21/11/2023

On 14 September 2023, the Financial Accountability Regime (FAR) received Royal Assent. The regime will apply to the banking sector (from 15 March 2024) and superannuation and insurance industries (from 5 March 2025). Whilst a similar regime exists in the United Kingdom from which some guidance may be derived, the application of FAR in Australia remains to be tested.

In this article, we consider the potential enforcement actions and approach that regulators could adopt if accountable entities and accountable persons have not acted in accordance with their FAR obligations.

Introduction: A new era for financial services enforcement

FAR comprises the Financial Accountability Regime Act 2023 with consequential amendments and transitional matters addressed under the Financial Accountability Regime (Consequential Amendments) Act 2023. Our previous articles discuss how we can help you to implement FAR to support effective governance, risk and compliance.

But what does the introduction of FAR mean for financial services enforcement action? We take a look at the administration of FAR’s precursor, the Banking Executive Accountability Regime (BEAR), and other financial services legislation in Australia as well as the Senior Managers and Certification Regime (SMCR) in the United Kingdom to find some possible answers.

What we know

The regime will replace and extend BEAR (which only applies to authorised deposit-taking institutions (ADIs)), to:

  • general insurers, life insurers, private health insurers, registrable superannuation entities and licensees and indirectly, to their significant related entities (accountable entities); and
  • all directors and most senior executives of these accountable entities (accountable persons).

FAR is to be jointly administered by APRA and ASIC (Regulators).

There is a slew of enforcement actions which the Regulators are empowered to take under FAR. However, ASIC is only empowered to exercise powers in relation to entities that hold an Australian Financial Services Licence, or an Australian credit licence, significant related entities and/or accountable persons of these entities.

On 24 October 2023, the Regulators hosted a webinar on FAR in which they announced that they will publish an information statement on their approach to enforcement of FAR in the first quarter of 2024.

Powers given to the Regulators under FAR include the power to:

  1. investigate an entity or accountable person, if there is reason to believe they have contravened an obligation under FAR;
  2. request information through issuing compulsory notices for the production of documents (Part 4, Division 1); and
  3. require a person to appear for an in-person or remote examination concerning matters within the examinee’s knowledge (Part 4, Division 2).

The types of enforcement actions and penalties available to the Regulators, including through Court processes, include the following:

Enforcement type | Enforcement measure | Comparable and/or relevant legislation

Direction (entity)

Part 4, Division 5

The Regulator can direct an accountable entity to take certain actions to address actual or likely non-compliance with obligations.

Directions can include a direction to: (a) take a specific action; (b) undertake an audit; (c) make changes to internal systems and practices; (d) restructure, amalgamate or otherwise alter part of the entity’s structure or that of its relevant group; and/or (e) not take a specific action.

A similar power exists under the Banking Act 1959 and other legislation regulating APRA-regulated institutions.

Direction (individual)

Part 4, Division 5

The Regulator can direct an accountable entity to reallocate the responsibilities of an accountable person of the entity or its relevant group.

This direction can be made in exceptional circumstances to minimise prudential risk or risks of serious non-compliance with financial laws.

Non-compliance with a direction attracts a penalty (50 penalty units, currently $15,650 per contravention) and may also amount to a contravention of a civil penalty provision of FAR.

Disqualification

Part 3, Division 2

The Regulator can disqualify a person from being an accountable person for a period the Regulator considers appropriate, if the Regulator is satisfied that the accountable person has breached their accountability obligations under FAR and having regard to the seriousness of the breach.

If an accountable person is convicted of an offence under FAR, the person can also be disqualified from:

  • being a director, senior manager or auditor of an ADI or an authorised non-operating holding company (NOHC);
  • being a director or senior manager of a general insurer or NOHC or corporate agent;
  • being a director, principal executive or otherwise acting for a life company;
  • acting as an officer or an appointed actuary of a private health insurer; or
  • being a trustee, actuary or auditor of a superannuation entity.

A similar power exists under BEAR, contained in Part 11AA of the Banking Act 1959.

Enforceable undertaking

Part 4, Division 7

The Regulator can accept enforceable undertakings in relation to compliance with FAR.

Undertakings may relate to any matter in relation to which the Regulator has a power or function under the regime (and may therefore impact both accountable entities and/or accountable persons).

Undertakings will be accepted and enforced under Part 6 of the Regulatory Powers (Standard Provisions) Act 2014, as modified by FAR.

Injunctions

Part 4, Division 8

The Regulator may apply for an injunction in the Federal Court of Australia to uphold the requirements of FAR.

The Court may grant an injunction requiring or restraining conduct, for instance to restrain an accountable person and/or accountable entity from engaging in conduct that contravenes a direction given by the Regulator. The Court may also grant an injunction by consent of all parties to the relevant proceedings.

N/A

Civil penalties

Part 4, Division 6

Civil penalties apply in relation to contravention of obligations under FAR and are designed to deter and punish malfeasance and non-compliance with the obligations of the regime.

The maximum penalty for a body corporate, including an accountable entity, is at least 50,000 penalty units (currently $15.65 million, 1pu = $313 under s4AA Crimes Act 1914, as indexed).

The maximum penalty for a person other than a body corporate, including an accountable person, is at least 5,000 penalty units (currently $1.565 million, 1pu = $313 under s4AA Crimes Act 1914, as indexed).

The maximum penalties applicable to either an accountable entity or person may be greater depending on the benefit derived or detriment avoided by the entity or person.

The civil penalties under FAR are consistent with some existing legislative regimes, including the Corporations Act 2001 (Corporations Act), the Insurance Contracts Act 1984, the Australian Securities and Investments Commission Act 2001 (ASIC Act), and the National Consumer Credit Protection Act 2009, and are comparable to those under BEAR.

 

Limited criminal offences

Criminal offences attach to certain instances of non-compliance under the regime, including non-compliance with an investigation, request for information, or directions made by the Regulator, the appointment of disqualified accountable persons, and claims of legal professional privilege.

Five of these offences include a custodial sentence as a maximum penalty.

A director, senior executive or other senior employee of an accountable entity (not just an accountable person) commits an offence if they fail to take reasonable steps to ensure that the accountable entity complies with a direction from the Regulator (50 penalty units, currently $15,650 per contravention).

These offences and their maximum penalties accord with the treatment of failing to comply with a condition of a notice issued by a Regulator under the Banking Act 1959, including for example, by allowing a disqualified person to act as an accountable person.

Court orders for compliance

Part 4, Division 9

If the Regulator is satisfied that a person has, without reasonable excuse, failed to comply with a requirement of FAR, certification of the failure and an order for compliance with FAR may be sought in the Federal Court of Australia.

See, for example, s 1101B of the Corporations Act.

Liability as an accessory

Any person (including an accountable person) can face a civil penalty if they assist another person to contravene a civil penalty provision under FAR (for example, if they aid, abet, counsel or procure, induce, conspire with others, or are in any way, directly or indirectly, knowingly concerned in, or party to, a contravention of a civil penalty provision of FAR).

The civil penalty that may be imposed is the greater of:

  • 5,000 penalty units (currently $1.565 million); and
  • the benefit derived or detriment avoided because of the contravention, multiplied by 3.

 

Impact on regulatory decisions

Breaches of FAR may inform decisions of the Regulator under other laws (e.g. revocation or refusal to grant a licence).

 

Poking the BEAR

BEAR has applied to large ADIs since 1 July 2018 and to small or medium ADIs since 1 July 2019. BEAR also applies to subsidiaries, Australian branches of foreign ADIs and those in director and senior executive roles of these entities and is enforced by APRA.

In its Enforcement Strategy Review, published in March 2019 (and in the subsequent Enforcement Approach paper published in September 2019), APRA outlined a framework to raise its enforcement appetite from one of “last resort” to a “constructively tough” approach to enforcement. Further, in an information paper published by APRA in December 2020 on the implementation of BEAR, APRA noted its intention to embed the range of supervisory approaches available in its day-to-day supervisory activities:

Australian Prudential Regulation Authority, Implementation of the Banking Executive Accountability Regime (BEAR) (Information Paper, 11 December 2020) 24.

Examples of the types of enforcement actions that have been taken by APRA relating to accountability measures since the implementation of BEAR are as follows:

| Enforcement action | Details | Application | Year |
| --- | --- | --- | --- |
| Remedial Action Plans | Following a review of residential mortgage risk management across the major banks, APRA required each bank to develop remediation plans concerning their mortgage risk management frameworks and to nominate accountable person(s) for the development and implementation of the plans. | Accountable entities and/or persons | 2018 |
| Infringement notices | In connection with reported breaches of obligations to report data to APRA, APRA (i) issued infringement notices on a Big Four bank and two of its subsidiaries; (ii) requested these entities clarify the accountable persons responsible for the breaches; and (iii) requested action be taken to address this issue. | Accountable entities and persons | 2019 |
| Enforceable Undertakings | APRA entered into an Enforceable Undertaking with a Big Four bank pursuant to s 18A of the Banking Act 1959, regarding efforts to address risk governance deficiencies. The EU included undertakings concerning the making of necessary changes, and weight to be given, to the accountability for completing certain items as part of an Integrated Plan. | Accountable entity | 2020 |

Examining the background to FAR, and the criticism levied against its predecessor BEAR, may shine a light on the path forward for Regulators.

FAR was developed in response to recommendations from the Financial Services Royal Commission to extend BEAR to other APRA-regulated industries and to have ASIC and APRA jointly administer a new extended regime. The FAR Explanatory Memorandum notes that FAR is aimed at increasing the transparency and accountability of entities in the banking, insurance and superannuation industries, while improving their operating cultures. These aims are stated by reference to an acknowledgement that the decisions of directors and senior executives of financial institutions are important and have flow-on effects for the Australian economy and for consumers.

APRA’s approach to enforcement under BEAR was criticised by consumer advocacy group CHOICE as having ‘precisely zero’ financial impact due to a failure to claw back any executive remuneration or issue any fines for contraventions (APRA Prudential Standard CPS 511 Remuneration has since been introduced requiring APRA-regulated entities to have appropriate consequence management frameworks in place). In submissions made to Treasury in September 2021, CHOICE contended that ‘strong enforcement of FAR is required to ensure that positive cultural change occurs within financial institutions.’ The group voiced its support for the joint administration of FAR between ASIC and APRA, noting that, as a conduct regulator, ASIC will be better positioned to prosecute executives who breach their accountability obligations.

The appropriate balancing of APRA’s approach to enforcement with ASIC’s historical focus on penalties that promote specific and general deterrence may pose a challenge for Regulators.

Takeaway: Regulators will need to reconcile a “constructively tough” approach to enforcement under FAR against criticism that BEAR has not gone far enough.

Other legislation

The totality of the mechanisms for enforcement provided to the Regulators under FAR aligns with those available under existing financial services laws including the Banking Act 1959, Insurance Act 1978, Superannuation Industry (Supervision) Act 1993, Corporations Act, ASIC Act and the Credit Act 2009.

Courts have applied pecuniary penalty provisions for contraventions of applicable financial services laws consistently, and that can be expected to continue under FAR.

Examples of the pecuniary penalties imposed by Courts and their key considerations for imposing the penalties for such contraventions include:

Case name | Relevant contravention | Penalty imposed | Key considerations

Australian Securities and Investments Commission v Westpac Banking Corporation (Omnibus) [2022] FCA 515

Sections 12CB, 12DA, 12DB, 12DI and 12DM of the ASIC Act and sections 912A, 962P, 963K and 1041H of the Corporations Act

Cumulative penalty of $113 million across 6 separate proceedings, with $40 million being the largest penalty issued in a single proceeding

The Court emphasised the importance of specific and general deterrence when calculating appropriate penalties.

The following factors were viewed positively (i.e. supported a reduced penalty):

  • cooperation with ASIC;
  • taking steps to resolve the issues / stop engaging in the conduct;
  • expressing sincere and sufficient remorse; and
  • contraventions arising from system failures rather than intentional wrongdoing.

The following factors were viewed negatively (i.e. supported a higher penalty):

  • conduct occurring over a not insubstantial period of time;
  • preferring the interests of directors, officers and customers over the interests of ASIC, the Commonwealth and regulatory obligations;
  • contraventions with serious consequences; and
  • numerous, systemic failures of systems and processes.

Australian Securities and Investments Commission v Aware Financial Services Limited [2022] FCA 146

Section 12DI(3) of the ASIC Act

$20 million

The Court noted that the penalty reflects the seriousness of the contraventions and should operate as both a specific and general deterrent. When determining an appropriate penalty, the Court had recourse to the following considerations:

  • in cases that involve agreement between the parties as to a very large number of contraventions, it is not helpful to make a finding as to the precise number of contraventions, or to calculate a maximum aggregate penalty by reference to such a number;
  • the contraventions were of a serious nature, extended over several years and arose through admitted failures of Aware Financial Services’ processes and controls;
  • Aware Financial Services’ contravening conduct was not deliberate;
  • the conduct was systematic as it took place over and over again, during an extended period of time;
  • the contraventions arose out of conduct – failures in respect of systems, procedures and processes – within the responsibility of senior management, rather than the conduct of lower level employees; and
  • Aware Financial Services had not previously been found by the Court to have engaged in any similar conduct.

Australian Securities and Investments Commission v Westpac Banking Corporation (The Consumer Credit Insurance Case) (2022) 158 ACSR 647

Section 12DM(1) of the ASIC Act

$1.5 million

While the Court acknowledged the risk of the penalty failing to operate as a deterrent for a ‘large, profitable, asset-rich banking institution’, it found that the conduct did not warrant a ‘penalty anywhere near the upper end of the scale’ for the following reasons:

  • the contraventions were not deliberate or reckless and Westpac’s conduct did not amount to negligence;
  • the contraventions were not systemic;
  • in some cases the customers lost no money, while in most cases the losses were small;
  • Westpac did not profit from the contraventions and, save for one customer who was 10 cents out of pocket, made full and prompt reparation;
  • the risk of Westpac reoffending was substantially reduced as it had since modified its compliance systems and implemented ASIC’s recommendations;
  • Westpac admitted liability relatively early in the proceeding and cooperated with ASIC, a level of cooperation ASIC described as “very constructive”; and
  • Westpac was contrite.

Takeaway: Determinations of appropriate pecuniary penalties under FAR (if such penalties are imposed at all) will likely be framed by reference to the notions of specific and general deterrence. Mitigating factors such as cooperation with Regulators, taking active steps to resolve the conduct giving rise to the contravention and expressing sincere remorse will generally support a reduced penalty.

There have been no applications for civil or criminal penalties for breaches of the specific accountability obligations under BEAR since it commenced in July 2018.

This appears consistent with APRA’s approach to enforcement: as a first step, to influence entities and accountable persons to take preventative or remedial action before they pose a threat to an ADI’s financial viability; next, to escalate these issues where activities are not producing expected outcomes; and then to take formal enforcement action should circumstances warrant it.

The extent to which APRA and ASIC will raise the stakes on enforcement when it comes to civil and/or criminal penalties for accountability specific obligations under FAR based on the BEAR experience is not yet clear.

In a recently published Joint Administration Agreement between APRA and ASIC, the Regulators have given some indication that, in practice, they will work together on investigations and enforcement of FAR, and focus on the following key areas:

  • proactive engagement and cooperation;
  • early and regular consultation with one another;
  • open and timely sharing of information and expertise; and
  • coordinated and timely use of powers.

The Agreement clearly foreshadows the use and exercise of enforcement powers by the Regulators in a coordinated manner.

In relation to monitoring and supervision under FAR, the Regulators will:

  • take a risk-based and outcomes-focused approach to the monitoring and supervision of accountable entities and accountable persons, including surveillance, engagements, reviews and resolving technical queries;
  • collaborate and coordinate on these regulatory activities when there is joint interest on a FAR-related risk area; and
  • keep each other informed as accountability issues are identified and work together as appropriate when resolving these issues with entities.

International Experience

FAR is similar to other leading international accountability regimes, such as the UK’s SMCR and Hong Kong’s Manager-In-Charge measures. These regimes have been developed over time with a stated focus of driving greater individual accountability within corporate entities and increasing the supervisory role of regulators. Under these regimes, penalties have been increasingly applied to entities and individuals, including public condemnation, financial penalties and disqualification.

Take the SMCR for example. The UK’s financial services regulatory bodies include the Prudential Regulation Authority (PRA) which regulates banks, insurers and large investment firms and the Financial Conduct Authority (FCA) which regulates all other firms for prudential purposes.

In June 2022, the FCA released information concerning investigations and enforcement actions in connection with SMCR individuals. From March 2016 to March 2022, 71 enforcement investigations were opened and numerous enforcement measures were taken, where one or more of the individuals being investigated was a Senior Manager:

  • 2 investigations resulted in the imposition of either a financial penalty or public censure against senior management;
  • 1 investigation resulted in the disqualification of senior managers;
  • 1 investigation resulted in an undertaking being entered into with a senior manager; and
  • 20 investigations resulted in no further formal enforcement action, including in cases where there was insufficient evidence of a breach or where alternative action was taken (such as further supervisory action from the regulator). 
  • 1 enforcement outcome in relation to a Senior Manager; and
  • 3 public outcomes resulting from 5 of the investigations (including the publication of a notice prohibiting the individuals from carrying out any activities required by an authorised person).

In April 2023, the PRA imposed its first enforcement action for breach of the SMCR Rules against a Senior Manager, imposing a financial penalty of £81,620.

In this case, the PRA commenced an investigation into the Chief Information Officer (CIO) of TSB Bank plc concerning the migration of information technology services to a new platform, which resulted in the significant disruption of core banking functions for some months. Prior to the migration, TSB sought and obtained assurances from the relevant service provider as to the operational readiness of the new platform and the CIO recommended to TSB’s board that the migration proceed.

In conducting its investigation, the PRA reviewed the CIO’s Statement of Responsibilities under the SMCR and the separate Conduct Rules, which also apply to individuals performing senior management functions and require reasonable steps to be taken to ensure the entity for which the individual is responsible complies with regulatory frameworks.

Takeaway: Under FAR, the accountability obligations imposed on accountable entities and accountable persons are framed by reference to the taking of reasonable steps. There is a non-exhaustive definition of reasonable steps under FAR.

The PRA found that the CIO breached the Conduct Rules because of a failure to take reasonable steps to ensure that TSB complied with the regulatory framework and a failure to adequately manage and appropriately supervise the arrangement with the service provider.

In reaching these findings, the PRA:

  • placed heavy emphasis on the Conduct Rules and Statement of Responsibilities (which is similar to accountability statements required under FAR);
  • looked at the wording of the confirmation provided by the service provider (which included confirmations from fourth parties) and noted that the statements were forward-looking rather than statements of fact regarding the completeness of the readiness activities that had in fact been undertaken;
  • noted that the CIO relied on the fourth party confirmations without further verifying with the service provider whether they had critically assessed the confirmations;
  • was critical of the CIO’s recommendation to the Board because it did not annex the confirmation received from the service provider; and
  • held that the CIO failed to ensure a formal ongoing assessment of the service provider’s capabilities and to take a holistic view of the risks associated with the migration.

Takeaway: The above findings are commensurate with what constitutes reasonable steps under FAR, including having appropriate governance, control and risk management, having safeguards against inappropriate delegations of responsibility, having appropriate procedures for identifying and remediating problems that arise or may arise and taking appropriate action in response to non-compliance or suspected non-compliance.

The FCA has brought enforcement action against a range of individuals under the SMCR Conduct Rules (which are broadly similar to the Accountability Obligations under FAR), resulting in considerable financial penalties and banning orders. One of the most significant and recent FCA enforcement actions was against Mr James Staley (the former CEO of Barclays Bank), which we describe below.

On 12 October 2023, the FCA published a Decision Notice under which it proposed to impose a £1,812,800 penalty on Mr Staley and ban him from the financial services industry. Mr Staley has appealed to the Upper Tribunal both in respect to the financial penalty and to the prohibition order.

The FCA had found Mr Staley to have misled both the FCA and the Barclays Board about the nature of his relationship with the late Jeffrey Epstein. The Barclays Board had sent a letter to the FCA confirming that Mr Staley “did not have a close relationship with Mr Epstein”. In reality, it transpired that Mr Staley had a long friendship with Mr Epstein.

In the Decision Notice, the FCA concluded that Mr Staley breached conduct rules in respect to: (1) integrity; (2) being open and cooperative with regulators; and (3) disclosing to regulators information of which they would reasonably expect notice. Mr Staley resigned as CEO of Barclays Bank in 2021 after the investigation by the FCA into his relationship with Mr Epstein had first come to light.

You can read our analysis of this regulatory enforcement matter in 'FAR Implications: FCA Fines and Bans Barclays CEO'.

Takeaway: Under FAR, the Regulators may take action to ban senior individuals from the financial services sector where the Regulators form the view that they have failed to act with integrity and to be open and honest with both their boards and the Regulators.

Preparing for FAR: Crucial steps for accountable entities

With FAR getting closer by the day, accountable entities should review and update their existing policies and procedures to ensure they are prepared. Only time will tell how a “constructively tough” approach to enforcement under FAR will play out.

In the meantime, we have published guidance for ADIs and superannuation entities on the transition to FAR: 'Long-awaited regulatory guidance for ADIs on the transition to FAR' and 'Financial Accountability Regime: Key aspects for RSE licensees'. Regulators also intend to publish further guidance specific to the insurance and superannuation sectors in the first quarter of 2024.

We have implemented BEAR and FAR for in excess of 30 APRA-regulated entities, routinely provide strategic advice to Boards and Executives on the identification and mitigation of potential BEAR and FAR exposures and have led internal investigations into potential breaches of the regime.

If you need assistance with any aspect of the regime, don't hesitate to contact us.
