Financial Accountability Regime (FAR) Guide 2025-2026: Accountable Persons, Obligations & Penalties

Updated March 2026 | 12 min read | By GoComply

The Financial Accountability Regime (FAR) is one of the most consequential regulatory reforms in Australian financial services in the past decade. Enacted through the Financial Accountability Regime Act 2023, FAR establishes a strengthened framework for individual and entity-level accountability across the banking, insurance, and superannuation sectors. It replaces and significantly expands the Banking Executive Accountability Regime (BEAR), which applied only to ADIs since 2018.

For compliance teams, FAR means a fundamental shift in how senior executive responsibilities are documented, monitored, and enforced. The regime is jointly administered by APRA and ASIC, with real penalties for both entities and individuals who fail to meet their obligations.

Need a quick answer about FAR obligations? Ask our AI compliance chatbot - it covers key FAR provisions, accountable person requirements, and cross-references to related prudential standards.

What FAR Replaced: The Evolution from BEAR

The Banking Executive Accountability Regime (BEAR) was introduced in 2018 following the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry. BEAR applied exclusively to authorised deposit-taking institutions (ADIs) and imposed accountability obligations on their senior executives and directors.

While BEAR was a significant first step, it had several limitations that FAR was designed to address:

Limited scope - BEAR only applied to ADIs, leaving insurers and superannuation trustees without equivalent accountability requirements
Single regulator - BEAR was administered solely by APRA, meaning ASIC had no direct enforcement role under the regime
Narrow obligations - BEAR's accountability obligations were less prescriptive about documentation requirements such as accountability maps and statements
Limited penalty framework - BEAR penalties were capped and did not extend to the full range of enforcement tools available under FAR

FAR addresses all of these gaps by expanding coverage to three sectors, introducing joint APRA-ASIC administration, mandating detailed accountability documentation, and establishing a significantly more robust penalty regime. The policy intent is clear: every regulated financial institution in Australia must be able to demonstrate, at any point in time, exactly who is responsible for what.

Who Is Covered: Phased Implementation

FAR applies to three categories of APRA-regulated entities, with a phased implementation schedule to give smaller and less complex entities additional preparation time:

Phase 1: ADIs (Effective 15 March 2024)

All authorised deposit-taking institutions transitioned from BEAR to FAR on 15 March 2024. This includes the four major banks, regional banks, credit unions, building societies, and foreign ADIs operating in Australia. For most ADIs, the transition involved extending existing BEAR frameworks rather than building from scratch, but the expanded documentation and obligation requirements still required significant work.

Phase 2: Insurers and Superannuation Trustees (Effective 15 March 2025)

General insurers, life insurers, private health insurers, and registrable superannuation entity (RSE) licensees came under FAR on 15 March 2025. This was the more significant expansion, as these entities had no prior equivalent to BEAR and needed to build accountability frameworks from the ground up.

For insurers and super trustees that came under FAR in March 2025, the first full compliance cycle is now well underway. GoComply can scan your accountability documents to identify gaps before your next APRA engagement.

Key Entity Obligations

Accountable entities under FAR must comply with six core entity-level obligations:

Act with honesty and integrity, and with due skill, care, and diligence
Deal with APRA and ASIC in an open, constructive, and cooperative way
Take reasonable steps to prevent matters from arising that would adversely affect the entity's prudential standing or reputation
Take reasonable steps to ensure accountability obligations are complied with by the entity's accountable persons
Comply with notification requirements for accountable persons (within 14 days of changes)
Maintain and provide accountability statements and accountability maps as required

Accountable Persons: Who Qualifies and What They Must Do

The accountable persons regime is the heart of FAR. An accountable person is any individual who holds a senior executive position or has actual or effective responsibility for the management or control of a significant or substantial part of the entity's operations.

Who Is an Accountable Person?

FAR defines accountable persons through two mechanisms:

Prescribed responsibilities - specific roles that are automatically accountable person positions under the regulations (e.g., CEO, CFO, CRO, head of internal audit, responsible persons for AML/CTF compliance)
Functional test - any senior executive with actual or effective responsibility for a significant or substantial part of the entity's operations, even if their title doesn't match a prescribed role

This functional test is deliberately broad. APRA has made clear that entities cannot avoid FAR obligations by restructuring titles or reporting lines. If someone is doing the work of a senior executive, they are an accountable person regardless of what their business card says.

Accountable Person Obligations

Each accountable person must comply with four individual-level obligations:

Act with honesty and integrity, and with due skill, care, and diligence
Deal with APRA and ASIC in an open, constructive, and cooperative way
Take reasonable steps in conducting their responsibilities to prevent matters from arising that would adversely affect the entity's prudential standing or reputation
Take reasonable steps to ensure things for which they are responsible comply with relevant regulatory requirements

The "reasonable steps" standard is important. It is not strict liability - accountable persons are not automatically liable for every breach that occurs in their area. However, they must demonstrate that they took active, documented steps to prevent and detect compliance failures. Passive oversight is not sufficient.

Accountability Statements and Accountability Maps

FAR introduces two key documentation requirements that go well beyond what BEAR required. These documents must be kept current at all times and provided to APRA and ASIC on request.

Accountability Statements

Each accountable person must have a written accountability statement that clearly sets out:

The accountable person's responsibilities - what they are accountable for
The prescribed responsibilities allocated to them (if any)
Reporting lines - who they report to and who reports to them
How their responsibilities interact with other accountable persons

Accountability statements must be specific enough that any regulator reading them can immediately understand the boundaries of each person's responsibilities. Vague or overlapping statements are a red flag for both APRA and ASIC.

Accountability Maps

The entity must maintain an accountability map that provides a consolidated view of how accountability is allocated across the entire organisation. The map must include:

The reporting structure and governance framework of the entity
How responsibilities are divided among accountable persons
Identification of all accountable persons and their key responsibilities
How responsibilities relate to each other, showing there are no gaps or unallocated areas

The accountability map must demonstrate complete coverage - every material aspect of the entity's operations must be allocated to at least one accountable person. Gaps in the map are treated as gaps in accountability, and APRA will expect remediation.

Deferred Remuneration Requirements

FAR mandates that a meaningful portion of accountable persons' variable remuneration be deferred for a minimum period, creating a direct financial incentive for long-term sound management rather than short-term risk-taking.

Minimum Deferral Requirements

Variable remuneration deferral: A minimum of 40% of an accountable person's variable remuneration must be deferred for at least 4 years (6 years for certain large ADI roles)
Reduction and clawback: Deferred remuneration can be reduced or clawed back if the accountable person fails to comply with their accountability obligations, or if the entity suffers a significant loss attributable to the person's area of responsibility
Board discretion: The entity's board must have policies and processes to determine when deferred remuneration should be reduced, and must exercise genuine discretion rather than applying a formulaic approach

The deferred remuneration requirements are designed to ensure that senior executives have genuine "skin in the game" over the medium term. APRA has signalled that it will scrutinise whether entities are applying these requirements substantively or merely structuring around them.

Deferred remuneration policies are one of the most commonly flagged areas in FAR compliance reviews. Ask GoComply's chatbot about specific deferral requirements for your entity type.

APRA and ASIC Joint Administration

One of the most significant structural changes from BEAR to FAR is the introduction of joint administration by APRA and ASIC. Under BEAR, APRA was the sole administrator. Under FAR, both regulators share responsibility, with a deliberate division of focus:

APRA's Focus

Prudential soundness and financial stability
Risk management and governance obligations
Deferred remuneration compliance
Accountability mapping and structural requirements
Entity-level obligations related to prudential standing

ASIC's Focus

Consumer protection and conduct obligations
Market integrity and disclosure obligations
Individual accountability for conduct-related failures
Obligations related to dealing with regulators openly and cooperatively

In practice, this means that a single compliance failure could result in enforcement action from both regulators simultaneously. For example, a customer data breach might trigger APRA action for prudential risk management failures and ASIC action for consumer protection failures - and the relevant accountable person could face separate proceedings from each regulator.

APRA and ASIC have published a joint administration information package and have committed to coordinating their supervisory activities to minimise regulatory burden on entities. However, entities should assume that both regulators will independently assess compliance.

Penalties and Enforcement Powers

FAR significantly strengthens the penalty regime compared to BEAR, giving both APRA and ASIC a wider range of enforcement tools:

Civil Penalties

Entities: Up to 50,000 penalty units (currently $15.65 million) for breaches of entity-level obligations
Individuals: Up to 5,000 penalty units (currently $1.565 million) for breaches of accountable person obligations
Aggravated penalties: Courts can impose higher penalties where breaches are systematic, involve dishonesty, or cause significant consumer harm

Disqualification

APRA and ASIC can apply to the Federal Court to disqualify an individual from being an accountable person. This effectively ends a senior executive's career in regulated financial services and is expected to be the most powerful deterrent in the regime.

Directions Powers

APRA retains its existing directions powers under the Banking Act, Insurance Act, and SIS Act, and can issue directions specifically related to FAR obligations. This includes directing an entity to remove an accountable person or to restructure its accountability framework.

Capital Add-ons

While not a FAR-specific power, APRA can impose capital add-ons for governance and accountability failures, as it has done under CPS 234 (the Medibank $250M capital charge) and CPS 220 (Bendigo Bank $50M charge). FAR compliance failures could similarly attract capital penalties.

Common Gaps GoComply Detects in FAR Compliance

GoComply's compliance scanner analyses governance documents, board papers, accountability statements, and policy frameworks against FAR requirements. Based on scans across multiple regulated entities, these are the most commonly identified gaps:

1. Incomplete Accountability Maps

The most frequent finding is accountability maps that contain coverage gaps - material business functions or risk areas not allocated to any accountable person. Common blind spots include IT security (often assumed to sit with the CRO but not formally allocated), complaints handling, and third-party risk management.

2. Vague Accountability Statements

Statements that use generic language like "responsible for overseeing risk" without specifying which risks, which business areas, and how that responsibility is bounded. APRA expects statements to be granular enough that two accountable persons could not reasonably claim the same responsibility - or, worse, that neither claims it.

3. Missing Deferred Remuneration Policies

Entities that have not updated their remuneration frameworks to include FAR-specific deferral requirements, clawback triggers, and board discretion processes. This is particularly common among insurers and super trustees that were not previously subject to BEAR.

4. No Notification Procedures

FAR requires entities to notify APRA and ASIC within 14 days when an accountable person is appointed, changes role, or ceases to be an accountable person. Many entities lack formal procedures for triggering these notifications, relying instead on ad hoc processes that create compliance risk.

5. Accountability Obligations Not Embedded in Role Descriptions

FAR obligations should flow through into employment contracts, position descriptions, and performance frameworks for accountable persons. GoComply frequently identifies entities where FAR obligations exist in policy documents but are not reflected in the HR and governance documents that accountable persons actually interact with.

6. Inadequate Cross-Referencing with Related Standards

FAR does not exist in isolation. Accountable persons with responsibility for operational risk should have their accountability statements reference CPS 230 obligations. Those responsible for information security should reference CPS 234. Those responsible for risk management should reference CPS 220. Missing cross-references suggest a siloed approach to compliance that regulators will question.

Scan your FAR compliance documents

Upload your accountability statements, maps, and governance documents. GoComply checks against FAR requirements and flags gaps with specific regulatory references.

Start scanning free

Practical Steps for FAR Compliance

Identify all accountable persons - apply both the prescribed responsibilities list and the functional test to ensure nobody is missed
Draft accountability statements - for each accountable person, create specific statements with clear boundaries, reporting lines, and prescribed responsibility allocations
Build the accountability map - consolidate all statements into a single map and test for coverage gaps across every material business function
Update remuneration frameworks - ensure deferred remuneration policies comply with FAR minimums and include genuine board discretion for reduction and clawback
Establish notification procedures - create formal processes for notifying APRA and ASIC of accountable person changes within 14 days
Embed in HR processes - update employment contracts, position descriptions, and performance frameworks for all accountable persons
Cross-reference related standards - ensure accountability statements reference relevant prudential standards (CPS 230, CPS 234, CPS 220, CPS 510)
Regular review cycle - establish at least annual reviews of accountability statements and maps, with ad hoc updates triggered by organisational changes

Related Regulations

FAR intersects with several other standards and obligations your compliance team needs to consider holistically:

CPS 230 (Operational Risk Management) - accountable persons must be allocated responsibility for operational resilience, business continuity, and service provider management
CPS 234 (Information Security) - the accountable person for information security must be clearly identified in both the accountability map and CPS 234 compliance documentation
CPS 510 (Governance) - board composition and director responsibilities must align with FAR accountability allocations
CPS 220 (Risk Management) - the risk management framework must integrate FAR accountability structures
AML/CTF Act 2006 - FAR prescribes an accountable person responsible for AML/CTF compliance, creating a direct link to AUSTRAC obligations
Corporations Act 2001 - director duties under s180-184 operate alongside (not instead of) FAR obligations

Get instant FAR compliance answers

Ask any question about the Financial Accountability Regime and get structured answers with regulatory references in seconds.

Try the AI chatbot free

This guide is for informational purposes and does not constitute legal advice. Consult qualified compliance professionals for specific obligations. GoComply covers 37 Australian financial regulations - try the chatbot for instant clause-level answers.