Beyond the BEAR Necessities
Wayne Byres, Chairman - UNSW Centre for Law Markets and Regulation Seminar, Sydney
Thank you for the invitation to be part of this morning's event.
Before I make some specific remarks on the new Banking Executive Accountability Regime (BEAR), I'm going to request the organiser's indulgence to say a few words about accountability in the financial sector more broadly. That's because the key point I'd like to make this morning is that the BEAR provides an important new framework for promoting stronger accountability in the banking sector, but more than the BEAR alone is needed if financial institutions truly wish to demonstrate accountability.
Trust in financial institutions
Trust is the foundation stone for a financial business. Depositors in banks need trust that their deposits are safe and available when needed. Policyholders need trust their insurers have the wherewithal to pay claims when they are made. Superannuation members need trust that their investments will be managed in their long-term interests. Without that foundation stone of trust, a business can quickly crumble.
The Australian financial system is widely acknowledged as financially sound. There's no sign that the community lacks trust in the underlying financial strength of the institutions they deposit, insure and invest with. But while the financial sector might be trusted to be safe, it is far less trusted to 'do the right thing' – and at the moment that form of trust is taking a severe hit. That is not as fatal as it would be if an institution's financial soundness was called into serious question. It is unlikely to lead to a bank run, for example. It does, however, still have commercial implications, and will likely make the financial system less efficient and competitive over the longer run than it might otherwise be.
The financial institutions that APRA regulates operate in a privileged position in society. Their products are, in many cases, effectively mandatory. Very few of us could live without the convenience and functionality of a bank account; some classes of insurance are compulsory, and for others it's very unwise to live without; and we are all obliged to contribute to our superannuation. This privileged position is compounded by two other important characteristics of financial products: the difficulty consumers have in judging their value and quality; and the long-term commitment (contractual or behavioural) often involved.
The result is the financial sector provides products which are, in many cases, not optional to consume, difficult to understand, and of great importance to an individual's overall financial well-being, now and into the future. That combination of compulsion, opacity and materiality generates, as a quid pro quo, a heightened expectation that financial institutions will exhibit high standards of behaviour in the way they operate.
Of course, things can and do go wrong. The financial system comprises thousands of financial institutions, employing hundreds of thousands of people, competing for the financial business of the Australian community. The system as a whole, and the institutions that operate within it, are increasingly complex. The unrelenting competitive drive to lower costs, speed up service, develop new products, find new distribution channels, and enter new markets generates great benefits to the community over time, but won't be successful in every instance. Inevitably, things will go wrong. Systems and processes will fail, bad decisions (even with the best intent) will be made.
Institutions always need to do everything they can to minimise these risks. But given heightened expectations of behaviour in the financial sector, it is also important that when things do go wrong they are quickly and transparently identified, reported and rectified. The community will be far more likely to maintain its trust that the sector will do the right thing if it is evident there is accountability when it does not.
The interest of the prudential regulator
All of that's well and good, but why is a prudential regulator talking about these different aspects of trust? One might think APRA is only interested in the first form of trust that I mentioned earlier – trust that financial institutions are safe. Given our mandate, that is definitely our primary focus. But we are also interested in the issues of governance, culture and accountability that are central to the current community debate. Why? Because they have potential to tell us something about how financial institutions respond to and deal with risk. Traditional prudential requirements for adequate financial resources may not be sufficient when an institution suffers from poor governance, weak culture, or ineffective risk management. These deficiencies can, if severe and persistent enough, threaten the financial soundness that is at the heart of prudential safety.
As APRA has taken an increasing interest in issues of risk culture within financial institutions, some have questioned whether it leads to a blurring of responsibilities between APRA and ASIC. That is not the case. We certainly have complementary interests, and we work together to ensure we are aligned and coordinated in our activities, but the two agencies come at the issue from different perspectives. (And in any event, I would advocate that a small degree of overlap between regulators is better for the community than any form of gap in regulatory oversight.) ASIC, reflecting its own mandate, will take an interest in shortcomings that lead to damaging outcomes for consumers and markets. APRA, on the other hand, has an interest in failings in governance, culture and accountability that indicate a lax attitude to risk-taking, which might ultimately impact the soundness of the financial institution itself (and thereby jeopardise the interests of depositors, policyholders and superannuation fund members).
Which brings me to the BEAR, which imposes substantially strengthened requirements in relation to accountability within banking organisations. In its design, the BEAR draws its inspiration from the Senior Manager Regime (SMR) in the UK. However, the BEAR is narrower in coverage: the BEAR applies only to ADI groups, and deals primarily with matters related to the prudential standing and reputation of the ADI. For this reason, the BEAR is naturally administered by APRA. The joint administration between the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) that occurs the UK reflects the wider range of institutions and behaviours that are covered by the SMR.[1] Were the BEAR to be broadened at some stage in the future, a similar joint administration might well be appropriate in Australia. Until then, it is framed with a prudential focus and hence administered by a prudential regulator.
Bringing the BEAR to life
The BEAR formally comes into effect very shortly: 1 July 2018. In practice though, implementation occurs over time. The new regime applies to the largest banks from day one; other ADIs have a further year before they are subject to the BEAR. There are also additional transitional provisions within the legislation: from a requirement that allows ADIs three months to register their accountable persons, to allowing until the end of 2019 to accommodate the remuneration requirements in pre-existing executive employment contracts. So it will be some time before the BEAR is in full force.
Broadly, there are five main elements to the BEAR and I'd like to say a few words about each: registration, obligations, accountabilities, remuneration and sanctions.[2] In each case, I'll talk about the new requirements, and what's changing from the regime in place today.
The first element is registration.
The BEAR prescribes a set of 'accountable persons'. These are essentially the directors and senior executives responsible for an ADI's overall health and well-being. The BEAR requires accountable persons to be registered with APRA before they can perform their duties.
Accountable persons are deemed registered 14 days after they have lodged their registration.[3] Unlike the UK SMR, there is no scope for regulatory approval of appointments, nor any process of interviews. That is a deliberate choice: it maintains accountability for senior appointments where it rightly belongs – with the Boards and senior executive teams that are making the appointments. However, unlike the current process which only requires an ADI to notify APRA after an appointment,[4] the BEAR requires an executive to be registered prior to taking up duties. While APRA will not be vetting all appointments, the pre-appointment registration does provide an opportunity, should we be aware of information that might make an appointee unsuitable, to discuss any concerns with the individual or the employing ADI.
The second element of the BEAR is obligations.
New statutory obligations apply to both accountable persons, and ADIs. These obligations require each to (i) act with honesty and integrity, (ii) with due skill, care and diligence, and (iii) deal with APRA in an open, constructive and cooperative way. In doing so, they must also take reasonable steps to prevent matters arising which would undermine the ADI's prudential standing and prudential reputation.[5]
Are these new obligations onerous? I personally don't think they are notably more onerous than the existing requirements in our Prudential Standards, which requires that 'responsible persons' possess the competence and character to perform their roles.[6] Of course, there's no explicit obligation at present to be open and cooperative with APRA, or any formal obligation to prevent matters arising that would undermine the ADI's prudential standing and reputation. But I hope no one wants to claim they require senior executives to do something they shouldn't naturally do!
The third element of the BEAR is the requirement for accountability maps and statements.
Each accountable person needs to have an accountability statement, setting out the aspects of an ADI's operations for which they are accountable. Each ADI must have an accountability map, showing how the statements come together to cover the totality of an ADI's business and risks. Together, the map and accompanying statements establish clarity on the allocation of accountability across the executive team within an ADI.
To the person in the street, this wouldn't seem particularly difficult. After all, all executives have some kind of role statement that sets out their broad responsibilities, and they have staff reporting to them that undertake various functions and that they oversee. But this is probably the most important element of the BEAR. In many ADIs, there is often collective responsibility for various aspects of its business: for any given process or product, there are often hand-offs of responsibility (including, at times, to external partners and suppliers). But this creates the risk of collective responsibility leading to no individual accountability. Clarity of accountability – the foundation of the BEAR – goes to the heart of a strong risk culture.
In speaking with some executives and directors in the largest ADIs – not all of whom, I must admit, were fans of the BEAR – they acknowledge the benefits that the accountability statements and maps can bring them from a business perspective. The complexity of organisational structures, with the separation of product manufacturing, distribution, and operations, makes it challenging to ensure it is clear who is responsible when things are not as they should be. Clearer accountabilities can only be beneficial.
Clearer accountabilities can also improve remuneration outcomes. As we noted recently, it is not uncommon for performance metrics within executive scorecards to be weighted more heavily to the performance of the institution rather than the individual.[7] On a positive note, this promotes a collegiate whole-of-organisation focus but, on the other hand, can also permit poor risk outcomes in a particular business line to be 'averaged out' across the business as a whole, reducing the impact on the executive(s) most accountable and potentially undermining effective risk management. Clearer accountabilities should allow for more targeted scorecards, and thereby greater alignment between the outcomes an individual delivers and the rewards he or she receives.[8]
Which brings me to the fourth element: the remuneration requirements.
The BEAR requires ADIs to defer a minimum proportion of an accountable person's variable remuneration – generally 40 per cent for executives, or 60 per cent for the CEO, of a large bank – for a minimum of four years.[9] It also requires ADIs to have remuneration policies that provide for the reduction in variable remuneration should an accountable person fail to comply with their obligations, and to exercise the provision should circumstances warrant it. Contrary to some beliefs, however, the BEAR does not grant APRA any power to determine what amount of remuneration an individual should receive.
The basic requirements of the BEAR – a remuneration policy, and provision for the reduction of variable remuneration when warranted – are in place today. But compared to today, the BEAR introduces the prescribed minimum deferral amounts and terms, and creates a stronger link to the statutory obligations I referred to earlier.
The BEAR will therefore mean accountable persons have more skin in the game for a longer period of time than is typically the case now and will place greater pressure on ADIs, when adverse prudential outcomes occur, to explain how that has been factored into remuneration outcomes. As a result, the BEAR will require many ADIs to restructure their remuneration frameworks. As I did a few weeks ago, I'd encourage all ADIs to think more holistically about the right structure for performance-based remuneration[10] – the BEAR's '40 per cent for four years' formula is not necessarily the right mix for all. Alongside our recent remuneration review, the BEAR provides an opportunity to fundamentally rethink remuneration frameworks and achieve a stronger alignment with long-term financial safety and a strong risk culture. It will be a lost opportunity if everyone just defaults to the minimum.
The fifth and final element of BEAR are the sanctions.
These apply at two levels: the ADI and the individual. For ADIs, the BEAR provides a penalty regime in instances where the ADI has failed to meet its obligations under the legislation – put simply, failing to operate with integrity, skill, care and diligence, or preventing the prudential standing or reputation of the ADI from being materially undermined.
I'd like to point out here, in response to some misunderstandings that seem to exist, that APRA cannot impose the fines unilaterally: APRA must make a successful case before the Courts. That will require APRA to have a belief as to its reasonable grounds for success, and that the offence is material.[11]
For individuals, the financial sanctions for any failure to fulfil their obligations will be addressed via the ADI's remuneration policy. APRA's sanction is a disqualification power – the power to remove an accountable person from their role, and in the most extreme cases, prevent them for taking on any similar role in the industry in the future. This is obviously not a power that will be used lightly, but appropriate and useful where necessary to eliminate known poor behaviour endangering prudential safety.
APRA's role
I want to finish by noting another concern that some have raised about the BEAR: that it somehow changes APRA's role. I hope I've been able to point out today that that's not the case. Many aspects of the BEAR are already present in APRA's prudential framework, and the BEAR has been framed from a prudential perspective. In that sense, the BEAR should be viewed as a major strengthening of APRA's prudential framework, not an expansion of its mandate. And the BEAR is not dissimilar to a number of other management responsibility/fitness and propriety regimes that are administered by APRA's prudential peers in other jurisdictions.[12]
The BEAR certainly provides for a strengthening of after-the-event sanctions that could apply if things go seriously wrong in an ADI. But its real value, I hope, will be to support APRA's preventative role by promoting strong and clear accountability, and ensuring directors and executives who have the primary responsibility for the safe and sound operation of an ADI stay focussed on that task. Indeed, that has been the experience in the UK: despite the SMR's extensive penalty regime, the UK authorities have only needed to use it sparingly because the industry itself has lifted its game.
Concluding remarks
The BEAR provides a major strengthening of the accountability regime for the directors and senior executives of ADIs. The clarity of accountabilities, the clear obligations, and the potential sanctions, will inevitably focus the minds of all concerned on ensuring that accountabilities are understood, and issues that need attention are promptly addressed. But by itself, BEAR will not be a panacea to perceptions of a lack of accountability in the financial sector. It is a strong regulatory foundation, but it would be wrong to rely on regulations alone. To fully address the community's concerns, the industry itself will need to do more.
The BEAR will mean changes to the way ADIs govern and manage their businesses. This provides an opportunity to demonstrate to the community that accountability is actively practiced within the industry. To that end, it is important that the BEAR is not seen as a compliance exercise, but rather a trigger to genuinely improve systems of governance, responsibility and accountability.
Organisational complexity and diffused responsibility have been at the heart of many of the issues that have damaged the standing of the banking industry in recent years. Often, process failures or poor decision-making have been the result of a lack of clear accountability for ensuring a product works as it should, a risk is fully understood, or that a system delivers what was intended. To the extent that BEAR provides a catalyst to untangle that complexity and provide clear accountability for putting things right, it can only be a good thing. Regulators will play their role, but the industry needs to wholeheartedly embrace that opportunity and think beyond the BEAR necessities.
Footnotes
- Even with joint administration, the PRA still retains a key role when it comes to the administration of the SMR as it applies to prudentially regulated entities.
- An easy way to remember the five elements is the BEAR ROARS.
- Where APRA requests additional information in relation to an individual, registration is deemed to occur 14 days after that information is provided.
- In practice, many entities do provide APRA with advance notice of the most senior roles.
- The obligations of the ADI and accountable persons are all subject to taking reasonable steps to comply, with the exception of the obligations on an individual accountable person to act with honesty and integrity, to act with due skill, care and diligence, and to deal with APRA in an open, constructive and cooperative way.
- See Prudential Standard CPS 520 Fit & Proper, para. 30.
- APRA Information Paper (April 2018), Remuneration Practices in Large Financial Institutions.
- That is not to imply that a collective responsibility amongst the senior executive team for a financial institution’s overall performance and well-being is not a good thing. Such an approach has important benefits, but it should not come at the cost of personal accountability for specific outcomes.
- These percentages are subject to a cap, which may apply in some circumstances when variable remuneration is a high proportion of total remuneration.
- See Byres, W. (April 2018), 'The Incentive to Fly Safely', speech to the AFR Banking and Wealth Summit.
- The Explanatory Memorandum for the Bill stated: 'The Government expects that APRA would only seek a civil pecuniary penalty for significant breaches of the BEAR.'
- More than a dozen jurisdictions have initiated or instituted new requirements targeting accountability in various forms, ranging from increased fitness and propriety requirements to explicit approval of senior executives prior to appointment. While there is a range of complexity in these proposals, they are all ultimately targeted at holding financial executives accountable.
The Australian Prudential Regulation Authority (APRA) is the prudential regulator of the financial services industry. It oversees banks, mutuals, general insurance and reinsurance companies, life insurance, private health insurers, friendly societies, and most members of the superannuation industry. APRA currently supervises institutions holding around $9 trillion in assets for Australian depositors, policyholders and superannuation fund members.