What this means for risk, compliance & personal accountability

Overview

As foreshadowed in its Interim Report last year, the Royal Commission's final report sets the tone for increased personal accountability in relation to risk and compliance in the financial services sector. The Commissioner notes:

…there can be no doubt that the primary responsibility for misconduct in the financial services industry lies with the entities concerned and those who managed and controlled those entities: their boards and senior management. Nothing that is said in this Report can be understood as diminishing that responsibility. Everything that is said in this Report is to be understood in the light of that one undeniable fact: it is those who engaged in misconduct who are responsible for what they did and for the consequences that followed.1

In light of that statement, the Commissioner has recommended that:

  • the Banking Executive Accountability Regime (BEAR) be extended in line with similar legislation in the UK, as well as to include a new focus on accountability for the lifecycle of financial products; and
  • there be greater focus on, and more resources devoted to, non-financial risk within financial institutions.

We discuss these recommendations and their likely practical impact in more detail below.

The BEAR

It comes as no surprise that one of the key ways in which the Final Report recommends the need for greater personal accountability be addressed is by the expansion of the BEAR. Specifically, the Commissioner has recommended that:

  1. After appropriate consultation, the Australian Prudential Regulation Authority (APRA) should determine a responsibility within each authorised deposit-taking institution (ADI) subject to BEAR, for all steps in the design, delivery and maintenance of all products offered to customers by the ADI, and any necessary remediation of customers in respect of any of those products.2
  2. Over time, provisions modelled on the BEAR should be extended to all registrable superannuation entity (RSE) licensees and all APRA-regulated insurers.3
  3. The Australian Securities and Investments Commission (ASIC) and APRA should jointly administer the BEAR,4 including any new provisions that become applicable to RSE licensees and APRA-regulated insurers, as recommended in item 2 above.5
  4. Further to item 3 above, sections 37C and 37CA of the Banking Act 1959 (Cth) should be amended to make clear that an ADI and accountable person must deal with APRA and ASIC (as the case may be) in an open, constructive and cooperative way. Practical amendments should be made to relevant provisions of the Banking Act, such as ss 37K and 37G(1), so as to facilitate joint administration by ASIC and APRA.6
  5. In a manner agreed with the external oversight body (the establishment of which is the subject of the Commission's Recommendation 6.14), APRA and ASIC should each internally formulate and apply to its own management accountability principles of the kind established by the BEAR.7

The BEAR was adopted in Australia on 1 July 2018, through legislative amendments to the Banking Act. The BEAR legislation imposes a range of obligations on banks and other ADIs and their senior management, and seeks to ensure that they are held accountable when they fail to meet expectations. The BEAR commenced for large-sized ADIs on 1 July 2018, and small and medium-sized ADIs will be required to comply from 1 July 2019. APRA was originally given the responsibility of overseeing BEAR and was granted the regulatory powers to do so. Importantly, the BEAR requirements include that:

  • An accountable person of an ADI or its subsidiary (which includes directors) must:
    • act with honesty and integrity, and with due skill, care and diligence; and
    • deal with APRA in an open, constructive and cooperative way; and
    • take reasonable steps in conducting those responsibilities to prevent matters from arising that would adversely affect the prudential standing or prudential reputation of the ADI or subsidiary.

ADIs must defer a minimum percentage of a senior executive’s variable remuneration for at least four years, and have a remuneration policy that provides for reduction of the deferred variable remuneration where a senior executive has not met obligations under BEAR.

APRA can currently institute civil penalty proceedings against ADIs, and can disqualify an accountable person from being or acting as an accountable person if they fail to comply with their obligations.

The proposed expansion of the BEAR

The Commission's recommendations to expand the scope of BEAR come as no surprise to those following the Commission's hearings during 2018. An expansion of the type recommended by the Commission was suggested in the Treasury submission on key policy issues8, and APRA was supportive of the expansion of BEAR in its submission in response to the Commission's Interim Report, saying that there would be 'benefits' to adopting the UK Senior Managers Regime by extending the existing BEAR to other financial sectors and all types of misconduct, including conduct affecting individual consumers (rather than being limited to conduct that is prudential in nature).

The proposed expansion is consistent with the approach adopted in the UK. Following the 2008 financial crisis and subsequent review of the UK's financial services industry, the UK Parliament introduced the senior managers and certification regime (the SM&CR). The SM&CR comprises three main elements – the Senior Managers Regime (SMR), the Certification Regime and the Conduct Rules. The regime has been in force for banks, building societies and credit unions in the UK since March 2016, and was extended to insurance and reinsurance firms in December 2018. In December 2019, it will also be extended to all Financial Conduct Authority (FCA – the equivalent of ASIC) solo-regulated financial services firms (that is, firms regulated by the FCA only). This latter extension will significantly broaden the SMR's application to include, for example, large asset managers, mortgage providers, consumer credit providers, crowdfunding platforms and sole traders.

The SMR also covers a much broader set of conduct issues than the BEAR currently does, extending beyond prudential issues. As a result, it is jointly administered by the FCA and the UK Prudential Regulation Authority (PRA), in the same manner as has been proposed for the BEAR.

From an enforcement perspective, 2018 saw the first fine issued under the SMR for a chief executive's attempt to uncover a whistleblower's identity. The executive was fined £642,430 by the FCA and the Prudential Regulation Authority, and his employer clawed back £500,000 of his bonus. In this respect, the UK will be a useful looking glass into the future of the BEAR in Australia, with increasing regulatory action against individuals a likely consequence of the Commission's recommendations.

For more on the SMR, see our Linklaters colleagues' insights.

The Commission's particular focus on responsibility for products is an interesting outcome, which departs from the UK model and, no doubt, reflects a number of the specific case studies considered by the Commission. The Final Report concluded that administrative errors occur because there is no one ‘accountable from the design of the product through to its implementation and if something goes wrong, remediating it and, importantly, keeping it fit for purpose’.9 If the product recommendations are adopted, we will, no doubt, see any future enforcement proceedings in this space focus heavily on what steps were taken by the relevant executives throughout the lifecycle of a product to ensure that appropriate steps were taken and controls were in place to prevent errors and to ensure that products remain fit for purpose.

Risk and compliance

In addition to the proposed expansion of the BEAR, the Final Report emphasises the importance of considering non-financial risks, and sends a clear message to APRA in relation to the importance of ensuring that non-financial risks receive the appropriate emphasis in the relevant prudential standards.

The focus on non-financial risks was a key theme of the Prudential Inquiry into CBA. The Commission pointed to a number of examples from evidence at the hearings where the importance of considering and managing non-financial risks was discussed, particularly those risks associated with misconduct such as compliance risk, conduct risk, regulatory risk and operational risk. In connection with those comments, the Final Report emphasises the role of compliance, and the need to ensure that compliance departments are adequately resourced and have a strong voice in the business. As the Final Report notes, 'financial services entities must now accept that financial risks are not the only risks that matter. The prudent management of non-financial risks is equally important. Financial services entities must give sufficient attention, and devote sufficient resources, to the effective management of non-financial risks.'10 One area of the Final Report where the importance of non-financial risk has been emphasised is in the context of remuneration.

This emphasis on the role of risk and compliance in financial institutions is not new, and has been a key theme across the financial industry over the last few years. In particular, the CBA Prudential Inquiry emphasised the importance of an approach to risk and compliance that focuses on more than just strict legal requirements, and incorporates standards of integrity and ethical behaviour. This increased consideration of broader standards of integrity and ethical behaviour or, in the context of the Commission, 'community standards', will make it important for financial institutions to consider whether some of the findings of the Commission are addressed in the content of risk management and compliance practices, even before many of the proposed changes are adopted into law.

What do the Commission's recommendations mean in practice?

If the Commission's recommendations are adopted, extensive consultation will be required before they are implemented. The recommendations have implications for:

  • ADIs that are already captured by the BEAR but may face broader obligations, including in relation to the product lifecycle; and
  • other RSE licensees and APRA-regulated insurers. The Commission has suggested that in the expansion of the regime to cover a broader range of entities, changes should be made first in the superannuation sector and then to the insurance sector.11 It will therefore be important for both of these industries to get on the front foot as soon as possible.

To that end, organisations that are in line to be encompassed by an expanded version of BEAR, and those that are already captured by the current regime but may be in line for expanded responsibilities, may wish to start mapping their governance and risk arrangements to responsible senior executives, and considering where gaps may lie (for example, with the responsibility for all aspects of the product lifecycle). Given the particular focus in the Final Report on administrative errors and product issues, we may well see an increased regulatory focus on these issues, and an expectation of senior management oversight and ownership of them even before any associated changes are made to the legislative regime.

ASIC and APRA will have to work together more closely if they are to co-regulate the BEAR efficiently and effectively. To that end, the Commissioner has recommended a new statutory scheme for the mandatory sharing of information between APRA and ASIC.12 While the details of that scheme are yet to be seen, the Commission has suggested it be founded on the premise that joint responsibility and cooperation necessitate substantial commonality of information.13 That would mean two cops on the beat for those entities subject to the BEAR, but those cops would also be policed by a newly established external oversight body, in accordance with similar management accountability principles to the BEAR. Indeed, as ASIC Chair James Shipton said, 'If we expect something of the regulated community, we must be holding that – that standard to ourselves'.14

In the meantime, with BEAR already in force for the big four banks, and commencing for medium and small ADIs in July of this year, it remains to be seen how APRA (and potentially ASIC) will operationalise its supervision and enforcement of the regime. The legislation presently contains an absolute requirement to notify APRA of any breaches of accountability obligations, but it is not clear how APRA will interpret that obligation in practice, and whether it will provide any guidance on when and how to report.

Given the ability to institute civil penalty proceedings if an ADI fails to meet its BEAR obligations, and a suggestion by the Commissioner that both APRA and ASIC should litigate more, we may well see BEAR-related litigation and remuneration impacts for executives in the years to come.

In relation to the Commission's recommendations regarding increased focus on non-financial risk, financial institutions can likely expect increased scrutiny from regulators on this issue – that will, no doubt, lead to increased investment in areas such as compliance and risk and, consequently, a greater internal voice for these parts of the organisation.

Footnotes

  1. Final Report, 4 and 333.
  2. Recommendation 1.17 – BEAR product responsibility, Final Report, Volume 1, p.24.
  3. Recommendations 3.9 and 4.12 – Accountability regime, Final Report, Volume 1, pp.30 and 34, respectively.
  4. Recommendation 6.6 – Joint administration of the BEAR, Final Report, Volume 1, p.39. ASIC should be charged with overseeing those parts of Divisions 1, 2 and 3 of Part IIAA of the Banking Act that concern consumer protection and market conduct matters. APRA should be charged with overseeing the prudential aspects of Part IIAA.
  5. Recommendation 6.8 – Extending the BEAR, Final Report, Volume 1, p.39.
  6. Recommendation 6.7 – Statutory amendments, Final Report, Volume 1, p.39.
  7. Recommendation 6.12 – Application of the BEAR to regulators, Final Report, Volume 1, p.40.
  8. Background Paper 24: Submission on key policy issues dated 26 July 2018.
  9. Transcript of the Commission's Hearings, Shayne Elliott, 28 November 2018, 7278.
  10. Final Report, Volume 1, p.406.
  11. Final Report, Volume 1, p.408.
  12. Final Report, Volume 1, p.462.
  13. Final Report, Volume 1, p.462.
  14. Transcript of the Commission's Hearings, James Shipton, 23 November 2018, 7016.