FAR: How should insurers approach this regulatory step change? | Insurance Business Australia

Legal Insights

Expert says it’s “tricky to implement”

By Daniel Wood

Insurance companies have seen a range of new industry rules and standards come into force in recent years, many as a result of the Hayne Royal Commission. Some industry experts say two new regulations, in particular, are very significant for Australia’s financial services sector, including insurers.

CPS 230, finalised by the Australian Prudential Regulation Authority (APRA) in July, could be a turning point for insurers and how they manage disruptive events and operational risks.

The second piece of legislation is the Financial Accountability Regime Bill 2023 (FAR). This bill has passed the House of Representatives and is currently before the Senate.

How significant is FAR?

Liam Hennessy, a partner with global law firm Clyde & Co, put that dry Bills Digest summary into stark terms: “The Financial Accountability Regime (FAR) is arguably the most significant change to Australia’s financial services regulatory landscape in a generation,” he said.

Brisbane-based Hennessy specialises in financial services risk and compliance, licensing and regulatory matters. He also lectures on these topics at Griffith University.

Hennessy told IB that, under FAR, insurers will need to identify directors and senior executives, detail their specific responsibilities in accountability statements and conduct their activities in accordance with broad obligations like ‘integrity’ and ‘skill’.

“If they don’t,” said Hennessy, “they can be personally liable, as can the organisation.”

The Senate is currently sitting and if it passes this legislation, he said, it will come into force for insurance companies in 18 months.

Personal accountability

The Clyde & Co regulations expert suggested that the main change for insurers under FAR is that accountability becomes more personal.

“For an example, take ‘Responsible for protecting against cyberattacks’ for the chief technology officer,” said Hennessy. “What taking ‘reasonable steps’ in this context means is different for each organisation in terms of size, complexity and risk.”

He said this “will inevitably lead to questions” around insurers’ operations.

FAR implementation: up to nine months

Hennessy said Australia’s insurance companies could learn from his firm’s experience dealing with a similar legislative rollout in the UK called the Senior Managers and Certification Regime (SM&CR).

He said the first tip for insurers from that experience is to engage directors and executives about FAR changes early. Hennessy said Clyde & Co considers FAR implementation time for a small insurer to be six to nine months.

“FAR is deceptively simple in practice and tricky to implement in actuality,” said Hennessy. “It is also emotive as it potentially impacts on personal finances, reputations and responsibilities.”

The second tip, he said, is ensuring that executives and directors have the right information to both make decisions and fix any problems which arise in their area.

“Individuals faced with the concerns of personal liability are likely to act in several understandable but ultimately unhelpful ways,” said Hennessy.

He gave the example of directors possibly straying into the ambit of management roles or executives creating ‘paper waterfalls’ of unnecessary attestations from direct reports that everything is within compliance parameters.

“Or they may approach challenges from an individualistic standpoint like not getting involved in that spot fire, as it’s not in their statement,” he said.  “Approached clumsily, FAR can be deleterious to corporate culture.”

“Intensely” evidence based

One feature of the FAR regime that stands out, said Hennessy, is how it is “intensely evidence-based.”

“A director or executive who has bespoke responsibilities marked against their name and who signs their accountability statement without having had those responsibilities stress-tested is at appreciable risk when something breaks in their domain,” he said.

Hennessy said they could find themselves “building a defence contemporaneously” while the regulators examine them.

Risk and people are “key drivers”

Another feature of the regime, he said, is how a firm’s risk and people divisions will be the key FAR drivers in both implementation and operation.

“If they are not working closely together in understanding the joint demands of directors and executive concerns on the one hand, and regulators’ concerns on the other, it is a recipe for disaster,” said Hennessy.

He said it’s important to run FAR simulations, which he likened to running cyberattack simulations.

“Take a director charged with domestic abuse, or tax evasion outside the workplace,” said Hennessy. “The chief people officer’s division may initiate a Human Resources investigation on the grounds that this could be a breach of the FAR obligation of ‘integrity’ or ‘honesty’.”

He said that without the involvement of the chief risk officer’s (and general counsel’s) division in the set-up and operation of FAR investigations, such an investigation could generate considerable risk from both the regulatory and executive side, for example, if they sue.

Hennessy said some issues for a firm to consider would include whether their definition of ‘integrity’ extends to conduct outside work, whether an investigation would be kept confidential and whether there is an overlap with other breach reporting requirements.
