Insight,

FAR is here – what does it mean for insurers and insurance?

03 August 2021

Our People
KWM Kinetic
Owl Advisory
AU | EN
Current site :    AU   |   EN
Australia
EN |
China
JP | ZH | EN |
China Hong Kong SAR
ZH | EN |
Japan
JP | ZH | EN |
Singapore
ZH | EN |
United States
EN |
Global
ZH | EN |

This article is written by Mandy Tsang, Travis Toemoe and Rouzbeh Ansari

Overview

On 16 July 2021, the Treasury released its much-anticipated consultation draft legislation introducing the Financial Accountability Regime (FAR, the Regime), which will extend the Banking Executive Accountability Regime (BEAR) to all entities that are regulated by APRA, as well as introducing further obligations for affected entities. We have published a general overview of the Regime on our website.

This update:

  • focuses on the specific impact of FAR on general, life and private health insurers (and their registered authorised Non-operating Holding Companies (NOHCs)); and
  • considers whether APRA regulated entities should reassess their insurance policies.

When?

Subject to a ministerial declaration, FAR will apply to insurers (and the insurers' NOHCs) from the later of 1 July 2023 or 18 months after the Regime has commenced (which will depend on when the legislation is passed and assented to).

What?

Under FAR, an accountable entity must comply with its:

  1. accountability obligations;
  2. key personnel obligations;
  3. deferred remuneration obligations; and
  4. notification obligations,

and must also ensure that its "significant related entities" comply with certain obligations. Please see our earlier general overview for further details.

Accountable persons

Treasury has identified 14 streams of responsibilities that are common to all locally incorporated accountable entities (please see our earlier overview for a list of these). NOHCs are subject to a separate 5 streams of responsibilities, rather than the 14 applicable to locally incorporated entities. Insurers that form part of a broader corporate group should note that, in certain circumstances, individuals who are not employed by the insurer may nonetheless be caught as "accountable persons". 

In addition, FAR imposes 2 further prescribed responsibilities for insurers. The first of these is senior executive responsibility for the actuarial function. Treasury's decision to differentiate insurers from other accountable entities by reference to this core function unique to insurers is not surprising.

The second specialised responsibility is senior executive responsibility for the insurers' claims handling function. However, this is expressed to concern the development, maintenance and review of the framework that goes to managing the accountable entity's claims handling function – and may not include the execution of the function.  This role, together with the recent reforms to the Corporations Act which treat claims handling as a financial service (see our previous article on this here), demonstrates the increased regulatory focus in this area and the higher bar to which insurers will be held when it comes to claims handling. Depending on the insurer's organisational structure, there may be joint accountability for this responsibility across multiple executives, including the responsible manager for claims handling for the purpose of the insurer's Australian Financial Services Licence. This may undermine the aim that there be a "single point" of accountability for each responsibility.

The inclusion of these two specific responsibilities should not suggest that the general 14 responsibilities are of any less importance to regulators of the insurance industry or could be of less significance to insurers. In fact, many of the general responsibilities have been subject to not only increasing regulatory scrutiny but also the insurers' own renewed attention to compliance following the Financial Services Royal Commission. These include those with respect to risk management, internal audit, compliance, IDR and EDR, remediation programs and breach reporting.

End-to-end product responsibility

Consistent with APRA's previous indications, one prescribed responsibility for all APRA regulated entities is end-to-end product responsibility. The aim of this responsibility is to ensure holistic management of the value chain, including when the function is outsourced, rather than disaggregation by stages. It is not necessary for the relevant accountable person to have technical expertise on every stage of the product chain.

With adjacent marketing, product and digital innovation being a focus for many insurers as they look to new markets and digital channels, as well as vertical and conglomerate mergers on the rise, insurers venturing forward should be mindful of this new responsibility. It is important to note that end-to-end product responsibility is broad, with the only exclusion currently contemplated being road-side assistance. It will accordingly be important to have someone with the requisite skillset to meet this new prescribed responsibility. What might comprise the necessary skillset will likely depend on a range of matters including the nature of the product, the distribution channel and the intended consumer.

This end to end product responsibility seems to impose obligations upon the accountable person which is already imposed on the company under the design and distribution obligations (DDO) legislation.  Further, in some cases, the individual responsibility under FAR appear to go further than what is required for a company under the DDO regime.

The consultation material envisages that the responsible person will likely be the CEO of a small accountable entity or Head of a business division of a larger more complex accountable entity (APRA recognises that there may be more than one person with this responsibility – e.g. in each core division).

Accountability obligations of Accountable Persons

Accountable persons in the insurance industry will be expressly required to fulfil their responsibilities with honesty, integrity, due skill, care and diligence and deal with the regulators in an open, constructive and cooperative way. Importantly, they will be required to take reasonable steps in fulfilling their responsibilities to prevent adverse impact on their entity's prudential standing, as well as ensure compliance with applicable laws and regulatory regimes including any financial services law, the Insurance Act 1973 (Cth) (Insurance Act), Life Insurance Act 1995 (Cth) and Private Health Insurance (Prudential Supervision) Act 2015 (Cth).

The latter obligation was not included in BEAR and has the potential to significantly increase the potential sources of liability faced by accountable persons (as described in our earlier alert). It is troubling that an entity or individual could be found to be in breach of multiple legislation for one act with the imposition of different liabilities or penalties under different legislation.

Notification obligations (core and enhanced)

FAR will require all accountable entities to notify ASIC and APRA of certain events concerning the entity and its accountable persons, (such as the appointment or cessation of accountable persons, or a reduction in variable remuneration) as well as of certain breaches of the Regime. These are known as the core notification obligations.

In addition, some accountable entities—proposed to be demarcated by reference to their total assets—will be subject to enhanced notification obligations. The consultation materials indicate that general and private health insurers with total assets over 2 billion dollars and life insurers with total assets over 4 billion dollars will be subject to these enhanced obligations.

In short, enhanced notification obligations will require accountable entities to provide accountability statements and an accountability map, and updates to them, to the regulators (broadly similar to ADIs' current obligations under BEAR). The Exposure Draft Explanatory Materials describe the former as a document which comprehensively states the accountable person's responsibilities accompanied by a statement made by the accountable person personally confirming the accuracy of the content of the document and the person's understanding of the same. The latter is described as a separate document which will contextualise the position of all accountable persons within the accountable entity and its related bodies corporate, the accountable persons' responsibilities and the lines of reporting between them. Both ASIC and APRA are proposed to be able to determine any other matters which will form part of these documents.

Based on our experience with BEAR, the accountability statements and accountability map are important documents which will require material time and input from various business divisions to prepare, particularly for entities which are considering changes to their governance or organisational structure in preparation for FAR, or for corporate groups that contain more than one "accountable entity". The regulators have indicated that they expect to see, and comment on, draft maps and statements prior to implementation.

Enforcement

FAR contemplates civil penalties for breaches of the Regime by an accountable entity, being the highest of:

  • $11.1 million dollars (current equivalent to the prescribed 50,000 penalty units);
  • three times the benefit derived and detriment avoided; or
  • 10% of the annual turnover of the body corporate capped at $555 million dollars (2.5 million penalty units).

Should an accountable person breach their obligations, the regulators are empowered to direct that their remuneration be readjusted, their responsibilities reallocated or to disqualify them for a period of time. Accessorial liability may also arise from an accountable entity's breach of FAR obligations.

Interestingly the range of regulatory powers exercisable by APRA and ASIC do not completely align with their powers under other legislation such as the Insurance Act.  For example, under s 52 of the Insurance Act, there is a two-step process for APRA to investigate the insurer – first that it must appear to APRA that the entity has not complied with the Insurance Act or the Financial Sector (Collection of Data) Act 2001 (Cth) (amongst other things); second, APRA must require the entity to show cause why it should not be investigated.  In contrast under s 42 of FAR, the Regulator may investigate an accountable entity or significant related entity if it "reasonably believes" that the accountable entity, the significant related entity or accountable person has contravened a provision of FAR.  Arguably, the two regimes should be consistent.

Insurance policies

Given the wide range of penalties and regulatory action available to APRA and ASIC under FAR, accountable entities should consider whether their insurance policies (such as professional indemnity, statutory liability and directors and officers liability policies) adequately cover them and their accountable persons.  Consideration should be given to whether new types of claims should be covered, such as for an insured person to contest a disqualification order, for insureds to contest other reviewable decisions under FAR or to respond to other regulatory investigations.

APRA regulated entities should bear in mind that under FAR, like BEAR, a related body corporate of an accountable entity cannot indemnify nor pay premiums for an insurance contract that would insure the accountable entity against the consequence of breaching an obligation under FAR (albeit excluding insurance coverage or indemnification for legal costs).  As under BEAR, the scope of this prohibition and what is within the scope of "consequence" of breaching a FAR obligation is unclear.

Accordingly, entities should ensure that their policies, deeds of indemnity and constitutions are drafted or amended in a way that does not breach this prohibition, or they risk a situation where a policy, otherwise validly negotiated and incepted, is voided by the Federal Court. This is a delicate exercise to preserve as much coverage as possible whilst staying within the boundaries of the prohibition. Whether it is open for an accountable entity to take out and pay for its own insurance policy which covers it for the consequences of breaching FAR obligations will need to be explored.

Interestingly, unlike the position in BEAR and public expectation prior to the release of the FAR exposure draft materials, the prohibition above does not extend to indemnifying or paying premiums for accountable persons or insurance policies covering these individuals, which should provide some reassurance for accountable persons and their employers.

The Treasury intends that accountable persons will be members of the Board and various senior executives who ordinarily should be covered under a D&O policy. If there is any doubt as to whether any holders of the office of the accountable person are covered, entities should consider expressly adding them as insured persons.

Conclusion

We have supported our banking clients to both meet the initial implementation requirements of BEAR and its ongoing application (see our previous article here). This Exposure Draft provides an opportunity for insurers and other participants in the financial services industry to make submissions prior to 13 August 2021.

Insurers should also start considering whether their governance and compliance regimes meet their FAR obligations and reassess coverage under their insurance policies.

We have extensive experience in this area and would be happy to assist.

Categories

MEET THE AUTHORS

SHOW MORESHOW LESS
LATEST THINKING
Insight
AI governance in government: Is your agency ready for the ANAO’s spotlight?
The Australian National Audit Office’s (ANAO) has recently emphasised the importance of agencies having effective and specific AI governance frameworks. This was the key message coming out of the ANAO’s performance audit report on the ATO’s Governance of Artificial intelligence.

14 March 2025

Insight
B Corps: To B or not to B
We explain what a B Corp is, how to become a B Corp and some of the benefits and challenges of obtaining this certification.

13 March 2025

Insight
The Cyber Security and Critical Infrastructure Rules have now been registered
Following a period of consultation on rules to support the Government’s Omnibus Cyber Security and Critical Infrastructure package discussed here, 4 of the 6 proposed rules have now been registered.

13 March 2025

EXPLORE LATEST THINKING
OUR PEOPLE
LOCATIONS
MEDIA CENTRE
CAREERS
ABOUT US
KWM KINETIC
OWL ADVISORY BY KWM
Explore Our Expertise
Explore insights
Explore Our Insights

Advertising and Targeting Cookies