Individual accountability regimes and supervisory approaches need to keep pace with technological change in financial services
The Global Financial Crisis served as a catalyst for policymakers to focus on accountability: simply put, the idea that nailing down who is responsible for what within a firm makes both the firm's own governance and regulators' supervision more effective.
This moved beyond the traditional model of regulating institutions and their boards to include key individuals such as business-line managing directors and people with authority to commit their firms to significant transactions and the risks that come with them. Depending on the jurisdiction, these individuals below Board level have been referred to as 'senior managers' (UK), 'managers-in-charge' (Hong Kong) or 'accountable persons' (Australia), or more generically as 'material risk takers'. The policy rationale was to drive stronger and sounder governance and risk culture in the financial services sector at a time when public trust in financial institutions had deteriorated.
While the regimes globally are at various stages of maturity, a common theme is that pinpointing accountability remains a key challenge for regulators. This is further complicated by the increasing reliance of traditional financial services institutions on third parties, particularly for the provision of key technology. Accountability regimes, and (where expectations have not been codified) supervisory expectations of individuals in key roles, remain premised on there being clear solid or dotted reporting and escalation lines within firms. In practice, accountability is often far more diffuse, looking more like a net than a set of straight lines, because of rising complexity in, for example, supply chains, product structures and digital delivery channels. Very frequently there is real ambiguity about who is, or should be, the accountable individual.
Individual accountability regimes look set to stay, but need to be revisited in light of changing dynamics in how financial services are delivered.
Simone Hui
Of Counsel, Hong Kong
The ecosystem for individual accountability is changing
Increasingly, regulators are under pressure (from the public, governments and other stakeholders) to hold individuals within financial services institutions to account for conduct that occurs in their supply chains, even where the conduct is that of a third party and even where that third party is separately regulated. Many jurisdictions are seeing an increase in enforcement activity concerning outsourced or third party provider services. For example, the Australian Securities and Investments Commission (ASIC) has imposed fines and commenced litigation against multiple superannuation trustees in the last twelve months for claims processing delays caused by their administrators. It has also pursued several life insurers over the funding of customer remediation for the mis-selling of life insurance by a third party licensed distributor.
The global pandemic sharpened the focus on what was then the nascent regulatory concept of operational resilience, and it remains a key priority for regulators across Australia, Hong Kong, the UK and Europe. This matters because operational resilience regimes and supervisory expectations explicitly acknowledge that regulated firms will rely on outsourcers and third party providers. These regimes may be the best articulation to date of what regulators expect of accountable individuals within regulated firms when third parties are involved.
Examples include:
- the Australian Prudential Regulation Authority's (APRA's) Prudential Standards CPS 230 Operational Risk Management and CPS 234 Information Security impose obligations on regulated entities to implement robust frameworks to manage third party material service providers and information security systems;
- the Hong Kong Monetary Authority's (HKMA's) Supervisory Policy Manual Modules OR-1 and OR-2 set out expectations on the key elements of effective operational risk management and general principles to consider when developing an operational resilience framework;
- the Monetary Authority of Singapore's (MAS') Notice 658 Management of Outsourced Relevant Services for Banks and its guidelines on outsourcing for other types of institutions require the establishment and implementation of suitable frameworks to manage third party material service providers and information security systems;
- the UK's Prudential Regulation Authority (PRA) has set out in Supervisory Statement 2/21 (SS2/21), on outsourcing and third party risk management, its expectation that firms take proactive steps to ensure the continuity of critical services; and
- the EU's Digital Operational Resilience Act (DORA) requires firms to establish robust ICT risk management frameworks, incident response mechanisms, and continuous governance, risk, and compliance policies and practices.
These regimes push at the edge of the regulatory perimeter: they require regulated entities to take proactive steps to conduct due diligence on, and to monitor and oversee the performance of, the third parties they engage, and they hold those entities to account for failures where the appropriate steps have not been taken.
This inevitably affects individual accountability across a range of key jurisdictions, including the Senior Managers Regime in the UK, the Individual Accountability and Conduct Regime in Singapore and the Financial Accountability Regime in Australia. All of them widen the net of individual accountability in financial services institutions, stretching it beyond traditional board-level accountability (which was often 'collective accountability') to executives, directors, senior managers and others.
Shared responsibility
The push for individual accountability does not sit easily with the complexity and realities of managing modern financial services institutions. It is notable that, having been introduced after the Global Financial Crisis with the intention of enabling regulators to take more effective action against individuals, the UK's Senior Managers Regime has seen markedly less action against individuals than was anticipated. Perhaps in response to these inherent challenges, the regulatory narrative around the regime has pivoted in recent years to emphasise its success in bringing clarity to risk and governance structures.
Ultimately, the tangible value of individual accountability regimes may lie in how they have helped regulated entities to articulate responsibilities better and, in the course of that exercise, to identify the areas where assigning accountability is genuinely complex.
Individual accountability regimes also overlook the realities of collective or distributed decision-making, which is common in most sophisticated firms. We have seen this play out across the industry and across our global network, most recently in Australia in the implementation of the Financial Accountability Regime. By way of example, when a firm entered into a material administration agreement it was common for there to be joint decision-makers (most commonly the Chief Operating Officer, Chief Financial Officer and Chief Technology Officer) responsible for negotiating and signing off the agreement; in these circumstances accountability is necessarily overlapping and shared.
A shift in regulatory mindset feels overdue – shared accountability cannot be seen as the poor relation of individual accountability, particularly when dealing with complex matters.
Tamanna Islam
Partner, Sydney
Suppliers and providers and vendors, oh my!
The increasing reliance on third parties to deliver financial services adds yet more complexity to individual accountability; to borrow from The Wizard of Oz, 'we're not in Kansas anymore!'
Experience of negotiating and contracting with key global suppliers of services and technology makes clear that the negotiating leverage typically sits with the supplier rather than the financial services institution (with some limited exceptions). That leverage usually derives both from the size and scale of the suppliers and from the small number of them in the market.
In these circumstances, resting accountability solely (or mostly) with key individuals within a regulated firm is unlikely to be enough to ensure good governance, risk management and customer outcomes across the whole supply chain. Suppliers also lack a direct channel of engagement with regulators, and instead rely on firms to interpret and relay regulatory messages. This raises some legitimate policy questions:
- Should limitations be placed on individual accountability in light of the increasingly complex structures for providing financial services, dependence on third parties, significant concentration risk and the challenges in relation to transparency and explainability of technology? And, if so, how should these be calibrated to ensure appropriate outcomes for financial services end-users?
- Thoughts often leap to enforcement action and monetary penalties when things go awry. However, as some regulators signal a shift to being 'outcomes-focused', it raises the question whether incidents in or affecting the supply chain should be approached more collaboratively, with an eye to 'learning and improving' rather than 'blaming and fining'.
Where to from here?
The complexity of modern management means that individual accountability regimes may not always be the most effective regulatory enforcement tool. While individual accountability regimes have played an important role in improving governance through clearer articulation of responsibilities, financial services are provided in an increasingly complex ecosystem of collective decision-making and integrated supply chains.
While the Financial Accountability Regime in Australia is in its relative infancy (albeit being an evolution from an earlier regime), more established regimes in the UK and Hong Kong provide useful data on the challenges associated with regulating individual accountability. Ultimately the focus of regulators and regulation in this arena should remain on driving sound decision-making and risk culture within regulated sectors.
Some efforts are being made to tackle the conundrum that neither financial institutions nor the individuals working within them have sufficient leverage or capacity to incentivise good governance and conduct by the unregulated third parties on whose services they depend.
In the UK, under a recently introduced legislative regime, the financial services regulators will have oversight of critical third parties (CTPs) once they are designated by HM Treasury. This will enable the regulators to make rules applying to CTPs, gather information from them, and take enforcement action against them in connection with the services they provide to financial market infrastructures (FMIs) and regulated firms. Likewise in the EU, designated critical ICT third-party providers (CTPPs) will be subject to oversight under DORA.
Both regimes are in their infancy. In the UK, HM Treasury is expected to make its first CTP designations in 2026. In the EU, the European Supervisory Authorities (ESAs) released a list of 19 designated CTPPs at the end of 2025, a key step in implementing the DORA oversight framework. How these regimes will work in practice, and what effect they will have on the balance of accountability between financial services firms and their providers, remains to be seen.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.