FAR is not far away are you ready

What you need to know

The Financial Accountability Regime (FAR) bill was reintroduced to Parliament on 8 September.  It is not substantially different from the 2021 version of the bill which lapsed when the general election was called this year.

The timeline for implementation is fast approaching.  The earliest commencement date of FAR is 2023 for the banking sector and 2024 for the insurance and superannuation sectors.

FAR will be administered by ASIC, as well as APRA (the Regulators) and introduces a number of new features to the Banking Executive Accountability Regime (BEAR). BEAR currently only applies to the authorised deposit-taking institutions (ADIs) and is solely administered by APRA.

You can access our previous Financial Services Update on the 2021 FAR bill here.

What you need to do

With significant obligations on financial institutions and their directors and senior executives, potential civil penalties for contraventions, onerous breach reporting requirements and uncertainty regarding the full reach of FAR, now is the time to prepare for the commencement of the regime.

• ADIs, who are already subject to BEAR, should evolve and mature their accountability frameworks to support compliance with FAR and mitigate potential future exposures under the regime.  Domestic ADIs should consider which entities within their groups are likely to be 'significant related entities' and therefore indirectly fall within the scope of FAR.
• Insurers and registered superannuation entities should move now and get ahead on the steps required to implement FAR, noting that core governance, risk management and other arrangements may need to be uplifted before the regime takes effect.
• Directors and senior executives should be briefed on how they could best demonstrate compliance with FAR.  D&O insurance policies and deeds of indemnity should be reviewed to ensure potential FAR exposures are covered to the extent possible.

Why has FAR been introduced?

The financial system is a central driver of economic growth. Decisions taken by directors and senior executives of financial institutions are important and have flow on effects for the Australian economy and for consumers.

FAR imposes a strengthened responsibility and accountability framework for financial services institutions and their directors and most senior and influential executives (accountable persons). In doing so, the regime aims to improve the risk and governance cultures of these institutions and to promote the improved performance and stability of the Australian financial system.

FAR is the government's implementation of recommendations 3.9, 4.12, 6.6, 6.7 and 6.8 of the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (Royal Commission).

FAR imposes four core sets of obligations

The FAR imposes four core sets of obligations:

• Accountability obligations: which require entities in the banking, insurance and superannuation industries (accountable entities) and their accountable persons to conduct their business in a certain manner (i.e. honestly and with care, skill and diligence);
• Key personnel obligations: which require accountable entities to nominate accountable persons to be responsible for all areas of their business operations;
• Deferred remuneration obligations: which require accountable entities to defer at least 40 per cent of the variable remuneration (for example, bonuses and incentive payments) of their accountable persons for a minimum of 4 years, and to reduce their variable remuneration for non-compliance with their accountability obligations. Additional remuneration requirements apply under APRA's new Prudential Standard CPS 511 Remuneration; and
• Notification obligations: which require accountable entities to provide ASIC and APRA with certain information about their business and accountable persons and, for entities above a certain threshold to be determined by the Minister, to prepare and submit accountability statements and an accountability map to the Regulators.

How does FAR differ from BEAR?

There are a number of material differences between BEAR and FAR, including the following:

• Scope of the FAR more narrow in certain respects:  whereas BEAR indirectly captured all subsidiaries of ADIs, FAR will extend only to 'significant related entities' of APRA-regulated entities.  Uncertainty remains as to when in which a group entity will have a sufficiently material and substantial relationship with an APRA-regulated entity to fall within the scope of FAR.
• Key focus on compliance: obeying the law is a key focus. Accountable persons will be obliged under FAR to take reasonable steps to prevent material contraventions of specified laws.  Accountable persons and accountable entities will also be required to take appropriate action in response to non-compliance, or suspected non-compliance.  This brings into sharper focus the adequacy of the design and operational effectiveness of an accountable entity's compliance management framework (refer to our separate article 'Compliance in the spotlight- APRA heightens focus on Compliance Risk');
• Deferral of variable remuneration simplified:  FAR reflects a simplified deferral requirement. The proposed regime requires that 40% of an accountable person's variable remuneration be deferred for a minimum period of four years (with cliff vesting at four years).  Enhanced deferral requirements will apply for significant financial institutions under APRA's Prudential Standard CPS 511 Remuneration (CPS 511). See our previous Financial Services Updates on CPS 511 here and here.  FAR clarifies the definition of 'variable remuneration' by, for example, making clear that retention bonuses will fall within the definition. The start date for the four year deferral period will be earlier under FAR than currently, in alignment with the deferral requirements in CPS 511.
• Enhanced compliance for larger entities: the distinction between 'small', 'medium' and 'large' ADIs under BEAR has been replaced by new references to 'core' and 'enhanced' compliance entities.  Reflecting a proportionate application of the regime for smaller entities, only enhanced compliance entities must submit accountability statements and maps to the Regulators (although they must still be prepared).
• Civil penalties potentially higher for breaches by entities: the maximum civil penalty that may be imposed on an accountable entity for failing to comply with FAR will range from $11.1 million to $525 million, and could potentially be higher in certain circumstances.  This replaces the maximum penalties under BEAR which currently range from $10.5 million for small ADIs to $210 million for large ADIs.  Individuals (including accountable persons) may also be liable to pay a civil penalty of up to $1.05 million if, for example, they are in any way, directly or indirectly, knowingly concerned in, or party to a contravention of certain provisions of FAR. 

What does a mature accountability framework look like?

Larger organisations operating an accountability framework in a mature state will have a number of arrangements in place and will have navigated their way through various considerations, such as those noted below:

• Accountability principles: The accountability framework will be designed and documented around clear accountability principles which may cover, for example, the approach used to identify accountable persons and the circumstances in which accountabilities may be jointly owned.
• Organisation structure and governance: For some entities, a review of board and management committees, delegation of authority frameworks and reporting lines may be necessary. Complex questions for groups which have non-operating holding companies or non-APRA regulated parents of one or more APRA-regulated subsidiaries may need to be resolved, often involving trade-off decisions between centralised decision making and operating a federated group model.   
• Assisting accountable persons to comply with their accountability obligations: Reasonable steps frameworks are often implemented which require an accountable person to map individual accountabilities to underlying governance, risk management, compliance and other arrangements to demonstrate how accountabilities are discharged in practice. There are numerous challenges and pitfalls associated with reasonable steps frameworks, including the business's understanding of what 'good' looks like in the context of specific arrangements to identify any gaps or areas for uplift, and 'kitchen sick' approaches which result in unduly lengthy documents which do not assist accountable persons.
• Scenario testing: Scenario testing of accountabilities will take place at least once a year for directors and executives, facilitating the realisation of FAR as a powerful tool to drive improved performance, governance, risk management and culture throughout the organisation. Accountabilities are tested across enterprise-wide value chains to ensure clarity and completeness, to facilitate diagnostics on potential accountability exposures and to deliver training on issue management to mitigate risks.
• Monitoring accountability practices: A governance or accountability office is established to undertake an annual cycle of accountability-related activities. These including monitoring how well accountable persons are discharging their accountability obligations through reviews of risk, compliance, audit and other reports and thematic deep dives on reasonable steps frameworks.  Responsibilities are formally distributed to direct reports of accountable persons and often further down the management chain.
• Change management: Holistic, periodic reviews of accountabilities and robust change processes are in place to keep accountability statements and maps up to date.  Accountable person handover processes are in place with documented continuity for changes at board and executive level.
• Breach and consequence management: Breach reporting and performance, consequence and remuneration frameworks are integrated with with accountabilities.  Breaches are defined, escalation process are clear and principles-based processes for investigation are established.
• Regulatory engagement: Mandatory notifications are provided to the Regulators and regulatory engagement is open, constructive and co-operative.
• People and culture: FAR is communicated widely across the entity and embedded in culture programmes.  The framework minimises conduct risk and enhances organisational risk culture.
• Assurance and effectiveness of the accountability framework: Assurance is provided over the design and operating effectiveness of key controls that mitigate risks.  Success measures for the accountability framework are defined and an approach to conducting a review of the effectiveness of the framework has been established.
• Reporting to the board on accountability: Reporting to the board on accountabilities is established, including as part of the performance review process for senior executives in all aspects of the regime .

A proportionate approach will be required for smaller organisations operating a streamlined approach to accountability having regard to the nature, scale and complexity of their operations.

How we can help

Given the expected short implementation period for the regime, our APRA-regulated clients will need to clarify quickly how the legislation affects them and commence work on their FAR implementation to ensure they are ready for the regime.

We have a mixed disciplinary legal and risk advisory business with significant depth advising financial services clients in Australia on their regulatory obligations and requirements.  We would be happy to assist our clients and their directors and senior executives on all aspects of the regime.

_{Ashurst Risk Advisory Pty Ltd (ABN 74 996 309 133) provide services under the Ashurst Consulting brand and are part of the Ashurst Group. Ashurst Consulting services do not constitute legal services or legal advice, and are not provided by Australian legal practitioners. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services. For more information about the Ashurst Group and the services offered, please visit www.ashurst.com.}

_{Liability limited by a scheme approved under Professional Standards Legislation (Ashurst Risk Advisory only).}