After being formally announced in December 2017, the Royal Commission into Misconduct in the Banking, Superannuation, and Financial Services Industry has released its final report, which provides a solution that proposes to disallow a repeat of the many cases of misconduct the probe uncovered; the real-time sharing of information between two of Australia's regulators.
The 530-page, Volume 1 report [PDF], signed off by Commissioner Kenneth Hayne made a total of 76 recommendations, with one requesting the Australian Securities and Investments Commission (ASIC) and the Australian Prudential Regulation Authority (APRA) be required to share information via a database that both parties have access to.
Hayne suggested the scheme be founded on the premise that "joint responsibility and co-operation necessitates substantial commonality of information".
"I favour a model that prefers mandatory, rather than discretionary, sharing of information. ASIC and APRA should, to the greatest extent possible, work from a single body of relevant information," he wrote.
Currently, both ASIC and APRA are permitted to provide certain information to specified parties. As explained by the report, ASIC can disclose confidential information, including information obtained by exercise of its compulsory powers, to APRA.
APRA may also provide information to ASIC, but only if APRA is satisfied that the disclosure of the information or the production of the document will assist ASIC to perform its functions or exercise its powers.
"An inability of financial regulators to share relevant information would lead to duplication of information requests and to agencies acting without all available information," the report says. "However those provisions, while necessary, are not sufficient."
Having proposed changes to the financial services sector -- such as the Superannuation Industry (Supervision) Act 1993, which regulates Australia's super industry, as well as the Banking Executive Accountability Regime (BEAR), which establishes accountability obligations for banks -- the commissioner said he wants the regulators to work more closely together.
"To make those changes effective, the current information-sharing provisions should be changed," he wrote.
"I recommend that each regulator be subject to a requirement to notify the other whenever it forms the belief, based on information available to it, that a breach may occur, or may have occurred, in respect of which the other regulator has enforcement responsibility."
The commissioner believes a real-time platform to share data will result in regular exchanges of information.
"But more is required to ensure that as far as possible, information gaps are closed," he continued. "A change in both mindset and legislation is required. Rather than proceeding from a premise that certain information belongs to APRA or to ASIC, the preferable position is for information to be deemed to be 'financial regulator information'.
"I suspect the most efficient way of storing that information will be in a shared database."
Hayne, however, is leaving the mechanics of the system, such as how each regulator can be best made aware that documents have been uploaded to the database to further consideration.
Additionally, the report asks that the drafting of the statutory definition of "financial regulator information" be given close attention.
"There will be some documents that should not come within the shared category. But that must be the exception and not the rule," he wrote.
"The mandatory sharing of information should mean that over time a substantial corpus of material will be collected and available -- in as close to real time as technology allows -- to each regulator."
According to Hayne, if this solution is properly designed and maintained, the shared database of information will become a valuable tool for the shared and individual work of ASIC and APRA.
Specifically, the report recommends the law be amended to oblige each of APRA and ASIC to co-operate with the other, share information to the maximum extent practicable, and notify the other whenever it forms the belief that a breach in respect of which the other has enforcement responsibility may have occurred.
The report also recommends the establishment of a new oversight authority for APRA and ASIC, independent of government, to assess the effectiveness of each regulator in discharging its functions and meeting its statutory objects.
Not just 'poor computer systems'
The report, also covering the financial advice, superannuation, and insurance spaces, places a heavy emphasis on the need for banking institutions to change their internal culture.
Banks found themselves in hot water on a number of issues throughout the Royal Commission, with one being the practice of overcharging customers for financial advice they did not receive.
It was revealed that the Commonwealth Bank of Australia (CBA) was made aware in 2012 by Deloitte that it did not have the systems and monitoring in place to ensure clients were getting financial services they had paid for; that clients were habitually charged services that were not provided; and that there were ad hoc systems in place to store data that could only be checked manually.
As also reported by the ABC, CBA, alongside Westpac, the National Australia Bank, ANZ bank, and AMP, had taken more than AU$220 million from clients for services they never intended to provide.
The commission also heard that advisers at a CBA financial planning business continued to charge fees to customers they knew were deceased.
In his final report, Hayne determined that the root cause of charging fees for no service was simply greed.
"There began to emerge a narrative, reflected even in the evidence of Mr Wayne Byres, chair of [APRA], that fees for no service was all just a series of careless mistakes capable of being swept aside as 'processing errors'," the commissioner wrote, noting processing errors were also cited by NAB CEO Andrew Thorburn as a reason for charging customers fees for no service.
"It was, in his words, 'just professional negligence'. And Mr Byres said, in his statement, that 'in many cases the fees for no service issue was in large part a product of poor IT infrastructure … [and] legacy system issues'."
"I cannot and do not accept this," Hayne said.
"The amounts of money that just 'fell into the pocket' of so many large and sophisticated financial entities, the number of times it happened, and the many years over which it happened, show that it cannot be swept aside as no more than bumbling incompetence or the product of poor computer systems."
Additionally, the report requests that all financial services entities, as often as reasonably possible, take proper steps to: Assess the entity's culture and its governance; identify any problems with that culture and governance; deal with those problems; and determine whether the changes it has made have been effective.
To help encourage this behaviour, the commissioner recommends APRA build a supervisory program focused on building culture that will mitigate the risk of misconduct; use a risk‑based approach to its reviews; assess the cultural drivers of misconduct in entities; and encourage entities to give proper attention to sound management of conduct risk and improving entity governance.
The regulator has published updated information on the use of shared computing services, such as cloud, by APRA-regulated entities.
The public-private data-sharing initiative uncovered activities linked to child exploitation.
CBA will pay the largest civil penalty in Australian corporate history after previously laying blame on a coding error and disparate data.
The bank implemented the system 18 months ago to centralise the way issues were recorded and handled.