Information paper

Implementation of the Banking Executive Accountability Regime (BEAR)

  • Banking
  • Current
    11 December 2020
Disclaimer and copyright
While APRA endeavours to ensure the quality of this publication, it does not accept any responsibility for the accuracy, completeness or currency of the material included in this publication and will not be liable for any loss or damage arising out of any use of, or reliance on, this publication.
© Australian Prudential Regulation Authority (APRA)
This work is licensed under the Creative Commons Attribution 3.0 Australia Licence (CCBY 3.0). This licence allows you to copy, distribute and adapt this work, provided you attribute the work and do not suggest that APRA endorses you or your work. To view a full copy of the terms of this licence, visit https://creativecommons.org/licenses/by/3.0/au/ 

Executive summary

The Banking Executive Accountability Regime (BEAR) is a major legislative reform that commenced on 1 July 2018 for large authorised deposit-taking institutions (ADIs) and on 1 July 2019 for medium and small ADIs. The BEAR has driven greater clarity and transparency of individual accountability at ADIs, and is a key regulatory lever for APRA to drive action from ADIs and to transform governance, risk culture, remuneration and accountability (GCRA) outcomes across the industry.
APRA completed a review of the implementation of the BEAR at Australia and New Zealand
Banking Group Limited (ANZ), Commonwealth Bank of Australia (CBA) and National Australia Bank Limited (NAB) (‘the large ADIs’) over the period from December 2019 to February 2020. Westpac Banking Corporation (WBC) was not included in the review due to an ongoing investigation into potential breaches of the Banking Act 1959 (Act).
APRA is publishing the key elements of the feedback provided to the large ADIs from this review to share examples of better practice with all stakeholders. Importantly, this
Information Paper does not create new obligations for ADIs or accountable persons to comply with, beyond those set out in the Act. The publication of this Information Paper is part of APRA’s commitment to transparency made in its 2019 Information Paper on Transforming governance, culture, remuneration and accountability.

Overall assessment of the large ADIs, as at February 2020:

The review found that all large ADIs had designed adequate frameworks to administer the BEAR. These actions have delivered a stronger understanding of the end-to-end accountability obligations of accountable persons at the ADIs, have sharpened challenge by boards on executive accountable persons’ actions, and facilitated more targeted engagement with APRA to achieve prudential outcomes.
However, the overall maturity of the approaches to implement the BEAR differed and APRA’s assessment for each ADI, as at February 2020, is summarised below. APRA assessed the approaches taken by the ADIs to support the operation of the BEAR, to define and deliver accountability, and to establish a breach and consequence management framework. This assessment was based on APRA’s supervisory judgement about the relative maturity of the approaches taken, considering the ADIs’ relative size and complexity.
  • ANZ had designed adequate frameworks to administer the BEAR at the time of the review, but was considered to be at an earlier stage of maturity than its two peers in embedding the BEAR. In particular, APRA considered that ANZ could provide better support to the board and accountable persons to embed the regime, and could simplify its breach and consequence management process for the BEAR;
  • CBA had the most developed approach to implement the BEAR and had benefited from the execution of the remedial action plan associated with the Prudential Inquiry.
    Nevertheless, CBA could improve monitoring of accountable persons’ ‘reasonable steps’ and undertake periodic scenario tests to proactively identify gaps in accountabilities; and
  • NAB had designed adequate frameworks to implement the BEAR and demonstrated better practice in conducting periodic scenario tests, but could take further action to embed the key principles of BEAR in its ongoing risk management. NAB could improve the monitoring of reasonable steps being taken by accountable persons, and strengthen the design and implementation of the consequence management process supporting the regime.

Thematic feedback points identified in the review:

APRA identified a range of thematic points from its review of the large ADIs, that are summarised below.
  • The large ADIs could benefit from better monitoring the actions taken by accountable persons to fulfil their accountability obligations. To date, APRA observed that these ADIs had different levels of understanding about the actions being taken by individual accountable persons to fulfil their obligations;
  • Non-executive accountable persons could reflect on whether the ADI’s governance arrangements and their individual practices enable them to demonstrate how they, and the ADI, are meeting their accountability obligations. The board performance assessment may be a useful tool to demonstrate that BEAR obligations are being met; and
  • Executive accountable persons could consider how they can more deliberately align their actions and records with the ADI’s expectations about what constitutes reasonable steps to deliver accountability obligations. This process could be supported by routine monitoring and assurance to inform the ADI about the actions taken.

Better practice observations:

APRA identified a range of better practice observations that could help other ADIs to improve their implementation of the BEAR, and to drive clearer and more effective accountability arrangements in practice. These observations are based on approaches used by three large ADIs, and so may not be entirely relevant to smaller and less complex ADIs.
Support for implementation and operation of the BEAR: introducing centralised resources to implement the BEAR, and to provide meaningful support to accountable persons to meet their obligations;
Defining accountabilities: having robust processes in place to ensure that accountabilities remain clear and accurate on an ongoing basis, including to reflect business changes;
Delivering reasonable steps: establishing frameworks that support accountable persons to take reasonable steps, and monitoring the range of practices that accountable persons are using to meet their obligations through periodic reporting;
Breach and consequence management: integrating the consequence management and remuneration framework to reinforce accountability obligations through variable remuneration decisions; and
BEAR for non-executive directors (NEDs): having the board reflect and decide on whether existing governance practices are sufficient to demonstrate reasonable steps of NEDs.

Actions the large ADIs have committed to take since the review, as at December 2020:

APRA provided the large ADIs with feedback from the review in June 2020. As at December 2020, the ADIs had committed to taking a range of actions to address this feedback, and to enhance and embed their approaches to implementing the BEAR.
The main actions included:
  • increasing resources in their respective centralised BEAR functions;
  • enhancing the use of scenario testing to explore and clarify roles and responsibilities in hypothetical scenarios;
  • refreshing how responsibilities are cascaded from executive accountable persons to direct reports; and
  • further integrating their consequence management and remuneration frameworks and outcomes.
The detailed entity-specific commitments are included in Attachment B.
APRA will assess the effectiveness of the actions and their outcomes, and continue to engage with the ADIs on progress through its ongoing supervisory activities.

APRA’s supervisory approach:

Consistent with international peer regulators, APRA will continue to embed the BEAR into its ongoing supervisory activities and to use the BEAR to influence ADIs and accountable persons to take preventative or remedial action well before issues pose a risk to an ADI’s financial viability. Chapter 7 highlights a range of supervisory actions APRA has taken to drive better prudential outcomes. However, where these actions are not producing the expected outcomes, APRA is prepared to be constructively tough and use formal enforcement actions, including the penalties provided under the BEAR, should this be necessary.

Glossary

Accountable person
A person, including a senior executive or director, that falls within the definition under section 37BA of the Act
Accountability statement
A comprehensive statement complying with section 37FA of the Act that details the parts or aspects of the ADI’s or ADI group’s operations for which an accountable person is accountable
Act
Banking Act 1959
ADI
Authorised deposit-taking institution
APRA
Australian Prudential Regulation Authority
BEAR
The Banking Executive Accountability Regime set out in Part IIAA of the Act
Breach
For the purposes of this Information Paper, breach refers to an ADI or an accountable person’s failure to meet their respective accountability obligations under the BEAR
Executive accountable person
A person that has actual or effective senior executive responsibility for management or control of the ADI or part of its operations
Large ADIs
For the purposes of this Information Paper, this refers to ANZ, CBA and NAB
Non-executive accountable person
A person responsible for oversight of the ADI as a member of the board of the ADI
Particular responsibilities
The list of responsibilities to be held by accountable persons under subsection 37BA of the Act

Chapter 1 - Objectives of the BEAR and the implementation review

1.1 Objectives of the BEAR

The objectives of the BEAR are to drive significant improvements in the operating culture of ADIs through increasing transparency and accountability, and reinforcing the standards of conduct expected of the banking industry by the Australian community. To achieve these objectives, the BEAR imposes a number of requirements on ADIs, summarised below.

Figure 1. Overview of the BEAR

1.2 Objectives of the Implementation Review

The objective of the review was to assess how effectively ANZ, CBA and NAB had implemented the BEAR, but did not aim to provide assurance that the ADIs or accountable persons were complying with their legal obligations under the BEAR. APRA’s review methodology is set out in Attachment A.
APRA provided feedback to the large ADIs in June 2020 to ensure that they can continue to effectively integrate the BEAR into decision-making and business practices to deliver clear and transparent accountability. Key elements of that feedback are published in this Information Paper to reinforce transparency to lift industry-wide accountability practices.
All ADIs are expected to effectively implement the BEAR. This may include reflecting on the observations included in this Information Paper, and their own practical experiences of implementing the regime. APRA will expect board members and executive management to be able to demonstrate their understanding and implementation of the BEAR obligations through ongoing prudential engagements.

Chapter 2 - Support for BEAR implementation and operation

2.1 Key feedback provided to the large ADIs in June 2020

ADIs are required to take reasonable steps to meet their accountability obligations, including to ensure that each accountable person meets their obligations. To do this effectively, ADIs could benefit from providing support to accountable persons.
APRA observed that centralised BEAR functions played a critical role in the design of accountability statements and maps to implement the regime and to provide support to accountable persons, and were well placed to lead initiatives to strengthen the operating effectiveness of the regime. All of the ADIs also supplemented the central function with decentralised resources that were embedded in the business.
However, APRA found that the large ADIs had different levels of understanding of the actions being taken by individual accountable persons to fulfil their obligations, and all of the ADIs could develop their capabilities to conduct routine monitoring and prepare periodic reporting to the board about the actions taken.

2.1.1 Maturity of approach across the large ADIs, as at February 2020

APRA found that CBA had the most developed approach, partly due to the investment made in its people, frameworks and processes to address the recommendations of the Prudential Inquiry. ANZ had invested less in centralised resources to support the ADI and accountable persons, and had more work to do to focus on the operating effectiveness of the regime.

2.2 Detailed observations

2.2.1 Support for the ADI

All large ADIs introduced centralised BEAR functions to support the board to implement the BEAR. The key attributes that influenced the effectiveness of these functions included their seniority and skills, access to the board and independence from executive management.

Table 1. Structure and resourcing of the centralised BEAR function, as at February 2020 

[1]
This table does not include additional resources the ADI may use outside of the centralised BEAR function.
 
ANZ
CBA
NAB
Reporting
Company Secretary
Deputy CEO
Chief Risk Officer
FTE resourcing
1.25
3.6
2.25
Table 1 outlines the amount of dedicated full time equivalent (FTE) resource that each ADI had in its centralised BEAR team. This shows that CBA had the most dedicated resources, which may have helped it to offer more support to the ADI, and to strengthen the implementation of the regime. In contrast, ANZ had the least centralised resources and placed greater reliance on decentralised resources. This may have impacted its ability to have a consolidated view of the implementation of the regime.

Seniority and skills

All large ADIs had assigned the responsibility for administering the BEAR to staff members with sufficient seniority and skills to interact with the board. These individuals were typically one or two levels below executive accountable persons.

Access to the board

Access to the board varied between the large ADIs, with some ADIs using the formal structure of the centralised BEAR team to access the board, and others using existing internal relationships of individual staff members with board members.
For example, ANZ’s team was part of the Company Secretary’s Office, and was able to access the board directly as the Company Secretary was expected to attend every board meeting. NAB’s team arranged six monthly workshops and an annual scenario exercise with the board, and held ad-hoc meetings with relevant directors to approve the registration of new accountable persons as required. CBA’s centralised BEAR function had less formal access to the board and was reliant on infrequent check-ins to discuss the regime with directors.

Independence

The large ADIs had taken steps to ensure that relevant staff were able to administer the BEAR in an independent manner, so that they could advise the board and executives on issues that may affect individual executives or the board itself.
The ADIs noted that operational independence of these teams created a trade-off in terms of the staff’s ability to understand the needs of executive accountable persons. For example, where an ADI’s centralised BEAR team was structurally independent from executive accountable persons it was more distanced from the day-to-day operations of the ADI, and vice versa.

2.2.2 Support for and oversight of accountable persons

At the time of the review, the large ADIs provided varying degrees of support and oversight of accountable persons to fulfil their obligations, including with respect to advice, monitoring and assurance practices.

Advice

The large ADIs provided advice to accountable persons to assist them to meet their obligations, and sought to strike a balance between principles-based and prescriptive advice. The ADIs noted that if the advice is too prescriptive, it may diminish the agency of accountable persons to fulfil their obligations. Conversely, if they provide complete discretion, accountable persons may not have the appropriate support to make an informed judgement about how to meet their obligations. One better practice observed was CBA creating high-level principles to inform accountable persons about the ADI’s expectations for engaging with regulators in an open and transparent way.

Case Study 1: Support provided to executive and non-executive accountable persons

Accountable persons provided insight into a range of different mechanisms that were used to support them in their implementation of the BEAR obligations. In general, most accountable persons relied on advice and support provided directly by the ADI, and did not consider it necessary to seek third party legal advice to understand their obligations. The level of advice depended on each individuals’ understanding and experience with the regime, or with other comparable regimes.
For instance, one executive accountable person noted that they had worked in similar accountability regimes overseas, and reflected that they were ‘very comfortable to understand what my accountability was. I was astonished how quickly it was implemented. It was a very clear, understandable framework.’ Similarly, a non-executive accountable person noted that ‘considerable work has gone into aligning directors’ duties under the Corporations Act 2001 with the BEAR’ and that this made it easier for directors to understand their obligations.
However, there were also examples of accountable persons taking further action to seek support. For example, one executive accountable person with a relatively new leadership team went to the United Kingdom (UK) to learn from international experience, noting ‘a new team needed to start again and dissect everything we do, so we can say we are best practice’.

Monitoring

Although there will be differences in the actions taken by accountable persons to fulfil their obligations, all large ADIs could enhance how they ensure that each accountable person is complying with their obligations.
ADIs could monitor the reasonable steps taken by accountable persons, consider how they align with the ADI’s expectations, and assess whether accountable persons have the right support to discharge their obligations. This focus on reasonable steps would represent an important shift in the approach of ADIs to maturing their approach to implementing the BEAR and would be supported by embedding clear accountability in decision-making processes and the development of periodic reporting.

Assurance

All large ADIs engaged either internal audit or external consultants to provide assurance about the implementation of the BEAR, however the quality and depth of assurance varied. CBA engaged an external consultant to perform a comprehensive post-implementation review that identified specific actions that could be taken to improve the implementation of the BEAR. CBA had committed to using the insights from this review report to enhance further the operating effectiveness of the regime. In contrast, NAB requested internal audit to perform a post-implementation review shortly after the BEAR commenced, focusing on the compliance aspects of the regime, and planned to conduct an audit on its operating effectiveness in the medium term. ANZ also relied on internal audit to perform a review. ANZ’s review did not use its formal audit methodology and provided only high-level observations on potential areas of improvement to be considered by management.
Over time, ADIs could undertake periodic assurance to ensure that they have a mature understanding of how well they have implemented and embedded the BEAR in practice.

Chapter 3 - Defining accountabilities

3.1 Key feedback provided to the large ADIs in June 2020

The BEAR requires an ADI to ensure full coverage of accountabilities for all parts or aspects of its operations, and to accurately document this in accountability statements and maps.
To ensure that accountabilities remain clear and accurate on an ongoing basis, an ADI should have robust practices in place to maintain accountabilities over time, including to reflect business changes or changes to individual accountable persons.

3.1.1 Maturity of approach across the large ADIs, as at February 2020

APRA found that all large ADIs had a well-developed approach to defining accountabilities, with significant investment made prior to the BEAR commencing to create accountability statements. The large ADIs noted the discipline of allocating accountabilities amongst senior executives has sharpened focus on identifying, mitigating and resolving significant risk issues.
The large ADIs all aimed to maximise individual accountability and limit joint accountabilities. Common challenges included allocating accountability to individuals, particularly where the accountability spanned multiple business units or technology functions. However, whilst CBA and NAB had addressed these issues at the time of the review, ANZ acknowledged it was still experiencing challenges with allocating accountability for information technology to individual executives below the CEO.

3.2 Detailed observations

The diagram below summarises the actions taken by large ADIs to define, update and test the allocation of accountabilities.

Figure 2. Defining accountabilities lifecycle

3.2.1 Create statements

APRA found that the large ADIs followed robust processes to ensure full coverage of accountabilities across the organisation when accountability statements were being created. These processes included holding interviews, workshops, challenge sessions and scenario testing with executive accountable persons to assess the allocation of accountabilities.
Consistent with the guidance in APRA’s Information Paper, the large ADIs all aimed to maximise individual accountability and limit joint accountabilities. The ADIs found that this was most challenging in the areas of information technology and operations. While CBA and NAB had been able to delineate accountability for information technology between business and technology functions, ANZ had not completely resolved this at the time of the review.
While collective accountability is not defined in the BEAR, the CBA Prudential Inquiry identified that this concept forms part of a mature approach to strengthening accountability within an ADI. For example, CBA and ANZ accountable persons had discussed scenarios where all executive accountable persons would be held collectively accountable, even where an incident occurs outside an individual area of accountability.”
[2]
Information Paper: Implementing the Banking Executive Accountability Regime, 17 October 2018

Case Study 2: Changes to CBA’s accountability statements to strengthen the ‘voice of risk’

The CBA Prudential Inquiry found that the ‘voice of risk’, particularly in relation to nonfinancial risk, had been diluted and did not provide a sufficient counterweight to the ‘voice of finance’ in ensuring sound risk and compliance outcomes. The Prudential Inquiry also noted that CBA had introduced a remediation program to address this, which included developing Group-wide principles describing the roles and responsibilities across the three lines of defence, and included restructuring individual business areas (e.g. retail banking services) to clarify the roles and responsibilities of the first and second lines of defence.
CBA also made changes to its CRO’s accountability statement, to strengthen the ‘voice of risk’ and to clarify that they are accountable for ‘approving or accepting the effectiveness of the Group’s Line 1 teams’ identification and mitigation of risks and providing Line 2 assurance over that effectiveness’.
A CBA accountable person explained these words were chosen to ‘create a sense of tension’ between Line 1 and 2 and noted that ‘review and challenge is a waste of time if it does not produce an outcome’.

3.2.2 Ongoing due diligence

The large ADIs had developed due diligence processes to maintain the accuracy of accountability statements over time, with better practices including:
  • centralised BEAR functions regularly checking in with accountable persons to confirm that statements remain accurate;
  • periodic review of individual accountability statements;
  • use of triggers, such as organisational change announcements, to update accountability statements; and
  • centralised BEAR functions monitoring human resource reporting and systems to check the accuracy of accountability statements.

3.2.3 Scenario testing

Although all the large ADIs used scenario testing and workshops prior to the BEAR taking effect, only NAB maintained scenario testing on a regular basis. Better practice could include conducting periodic scenario testing for executive accountable persons, and for directors, to ensure accountabilities accurately reflect evolving business operations and changes in accountable persons.
Scenario testing can facilitate a deeper understanding of accountability by examining where points of handover, gaps or overlap occur, exploring the interaction between product, consumer and operational functions and reviewing how accountability for third party providers has been assigned.
Executive accountable persons may also benefit from cascading scenario testing to direct reports to test and clarify accountabilities at an operational level.

3.2.4 Accountable person handover

All the large ADIs had experienced accountable persons turnover since the commencement of the BEAR. The review found that there were adequate formal handover processes in place to manage permanent changes or temporary arrangements at the director and executive accountable person level and to be able to meet the notification requirements.
ANZ demonstrated better practice by developing a checklist to assist accountable persons in identifying key pieces of information to include in their handover, such as relevant stakeholders to be engaged, relevant papers and documents (e.g. policies, charters), recent audits and risk assessments, financial performance and upcoming projects.

Chapter 4 - Delivering on accountability

4.1 Key feedback provided to the large ADIs in June 2020

To effectively meet their obligations under the BEAR, ADIs could benefit from establishing frameworks that support accountable persons and monitoring the range of practices accountable persons are using to meet their obligations through periodic reporting.
Executive accountable persons could consider how to more deliberately align their actions and associated records with the ADI’s expectations about what actions to take, including what constitutes reasonable steps, to deliver accountability obligations. This process could be supported by routine monitoring and assurance to inform the ADI about actions taken.
The scope of APRA’s review aimed to draw out the range of actions that the large ADIs or accountable persons had taken to deliver on accountability obligations, but did not provide the ADIs with a maturity rating on this topic. ADIs and accountable persons should be satisfied with their approaches to delivering on accountability, and be able to demonstrate the reasonable steps taken should risk issues materialise.

4.2 Detailed observations

Section 37CB of the Act provides a non-exhaustive range of actions that could comprise the reasonable steps of an ADI or accountable person, including establishing appropriate governance arrangements and effectively delegating responsibilities.
Examples of key actions taken by the large ADIs in practice included:
  • Frameworks: the ADIs had developed frameworks to support accountable persons to discharge their accountabilities;
  • Distributed responsibilities: accountable persons had formally distributed tailored responsibilities to direct reports; and
  • Demonstrated practices: accountable persons had demonstrated reasonable steps by taking and recording a range of actions that reflect their executive style.

4.2.1 Accountability obligations on an ADI

Frameworks

The large ADIs had established principles-based frameworks to inform the actions taken by executive accountable persons to fulfil their obligations. This included providing examples of what could constitute an accountable person fulfilling their obligations, such as: adequately resourcing business units and support functions; clearly delegating accountability; and establishing governance arrangements to oversee the business.
CBA and NAB went further than ANZ in developing tools and resources to establish a degree of standardisation in how practices could be demonstrated by executive accountable persons.
Better practice included the centralised BEAR function sharing examples of the reasonable steps taken by executive accountable persons to raise awareness about the range of practices. Although there will be divergence in practices, it is important that an ADI monitors the reasonable steps being taken and understands how they align with the ADI’s expectations.
Over time, ADIs could develop periodic reports that empower the board on behalf of the ADI to challenge the actions being taken by accountable persons to fulfil their obligations.

4.2.2 Accountability obligations of an accountable person

Distributed responsibilities

APRA observed that it was common practice responsibilities for executive accountable persons to cascade formally aspects of their responsibilities to direct reports. Two different approaches were adopted by the ADIs in the review as outlined in Figure 3.

Figure 3. Cascading

Better practice could involve combining the more rigorous aspects of approaches 1 and 2. This would involve tailoring responsibilities to direct reports and directly integrating this in the performance management framework. It is in the ADIs’ interests to ensure that the approach adopted is sustainable in that it accurately reflects the direct report’s span of control and is applied consistently across accountable persons.

Demonstrated practices

APRA’s interviews with accountable persons identified different approaches and degrees of intensity used to demonstrate reasonable steps. APRA is not providing a view on which approach accountable persons should adopt and Case Study 3 on the next page summarises the range of practices observed. This reflects variances in style across executive accountable persons.
APRA heard from executive accountable persons of a greater focus on documentation as a result of the BEAR with one executive noting ‘(I’m) more conscious of ensuring what’s documented, what’s evidenced. I make sure I’m on record of asking them to go through and follow up on certain items.’ However, some executive accountable persons also noted that there can be practical limitations to documenting reasonable steps and that their approach needs to balance the ability to make quick decisions and the depth of supporting documentation.

Chapter 5 - Consequence management

5.1 Key feedback provided to the large ADIs in June 2020

An integrated consequence management and remuneration framework is central to reinforcing accountability obligations, including through variable remuneration decisions.
The BEAR requires an ADI to have a remuneration policy in force that requires that variable remuneration be proportionally reduced to reflect a failure in an accountable person to fulfil their obligations under section 37CA of the Act. APRA expects this alignment between accountability and consequence management to be further strengthened through the introduction of Prudential Standard CPS 511 Remuneration.
[3]
APRA released an updated prudential standard for remuneration for a second round of consultation in November 2020. See https://www.apra.gov.au/consultation-on-remuneration-requirements-for-all-apra-regulated-entities

5.1.1 Maturity of approach across the large ADIs, as at February 2020

APRA found varying levels of maturity across the large ADIs’ breach and consequence management frameworks for administering the BEAR, with differences in design, operating effectiveness, and independence.
CBA had more developed consequence management frameworks and was able to clearly explain how this applied to executive accountable persons. Relative to CBA, NAB’s framework lacked detail and processes to fully ensure consistency in process and outcome, and ANZ’s bottom-up process to assess accountability of executives for significant risk issues was considered to be overly complex.

5.2 Detailed observations

Better practices observed for breach and consequence management included:
  • Breach identification: practically defining a breach to inform consequence management decisions;
  • Escalation and assessment: defining escalation process to ensure that decision-makers were provided with timely information relating to breaches;
  • Investigation: clear principles-based processes to inform the decision to launch an investigation, including criteria to engage external parties to assist with the investigation; and
  • Consequence management: defining processes and guidelines detailing the consequences an ADI could apply to respond to incidents across a spectrum of severities.

5.2.1 Breach identification

Clear and effective breach identification processes help to reduce delays in identifying risk incidents, which was raised as a concern in the CBA Prudential Inquiry, and is common in large and complex ADIs.
CBA had the most well-defined breach identification process of the three large ADIs. CBA provided detailed guidance for identifying a breach, supported by quantitative thresholds (such as the scale of customer impact), and qualitative thresholds (such as lack of due diligence). CBA’s centralised BEAR function was empowered to obtain information from a range of sources on potential breaches of the BEAR (e.g. risk and internal reports) to complement self-reporting by accountable persons. In contrast, the other large ADIs provided only high-level guidance and described their breach definitions as ‘a work in progress’.

5.2.2 Escalation and assessment

Once a potential breach has been identified, the large ADIs would assess the nature and severity of the incident. CBA and ANZ’s processes included guidance to assess a potential breach, such as model questions to assess severity by looking at the scale of financial or customer impact, accountable person due diligence and reputational impacts for the ADI.
The large ADIs had a range of practices for escalating potential breaches of the BEAR for assessment. For example, CBA had made the most significant investment in staff capability and processes to ensure an independent assessment of potential breaches of the BEAR. In contrast, ANZ’s escalation process could create challenges in terms of actual or perceived conflicts of interest, as potential breaches were discussed initially at divisional consequence management forums that were chaired by executive accountable persons.

5.2.3 Investigation

Effective investigation processes would be expected to be robust and impartial. While a formal investigation is not always required to assess the significance of a potential breach, a mature framework would set clear parameters on when such investigations are warranted, and be supported by a sufficiently robust decision-making process. This could be achieved through the establishment of explicit protocols to access appropriate legal counsel, as potential breaches may result in enforcement and administrative actions.

Table 2. Elements of the large ADIs’ investigation processes, as at February 2020

 
Requesting party for investigation
Approval of investigation
External legal counsel involvement in investigation
Decision maker on outcome
ANZ
Legal Counsel
First panel of select NEDs and Executives
Optional
Second panel of select NEDs and Executives
CBA
Committee of
DCEO, Legal,
CRO, and CEO's
office
CEO (or Board Chair if a CEO matter)
Optional
Panel of NEDs
NAB
BEAR Central Team
CRO
Optional
Board Risk Committee or full board

5.2.4 Consequence management

A key part of the BEAR is requiring variable remuneration to be proportionally reduced to reflect a failure in an accountable person fulfilling their obligations. A robust framework would clearly outline the potential consequences of accountable persons failing to meet their obligations, and promote the alignment between risk and remuneration outcomes.
CBA had the most developed consequence management framework, providing detailed guidance on variable remuneration adjustments to decision-makers, correlated against a range of risk outcomes, including worked examples with impacts on multi-year deferred remuneration. Better practice would involve ADIs demonstrating how they have used the framework in practice to drive the intended risk behaviours and outcomes.

Chapter 6 - BEAR for non-executive directors

6.1 Thematic observations from the review

The BEAR imposes additional individual accountability obligations on directors to provide oversight of the ADI as a member of the board. These obligations complement but do not replace directors’ duties under the Corporations Act 2001.
Non-executive accountable persons could reflect on whether the ADI’s governance arrangements and their individual practices enable them to demonstrate how they and the ADI are meeting their accountability obligations. The board performance assessment may be a useful tool to demonstrate that BEAR obligations are being met.
APRA’s review aimed to gather insights from individual directors on their perspective of the impact of the BEAR on board practices. APRA’s review did not focus on the design or effectiveness of the ADI’s overall board practices. This chapter does not include entityspecific observations about individual boards or directors.

6.2 Detailed observations

Examples of actions taken by directors to meet the individual accountability obligations of the BEAR, in the context of established corporate governance processes, are summarised below. Figure 4. Examples of actions taken by directors to meet accountability obligations

6.2.1 Understanding

The board and individual directors play a critical role in embedding principles of accountability in an ADI by setting a tone from the top that embraces the heightened obligations, which is cascaded to executive accountable persons. Better practice would include individual directors taking the time to understand the intent of the BEAR to drive the expected outcomes of the regime. As expressed by a director ‘the BEAR states basic obligations but not how to execute. It’s up to me to choose to execute in different ways.’

6.2.2 Preparing and participating

To discharge effectively their accountability obligations, the board and individual directors would typically need to prepare and participate in meetings, beyond reading board papers and attending board and committee meetings. Better practice would include directors playing an active role in contributing to the decisions of the board and challenging management.
The directors interviewed generally relied on existing preparation practices to fulfil BEAR obligations. A director explained their individual preparatory practices are to ‘read and interrogate board papers, join the dots and investigate inconsistencies’, and at the board level, the board ‘looks at other data sources and keeps our outside knowledge current. We undertake deep dives and immersive activities such as visiting actual business locations.’
APRA was advised that the BEAR had been used by directors to drive more active participation at the board level, including asking sharper questions of management and pushing for more comprehensive responses. Multiple directors reported that the board had been more engaged and more meaningfully challenging management, with one director reflecting that the BEAR ‘sharpened our ability to question who is responsible, gave permission to directors to cut to the chase when there was an airy-fairy response given to something and it made it easy for a director to ask management directly who is the BEAR accountable executive and what did they do.’
Better practice would involve ADIs considering how board reporting and papers support director participation and challenge of management, including identifying relevant accountable persons for different areas of decision or action.

6.2.3 Recording

The majority of directors continued to rely on board and committee meeting minutes as the primary documents to record how they have discharged their accountability obligations. A minority of directors utilised a range of additional formal and informal records, such as confirming key decisions and discussions via email and maintaining their own personal records. The board performance assessment may also provide a way for the board and individual directors to demonstrate how they have fulfilled their accountability obligations.

Chapter 7 - Supervisory application

7.1 Insights from international peer regulators

The BEAR shares a number of attributes with other leading international accountability regimes, such as the UK’s Senior Manager and Certification Regime and Hong Kong’s Manager-In-Charge measures. These regimes were introduced in 2016 and 2017 respectively, and have been developed and embedded over time, to drive greater maturity of individual accountability within entities and to be increasingly integrated into the respective regulators’ ongoing supervisory approaches.
Peer regulators primarily aim to use accountability regimes to clarify accountability for risks and issues, and to sharpen entities’ and individuals’ focus on addressing key risks in a timely manner. They also retain the ability to take enforcement action if necessary, and penalties have been increasingly applied to entities and individuals over time, including public censure, financial penalties and disqualification. APRA continues to engage with domestic and international regulators to share insights from the implementation of accountability regimes.

7.2 APRA’s supervisory approach

APRA is focused on enhancing risk-based, forward-looking supervision to deliver a range of community outcomes, including transforming GCRA across all regulated entities.
APRA has significantly uplifted its capability in supervising and enforcing better accountability practices. This includes delivering accountability training to supervisors, integrating the regime into ongoing prudential engagements, and completing a thematic review of the implementation of the BEAR to inform the industry of better practices.
APRA will increasingly embed the use of the BEAR into its day-to-day supervisory activities and risk-based prudential reviews, as summarised in Figure 5 below.

Figure 5. Range of supervisory approaches available to APRA to use the BEAR

Consistent with international peers, APRA primarily aims to use the BEAR in its day to day supervision, to influence preventative or remedial action to be taken by entities and accountable persons well before they pose a threat to an ADI’s financial viability. In particular, where APRA identifies risks or issues in its prudential engagements, it will expect these risks to be assigned to specific accountable persons and to receive updates from these accountable persons on actions and progress made. APRA has observed that the implementation of the BEAR has already helped to motivate ADIs and accountable persons to take remedial action across a range of APRA’s supervisory priorities, including the examples provided in Case Study 4.
However, where these activities are not producing the expected outcomes, APRA will escalate these issues to the ADI board to ensure accountable persons are delivering on their obligations. The BEAR requires variable remuneration to be proportionally reduced to reflect a failure in an accountable person to fulfil their obligations, and APRA expects this alignment between accountability and consequence management to be further strengthened through Prudential Standard CPS 511 Remuneration.
APRA is also prepared to be constructively tough and to use formal enforcement actions, including using the penalties provided under the BEAR, should circumstances warrant it.

Case Study 4: Examples of supervisory actions taken by APRA

Major bank residential mortgages prudential review: In 2018, APRA completed a comprehensive review of residential mortgage risk management across the major banks. APRA required each of the banks to develop a remediation plan to strengthen the banks’ mortgage risk management framework. To ensure that there was sufficient senior executive focus and traction, APRA requested each of the banks to nominate accountable person(s) for the development and implementation of the plan.
CBA Remedial Action Plan (RAP): The Prudential Inquiry recommendations set an expectation that the accountability principles specified in its report be incorporated within the BEAR statements and that clear accountability be set for the delivery of the remediation initiatives. CBA updated its accountability statements accordingly and clarified that the CEO is accountable for ‘overseeing the risk and compliance management and control of the Group including… delivery of the Remedial Action Plan’. In addition, 30 per cent of the CEO’s short-term variable remuneration in 2020 was based on progress towards implementing the RAP.
WBC failure to meet legal reporting requirements: In 2019, APRA issued infringement notices on WBC and two of its subsidiaries for failing to meet their legal obligation toreport data to APRA. APRA requested WBC to clarify the accountable person responsible for this breach and to take action to address this issue.
WBC Court Enforceable Undertaking (CEU): In 2020, APRA agreed to a CEU from WBC pledging to address its risk governance deficiencies and to prepare a written integrated remediation plan. In the CEU, WBC undertakes to make changes to the accountability statements of relevant accountable persons to reflect accountability for completion of remediation activities, and to give significant weight to the completion of these activities in remuneration scorecards for relevant staff.

Attachment A: Review approach

A.1. Overview of review approach

APRA included ANZ, CBA and NAB in the thematic review because the BEAR was implemented one year earlier for large ADIs than for other ADIs. WBC was excluded from this review due to an ongoing investigation into potential breaches of the Act. The onsite sessions of the review took place between December 2019 and February 2020.
A cross divisional project team of frontline supervisors and risk specialists was established to conduct the review in collaboration with the responsible supervisors of the ADIs.
The preparation and release of this paper was delayed by six months due to COVID-19. Due to this delay, APRA prepared a summary of the key actions that the ADIs have taken since the review, or committed to take, to address the feedback they were provided. This is included in Attachment B. ADIs were provided with one week to provide feedback on factual errors on a redacted version of the Information Paper and its attachments, prior to release.

A.2. Pre-review

APRA requested detailed documentation from the ADIs, including a self-assessment of implementation of the BEAR, internal policies and procedures to implement the BEAR, and independent reports available to assess the implementation of the BEAR. APRA’s letters to ADIs advised that observations from this review may be reflected in an Information Paper.
Importantly, APRA’s approach to the design of this review was not intended to test the large ADIs compliance with the BEAR, provide guidance to accountable persons on the adequacy of reasonable steps, or investigate potential breaches of the BEAR.

A.3. Onsite review

The formal sessions for each ADI took place over one and half days with representatives from the ADIs. APRA also had a closed session with senior internal audit staff at each ADI. The formal sessions were complemented by one-hour interviews with four executive and two nonexecutive accountable persons at each ADI. During these interviews, APRA inquired about the accountable person’s view of the impact of the BEAR, perspective on their accountability obligations, and approach to delivering their obligations. APRA also presented executive accountable persons with a hypothetical case study to understand individual perspectives on how accountability would be allocated in specific circumstances.

A.4. Post review assessment

APRA assessed each of the ADIs approach to implementation of the BEAR and identified thematic and ADI-specific observations. A formal feedback meeting was held with each ADI following the final onsite engagements. This was followed by a formal letter in June 2020.

Attachment B: ADI commitments to address feedback, as at December 2020

APRA prepared a summary of the key actions that the ADIs have taken since the review, or committed to take, to address the feedback they were provided in this review below. The ADIs reviewed the factual accuracy of these commitments ahead of publication.
APRA will assess the effectiveness of the actions and their outcomes, and continue to engage with the ADIs on progress made through its ongoing supervisory activities.
ANZ’s commitments, as at December 2020
Support for BEAR
Complete
  • Centralised BEAR function resources have increased by one FTE and recruitment is underway for another resource.
In progress
  • Formalising a ‘BEAR Governance Forum’ to meet every quarter. This will aim to share best practices and promote greater consistency of approach by accountable persons to demonstrate reasonable steps taken to meet their BEAR obligations.
Defining accountability
Complete
  • Agreed an end-to-end ownership model for technology assets.
  • Completed a cyber scenario exercise with accountable persons and relevant teams to test roles and responsibilities in a major incident.
In progress
  • Enhancing its programme of scenario analysis for directors and executive accountable persons. This will include scenarios on technology, operations and will consider handover points between its business and technology functions.
Delivering accountability
Completed
  • Designed an enhanced approach to cascading executive accountable persons’ responsibilities to direct reports in a tailored manner, and describing accountability practices taken by the accountable persons to deliver on their BEAR obligations.
In progress
  • Piloting the enhanced approach described above.
  • Developing enhanced guidance and support for accountable persons on delivering reasonable steps.
Consequence management
Complete
  • Updated the processes used to investigate accountability for potential BEAR and non-BEAR breaches, to reduce the potential for conflicts of interest.
In progress
  • Plans to review relevant policies to simplify its process where appropriate.
CBA’s commitments, as at December 2020
Support for BEAR
Complete
  • Centralised BEAR function resources have increased by two FTE.
  • Created an ‘accountability hub’ as a central repository for accountabilityrelated guidance, templates and resources, and enhanced training for roles supporting or reporting to accountable persons.
In progress
  • Piloted periodic monitoring through a ‘deep dive’ of the reasonable steps framework of an accountable person, and plans to expand this to other accountable persons in 2021.
Defining accountability
Complete
  • Completed a scenario testing workshop with a group of executive accountable persons and relevant direct reports.
  • Completed a holistic review across accountability statements.
In progress
  • Plans to conduct separate scenario testing with the CBA board in 2021 with testing for all accountable persons and key direct reports to follow on a periodic basis.
Delivering accountability
Complete
• Updated BEAR policies and procedures, including to require executive accountable persons to use documentation to show how responsibilities have been cascaded to the next two layers of management.
Consequence management
Complete
• Expanded the composition of the group committee that requests a formal investigation into potential BEAR breaches by including an additional business unit group executive. The specific executive will rotate periodically and aims to broaden the committee’s perspective and ensure a quorum is maintained in the event of a conflict of interest.
NAB’s commitments, as at December 2020
Support for BEAR
Complete
  • Centralised BEAR function resources have increased by two FTE and recruitment is underway for a further one FTE.
In progress
  • Plans to review and update its approach to conducting assurance on the implementation of the BEAR in 2021.
Defining accountability
Complete
  • Implemented a customer-centric organisational structure with clearer endto-end accountabilities.
In progress
  • Plans to enhance its approach to scenario analysis, and to start conducting targeted scenario testing with executives that directly report to accountable persons in 2021.
Delivering accountability
In progress
• Plans to review its existing process for accountable persons to delegate responsibilities to direct reports to identify potential improvements in 2021.
Consequence management
Complete
  • Implemented changes to improve its capabilities to monitor information sources, assess matters for potential BEAR breaches, and to track BEAR matters of interest.
  • Developed more detailed guidance and tools to support the assessment of potential BEAR breaches.