Norton Rose Fulbright LLP

07/01/2024 | News release | Distributed by Public on 07/01/2024 01:38

FAR intersection points: Privacy laws, data protection and foreign bribery

This article was co-authored with Filip Markoski


Introduction

As of 15 March 2024, the Financial Accountability Regime (the FAR) applies to Authorised Deposit-taking Institutions (ADIs). By March 2025, the FAR will apply to insurers, their non-operating holding companies and superannuation entity licensees (RSE licensees).

Compliance with the FAR is not intended to be a siloed exercise. Crucially, accountable entities and accountable persons should understand the main interfaces between compliance with obligations under the FAR and compliance with other regulatory obligations (including but not limited to those set out under section 21(1)(d) of the Financial Accountability Regime Act 2023 (Cth) (FAR Act)).[1] We focus here on how some of the FAR obligations may interface with the requirements under the privacy law regime and the foreign bribery regime. We also offer some practical insights on what entities and individuals captured by the FAR may do to prepare themselves to address any FAR-related risks should the organisation encounter privacy or data incidents, or potential bribery-related issues.

Our overarching view is that by avoiding a tick-box approach to complying with FAR obligations, and instead holistically evaluating the regulatory landscape of the accountable entity's operations, accountable entities and accountable persons will find themselves better placed to assess how a material contravention of other regulatory obligations potentially impacts the accountable entity's prudential standing or reputation.

General obligations under the FAR

The objective of the regime is to strengthen the accountability framework for certain entities in the banking, insurance and superannuation industries, as well as their directors and most senior and influential executives. The FAR is designed to improve the operating culture of entities in the relevant industries, and to enhance transparency and accountability in terms of prudential and conduct-related matters.

Importantly, under the FAR both accountable entities and accountable persons must take reasonable steps to prevent matters from arising which would (or would be likely to) adversely affect the accountable entity's prudential standing or prudential reputation.[2]

Additionally, the inclusion of specific "ADI Key Functions" relating to the register of accountable persons (such as data management, technology management, scam management, conduct and operational risk management) arguably demonstrates the focus that the regulators are likely to place on those aspects going forward.

Privacy Law and Data protection

An accountable entity will likely be an Australian Privacy Principle (APP) entity for the purposes of the Privacy Act 1988 (Cth) (Privacy Act). As part of their day-to-day operations, accountable entities are exposed to large volumes of personal information and potentially sensitive information of their customers by virtue of their centrality to the modern Australian economy. Compliance with privacy laws is integral to the operation of accountable entities and their provision of financial services, and this aligns with community expectations.

Most relevantly, APP 11 imposes obligations on APP entities to take reasonable steps to protect personal information held by the entity. Reasonable steps include implementing strategies across the whole spectrum of the business involving governance, culture, internal controls, ICT and physical security, third party provider management and management of data breaches. It also involves compliance with industry standards, including applicable prudential guidance and prudential standards which outline how regulated entities must manage risks to their information assets.[3]

Cyber-attacks resulting in significant data breaches have consistently made headlines in recent years. These incidents can result in irreparable reputational damage, loss of revenue, customer dissatisfaction and exposure to class actions. Where an incident is the result of material non-compliance with the entity's privacy obligations in the first place, it could well carry implications for FAR compliance, as the matter may be considered as having (or being likely to have) an adverse impact on the accountable entity's prudential reputation.

The Australian privacy regime is set for an overhaul with potential consequences for FAR compliance.[4] For example, the proposed requirements for organisational accountability which have been agreed in-principle by the Government mandate APP entities to appoint or designate a senior employee to hold responsibility for privacy within the entity, with an expectation that the privacy officer would report to the highest level of management. This reflects the central role that information management practices play in our economy and the broader community expectation that businesses should be responsible stewards of personal information. Non-compliance with any such requirements is arguably likely to have an adverse impact on the accountable entity's prudential standing or prudential reputation in the broader sense.

Foreign Bribery

The new foreign bribery laws will come into effect on 8 September 2024. These laws introduce a new offence of 'failing to prevent foreign bribery' for Australian corporations (Foreign Bribery Offence) under s70.05 of the Criminal Code Act 1995 (Cth).

In short, an Australian body corporate commits a Foreign Bribery Offence if an 'associate' of the body corporate bribes a foreign public official and the Australian body corporate derives a benefit from the act of bribery.[5] There is no requirement to establish whether the company was at fault or was otherwise involved in the illegal conduct. The defence available is demonstrating that adequate procedures were in place to prevent the act of bribery.

The Commonwealth Attorney-General has released for consultation draft guidance on the steps that entities can take to demonstrate that they have in place 'adequate procedures' within their anti-bribery compliance program.[6] This draft guidance emphasises the critical role which senior management, including executives, will need to play in ensuring organisational compliance with anti-bribery laws. The guidance outlines the practical ways in which top-level management can provide leadership to drive the formulation, implementation and promotion of effective anti-bribery policies, as well as how they can build a robust anti-bribery culture within the entity.

Given this emphasis, accountable persons should act now to assess their organisation's risk exposure to foreign bribery. This may involve a thorough analysis of the countries, sectors and regulatory environments of its offshore operations, the extent to which third party agents are relied on, and how those relationships are managed. In addition, we recommend that accountable persons evaluate whether their organisation's anti-bribery programs remain appropriate in light of the new foreign bribery regime, and how the program(s) help demonstrate the extent to which their obligations under the FAR are discharged.

Accountable persons should ask themselves key questions such as:

  • Are regular risk assessments being conducted to understand whether there is a potential exposure to conduct amounting to foreign bribery? If so, are these risk assessments robust enough?
  • Are the organisation's anti-bribery programs adequately resourced? Are the programs supported by appropriately qualified personnel with the relevant expertise?
  • What are the processes that inform which local business partner(s) or agent(s) to engage with, and how is the relationship with these local parties managed? Is there regular monitoring of their activities for any potential 'red flags' (e.g. vague descriptions of services, payments to personal accounts, the amount of commission payments)? How effective are those processes?
  • Does senior management (including accountable persons) have adequate oversight of the above? Are accountable persons involved in responding to breaches of anti-bribery policies?
  • Are there any incentives that could lead to an increased risk of engaging in conduct that could amount to a Foreign Bribery Offence?
  • Are employees and third parties aware of the channels by which potential breaches of anti-bribery policies may be confidentially reported (e.g. through whistleblowing)?
  • Have you demonstrated dedication to preventing bribery and creating a culture of integrity and zero tolerance towards corruption?

Any allegation that an accountable entity may be engaging in conduct overseas that may amount to a Foreign Bribery Offence will inevitably impact its reputation and prudential standing in Australia. Additionally, if an accountable entity fails to demonstrate that it has in place adequate procedures to prevent foreign bribery, there is a prima facie argument that it will have failed to take reasonable steps to protect its prudential standing and prudential reputation.

Staying ahead of the curve

As the FAR will be jointly administered by ASIC and APRA, a rise in enforcement activities should be anticipated.

To best comply with their FAR obligations, accountable entities should adopt a holistic approach to compliance. While we expect that senior management are already addressing privacy risks, attention should be devoted to preparing for the incoming foreign bribery laws. A holistic approach is particularly critical where an entity operates in an overseas market with unfamiliar local customs - a knowledge gap which could be exploited.

Accountable entities should act now to ensure they are well across the obligations of the FAR, as it applies to their entire business operations whether in Australia or abroad. Conducting regular risk assessments and scenario testing will help organisations identify their exposure to breaches of the FAR obligations (and beyond) and develop mitigation strategies.

Our global financial services regulatory team and risk advisory specialists are experienced in advising on compliance with the obligations under the FAR and its predecessor, the Banking Executive Accountability Regime. If you would like to know more about how our valuable insights can help your business, please contact one of our team members below.

Footnotes

[1] This article does not purport to expand the list of legislation stated under section 21(1)(d) of the FAR Act or consider the merit or necessity of doing so. Instead, it highlights that accountable persons and accountable entities should assess how a material contravention of other regulatory obligations potentially impacts the accountable entity's prudential standing or prudential reputation, and may result in civil penalties being imposed on accountable persons (e.g. if he/she was found to have aided an accountable entity to contravene its accountability obligations).

[2] 'Prudential reputation' is not defined in the FAR Act. Its meaning is somewhat clarified at paragraph 1.37 of the Explanatory Memorandum to the FAR Act, which notes: "Poor behaviour by a significant related entity can have a negative effect on the accountable entity's brand and public standing and has the potential to adversely affect the prudential reputation of the accountable entity itself." 'Prudential reputation' contemplates the public's confidence in the accountable entity and its reputation in the community.

[3] See, e.g., APRA CPS 234 and CPG 235.

[5] 'Associate' is defined broadly to include subsidiaries, controlled entities, officers, employees, agents, contractors of the corporation and any person who performs services for or on the corporation's behalf.