APG 520 Fit and Proper

The Fit and Proper Policy of a regulated institution assists it in prudently managing the risk that responsible persons are not fit and proper. It will form a part of the institution’s broader risk management system.

A Fit and Proper Policy may be developed and implemented as a group policy provided the regulated institution meets the requirements of APS 520, including paragraph 4 of that standard.

A regulated institution may consider extending its assessment process for fitness and propriety to a wider range of persons than is required under APS 520. The assessment process for responsible persons under the Fit and Proper Policy could be adapted for this purpose.

The responsible persons of a regulated institution are those persons whose conduct is most likely to have a significant impact on its sound and prudent management. For a locally-incorporated ADI or an authorised NOHC these persons generally comprise directors, senior managers, auditors and persons who perform certain functions in relation to subsidiaries. For a foreign ADI as defined in subsection 5(1) of the Banking Act 1959 (the Act) the responsible persons generally comprise senior managers of the Australian operations who are ordinarily resident in Australia, auditors, and persons ordinarily resident in Australia who perform certain functions in relation to subsidiaries.

Under APS 520, consideration of whether a particular individual is a responsible person takes into account the person’s functions and duties and not simply their position title. In the case of a regulated institution with subsidiaries, consideration also takes into account whether the conduct of persons in the subsidiaries could materially damage the regulated institution.

APRA envisages that, for ADIs that are not foreign ADIs, senior managers will include managers reporting directly to the Chief Executive Officer and those responsible for key aspects of risk management. Ordinarily, persons other than these would be unlikely to meet the definition of senior manager.

For foreign ADIs, senior managers will include the key people resident in Australia. The number of senior managers within a foreign ADI will depend on the scale of its operations.

The application of certain provisions of APS 520 is limited to people who are ordinarily resident in Australia. As a guide, a person might be considered ordinarily resident if they are likely to be in Australia for a majority of days in any 12-month period.

APRA envisages that only a limited number of the most senior people within a subsidiary would perform activities that have the ability to materially impact on the business or financial standing of the regulated institution for the purposes of subparagraphs 8(d) or 9(c) of APS 520. It may be the case that no person in a given subsidiary meets this criterion.

A regulated institution may seek guidance from APRA if it is unsure whether a particular person meets the definition of a responsible person.

Under paragraph 12 of APS 520, APRA has the power to determine that additional persons are responsible persons. APRA does not expect that it would routinely use this power or use it to substantially increase the scope of the Prudential Standard. APRA will consult with a regulated institution before making a determination.

Under APS 520 the skills and experience required by each responsible person depends on the person’s role. This, in turn, is affected by the role undertaken by other responsible persons. For example, a director is generally expected to understand the role and responsibilities of a director and have a general knowledge of the institution, its business and its regulatory environment. However, each director is not generally expected to have all the competencies that the Board collectively needs if other directors have those competencies or they are obtained from external consultants or experts.

APS 520 requires that, under its Fit and Proper Policy, a regulated institution will consider the nature and extent of a number of matters in conducting fit and proper assessments. Such matters ordinarily include, when relevant:

the person’s character, competence and experience relative to the duties involved, including whether the person:

possesses the necessary skills, knowledge, expertise, diligence and soundness of judgement to undertake and fulfil the particular duties and responsibilities of the role in question; and

has demonstrated the appropriate competence and integrity in fulfilling occupational, managerial or professional responsibilities previously and/or in the conduct of his or her current duties; and

whether the person:

has demonstrated a lack of willingness to comply with legal obligations, regulatory requirements or professional standards, or been obstructive, misleading or untruthful in dealing with regulatory bodies or a court;

has breached a fiduciary obligation;

has perpetrated or participated in negligent, deceitful, or otherwise discreditable business or professional practices;

has been reprimanded, or disqualified, or removed, by a professional or regulatory body in relation to matters relating to the person’s honesty, integrity or business conduct;

has seriously or persistently failed to manage personal debts or financial affairs satisfactorily in circumstances where such failure caused loss to others;

has been substantially involved in the management of a business or company which has failed, where that failure has been occasioned in part by deficiencies in that management;

is of bad repute in any business or financial community or any market; or

was the subject of civil or criminal proceedings or enforcement action, in relation to the management of an entity, or commercial or professional activities, which were determined adversely to the person (including by the person consenting to an order or direction, or giving an undertaking, not to engage in unlawful or improper conduct) and which reflected adversely on the person’s competence, diligence, judgement, honesty or integrity.

Conduct and events that took place overseas may also be relevant to the assessment.

When documenting the competencies required for each responsible person position, a regulated institution might consider documenting any training or induction processes required for each position, on appointment to the position and on an ongoing basis.

APS 520 defines responsible auditors as those auditors who provide any report required to be prepared by an auditor under the Act or Prudential Standards, or Reporting Standards made under the Financial Sector (Collection of Data) Act 2001. The requirements applying to responsible auditors under APS 520 apply only to an auditor who provides these reports. The provisions applying to responsible auditors do not apply to auditors more generally or to those auditors who are responsible persons for other reasons.

The additional criteria require certain levels of experience. This may include experience with banking businesses outside Australia. In such cases, the regulated institution will need to consider the extent to which the person can demonstrate competency that relates specifically to Australian conditions, including Australia’s prudential and regulatory requirements.

The fit and proper criteria in APS 520 require the regulated institution to assess whether responsible persons meet certain requirements. If insufficient information is available to enable the regulated institution to prudently conclude that those requirements are met, particularly as a result of lack of cooperation by the person, the criteria are not met.

APRA does not require a regulated institution to necessarily bar or remove a person from a responsible person position solely on the basis that one of the matters listed at paragraph 13 has occurred. Depending on the circumstances, a listed matter may not be relevant to that assessment. Where a matter is relevant,the regulated institution may consider it in conjunction with other relevant matters such as materiality, elapsed time since the event, and repetition or duration of the behaviour. APS 520 requires a regulated institution to apply prudent judgement in determining whether the person could be considered fit and proper for the responsible person position.

A person may be assessed as unfit for a particular responsible person position because of a lack of competence for that position or because of a conflict of interest that applies to the duties of that position. However, the person may still be fit and proper for another responsible person position because the competencies or conflicts were specific to the position. However, where a person is found to be not fit and proper due to a lack of character, diligence, honesty, integrity or judgement, that person will normally not be suitable for any responsible person position.

When assessing a person’s fitness and propriety, a regulated institution need not make enquiries about a matter that is unlikely to be material. A regulated institution will need to weigh the burden of documenting information and the risk of unnecessary disclosure of personal information with the possibility that this information might be material.

An annual performance review will typically be the appropriate time for the annual assessment of a responsible person’s fitness and propriety. However, if material information adverse to the assessment becomes known to an institution during the year, APS 520 requires that steps be taken without waiting for the annual performance review.

The Fit and Proper Policy may require persons to provide attestations relating to some or all of the matters required to be considered as part of a fit and proper assessment and specified at paragraph 13.

For a new appointment to a responsible person position, attestations or representations may assist in satisfying the requirement to make reasonable enquiries under paragraph 29 of APS 520. However, APRA does not envisage that attestations and representations would be sufficient for a regulated institution to fully satisfy itself of a responsible person’s fitness and propriety on initial assessment. An initial assessment is likely to at least include Australian criminal record checks, as well as evidence of material qualifications.

Attestations or representations may be appropriate for interim appointments. If an attestation is later discovered to have been given in the knowledge that it was false, this will very likely indicate that the person should be removed. If a regulated institution appoints a person to a responsible position without an assessment and it is later discovered that the person was disqualified under the Act from holding the position, both the person and the regulated institution may commit an offence under the Act.

Attestations and representations covering the matters in paragraph 13 would generally be sufficient for an annual review of a responsible person’s fitness and propriety. However, these representations may not be conclusive e.g. if a person responsible for making the assessment becomes aware of any material matter not previously identified or considered.

For an auditor that is a responsible person, representations from a firm of which the auditor is a member may assist in assessing fitness and propriety.

In making an assessment under its Fit and Proper Policy, a regulated institution may consider, where prudent, taking into account other assessments of fitness and propriety or information collected for such assessments. In determining the weight to be given to other assessments, the regulated institution will ordinarily have regard to the time elapsed since the assessment was made and whether the criteria applied were comparable and relevant. In considering whether it would be prudent to take into account previously collected information, a regulated institution will ordinarily consider whether the information remains current. It is likely that such information would substitute for some, but not all, of the enquiries necessary for the institution’s own fit and proper assessment.

For example, for those responsible persons who are responsible officers of the holder of an Australian Financial Services Licence, relevant information may have been gathered during the licensing process and this information may be taken into account if the regulated institution believes that the information remains current.

Information gathered in support of an application for registration as a company auditor may assist a regulated institution in determining fitness and propriety of a responsible auditor. The Australian Securities & Investments Commission’s assessment of the fitness and propriety of a company auditor may be taken into account in a regulated institution’s own assessment of the responsible auditor’s fitness and propriety.

Where a regulated institution becomes aware of information that could lead to an assessment that a person is not fit and proper, taking reasonable steps as required under APS 520 will generally include providing the person with a fair opportunity to put matters to the institution.

Regulated institutions have obligations under the Privacy Act 1988 (Privacy Act) relating to how they collect and use information about responsible persons. The obligations include informing responsible persons that information will be collected about them and the ways which the information may be used and disclosed. Regulated institutions may need to take steps to ensure compliance with the Privacy Act such as with National Privacy Principles 1.3 and 1.5 in Schedule 1.

In some instances a regulated institution may have information about a person that has not been collected for assessing fitness and propriety. Where this information is relevant, APS 520 may require the use of that information for assessing fitness and propriety. The Privacy Act includes exemptions from the National Privacy Principles for conduct required by law, such as the requirement of the Act to comply with Prudential Standards. Where relevant, a regulated institution may consider seeking its own legal advice on these issues.

As a law of the Commonwealth, APS 520 may override inconsistent State and Territory laws, if those laws are incapable of operating concurrently with APS 520. For example, it may be necessary to read down a State law relating to employment where there is apparent inconsistency with APS 520, but where the position is unclear legal advice should be obtained. Accordingly, the Fit and Proper Policy of a regulated institution needs to meet the requirements of, and be implemented in a way that complies with, APS 520 in all respects, even if it would breach a contract or apparently conflict with another law (other than a law of the Commonwealth). This applies regardless of whether the contractual relationships are in place as envisaged by paragraph 35.

To assist in complying with its Fit and Proper Policy, a regulated institution may consider putting in place appropriate contractual or other relationships. This may include responsible persons agreeing:

to provide any assistance that the regulated institution needs, to obtain information for the implementation of its Fit and Proper Policy or APS 520, including giving consents and taking steps to ensure that any person providing information in good faith will not be made liable for providing that information; and

not to seek damages or any other remedy from the regulated institution for implementing its Fit and Proper Policy or seeking to do so in good faith.

It may be necessary to amend the constitution of a regulated institution to ensure directors take office under terms that enable the regulated institution to ensure compliance with its Fit and Proper Policy. APRA does not require a regulated institution to convene an extraordinary meeting of its members only to consider such an amendment. However, a regulated institution will still need to consider whether its constitution requires such a meeting.

The steps that a regulated institution takes to ensure that a person does not hold a responsible person position for which they are not fit and proper may include:

not appointing the person or terminating their engagement;

redefining the person’s responsibilities pending further enquiries by the regulated institution or until the person receives further training or experience; or

if there are no effective steps prudently available, taking steps to facilitate APRA independently considering the person’s fitness and propriety. This in itself would not satisfy the regulated institution’s obligations to notify APRA of information under APS 520.

APRA has powers under the Act to:

direct an ADI to remove its auditor;[1]

direct a locally incorporated ADI or an authorised NOHC to remove a director or senior manager of the ADI or authorised NOHC;[2]

direct a foreign ADI to remove a senior manager of its Australian operations;[3]

apply to the Federal Court of Australia to disqualify a person from being, or acting as, a director or senior manager or auditor of a locally incorporated ADI or authorised NOHC, or a senior manager of the Australian operations of a foreign ADI;[4] and

direct a regulated institution to remove a director, senior manager or auditor or ensure that any subsidiary of the regulated institution does so if APS 520 has not been complied with.[5]

APRA may give a direction of the kind referred to in paragraph 38(a) if APRA is satisfied that the person:

has failed to perform adequately and properly the functions and duties of the position of auditor as required under the Act or the prudential standards; or

does not meet one or more of the criteria for fitness and propriety in paragraphs 18 and 19 of APS 520; or

either:

is disqualified under section 21 of the Act from being or acting as an auditor of the ADI; or

is otherwise a disqualified person.[6]

APRA may give a direction of the kind referred to in paragraph 38 (b) and (c) if APRA is satisfied that the person:

either:

is disqualified under section 21 of the Act from being or acting as a director or senior manager of the ADI or NOHC; or

is otherwise a disqualified person; or

does not meet one or more of the criteria for fitness and propriety in paragraph 18 of APS 520.[7]

APRA may give a direction of the kind referred to in paragraph 38(e) if it considers that a circumstance of the kind set out in section 11CA of the Act exists or is likely to exist in relation to a regulated institution.

A person is also automatically disqualified in certain circumstances from being a director, senior manager or auditor of a locally incorporated ADI or authorised NOHC or a senior manager of the Australian operations of a foreign ADI.[8]

The Federal Court of Australia may, on application from APRA, disqualify a person referred to in paragraph 38(d) if it is satisfied that:

the person is not a fit and proper person to be or act as such a person; and

the disqualification is justified.[9]

A regulated institution is not excused from meeting its obligations under APS 520 on the basis that APRA has powers under the Act to direct the removal of a person. APRA expects institutions to take the action needed so that only a person who is fit and proper acts in a responsible person position.

APRA’s powers apply independently of a regulated institution’s powers and duties when a responsible person is not fit and proper. APRA is not required to wait until a regulated institution has considered whether a responsible person is fit and proper. However, APRA will generally consult with a regulated institution and will not normally act to remove a responsible person until the regulated institution has had sufficient time to complete its consideration.

If a person whom APRA considers is not fit and proper is not removed from holding a responsible person position by the institution, APRA will exercise its powers as appropriate. For example, APRA may use its powers if a regulated institution faces difficulties in removing a director who is not fit and proper.

When assessing whether a person is fit and proper for a particular responsible person position or more generally, APRA will consider, among other matters, the matters listed at paragraph 13 to the extent that they are relevant.

If a regulated institution considers that a responsible person is fit and proper for a responsible person position but APRA considers otherwise, APRA may notify the institution that APRA will exercise its powers if certain requirements are not satisfied. Requirements that may be applied include limits to the areas or activities in which the person can work, further training or specific reporting or other requirements that APRA believes are appropriate. In exceptional circumstances, APRA may exercise its powers without notification.

It is not necessary for a person to be a past, current or immediately prospective responsible person for APRA to consider that person’s fitness and propriety. In some circumstances, APRA will need to identify persons who are not fit and proper in order to ensure they are not able to hold responsible person positions in the future.

A person affected by a decision made by APRA referred to in paragraphs 38 (a)–(c) and (e) may request that APRA review that decision. If APRA confirms or varies the decision, or fails to revoke the decision within 21 days, the person affected by the decision may then make an application to the Administrative Appeals Tribunal.[10] The process for reconsideration and review is set out under Part VI of the Act.

Regulated institutions are required, under paragraphs 40 and 41 of APS 520, to provide certain information to APRA and ensure that this information remains current. To assist regulated institutions in complying with this requirement, APRA provides an annual form containing the most recent information provided to APRA regarding those in responsible person positions. The regulated institution can use this form to ensure that the information provided to APRA is correct. Information on this process, and a standard form, are available on APRA’s web site at www.apra.gov.au.

If a regulated institution believes that a person has information that is likely to be material to a fit and proper assessment that it has not been able to obtain, the regulated institution would be expected to discuss the matter with APRA.

The following are examples of information that APRA may require the regulated institution to obtain under paragraph 44 of APS 520:

specified information and documentation on any criminal record or civil finding and any prospective criminal or civil proceedings to which the person may be subject (the requirement to provide this information will be in accordance with Part VIIC of the Crimes Act 1914 (Crimes Act));[11]

specified information from law enforcement agencies, other regulators, current and former employers of the person, professional associations and others whom APRA believes may have relevant information; and

the reasons for the resignation, retirement or removal of a responsible person.

APRA may make other enquiries to enable it to assess the fitness and propriety of a responsible person.

If permitted by law, APRA may provide a regulated institution with information it obtains about the fitness and propriety of a responsible person. APRA does not expect that it would ordinarily provide information other than information that is publicly available, such as the disqualification register on the APRA web site.

In reference to paragraph 46 in APS 520, APRA will consider applications that candidly disclose all information that the regulated institution has, or can obtain by reasonable enquiry, that may be relevant to APRA’s consideration of the application.