21 February, 2019
Bringing the norms of conduct to life | Insight series on the Hayne Royal Commission Final Report
The Final Report of the Royal Commission makes a number of recommendations in relation to the extension of Banking Executive Accountability Regime (BEAR) and, in its response the Government goes further and proposes to extend it to all ASIC licensed entities. The recommendations include having APRA and ASIC co-administer BEAR and to extend the accountability obligations.
The Royal Commission focused not just on breaches of law, but also conduct of financial institutions which fell short of community standards and expectations. In the Final Report, the Commissioner's emphasised the need for financial institutions to conduct themselves in accordance with 6 "norms of conduct", and for regulation to reflect this, so as to ensure that those standards and expectations are met. BEAR, as a form of principles-based regulation, presents the means now for APRA, and in due course ASIC, to enforce these standards and expectations.
Introduction
The Hayne Royal Commission has shone an intense spotlight on conduct in the financial services industry at all levels from senior executives down. This has prompted extensive discussion about what more can be done to achieve effective leadership, good governance and appropriate culture within financial services institutions. In response, the Royal Commission recommends a simplification of regulation, with a greater focus on financial institutions adhering to higher standards of conduct, based around what Commissioner Hayne referred to as the 6 "norms of conduct". This marks a significant step towards principles-based regulation in Australia.
The introduction of the Banking Executive Accountability Regime (BEAR) in mid-2018 also represented a material step forward in that direction. BEAR requires banks and their accountable executives to meet "accountability obligations". They include obligations to:
- act with honesty and integrity
- act with due skill, care and diligence
- deal with APRA in an open, constructive and co-operative way
- take reasonable steps to prevent matters from arising that would adversely affect the ADI's prudential standing or prudential reputation.
Significantly, Commissioner Hayne recommends that this regime be extended to all other APRA regulated entities. He also recommends that ASIC and APRA jointly administer BEAR, with ASIC overseeing the conduct aspects of BEAR, and APRA the prudential aspects. The Government, in its response to the Final Report goes further, and recommends BEAR be extended to all financial services entities regulated by ASIC.
In other words, BEAR becomes the Financial Executive Accountability Regime (or "FEAR").
This signals a major shift in financial services regulation in Australia. A shift that will have real implications for financial services institutions and their senior executives. In short, we are on a journey towards principles-based regulation in Australia, with ASIC and APRA having significant powers to enforce the standards this regulation imports.
It is more important than ever for financial institutions and their senior individuals to get to grips with what is expected of them in a post-Royal Commission world. As the Royal Commission has shown, there are significant financial and reputational consequences of not getting it right.
The focus on conduct risk
Since the global financial crisis, regulators globally have spent a great deal of time emphasising the importance of conduct risk. This is the human factor – the risk of inappropriate, unethical or unlawful behaviour. It can be either deliberate, or inadvertent, because of inadequacies in an organisation's processes, frameworks or training programs. Culture is a key driver, influencing why people act in a certain way, along with incentives.
Whilst in recent years Australian financial institutions have had a focus on the management of conduct risk, there have been no real consequences attaching to conduct risk failures. BEAR has only recently been introduced and prior to its introduction, APRA had relatively few powers available to it to address conduct risk issues. Similarly, whilst Australian financial services licensees have been subject to broad based obligations under section 912A of the Corporations Act, a contravention of these obligations did not, of itself, attract penalties. Accordingly, there has been an absence of credible deterrence, a real risk of being caught doing something wrong, and consequences of being caught. That is changing.
The 6 'norms of conduct' – laying the foundations for more effective regulation of conduct risk
In the Final Report, Commissioner Hayne proposes that six norms of conduct be adopted as the basis for regulation. They are:
- Obey the law
- Do not mislead or deceive
- Act fairly
- Provide services that are fit for purpose
- Deliver services with reasonable care and skill
- When acting for another, act in the best interest of that other
Commissioner Hayne favours simpler regulation which is principles-based around these norms. He also recommends minimising "exceptions to the rules" which might detract from these norms.
So how is this different to the general obligations to which licensees have been subject to date, such as the obligation to 'do all things necessary to ensure' that the financial services or credit activities are provided 'efficiently, honestly and fairly'? In the Final Report, Commissioner Hayne states that understood properly, the general obligation would embrace all six norms. However, it is not clear to us that this is how the Courts have approached this obligation. Despite the relatively few cases seeking to define the scope of the obligation, it remains vague at best.
Principles-based regulation – a revolution?
We are clearly moving to a regulatory regime which is more principles-based, one which reflects community expectations. BEAR is at the forefront of this, with its broadly cast accountability obligations.
Principles-based regulation entails setting out in simple terms the high level standards that financial services institutions and senior individuals must meet – for example, the BEAR accountability obligations. Further legislation to encapsulate the 6 norms of conduct would take this significantly further.
Detailed laws or rules may state how those principles are to be understood in particular contexts. However, the principles are typically broader in their scope. They are outcome focussed. They are flexible. There is considerable potential for the norms of conduct to encompass activity which is not currently the subject of existing law. The precise boundaries are unclear, and would be set progressively by the courts in contested cases. Their content and scope may change over time, as the financial services industry evolves and community expectations are adjusted. They will inevitably be considered, and enforced, with the benefit of hindsight.
Commissioner Hayne has encouraged ASIC and APRA to enforce the law, with a "why not litigate" philosophy. He has also suggested that their enforcement performance be reviewed in a few years' time to assess whether they are being effective. So it is reasonable to expect that we will see the spotlight continue to shine on the sector for some time yet. Time will tell how the APRA and, in due course, ASIC enforce BEAR (or FEAR) and how the Courts apply the law.
Specific recommendations in relation to BEAR
Some more detail and commentary on the specific recommendations in the Final Report is set out below.
Extension of BEAR to financial services industry
BEAR should be extended to all APRA-regulated financial services institutions (Recommendations 3.9, 4.12 and 6.8)
The Government Response to the Final Report (Government Response) goes further. It proposes the extension of BEAR to all Australian Financial Services Licence (AFSL) holders, Australian Credit Licence (ACL) holders, market operators, and clearing and settlement facilities.
Treasury had already foreshadowed the extension of BEAR to other financial services institutions in its submission to the Royal Commission dated 13 July 2018, together with a possible extension to cover conduct or behaviour that is systemic in nature, and not just that which has a prudential impact on an institution. Most of the accountability obligations already cover such conduct or behaviour, and need not be amended to do so.
However, civil penalties may only be imposed on an ADI under BEAR if the ADI's contraventions relate to "prudential matters" (a term defined in the Banking Act). It appears likely that this qualification will be removed in the ASIC-administered regime.
Joint APRA/ASIC administration of BEAR
BEAR should be administered jointly by ASIC and APRA, so that ASIC is charged with overseeing those parts of BEAR that concern consumer protection and market conduct matters, and APRA is charged with overseeing the prudential aspects of the regime (Recommendation 6.6)
Perhaps in anticipation of the recommendations in the Final Report, ASIC and APRA have already commenced conducting joint supervisory meetings with financial services entities. Information shared with the regulators in the course of supervisory meetings could form the basis of subsequent enforcement action against an entity.
What is clear is that both regulators' appetites for enforcement action is currently high. Hayne recommends a more litigious approach to enforcement by APRA and ASIC, in favour of settled outcomes.
If BEAR is administered by ASIC as well as APRA, it will become relevant to consider whether the requirements of BEAR have been breached in all cases where other legal or regulatory requirements may have been contravened. This involves consideration of whether there are deficiencies in an institution's underlying governance, risk management and controls which resulted or contributed to the specific contraventions occurring. Any such deficiencies may be systemic in nature and, if so, may crystallise again in the future. Regulators are particularly concerned about these systemic issues.
This has significant implications for internal management, internal regulatory investigations and responding to enforcement investigations, which will need to be carefully focussed around the right issues.
Co-operation with ASIC
The accountability obligations of an ADI and an accountable person under BEAR should be amended so that they are required to deal with ASIC, in addition to APRA, in an open, constructive and co-operative way (Recommendation 6.7)
In our view, this requires an ADI and its accountable persons to inform ASIC of all relevant information of which they are aware, in response to questions from ASIC. In determining how to comply, ADIs and accountable persons should consider the likely significance of the information to ASIC, which it would be reasonable for the ADI/accountable person to assume in the circumstances. When complying with breach reporting obligations, the obligation to co-operate with ASIC in an open, constructive and co-operative way may also need to be considered. The obligation is unlikely to override the right to preserve privilege, a requirement to comply with a court order or other obligation imposed by law or by a regulator.
Prescribed responsibility for products
That APRA determine an additional prescribed responsibility (which would apply to domestic ADIs only) for all steps in the design, delivery and maintenance of all products offered to customers by the ADI and any necessary remediation of customers in respect of any of those products (Recommendation 1.17)
APRA's current expectation is that one or more accountable persons of an ADI will be responsible for the design and distribution of products and services, and compliance with associated laws and regulations.
The Final Report goes further in two important respects. First, it recommends that APRA prescribe a responsibility for product design, distribution and maintenance, to be allocated to a single accountable person of an Australian domestic ADI. For ADIs with a diverse range of products, it may not be reasonable to expect any one senior executive to have the necessary bandwidth to discharge the responsibility adequately.
The Final Report also recommends that this individual should also be responsible for the remediation of customers in respect of any of those products, further concentrating responsibility in the hands of a single person who, by now, may already be overloaded.
The Government has proposed to amend the Corporations Act to introduce design and distribution obligations in relation to financial products and to give ASIC new early product intervention powers. These amendments may mitigate the risk of a disconnect between the design of a product to meet particular specific consumer needs via specified distribution channels, the sales processes by which products are in fact distributed and the ongoing reviews of the product to ensure that it is reaching its target market and remains appropriate for them.
An increasing number of institutions are also taking steps to assign individual products to one of a number of product owners, who have responsibility for the product throughout its life-cycle in accordance with an overarching product governance policy.
Such measures are likely to be more effective than the introduction of the prescribed responsibility recommended by Commissioner Hayne.
ASIC and APRA to be subject to BEAR
This brings BEAR in line with the approach adopted in the UK. The FCA is subject to the UK's Senior Managers Regime (on which BEAR has been based).
Conclusion
In a post-Royal Commission world, it is more important than ever for financial institutions and their senior executives to be absolutely clear about their objectives and accountabilities, and how they should best go about discharging them. This takes a lot of planning. It demands time and resources.
There are significant consequences of not getting it right.
For further information, please contact:
Jonathan Gordon, Partner, Ashurst
jonathan.gordon@ashurst.com
