Written by Matthew McLennan and Michael Mathieson
In recent times, APRA has been active in prescribing duties for directors of the institutions it regulates. In light of what has happened, it is worth asking: should the question of directors' duties be excluded from APRA's prudential standard-making powers?
Directors of superannuation trustees were the first to be exposed to the full force of APRA's latest thinking on directors' duties, following the commencement of APRA's new superannuation prudential standards on 1 July 2013. Since then, directors of ADIs, general insurers and life companies have been put on notice that they will receive similar treatment, through the making of Prudential Standard CPS 220 Risk Management. They have had some time to think about it too – CPS 220 was released in January this year but is not due to commence until 1 January 2015.
Having thought about it, directors have expressed some significant concerns about the terms which APRA plans to make them responsible. The concerns have related, for the most part, to the requirement that the Board of the APRA-regulated institution 'ensure' that specified things happen or specified circumstances exist. Perhaps the most troubling of these for directors has been the requirement that the Board ensure that 'a sound risk management culture is established and maintained throughout the institution'.
APRA has listened to those concerns and on 8 May 2014, it wrote to the CEOs of ADIs, general insurers and life companies. In the letter, APRA said it proposed to define 'ensure', when used in relation to a responsibility of the Board, to mean 'to take all reasonable steps and make all appropriate enquiries so that the board can determine, to the best of its knowledge, that the stated matter has been properly addressed'.
The concerns were also raised with the Financial System Inquiry which noted them in its Interim Report. In its second round submission to the Inquiry, APRA appeared to acknowledge that it might have gone too far. It agreed 'that regulatory requirements should not confuse or blur the delineation between the role of the board and that of management. ... In light of industry concerns, APRA is currently reviewing its prudential requirements to identify areas that may be perceived as leading to a blurring of duties'.
More recently, on 7 October, APRA released for public consultation a proposed replacement version of CPS 220. For the most part, the replacement version of the standard would, if adopted, involve a watering-down of elements of the existing standard (which, as mentioned, has yet to commence). For example, the requirement that the Board ensure that 'a sound risk management culture is established and maintained throughout the institution' would be replaced by one to ensure that 'it [ie the Board] forms a view of the risk culture in the institution, and the extent to which that culture supports the ability of the institution to operate consistently within its risk appetite, identifies any desirable changes to the risk culture and ensures the institution takes steps to address those changes'.
At the same time that it released the proposed replacement CPS 220, APRA also:
- reconfirmed its commitment to defining the term 'ensure' (with some minor refinements to the definition proposed in its 8 May letter);
- released a proposed replacement draft CPG 220; and
- released an 'Aid for Directors of ADIs and insurers'.
While the rationale for APRA's commitment to define the term 'ensure' is welcome, the merits of the proposal itself are debateable. Rather than manipulating the ordinary meaning of the word, a more direct solution that has the advantage of being consistent with legislative precedent would be simply to replace 'ensure' with 'take all reasonable steps'. What is more, the proposal is to include the definition in the relevant definition standards but for the word 'ensure' to continue to be used in the substantive standards themselves. The definition, on which so much is intended turn, will be buried away in a separate definition standard. A more substantive point is that the issues at hand are really too important to be resolved by way of a definitional device. In our view, the better approach would be to focus on the precise terms in which each obligation is imposed on the Board and to get those terms right.
Another comment is that the 'Aid for Directors' promises a lot but, with respect, delivers not very much. The first half of the document sets out contextual matters and the remaining half comprises, for the most part, motherhood statements. We do not suggest that motherhood statements are not worthy in and of themselves (although they often simply beg further questions) but we do doubt the extent to which they provide any meaningful and practical guidance to directors in this case as to what are their legal duties under the prudential standards.
What is APRA trying to achieve, by imposing specific duties on Boards rather than on the APRA-regulated institutions themselves? We think APRA's second round submission to the Financial System Inquiry provides the answer:
The Interim Report notes that it may be possible to identify areas where management could more appropriately undertake certain obligations. It is important that the Inquiry understands that, in many cases, obligations imposed on boards are designed to demonstrate that appropriate oversight and challenge of management is occurring. Delegating such responsibilities to management may be ineffective or counterproductive. Therefore, consideration may also need to be given to additional external (third party) review to achieve the prudential objective.
APRA's notion of the special need for the Board to oversee and challenge management in respect of particular matters brings to mind an issue at the heart of the 2011 Centro decision. That case concerned financial reporting by a listed entity and, in particular, the requirement imposed on boards by section 344 of the Corporations Act 2001 (Cth). Implicit in that section, and looming large in Justice Middleton's judgment, was the proposition that the board of a listed entity must be ready and able to challenge management in respect of financial reporting.
That construction of a director's duty of care respects the ability of boards to rely on management and advisers without relieving them of ultimate responsibility for the management of the company. Management is meant to do things, boards are meant to make sure they do them and do them properly. APRA's second round submission suggests that either it does not accept that this is the law, that it is sceptical that the law will be observed, or that it wants to prescribe particular ways in which the law is to be observed. The second and third of those options are the most likely explanation for the regulator's approach to the drafting of the prudential standards.
Understood in this way, a fundamental issue with APRA's approach, and the likely source of the criticisms reported in the Interim Report, is that it has the potential to upset the typical division of labour in a large corporation. Redefining the word 'ensure' is not going to resolve that issue.