FAQ: How the Australian Financial Accountability Regime (FAR) will affect CIOs

As part of its response to the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry, the government is planning to expand its executive accountability regime.

The transformation of the Banking Executive Accountability Regime (BEAR) into the Financial Accountability Regime (FAR) means that more chief information officers will be subject to rules governing their conduct and their variable remuneration.

What is the Banking Executive Accountability Regime (BEAR)?

The government in 2017 announced that it would introduce legislation to create the ‘Banking Executive Accountability Regime’ (BEAR). The government described the new rules as the biggest overhaul of the Australian Prudential Regulation Authority’s powers since APRA’s formation in 1998.

The rules currently apply to authorised deposit-taking institutions (ADIs); essentially those entities with an Australian banking licence. Major banks were covered by the BEAR from 1 July 2018. From 1 July 2019, small and medium ADI holders were covered.

The BEAR meant that an ADI is required to identify and register its so-called accountable people with APRA. Accountable people are directors and senior executives. That covers the senior executive responsible for an organisation’s information management, including IT systems.

Organisations are also required to provide APRA with individual “accountability statements” setting out the specific responsibilities of an executive or director, as well as an “accountability map” for the institution.

Both BEAR and the new FAR system feature a collection of accountability obligations for organisations, including conducting business with honesty and integrity, and with due skill, care and diligence.

The rules for both systems mandate the notification of the regulators in circumstances such as a relevant individual leaving the organisation or not meeting their accountability obligations.

How does the BEAR affect remuneration?

The BEAR includes some requirements on deferred variable remuneration: A minimum amount of variable remuneration must be deferred for at least four years. The amount varies depending on the size of the ADI.

“Given the variation in structures and complexity of remuneration arrangements utilised across the industry, an ADI will need to determine an implementation approach appropriate to its own remuneration structures and in accordance with APRA’s prudential framework,” an APRA BEAR implementation paper (PDF) explains.

“APRA expects ADIs to assess their deferred variable remuneration calculations against the intent of the legislation and to ensure that there is a sufficient pool of deferred remuneration to allow for meaningful downward adjustments should an accountable person fail to comply with his or her accountability obligations.”

The intention is to make sure that an executive (or director) can be held to account if they fail to live up to their accountability obligations, allowing their variable remuneration to be reduced when appropriate.

What is the Financial Accountability Regime (FAR)?

The FAR is essentially an expansion of the BEAR system to cover all entities regulated by APRA. In addition to ADIs, APRA has oversight of insurers, including private health insurers, and superannuation funds (although no self-managed superannuation funds).

The extension of BEAR to all APRA-regulated entities was one of the recommendations of the banking royal commission.

A second major change introduced by FAR is that the Australian Securities and Investments Commission (ASIC) will be made an administrator of the system, alongside APRA

The government is currently consulting on the implementation of the FAR system, and it has revealed some measures that will differ from the current BEAR rules. Banks will transition from BEAR to FAR.

Are small and medium businesses covered by the FAR?

All APRA-regulated entities will be covered by the new system. However, there will be two categories of entity: Core compliance entities and enhanced compliance entities, replacing the BEAR classifications of small, medium and large ADI.

Core compliance entities will not be required to submit accountability maps and statements to the FAR administrators (APRA and ASIC).

“APRA has found that accountability maps and statements are of most benefit for large and more complex institutions as they provide further clarity about their accountability arrangements,” states a consultation paper (PDF) released by the Treasury.

APRA, ASIC and the minister will be able to exempt organisations, but that power is not expected to be used frequently.

How does the FAR affect CIOs?

Similar to BEAR, FAR will require an organisation to register details of an “accountable person”. The definition is based on a person having a senior executive position within an organisation with control over a substantial part of its operations. A senior executive in a subsidiary may also be covered.

“An accountable person will be defined using a principles-based element and a prescriptive element,” the consultation paper explains.

The prescriptive element of the definition will be outlined in a list of particular responsibilities drawn up by ASIC and APRA, with the regulators able add additional responsibilities as necessary. The indicative list includes “senior executive responsibility for information management, including information technology systems, for the entity”.

The consultation paper states that an accountable person must:

• act with honesty and integrity, and with due skill, care and diligence;
• deal with APRA and ASIC in an open, constructive and cooperative way (noting that this will not displace legal professional privilege);
• take reasonable steps in conducting those responsibilities to prevent matters from arising that would adversely affect the prudential standing or prudential reputation of the entity;
• take reasonable steps in conducting their responsibilities as an accountable person to ensure that the entity complies with its licensing obligations

How does the FAR affect executive remuneration?

The FAR has somewhat similar rules to the BEAR. At least 40 per cent of the variable remuneration of accountable people will be deferred for at least four years (as long as the deferred amount is in excess of $50,000).

“Variable remuneration is so much of an accountable person’s total remuneration that is not guaranteed because it is conditional on the achievement of pre-determined objectives and can be forfeited if these objectives are not met,” the consultation paper states.

If an accountable person does not live up to their obligations, there must be policies in place that can reduce the variable remuneration they receive.

Can an individual be banned from being a CIO?

The FAR extends ARPA’s ability to veto individuals from being appointed a director or to a senior executive role. The ability will be available to the regulator in the period between an organisation applying to register an accountable individual and that registration taking effect. An individual can seek an ARPA review of a decision, and a further review by the Administrative Appeals Tribunal.

Will more businesses eventually be covered by the rules?

Following implementation of the FAR, the government says it intends to extend the rules to cover all ASIC-regulated entities

What are the penalties for breaching FAR rules?

Entities can be slapped with fines of up to $10.5 million (50,000 penalty units), or any benefit obtained as a result of a contravention multiplied by three, or 10 per cent of annual turnover (up to 2.5 million penalty units, or $525 million). Individuals face fines of up to $1.05 million (5000 penalty units) or the “benefit derived or detriment avoided because of the contravention, multiplied by three”.

When will the FAR take effect?

The government says it has not yet determined a timeframe. It is accepting submissions on the implementation of the FAR until 14 February.