FAR: How should insurers approach this regulatory step change?

Expert says it's "tricky to implement"

By Daniel Wood

Insurance companies have seen a range of new industry rules and standards come into force in recent years, many as a result of the Hayne Royal Commission. Some industry experts say two new regulations, in particular, are very significant for Australia’s financial services sector, including insurers.

CPS 230, finalised by the Australian Prudential Regulation Authority (APRA) in July, could be a turning point for insurers and how they manage disruptive events and operational risks.

“It’s [CPS 230] hugely important for the insurance industry,” said Sydney-based Rachel Riley, head of strategic operations for Ansarada, in a recent interview with Insurance Business.

The second piece of legislation is the Financial Accountability Regime Bill 2023 (FAR). This bill has passed the House of Representatives and is currently before the Senate.

This Bill replaces the Banking Executive Accountability Regime (BEAR), which dates to the Banking Act 1959. However, BEAR only applied to banks. FAR will extend “BEAR like accountability” to the insurance and superannuation industries.

According to a Bills Digest on the Parliament of Australia website, FAR “imposes four fundamental sets of obligations.” The Digest describes these obligations as relating to accountability, key personnel, deferred remuneration and notifications.

How significant is FAR?

Liam Hennessy, a partner with global law firm Clyde & Co, put that dry Bills Digest summary into stark terms: “The Financial Accountability Regime (FAR) is arguably the most significant change to Australia’s financial services regulatory landscape in a generation,” he said.

Brisbane-based Hennessy specialises in financial services risk and compliance, licensing and regulatory matters. He also lectures on these topics at Griffith University.

Hennessy told IB that, under FAR, insurers will need to identify directors and senior executives, detail their specific responsibilities in accountability statements and conduct their activities in accordance with broad obligations like ‘integrity’ and ‘skill’.

“If they don’t,” said Hennessy, “they can be personally liable, as can the organisation.”

The Senate is currently sitting and if it passes this legislation, he said, it will come into force for insurance companies in 18 months.

Personal accountability

The Clyde & Co regulations expert suggested that the main change for insurers under FAR is how accountability is more personal.

“For an example, take ‘Responsible for protecting against cyberattacks’ for the chief technology officer,” said Hennessy. “What taking ‘reasonable steps’ in this context means is different for each organisation in terms of size, complexity and risk.”

He said this “will inevitably lead to questions” around insurers’ operations.

FAR implementation: up to nine months

Hennessy said Australia’s insurance companies could learn from his firm’s experience dealing with a similar legislative rollout in the UK called the Senior Managers and Certification Regime (SM&CR).

He said the first tip for insurers from that experience is to engage directors and executives about FAR changes early. Hennessy said Clyde & Co considers FAR implementation time for a small insurer to be six to nine months.

“FAR is deceptively simple in practice and tricky to implement in actuality,” said Hennessy. “It is also emotive as it potentially impacts on personal finances, reputations and responsibilities.”

The second tip, he said, is ensuring that executives and directors have the right information to both make decisions and fix any problems which arise in their area.

“Individuals faced with the concerns of personal liability are likely to act in several understandable but ultimately unhelpful ways,” said Hennessy.

He gave the example of directors possibly straying into the ambit of management roles or executives creating ‘paper waterfalls’ of unnecessary attestations from direct reports that everything is within compliance parameters.

“Or they may approach challenges from an individualistic standpoint like not getting involved in that spot fire, as it’s not in their statement,” he said. “Approached clumsily, FAR can be deleterious to corporate culture.”

“Intensely” evidence based

One feature of the FAR regime that stands out, said Hennessy, is how it is “intensely evidence-based.”

“A director or executive who has bespoke responsibilities marked against their name and who signs their accountability statement without having had those responsibilities stress-tested is at appreciable risk when something breaks in their domain,” he said.

Hennessy said they could find themselves “building a defence contemporaneously” while the regulators examine them.

Risk and people are “key drivers”

Another feature of the regime, he said, is how a firm’s risk and people divisions will be the key FAR drivers in both implementation and operation.

“If they are not working closely together in understanding the joint demands of directors and executive concerns on the one hand, and regulators’ concerns on the other, it is a recipe for disaster,” said Hennessy.

He said it’s important to run FAR simulations, which he likened to running cyberattack simulations.

“Take a director charged with domestic abuse, or tax evasion outside the workplace,” said Hennessy. “The chief people officer’s division may initiate a Human Resources investigation on the grounds that this could be a breach of the FAR obligation of ‘integrity’ or ‘honesty’.”

He said that without the involvement of the chief risk officer’s (and general counsel’s) division in the set-up and operation of FAR investigations, such an investigation could generate considerable risk from both the regulatory and executive side, for example if they sue.

Hennessy said some issues for a firm to consider would include whether its definition of ‘integrity’ extends to conduct outside work, whether an investigation would be kept confidential and whether there is an overlap with other breach reporting requirements.

Clyde & Co has published a practical guide to help insurers and other financial services companies deal with FAR: “Practical pitfalls for FAR implementations – Seven deadly sins”.
