APRA has issued a summary report card of ANZ, CBA and NAB’s BEAR implementation. WBC was omitted from the review due to Austrac’s allegations of anti-money laundering breaches.
Following APRA’s prudential CBA enquiry (see HERE), APRA found that CBA had the “most developed approach” for its BEAR implementation. ANZ was identified as less effective, having “invested less in centralised resources”, while NAB was somewhere in between.
CBA had 3.6 FTEs in its centralised BEAR functions, while ANZ has 1.25. NAB had 2.25. All banks have since added to their centralised BEAR teams, although ANZ has hired one FTE to the other banks’ two. Reporting paths also differed with CBA’s, ANZ’s and NAB’s centralised BEAR function reporting into the Deputy CEO, the Chief Risk Officer and the Company Secretary respectively.
All banks performed well on defining accountabilities among senior executives, which APRA noted, had “sharpened focus on identifying, mitigating and resolving significant risk.” There were still challenges around allocating accountability that spanned multiple business units or technology functions, with ANZ still working out some issues around IT accountabilities for executives below the CEO, although it appears to have ironed this out since.
NAB was effective in scenario testing, due to the regular nature of its testing, which APRA believed would help reflect evolving business situations and changes in personnel, exploring gaps, overlap or points of handover. ANZ’s strong point was handling handover of accountable persons. It created a checklist identifying key information to include in the handover.
In terms of accountable persons in taking “reasonable steps” to ensure they were meeting obligations under the BEAR, delegating the responsibilities down the chain was ok, it seems, as long as it was not done via broadcast, such that every direct report received the same list of duties. Instead, a tailored to-do list was better as it enabled executives to only delegate responsibilities within the direct report’s span of control.
The most important part for remuneration was the consequence management framework detailing what happens if breaches occur.
CBA had the most developed consequence management framework, with detailed guidance on variable remuneration adjustments to decision makers, based on a range of risk outcomes including worked examples with impacts on multi year deferred remuneration. NAB’s framework lacked the detail to ensure consistency. ANZ’s process had been “bottom up” to assess accountability of executives for risks, and was judged “too complex”.
An effective path to consequence management has four key steps, according to APRA.
Breach identification- What is a breach? Are there guidelines with quantitative and qualitative thresholds? Is there a variety of sources to supplement self-reporting?
Escalation and assessment – Are there guidelines for how breaches are assessed and escalated in a way that minimises conflicts of interest? .
Investigation – Are there principles-based processes to inform decision to launch an investigation, including criteria to engage external parties to assist, eg legal counsel?
Consequence management – Are there processes and guidelines that detail the consequences an ADI could apply to respond to incidents across a spectrum of incidents of varying severities?
Since the review, ANZ, CBA and NAB have all worked on improving consequence management, by reducing conflicts of interest or strengthening processes to investigate accountability, assess breaches or monitor information sources.
In notes for boards, APRA makes the point that there is no perfect formula for execution, just the right outcome, i.e. meeting the basic obligations under the BEAR. It is up to directors to decide how best to go about it. It seems their preferred modus operandi has been to become more hard-nosed, with directors letting BEAR know they had been more engaged and more meaningfully challenging management. One director said BEAR had “sharpened our ability to question who is responsible, gave permission to directors to cut to the chase when there was an airy-fairy response given to something and it made it easy for a director to ask management directly who is the BEAR accountable executive and what did they do”.
Sounds like executives in every industry should be BEARed to the same scrutiny.
APRA points out that better practice for consequence management would be to be able to show where the new frameworks have led to the right behaviour. This would be a very interesting development, as few regulators (and add to that list proxy advisers, investors and many boards) have actually reviewed the behavioural impacts of remuneration and other governance aspects on behaviour.
Read the full APRA review HERE.© Guerdon Associates 2021 Back to all articles