
University of Sydney Law Research Series


Kinley, David; Sheehan, Kym --- "ESG risk is a core concern for financial services regulation" [2022] USydLRS 1

Last Updated: 13 May 2022

The University of Sydney Law School

The University of Sydney Law Research Series (USydLRS)

No. 22/01

April 2022

ESG risk is a core concern for financial services regulation

David Kinley and Kym Sheehan

This paper can be downloaded without charge

at: The University of Sydney Law Research Series

ESG risk is a core concern for financial services regulation

Professor David Kinley (Sydney Law School) and Dr Kym Sheehan (Newcastle Law School)

22 April 2022

This is our submission in response to the Australian Law Reform Commission’s Background Paper FSL5 Risk and Reform in Australian Financial Services Law (March 2022).

In it we suggest that a much wider and deeper consideration of ESG risk management throughout the financial services sector in Australia and overseas is not just desirable but necessary.

Our submission focuses first on the broad question of ‘social’ risk factors (the ‘S’ in ESG) for the sector and, in that regard, specifically on the human rights impacts of financial services and their regulation; and secondly on the particular ‘conduct and product risks’ within financial services that impact directly or indirectly on relevant human rights concerns.

In addition to a range of international and domestic sources, our submission draws directly on the research, data and findings that comprise our Financial Services Human Rights Benchmark (FSHRB) launched in May 2021 measuring the levels of human rights risk management and compliance of the largest 22 financial services entities listed on the Australian Stock Exchange.

Our submission

This submission responds to the ALRC Background Paper FSL5 Risk and Reform in Australian Financial Services Law (March 2022).

In it we draw on the research, data and findings that comprise our Financial Services Human Rights Benchmark (FSHRB) launched in May 2021 measuring the levels of human rights risk management and compliance of the largest 22 financial services entities listed on the ASX.

We note that the Terms of Reference for the FSL Inquiry direct the Commission to examine, inter alia:

(i) “the continuing emergence of new business models, technologies and practices”; and

(ii) “how best to maintain regulatory flexibility to clarify technical detail and address atypical or unforeseen circumstances and unintended consequences of regulatory arrangements” regarding “the coherence of the regulatory design and hierarchy of laws, covering primary law provisions, regulations, class orders, and standards.”

As such, and given especially that this BP is concerned expressly with financial services risk, we are surprised to see that the BP barely mentions the management of ESG risk, let alone offers any concerted consideration of its relevance to corporations and financial services regulation.

Our submission suggests that a much wider and deeper consideration of this critical and fast-growing matter of concern throughout the FS sector in Australia and overseas is not just desirable but necessary. In consequence, our submission focuses first on the broad question of ‘social’ risk factors (the ‘S’ in ESG) for the sector and, in that regard, specifically on the human rights impacts of financial services and their regulation; and secondly on the particular ‘conduct and product risks’ within financial services that impact directly or indirectly on relevant human rights concerns.

ESG context – global

ESG risks are no longer peripheral matters consigned to the ‘non-financial’ basket of board room and management concerns. Evidence of the relevance and impact of ESG concerns is today increasingly found not only in the policies and practices of financial services providers themselves – the UN’s Principles of Responsible Investment global database on ESG-related policies of leading finance and investment entities notes that more than 750 such policies have been created since 2000[1] – but also in the professional services that advise them and in the regulatory architecture that governs them.

From headlines in BlackRock’s Larry Fink’s annual letters to CEOs,[2] financial institutions everywhere advertising their ESG credentials[3] and leading law and accounting firms competing to provide ESG services to financial corporate clients,[4] to lawmakers and regulators across Europe where various countries now oblige corporations (including financial service entities) to undertake environmental and social due diligence,[5] the management of ESG risks is manifestly of serious concern throughout the sector.

Further, the European Commission has recently released a draft Directive mandating such corporate due diligence practices across the EU with the object “to better integrate risk management and mitigation processes of human rights and environmental risks and impacts, including those stemming from value chains, into corporate strategies”.[6] Besides expanding ESG due diligence beyond environmental risks to include, expressly, human rights risks, this so-called mHREDD Directive will likely have “significant implications for Australian businesses”,[7] including Australian financial services entities with significant international operations. Most especially, in this respect, the mHREDD will augment existing EU risk management mandates on sustainability-related disclosure in the financial services sector.[8]

ESG context – Australia

ESG concerns are already reflected in Australia’s ‘twin peaks’ model of financial regulation. Thus, under the Corporations Act (Part 7.9) financial product disclosures must include “the extent to which labour standards or environmental, social or ethical considerations are taken into account in the selection, retention or realisation of the investment”.[9] And while APRA’s recent Prudential Practice Guide (CPG 229) on Climate Change Financial Risks (Nov. 2021) does not impose any new regulatory requirements or obligations, it is intended to “assist APRA-regulated entities to manage climate-related risks and opportunities within their existing risk management and governance practices,”[10] including, specifically, compliance with “Prudential Standards CPS 220 Risk Management (CPS 220), SPS 220 Risk Management (SPS 220), CPS 510 Governance (CPS 510), SPS 510 Governance (SPS 510)”.[11]

Additionally, there is a host of academic,[12] practitioner[13] and NGO[14] commentaries on ESG practices in the financial services sector in Australia, as well as the Hutley Opinion (updated April 2021) on the scope of directors’ duties under the Corporations Act to encompass environmental and climate change considerations, alongside a similar legal opinion being actively canvassed regarding human rights risks for directors across multiple jurisdictions.[15]

Relevance of human rights risk (the ‘S’ in ESG)

No matter the expansion of ESG research and practice throughout the finance sector, the ‘social’ in ESG remains the least explored and least understood of the three elements. It is in this regard that there is a growing interest both in the impact of finance on human rights and on the role that human rights can and do play in financial sector practices and regulation.[16]

As we noted in our submission to the Hayne Royal Commission in 2018:

“Misconduct in financial services and behaviour that fails to meet community expectations are not just matters of legality and professional ethics: they concern infringements of peoples’ basic human rights. The revelations of Banking and Financial Services Royal Commission Interim Report have illustrated the often raw human consequences of malfeasance by our banks, insurers, super funds and financial advisers, which, we argue, run deeper than transgressions of relevant corporate or commercial laws. Such conduct frequently undermines established human rights laws and standards.” [17]

That submission was based on our analysis of some 314 cases of misconduct recorded by ASIC between January 2017 and September 2018, in which we found that in all cases involving relationships between a financial services entity and its customers or clients (some 255 of the 314 cases), at least one, and in most instances, more than one of (then) four identified human rights categories were adversely affected. This work paved the way for what was to become the Financial Services Human Rights Benchmark (in which we expanded the human rights categories to six).

Risk and the financial services human rights benchmark (FSHRB)

The Financial Services Human Rights Benchmark (FSHRB) is a world-first benchmark designed specifically to measure the human rights performance of financial services entities (FSEs). We measure human rights performance against 6 human rights categories across 5 domains where FSEs impact human rights, using 5 factors to assess risk, outcome and impacts, with indicators (proxies) to measure factor performance within each domain. For convenience, we call this the 655i benchmark model. It’s a simple way to remember the key elements of the benchmark.

Figure 1: 655i model

We measure risk management using three factors – Governance, Policy Positions and Due Diligence – and assess these factors for each domain using a specific set of indicators for that domain.[18]

Our first benchmarking report released in 2021 for the 2019 financial year (a key year being the year in which the Hayne Royal Commission Final Report was released) indicates that not one of the 22 ASX-listed FSEs in our sample identified human rights as a material non-financial risk for their business. Our sample FSEs typically adopted the ‘risk-trifecta’ of operational, compliance and conduct risk most frequently identified as material sources of non-financial risk.[19] We note the definitions of those terms as follows:

Operational risk: the risk of losses resulting from inadequate or failed internal processes, people and systems or from external events and includes legal risk, but excludes strategic and reputational risk.[20]

Compliance risk: the risk of legal or regulatory sanctions, material financial loss, or loss to reputation a bank may suffer as a result of its failure to comply with laws, regulations, rules, related self-regulatory organisation standards and codes of conduct applicable to its banking activities.[21]

Conduct risk: the risk of inappropriate, unethical or unlawful behaviour on the part of an organisation’s management or employees.[22]

Figure 2: Non-financial risk trifecta defined

Each category within the non-financial risk trifecta would appear to implicitly require consideration of human rights risk. Sexual harassment, breach of financial services laws requiring extensive customer remediation, misuse of customer information, breaches of privacy, and wage underpayment could each fit within two, if not all three of these risk categories. As defined above, none of the three risk categories specifically identify risk topics (such as human rights risk, climate change risk, technology risk). This raises the question of how risks are identified by and within our sample FSEs so that they can be adequately managed by each entity.

We observed that our sample FSEs adopt the Three Lines of Defence (3LOD) approach to risk management. As we noted in our Year 1 report:[23]

This standard corporate model allocates responsibilities for risk from frontline management/business units as ‘risk owners’ (line 1), through risk management and compliance functions (line 2), to internal audit function (line 3), using a policy framework and risk identification and ranking methodologies. As noted, for example, in AMP’s 2019 Corporate Governance Statement, “The ‘three lines of defence’ approach is designed to provide assurance to management and the board that risks are identified, managed and reported effectively.” APRA has identified the 3LOD framework as providing an effective framework for risk management.[24] Yet the 3LOD framework appears to operate alongside a separate internal risk governance framework that includes the Board.[25]

This somewhat dislocated approach – risk identification via 3LOD at first line, risk accountability via the separate risk governance process – might help explain why closer attention isn’t being paid to human rights risk, with appropriate risk identification, adequate resourcing and accountability.

Risk identification within FSEs has to also consider risk culture[26] and how it is managed within FSEs. APRA’s research indicates risk culture work is undertaken by the second line of defence (risk function) with the board setting the FSE’s risk appetite (relevant to both product risk and conduct risk).[27] In considering the laws surrounding product design and development, consideration should be given to how this work is undertaken within FSEs. As we note in our Year 1 report,

Noting the importance that the Hayne Royal Commission attached to so-called ‘norms of conduct’,[28] we argue that merely achieving adherence to the law by demonstrating these norms (which simply restate the existing laws) won’t be sufficient to achieve improved human rights performance by FSEs. And while it is clear that these norms of conduct dovetail nicely with the risk trifecta of operational, compliance and conduct risk, the norms are less helpful when considering risk topics as diffuse as human rights risk or climate change risk.

Considerations of the financial services laws around product risk and conduct risk must appreciate how risk is managed within FSEs. While chapter 7 operates independently from APRA’s prudential regime, we see merit in aiming for consistency across these different regulatory regimes.

A human rights approach to product and conduct risk

An issue we addressed in our benchmark is how to translate financial services law concepts to human rights impacts. Research we conducted as part of our work designing the FSHRB considered actual or potential breaches of Corporations Act 2001 (Cth), chapter 7 as identified in ASIC media releases, which we then translated firstly into conduct concepts (a shorthand way of classifying the particular conduct, noting that some of these descriptions would fall within the ALRC’s category of product risk).[29] This typology is reproduced below.

[Figure: typology of conduct concepts]

We then considered the types of human rights impacts arising from these types of conduct across our six human rights categories.[30]

Privacy and information: Privacy and protection against misuse or abuse of personal information; protection against FSE providing misleading information or withholding information that materially impairs a person’s informed “consent” regarding contractual relations with FSEs.

Anti-discrimination: No discrimination on illegitimate grounds such as gender, race, indigeneity, or disability.

Economic security: “Quality” of goods and services necessary for the enjoyment of basic economic, social and cultural rights (including the “continuous improvement of living conditions” such as housing, health care and education) is “not sacrificed for the sake of increasing profits.” Also covers fair remuneration both within FSEs and their suppliers, contractors and clients.

Health and safety: Rights to workplace health and safety as pertaining in the FSEs themselves, their suppliers, contractors and clients (re: commercial lending), and as pursued (or not) by FSEs in their broader societal interactions.

Voice and participation: Right to freely express views relevant to functions of FSE or the impact of their actions, including the right to association and participation in decisions directly affecting their interests – especially employees (in FSEs, their suppliers, contractors and clients), communities (including indigenous), and, in certain circumstances, broader societal interactions (eg regarding relevant policy positions).

Right to remedy: Right to appropriate means of redress or “effective remedy” when human rights standards are violated or infringed.

Figure 3: Our 6 human rights categories

Economic security is an important human rights category for financial services. It’s a principal reason why a person engages with financial services in the first place, typically with the expectation of securing economic advantages (including minimising economic disadvantages). Product risk could adopt a similar ‘aim’ for financial products – that they contribute towards the person prudently promoting their economic security and thus provide a yardstick against which to measure any product. This human rights category does not operate in a vacuum.

Our research also identified Privacy and Information as another important category of human rights. Our research found that privacy and information rights are often linked to economic security, in particular whether and how the features of a product (such as a CFD) or the process of obtaining a product (conflicted advice) lead to the informed consent of the customer purchasing the product. In other words, privacy and information rights have both product and conduct risk implications.

The category of Anti-discrimination has implications for product risk (the product discriminates unfairly against the person based on race, gender or disability – for instance, insurance or superannuation products penalising women on the basis of gaps in their contributions) and conduct risk (website offering the products is not able to be read by technology used by vision impaired persons; financial intermediary unfairly exploits cultural sensitivities to ‘sorry business’ to offer funeral insurance to indigenous youths).

The category of Voice and participation reflects the need for the customer’s voice to be heard at all stages in their relationship with the FSE and for their participation in all decisions that impact on their relationship with the FSE. We note here the work of the Australian Human Rights Commission on AI-informed decisions: corporations and other private sector entities should ensure people affected by these decisions (i) are made aware of the decision and how AI was used in the decision-making process; (ii) are provided with reasons or an explanation for the decision; and (iii) have an avenue to appeal to an independent external body for a review of that decision and to correct the decision if necessary.[31]

We learned of the ways financial services can impact Health and safety from several case studies presented at the Hayne Royal Commission as the customers experienced stress and anxiety from the losses they suffered in relying upon the financial advice they were given by AFS-licensed individuals and firms. It can also occur when the insurance product purchased by a retail customer does not provide the expected benefit to cover a health-related claim because the definitions of health are out of date and do not reflect current medical thinking.

A feature of financial services regulation is the use of alternatives to court-based remedies found in internal customer complaint mechanisms as well as the external AFCA mechanism. Our human rights category of Right to remedy emphasises the necessity of an effective remedy - namely, one that provides a timely and appropriate means of redress not only when human rights laws are contravened but also when human rights standards are adversely impacted. Any consideration of chapter 7 needs to keep in mind the time and cost involved for a person to obtain a remedy.

Advantages of a human rights approach to risk in financial services

A human rights approach to risk in financial services offers several advantages over an approach that focuses narrowly on features of the financial product or the process by which it is acquired.

1. It focuses on the person with the aim, at a minimum, of doing no harm while also aiming for an improvement in the person’s welfare via financial services. Arguably no amount of regulation – be it disclosure-based or DDO – can assist where there is a risk of significant harm to the person. Such products should not be offered; any conduct that would create such a negative impact must not be engaged in.

2. It provides a yardstick to assess the products being offered and the process of obtaining these products. The goal of ensuring the promotion of a person’s economic security by strictly minimising the risk of adverse financial impacts ought to be readily acceptable to the financial services sector and understood by persons engaging with the sector.

3. It places the right to an effective remedy within the regulatory regime governing the financial services sector. Thereby consideration is given not only to the type of remedy but also to the method of accessing the remedy. It allows for use of alternatives to court-based remedies. It recognises that the point of impact can arise short of a breach of the law and would encourage FSEs to adopt appropriate measures to respond to adverse impacts.

4. It can keep pace with technology and address its impact on customers by providing a person-centric approach to the law.

Conclusion

It is our suggestion therefore both that ESG ought to be a matter of significant concern for this Inquiry and that an analysis of social risk viewed through the lens of how financial services impact on human rights standards is not only necessary but feasible. We believe human rights can readily be accommodated within a guiding set of principles for chapter 7 as illustrated by our earlier comments in this submission as well as by our research for the Financial Services Human Rights Benchmark.


[1] PRI, Regulation Database.
[2] For example: “[a]s stewards of our clients’ capital, we ask businesses to demonstrate how they’re going to deliver on their responsibility to shareholders, including through sound environmental, social, and governance practices and policies”, per Larry Fink’s 2022 Letter to CEOs.
[3] There are various ways in which financial institutions use reports to illustrate their approach and record in ESG, see ANZ, Macquarie Group, NAB, or more specifically their approach to green, social and sustainability funding, see CBA, or investing see AMP Capital (to be known as Collimate Capital following its demerger from AMP).
[4] For example, KPMG’s warning that “major Australian banks must transform their organisations to meet growing stakeholders ESG expectations,” and a headline item in Ashurst’s recent ESG and Financial Regulation briefing declared that “ESG data and related expectations - an expansion of the regulatory perimeter and expectations”.
[5] See the Business and Human Rights Resource Centre’s Mandatory Due Diligence Portal.
[6] Proposal for a Corporate Sustainability Due Diligence and Amending Directive (EU) 2019/1937 (23 February 2022), at p.3.
[7] Could mandatory human rights and environmental due diligence be coming to Australia?, Corrs Chambers Westgarth (25 Feb 2022). The Directive’s reach, as noted in the Briefing, will encompass Australian businesses that “have an established direct or indirect business relationship with any of the EU entities or non-EU entities caught by the Directive’s employee and financial thresholds, and form part of that entity’s value chain, including upstream and downstream activities related to the production and provision of goods and services.”
[8] Regulation (EU) 2019/2088 (27 November 2019).
[9] Section 1013D(1)(l), Corporations Act, and accompanying ASIC, Regulatory Guide 65: Section 1013DA disclosure guidelines (November 2011).
[10] APRA finalises prudential guidance on managing the financial risks of climate change, Media Release, 26 Nov. 2021.
[11] CPG 229, at 4.
[12] For example, Lloyd Freeburn & Ian Ramsey, “An Analysis of ESG Shareholder Resolutions in Australia” [2021] UNSWLawJl 40; (2021) 44(3) UNSWLJ 1142, and Ismail Sila & Kemal Cek, “The Impact of Environmental, Social and Governance Dimensions of Corporate Social Responsibility on Economic Performance: Australian Evidence” (2017) 120 Procedia Computer Science, 797-804. Also ACSI, Shareholder Resolutions in Australia: Is there a Better Way? (2017).
[13] Environmental, Social and Governance Law in Australia 2022, an International Comparative Legal Guide published by Global Law Group.
[14] See, for example, a recent statement from Business for Social Responsibility (BSR) (which represents businesses in the civil society sphere) noting that worldwide “ESG-labelled [sic] funds and ESG assets [are] on track to exceed US$50 trillion by 2025,” which “serves as a blaring market signal to investors, companies, and regulators on the importance of managing business impacts on people and the planet.” BSR, Bridging the Human Rights Gap in ESG, 22 March 2022.
[15] Robert McCorquodale & Stuart Neely, “Directors Duties and Human Rights Impacts: A Comparative Approach”, (2022) 1 Journal of Corporate Law Studies (online publication 7 Feb. 2022).
[16] In respect of which, see the ground-breaking Casey O’Connor & Sarah Labowitz, Putting the ‘S’ in ESG: Measuring Human Rights Performance for Investors (March 2017)
[17] See Submission in response to the Interim Report, Royal Commission into Misconduct in the Banking and Financial Services Sector (26 October 2018).
[18] Refer to Appendix 1 of our Methodology Report (available to download from the FSHRB website here) for our generic lists of governance Indicators (13 indicators), policy positions (7 indicators) and due diligence (13 indicators).
[19] This approach is found in the Prudential Inquiry into the Commonwealth Bank of Australia and endorsed by APRA in its subsequent self-assessments, ASIC and APRA.
[20] Basel Committee on Banking Supervision, Principles for the Sound Management of Operational Risk, June 2011, 3.
[21] Basel Committee on Banking Supervision, Compliance and the Compliance Function in Banks, April 2005, 7.
[22] Australian Securities and Investments Commission, Market Supervision Update Issue 57 – Conduct Risk, March 2015.
[23] Financial Services Human Rights Benchmark, Year 1 Report (December 2020), 7.
[24] Australian Prudential Regulatory Authority, Prudential Practice Guide CPG 220 Risk Management, April 2018, [4].
[25] Risk governance can be defined as 'the formal structure used to support risk-based decision making and oversee risk management across the Group’s operations. This consists of Board and management committees, delegations of authority for decision making, management structures and related reporting,' per NAB 2021 Corporate Governance Statement, 18.
[26] We adopt APRA’s definition of risk culture as ‘the norms of behaviour for individuals and groups that shape the ability to identify, understand, openly discuss, escalate and act on an entity’s current and future challenges and risks. Risk culture is not separate to organisational culture but reflects the influence of organisational culture on how risks are managed.’ APRA, Transforming governance, culture, remuneration and accountability: APRA’s approach, Information Paper (2019), 8.
[27] APRA 2014, 16. We note their 2019 review of a sample of FSEs’ self-assessments found that FSEs ‘either struggled to articulate their assessment of culture or provided little evidence to support their assessment.’ APRA 2019, 10.
[28] The six norms are: obey the law; do not mislead or deceive; act fairly; provide services that are fit for purpose; deliver services with reasonable care and skill; and act in the best interests of the other when acting for another: Royal Commission Final Report, February 2019, 375.
[29] Kym Sheehan and David Kinley, ‘Community Expectations: Putting people before profit means taking human rights seriously’ The University of Sydney Law School Legal Studies Research Paper Series No. 18/73 (November 2018), 9 (Fig. A-1)
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3279869
[30] The six human rights categories used in the benchmark are, for the most part, composites of specific individual human rights found in both international human rights laws and relevant Australian laws. They have been chosen because they are the most relevant to the core business operations of financial service entities, and they have been categorised in a way that makes them intelligible to non-human rights specialists in and around the finance sector. Refer to our Methodology Report (available here) for further information on these categories.
[31] Australian Human Rights Commission, Human Rights and Technology Final Report (2021), 73.


URL: http://www.austlii.edu.au/au/journals/USydLRS/2022/1.html