More stick than carrot

What is bad conduct today becomes subject to legislation and regulation tomorrow. The belief that principles-based legislation and self-regulation provide sufficient levers to ensure good corporate culture and behaviour is giving way to a return to black letter law, more directive regulation and more powerful regulators obliged to enforce it.

There seems little doubt that the financial services Royal Commission will result in a major reset of the regulatory environment, and not only for financial institutions. The Treasury (RC Background Paper 24, July 13, 2018) has already flagged three options for corporate reform: direct regulation of corporate governance mechanisms; extending the BEAR (Banking Executive Accountability Regime), or a like regime, beyond ADIs (Authorised Deposit-taking Institutions) to a wider range of entities; and enhancing remuneration disclosure requirements. These may be the bare minimum reforms that will flow from the Royal Commission, whose interim report says: ‘The [unlawful] conduct … is inextricably connected with remuneration practices, with deficiencies in governance and risk management and with the culture of the entities concerned.’ [Vol 1, p301]

If the 1980s were the era of deregulation, we are now in an era of reregulation. Governments are stepping in with legislation not only in banking but across the board, in areas such as national security, counter-terrorism, anti-money laundering, fraud, anti-slavery, privacy and the wild west of cyber. This is a global trend.

Risks of rushing to regulate

The last major federal government review of regulation was held in 2006, by the Productivity Commission. Twelve years later, its report, Rethinking Regulation, still resonates.
Problems with the design of regulation include unclear or questionable objectives; a failure to target the regulation sufficiently; undue prescription; excessive reporting requirements; overlap, duplication or inconsistency with other regulations, within or between jurisdictions; poorly expressed and confusing use of terms, including inconsistent definitions; and unwarranted differentiation of local regulation from international standards. Problems with administration and enforcement included heavy-handedness and undue legalism; failure to use risk assessment when determining how stringently or widely to enforce a regulation; poor and ineffective communication; and a lack of certainty and guidance to business about compliance requirements.

The 2014 National Commission of Audit largely reflected these findings, also saying: ‘Poor or unpredictable regulation also adds to risk.’ [Vol 1, p16] Despite the Australian Government’s subsequent deregulation policy, including decisions taken between 2013 and 2016 that it claims will reduce the regulatory burden by a net $5.8 billion a year when implemented, few could argue that these problems have evaporated.

What it costs

The cost of regulatory compliance is notoriously difficult to calculate. Estimates vary and don’t compare apples with apples.
In a submission to the David Thodey-chaired review of the Australian Public Service in August 2018, two senior Treasury officials, David McCullough and Tom Reid, said that in 2013 the stock of Commonwealth regulation was calculated to impose aggregate compliance costs of around $65 billion a year on the Australian economy: ‘This calculation was based on estimates and survey data, and is not a true market calculation (in the sense that it includes costs of private citizens not typically included in GDP calculations) but is nevertheless a staggering number.’

They also observed that most of the attention in regulatory reform in Australia had been on managing the flow of new regulations, but very little on ensuring the quality and efficacy of the stock of existing regulations: ‘To use an old analogy, reducing the flow of pollutants coming into the lake from a tainted river without also taking action to clean the lake itself means the water stays dirty for a very long time.’ They put the absolute value of both increases and decreases in regulation over the 18 months between January 1, 2016 and June 30, 2017 at $1.1 billion.

In 2014, Deloitte Access Economics said regulation cost the Australian economy some $250 billion a year. Two thirds of that was self-imposed internal red tape, including in HR, finance, IT, executive and government compliance, legal and marketing. It would be hard to argue that the entire cost of regulation, not least the roughly $160 billion worth of business’s self-imposed red tape, was well spent given the risk outcomes we are observing. Adding in the millions of dollars now being spent on remediation programs in the wake of many corporate scandals, the costs can only be ballooning.
Unforeseen consequences

Looking to the future, McCullough and Reid said no rule-maker (including the Parliament) could predict how a set of rules would operate in all possible situations into the indefinite future: ‘Even the best designed regulations decay over time as the world changes, new business models emerge and new technologies are invented. Regulations conceived for static business models, earlier economic conditions or different societal and technological contexts, can quickly become outdated or inapplicable.’ New situations, they said, would inevitably arise that were not expected when the rules were written, and the rules may be interpreted, applied or responded to in unanticipated ways: ‘Further, as recent developments in the field of behavioural economics are showing, people are unpredictable: often responding to regulatory interventions in counter-intuitive, unexpected ways.’ [ibid]

This is a timely warning as governments across the world try to regulate the digital economy and control data risks. Examples include:

The European GDPR (General Data Protection Regulation) and the US CLOUD (Clarifying Lawful Overseas Use of Data) Act. Both will affect businesses in our own back yard.

In the quest for both transparency and the responsible use of data, the Australian Government is adopting two key recommendations from the Productivity Commission’s 2017 Data Availability and Use report: legislation to remove barriers to data sharing and integration across major public-interest data sets and to create ‘trusted user’ access; and a legislated general right for consumers to exercise joint control over the sharing and use of their data.

The Australian Prudential Regulation Authority’s draft prudential standard CPS 234 (Information Security) puts boards on notice that they are responsible for their companies maintaining information security capabilities appropriate to the threats they face.

Mandatory reporting of eligible data breaches to the Office of the Australian Information Commissioner, under the Notifiable Data Breaches scheme, has been in place since February 2018.
Meanwhile, the full risks and consequences of these and other new regulatory measures are yet to unfold.