stakeholders on corporations to do what is 'right' or 'ethical', or what would be consistent with 'community standards' in order to maintain a 'social licence to operate'. This trend has influenced other legal and soft law developments such as the reform of Australia's whistleblower laws¹¹ the proposed introduction of a corporate criminal offence for 'failing to prevent foreign bribery'¹² and the 4th edition of the ASX Corporate Governance Council Principles and Recommendations (released in February 2019), in which Principle 3, 'Act ethically and responsibly', is reframed to require listed entities to 'instil and continually reinforce a culture across the organisation of acting lawfully, ethically and responsibly'.

Culture assessment

Entities outside of the financial services industry may wish to proactively conduct an assessment of their own organisational culture, and identify and remedy any deficiencies.

Corporate culture assessments can create legal risk and opportunity for corporations. While corporate culture assessments must be multi-disciplinary, there is a role for legal and compliance functions to help ensure that the assessment is forensically sound and accurate, takes into account compliance frameworks, and address elements that the law and regulators focus on when assessing corporate culture.

Read more about the Final Report's findings in relation to culture.

Senior leadership and governance

Champions of culture

The Final Report emphasises the preeminent role of senior leadership in driving the culture of an organisation. A culture that prevents misconduct and promotes and rewards ethical behaviour must be set at the top.¹³

While all levels of management and, indeed, individuals contribute to culture, what the board says, does and expects, is absolutely critical in setting the tone for the organisation. Leadership within an organisation should demonstrate a culture of consistent compliance with the law, and take steps to ensure that it is treated as a company norm.

Access to information

'Boards cannot operate properly without having the right information. And boards do not operate effectively if they do not challenge management.'¹⁴

The Final Report argues that strong and effective boards can minimise the risk of misconduct and promote a culture of compliance. However, to be effective a board must have access to the right information to challenge management on important issues about breaches of law, and standards of conduct and issues that may give rise to poor outcomes for customers.

A concerning theme emerging from the Royal Commission is that boards may not have access to the right materials to discharge their functions effectively. A distinction is drawn here between the right information and more information: 'it is the quality, not the quantity, of information that must increase. Often, improving the quality of information given to boards will require giving directors less material and more information.'¹⁵ The Final Report also calls on board members to actively seek out information where there are gaps.

It is now an expectation that boards should receive routine and quality reporting on emerging non-financial risk areas, as well as on trends in customer and supplier feedback, and whistleblower reports.

The Final Report reiterates findings made in the Final Report of the CBA Prudential Inquiry, and is a timely reminder of the need for board packs to be complete (not missing any information for the board), balanced (not downplaying risks or overemphasising benefits), and to contain an appropriate level of detail.

See our article on the impact of the Final Report on governance and directors duties.

Improve internal accountability frameworks and enhanced personal accountability

The Final Report sets the tone for increased accountability in relation to risk and compliance in the financial services industry. This is likely to have an effect on what regulators and consumers expect of organisations outside the financial services industry.

The Final Report criticises business models that lack clearly defined ownership of overall processes, beginning with inception of a new product and culminating in offering that product to customers. The Final Report identifies that there is often 'disaggregation of the management of the value chain with no one "accountable from the design of the product through to its implementation and if something goes wrong, remediating it and, importantly, keeping it fit for purpose"'.¹⁶ The result, Commissioner Hayne states, is that 'processing or administrative errors [occur] when the "left hand does not know what the right hand is doing"'.¹⁷

The solution proposed by the Final Report is enhanced personal accountability of senior executives through broadening the reach of the Banking Executive Accountability Regime (BEAR).

This signals a demand for increased accountability, which may extend beyond the financial services industry.
Organisations should consider how they can strengthen internal accountability frameworks and channels of communication, to improve ownership of products and processes.

Asymmetry of power and information between entities and customers

A key concern emerging in the Final Report is the power imbalance between entities and consumers. The consumers of financial products are described as having 'little detailed knowledge or understanding of the transaction', and as having 'next to no power to negotiate the terms'.¹⁸ What emerges is an information asymmetry between a consumer and an entity, which increases the risk of misconduct and poor consumer outcomes.

Consumer-facing organisations and organisations with retail shareholders should take proactive steps to review customer/shareholder communications, and the availability of comprehensive and comprehendible information for those stakeholders. The accessibility of this information should be carefully considered and its content reviewed to ensure that those stakeholders have access to the complete picture of the product they are purchasing, service they are engaging or investment they are holding.

Risk and compliance

'[T]he prudent management of financial risks by financial services entities is and will always remain important. But financial services entities must now accept that financial risks are not the only risks that matter. The prudent management of non-financial risks is equally important.'¹⁹

The Final Report calls for organisations to expand their focus when considering risk, and risk management.
Traditionally, financial entities and regulators have focused on financial risk.²⁰ Commissioner Hayne in the Final Report asks organisations to improve management of compliance risk, conduct risk, regulatory risk and operational risk.

Conduct risk is the risk of inappropriate, unethical or unlawful behaviour on the part of an organisation’s management or employees.²¹ That conduct can be deliberate or inadvertent, arising from inadequacies in an organisation’s practices, frameworks or education programs.

Following the Royal Commission and the APRA CBA Inquiry, it is expected that there will be an increased regulatory focus on conduct extending beyond the financial sector. As such, organisations should examine and strengthen existing risk management processes in relation to non-financial risk.

In October 2019, ASIC's Corporate Governance Taskforce shone a spotlight on non-financial risks, when it released its report on director and officer oversight of non-financial risk practices directed to Australian listed entities. Read more here.

Role of regulators

Following the Royal Commission, there is increasing pressure on regulators to litigate matters, rather than settle or agree enforceable undertakings. In the Final Report, as in the Interim Report, Commissioner Hayne recommended that ASIC commence consideration of an instance of a breach of the law by asking 'Why not litigate?', rather than resorting to negotiated outcomes or infringement notices.²² In his official statement in response to the Final Report, ASIC Chair James Shipton indicated that ASIC would embrace a new 'why not litigate?' enforcement stance.²³ That stance will not be limited to the financial sector, and those outside the financial sector should prepare for more compulsory notices, interviews and proceedings, and fewer matters dealt with outside of court. It remains to be seen how this new approach will be reconciled with the Government's push to encourage greater self-reporting and resolution of criminal liability.

The Commissioner also recommends that APRA take on a more proactive supervisory role in relation to the culture of APRA-regulated institutions. Although the Recommendation is limited to APRA (and not ASIC), ASIC itself has already stated in its four-year plan that culture driving poor conduct is an area of priority for it.²⁴ We anticipate that regulators generally will become more sophisticated in their understanding of culture, and focused on culture assessments as a tool in their supervisory approach and as a consideration relevant to deciding enforcement outcomes.

See our article on the enforcement landscape after the Royal Commission and how to prepare.