HSBC chair Graham Bradley AM FAICD on APRA's Prudential Report into Commonwealth Bank's misconduct and the implications for financial institution directors.
The trust deficit
The report by the panel headed by former Australian Prudential Regulation Authority (APRA) chair Dr John Laker AO is the most compelling analysis of corporate governance at a major public company ever published. Indeed, its scope and public release are unprecedented. It will undoubtedly be influential in the approach and policies of corporate regulators around the world.
The report notes a succession of conduct and compliance issues at CBA, a major financial institution and a “financial icon”, stating that “CBA has fallen from grace”. The Australian Transaction Reports and Analysis Centre (Austrac) legal action (in June an agreement was reached on a $700m penalty to resolve Federal Court proceedings related to money laundering and counter-terrorism) was a recent high-profile example.
The report focuses on CBA’s management of non-financial risks (operational, compliance and conduct risks). It states that these risks were neither clearly understood nor owned, the frameworks for managing them were cumbersome and incomplete, and CBA’s leadership was slow to recognise and address emerging threats to the bank’s reputation.
The panel identified a number of what it described as “telltale markers” of poor governance including:
- Inadequate oversight and challenge by the board and its committees
- Unclear accountabilities and lack of executive ownership of key risks
- Weaknesses in how risk issues were identified and escalated
- Lack of urgency in management and resolution of risk issues
- Overly complex and bureaucratic decision-making, which (puzzlingly) “favoured collaboration over timely and effective outcomes and slowed the detection of risk failings”
- An operational risk-management framework that worked better on paper than in practice
- A remuneration framework that had little “sting for senior managers and… provided incentives to staff that did not necessarily produce good customer outcomes”.
All of this is against a backdrop of CBA’s continued financial success, no large loss-making events in relation to operational risks, and “industry-leading customer satisfaction scores”.
This last feature is dismissed by the panel with a statement that “the customer voice (in particular, customer complaints) did not always ring loudly in decision-making forums and product design”.
The panel concluded that cultural factors lay at the heart of CBA’s shortcomings. In criticising the lack of rigour and urgency on the part of the board and its committees, the panel acknowledged “one of the challenges facing all boards is ensuring strong oversight of senior management whilst still preserving an appropriate separation from managerial responsibilities. The panel accepts that a board must have a high degree of trust in the executives that it has appointed. However, the degree of trust needs to be continually tested and validated through appropriate metrics and constructive challenge by directors who collectively must have appropriate levels of expertise and experience”.
The bank’s board audit committee (BAC) came in for particular criticism for exhibiting “a lack of rigour and urgency in holding management to account in addressing and closing out audit issues”. The panel criticised the BAC members for not being routinely provided with, nor requesting, full copies of red audit reports, but relying merely on summaries, and for not calling the owners of issues raised in red audit reports to appear directly before the BAC.
Similarly, the board risk committee (BRC) was criticised for not policing closure of material control weaknesses reported to the committee. Also, the chair of the BRC had a reputation as an industry expert, as did the chief risk officer, and while this expertise was a strength, the two provided a “scholarly gravitas” that stifled the level of challenge at the committee meetings.
As with the BAC, the BRC was criticised for lack of clarity in terms of formal accountability, for a lack of candour in messaging from management, for a lack of benchmarking and for a high degree of overconfidence in management reporting.
Implications for financial institution directors
There is much food for thought in the APRA report. Coupled with Royal Commission evidence, company directors will no doubt ponder the implications for their roles for many months to come. It is early days, but here are a few preliminary comments:
- Boards will need to spend more time reflecting on how they are setting and demonstrating “cultural tone from the top”.
- Boards will need to pay increased attention to devising and monitoring measures that illuminate culture and behaviour across their organisations.
- Directors will need to be more visibly engaged around operational risk, customer complaints and feedback, and regulatory compliance. Board and committee minutes will need to more fully articulate how directors are questioning and challenging management on these matters.
- Generally, more time will need to be devoted to BAC and BRC meetings, which will need to engage in greater detail around items such as internal audit reports, regulatory correspondence and instances of non-compliance with policies and controls, in much the same depth that many companies now interrogate safety incidents.
- Boards will need to engage in more rigorous and detailed analysis to justify remuneration decisions, overlaying a conduct and risk lens across traditional financial objectives.
- Nominations committees will need to work harder to identify and recruit director candidates with deep industry experience in considering the skills of the board as a whole.
- All directors, particularly chairs, will need to carefully manage the risk of becoming quasi-executive as they spend more time engaging more deeply with management.
Implications for the financial sector
- It is going to get harder to recruit well-qualified directors for financial institutions group (FIG) companies, due to both the greater time demands and reputational risk involved.
- Inevitably, government will be pressured into giving both the Australian Securities and Investments Commission and APRA even greater powers, prosecution penalties and resources to more deeply interrogate financial companies, all of which will lead to increased costs of compliance teams and top management distraction.
It will be important for the continued efficiency of our financial sector that governments and regulators use any new powers judiciously and with restraint.
- It is likely that “community expectations” must now take prominence in addition to prudential risk management when it comes to approving loans and financial products. “Community expectations” will be difficult to define and subject to special interest group lobbying.
- Lending decisions will be delayed and more costly as banks have to gather more evidence in relation to serviceability. The full burden of this will fall on big banks; smaller institutions could fall outside the spotlight, putting larger institutions at a competitive disadvantage.
- The importance of positive credit reporting will be highlighted. Not all banks have signed up to the voluntary code as yet, but all should.
CBA cleans house
In late June, the Australian Prudential Regulation Authority endorsed the Commonwealth Bank’s (CBA) remedial action plan in response to the 35 recommendations of the prudential inquiry into the bank’s governance, culture and accountability.
The remedial action plan provides a program of change to improve the way the bank runs its business, manages risk and works with regulators.
- Strengthening governance and oversight
- Achieving better customer and risk outcomes
- Building a more accountable, transparent and customer-focused culture
- Taking a proactive approach to risk.
The CBA board determined that there should be collective and individual accountability for both current and former executives for the report’s findings, and the poor risk and customer outcomes that have occurred.
Accordingly, senior executive remuneration consequences will be more than $60 million — from reductions to variable remuneration and/or partial or full lapsing of outstanding deferred variable remuneration awards. This includes the actions taken by the CBA board in August 2017 to reduce non-executive director fees, and reduce to zero the short-term variable remuneration for group executives for the past financial year.
CBA will provide an update on the investment underway to implement the plan as part of its annual results on 8 August.
APRA chair Wayne Byres said the inquiry panel’s findings show CBA’s governance, culture and accountability frameworks and practices are in need of considerable improvement.
“As the panel notes,” he said, “CBA has itself identified and begun taking steps to address many of these issues, but there is much to do and a risk that the same issues which have led to the need for the Inquiry undermine the bank’s efforts to comprehensively and effectively respond to the recommendations of the panel.
“As a result, CBA has given to APRA an enforceable undertaking, which establishes a framework by which CBA will demonstrate it is addressing the full set of recommendations made by the panel in a timely manner. Until such times as these recommendations are addressed to APRA’s satisfaction, an add-on to CBA’s operational risk capital requirement will continue to apply.
“CBA is a well-capitalised and financially sound institution, but CBA itself had acknowledged shortcomings in governance, culture and accountability ahead of this inquiry. The comprehensive review, and set of recommendations set out by the panel, provides CBA with a clear path towards restoring its public standing.”