
We can all see how last year’s banking royal commission has shaken up Australia’s financial services sector and its regulators. But less understood is the extent to which the royal commission is fundamentally altering the relationships between regulators and the regulated in industries far and wide.

From food safety to privacy protection to telecommunications provision, every form of regulation has stakeholders that need to rethink the way they operate in the light of the royal commission (formally the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry). Regulators that previously used a light touch in overseeing industries will now face a growing expectation of enforcement, while regulated entities that previously took a casual approach to compliance will find a far less sympathetic environment.

Regulators and industries that fail to respond to the shift may soon find themselves facing immense social, political and economic pressure to act.

Royal Commission found regulators too often a soft touch

When he delivered his recommendations in February 2019, Justice Kenneth Hayne was unsparing when it came to the key regulators in the banking sector, particularly the Australian Securities and Investments Commission.

Several aspects of Justice Hayne’s commentary have broader application to regulators in all sectors.

For starters, regulated entities are not clients and regulators do not provide services. The client of the regulator is the government, and through it all citizens; regulated entities are not clients and should not be treated as such. While efforts should be made to streamline compliance processes, this should not come at the expense of robust monitoring. Dissatisfaction from a regulated entity is not necessarily a sign of a flawed process; it may, in fact, indicate the opposite.

It is also imperative that regulators are prepared to enforce the law. Too often legal enforcement is used as a last resort when all other options have failed. Instead, regulators should treat legal enforcement of responsibilities as a starting point, and only when there are good reasons to not proceed should an alternative be sought. Justice Hayne recommended (6.2) that ASIC should adopt an approach to enforcement that takes as a starting point the question of whether a court should determine the consequences of a contravention. A watchdog unwilling to bark is of little use.

When it does use discretion, a regulator needs clear objectives. A regulator that opts to not pursue legal enforcement needs to be clear about what it is hoping to achieve. While restoration for consumers is an important objective, regulators cannot lose sight of the role of deterrence in delivering better outcomes across whole industries. Justice Hayne recommended (6.2) that ASIC’s enforcement approach should recognise the importance of general and specific deterrence.

Meanwhile, a reluctance to accept an occasional loss is leaving regulators too cautious. Many regulators are reluctant to pursue legal action due to the risk that a loss would be costly and harmful to their reputation. But by taking such a strong aversion to a loss they are denying themselves potential successes. Regulators need a cultural willingness to tolerate losses.

Fundamentally, the culture of an industry can be shaped by regulatory action — and inaction. Through a reluctance to enforce regulations, ASIC had unwittingly encouraged the industry to continue to push the boundaries of what it could get away with, and thereby enabled a risk-seeking culture.

The royal commission went further than just identifying the shortfalls in regulatory practice; it also identified the barriers to effective enforcement.

One major constraint was a lack of resources to undertake tasks along the integrated compliance spectrum. Legal action can obviously be expensive, and a lack of funding left some regulators unable to pursue enforcement. Over time, through lack of use, the capabilities to pursue legal action were eroded, leaving some regulators reliant on external legal teams rather than their own staff. Enforcement policies and procedures had also become neglected, sometimes not kept up to date and fully functional.

Regulators will need to shift their posture regarding enforcement

So what will be the impact of the royal commission on regulators across all sectors? Our expectation is that regulators will be compelled to shift their posture regarding enforcement. We expect this to manifest itself in three ways, each reflecting an additional requirement of regulators.

  1. Improved capacity, capability and processes to take enforcement action. This improvement will involve making resources available for enforcement, developing the capability of their teams to undertake it credibly, and creating a culture that is supportive. Many regulated entities have deep pockets and an army of lawyers, so regulators need to be prepared to fight. Given some regulators currently take little or no enforcement action, this shift is significant.
  2. A data capability to inform effective regulation. While there is a lot of rhetorical support for risk- and outcome-based regulation, few regulators have the data to make informed decisions about those risks and outcomes. Regulators need to develop their data analytics capability, and then use that capability to acquire and analyse the data available to them. That analysis then needs to inform the regulatory strategy so that resources match the level of risk.
  3. Improved governance and decision-making. The decision to take enforcement action, or choose another approach, needs to be grounded in clear decision-making processes and authority that is independent. It should also be supported by a clear enforcement policy that is publicly available.

Regulated entities should position themselves for change

As for regulated entities, they can expect the relationship with regulators to change, and that breaches of the law will enjoy far less tolerance. Here are four things they need to prepare for:

  1. Breaches to be met with enforcement action. Where previously regulators’ default setting may have been to use education and persuasion, now the default will be to seek enforcement, and only when there is a compelling reason not to act will regulators use those other tools. Regulated entities, therefore, need to be more vigilant in policing their own behaviour, knowing that second chances and slaps on the wrist will be rarer.
  2. Regulators to prioritise deterrence. Previously the regulatory response to conduct likely focused on the detail of that particular conduct, and so there was a disincentive to enforcement action if the scale was small. But in seeking to send a deterrence message, regulators are more likely to take enforcement action. Regulated entities would be wise to communicate that they get the message and are acting accordingly.
  3. A regulator with greater powers. Governments are particularly attuned to the outcomes of the royal commission and are expected to strengthen regulators’ powers and increase the available remedies (including the size of penalties). Furthermore, these changes are likely to take place without the wide-ranging stakeholder consultation previously typical. Governments – and the citizens to whom they are accountable – are determined to demonstrate that they are acting to protect the public and have little appetite for cosy collaboration.
  4. Recalculating their risk equation. Every regulated entity needs to ask itself, is the consequence of a breach greater than the cost of compliance? With the increased consequence of a breach, the recalculation is likely to lead to regulated entities taking a more cautious approach to behaviour at the margins. Carrying on as if it is better to ask for forgiveness than permission will be far more costly.

Business-as-usual is unlikely to return

The watershed changes identified are premised on the idea that the royal commission will seep deep into the public consciousness and lead to sustained changes in behaviour. Of course, it is possible the lessons are quickly forgotten and things return to business as usual.

But any regulator or regulated entity acting on this assumption leaves themselves highly vulnerable to a big shock. The new environment provides opportunities, but only to those who are prepared.

This piece was first published on The Mandarin