A closer look at why compliance is only the beginning of the journey. With Liana Brover and May Lee.

At the October 2025 ASFA Legislation Discussion Group, we hosted an insightful deep dive into the Financial Accountability Regime (FAR) and the evolving landscape of risk culture in superannuation. If you’re still catching your breath after implementing your Statement of Accountabilities or wrangling senior executives to sign off on yet another list of “must-dos”, you’re not alone. But as the dust settles, it’s becoming clear that mere compliance is far from enough.

Below, we break down and expand upon the lively discussion between governance advisor Liana Brover and business psychology consultant May Lee — ably corralled by host Sarah Penn — on how the intent behind FAR runs well beyond ticking regulatory boxes, and why the “C word” (culture… and, yes, compliance) must become part of your organisation’s DNA if you’re to avoid the pitfalls seen across the financial services industry in recent years.

What’s the Big Deal With Accountability Anyway?

Let’s turn back a few pages. FAR was introduced, not simply to add another regulatory regime, but as a direct response to a history of misconduct in the Australian financial sector. It is, to put it mildly, about time. Financial services, both in Australia and oversea, had been plagued by a recurring cast of issues - boards prioritising profits over ethics, an unhealthy focus on short-term incentives, and governance frameworks that looked better in policy documents than in actual practice.

As Liana Brover reminded us, Hayne’s Royal Commission cut right to the heart of the matter. While financial penalties often rained down on the organisations, very rarely did directors or senior execs see meaningful consequences (other than perhaps moving on to another plush job or bonus package). This mismatch between individual behaviour and organisational impact led to an understandable public outcry: someone (preferably the right someone) must be held accountable.

What Hayne distilled, and what FAR seeks to target, can be boiled down to three drivers of misconduct: governance, remuneration, and culture. And sitting at the centre is Accountability, the critical lever that brings these pillars to life by driving leaders to be more diligent in how they think, decide and act, and in doing so improves the culture and the risk behaviours across the whole business

FAR: More than Just a Compliance Exercise

Having put the structures in place, it’s tempting to pat yourself on the back and move on: “Policies drafted? Tick. Accountabilities mapped? Tick. Senior management briefed? Tick.” But this approach, warns Brover, misses the point.

The real litmus test (and here’s where organisations so often stumble) is whether the design has made its way off the paper and into day-to-day behaviour.

Think ANZ. Earlier this year, ANZ faced a public reckoning when an Independent Review of its Global Markets Division revealed what many may find familiar: while frameworks and policies were well designed and documented, their effectiveness was undermined by inconsistent implementation on the ground.

Examples highlighted by Brover included: Three Lines of Defence model that was well designed but, in practice, risk ownership was unclear and inconsistently applied. Remuneration frameworks, although clearly spelt out, were not used as intended, with variable pay decisions at times driven largely by financial performance with limited consideration of non-financial risks.

While the Board was active in overseeing non-financial risk, reporting often lacked thematic insights and trend analysis, making it harder to interrogate and challenge the evolving risk profile.  And although there was “no widespread systemic misconduct,” the perception by staff was that leadership acted too slowly, and not decisively enough, on reported issues, leading to a loss of trust in leaders and loss of confidence in risk governance and people management.

The moral? In an era of FAR, having it “written down somewhere” is only half the job. If no one’s reading it, challenging it, or feels personally responsible for bringing the policy to life, then the regime’s promise of improved culture and accountability isn’t being delivered.

Risk Culture: Not Just for the Risk Team Anymore

May Lee took the mic to reinforce the central point: risk culture is a subset of organisational culture, and it cannot be isolated as “something for the risk function” to manage in splendid regulatory isolation.

In fact, Lee argued that collecting risk data is just the beginning. While there’s value in surveys and compliance audits (those surface-level numbers), qualitative insights—stories, narrative, deep dives—are what help you uncover the “why” behind the numbers. A glowing engagement score may flatter the enterprise, but if there are pockets of dysfunction, red flags, or unaddressed poor behaviour lurking beneath, you’re missing what really matters.

And therein lies the difficulty: real cultural change is not checklist-friendly. It requires multiple modes of assessment, integration of both quantitative and narrative data, and—perhaps most importantly—leadership at all levels role-modelling the right behaviours. Without the tone from the top, even the best-intentioned program descends quickly into “tick the box and move on” territory.

The Compliance Conundrum: Risk, Compliance, and Where the Two Meet

One audience member cut to the chase: isn’t the C word—compliance—key here too? In a regulatory landscape dominated by duties to members and ever-stringent standards, how do you balance the inevitable costs of uplifting compliance functions with a trustee’s fiduciary duty to spend prudently?

Brover’s take is pragmatic: while compliance is non-negotiable (and sits within the broader non-financial risk category), FAR challenges us to go further. Compliance processes alone won’t keep you out of court or the newspaper—especially if the culture they’re meant to foster never embeds across the organisation, from the boardroom to the frontline.

As recent cases have shown, organisations can have all the right policies, processes and checklists in place, yet still fall foul of the law, usually due to “people issues”—misunderstandings, poor communication, failure to be proactive on issues,  or missed red flags that not even the best-designed regime can catch if the culture isn’t right.

Meanwhile, Lee provided a practical note: a mature approach combines compliance, risk, and culture into a single, cross-functional framework. That means people and risk teams working in lockstep, breaking down silos, and ensuring that data collection (from engagement to psychosocial safety to compliance audits) feeds a holistic culture assessment.

Implementation Matters: Making FAR Stick

A recurring frustration is the “that’s not my job anymore, it’s not on my SOA” pushback. When implementation is poorly managed, FAR can actually worsen siloed thinking and lead to an accountability hot potato.

Brover suggests this points to a regime not properly internalised or understood. For FAR to be real, it can’t be limited to doing specific tasks; it must shape how leaders think, act and work together.  Accountability must be modelled by senior executives and reinforced across teams so that personal responsibility, sound judgement and open communication become the norm, not the exception. Otherwise, the whole exercise risks becoming another bureaucratic reshuffle, rather than a springboard for real, positive change.

Key Questions and Takeaways

In closing, the speakers prompted attendees (and now, you, dear reader) to reflect:

• How has FAR actually advanced accountability in your business - beyond the compliance tick-box?

• Is FAR well-understood across all levels, or is it still seen as an “add-on” for the risk and governance teams?

• How robust is your measurement of risk culture? Are you leaning too heavily on numbers and missing the narrative?

• What can you do, in your own role, to make risk culture and accountability more than just buzzwords?

Final Thoughts: Raising the Bar, Not Just the Paperwork

In the wake of FAR’s implementation, the message is clear: accountability, risk, and compliance are deeply interwoven with the very culture of superannuation organisations. If the lessons of the Royal Commission and APRA’s recent interventions teach us anything, it’s that good risk culture demands more than elegant procedures and frequently-updated policies.

The real win? Embedding culture so firmly that “doing the right thing” is instinctive, not just an exercise in passing the next audit. Consider this your invitation to look beyond FAR - and, just maybe, to set a new benchmark for how accountability and culture are lived every day in super.

— Any comments in this article are our own and do not constitute legal or compliance advice. For copies of the slides or further discussion, feel free to reach out to the speakers.