Remediation Round-Up: Dealing with regulators

This article is a part of our Remediation Round-Up series which explores potential issues for financial services licensees when conducting remediation and ways to optimise the design of remediation programs.

Issues to consider

• When considering breach reporting to regulators, what are your potential obligations to remediate affected clients and how will you involve the regulators in a potential remediation program?
• Is there likely to be resistance from the regulators against the proposed approach to remediation and, if so, should an independent legal opinion be obtained?
• How will proposed reforms to ASIC’s directions power and the introduction of FAR need to be addressed within your organisation?

Regulators

The key regulators that financial services licensees must deal with in relation to client remediation programs are ASIC and APRA (where the licensee is APRA-regulated, for instance, if they are a trustee of a super fund). It is very important that regulators are brought on board and consulted about a significant remediation program.

Breach report

A remediation program will generally follow a licensee’s breach report to ASIC or APRA. The breach report may detail, at a high level, the actual or potential financial loss to clients. For the purposes of remediating clients, however, the loss to each affected client should be calculated as part of the remediation program and use an appropriate methodology. The analysis for the purpose of breach reporting may form a basis for those more detailed.

The question of whether remediation is in order may be raised by ASIC or APRA after receiving a breach report that details actual or likely client loss, but in practice many licensees consider remediation in the lead up to the breach report and as part of their internal review of the matter given that remediation prior to the breach report may influence the ‘significance’ of a breach. In some circumstances the regulators will expressly request or require a licensee to remediate clients.

Regulatory risk

When interacting with ASIC or APRA in relation to breach reporting and remediation, regulatory risk should be front of mind for any licensee.

Regulatory risk is the risk of adverse outcomes that may be experienced by a licensee not merely from breaches of law but from the regulator taking issue with a licensee’s conduct or interpretation of law.

Regulatory risk most usually takes its form in the following respects:

• the regulator disagrees with a particular legal interpretation taken by the licensee;
• the regulator focuses on criteria beyond the legal position, such as consumer outcomes or community expectations;
• the regulator seeks to enforce its particular expectation of licensee conduct, regardless of the actual legal position; and
• reputational risk which may be experienced by the licensee where the regulator publicly announces that it is investigating the licensee’s conduct.

There are a number of tools available to licensees to minimise regulatory risk when faced with the daunting prospect of informing ASIC or APRA of a breach of law and a proposed approach to remediation.

Perhaps the most important tool is the ability for the licensee to obtain an independent legal opinion setting out a clear interpretation of the relevant law, a strong opinion on whether there has been a breach, and a well thought-through recommendation for how the licensee should deal with any breach. This legal opinion could be obtained from financial services specialist lawyers, and where the interpretation of the law might differ from the regulator’s, with sign-off or separate opinion from a senior barrister.

Even where a regulator seeks to enforce conduct beyond the true legal requirements, having a strong view of the legal position which, if the licensee wishes to waive privilege, may be shared with the regulator, helps to even the power disparity and may be utilised in future negotiations between the regulator and licensee.

Proposed Reforms

The reforms recommended by the Royal Commission include a new ASIC directions power which will allow ASIC to issue a direction to a financial services licensee, where ASIC has reason to suspect that the licensee is in breach or has breached a financial services law, to:

• assess the extent of the contravention;
• identify persons who have suffered loss or damage as a result of the contravention; and
• establish and implement a specified program to compensate those persons.

This proposed power may be used, for instance, where a licensee has submitted a breach report but fails to satisfy ASIC that it will implement an appropriate remediation program in respect of the breach. This power, when enacted, will remain in the background of any interaction with the regulators concerning breaches of financial services laws.

Also note that a licensee may report misconduct by another licensee, and this may form the basis of ASIC’s suspicion of a breach. Proactive engagement with the regulators about breaches will therefore become even more necessary after the implementation of these reforms.

Financial Accountability Regime implications

In January 2020, Treasury released a consultation paper on a regime to extend the Banking Executive Accountability Regime to all APRA-regulated entities, called the Financial Accountability Regime, or ‘FAR’. In the consultation paper, Treasury proposed to introduce an end-to-end product responsibility as part of the responsibilities prescribed to senior executives, and that this responsibility could include any customer remediation in respect of the relevant product or product group. More importantly, the consultation paper proposes to designate particular responsibility for management of client or member remediation programs, which will mean that accountability failures in such programs will have consequences for the senior executive who was responsible for them.