BANKING ROYAL COMMISSION Ken Hayne
Kenneth Hayne, banking royal commissioner.

Unless you’re a regulation nut, you won’t know what the enforcement pyramid is. But it’s at the heart of the framework Australian governments establish to protect consumers. And in financial services, it’s completely useless. We need a new regulatory shape.

The pyramid has self-regulation and what’s called co-regulation at the bottom, in which companies police themselves or report breaches to a regulator or are subject to a complaints mechanism, then there are mid-tier powers for more substantial breaches — enforceable undertakings, or licence conditions, or “speeding ticket” infringement notices. Then, for more serious breaches or repeat offenders, there are civil penalties, then at the very top, criminal penalties that can see large fines and, potentially, jail time or the corporate version thereof — removal of licences or prohibition from trading. This image, from a paper by Aakash Desai and Australian regulatory guru Ian Ramsay, illustrates it:

This has been the regulatory approach for financial services: in addition to consumer complaints to regulators, banks and other financial service providers are expected to police themselves and report breaches to regulators, who — theoretically — may investigate themselves and respond with escalating sanctions.

But as is now apparent, financial services regulation isn’t a pyramid. It’s more like a very, very thin trapezoid made up entirely of the bottom tier of self-reporting. The constant evidence from the royal commission has been the obstinate refusal of the consumer finance regulator ASIC, or the prudential regulator APRA, to take any kind of strong enforcement action against big banks or insurers guilty of serial and major breaches of the law. But a report from ASIC yesterday illustrates the extraordinary contempt with which those companies treat their self-reporting obligations.

The report revealed it takes big institutions an average of 2145 days — or almost six years – between the first breach and the first compensation payment to customers. And according to ASIC, “the major financial groups took an average of 1726 days (median: 1148 days) to identify an incident that was later determined to be a significant breach”. They undertake long investigations — 150 days — before they report breaches, and one in seven breaches is reported later than the legally required 10 days.

And this is quite deliberate. One of the big banks, Westpac, is able to compensate people significantly more quickly than the others. And smaller institutions investigate and report breaches and compensate people much more quickly. The big financial institutions simply refuse to regulate themselves properly, despite having billions more in profits than smaller rivals who take their regulatory options more seriously.

It’s clear that the pyramid needs to be ditched. Self-regulation and co-regulation have demonstrably failed. The entire bottom tier of the pyramid needs to be removed. The base must be mid-tier regulation — the automatic infringement notices, enforceable undertakings. Then civil penalties and criminal penalties, with a regulator far readier to resort to those measures. The pyramid shouldn’t taper anywhere near as much as it currently does.

And there’s a way to compel banks to speed up compensation and force them to co-operate more readily with inquiries by regulators. In response to a complaint, the regulator makes a preliminary estimate of what it believes the compensation for a breach, if found, should be, then compels the bank to hand over that sum. And that’s not returned until the bank resolves the complaint satisfactorily, with the regulator keeping the interest. ASIC concludes that the delays they examined related to complaints and breaches worth $500 million. That would be a substantial incentive for banks to speed up their dilatory internal processes.

The only problem is that the government has imposed a peculiar limitation on the royal commission in the terms of references, which includes this:

The Commission is not required to inquire into, and may not make recommendations in relation to macro-prudential policy, regulation or oversight.

The thrust of this is understandable: to avoid bringing into question the prudential regulation of the sector, especially banks, and the overall objectives of prudential regulation and monetary policy more generally. But the changes needed to get rid of self-regulation and get the enforcement framework working again are likely to relate very clearly to macro-prudential policy and oversight. We’ll find out on Friday, in the commission’s interim report, how Kenneth Hayne proposes to resolve that tension.