The "fit and proper" banker - new standards start in October

By Narelle Smythe.

Key Points:
The new standards focus not on job title but the job actually performed.

Who should manage an authorised deposit-taking institution ("ADI")?

Finalised versions of APRA’s "fit and proper" prudential standards were released on 2 March 2006, to come into effect on 1 October 2006. Affecting senior management of regulated institutions, the final version of Prudential Standard APS 520 - Fit and Proper requires them to develop a Fit and Proper policy and to review their staff’s fitness annually.

Who has to be fit and proper?

Directors, senior managers and auditors are covered by the standard, as are persons who perform activities for a subsidiary of the regulated institution where those activities may materially affect the whole, or a substantial part, of the business of the regulated institution or its financial standing, either directly or indirectly. Responsible persons for foreign ADIs are also covered by the standard.

Crucially, however, people outside these categories can also be responsible persons. The standard says that if a person plays a significant role in the management or control of the regulated institution, or that the person’s activities may materially impact on prudential matters, then APRA can determine that the person is a responsible person. Non-employees such as contractors or consultants therefore can be responsible persons.

What is "fit and proper"?

The draft proposed that disqualifying behaviour should include serious or persistent failure to manage their own debt or personal affairs "in accordance with their contractual or other legal obligations [where] … such failure caused loss to others". This has been retained. On the other hand, disqualifying behaviours do not automatically disqualify senior managers, so regulated institutions could still employ senior managers who have done the disqualifying acts. Although this decision belongs to the regulated institution in the first instance, APRA can override it and remove and disqualify the senior manager.

A regulated institution should ordinarily consider the person’s character, competence and experience relative to the duties involved, including whether the person:

• possesses the necessary skills, knowledge, expertise, diligence and soundness of judgement to undertake and fulfil the particular duties and responsibilities of the role in question; and
• has demonstrated the appropriate competence and integrity in fulfilling occupational, managerial or professional responsibilities previously and/or in the conduct of his or her current duties; and

whether the person:

• has demonstrated a lack of willingness to comply with legal obligations, regulatory requirements or professional standards, or been obstructive, misleading or untruthful in dealing with regulatory bodies or a court;
• has breached a fiduciary obligation;
• has perpetrated or participated in negligent, deceitful, or otherwise discreditable business or professional practices;
• has been reprimanded, or disqualified, or removed, by a professional or regulatory body in relation to matters relating to the person’s honesty, integrity or business conduct;
• has seriously or persistently failed to manage personal debts or financial affairs satisfactorily in circumstances where such failure caused loss to others;
• has been substantially involved in the management of a business or company which has failed, where that failure has been occasioned in part by deficiencies in that management;
• is of bad repute in any business or financial community or any market; or
• was the subject of civil or criminal proceedings or enforcement action, in relation to the management of an entity, or commercial or professional activities, which were determined adversely to the person (including by the person consenting to an order or direction, or giving an undertaking, not to engage in unlawful or improper conduct) and which reflected adversely on the person’s competence, diligence, judgement, honesty or integrity.

A responsible person should have no conflicts of interest either, although that in itself is not disqualifying if it would be prudent for the regulated institution to conclude that the conflict will not create a material risk that the person will fail to perform properly the duties of the position. There are also additional criteria for Approved Actuaries and Approved Auditors.

Developing a Fit and Proper Policy

Each regulated institution must develop a Fit and Proper Policy, approved by its Board, communicated to all responsible persons, and integrated into its risk management system.

The Policy must set out the process for assessing whether a person is fit and proper, including:

• who conducts the assessments
• what information will be obtained and how it will be obtained (keeping in mind legal requirements such as the Privacy Act)
• what will be considered
• the decision-making processes (which should be fair to the person under investigation)
• what actions will be taken if a person fails the assessment
• whistleblowing provisions to encourage people to give information as to a person's fitness for office.

Reviewing senior management's fitness for office

Within 28 days of the 1 October start date, regulated institutions must tell APRA, for each responsible person, the person’s full name, date of birth, position and main responsibilities, and whether he or she has been assessed under the Fit and Proper Policy.

So, even if a review has been done within the last year, another might be needed if the first one was not as thorough as required by this new standard.

Responsible persons must be reviewed annually. If a person is assessed as fit and proper, but the regulated institution then discovers something which calls that into question, it must re-do the assessment.

The Policy must also set out a document retention policy for documents relied upon for the assessment. This is not only for current responsible persons but also the recently past responsible persons.

APRA must be told of any changes within 28 days. If a responsible person fails the assessment, APRA must be told within 10 business days.

What to do now

As the Prudential Standard requires a Fit and Proper Policy based upon the Standard's minimum requirements, and that the Policy be part of the risk management system, regulated institutions should make sure that their policies are in place by 1 October and reviews are done within time.

For further information, please contact Narelle Smythe.