
Australia

Author(s):
International Monetary Fund. Monetary and Capital Markets Department
Published Date:
February 2019

Summary1

1. Since the last Financial Stability Assessment Program (FSAP), the Australian Prudential Regulation Authority (APRA) has kept an active pace in implementing reforms to enhance the resilience of the Australian financial system. APRA has implemented key elements of the international regulatory reform agenda, at times going beyond the agreed minimum standards to provide additional resilience. APRA has focused on strengthening the capital framework, implementing Basel III liquidity standards, reinforcing sound mortgage lending standards, improving governance and accountability, and strengthening crisis management and preparedness. Since some of these reforms have not been fully completed, they remain on APRA’s priority agenda. Other broad policy reforms have also been enacted, including a cross-industry risk management standard, a governance and risk management framework for conglomerates, and a phased approach to licensing. In addition to these policy developments, APRA has also taken steps to align its resources to evolving market needs. It has restructured its specialist risk and supervision teams to develop a new risk and data analytics function, bringing together specialists in statistics, industry analysis, and risk, to best harness this collective expertise. In accordance with its risk-based approach, APRA has also focused its supervisory activities more on reviewing banks’ practices and underwriting standards in the area of residential mortgages and commercial real estate lending, in addition to other risk areas.

2. APRA has achieved a high degree of compliance with the Basel Core Principles for Effective Supervision (BCPs). Notwithstanding the revision to the BCP methodology, which raised the standards for achieving supervisory objectives, APRA has demonstrated clear progress in strengthening the effectiveness of supervision. This is most evident in the work of APRA on supervision of liquidity and credit risk, as well as the enhancement of banks’ capital adequacy requirements, including the planned implementation of an “unquestionably strong” capital framework in line with the recommendations of the 2014 Financial System Inquiry (FSI).

3. A periodic more comprehensive assessment of banks’ risk management and governance frameworks will further enhance APRA’s supervisory approach. Such an assessment would ensure that APRA’s risk-based supervisory processes remain focused on the key gaps in banks’ management and risk culture. These processes will be strengthened even further if APRA’s supervisory assessment incorporates banks’ management of nonfinancial risks, based on a closer engagement with the relevant domestic agencies, mainly the Australian Securities and Investments Commission (ASIC) and the Australian Transaction Reports and Analysis Centre (AUSTRAC).

4. One of the challenges that APRA faces, and which is a global challenge for regulators, is to continuously develop its resources and skillset to match the evolution in banking services and risks. This will be even more important as new players, with digitally-focused business models, enter the market under the new phased licensing regime, and as incumbent firms continue to advance the digitization of their business. APRA will need to develop its resources and skills, particularly in specialized areas such as IT, cyber risk and fintech. APRA will need to ensure that its resources remain adequate to discharge its increasing responsibilities, particularly the implementation of the new Banking Executive Accountability Regime (BEAR) and the work planned to introduce and implement a recovery and resolution planning framework. To successfully meet all these challenges and responsibilities, it is essential that APRA is granted sufficient autonomy and flexibility in its budgeting process and staffing conditions to enable it to attract and retain the skills needed for its evolving responsibilities.

Methodology

5. This assessment of the implementation of the BCP by APRA is part of the FSAP undertaken by the International Monetary Fund (IMF) in 2018. It reflects the regulatory and supervisory framework in place as of the date of the completion of the assessment. It is not intended to represent an analysis of the state of the banking sector or crisis management framework, which are addressed in the broader FSAP exercise.

6. An assessment of the effectiveness of banking supervision requires a review of the legal framework, and a detailed examination of the policies and practices of the institution(s) responsible for banking regulation and supervision. In line with the BCP methodology, the assessment focused on banking supervision and regulation in Australia and did not cover the specificities of regulation and supervision of other financial institutions. The assessors reviewed the framework of laws, regulations, manuals and other materials mainly provided by APRA and held extensive meetings with APRA officials. The assessors also held additional meetings with the Australian Treasury, the Reserve Bank of Australia (RBA), AUSTRAC, ASIC, banks, external audit firms, and the Australian Banking Association. The authorities provided a BCP self-assessment, responses to additional questionnaires, and access to supervisory documents and files, staff, and systems. In this respect, the assessors appreciate the excellent cooperation received from the authorities and extend their thanks to their staff who participated and facilitated this exercise.

7. The standards were evaluated in the context of the Australian banking system’s structure and complexity. The BCP must be capable of application to a wide range of jurisdictions whose banking sectors will inevitably include a broad spectrum of banks. To accommodate this breadth of application, according to the methodology, a proportionate approach is adopted, both in terms of the expectations on supervisors for the discharge of their own functions and in terms of the standards that supervisors impose on banks. An assessment of a country against the BCP must, therefore, recognize that its supervisory practices should be commensurate with the complexity, interconnectedness, size, risk profile, and cross-border operations of the banks being supervised. The assessment considers the context in which the supervisory practices are applied. The concept of proportionality underpins all assessment criteria. For these reasons, an assessment of one jurisdiction will not be directly comparable to that of another.

8. The current assessment is based on the 2012 version of BCPs issued by the Basel Committee on Banking Supervision (BCBS).2 Since the past assessment conducted in 2012, the BCP standard was revised and reflects the international consensus for minimum standards based on global experience. It is, therefore, important to note that this assessment cannot and should not be compared to the previous exercise, as the revised BCPs have a heightened focus on corporate governance and risk management, their practical application by the supervised institutions, and the assessment performed by the supervisory authority. The revised BCPs stress the effectiveness of a supervisory framework not only through providing supervisors with the necessary powers to address safety and soundness concerns but also by heightening the focus on the actual use of those powers, in a forward-looking approach, and on the need for supervisors to ensure compliance with regulatory requirements and to thoroughly understand the risk profile of banks and the banking system.

9. Australia has opted to be assessed and graded against both the essential and additional criteria, the highest standards of supervision and regulation. To assess compliance, the BCP Methodology uses a set of essential and additional assessment criteria for each principle. The essential criteria (EC) were usually the only elements on which to gauge full compliance with a Core Principle (CP). The additional criteria (AC) are recommended best practices against which the authorities of some more complex financial systems may agree to be assessed and rated. The assessment of compliance with each principle is made on a qualitative basis, using a five-part rating system explained below. The assessment of compliance with each CP requires a judgment on whether the criteria are fulfilled in practice. Evidence of effective application of relevant laws and regulations is essential to confirm that the criteria are met.

10. The assessment has made use of five categories to determine compliance: compliant, largely compliant, materially noncompliant, noncompliant, and non-applicable. An assessment of “compliant” is given when all the essential and additional criteria are met without any significant deficiencies, including instances where the principle has been achieved by other means. A “largely compliant” assessment is given when only minor shortcomings are observed that do not raise any concerns about the authority’s ability and clear intent to achieve full compliance with the principle within a prescribed period of time. The assessment “largely compliant” can be used when the system does not meet all essential and additional criteria, but the overall effectiveness is sufficiently good, and no material risks are left unaddressed. A principle is considered to be “materially noncompliant” in case of severe shortcomings, despite the existence of formal rules and procedures, and where there is evidence that supervision has clearly been ineffective or that the shortcomings are sufficient to raise doubts about the authority’s ability to achieve compliance. A principle is assessed “noncompliant” if it is not substantially implemented, several essential criteria are not complied with, or supervision is manifestly ineffective. Finally, a category of “non-applicable” is reserved for those cases where the criteria do not relate to the country’s circumstances.

11. An assessment of compliance with the BCP is not, and is not intended to be, an exact science. The assessment criteria should not be seen as a checklist approach to compliance but as a qualitative exercise involving judgement by the assessment team. While compliance with the BCP can be met in different ways, compliance with some criteria may be more critical for the effectiveness of supervision, depending on the situation and circumstances in a given jurisdiction. Hence, the number of criteria complied with is not always an indication of the overall compliance grade for any given principle. Nevertheless, by adhering to a common, agreed methodology, the assessment should provide the Australian authorities with an internationally consistent measure of the quality of their banking supervision framework in relation to the BCP, which are internationally acknowledged as minimum standards. Emphasis should be placed on the commentary that should accompany each principle grade, rather than on the grade itself.

Box 1. The 2012 Revised Core Principles

The revised BCPs reflect market and regulatory developments since the last revision, taking account of the lessons learned from the financial crisis in 2008/2009. These have also been informed by the experiences gained from FSAP assessments as well as recommendations issued by the G-20 and FSB, and take into account the importance now attached to: (i) greater supervisory intensity and allocation of adequate resources to deal effectively with systemically important banks; (ii) application of a system-wide, macro perspective to the microprudential supervision of banks to assist in identifying, analyzing, and taking pre-emptive action to address systemic risk; (iii) the increasing focus on effective crisis preparation and management, recovery and resolution measures for reducing both the probability and impact of a bank failure; and (iv) fostering robust market discipline through sound supervisory practices in the areas of corporate governance, disclosure, and transparency.

The revised BCPs strengthen the requirements for supervisors, the approaches to supervision and supervisors’ expectations of banks. The supervisors are now required to assess the risk profile of the banks not only in terms of the risks they run and the efficacy of their risk management, but also the risks they pose to the banking and the financial systems. In addition, supervisors need to consider how the macroeconomic environment, business trends, and the build-up and concentration of risk inside and outside the banking sector may affect the risk to which individual banks are exposed. While the BCP set out the powers that supervisors should have to address safety and soundness concerns, there is a heightened focus on the actual use of the powers, in a forward-looking approach through early intervention.

The number of principles has increased from 25 to 29. The number of essential criteria has expanded from 196 to 231. This includes the amalgamation of previous criteria (which means the contents are the same), and the introduction of 35 new essential criteria. In addition, for countries that may choose to be assessed against the additional criteria, there are 16 additional criteria.

While raising the bar for banking supervision, the Core Principles must be capable of application to a wide range of jurisdictions. The new methodology reinforces the concept of proportionality, both in terms of the expectations on supervisors and in terms of the standards that supervisors impose on banks. The proportionate approach allows assessments of banking supervision that are commensurate with the risk profile and systemic importance of a wide range of banks and banking systems.

Institutional and Market Structure

A. Institutional Framework for Regulation and Supervision

12. APRA is responsible for the prudential regulation and supervision of Authorized Deposit-taking Institutions (ADIs) in Australia. In addition to ADIs, APRA is responsible for the prudential oversight of general, life, and private health insurance companies, and most of the superannuation industry. In performing and exercising its functions and powers, APRA is to balance the objectives of financial safety and efficiency, competition, contestability, and competitive neutrality and, in balancing these objectives, is to promote financial stability in Australia.

13. Australia’s financial regulatory framework includes three other financial sector authorities responsible for financial regulation. These are as follows:

  • The Treasury has responsibility for advising the Government on financial stability issues and on the legislative and regulatory framework underpinning financial system infrastructure.

  • The RBA is Australia’s central bank responsible for monetary policy as well as the safety and efficiency of the payments system and for overall financial stability.

  • ASIC is responsible for the registration and supervision of corporations and, in the financial sector, for licensing of financial service providers, credit providers and market conduct.

14. In addition, the Council of Financial Regulators (CFR) is the primary coordinating body for Australia’s main financial sector agencies. It comprises the RBA (Chair), APRA, ASIC, and the Treasury. The CFR ensures a structured, multilateral coordination process across the relevant agencies. However, each member is fully responsible for discharging its own responsibilities within its statutory mandate. The CFR’s objectives are to promote stability of the Australian financial system and contribute to the efficiency and effectiveness of regulation.

15. AUSTRAC administers Australia’s anti-money laundering and counter-terrorism financing laws. It is Australia’s Financial Intelligence Unit to fight serious and organized crime and terrorism financing. It is also Australia’s regulator for anti-money laundering and countering the financing of terrorism (AML/CFT), overseeing the compliance of more than 14,000 Australian businesses ranging from major banks and casinos to single-operator businesses.

16. The FSI was established in late-2013 to assess how Australia’s financial system could most effectively help the economy be productive, grow, and meet the financial needs of Australians. The Inquiry (chaired by David Murray) highlighted that the financial system needed to satisfy three principles: to efficiently allocate resources and risks; to be stable and reliable; and to be fair and accessible. The Inquiry’s key recommendations were that Australia should: continue to align its prudential framework with internationally agreed standards; maintain efforts to encourage competition; focus on fostering innovation; and move beyond relying on disclosure to regulate fair outcomes for consumers interacting with the financial system. The FSI re-affirmed that the Australian financial system’s twin peaks architecture, with independent regulators responsible for each of consumer outcomes and prudential regulation, remained appropriate. It recommended further steps to ensure Australia’s banking sector is stable and resilient in times of future financial stress, such as the establishment of an ‘unquestionably strong’ capital framework, with a baseline target in the top quartile of internationally active banks.

B. Overview of the Banking Sector

17. Banks and other ADIs are the most significant component of the system. They currently represent nearly 67.6 percent of all APRA-regulated financial system assets, equal to around 2.3 times the level of nominal GDP. Banks account for 98.8 percent of ADI assets in March 2018. The general insurance, life insurance, and superannuation industries together account for around 32.4 percent of total APRA-regulated financial assets.

18. Australia’s four major domestic banks dominate the ADI sector, accounting for 76.4 percent of total ADI assets in March 2018. Each of the major banks has consolidated group assets that rank them among the top 50 banks worldwide, but their businesses are not global and generally focus on the domestic and New Zealand markets. The rest of the ADI sector comprises 4 mid-sized banks and a few other small Australian-owned banks (9.8 percent of total ADI assets), and 51 foreign-owned banks, 44 branches, and 7 subsidiaries (12.6 percent of total ADI assets). Building societies and credit unions account for the remaining 1.2 percent of total ADI assets in Australia with their share gradually declining over the last few decades.

19. Profitability of the Australian banking system remains strong. The banking sector reported aggregated after-tax profits of A$36.4 billion in the year ended March 2018, up 9.3 percent from the previous year. The return on equity was 12.3 percent compared to 11.7 percent for all ADIs. The return on assets reached 0.8 percent compared to 0.7 percent during the previous year. The ratio of nonperforming loans (NPLs) to gross loans and advances is also at near record lows, at just under 0.4 percent, and has been at around this level since 2015.

20. Banks carry high exposure to domestic real estate and to wholesale funding markets. Residential mortgages account for over half of banks’ loans portfolio, and about a quarter of these are interest-only mortgages. Many Australian financial institutions were downgraded by credit rating agencies in 2017, largely due to concerns about their exposure to high household debt. Banks’ dependence on wholesale funding has come down in recent years but still remains high at about one-third of total liabilities, of which nearly two-thirds is from international sources, representing a diverse range of countries. Australian-owned banks have reduced their international lending exposures since 2015, except for lending to New Zealand entities, mostly via Australian banks’ subsidiaries, which has increased faster than the banks’ total assets.

21. Australia’s banking system is well-capitalized. Australian ADIs have been increasing regulatory capital since 2012 in response to the implementation of Basel III, APRA’s raising of residential mortgage risk weights applied by banks using internal models to an average of at least 25 percent, and in preparation of APRA’s ‘unquestionably strong’ capital requirements. The banks have strengthened their capital positions through equity raisings, dividend reinvestment plans and retained earnings. As of March 2018, the aggregate Tier 1 capital ratio for locally-incorporated banks was 12.6 percent of risk-weighted assets, up from 10.5 percent in March 2013. The total capital ratio was 14.8 percent.

Preconditions for Effective Banking Supervision

A. Sound and Sustainable Macroeconomic Policies

22. The Australian economy is experiencing relatively benign macroeconomic conditions with growth trending upwards while inflation remains low. Australia has delivered 26 years of uninterrupted growth, supported in part by strong exports to a dynamic Asian region. While Australia has historically benefited from vast natural resources and a strong mining industry, the modest impact of the large commodity shock between mid-2014 and 2016 reflects the increasing diversification of the economy, prompt monetary policy easing, and the benefits of a floating exchange rate, flexible labor markets, relatively high population growth, and strong institutions. Nevertheless, as in many other advanced economies since the Global Financial Crisis, the adjustment to the demand shocks has been protracted, with persistent economic slack, and average growth has been lower. Nominal and real wage growth have declined, both reflecting and contributing to inflation being below the RBA’s target range of 2 to 3 percent since 2014.

23. A housing boom has supported the economy but has led to housing market imbalances and higher household debt. House prices in the major eastern capital cities of Melbourne and Sydney have risen sharply over the past few years, driven by demand fundamentals, including lower interest rates, high population growth, and foreign investor interest, and amplified by legacy supply constraints. Household debt ratios have risen significantly since the previous FSAP and are high by international comparison.

B. Framework for Financial Stability Policy Formulation

24. Both the RBA and APRA have mandates to promote financial system stability. In promoting financial system stability, APRA is required to balance the objectives of financial safety and efficiency, competition, contestability, and competitive neutrality. ASIC and the Treasury also have roles in promoting financial stability, both independently and through their involvement in the CFR.

25. CFR is the coordinating body of the main financial sector agencies involved in promoting financial stability. The CFR’s objectives are specified in its Charter and require it to promote the stability of the Australian financial system and to contribute to the efficiency and effectiveness of financial regulation. The CFR, chaired by the RBA, typically meets four times a year, where financial and regulatory developments are discussed, including those with a bearing on financial stability. The CFR will also meet out of session if necessary. Minutes of meetings are not published. However, the RBA reports on the CFR’s activities and issues it has discussed in its half-yearly Financial Stability Review. The CFR regularly forms working groups with agreed terms of reference to undertake more detailed policy development.

26. The CFR is not a statutory body and hence, does not have a legal personality, nor does it have powers separate from its member agencies. Its members share information and views on developments in the financial system, discuss regulatory reforms and other issues related to areas where responsibilities overlap, and coordinate responses to potential threats to financial system stability. These arrangements are underpinned by a Memorandum of Understanding (MoU), which reflects the CFR agencies’ strong commitment to exchange information openly and coordinate responses to potential threats to the stability of Australia’s financial system. The 2014 FSI examined the operation of the CFR (as part of considering Australia’s financial stability institutional arrangements) to consider alternative institutional approaches but did not see a strong case for change in this area.

C. A Well-developed Public Infrastructure

Judiciary System

27. There is a strict separation between the Judiciary on the one hand, and the Parliament and Executive on the other. Only a court can exercise the judicial power of the Commonwealth to decide whether a person has contravened a law of the Australian Parliament. In exercising this power, the Australian courts uphold the principle of judicial independence which ensures judges are free from legislative and executive interference in performing their judicial functions. Publicly available reports by different third parties (such as the World Economic Forum, World Bank, and Bertelsmann Stiftung) support the independence of the Australian judicial system.

28. Disputes in Australia can be settled through the judicial system. Chapter III of the Constitution vests the judicial power of the Commonwealth of Australia in the High Court of Australia, other federal courts created by the Commonwealth Parliament, and other courts invested with federal jurisdiction. Currently there are three other federal courts, namely, the Federal Court of Australia, the Family Court of Australia, and the Federal Circuit Court of Australia. The High Court decides disputes about the meaning of the Constitution and is also the final court of appeal.

A System of Business Laws and Standards

29. Australia’s legal system provides a secure framework for the operation of contracts between parties and offers a transparent and fair mechanism for resolving disputes about contracts. Australian contract law provides rules relating to the creation, performance, and termination of rights, duties, and liabilities that are voluntarily assumed by contracting parties. The law does not lay down a comprehensive set of rights, duties, and liabilities, but rather sets out parameters within which the parties’ agreement must fall for it to be enforceable.

30. Australia has a number of options available for resolving disputes without going to a court or tribunal. These include mediation, conciliation, conferencing, neutral evaluation, and arbitration. There is generally no requirement to undertake alternative dispute resolution before seeking to resolve a dispute through the courts. However, some courts (including the Federal Court) have the power to require parties to a dispute to participate in alternative dispute resolution. In Australia, it is generally a license condition that financial firms providing financial products or services to retail clients (including consumer credit and superannuation) must have internal and external dispute resolution mechanisms available. Recent reforms establish a new single external dispute resolution mechanism (EDR) scheme for consumer and small business complaints: the Australian Financial Complaints Authority (AFCA) which replaces the two ASIC approved EDR schemes and the statutory Superannuation Complaints Tribunal. Commencing on November 1, 2018, AFCA will be free of charge for consumers to access and able to deal with a broad range of complaints (including complaints from small businesses and primary producers) about banking, credit, loans, general insurance, life insurance, financial advice, investments, stock broking, managed funds, and superannuation.

31. Property rights in Australia enjoy strong protection under the law and through oversight of the courts. The law governing property in Australia recognizes two categories of property: real property (broadly, land and land-related property) and personal property (all other forms of property). Australian courts have given a broad interpretation to the concept of property and have been vigilant in protecting property rights. Well entrenched remedies are available to redress interference with property rights.

32. The Corporations Act sets down Australia’s corporate insolvency law. Australia’s insolvency law primarily aims to provide efficient procedures for winding up companies, realizing company assets in an orderly fashion, and equitably distributing the proceeds of company assets among the company’s creditors (including employees) and shareholders. Under Australian law, an insolvent company can enter into external administration or its assets can be subject to receivership. External administration includes liquidation, voluntary administration and deeds of company arrangement.

33. The starting point for regulating financial services and products in Australia is the requirement for entities to hold a license or authorization prior to providing a financial service or product. These licenses and authorizations include: Australian financial services (AFS) license—issued by ASIC and which is required to carry on a financial services business in Australia (unless exempt); Credit license—issued by ASIC and required to engage in consumer credit activities (unless exempt); and Authorization to carry out banking or insurance business and license to be a trustee of a registrable superannuation entity (RSE)—issued by APRA and required to operate in a prudentially regulated industry.

Accounting Principles and Auditing Standards

34. Australian accounting and auditing standards are aligned to international standards. Australia adopted Australian equivalents to International Financial Reporting Standards (A-IFRS) for reporting periods beginning on or after January 1, 2005. Accounting standards in Australia are made by the Australian Accounting Standards Board (AASB). The AASB is involved in the IFRS standard-setting process and reviews the IFRS text to ensure they are appropriate for Australia’s legal, economic, and institutional environment. Australian auditing standards are made by the Auditing and Assurance Standards Board (AUASB) and are based on the International Standards on Auditing. The AUASB reviews the international standards to ensure they fit with Australia’s regulatory environment before issuing them in Australia. The Financial Reporting Council, which is the body responsible for overseeing the effectiveness of the financial reporting framework in Australia, provides oversight of AASB and AUASB activities.

35. The Corporations Act contains comprehensive requirements for the independence of auditors. These include: a general requirement for auditor independence; restrictions on auditors’ employment and the financial relationships that can exist between auditors and their clients; a two-year ‘cooling-off’ period before an audit firm partner can become an officer of a client of the audit firm; a requirement for lead and review auditors of listed companies to rotate after five years; and extensive disclosure requirements for listed companies in relation to non-audit services provided by their auditors. ASIC’s role in surveillance and enforcement of the audit process and financial reporting requirements has recently been significantly enhanced. Auditors and audit firms must be registered with ASIC before they can conduct an audit for Corporations Act purposes. ASIC registration depends on the auditor having the necessary qualifications, satisfying the auditing competency standard, and being capable of performing their duties. ASIC is also responsible for auditor oversight. It has instituted an ongoing audit inspection program to ensure audit firms are complying with their auditor independence and audit quality obligations.

36. Reforms related to Comprehensive Credit Reporting (CCR) are currently being undertaken by the Government. While there are no public credit registries in operation in Australia, there are a number of providers of negative credit reporting. The CCR reforms will involve relevant amendments to the National Consumer Protection Act and the Privacy Act. Those reforms will require large Australian banks to provide comprehensive credit information (including positive credit information) to Australia’s major private credit bureaus. The four major banks are being mandated to provide CCR information on 50 percent of their active accounts to Australia’s three largest credit bureaus by end-September 2018. CCR data on the remaining accounts must be supplied by end-September 2019.3

Payments Clearing System

37. The RBA has primary regulatory responsibility for Australia’s payments system, including systemically important payment systems. The RBA also assumes responsibility for the day-to-day operation of the high value payments system RITS. The Payments System Board determines the RBA’s payments system policy in a way that best contributes to: controlling risk in the financial system; promoting the efficiency of the payments system; and promoting competition in the market for payment services, consistent with the overall stability of the financial system. The Payments System Board comprises the Governor as chair, one other RBA appointee, an appointee from APRA, and up to five other members.

38. Most of the powers of the Payments System Board derive from the Payment Systems (Regulation) Act 1998. This Act allows the RBA to obtain information from payments system participants, to designate a payment system and to set access regimes and standards for designated payment systems. To date, these powers have been used solely in the retail space, most notably in the regulation of card schemes’ interchange fees and regulation of surcharges added by merchants to card payment transactions. Separately, the RBA is able to provide additional legal certainty regarding settlement finality in approved RTGS systems and netting arrangements.

39. Launched in February 2018, the New Payments Platform provides an open access infrastructure for fast payments in Australia. It was developed via industry collaboration to enable households, businesses, and government agencies to make simply addressed payments, with near real-time funds availability to the recipient, on a 24/7 basis. The infrastructure of the new payments platform supports the independent development of ‘overlay’ services to offer innovative payment services to end-users. The RBA built the settlement component of this platform, known as the Fast Settlement Service, which allows transactions to be settled individually on a 24/7 basis, in close to real time.

40. Clearing and settlement (CS) facilities that operate in Australia are required to be licensed or exempted under Part 7.3 of the Corporations Act. The requirement to be licensed applies to both domestic and overseas facilities. The Corporations Act establishes conditions for the licensing and operation of CS facilities in Australia and gives ASIC and the RBA separate but complementary powers and regulatory responsibilities for the supervision of CS facilities. Given this, ASIC and the RBA have agreed an MoU, which is intended to promote transparency, help prevent unnecessary duplication of effort, and minimize the regulatory burden on CS facilities.

D. Framework for Crisis Management, Recovery and Resolution

41. The CFR has focused considerable attention on Australia’s financial crisis management arrangements with a view to further strengthening the framework and ensuring alignment with international standards and best practice. The CFR members entered into an MoU on Financial Distress Management in 2008. The MoU sets out the objectives, principles, and processes for managing distress in the Australian financial system. The circumstances to which the MoU relates include, but are not limited to, financial distress in an ADI, general insurer, life insurer, superannuation fund, as well as interruptions to the smooth functioning of FMIs.

42. APRA has a wide range of statutory powers to respond to distress in its regulated financial institutions. These include powers to enforce compliance with prudential requirements and to investigate and obtain information, as well as a range of resolution powers. APRA’s powers vary depending on the type of financial institution. These include powers to obtain an enforceable undertaking and to seek court injunctions. APRA can also give directions to regulated institutions. A direction issued by APRA is binding and can be used to enforce compliance with prudential requirements and to implement elements of a resolution.

43. The legislative reforms enacted through the Financial Sector Legislation Amendment (Crisis Resolution Powers and Other Measures) Act 2018 significantly expanded crisis resolution powers, and more clearly defined APRA’s mandate regarding resolution planning. These reforms also provide APRA with formal direction powers related to resolution planning and removing barriers to the resolvability of regulated entities or groups. Such a direction could require an ADI to address barriers to orderly resolution, such as making changes to their systems, business practices, or operations in order to make them more resolvable. Following this, APRA intends to develop its formal prudential framework for resolution planning, with a view to starting consultation on a prudential framework on recovery and resolution planning in 2019.

44. APRA is currently undertaking a recovery planning program for banks. In 2011, APRA initiated the pilot and focused on the 6 largest banks, including Australia’s four D-SIBs. This was followed by extending the requirement to 12 medium-sized banks (with assets greater than A$5 billion) in 2013, and later to three key service providers. In 2016, a thematic review of recovery planning was completed which involved the 9 largest banks further developing recovery plans and APRA providing feedback based on a benchmarking exercise. APRA is currently conducting the final phase of this thematic review, with entity-specific feedback due to be provided in 2018. APRA’s recovery planning program is also applied on a case-by-case basis for smaller banks and ADIs in a way that is proportionate for the size of the entity and the risk/impact of failure.

E. Public Safety Net

45. In October 2008, the Australian Government established the Financial Claims Scheme (FCS) for ADIs and general insurers. For ADIs, the FCS protects account-holders and provides prompt access to deposits if an ADI fails. The Treasurer can declare that the FCS is activated for an ADI when APRA has determined that the ADI is insolvent and has applied to the court to be wound up. From October 2008, the FCS applies to deposit balances up to A$1 million per account-holder per ADI. The A$1 million limit was established in the context of the global financial crisis and was intended to reinforce depositor confidence. In September 2011, on the CFR’s recommendation, the Government announced that the FCS limit would be reduced to A$250,000 from February 1, 2012.

46. The FCS is post-funded. Should it become necessary, initial funding is provided for the FCS via standing appropriations under the Banking Act 1959 and Insurance Act 1973, which provide assurance that funds will be available if the FCS is activated. APRA, on behalf of the Government, is entitled to recover payouts in the winding up of the entity. In the case of ADIs, but not general insurers, APRA enjoys a priority claim on the assets of the entity for such amounts. In respect of both ADIs and general insurers, any shortfall can be recovered through an industry levy.

F. Effective Market Discipline

47. Disclosure requirements are fundamental to Australia’s regulatory regime for protecting consumers and ensuring confidence in the securities market. Market participants and investors must be provided with information on specific occasions (for example, when securities are offered, in a takeover situation, and for short sales), at regular planned intervals (for example, in annual reports), and in response to continuous disclosure obligations. Disclosure requirements are contained in the Corporations Act, and listed companies must also comply with the supplementary requirements in the relevant listing rules. Each financial year, entities that are subject to disclosure requirements must prepare a financial report and a directors’ report (containing information about operations, activities, and a range of other matters). The timeframe within which these reports must be published is specified in the Corporations Act and the relevant listing rules. There are similar requirements for half-year financial and directors’ reports.

48. Australian competition law is contained in the Competition and Consumer Act which applies to all industries, including the financial sector. The object of the Act is to enhance the welfare of Australians by promoting competition and fair trading, and by protecting consumers. The Australian Competition and Consumer Commission (ACCC) is Australia’s competition regulator. Its responsibilities include enforcing the prohibitions on anti-competitive conduct contained in the Competition and Consumer Act, including provisions preventing corporations misusing substantial market power to substantially lessen competition.

Main Findings

A. Responsibilities, Objectives, Powers, Independence (CP1–2)

49. APRA has broad powers and clear responsibilities underpinned mainly by the Banking Act and the APRA Act. The APRA Act states that the objective of promoting financial stability is to be pursued while balancing other objectives such as financial safety, efficiency, competition, contestability and competitive neutrality. This can be a challenging balance to strike, but APRA seems focused on financial stability even as the banking sector is becoming more open to new types of activities and to more competition. Therefore, it may be useful to consider clarifying further the primary nature of APRA’s financial stability objective and that the other objectives are subordinate to the financial stability mandate.

50. APRA has clear powers to set and enforce prudential standards, but these can be disallowed by the Parliament. APRA has been tailoring the severity and the complexity of its requirements depending on the size, systemic importance, and risk profile of ADIs. This will allow a more proportionate approach to its regulation and supervision. However, the fact that its prudential standards can be disallowed by the Parliament weakens APRA’s prudential standard setting powers in supporting the achievement of its statutory mandate even if this case seems exceptional and has not taken place to date. Having said that, APRA has successfully introduced many regulatory reforms over the last few years to implement international standards and the recommendations of the 2014 FSI.

51. APRA performs its operations based on a robust governance framework and a solid accountability mechanism. APRA has set internal policies and processes that allow efficient decision making in normal and stressed times. Governance is strengthened by internal risk management and internal audit committees consisting of a majority of independent members. APRA is subject to a strong accountability framework to the Parliament, the government, and the general public. This framework requires APRA to prepare and publish a set of reports that transparently show what priorities APRA is aiming for and how it is discharging its duties in fulfillment of these priorities and objectives.

52. While APRA may currently have a reasonable degree of independence to meet its statutory goals, there are some constraints that could potentially impact this independence. The power granted to the Minister to issue directions to APRA about policies it should pursue is a matter of potential concern (since it could lead to direct or indirect interference in APRA’s prudential standard setting powers) even if this power has never been exercised so far. Since objectives can be misaligned at times, it is always better to remove any potential loopholes in the framework. In addition, the APRA Act should require public disclosure of the reasons for removal of an APRA Member, which is a sound practice based on the Basel Core Principles. The statement of expectations (SOE) issued by the Government to APRA and APRA’s reply in its statement of intent (SOI) have served as a platform to publicly present (in a media release issued by the Treasurer) the government’s priorities and how APRA would respond to them. In 2014, the Treasurer used the media release to reiterate that it is imperative that regulators act independently and objectively, but wanted to ensure the regulators took account of the broader policy framework.⁴ Notwithstanding, it may be useful to clarify the objective of the SOE and ensure that it does not direct APRA’s priorities in a way that could conflict with its primary mandate of financial stability.

53. A more flexible and autonomous budget process and a relaxation of the constraints on the framework for staff employment and remuneration would allow APRA to better discharge its increasing responsibilities to dynamically oversee the evolving nature of banking activities. While noting that APRA has received additional budgets over the recent years to implement new initiatives and projects, APRA is subject to “efficiency dividends,” and additional budget proposals (new policy proposals) need approval by the Government. While there is some forward view of expected funding, there is uncertainty over the medium-term budget which may present difficulties for APRA’s resource planning. Therefore, it is important to provide APRA with higher flexibility and more autonomy in its budget planning and approval processes. In addition, the constraints on APRA’s staff employment and remuneration framework, such as the Australian Public Service (APS) workplace bargaining policy, limit APRA’s potential to attract and retain high quality staff. While some remuneration levers and individual flexibility arrangements seem to be available under APRA’s current enterprise agreement, the policy is creating challenges for APRA to attract and retain the highly specialized skills that it currently needs to better oversee the evolving risks in Australia’s banking sector, including those related to digital business models and cyber risk.

B. Licensing, Change in Control, and Acquisitions (CP 4–7)

54. APRA has a very thorough licensing framework. In assessing licensing applications, APRA follows criteria that are consistent with ongoing supervision requirements. It also reviews the proposed ADI’s strategy and financial viability, its business plan, the suitability of its owners and management, its governance framework, and its risk management framework. The removal of the minimum initial capital for licensing ADIs was a step made by the government to encourage entry into the financial system. However, APRA seems aware of the associated potential risks and it ensures that the applicants show their ability to comply with the prudential capital adequacy requirements from the start of their operations and going forward.

55. APRA has recently introduced a phased licensing regime to open the way for new market entrants. The implementation of the phased (or restricted) licensing regime will encourage more competition in the banking sector and allow a more gradual approach to licensing that ensures closer follow-up by APRA throughout the licensing phase. The new ADIs are expected to have different business models that rely more on technological innovation. APRA has put limitations on the size and operations of these restricted licensees to reduce possible financial stability risks. It also requires them to have a two-year conversion strategy (to become full ADIs) and an exit strategy (with some resolution funds) to ensure they can smoothly exit the market if necessary without causing financial stability concerns. APRA is advised to exercise prudence as it implements this new approach. Given the expected digitally-focused business models of these new banks, APRA should also step up its efforts and further build its capacity in relation to fintech developments and associated risks, including operational, IT and cyber risk issues, to ensure it is able to adequately oversee these new firms.

56. The regime for significant change in ownership is another area where APRA’s independence and powers warrant strengthening. The change in significant ownership of banks is governed by the Financial Sector Shareholdings Act (FSSA), which gives the Treasurer the power to decide on changes in ownership stakes of more than 15 percent. While the Treasurer has delegated to APRA the approval of changes in significant ownership for banks with assets of less than A$1 billion, this is only a partial delegation and can be withdrawn if the Treasurer decides so. In addition, the criteria for approval of a significant change in ownership are based on “national interest” considerations which are not defined in the FSSA. Therefore, it is not clear to what extent these considerations take into account the fitness, propriety and suitability of the significant shareholders. While in practice, the Treasurer would seek APRA’s advice as to whether there are any prudential concerns in relation to decisions affecting banks with assets exceeding A$1 billion, such advice from APRA is not binding in making the Treasurer’s decisions.

C. Supervisory Cooperation and Cross Border Supervision (CP3,12,13)

57. APRA has a good level of interaction with the various domestic authorities involved in regulating and supervising financial sector issues, but these relationships can be further enhanced with some agencies. APRA has a good level of cooperation with the RBA on various financial stability and systemic risk issues. This cooperation also takes place at the CFR which provides a platform for discussion of financial stability topics among the main financial regulators. Cooperation with ASIC has been intensifying over the recent period given the increasing topics of mutual interest on market conduct and governance issues as well as on responsible lending and serviceability assessments. Building a more thorough interaction with ASIC will help further enhance APRA’s understanding of risks in the financial sector and the implications for APRA’s risk assessment of ADIs, particularly with the new Banking Executive Accountability Regime (BEAR). On the other hand, cooperation between APRA and AUSTRAC has not been as extensive and is currently primarily focused on high-level issues. Both agencies seem to be aware of the importance of stepping up the frequency and thoroughness of their interaction. This relationship should, therefore, be brought to a new operational level involving different layers of the agencies’ hierarchies so that more substantive and entity-specific issues can be discussed on a much more frequent basis.

58. APRA has developed close working relationships with foreign regulators, particularly with the Reserve Bank of New Zealand (RBNZ), given the significance of banks’ cross-border operations in New Zealand. These relationships are supported by MoUs and other letters of understanding that set the foundation for supervisory cooperation and exchange of confidential information. APRA conducts onsite reviews, particularly for the major banks’ subsidiaries in New Zealand, and has contacts with other relevant regulators. APRA has conducted supervisory colleges for two of its banks, but the last one was about three years ago. While recognizing the shrinking global footprint of some Australian banks may not warrant the organization of supervisory colleges for them, there are still some Australian banks with a significant cross-border presence which may benefit from active supervisory colleges. In addition, APRA should implement its plan to develop a resolution planning framework and coordinate with foreign regulatory authorities to develop resolution plans for its major cross-border banking groups.

59. APRA’s consolidated supervisory approach is well integrated in its supervisory practices and activities. Prudential standards and financial data are collected on a consolidated basis. APRA also reviews the oversight of a bank’s foreign operations by management and ensures that the banking group risk management framework is applied on a consolidated basis. APRA also introduced in 2017 a governance and risk management framework for conglomerates, covering issues such as risk management, fit and proper, and governance. While this is a welcome move, APRA should enhance its understanding and review of the risks that banks and banking groups can be exposed to as a result of the nonbanking activities in the wider financial group and be prepared to take actions as needed.

D. Supervisory Approach (CP 8–11)

60. APRA’s strong supervisory approach is based upon the fundamental premise that it is the responsibility of banks’ boards and management teams to ensure the firm is operating in a prudent manner and in compliance with applicable laws and prudential standards. This is supported by a host of formal requirements placed on them to ensure that processes are effective given the size and complexity of a firm and that the firm has in place the practices it needs to operate in a manner that is in compliance with standards and requirements. In further support of this approach, APRA has a reasonably full set of effective supervisory processes and tools with which to assess the firms and an appropriate set of authorities with which to enforce compliance when that is necessary. APRA prefers to address issues at the firms in a less formal way, for example through consultation and recommendation, though it does have the necessary processes in place to identify and monitor situations that may be escalating toward the need to use its formal powers.

61. A key challenge of this approach is achieving the right balance between relying on firms’ attestations/reporting and supervisors verifying with a high degree of confidence that the most critical governance, risk management, and control processes are in place and effective. APRA carries out well-executed supervisory reviews of key practices based on a solid risk-focused approach. Nonetheless, supervisory oversight may benefit from a greater focus at the largest firms on periodic ‘end-to-end’ reviews across the firms of an identified set of practices APRA deems of particular importance. This could strengthen the supervisors’ confidence that the processes in place to ensure compliance with prudential requirements and standards are effective, and strengthen incentives for firms to ensure they have solid practices and undertake thorough reviews of them.

62. APRA’s well-conceived and well-executed risk-focused approach to supervising the banks is a good starting point from which to address that challenge. APRA supervisors appear to have a good understanding of the banks and the risks they face. APRA has solid, if still developing, practices for analyzing emerging risks and developments across the system, which are useful for informing considerations of supervision strategy and for planning specific supervisory activities. These analytical practices will benefit from further enhancements that will require APRA to continue to refine and likely increase its required reporting from the firms and to become increasingly proficient in gathering and analyzing large data sets from its supervised firms.

63. Another challenge in APRA’s approach is finding the right balance between a desire to maintain good working relationships with firms to keep communication flowing and being willing to take strong supervisory actions when needed. As noted above, APRA’s preferred approach is working with the firms to get them to address supervisory concerns and/or weak practices. This is often reasonable and not at all unique to APRA. To the extent it could lead to delayed identification or remediation of material weaknesses at large banks it could pose a potential problem. APRA would be well advised to consider consistently supporting its partial reliance on the firms self-identifying problems through the active and quick use of stronger and/or more formal actions when it discovers a firm has been reporting and attesting incorrectly to the effectiveness of its risk governance processes. Based on that, there seems to be scope for APRA to escalate the severity of the corrective actions in a quicker and more active way if the concerned bank is not effectively cooperating. This includes escalation from ‘recommendation’ to ‘requirement’ and also using formal corrective actions, such as directions, in a more active way.

E. Corporate Governance and Internal Audit (CP 14, 26)

64. APRA has appropriate requirements for governance structures and processes, but assessments of board and senior management effectiveness need to be better informed by weaknesses observed in reviews of risk management and controls and should be given greater consideration in the overall ratings of the firms. The assessment process, PAIRS, covers all the necessary areas. However, it may at times obscure the understanding of the root causes of, or ultimate accountability for, problems at a firm. For example, with respect to assessments of the board and senior management relative to their responsibilities for ensuring effective risk management and controls, this is primarily captured in the ‘risk governance’ assessment rather than the specific assessment categories to be used for boards and senior managers. This may weaken the articulation of expectations, particularly given APRA’s supervisory philosophy which puts a strong emphasis on the role of the board and senior management. Moreover, the PAIRS process puts a relatively low weight on the assessment of the board and senior management in the overall rating. This appears to be somewhat out of alignment with APRA’s supervision philosophy and the intention expressed through CPS 220 to create strong incentives for boards and management to focus intently on their responsibilities for ensuring compliance with prudential standards.

65. APRA should better incorporate into assessments of governance the findings from assessments carried out by AUSTRAC and ASIC on AML/CTF and conduct issues, respectively. As the supervisor with responsibility for assessing overall risk management and governance practices in the banks, including assessing those ultimately responsible for these practices, APRA’s supervision process for governance should incorporate assessment of conduct risk and AML/CTF practices where material. The increased cooperation with both agencies, as mentioned above, will foster the process of developing a more comprehensive assessment of banks’ risk profiles.

66. APRA assesses the effectiveness of internal audit in a general sense and has frequent contact through ongoing supervision but does not place a high emphasis on its ability to rely on the work of the internal audit function to inform APRA assessments of control processes. APRA does not collate the conclusions from its supervisory activities into a formal risk assessment of the internal audit function. Supervisors have not done an in-depth evaluation of the overall effectiveness of internal audit functions across the major banks for a number of years. Given the responsibilities and expectations placed on boards of directors, which are expected to be informed by internal audit of weaknesses in their firms’ processes, a greater emphasis on all aspects of internal audit effectiveness as an important element of governance by the board is warranted. In addition, the prudential standards can better and more comprehensively outline the main criteria and requirements for an effective internal control environment and internal audit function.

F. Capital (CP 16)

67. APRA has a conservative regulatory capital regime and ADIs exhibit relatively strong regulatory capital ratios. APRA could increase the focus on the processes that support and inform the largest firms’ decision making around capital planning. For example, it could undertake more in-depth reviews of the inputs into and controls around ICAAPs and stress testing programs associated with assessing capital needs. The recent move towards putting in place ‘unquestionably strong’ capital benchmarks on top of the full and conservative use of Basel risk-based standards is a positive step in strengthening capital in the industry. APRA should also continue to focus on processes that help to identify risks that may emerge under stress but not be well captured in the regulatory framework. This is an important element of understanding capital at firms relative to their risks, and their capacity to continue to function under a stressful environment.

G. Risk Management (CP 17–25)

68. Supervision for risk management places a strong emphasis on the responsibilities of the board. This is well supported by a solid, if understaffed in some areas, supervision program for assessing risk management across the major risk categories. Supervisors are knowledgeable about the risks and risk management practices in the areas they cover and are well supported by detailed policies, procedures and guidance for executing supervisory reviews.

69. The increased use of ‘thematic reviews’ looking at the same set of risks and risk management practices across groups of firms is a good practice. The assessors are recommending that this practice be utilized to the greatest extent possible for the largest firms. Not only does it provide for better knowledge about the range of practices across the firms, it supports consistency of assessments.

70. Since the last FSAP assessment in 2012, APRA has issued an integrated risk management standard (CPS 220). The standard requires regular attestations and reporting of its effectiveness by the board and management relative to the size and risk profiles of the firms. This has been a positive development as firms are more focused on the importance of complying with prudential standards around risk governance, including risk management and controls requirements.

71. APRA should put more focus on assessing the various components of firms’ ICAAP and other firm-wide stress testing practices. With a heightened focus on firms achieving ‘unquestionably strong’ capital thresholds, the focus on ICAAP assessments has been reduced for the time being. Given the importance of firm-wide stress testing as a tool to identify potential risks and consider capital needs related to risks that may not be well captured in regulatory capital regimes, APRA should dedicate more time to assessing the underlying risk measurement, management, and control practices around firms’ use of firm-wide stress testing. This should include reviewing key inputs into these processes (including the methods and models adopted) and the governance and controls around them.

72. APRA’s supervisors have been increasingly assessing banks’ credit risk management framework and practices, particularly focusing on assessing banks’ underwriting practices and serviceability assessments. These activities were mostly performed in the form of thematically planned reviews and assessments for the major banks, focusing on residential mortgages and commercial real estate exposures. These reviews should be continued to ensure credit risk management gaps are being addressed. APRA should also consider performing more thorough periodic analysis of banks’ credit risk management frameworks, particularly for major banks. In addition, APRA should enhance its current risk reviews related to credit and concentration risk to examine the impact of concentration in common forms of collateral, particularly real estate. APRA should also go ahead with its plan to revise its prudential standards on credit quality (particularly in relation to treatment of problem assets) and related parties to be further aligned with international standards.⁵

73. Since the last FSAP, APRA has taken many actions to strengthen its capacity, tools, and prudential framework in relation to oversight of liquidity risk. It has established a team of risk specialists dedicated to oversight of liquidity risk. It has also implemented the LCR and the NSFR requirements for major banks. The October 2017 RCAP confirmed that Australia’s Basel III LCR is overall compliant with Basel requirements. In addition, the prudential framework provides a thorough set of requirements and guidance in relation to liquidity risk management. In addition to the regular supervisory activities on liquidity risk management, APRA’s risk specialist team produces quarterly liquidity risk review reports and dashboards showing the evolution of key liquidity risk metrics and funding metrics.

H. Disclosures and Transparency (CP 27–28)

74. APRA regulations and the Corporations Act both require significant disclosures that allow for the public to understand the conditions of and risks in the banks and banking industry. APRA requires a wide range of Pillar 3 disclosures including quantitative and qualitative elements. Banking statistics are made available to the public on a monthly and quarterly basis. All Australian incorporated banks are required to issue audited financial reports to the public on an annual and half-yearly basis. ASIC reviews external audits, including with respect to asset valuations, and carries out ongoing surveillance of financial reporting.

I. Abuse of Financial Services (CP 29)

75. While AUSTRAC has the authorities by law and rule, and the supporting processes needed to oversee money laundering and anti-terrorism financing, the significant reliance on firms self-identifying and reporting weaknesses has not always proved effective. AUSTRAC requires firms to have a senior officer responsible for ensuring compliance with all rules and laws that reports to the board on the effectiveness of all control processes. The review of these reports along with a risk-focused approach to specific supervisory reviews is a key part of the supervisory approach. Recent events have revealed that some banks’ processes for ensuring compliance were not working as reported, which resulted in failures to comply with rules and laws. AUSTRAC should consider steps it can take to increase the confidence it can get from firms’ internal reporting, including taking swift and formal action when it discovers banks’ control processes for ensuring compliance are missing key areas. This would likely require an end-to-end thematic review of these processes at the major banks on a periodic basis.

Detailed Assessment

76. Table 1 below provides a detailed principle-by-principle assessment of the BCP. The table is structured as follows:

  • The “description and findings” sections provide information on the legal and regulatory framework, and evidence of implementation and enforcement.

  • The “assessment” sections contain only one line, stating whether the system is “compliant,” “largely compliant,” “materially non-compliant,” “non-compliant,” or “not applicable” as described above.

  • The “comments” sections explain why a particular grading is given. These sections are judgmental and also reflect the assessment team’s views regarding strengths and areas for further improvement in each principle. Since the primary goal of the exercise is to identify areas that would benefit from additional attention, emphasis should be placed on the comments that accompany each principle, rather than on the individual grades mentioned before.

Table 1. Australia: Detailed Assessment
A. Supervisory Powers, Responsibilities, and Functions
Principle 1. Responsibilities, objectives, and powers. An effective system of banking supervision has clear responsibilities and objectives for each authority involved in the supervision of banks and banking groups.6 A suitable legal framework for banking supervision is in place to provide each responsible authority with the necessary legal powers to authorize banks, conduct ongoing supervision, address compliance with laws and undertake timely corrective actions to address safety and soundness concerns.7
Essential criteria
EC1. The responsibilities and objectives of each of the authorities involved in banking supervision8 are clearly defined in legislation and publicly disclosed. Where more than one authority is responsible for supervising the banking system, a credible and publicly available framework is in place to avoid regulatory and supervisory gaps.
Description and findings re EC1: In Australia, the Commonwealth legislation defines the authorities responsible for banking supervision. The Australian Prudential Regulation Authority (APRA) is responsible for the prudential regulation and supervision of Authorized Deposit-taking Institutions (ADIs). The Treasury, the Reserve Bank of Australia (RBA), and other bodies and agencies also play a role in financial regulatory and supervisory issues. The responsibilities and objectives of APRA, ASIC and the RBA are clearly defined in the different legal texts. Below is a description of the responsibilities of each of the entities.

APRA

The Australian Prudential Regulation Authority Act 1998 (APRA Act), in Section 8, establishes APRA as responsible for regulating bodies in the financial sector in accordance with other laws of the Commonwealth that provide for prudential regulation or for retirement income standards. APRA administers the Banking Act 1959 (Banking Act), the objects of which are to:
  • protect the interests of depositors in ADIs in ways that are consistent with the continued development of a viable, competitive, and innovative banking industry; and

  • promote financial system stability in Australia.

It is intended that APRA, in taking actions to address risks to financial system stability in Australia, may consider specific sources of systemic risks, whether geographic, sectoral, or otherwise (Subsection 2A(3) of the Banking Act).

The APRA Act (section 8) also stipulates that, in performing and exercising its functions and powers, APRA is to balance the objectives of financial safety and efficiency, competition, contestability, and competitive neutrality and, in balancing these objectives, is to promote financial system stability in Australia. In line with the Trans-Tasman cooperation agreement, APRA must also:
  • support the New Zealand authorities in meeting their statutory responsibilities relating to prudential regulation and financial system stability in New Zealand; and

  • to the extent reasonably practicable, avoid any action that is likely to have a detrimental effect on financial system stability in New Zealand.

The above obligation is mirrored by a reciprocal obligation on the Reserve Bank of New Zealand (RBNZ) to seek to avoid taking actions that would undermine the stability of the Australian financial system (Section 68A of the Reserve Bank of New Zealand Act 1989).

In addition, APRA administers the Financial Sector (Transfer and Restructure) Act 1999,9 which provides for voluntary transfers of business, compulsory transfers of shares and business and group restructures relating to ADIs, general insurers and life companies.

The Treasury

The Treasury has responsibility for advising the Government on financial system matters, including the legislative and regulatory framework underpinning banks and banking groups. Based on the APRA Act (section 12), the Minister (Treasurer) may give APRA a written direction about policies it should pursue, or priorities it should follow, in performing or exercising any of its functions or powers. These powers are explained in more detail in CP2.

Reserve Bank of Australia (RBA)

The RBA, as established by the Reserve Bank Act 1959 (RBA Act), has responsibility for monetary policy, issuing the nation’s currency and ensuring price stability, and overseeing the safety and efficiency of Australia’s payments system.

Australian Securities and Investments Commission (ASIC)

ASIC is Australia’s corporate, markets, financial services, and consumer credit regulator. It has responsibility for market integrity, consumer protection, and the regulation of investment banks and finance companies. It carries out its main function under the Australian Securities and Investments Commission Act 2001 (ASIC Act) and the Corporations Act 2001 (Corporations Act). ASIC oversees the regulation of consumer credit activities under the National Consumer Credit Protection Act 2009, aspects of insurance under the Insurance Contracts Act 1984, business name registration under the Business Names Registration Act 2011 and aspects of superannuation under the Superannuation (Resolution of Complaints) Act 1993 and Superannuation Industry (Supervision) Act 1993.

Australian Transaction Reports and Analysis Centre (AUSTRAC)

AUSTRAC is Australia’s financial intelligence agency with regulatory responsibility for anti-money laundering and countering the financing of terrorism (AML/CTF). In its role as Australia’s AML/CTF regulator, AUSTRAC oversees compliance with the Financial Transaction Reports Act 1998 and the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 by a wide range of financial services providers, including all ADIs.

Council of Financial Regulators (CFR)

APRA, ASIC, the RBA and Treasury work in close cooperation via the Council of Financial Regulators (CFR). The CFR is a non-statutory body whose role is to contribute to the efficiency and effectiveness of financial regulation and to promote stability of the Australian financial system. It is chaired by the RBA and the members share information, discuss regulatory issues and, if the need arises, coordinate responses to potential threats to financial stability. The CFR also advises Government on the adequacy of Australia’s financial regulatory arrangements.
EC2. The primary objective of banking supervision is to promote the safety and soundness of banks and the banking system. If the banking supervisor is assigned broader responsibilities, these are subordinate to the primary objective and do not conflict with it.
Description and findings re EC2: The objectives set for APRA to promote financial system stability are laid out in the APRA Act as well as in the Banking Act.

Subsection 8(1) of the APRA Act states the main purposes for which APRA exists are as follows:
  • regulating bodies in the financial sector in accordance with other laws of the Commonwealth that provide for prudential regulation or for retirement income standards;

  • administering the financial claims schemes provided for in the Banking Act and the Insurance Act 1973 (Insurance Act);

  • developing the administrative practices and procedures to be applied in performing that regulatory role and administration.

Subsection 8(2) says that, in performing and exercising its functions and powers, APRA is to balance the objectives of financial safety and efficiency, competition, contestability, and competitive neutrality and, in balancing these objectives, is to promote financial system stability in Australia.

The APRA Act states that APRA is to promote financial stability while balancing other objectives such as competition, contestability, and competitive neutrality. This may not be easy to achieve and requires a very delicate balancing act and an adequate level of supervisory resources and skills to ensure that allowing more competition and contestability in the banking sector does not drive attention and resources away from APRA’s financial stability objective. While APRA seems focused on the sector’s financial stability, the assessors believe it would be useful to consider clarifying further the primary nature of APRA’s financial stability mandate and that the other objectives are subordinate to it. This would better clarify the expectations about APRA’s responsibilities and objectives, particularly in relation to the overarching financial stability considerations in prudential policy making and supervisory decisions and processes.

In addition, subsection 12(1) of the Banking Act states it is the duty of APRA to exercise its powers and functions under Part II, Division 2 of the Banking Act, for the protection of depositors of ADIs and for the promotion of financial system stability in Australia. Part II, Division 2 sets out powers to seek information, investigate, appoint a statutory manager, give recapitalization directions and apply for the winding up of ADIs.

As mentioned in EC1, APRA must also support the New Zealand authorities in meeting their statutory responsibilities relating to prudential regulation and financial system stability in New Zealand. It should also avoid, to the extent reasonably practicable, any action that is likely to have a detrimental effect on financial system stability in New Zealand.
EC3. Laws and regulations provide a framework for the supervisor to set and enforce minimum prudential standards for banks and banking groups. The supervisor has the power to increase the prudential requirements for individual banks and banking groups based on their risk profile10 and systemic importance.11
Description and findings re EC3: APRA can issue legally binding prudential regulations in the form of prudential standards. APRA also issues guidance which is not legally binding in the form of prudential practice guides. Similarly, APRA has power under section 13 of the FSCODA to make reporting standards by way of legislative instrument. Prudential standards cover technical or administrative details for which primary legislation (e.g., an Act of Parliament) would be inappropriate. These are issued under section 11AF of the Banking Act 1959 (Banking Act), as amended by the Financial Sector Legislation Amendment (Crisis Resolution Powers and Other Measures), which stipulates that APRA may make prudential standards for ADIs and authorized non-operating holding companies (NOHCs). It states that APRA may, in writing, determine standards in relation to prudential matters to be complied with by:
  • all ADIs; or

  • all authorized NOHCs; or

  • the subsidiaries of ADIs or authorized NOHCs; or

  • a specified class of ADIs, authorized NOHCs or subsidiaries of ADIs or authorized NOHCs; or

  • one or more specified ADIs, authorized NOHCs or subsidiaries of ADIs or authorized NOHCs.

APRA prudential standards cover banks as well as banking groups. In fact, APRA has a three-level definition for banks and banking groups, as follows:
  • Level 1 means the ADI itself.

  • Level 2 means either: the consolidation of the ADI and all its subsidiary entities other than non-consolidated subsidiaries; or, if the ADI is a subsidiary of an authorized NOHC, the consolidation of the immediate parent NOHC of the ADI and all the immediate parent NOHC’s subsidiary entities. Consolidation at Level 2 must cover the global operations of an ADI and its subsidiary entities, as well as any other controlled banking entities, securities entities and other financial entities, except for entities involved in the following business activities: insurance; acting as manager, responsible entity, approved trustee, trustee, or similar role in relation to funds management; nonfinancial (commercial) operations; and securitization special purpose vehicles.

  • Level 3 means the conglomerate group at the widest level.

Most of APRA’s prudential standards apply to level 1 and level 2 entities, including those on capital, liquidity, large exposures, credit quality, and related parties. Some non-financial prudential requirements apply to level 1, 2, and 3 entities, such as risk management, governance, fit and proper, business continuity, and outsourcing.

APRA has broad powers to vary requirements depending on the situation of banks and banking groups. Based on section 11AF of the Banking Act, a standard may provide for APRA to exercise powers and discretions under the standard, including (but not limited to) discretions to approve, impose, adjust or exclude specific prudential requirements in relation to one or more specified ADIs or authorized NOHCs, or one or more specified subsidiaries of ADIs or authorized NOHCs. The same section of the Banking Act states that a standard may impose different requirements to be complied with in different situations or in respect of different activities, including requirements to be complied with by different classes of ADIs, authorized NOHCs or subsidiaries of ADIs or authorized NOHCs.

So, in practice, APRA uses such powers to set or increase prudential requirements based on the risk profile and systemic importance of banks and banking groups. This is mainly in relation to capital (including pillar capital add-ons) and liquidity requirements. For example, larger banks are subject to DSIB buffers, can apply advanced approaches for capital requirements, and are required to apply LCR and NSFR. Smaller banks apply the standardized approaches for capital requirements and simpler measures of liquidity (see BCP 16 and 24 for more details).

While APRA can issue prudential standards under section 11AF, prudential standards are legislative instruments under the Legislation Act 2003 and subject to Parliamentary scrutiny as provided for under section 42 of that Act. Based on this Act, legislative instruments are required to be tabled in Parliament, and are subject, with very limited exceptions, to being disallowed by the Parliament within 15 sitting days. This has not happened in practice. While this can be regarded as one component of the checks and balances in the Australian democratic process, it could result, in admittedly extreme circumstances, in the failure to introduce a key prudential standard or requirement, which could undermine the ability of APRA to achieve its statutory objectives.

Also, before a prudential standard is made, APRA must be satisfied that any appropriate and reasonably practicable consultation has been undertaken (section 17 of the Legislation Act 2003), though failure to consult does not affect the validity of a prudential standard. As per Section 50 of the Legislation Act 2003, Prudential Standards are automatically repealed after 10 years (sunsetting) if they are not revoked earlier.

Apart from APRA, the Banking Act also provides for the Government to make regulations to impose requirements relating to prudential matters (section 11A). However, there are no such regulations in effect. The Banking Act gives APRA the power to enforce prudential standards. Part II, Division 1BA (section 11CA) of the Banking Act gives APRA the power to issue directions to a body corporate that is an ADI or an authorized NOHC under certain circumstances, including: (i) if the body corporate or its subsidiary has contravened a provision of the Banking Act or the Financial Sector (Collection of Data) Act 2001; (ii) if the body corporate or its subsidiary has contravened a prudential requirement regulation or a prudential standard; (iii) if there has been, or there might be, a material deterioration in the body corporate’s financial condition or its subsidiary’s financial condition; and (iv) if the body corporate or its subsidiary is conducting its affairs in an improper or financially unsound way. When the cases involve actions by the subsidiaries of the ADI or the authorized NOHC, APRA can make a direction only if it is reasonably necessary for one or more prudential matters relating to the concerned ADI or authorized NOHC.

As per the Banking Act, the nature of directions that may be given by APRA is extensive and includes: compliance with the whole or part of the Banking Act or the FSCODA; compliance with the whole or part of a prudential requirement regulation or standard; ordering of an audit of the affairs of the body corporate at its own expense by an auditor chosen by APRA; removal of a director or senior manager of the body corporate or appointment of a person in these positions for such term as APRA directs; removal of an auditor of the body corporate and appointment of another according to APRA terms; prohibition of accepting deposits or borrowing money; prohibition of dividend payment or other payments to shareholders; prohibition of deposit payment or the undertaking of a financial obligation; and reconstruction or amalgamation of the business, structure or organization of the body corporate or its group. Failure to comply with a direction results in an offense against the ADI, the authorized NOHC or the relevant body corporate.

Section 11AG of the Banking Act states that an ADI, authorized NOHC or a subsidiary of an ADI or authorized NOHC to which a prudential standard applies must comply with the standard. This has the effect that a breach of a prudential standard would be a breach of Section 11AG. This amounts to a breach of a provision of the Act which is a trigger for certain powers under the Banking Act, e.g., injunctions under Section 65A, revocation of authority under Section 9A(2).
EC4. Banking laws, regulations and prudential standards are updated as necessary to ensure that they remain effective and relevant to changing industry and regulatory practices. These are subject to public consultation, as appropriate.
Description and findings re EC4: The Treasury is responsible for providing advice to the government regarding the legislative framework for the financial system in Australia. Amendments to banking and financial laws require the approval of the Government and are made most commonly in response to recommendations made through reviews and inquiries; for example, the Financial System Inquiry (FSI) or the Parliamentary Review into the four major banks. Additionally, changes may be made at the request of the regulators.

The Treasury and CFR agencies collaborate to identify and discuss with the Government amendments to the legislative framework to ensure that the framework that underpins the financial sector continues to remain relevant and effective. Amendments to banking laws are subject to public consultation before introduction into Parliament.

The framework for the financial system was subject to a comprehensive review in 2014 and significant new reforms have been legislated. An FSI was launched in 2013 by the Treasurer to examine how the financial system could be positioned to best meet Australia’s evolving needs and support economic growth. The final report of the FSI was released in December 2014. The FSI included 44 recommendations in several financial sector areas, including on the resilience of the financial system and the strength of the regulatory system. The recommendations on financial system resilience called to enhance capital standards so that ADIs’ capital ratios are “unquestionably strong,” narrow mortgage risk weight difference between IRB and standardized ADIs, and implement a framework for minimum loss absorption and recapitalization capacity. The regulation-related recommendations focused on the need to: increase regulator accountability, provide regulators with more stable and flexible funding to effectively execute their mandate, strengthen ASIC funding and powers, strengthen the focus on competition, and increase the time to implement complex regulatory changes and conduct more frequent post-implementation reviews. Several reforms have been enacted and some are underway to implement the FSI recommendations.

The prudential framework is typically updated to respond to risks observed in the domestic and international environment, to ensure the domestic application of international standards, to update outdated standards or to align requirements across regulated industries where considered appropriate. APRA’s internal Prudential Policy Committee (PPC) monitors the age and relevance of the prudential framework. APRA’s Policy and Advice Division (PAD) is responsible for maintaining the effectiveness of prudential and reporting standards (and prudential practice guides). Within APRA, comprehensive guidance, commonly known as the ‘Red Guide,’ is available to guide the development of prudential policy. The policy development process comprises 29 key steps which are detailed in corresponding modules. The Red Guide includes a policy priority matrix which sets APRA’s prudential policy priorities (including amendments to legislation, prudential standards, reporting standards, and guidance) and which is approved biannually by APRA’s Executive Board (EB). Initiatives in the policy priority matrix are classified according to size in terms of resourcing, as well as urgency and strategic priority for APRA. Work on policy initiatives generally commences only when an item has been added to the policy priority matrix. Sound governance arrangements support the process with continuous internal consultation, project reporting requirements, and frequent communication being prominent features.

The making or amendment of legislative instruments is governed by the Legislation Act 2003, which imposes a number of requirements relating to consultation, content, and registration of legislative instruments. The Act (Chapter 3, Part 1, Section 17) stipulates that rule-makers should consult before making legislative instruments. It requires rule-makers to be satisfied that, before a legislative instrument is made, any consultation is undertaken if it is considered by the rule-maker to be appropriate and reasonably practicable to undertake. In determining whether any consultation that was undertaken is appropriate, the rule-maker may have regard to any relevant matter, including the extent to which the consultation drew on the knowledge of persons having expertise in fields relevant to the proposed instrument and ensured that persons likely to be affected by the proposed instrument had an adequate opportunity to comment on its proposed content. Based on the Legislation Act, such consultation could involve notification, either directly or by advertisement of the bodies or the organizations who are likely to be affected by the proposed legislative instrument. Such notification could also invite submissions to be made by a specified date or might invite participation in public hearings to be held concerning the proposed instrument.

APRA conducts extensive consultation before making, varying or revoking a prudential standard that is a legislative instrument. The consultation period is typically eight weeks but is often longer for major reforms. APRA addresses key comments made in submissions via a response paper which accompanies any final prudential standard released publicly. All non-confidential submissions are also published on APRA’s website.
EC5. The supervisor has the power to:
  • (a) have full access to banks’ and banking groups’ Boards, management, staff and records in order to review compliance with internal rules and limits as well as external laws and regulations;

  • (b) review the overall activities of a banking group, both domestic and cross-border; and

  • (c) supervise the activities of foreign banks incorporated in its jurisdiction.

Description and findings re EC5: The Banking Act and the prudential standards provide APRA with the power to have full access to the boards, management and records of banks and banking groups. They also empower APRA to review their activities in relation to prudential matters.

Section 13 of the Banking Act requires ADIs to supply information (including books, accounts or documents) relating to the ADI’s financial stability as required by APRA in a written notice.

Section 62 of the Banking Act includes more detailed requirements about the needs for ADIs and NOHCs to supply information to APRA and give it full access to their records. It requires:
  • an ADI, an authorized NOHC, and their subsidiaries to give APRA information in relation to them or in respect of any member of a relevant group of bodies corporate of which they are member;

  • if an ADI is a subsidiary of a foreign corporation (whether or not the ADI is itself a foreign ADI): (i) another subsidiary of the foreign corporation (other than a body mentioned above) that is incorporated in Australia to give APRA information in respect of the subsidiary; or (ii) another subsidiary of the foreign corporation (other than a body mentioned above) that is not incorporated in Australia and carries on business in Australia to give APRA information in respect of its Australian operations; and

  • any other person who carries on banking business in Australia to give APRA information in connection with the person’s banking business.

The section mentions that the requirement to supply information may include a requirement to supply books, accounts, or documents. It also mentions that a person commits an offence if it is required to provide APRA with information as mentioned above and fails to comply with the requirement.

Section 61 of the Banking Act gives APRA the power to appoint a person to investigate and report on prudential matters in relation to an ADI, an authorized NOHC, a subsidiary of an ADI or of an authorized NOHC, or a relevant subsidiary of a foreign corporation of which the ADI is also a subsidiary. If APRA has appointed such an investigator, the body corporate must give the investigator access to its books, accounts and documents, and must give the investigator such information and facilities as required to conduct the investigation and produce the report. A body corporate commits an offence if it fails to give the appointed investigator the needed access to books, accounts, and documents.

Prudential Standard CPS 510 Governance (CPS 510) requires directors and senior management of a locally incorporated APRA-regulated institution and the senior management of a foreign ADI to be available to meet with APRA on request (paras. 21 and 47 of CPS 510).

The Banking Act (Part II, Division 1A, Section 11B) gives APRA the power to monitor prudential matters. It states that APRA’s functions include:
  • the collection and analysis of information in respect of prudential matters relating to ADIs and authorized NOHCs;

  • the encouragement and promotion of the carrying out by ADIs and authorized NOHCs of sound practices in relation to prudential matters; and

  • the evaluation of the effectiveness and implementation of those practices.

The Banking Act provides APRA with broad powers to supervise banks and banking groups, including review of the overall activities of a banking group, both domestic and cross-border, and supervision of the activities of foreign banks in Australia. As part of routine supervision activities to perform the above functions, APRA conducts prudential reviews and prudential consultations requiring detailed information and documents to be provided to APRA. These reviews cover ADIs whether they are banks, banking groups, or NOHCs, and the scope of these reviews covers domestic as well as cross-border activities. These reviews also cover the activities of foreign banks in Australia.

The Financial Sector (Collection of Data) Act 2001 (FSCODA) also enables APRA to collect information for the purposes of assisting APRA to perform its functions or exercise its powers under other laws.

APRA also seeks information from other jurisdictions under MoU arrangements and attends/hosts supervisory colleges for complex institutions where information on supervisory risks and activities is exchanged (see CP 13 for more details).
EC6. When, in a supervisor’s judgment, a bank is not complying with laws or regulations, or it is or is likely to be engaging in unsafe or unsound practices or actions that have the potential to jeopardize the bank or the banking system, the supervisor has the power to:
  • (a) take (and/or require a bank to take) timely corrective action;

  • (b) impose a range of sanctions;

  • (c) revoke the bank’s license; and

  • (d) cooperate and collaborate with relevant authorities to achieve an orderly resolution of the bank, including triggering resolution where appropriate.

Description and findings re EC6:

Corrective Action Powers and Sanctions

Part II, Division 1BA of the Banking Act provides APRA with the power to issue directions to ADIs and authorized NOHCs and subsidiaries of ADIs or authorized NOHCs, including in the following cases:
  • The body corporate has contravened, or is likely to contravene, the provisions of the Banking Act, the FSCODA, a prudential requirement regulation, or a prudential standard;

  • The body corporate has contravened a condition or a direction under the Banking Act or the FSCODA;

  • The body corporate is conducting its affairs in an improper or financially unsound way or in a way that may cause or promote instability in the Australian financial system, is or is about to become unable to meet its liabilities, or there is or there might be a material deterioration in the body corporate’s financial conditions.

As previously mentioned, the directions given to a body corporate can comprise a series of measures, including: an order to comply with the Banking Act, the FSCODA, or a prudential requirement regulation or standard; an order to audit the affairs of the body corporate at its own expense; the removal of a director or senior manager of the body corporate or the appointment of person(s) as director or senior manager of the body corporate as directed by APRA; the removal of an auditor of the body corporate and appointment of another for such term as APRA directs; banning the body corporate from accepting deposits, borrowing, or undertaking any financial obligations on behalf of any person; prohibiting the payment of dividends; requiring changes to the body corporate’s systems, business practices or operations; and reconstructing, amalgamating or otherwise altering all or part of the business, structure, or organization of the body corporate or the group constituted by the body corporate and its subsidiaries. Non-compliance with a direction can result in criminal penalties.

APRA may investigate the affairs of an ADI, appoint a person to investigate the affairs of an ADI, take control of the ADI’s business or appoint an administrator to take control of the ADI’s business if:
  • - the ADI informs APRA that it is likely to become unable to meet its obligations or that it is about to suspend payment; or

  • - APRA considers that, in the absence of external support, the ADI may become unable to meet its obligations, may suspend payment, or will be unable to carry on banking business in Australia consistently with the interests of its depositors or with the stability of the financial system in Australia; or

  • - the ADI becomes unable to meet its obligations or suspends payment; or

  • - an external administrator has been appointed to a holding company of the ADI (or a similar appointment has been made in a foreign country in respect of such a holding company), and APRA considers that the appointment poses a significant threat to the operation or soundness of the ADI; the interests of depositors of the ADI; or the stability of the financial system in Australia; or

  • - if the ADI is a foreign ADI, an application for the appointment or an appointment of an external administrator or a similar procedure in relation to the foreign ADI has been made in a foreign country.

The statutory manager will remain in control until APRA considers that it is no longer necessary for a statutory manager to remain in control of the ADI’s business or if APRA has applied for the ADI to be wound up.

In addition, the Crisis Resolution Act has amended the Banking Act to give APRA additional powers for crisis management to facilitate an orderly resolution of distressed or failing regulated entities.

Under Section 21 of the Banking Act, and on application by APRA, the Federal Court of Australia may disqualify a person from being or acting as a director or senior manager of an ADI (other than a foreign ADI) or an authorized NOHC, a senior manager of the Australian operations of a foreign ADI, or an auditor of an ADI or authorized NOHC, if the Court is satisfied that the person is not fit and proper. The disqualification order may be in relation to a particular ADI or authorized NOHC, or a class or all of them.

Further, the Treasury Laws Amendment (Banking Executive Accountability and Related Measures) Act 2018 (BEAR Act) was enacted in February 2018 and becomes effective on July 1, 2018. Under the new Section 37J, APRA may disqualify a person from being or acting as an “accountable person.” The following persons are accountable persons of an ADI:
  • - an individual who holds a position in the ADI with actual or effective senior executive responsibility for management or control of the ADI, or a significant or substantial part of aspects of the ADI’s operations or corporate group; this includes: board members, general managers, senior executive responsibility for management of the ADI’s financial resources, overall risk controls and/or overall risk management arrangements of the ADI, management of the ADI’s operations, information management (including information technology systems) for the ADI, management of the ADI’s internal audit function, management of the ADI’s compliance function, management of the ADI’s human resources function; management of the ADI’s anti-money laundering function.

  • - apart from accountable persons of an ADI, the Banking Act also provides for accountable persons of an ADI’s subsidiary, where appropriate.

There are various other sanctions provided for under the Banking Act, for example, injunctions under Section 65A, issuance of directions under Section 11CA, and civil penalties.

License withdrawals

Section 9A of the Banking Act allows APRA to revoke a license to carry on banking business in Australia under certain circumstances, including for the following:
  • - if the licensed entity provided, in connection with its licensing application, information that was false or misleading in a material issue;

  • - non-compliance with the Banking Act or regulations/standards, FSCODA, a direction, a condition of its authority to carry on banking business in Australia or a provision of Australian federal law specified in regulations;

  • - where it would be contrary to the national interest, financial system stability in Australia or the interests of depositors for the authority to continue;

  • - the ADI is insolvent and unlikely to return to solvency within a reasonable period of time;

  • - if the ADI is a foreign corporation, it is unlikely to meet its liabilities in Australia and is unlikely to be able to do so within reasonable time or its authority to carry on banking business in a foreign country has been revoked or withdrawn.

Cooperation and coordination on resolution of banks

APRA is the lead resolution authority in Australia and has a wide range of enforcement and crisis management powers to deal with institutions engaging in unsafe and unsound practices or which may be failing or likely to fail. The CFR coordinates resolution activities and operates in accordance with a MoU on financial distress management, which sets out the objectives, principles, and processes for dealing with stresses in the Australian financial system. The CFR has a key relationship with the New Zealand authorities via the Trans-Tasman Council on Banking Supervision (TTBC) operating under the Memorandum of Cooperation on Trans-Tasman Bank Distress Management, which outlines principles and expectations on coordination between agencies. Additionally, a Protocol for Coordination of Crisis Communications was established in July 2014 by the TTBC setting out communication principles, areas of responsibilities, objectives, and development and coordination of media statements. TTBC agencies have progressed work in several areas relating to crisis cooperation, including resolution strategies, operational matters, and simulations. The latest TTBC crisis simulation was undertaken in September 2017.

The Crisis Resolution Act further enhanced and aligned APRA’s crisis management powers across regulated industries and strengthened the foundation for orderly resolution of financial institutions, in such a way as to protect the interests of beneficiaries. As mentioned above, APRA’s suite of resolution powers includes the right to appoint a statutory manager for problem ADIs acting with the same powers and functions as the ADI board, with the right to sell or otherwise dispose of the whole or any part of the ADI’s business. In addition, based on section 16AAA of the Banking Act, APRA can apply to the Federal Court of Australia for an order that an ADI be wound up if APRA considers that the ADI is insolvent and could not be restored to solvency within a reasonable period.

Under Section 56(5)(a) of the APRA Act, APRA can share information with a foreign agency responsible for supervising or regulating financial institutions where the information will assist the agency to perform its functions or exercise its powers. More widely, APRA’s approach to cooperation on cross-border crisis management is supported by MoUs with various domestic and international agencies.
EC7: The supervisor has the power to review the activities of parent companies and of companies affiliated with parent companies to determine their impact on the safety and soundness of the bank and the banking group.
Description and findings re EC7: As per section 62 of the Banking Act, APRA can seek information from:
  • - an ADI, in respect of the ADI or any member of the relevant group of bodies corporate of which the ADI is a member;

  • - an authorized NOHC, in respect of the NOHC or in respect of any member of a relevant group of bodies corporate of which the NOHC is a member;

  • - a subsidiary of an ADI or an authorized NOHC, in respect of the subsidiary or in respect of any member of a relevant group of bodies corporate of which the subsidiary is a member;

  • - another subsidiary of the parent foreign corporation of an ADI (whether or not the ADI is itself a foreign ADI) that is incorporated in Australia or carries on business in Australia, in respect of its Australian operations;

  • - any person who carries on banking business in Australia, in connection with the person’s banking business.

As per Section 61 of the Banking Act, APRA has the power to appoint an investigator to an authorized NOHC and subsidiaries of an ADI or authorized NOHC. Further, under the Crisis Resolution Act, a new provision has been inserted in the Banking Act to allow APRA to give a notice to a holding company of an ADI to require it to ensure that it or one of its subsidiaries becomes an authorized NOHC of the ADI (Section 11AE). In addition, APRA may, at the point of authorizing an ADI, make the authority conditional on any holding company of the would-be ADI being an authorized NOHC (subsection 9AA(3)).

At the time of authorizing an ADI, APRA also receives an undertaking from the foreign parent to keep APRA informed of any significant developments adversely affecting its financial soundness and/or reputation globally.

APRA has established MoUs with various international regulators through which it can seek information on the parent and group activities of foreign ADIs.
Assessment of Principle 1: Compliant
Comments: APRA has broad powers and clear responsibilities underpinned mainly by the Banking Act and APRA Act. APRA is responsible for the prudential regulation and supervision of ADIs. Other agencies are also involved in banking regulation. ASIC is involved in the banking sector through its role in licensing of financial service and credit providers and market conduct, while the Treasury advises the Government on the legislative and regulatory framework underpinning the financial system. AUSTRAC is also relevant for banking regulation given it administers Australia’s AML/CFT laws.

The objective of APRA in promoting financial system stability is laid out in the APRA Act. The APRA Act requires APRA to pursue this objective while balancing other wider objectives such as financial safety, efficiency, competition, contestability, and competitive neutrality. In its actions, APRA seems focused on its financial stability mandate even as more competition is being allowed in the banking sector. This balancing act may not be easy to achieve at all times and may require a continuous review of the regulatory and supervisory framework as well as a regular upgrading of supervisory resources and skills to effectively achieve the ultimate financial stability objective in an environment that is increasingly focused on competition and reducing barriers to entry in the banking sector. In this context, the assessors believe that it would be useful to consider clarifying further the primary nature of APRA’s financial stability mandate and that the other objectives are subordinate to it. This would better clarify the expectations about APRA’s responsibilities and objectives, particularly in relation to the overarching financial stability considerations in prudential policy making and supervisory decisions and processes.

APRA also has broad powers to review the activities of banks and banking groups and to take a range of corrective actions and sanctions in cases of breaches of laws and prudential standards or to address unsafe and unsound banking practices.

Laws and regulations provide APRA with broad powers to set and enforce prudential regulations and vary their severity and complexity based on the size, systemic importance, and risk profile of ADIs on a standalone and group-level basis. Prudential standards are legislative instruments, but they are subject to parliamentary scrutiny and could be disallowed by the Parliament. While this seems to be exceptional and has not happened in practice, it raises a potential concern about APRA’s regulation-setting powers.

Having said that, significant reforms have been passed over the recent years to strengthen the resilience of banks through the application of Basel III standards and other recommendations of the FSI, as well as to strengthen APRA’s powers particularly in relation to crisis management, resolution, and enforcing bank governance rules.

Based on the above, the main gap in relation to this principle is the need for APRA to table its prudential regulations in the Parliament, which could subject them to being disallowed by the Parliament. While this can be considered part of the checks and balances in the Australian democratic process, it could potentially lead, in extreme situations, to the failure of APRA to introduce a key prudential standard or to change a key element of its prudential framework, which could potentially limit APRA’s ability to achieve its primary objectives. The nature of this limitation is similar to the Minister’s ability to issue directions to APRA on policies it should pursue (see CP 2). To avoid double jeopardy, this issue is dealt with as part of the assessment of CP2. Based on that, a full grade has been given to this standard. Were it not for double jeopardy, this standard would have been graded as largely compliant.
Principle 2: Independence, accountability, resourcing, and legal protection for supervisors. The supervisor possesses operational independence, transparent processes, sound governance, budgetary processes that do not undermine autonomy, and adequate resources, and is accountable for the discharge of its duties and use of its resources. The legal framework for banking supervision includes legal protection for the supervisor.
Essential criteria
EC1: The operational independence, accountability, and governance of the supervisor are prescribed in legislation and publicly disclosed. There is no government or industry interference that compromises the operational independence of the supervisor. The supervisor has full discretion to take any supervisory actions or decisions on banks and banking groups under its supervision.
Description and findings re EC1: APRA is established under Section 7 of the APRA Act. It is a statutory authority legally separate from the Commonwealth. However, for the specific purposes of the Public Governance, Performance, and Accountability Act 2013 (PGPA Act), APRA is taken to be part of the Commonwealth.

Independence

APRA’s operational processes are stipulated in the APRA Act and its prudential powers are mainly based on the Banking Act. While APRA’s independence is not explicitly mentioned in the APRA Act, the Act provides APRA with broad operational powers by stating that APRA has power to do anything that is necessary or convenient to be done in connection with the performance of its functions. In addition, APRA has broad powers to enforce prudential standards and take corrective actions against unsound practices (as discussed in BCP1).

The Government periodically issues a Statement of Expectations to APRA that clarifies the Government’s expectations of APRA and the implementation of its role, responsibilities, and priorities. APRA responds to the Statement of Expectations with a Statement of Intent. Both the Statement of Expectations and Statement of Intent are published on APRA’s website. These statements seem to be fairly high-level. They clarify the overall priorities of the Government in relation to financial sector issues and APRA’s response on how it intends to apply policies that fit the Government’s expectations.

The latest Government Statement of Expectations with respect to APRA was issued in 2014.¹² In that statement, the Government expected APRA to take into account the Government’s broad policy framework, including its deregulation agenda. It expected that APRA would look for opportunities to reduce compliance costs for business and the community and would comply with the Government’s enhanced regulatory impact analysis for all regulatory proposals. It also mentioned that the Government prefers principles-based regulation and expects APRA to act in accordance with regulatory best practice in its decision-making policies and processes to maximize efficiency, effectiveness, and transparency, and minimize compliance costs. In its Statement of Intent, APRA responded by expressing support for the Government’s commitment to reducing red tape and compliance costs for business and the community. It mentioned that APRA was undertaking a structured consultation with the industry designed to identify specific, quantifiable options for cost savings related to APRA’s regulatory and supervisory framework that can be realized without compromising sound prudential outcomes. APRA’s statement also highlighted that it adopts a risk-based approach to supervision which seeks to maintain a low incidence of failure of APRA-regulated institutions while not impeding continued improvement in efficiency or hindering competition.

APRA has the power to make Prudential Standards. It is also able to issue enforcement orders, appoint a statutory manager and to take a range of other prudential actions of its own initiative.

While APRA possesses, in practice, a reasonable degree of institutional independence in exercising its powers to determine prudential policy and in the manner in which it conducts its supervisory operations, the APRA Act imposes constraints that could potentially undermine APRA’s independence in setting its policy agenda and priorities. Section 12 of the APRA Act grants the Minister the power to give APRA a written direction about policies it should pursue, or priorities it should follow, in performing or exercising any of its functions or powers. The Minister must not give such a direction unless s/he has notified APRA in writing that s/he is considering giving the direction and s/he has given the Chair an adequate opportunity to discuss with the Minister the need for the proposed direction. These directions seem to provide a direct or indirect platform to influence APRA’s policies, which may limit the full independence of APRA. However, the APRA Act provides a layer of protection by stipulating that the Minister must not direct APRA about a particular case, i.e., on decisions concerning individual institutions. The APRA Act requires the direction to be published in the Gazette and tabled in the Parliament, but failing to do so does not affect the validity of the direction. It is also worth noting that, to date, the Minister has never exercised this power to make directions to APRA. This written direction by the Minister adds another potential constraint, on top of the Parliamentary veto powers (discussed in BCP 1), which could potentially limit APRA’s independence in relation to prudential standard setting.

The Treasurer also has an approval power for changes in ownership and merger and acquisition transactions in the financial sector. Certain smaller transactions may be delegated to APRA to approve without Government involvement (see BCP 6 for more details).

Governance

As per the APRA Act, the governance structure of APRA comprises a full-time Executive Board of at least three and no more than five members. The Executive Board is responsible and accountable for the operations and performance of APRA. At least three of the APRA members must be appointed as full-time members, and each of the other APRA members (if any) may be appointed as a full-time or part-time member. APRA Members are appointed by the Governor-General by written instrument.

The Executive Board meets formally on a monthly basis, and more frequently as required, to discuss and resolve the major policy, supervisory and strategic issues facing APRA at the time. It also holds management meetings with APRA’s senior management at least weekly for high-level information sharing and decisions on more routine supervisory and organizational matters.

APRA’s Executive Board has long comprised three members: a chair, a deputy chair, and a board member. At the end of May 2018, the Treasurer introduced a new Commonwealth bill that would allow a second deputy chairperson to be appointed to APRA. The Treasury Laws Amendment (APRA Governance) Bill 2018 was introduced into the House of Representatives on May 24, 2018. If passed, the amendments will apply to the APRA Act 14 days after receiving the Royal Assent. In introducing the Draft Bill to the Parliament, the Treasurer explained that “permitting a second deputy chair to be appointed will provide greater flexibility in the way in which APRA is governed and for the allocation of responsibilities to each member. This helps to maximize the skills and capabilities available to APRA within its leadership. In so doing, the changes can facilitate more oversight of the financial sector at this critical time, as well as allow the chair to have a greater oversight of the entire system and of APRA’s overall performance. These amendments will enhance the ability of APRA to undertake its critical functions. The ability to appoint up to two deputy chairs will assist with the recruiting of very senior and experienced members as needed, and so enhance the ability of the APRA executive group to manage new or more complex issues in the future. The amendments would permit, but not require, that there be two deputy chairs, thereby providing flexibility depending on the circumstances. Similarly, the legislation does not prescribe a particular role for each deputy.”

At the end of May 2018, the Government nominated the current Treasury Deputy Secretary to become the additional Deputy Chair at APRA. This appointment will also be for a five-year term and is conditional on the approval of the Governor-General and on Parliament agreeing to the above-mentioned Bill to allow the appointment of up to two Deputy Chairs.

Accountability

There are several accountability mechanisms in place to ensure that there is adequate scrutiny over APRA’s performance against its objectives. These mainly include: the preparation and publication of APRA’s Corporate Plan every year providing a plan over the next four years, the publication of an annual performance statement that demonstrates performance against stated objectives, the obligation to report against the Australian Government’s Regulator Performance Framework, and the subjection of APRA to Australian National Audit Office (ANAO) financial and performance audits. Please refer to EC3 for more details about these various accountability elements.

In addition to the above, APRA can be asked by the Parliament to appear before House and Senate Committees on an ad hoc basis, as well as having a standing appearance before Senate Committees, three times a year, via its responsible Ministers, the Treasurer, and the Minister for Revenue and Financial Services.
EC2: The process for the appointment and removal of the head(s) of the supervisory authority and members of its governing body is transparent. The head(s) of the supervisory authority is (are) appointed for a minimum term and is removed from office during his/her term only for reasons specified in law or if (s)he is not physically or mentally capable of carrying out the role or has been found guilty of misconduct. The reason(s) for removal is publicly disclosed.
Description and findings re EC2: The APRA Act provides for the appointment of APRA Members, restrictions on appointments, appointments of the APRA Chair and Deputy Chair, and acting appointments.

Section 16 of the APRA Act states that APRA is to consist of not fewer than three members nor more than five members. At least three of the APRA members must be appointed as full-time members, and each of the other APRA members (if any) may be appointed as a full-time or part-time member. APRA Members are appointed by the Governor-General, by written instrument, usually on the advice of the Treasurer.

As discussed in EC1, APRA’s Executive Board has historically consisted of three members: a Chair, a Deputy Chair, and a Board Member. This is currently the case. However, in May 2018 the Treasurer introduced a change to the APRA Act to allow the appointment of a second Deputy Chair. The Government has nominated the second Deputy Chair, whose confirmation is subject to the enactment of the new Bill amending the APRA Act and the approval of the Governor-General.

Section 17 of the APRA Act sets out some criteria and restrictions on the appointment of persons as APRA members, mainly as follows:
  • - The Minister is satisfied that the person is qualified for appointment by virtue of his or her knowledge or experience relevant to APRA’s functions and powers;

  • - The person cannot be appointed if s/he is a director, officer or employee of a body regulated by APRA;

  • - A person who is a director, officer or employee of a body operating in the financial sector, other than a body regulated by APRA, may be appointed as an APRA member, but only if the Minister considers that the person will not be prevented from the proper performance of the functions of the office because of resulting conflicts of interest.

Section 18 of the APRA Act states that the Governor-General appoints APRA’s Chair and Deputy Chair from among full-time APRA members, which in practice occurs based on the advice of the Treasurer.

The APRA Act (section 20) states that an APRA Member holds office for the period specified in the instrument of appointment. The period must not exceed five years. The APRA Act does not deal specifically with reappointments; however, reappointments occur regularly in practice.

In addition to the above, section 19 of the APRA Act grants the Minister the power to decide on acting appointments. Based on this section, the Minister can:
  • - appoint a person to act as a full-time APRA member during any period when there are fewer than five persons who are APRA members; or

  • - appoint a person to act as a part-time APRA member during any period when: (i) there are fewer than five persons who are APRA members; and (ii) there are at least 3 persons who are full-time APRA members; or

  • - appoint a person to act in the place of a full-time APRA member or part-time APRA member during any period when the APRA member is acting as Deputy Chair, is absent from duty, or is, for any reason, unable to perform the functions of his or her office; or

  • - appoint an APRA member to act as Chair or Deputy Chair in case of the vacancy of these posts or if the persons that were assuming these posts are absent from duty, or are, for any reason, unable to perform the functions of their office.

The persons appointed by the Minister under the first two points above and in case of filling a vacancy must not continue to act under the appointment for more than 12 months.

The APRA Act (section 22) stipulates that an APRA member is to be paid the remuneration that is determined by the Remuneration Tribunal as well as the allowances that are prescribed. The Remuneration Tribunal periodically publishes determinations relating to the remuneration of appointed officeholders, including APRA Board Members. Based on the APRA Act, if no determination of that remuneration by the Tribunal is in operation, the member is to be paid the remuneration that the Minister determines. However, this has not happened in practice.

The functions of an APRA member terminate immediately if s/he takes a position with a body regulated by APRA.

While the Governor-General is granted the power to terminate appointments, the APRA Act includes fairly strict reasons for such termination:
  • - Misbehavior, physical or mental incapacity, or bankruptcy;

  • - Extended absence for full-time members or absence from three consecutive APRA meetings for part-time members (except in cases of leave of absence);

  • - Engagement of a full-time member in another paid employment (without the Minister’s approval) or engagement of a part-time member that conflicts or could conflict with his or her APRA functions;

  • - If the member becomes a director or officer of a body operating in the financial sector (other than APRA regulated entities) and the Minister considers that this causes a conflict of interest with the APRA functions of the member;

  • - If the member has an interest that has been or should have been disclosed (to APRA members and to the minister) and this interest conflicts or could conflict with the proper performance of the member’s functions.

However, under the APRA Act, the reasons for the removal of an APRA Member do not need to be publicly disclosed. The authorities informed the assessors that while there is no express requirement to publicly disclose the reason for the removal of an APRA member, they would expect the relevant minister to make such disclosure if this power was ever exercised.
EC3: The supervisor publishes its objectives and is accountable through a transparent framework for the discharge of its duties in relation to those objectives.¹³
Description and findings re EC3: There are several accountability mechanisms in place to ensure that there is adequate scrutiny over APRA’s performance against its objectives, briefly listed below:
  • - In Australia, Commonwealth entities must prepare and publish a Corporate Plan at the beginning of the reporting cycle setting out information on key strategies and activities over a rolling four-year period. APRA’s Corporate Plan for the period 2017–21 is published on its website. APRA’s Corporate Plan includes its vision and mission statement. It also outlines how APRA will strengthen its core functions and capabilities during 2017–21 through delivery of its strategic initiatives: Enhancing leadership, culture and opportunities for APRA’s people; Honing governance and workplace effectiveness; Sharpening risk-based supervision; and Building recovery and resolution capability.

  • - APRA publishes its Annual Performance Statement which demonstrates performance against stated objectives. The annual performance statement for APRA is included in APRA’s Annual Report which is tabled in Parliament. The Annual Report also includes the Performing Entity Ratio and Money Protection Ratio which are indicative of APRA’s supervisory performance.

  • - APRA is also required to report annually against the Australian Government’s Regulator Performance Framework (RPF), which assesses Commonwealth regulators’ performance when interacting with business, the community and individuals against a common set of performance indicators. APRA’s self-assessment is externally validated by stakeholders through an approved stakeholder mechanism. The results of the validation process are incorporated in the final published version available on APRA’s website.

  • - APRA is also subject to, and adheres to, the Public Governance, Performance and Accountability Act 2013 (PGPA Act), which covers governance, performance, accountability and the management of public resources by Commonwealth departments and agencies. APRA is also subject to Australian National Audit Office (ANAO) financial and performance audits. Audit reports and transcripts of appearances before Parliament are publicly available. APRA is subject to, and complies with, the best practice regulation process administered by the Office of Best Practice Regulation. This includes cost/benefit assessments of regulatory changes and Regulation Impact Statements.

In addition to the above, APRA can be asked by the Parliament to appear before House and Senate Committees on an ad hoc basis, as well as having a standing appearance before Senate Committees, three times a year, via its responsible Ministers, the Treasurer, and the Minister for Revenue and Financial Services.
EC4: The supervisor has effective internal governance and communication processes that enable supervisory decisions to be taken at a level appropriate to the significance of the issue and timely decisions to be taken in the case of an emergency. The governing body is structured to avoid any real or perceived conflicts of interest.
Description and findings re EC4: The APRA Act (Part 3, Division 3) includes details about the meetings of the APRA Executive Board, the quorum in the meetings, the voting process in the meetings as well as the conduct of these meetings. The APRA Act states that APRA must hold meetings as necessary for the efficient performance and exercise of its functions and powers. While APRA’s Chair determines the time and places of the meetings, s/he must convene a meeting if requested in writing by two or more APRA members. The quorum for the meeting is two members if APRA consists of 3–4 members (otherwise, it is three) and decisions are taken based on a majority of the votes of present and voting members.

In practice, APRA has established a Charter for the Executive Board that sets out the functions and responsibilities of the Executive Board under the APRA Act. The Executive Board meets monthly and is responsible for the operations of the agency and for overseeing delivery of services and functions against APRA’s mandate. The Executive Board Charter also includes provisions on voting powers and decision-making processes that may allow for timely decision in cases of emergency. Based on the Charter, the APRA Members seek to make decisions by consensus. Where this is not possible, questions are determined by a majority of votes of APRA Members present and voting. The person presiding at a meeting has a deliberative vote and, if necessary, a casting vote. The APRA Members have established procedures for the passing of resolutions without a formal meeting (Section 32 of the APRA Act) which include a quorum of APRA Members agreeing by way of telephone or video conference or by circular resolution.

APRA’s Executive Board is supported by a number of internal governance committees. APRA’s operations are subject to oversight by a Risk Management Committee (RMC) and an Audit Committee that comprise an independent Chair, an independent member and APRA’s Deputy Chair. The independent members of the committees are appointed by the APRA Chair. These committees are governed by internal charters describing their functions and responsibilities, the frequency and conduct of their meetings, their reporting lines, and their relationship among each other. They are supported by internal assurance functions including internal audit, risk management, and quality assurance. APRA is also subject to external audit (financial and performance) by the ANAO.

APRA has an established Enterprise Risk Management (ERM) framework and a number of policies and procedures that outline internal processes, controls, checks, and balances covering key functional/risk areas. APRA has clearly documented delegations and procedures for decision-making including decisions concerning interventions with significant impact. APRA has a framework for escalation of entities in times of stress moving from a supervisory stance of Normal to Restructure, with supervisory actions/interventions at each stage. More details on APRA supervisory decision-making procedures are found in other principles, including CPs 8, 9, and 11.

As mentioned in EC2, there are several provisions in the APRA Act to avoid conflict of interest by APRA members. These include:
  • The need for an APRA member to disclose any interest that the member has (in writing to the Minister and to each of the other APRA members) if it conflicts with the proper performance of his or her functions.

  • The need for an APRA member to refrain from deciding on a particular matter in case of conflict of interest unless the member has disclosed that interest to the other APRA members and each of them consented to the member performing that role in deciding that matter despite the potential conflict of interest.

  • The immediate termination of an APRA member when s/he becomes a director or officer of an APRA-regulated body.

  • The right of the Governor-General to terminate the appointment of an APRA member when: s/he engages in another employment that conflicts or could conflict with the proper performance of his or her functions at APRA; s/he becomes a director or an officer of a financial sector entity (not regulated by APRA) and the Minister considers that this may prevent him or her from properly performing his or her functions due to resulting conflict of interest; or if the member has an interest that has been or should have been disclosed and that this interest conflicts or could conflict with the proper performance of the member’s functions.

APRA members should also abide by the APRA Code of Conduct discussed in EC5, which is also supported by an internal Disclosure of Interests Policy.
EC5: The supervisor and its staff have credibility based on their professionalism and integrity. There are rules on how to avoid conflicts of interest and on the appropriate use of information obtained through work, with sanctions in place if these are not followed.
Description and findings re EC5: All APRA staff are expected to demonstrate high standards in undertaking their roles to demonstrate the five core APRA Values of Integrity, Collaboration, Respect, Excellence, and Accountability and to ensure that they meet APRA’s Code of Conduct. Based on the APRA Act, the Chair must determine APRA Values and must uphold and promote them. Other APRA members and APRA Staff must also uphold these values. Discussions with banks and other stakeholders confirmed the high regard accorded to APRA staff and their skills, as well as to the professionalism shown by APRA in performing its supervisory activities.

APRA conducts biennial stakeholder surveys to seek feedback on, amongst other things, the integrity and professionalism of APRA staff. The stakeholder survey results are made public and referenced in APRA’s self-assessment against the RPF. The latest survey was published in October 2017. It covered regulated entities (RE) and knowledgeable observers (KO). While both REs and KOs had a mostly positive view of APRA’s key supervisory activities, REs were generally a little more positive than KOs. Stakeholders generally agreed that APRA staff significantly demonstrate the organization’s core values, which was an aspect of the survey results where REs were very consistently more positive than KOs. Below are the ratings assigned in respect of APRA’s core values as published in the 2017 survey.
| | Integrity | Professionalism | Collaboration | Accountability | Foresight |
|---|---|---|---|---|---|
| REs | 96% | 94% | 82% | 79% | 71% |
| KOs | 82% | 80% | 68% | 69% | 57% |
The APRA Act stipulates that the Chair must also determine APRA’s Code of Conduct, which should apply to APRA members and Staff. The Code of Conduct, amongst other things, requires employees to:
  • carry out duties and responsibilities to the highest standards of professional and personal behavior and with diligence, impartiality and responsiveness;

  • be alert to any situations where their private interests and those of their immediate family where known (declared annually) could conflict or be perceived to be in conflict with duties performed at APRA. This is particularly relevant to ownership of interests in securities of institutions regulated by APRA and those institutions pending licensing approval;

  • decline offers of sponsored travel and expensive gifts or hospitality. Offers of modest gifts or hospitality may be accepted;

  • respect confidential or sensitive information they have access to and not take advantage of, or allow others to take advantage of, information or knowledge obtained during the course of their employment;

  • note that any outside employment that threatens to conflict with the interests and responsibilities of APRA should be drawn to the attention of relevant managers; and

  • disclose any equity holdings they have in APRA-regulated entities and abide by the Staff Disclosure of Interests Policy in acquiring financial holdings.

The APRA Code of Conduct requires employees to immediately report any suspected breach to their immediate manager or to the General Manager, People, and Culture. APRA takes all reports of potential Code violations seriously and, where required, will investigate complaints or alleged breaches. If an investigation is required due to a potential Code violation, APRA may suspend the concerned person’s employment while the investigation is undertaken if APRA believes, on a reasonable basis, it is appropriate to do so. Employees who breach the standards of conduct set out in the Code may face disciplinary action up to, and including, termination of employment.

Section 56 of the APRA Act imposes detailed and thorough secrecy and confidentiality obligations upon APRA members and employees in relation to protected non-public information acquired and documents reviewed in the course of performing their duties. A person (including APRA staff and members) commits an offence and may face imprisonment for two years if this person discloses the information or produces the documents to another person, and the limited exceptions in section 56 that are necessary for the effective performance of APRA’s functions do not apply. Where a disclosure is made under an exception in section 56, conditions may be imposed on the recipient. It is an offence for the recipient to fail to comply with a condition, with a maximum penalty of two years’ imprisonment.

Section 57 of the APRA Act gives APRA the power to determine that a document given to APRA under a reporting standard does not contain confidential information, when APRA considers that the benefit to the public from disclosing the document or information outweighs any detriment to commercial interests that the disclosure may cause. However, APRA should give the interested parties a reasonable opportunity to make representations in relation to the confidentiality of the concerned documents or information.
EC6: The supervisor has adequate resources for the conduct of effective supervision and oversight. It is financed in a manner that does not undermine its autonomy or operational independence. This includes:
  • (a) a budget that provides for staff in sufficient numbers and with skills commensurate with the risk profile and systemic importance of the banks and banking groups supervised;

  • (b) salary scales that allow it to attract and retain qualified staff;

  • (c) the ability to commission external experts with the necessary professional skills and independence, and subject to necessary confidentiality restrictions to conduct supervisory tasks;

  • (d) a budget and program for the regular training of staff;

  • (e) a technology budget sufficient to equip its staff with the tools needed to supervise the banking industry and assess individual banks and banking groups; and

  • (f) a travel budget that allows appropriate onsite work, effective cross-border cooperation and participation in domestic and international meetings of significant relevance (e.g., supervisory colleges).

Description and findings re EC6: (a) APRA Budget

APRA is funded primarily by levies imposed on all regulated institutions with a smaller contribution of income from fees and charges related to the cost of providing specific services or processing specific applications. Industry levies are raised according to the Financial Institutions Supervisory Levies Collection Act 1998 and industry-specific Supervisory Levy Imposition Acts relevant to each of APRA’s regulated industries. Following consultation with industry, the Minister determines the levy rates for each regulated industry prior to the beginning of each financial year. Industry levies are based on the costs incurred in APRA discharging its duties with respect to each sector and include other industry-specific collections for other government agencies.

APRA’s budget is set by the Australian Government after consideration of funding requests proposed by APRA Members, taking into consideration organizational needs and the regulatory environment. Since APRA’s formation, successive Governments have supported APRA in this manner, ensuring that APRA’s funding is sufficient to enable it to discharge its prudential and supervisory functions. New funding/funding cuts require Government endorsement; however, ongoing funding (which makes up the majority of APRA’s funding) does not need annual re-approval. Further, Government does not sign off on how APRA distributes its resources.

APRA’s financial arrangements are governed by the PGPA Act applicable to Australian Government departments and most statutory authorities. The PGPA Act imposes a range of measures designed to improve financial accountability and promote appropriate and economical use of resources by the agencies and authorities covered by the Act.

APRA is periodically subject to efficiency dividends and potential budget constraints from Government. The intended objective of those efficiency dividends is to drive efficiency savings and improve the overall budget position. As such, agencies are required to meet reductions in their base expenditure levels at a set amount per year. Based on discussions with APRA, these have generally not impacted significantly on APRA’s overall operational ability to perform its functions.

If APRA is asked to undertake new activities or considers that it is inadequately resourced to meet future demands it can submit a New Policy Proposal (NPP) to the Government. If approved by the Government, the approval of the Parliament is sought through legislation prior to appropriations being made. APRA has also received special appropriations from the Government to deal with particular matters (for example, significant additional funding was provided to enhance APRA’s ability to deal with the global financial crisis).

In the 2017–18 Federal budget, APRA obtained an additional A$40 million, approximately, of new funding over four years (of which A$7 million will be received in 2017/18) to cover a number of new initiatives as a result of its expanding areas of activity including stress testing, IT security, review of industry remuneration practices, data analytics, and financial claims scheme administration. As a result of these additional budget allocations, APRA’s expense budget will be sufficient to provide for a staffing complement of 626 staff which is a net increase of 21 staff compared to the previous budget.

While APRA’s budget has increased by an annual average of around 2.7 percent since 2014, this growth could be lower were it not for the new funding that was approved in 2017–18. In addition, the operational costs incurred per A$ 1000 of assets supervised have declined by almost a third since 2011 (they were almost 3 cents in 2011 and are slightly higher than 2 cents in 2017). While this may not be a perfect indicator to measure budget sufficiency, it shows that the growth in APRA’s budget and costs was far lower than the growth of the assets it supervises.

In 2014, the Government also announced that it would consider the FSI recommendation on adopting a three-year funding model for APRA and ASIC and the operational flexibility and staffing arrangements for each of the regulators after the ASIC capability review was completed. To date, the Government has no known plan to move ASIC or APRA to a three-year funding model.

Based on all the above, it seems that APRA’s budget is subject to a set of constraints that could potentially impact the normal operations of APRA and its ability to effectively deliver on its objectives. The need for government endorsement in case of new funding and the efficiency dividend requirements could potentially limit the ability of APRA to conduct its routine supervisory activities and take new initiatives to address any emerging issues and risks in the banking system. While noting that successive governments have supported APRA funding and allowed, in some instances, for additional funding to cover certain initiatives, the funding process does not provide APRA with sufficient flexibility and visibility to smoothly plan its activities and perform its functions in a sufficiently autonomous way.

(b) Salary Scales to attract / retain high quality staff

APRA is strongly committed to the recruitment and retention of appropriate staff to support its objectives. The Federal Remuneration Tribunal sets pay levels for all federal statutory roles, which includes the APRA members. The remainder of the Executive Group’s remuneration is determined with reference to the financial sector market data and in line with existing pay scales within APRA. As with every other Australian Government entity since bargaining was devolved to agencies in the 1990s, consecutive Government bargaining policies have applied to APRA. The current policy is the Workplace Bargaining Policy 2018, administered by the Australian Public Service Commission (APSC). This policy imposes constraints on APRA’s employment and remuneration policies. The Policy requires the approval of the APS Commissioner prior to any proposed increase in remuneration being discussed with employees. It also sets a cap on remuneration increases of up to 2 percent per annum. This is a maximum cap applied across all Government agencies, including APRA, irrespective of financial market movements.

While APRA is generally able to attract and retain qualified staff and adequate skills, those policies are increasingly limiting APRA’s ability to attract and retain specialist skills and capabilities, particularly those that are in high demand or at more senior levels. APRA indicated that it has a number of remuneration levers available under its current enterprise agreement with some individual flexibility arrangements to attract targeted specific skillsets. The limits imposed on APRA staff enterprise agreement, including on remuneration adjustments and conditions, may not have to date substantially impacted the overall ability of APRA to attract and retain good and competent supervisory skills at the general level. However, the current policy seems constraining since it is creating difficulties and challenges for APRA to attract and retain highly specialized skills and appropriate talent in a competitive market.

APRA historically targets an average remuneration around the 25th percentile of the financial sector, with flexibility in pay scales at each level. However, it seems now that APRA is behind the target range and this position could worsen further with the APS limitations. APRA’s remuneration levels are to some degree aligned with the finance sector but APRA cannot match the higher end of the sector, especially in the areas of long-term incentives and bonuses. APRA conducts market surveys with respect to salaries, with the last one conducted in 2016. The survey confirmed the impact of the currently imposed limitations on APRA’s ability to attract and retain the staff it needs.

It is worthwhile noting that the APRA overall voluntary turnover rate has witnessed a fluctuating trend in the last period to reach 7.5 percent in May 2018. However, the turnover rate is higher for the risk specialist team (Risk and Data Analytics Division) and has been on an increasing trend in the last few years to reach around 13.75 percent in May 2018. These conditions may reduce the competitiveness of APRA staffing and remuneration conditions compared to the market, which could potentially impact APRA’s ability to attract and retain the needed supervisory resources and skills.

(c) The ability to Commission External Experts

The APRA Act (section 47) enables APRA to engage consultants or other people to provide advice to APRA or to perform services for APRA. These persons are subject to the secrecy obligations and confidentiality restrictions set in section 56 of the APRA Act (refer to EC5 for more details) which applies not only to APRA members and staff but to any other person who, because or in the course of his or her employment, has acquired protected information or has had access to protected documents.

APRA has not yet commissioned external experts to do supervisory work. However, it usually requires banks to engage external auditors to do limited or reasonable assurance reviews in limited aspects related to prudential issues.

(d) Training Budget and Program

APRA invests heavily in training and development and attaches high importance to developing the skills of its staff. APRA’s staff training is largely targeted at the development of core supervisory skills. Based on discussion with APRA, its training budget has remained stable and allows it to effectively train its staff and enhance their supervisory skills.

The APRA Capability Framework establishes the capabilities, skills and behaviors critical to the success of APRA. It acknowledges that different capabilities are required at different levels within APRA and within the different work areas, or functional streams, defined in the framework. Importantly, the framework sets out core behaviors that apply to all employees and are designed to reinforce APRA values.

APRA employees have access to an extensive range of in-house training programs which have been designed to ensure they develop the skills and knowledge required for their role. The training programs are offered online or as workshops and comprise a range of technical, workplace health and safety, leadership, interpersonal skills, and applications training. A comprehensive and staged curriculum aligned to APRA’s capability framework and role requirements has been designed for employees. The curriculum identifies three levels of (predominantly) technical training, outlined in a training plan for each industry. It is anticipated that employees will complete Stages 1 and 2 in their first 18 months at APRA. Experienced employees will access Stage 3 programs as per their development needs.

The curriculum is designed to build knowledge and skills related to prudential supervision and is supported by on the job activities and coaching undertaken with the guidance of the manager and peers of the targeted staff. A combination of all 3 types of learning will develop capabilities related to prudential supervision.

In recent years, APRA has invested in building the leadership and management capabilities of its current and future leaders. APRA arranges a program of secondments to other prudential regulators and agencies abroad to further develop its staff.

APRA also maintains a well-regarded graduate program. Graduates undertake dedicated training on commencement and continue to receive targeted development opportunities throughout their first two years of employment with APRA.

(e) Technology Budget

APRA continues to invest significantly in its technology infrastructure, including a major data modernization program, referred to as Program Athena, to transform the way in which data from regulated institutions is collected, stored, and utilized. Additional funding to replace APRA’s aged statistical data collection platform was provided in 2016/17.

(f) Travel Budget

APRA’s travel budget incorporates provision for onsite visits to ADIs, including visits to off-shore operations and attendance at supervisory colleges. Budget provision is also set aside for APRA staff to participate in various international committees and working groups of international standard setting bodies. Based on discussions with APRA, there do not appear to be restrictions on the travel budget, but due to the requirements of the budget setting process, the funding is secured late during the year. These delays do not always allow APRA to fully execute its travel plan, including in relation to domestic travel which is a significant part of the overall budget.
EC7: As part of their annual resource planning exercise, supervisors regularly take stock of existing skills and projected requirements over the short- and medium-term, taking into account relevant emerging supervisory practices. Supervisors review and implement measures to bridge any gaps in numbers and/or skill-sets identified.
Description and findings re EC7: APRA’s operating divisions forecast resource needs (including skills and required capabilities) on an annual basis as part of developing business plans and as an input to determining the overall APRA budget requirement.

Where APRA does not deem its standing budget appropriation to be sufficient to meet its proposed resourcing requirements, a request for additional budget resources is submitted annually for endorsement by Government. Actuals against forecasts are monitored on a monthly basis. To further advance these processes, APRA is planning to enhance its strategic planning framework and in doing so conduct more holistic and forward-looking skills gap assessments and strategic/ workforce planning at an organizational level to better inform skills gaps/ recruitment needs and to position APRA to respond to future challenges, emerging trends/ risks and innovations as part of its broader strategic planning process.

APRA has recently hired an external consultant to assist it in developing its strategic initiatives and assessing its resource gaps as well as the skills needed in the medium-term. This study is expected to be completed in August and should inform APRA’s budget planning for the coming years.
EC8: In determining supervisory programs and allocating resources, supervisors take into account the risk profile and systemic importance of individual banks and banking groups, and the different mitigation approaches available.
Description and findings re EC8: APRA has a well-established risk-based framework for prudential supervision that incorporates a blend of offsite and onsite supervisory activities (see BCP 8 and 9 for full details). This framework takes into account the entity’s risk profile and impact (defined mostly based on the systemic importance of the entity) in setting the supervisory stance and allocating supervisory resources.

APRA’s risk-based approach to prudential supervision aims to ensure the most efficient allocation of resources to best achieve APRA’s supervisory objectives. APRA’s Probability and Impact Rating System (PAIRS) and Supervisory Oversight and Response System (SOARS) are key tools used to assist with resource allocation decisions.

PAIRS is APRA’s risk assessment model. It incorporates two dimensions: the probability and impact of the failure of an APRA-regulated entity. The outcomes of offsite and onsite supervisory activities are direct inputs to PAIRS. PAIRS requires supervisors to consider the inherent risks to which an institution is exposed, management and controls to mitigate those risks, capital support available to absorb unexpected losses and the institution’s overall risk profile. Based on the supervisory risk assessment, each institution is assigned one of five PAIRS Probability of Failure ratings: Low, Lower Medium, Upper Medium, High, or Extreme. The impact rating is a descriptive assessment of the potential adverse consequences that could ensue from the failure of a regulated entity, including on beneficiaries, the relevant industry and financial system as a whole. Each entity is assigned one of four Impact of Failure ratings: Low, Medium, High and Extreme.

The Supervisory Attention Index (SAI) is calculated as the geometric average of the probability index and the Impact Index. That is, the SAI is the square root of the product of the two Indices. Each dimension is equally weighted in the process. This implies that the relative Probability and Impact of failure are considered of roughly equal importance. The SAI is designed to assist in the assessment of the size of APRA’s supervisory task; identify individual entity and sector priorities; and assist APRA’s planning for, acquisition of and allocation of supervisory resources.

PAIRS Probability and Impact ratings are directly linked to APRA’s Supervisory Oversight and Response System (SOARS). SOARS informs the level of supervisory intensity based on the PAIRS risk assessment process. There are four SOARS supervisory stances: ‘Normal,’ ‘Oversight,’ ‘Mandated Improvement,’ and ‘Restructure’. The typical supervisory activities gradually increase in frequency, scrutiny, and use of APRA’s powers depending on the various supervisory stances.

PAIRS and SOARS inform the development of a Supervisory Action Plan (SAP). The SAP is a forward plan of supervisory activities covering the next 1–2 years. A SAP may cover a range of supervision activities/ responses to address known key risks/issues or to identify new or emerging risks. The SAP includes the timing, scope and objectives of supervision activities and links to underlying key risks/issues identified. APRA’s supervisory framework prescribes a ‘baseline’ or minimum level of supervisory activity which forms part of a SAP. The SAP identifies the key risk(s) to monitor and review, the supervisory activities to perform, their scope and timing and the resources needed to perform them. APRA also takes into account other sources of industry information when developing a SAP. This includes industry risk registers and other work conducted by APRA’s Risk & Data Analytics (RDA) division.
EC9: Laws provide protection to the supervisor and its staff against lawsuits for actions taken and/or omissions made while discharging their duties in good faith. The supervisor and its staff are adequately protected against the costs of defending their actions and/or omissions made while discharging their duties in good faith.
Description and findings re EC9: Section 58 of the APRA Act protects APRA members, staff, or agents from any liability for any acts or omissions in the exercise or performance, or the purported exercise or performance, of powers, functions, and duties conferred or imposed on them, provided they do not act in bad faith.

The APRA Act does not expressly indemnify APRA or its staff for any costs of defending their actions and/or omissions made while discharging their duties in good faith. Rather, APRA relies on the Legal Services Directions 2017 (LSD) issued by the Attorney General under section 55ZF of the Judiciary Act 1903. In accordance with that Act, expenditure to cover legal costs of an employee of an agency (including APRA) should normally be approved to assist an employee who is a defendant in civil or criminal proceedings if:
  • the proceedings arose out of an incident that relates to their employment with the employing agency; and

  • the employee acted reasonably and responsibly (i.e., where the employee has not engaged in serious or willful misconduct or culpable negligence).

The terms of APRA’s Directors’ and Officers’ Liability insurance policy provide cover where a director or officer is legally liable to pay for the consequences of a wrongful act.
Assessment of Principle 2: Materially Non-Compliant
Comments: The APRA Act provides APRA with broad operational powers to deliver its functions. The Banking Act also provides APRA with a good level of regulatory powers to license banks, regulate them, and apply corrective actions. The government issues a statement of expectations every few years, setting high-level guidance about the government’s priorities and expectations from APRA. APRA replies with a statement of intent, which represents APRA’s position in respect of these expectations as well as by the direction powers the minister has in relation to APRA’s policies.

In addition, the APRA Act grants the minister power to give APRA a written direction about policies it should pursue, or priorities it should follow, in performing or exercising any of its functions or powers. The direction powers granted to the minister add another potential layer of control over APRA’s independence. While this power has never been exercised to date and all parties seem to agree on its highly exceptional nature, the text in the APRA Act does not perfectly convey the exceptional nature of this measure. It only says that the minister should pre-notify APRA in writing that he is considering giving the direction and give the APRA Chair adequate opportunity to discuss the direction. Since the objectives of APRA and the Treasurer may not always be aligned and could even be conflicting at times, this could potentially lead to interference by the Treasurer in relation to APRA policy priorities or decisions, which could represent a concern for APRA’s full independence. This written direction by the minister adds another potential constraint, on top of the Parliamentary veto powers (discussed in BCP 1), which could potentially limit APRA’s independence in relation to prudential standard setting.

APRA has a robust governance framework and internal decision-making processes that ensure its ability to act effectively and in a timely manner in normal and emergency cases. It is subject to a strong accountability framework to the government, to the parliament, and to the general public. APRA publishes a four-year corporate plan, an annual performance statement, and an annual report. It also has to report against the Government’s regulator performance framework and is subject to financial and performance audits. In addition, it has a regular standing appearance before Senate Committees. This accountability framework provides by itself a robust and transparent set of checks and balances over APRA’s performance.

The APRA Act provides a clear picture of the process of appointment and removal of APRA members. However, there is no requirement to publicly disclose the reasons for removal if it happens in practice. APRA staff show a high level of integrity and professionalism and they are generally highly regarded by supervised entities and other stakeholders. This is also evident in the biennial stakeholder survey published by APRA.

APRA has maintained a relatively steady level of supervisory resources and budget, with some increase happening in the recent year. This has allowed APRA to continue to perform its objectives based on its risk-based approach, taking into account how to best allocate resources based on the risk profile and systemic importance of banks. While APRA is funded primarily by industry levies, the budget is set by the government after consideration of funding requests by APRA members. Successive governments have supported APRA and provided it with additional funding for specific tasks and projects recently. However, the need for APRA to submit a new proposal for funding increases could potentially limit the flexibility of APRA in smoothly performing its operations and implementing its initiatives. While there is some forward view of expected funding, there is uncertainty over the medium-term budget which may present difficulties for APRA’s resource planning. The current budget process does not offer a reasonable level of flexibility and autonomy for APRA to set objectives and implement them in a reliable way. The “efficiency dividend” imposed by the government poses another constraint on APRA’s budget.

APRA has generally been able to recruit and retain high-caliber staff with competent skills. However, APRA’s employment framework is subject to the APS Workplace Bargaining Policy. This policy sets many constraints on staff remuneration, particularly an annual cap of 2 percent on remuneration increase, and subjects the staff employment framework to a periodic approval, every three years. These limitations may not to date have substantially impacted the overall ability of APRA to attract good and competent supervisory skills at the general level. However, they are increasingly limiting APRA’s ability to retain high-quality staff and causing difficulties in attracting highly specialized skills that are in high demand, such as in cyber risk and advanced risk analytics. This could potentially impact APRA’s future capacity to acquire the needed skills in a rapidly changing environment and emerging new technologies. While the overall turnover rate has been varying over the last year and reached 7.5 percent in May 2018, the turnover rate for risk specialists has been relatively higher and increasing over the last few years to reach 13.75 percent in May 2018.

Despite the above, APRA has been able to invest in training its staff and developing their skills, in accordance with a capability framework that defines the skills needed at different levels within APRA across various functional work streams.

The constraints on APRA’s prudential standard setting powers (i.e., the written directions that could be made by the minister as explained in this principle as well as the parliamentary veto powers on APRA’s prudential standards as explained in BCP 1) seem to put some potential pressure on APRA’s independence. While noting that these constraints may be regarded as part of the checks and balances in the Australian democratic process, they could result, in admittedly extreme circumstances, in the failure to introduce key prudential standards and policies, which may impact APRA’s ability to fulfill its statutory mandate.

This is also coupled with further constraints on APRA’s budget autonomy and staff employment and remuneration conditions, as discussed in detail above.

Based on that, the assessors believe that these matters cause significant concerns to APRA’s independence and its operational ability to effectively deliver on its mandate. Therefore, the assessors believe that these matters taken overall represent material non-compliance issues for this principle. As mentioned before, the grading given to this principle also takes into account the limitations explained in BCP 1 in relation to the Parliament having the right to disallow APRA’s prudential standards. Therefore, a compliant grade was given to BCP 1 to avoid double jeopardy. Were it not for double jeopardy, the grade for BCP 1 would have been largely compliant.
Principle 3: Cooperation and collaboration. Laws, regulations, or other arrangements provide a framework for cooperation and collaboration with relevant domestic authorities and foreign supervisors. These arrangements reflect the need to protect confidential information.14
Essential criteria
EC1: Arrangements, formal or informal, are in place for cooperation, including analysis and sharing of information, and undertaking collaborative work, with all domestic authorities with responsibility for the safety and soundness of banks, other financial institutions and/or the stability of the financial system. There is evidence that these arrangements work in practice, where necessary.
Description and findings re EC1: Section 56 of the APRA Act enables APRA to provide confidential information to domestic financial authorities to enable them to carry out their supervisory functions.

APRA, ASIC, the RBA and Treasury work in close cooperation via the CFR, which is the coordinating body for Australia’s financial regulators, and chaired by the RBA. The CFR provides a forum to support prompt identification of threats to the financial system and assist in facilitating coordinated responses to those threats among the agencies. However, the CFR is a forum for coordination and not a decision-making body; each CFR agency is responsible for discharging its own responsibilities. The CFR also provides advice to the Australian Government on the adequacy of Australia’s financial regulatory arrangements and oversees the objectives and implementation of financial distress management. An MoU was signed in September 2008 between the members of the CFR setting out the objectives, principles and processes for dealing with stresses in the Australian financial system. The MoU defines the responsibilities of the council and member agencies, sets out the objectives and principles of financial distress management, and determines the role of each CFR agency in detecting, assessing and responding to financial stress cases (including the coordination of responses and communication). The CFR meets on a quarterly basis. CFR working groups have also been established covering topics including housing, shadow banking, over the counter (OTC) derivatives, etc. The working groups have provided a good multilateral platform for discussion, information sharing, and joint work and analysis among various levels across the agencies.

Formal bilateral MoUs have been established to facilitate information sharing with domestic agencies. An MoU was signed with ASIC laying out the cooperation and coordination arrangements in relation to regulatory and policy development, effective information sharing and cost of information provision, international representation, and joint activities.

In addition, a statement was issued on the relationship between APRA and ASIC. The statement clarifies the role of APRA as a prudential regulator and the role of ASIC as a conduct regulator. It lays out the cooperation and information sharing arrangements between ASIC and APRA, including on maintaining a continual dialogue and liaison meetings between both agencies at various levels, and also on proactively seeking to identify information that may be of interest to the other agency and providing it in a timely manner.

APRA and ASIC seem to coordinate closely at different levels of the two agencies. There is a semi-annual high-level meeting at the level of the Chairs of the two agencies. There is also a designated person in each agency who is in charge of the coordination with the other agency. Quarterly liaison meetings are held at different staff levels and facilitated by APRA and ASIC designated liaison representatives. These meetings cover a range of issues, including: operational level issues to discuss updates on matters of mutual interest or concern, current enforcement matters that are relevant to both agencies, and entity-specific topics particularly at the level of the largest banks to scrutinize banks’ procedures and conduct.

An MoU is also signed between the Treasury and APRA setting out the basis for policy and operational coordination between both entities. The MoU lists the responsibilities of both parties as laid out in the relevant laws and acts. It mentions that APRA members have prudential policy making responsibility for the agency (subject to override by the Treasurer only in exceptional circumstances). The MoU mentions that APRA has responsibility for developing prudential standards and prudential practice guides under its authority. APRA will consult Treasury in the substantive development of its prudential policies (whether through standards or guidelines), particularly in areas of particular significance or sensitivity where prior consultation or joint policy work will be undertaken. The MoU also lists the roles of both parties in relation to licensing of financial institutions and the cooperation arrangements in respect of financial distress and instability, including activities undertaken as part of the CFR. The MoU also states that the Treasury and APRA will consult in the exercise of operational functions, including in ensuring that appropriate estimates are prepared for annual budget purposes.

An MoU is also signed between the RBA and APRA. The MoU (signed in 1998) sets the complementary responsibilities of the RBA and APRA in relation to financial stability, the arrangements for full and timely exchange of information, and the cooperation arrangements in relation to detection of financial instability risks, regulatory policy changes, and international representation. Based on the MoU, a joint Coordination Committee is established to facilitate close cooperation between the RBA and APRA. The Committee is responsible for ensuring that appropriate arrangements are in place to respond to system stability threats and for coordinating information sharing. It also handles operational matters such as statistical collections, joint research work and participation in international fora. The Coordination Committee, for which the chair alternates between the RBA and APRA, meets every six weeks or so (or more frequently as required). APRA engages particularly with the RBA Financial Stability Department bilaterally and in the context of the CFR. This regular engagement covers the preparation of the Financial Stability Review and the Committed Liquidity Facility (discussed in CP24), among others.

An MoU was also signed in September 2016 between APRA and AUSTRAC to facilitate cooperation between both agencies. The MoU sets out the key principles for the cooperative arrangements between both agencies, namely in relation to mutual access to information, privacy and secrecy of access rights, proper handling of suspicious matter reports in line with the AML/CTF Act, proper treatment of APRA confidential information and documents in line with the APRA Act, and establishment of accountability and feedback mechanisms with respect to information sharing (see CP29 for more details).

APRA and AUSTRAC have three scheduled senior executive coordination meetings per year, which seems limited compared to the interaction APRA has with other agencies, including ASIC. These meetings discuss general issues, like updates from APRA on regulatory and supervisory developments and updates from AUSTRAC on key themes from onsite reviews. They do not go deeper to discuss specific issues at each supervised entity level, an issue that seems important since it contributes to the assessment of banks’ risk management framework by APRA. While there is ongoing engagement and dialogue between the two agencies at officer level concerning matters of mutual interest, the level of cooperation and engagement could be substantially enhanced and cover operational and bank-specific issues that could feed into the risk assessment performed by both agencies.

Regular bilateral meetings are also held between CFR agencies at various working levels. APRA has established MoUs with a number of other domestic agencies, including the Australian Competition and Consumer Commission and the Australian Bureau of Statistics. The MoUs provide a formal framework to facilitate cooperation and exchange of information. APRA also liaises with the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC) on enforcement matters as required.
EC2: Arrangements, formal or informal, are in place for cooperation, including analysis and sharing of information, and undertaking collaborative work, with relevant foreign supervisors of banks and banking groups. There is evidence that these arrangements work in practice, where necessary.
Description and findings re EC2: Section 56(5)(a) of the APRA Act permits APRA to share information with a foreign agency responsible for supervising or regulating financial institutions where the information will assist the agency to perform its functions or exercise its powers.

APRA has established 33 international MoUs/Letters of Arrangement (LA), including with relevant foreign regulatory agencies that have supervisory responsibility for banking operations of material interest to APRA. This is particularly the case with New Zealand and the U.K., where most Australian banks’ overseas operations are based. Specifically, the MoU and LA cooperation arrangements cover sharing of confidential information, ongoing supervision matters and other relevant aspects such as policy development proposals. Where relevant, APRA takes part in supervisory colleges and is the home supervisor for several Australian banks which have material overseas operations.

Where APRA is of the view that a conglomerate group has material activities across more than one APRA-regulated industry and/or in one or more non-APRA regulated industries, APRA can recognize that entity as being part of Level 3 group supervision (for the purposes of a mixed financial group). APRA can request information from other foreign supervisors under these cooperation arrangements, but the scope and coverage of groups/conglomerates etc. (particularly in relation to non-financial entities) is different under the various arrangements.

Joint inspections are undertaken mostly with the foreign supervisors being in attendance. The four major banks have material operations in New Zealand. APRA has strong links with the Reserve Bank of New Zealand (RBNZ) and this is supported by information sharing arrangements, joint onsite reviews and periodic meetings to discuss prudential matters of common interest as part of regular supervision. In addition, APRA and RBNZ coordinate joint supervisory stress tests on the major banks. The TTBC has been established to facilitate a more coordinated and effective banking supervisory regime. In 2006, the Financial Sector Legislation Amendment (Trans-Tasman Banking Supervision) Act 2006 was passed in Australia and reciprocal legislation was passed in New Zealand, emphasizing the need for both countries to keep each other informed of actions that may impact on the financial stability of the other. A number of trans-Tasman crisis simulations have been undertaken to test the ability of TTBC agencies to coordinate the resolution of a distressed trans-Tasman banking group. Australia and New Zealand authorities have continued to work together through the TTBC to build on lessons learned from simulation exercises. This includes work on developing particular strategies that might be followed in the resolution of a trans-Tasman group, as well as work on the operational aspects of undertaking a coordinated response to a crisis.

APRA continues to keep abreast of and contribute to international policy and supervisory developments, particularly through its membership of the BCBS and its various sub-committees and working groups and the Financial Stability Board’s committees and working groups.
EC3: The supervisor may provide confidential information to another domestic authority or foreign supervisor but must take reasonable steps to determine that any confidential information so released will be used only for bank-specific or system-wide supervisory purposes and will be treated as confidential by the receiving party.
Description and findings re EC3: Section 56 of the APRA Act establishes general confidentiality obligations not only for APRA members and staff but also for all persons who, because of their employment or in the course of that employment, have acquired protected (confidential) information or have had access to protected documents. In addition, MoUs signed with domestic authorities and regulators, as well as those signed with foreign regulators, include confidentiality clauses that require the signing parties to use their best endeavors to preserve the confidentiality of the information received under those MoUs and that any confidential information should be used exclusively for lawful supervisory purposes. Disclosure of information exchanged under the MoUs to third parties should be done only if the party is legally compelled to do so and after notification to the authority (who provided the information) indicating the nature of the information to be released and the circumstances surrounding its release. APRA believes that the framework set in the APRA Act and in the MoUs with domestic and foreign agencies provides it with reasonable assurance that any confidential information released will be used solely for supervisory purposes and will be treated confidentially by the receiving party. The above measures are also supported by an internal procedure/protocol around the release of confidential information.
EC4: The supervisor receiving confidential information from other supervisors uses the confidential information for bank-specific or system-wide supervisory purposes only. The supervisor does not disclose confidential information received to third parties without the permission of the supervisor providing the information and is able to deny any demand (other than a court order or mandate from a legislative body) for confidential information in its possession. In the event that the supervisor is legally compelled to disclose confidential information it has received from another supervisor, the supervisor promptly notifies the originating supervisor, indicating what information it is compelled to release and the circumstances surrounding the release. Where consent to passing on confidential information is not given, the supervisor uses all reasonable means to resist such a demand or protect the confidentiality of the information.
Description and findings re EC4: The APRA Act imposes strict confidentiality requirements on APRA, its staff and any other person who, because of his or her employment or in the course of that employment, acquires protected information and/or documents. These are reinforced by APRA’s Code of Conduct.

Under section 56 of the APRA Act, APRA members and staff as well as other persons cannot directly or indirectly disclose information acquired or a document received in the course of their duties to any other person or court if the information or the document is protected (i.e., contains confidential non-public information). There are very limited exceptions to this rule, for example when disclosure is made to an auditor providing professional services to an ADI if the disclosure is for the purposes of the performance of APRA’s functions, or the exercise of APRA’s powers.

Under section 56 of the APRA Act, APRA cannot be required to disclose to a court any protected information except when it is necessary to do so for the purposes of one of the laws that APRA administers. Section 56 of the APRA Act also exempts APRA from the requirement to disclose confidential information under the Freedom of Information Act 1982.

In addition, the MoUs signed by APRA with other domestic and foreign agencies set strict confidentiality rules on the disclosure of shared information and prohibit the parties (including APRA) from disclosing confidential information received from other supervisors unless required by law to do so, in which case they will promptly notify the originating supervisor.
EC5: Processes are in place for the supervisor to support resolution authorities (e.g., central banks and finance ministries as appropriate) to undertake recovery and resolution planning and actions.
Description and findings re EC5: In Australia, APRA is both the supervisor and resolution authority. As such, there are internal processes in place that ensure effective information-sharing and collaboration between the core supervision and resolution functions, including dealing with higher risk/problematic entities, the assessment of recovery plans and consideration of resolution options.

APRA’s internal framework includes escalation procedures for dealing with entities in times of stress, moving from a Supervisory Oversight and Response System (SOARS) stance of Normal to Restructure, with appropriate supervisory actions/interventions at each stage.

APRA has established an Escalation and Enforcement Committee (EEC), chaired by the General Manager of Resolution and Enforcement, that acts as the formal escalation framework for addressing banks experiencing stress. The EEC comprises members of APRA’s supervision, resolution, and legal functions, and facilitates a coordinated and timely approach to any decisions that may involve APRA using its powers in respect of an entity. The EEC meets on a monthly basis, and maintains a watchlist of problem entities, based on the SOARS ratings and other information provided by supervisors. Escalation to the EEC will be the first step in cases where there is a reasonable prospect of APRA exercising powers in respect of an entity. This committee, although not a decision-making body, is a key advisory body in circumstances where APRA is considering taking action beyond its usual supervisory actions. The final decision rests with the ‘delegate’, who is a member of APRA’s senior management at a specified level of seniority. The delegate is usually from APRA’s frontline supervision divisions, and makes the decision in consultation with the relevant frontline supervisors, the General Manager of Resolution and Enforcement and the General Counsel, taking into account any recommendations made by the EEC.

In more severe circumstances (e.g., the imminent failure of a bank), the EEC is likely to recommend to the APRA executive board that a Financial Crisis Management Team (FCMT) is convened to oversee the resolution of the bank. This FCMT comprises senior staff from APRA’s executive and the relevant supervisory, resolution, enforcement, and legal teams. The FCMT would then provide strategic direction, take urgent critical decisions, and coordinate APRA’s engagement with other CFR agencies and the public, in respect of the resolution of the relevant bank.

APRA’s processes for handling distressed banks will also involve appropriate cooperation with other domestic agencies through the CFR, which is the primary forum to support prompt identification of threats to the financial system and assist in facilitating coordinated responses to those threats among the agencies. An MoU on Financial Distress Management among the CFR agencies sets out the principles for dealing with stresses in the financial system.

The consent of the Treasurer would be required if APRA were considering using certain resolution powers. For example, if APRA intended to direct a compulsory transfer of business from a bank, a holding company of a bank, or a subsidiary of a bank, APRA would need the consent of the Treasurer to do so. Further, the declaration of Australia’s national deposit insurance scheme (the Financial Claims Scheme) is the responsibility of the Treasurer rather than APRA.
Assessment of Principle 3: Compliant
Comments: APRA has developed cooperation agreements and MoUs with various domestic and foreign regulators. These agreements have provided a good platform for interaction, discussion, and information sharing in areas that are relevant for APRA. Cooperation has been extensive with ASIC, RBA and as part of the CFR. While there is some cooperation taking place with AUSTRAC, there is room for more frequent and entity-specific interaction that could contribute to APRA’s assessment of banks’ risk management.

APRA has established 33 international MoUs/Letters of Arrangement (LA), including with relevant foreign regulatory agencies that have supervisory responsibility for banking operations of material interest to APRA. This is particularly the case with New Zealand and the U.K., where most Australian banks’ overseas operations are based.

APRA also seems to have a good framework for exchanging confidential information with other supervisory authorities and preserving the confidentiality of such information. Being both the supervision and resolution authority, APRA has internal mechanisms and processes for dealing with distressed banks and escalating decisions to the appropriate level or body.
Principle 4: Permissible activities. The permissible activities of institutions that are licensed and subject to supervision as banks are clearly defined and the use of the word “bank” in names is controlled.
Essential criteria
EC1: The term “bank” is clearly defined in laws or regulations.
Description and findings re EC1: While the term “Bank” is not defined in legislation, the term “banking business” is defined in Section 5 of the Banking Act as follows:
  • a business that consists of banking within the meaning of paragraph 51(xiii) of the Constitution; or

  • a business that is carried on by a corporation to which paragraph 51(xx) of the Constitution applies and that consists, to any extent, of:

    • both taking money on deposit (otherwise than as part-payment for identified goods or services) and making advances of money; or

    • other financial activities prescribed by the Banking Regulations for the purposes of this definition.

Paragraph 51 of the Constitution grants the Parliament legislative powers to make laws for the peace, order, and good government of the Commonwealth with respect to several listed activities and areas, of which: (xiii) banking, other than State banking; also State banking extending beyond the limits of the State concerned, the incorporation of banks, and the issue of paper money; and (xx) foreign corporations, and trading or financial corporations formed within the limits of the Commonwealth.

The Banking Act further defines the term “ADI” as a body corporate that has been granted an authority to conduct banking business in Australia.

Section 66 of the Banking Act restricts the use of the word ‘bank’ in relation to financial business without approval by APRA. However, section 66 expressly permits the use of the word “bank” by ADIs, while section 66AA gives APRA specific power to restrict the use of the word bank by a particular ADI or by a class or classes of ADIs.
EC2: The permissible activities of institutions that are licensed and subject to supervision as banks are clearly defined either by supervisors, or in laws, or regulations.
Description and findings re EC2: ADIs authorized by APRA can carry on banking business as defined in the Banking Act in Australia. The range of permissible activities of licensed entities is not defined in laws or regulations. As mentioned in EC1, the Banking Act states that banking business involves taking money on deposits and making advances of money.

Further, subsection 66(1AC) of the Banking Act will allow all ADIs to use the word ‘bank’ in relation to their financial business unless APRA determines otherwise under section 66AA.

The Banking Act (section 66(4)(c)) provides that ‘financial business’ means a business that:
  • consists of, or includes, the provision of ‘financial services;’ or

  • relates, in whole or in part, to the provision of ‘financial services.’

The term ‘financial services’ is not defined in the Banking Act. However, based on its guidelines on section 66 of the Banking Act, APRA considers that it is not possible to provide an exhaustive and prescriptive definition of the expression ‘financial services,’ but considers that the expression ‘financial services’ generally encompasses:
  • banking business as defined in the Banking Act;

  • the provision of financial products as defined in the Corporations Act 2001 including: financial advice and planning business, investment business, or insurance business;

  • the provision of finance as defined in the Financial Sector (Collection of Data) Act 2001;

  • the provision of products and services regulated under the National Consumer Credit Protection Act 2009;

  • finance brokers;

  • financial services comparison websites;

  • specialist financial services directory websites;

  • superannuation funds (except for self-managed superannuation funds);

  • borrowing, lending, and other transactions (such as entering into hire-purchase agreements or financial leases or providing credit in other forms) in which the subject of the transaction is finance; and

  • conduct of activities in Australia by an entity that carries on banking business in a foreign country but does not carry on banking business in Australia.

However, the above definition of “financial services” does not seem to intend to limit or specify the permissible activities of banks. Based on discussions with APRA, banks can undertake different activities without limitation. What matters for APRA is that banks, including bank Boards and senior management, understand the risks inherent in these activities and establish a sound risk management framework that is commensurate with the level and dimension of these risks.

A body corporate applying for a banking authority must give an undertaking that it will, if licensed:
  • adhere to APRA’s prudential requirements as they relate to the proposed ADI at all times;
  • consult APRA and be guided by it on prudential matters as they relate to the proposed ADI, including in respect of new business initiatives; and
  • provide APRA with any information that it may require for the prudential supervision of the proposed ADI (and its consolidated group).

APRA may impose conditions on an ADI’s authority to undertake a banking business, which may include limitations on its activities. In the case of large and complex groups, APRA may request an ADI to conduct nonbanking activities in other parts of the group, for example funds management.
EC3: The use of the word “bank” and any derivations such as “banking” in a name, including domain names, is limited to licensed and supervised institutions in all circumstances where the general public might otherwise be misled.
Description and findings re EC3: Section 66 of the Banking Act restricts the use of words or expressions in relation to a financial business including the terms: ‘bank,’ ‘banker,’ and ‘banking,’ without receiving APRA’s consent. Section 66A of the Banking Act also restricts persons carrying on a financial business from using the expressions ‘authorized deposit-taking institution’ and ‘ADI,’ without receiving APRA’s consent (exemption).

However, the Australian Parliament has, on 15 February 2018, passed the Treasury Law Amendment (Banking Measures No. 1) Act 2018, allowing all licensed ADIs to use the word ‘bank’ in relation to their financial business unless APRA determines otherwise. This amendment, which took effect in May 2018, effectively lifted the restriction on the use of the word ‘bank’ by ADIs with less than A$50 million capital. Prior to that amendment, the granting of an ADI license did not mean that the ADI was entitled to call itself a “bank.” To do that, it needed to have APRA’s consent.

APRA has provided an exemption allowing a foreign corporation, authorized as a bank in its home country, to use the expressions ‘bank,’ ‘banker,’ or ‘banking’ in relation to raising funds in the Australian wholesale capital market through issuing securities, subject to the following conditions:
  • the securities must be offered and/or traded in parcels of not less than A$500,000; and
  • the securities and related information memorandum must clearly state that the issuer is not authorized under the Banking Act, the entity is not supervised by APRA, and the investment in the securities is not covered by depositor protection provisions.

EC4: The taking of deposits from the public is reserved for institutions that are licensed and subject to supervision as banks.15
Description and findings re EC4: Section 8 of the Banking Act provides that only the Reserve Bank and bodies corporate that are ADIs may carry on “banking business” (as defined in the description of EC1 of this principle) in Australia.

However, there are some deposit-taking institutions that are not licensed as banks or ADIs, and not subject to supervision under the Banking Act. These exempted entities are subject to regulation (although not supervision) by other regulators. Exemptions can be granted under Section 11 of the Banking Act. Section 11 exemptions are generally made by way of class order.

There are two exemptions currently in force, one for Registered Financial Corporations (RFCs) and the other for Religious Charitable Development Funds (RCDFs).

RFCs

Banking Exemption No. 1 of 2015 exempts registered entities from section 8 of the Banking Act (hence allowing them to carry on banking business), provided they comply with the following conditions:
  • Where a registered entity offers, issues, or sells a debenture to a retail investor: the debenture must have a maturity period of at least 31 days and the retail investor must not be able to redeem any funds for 31 days from the date they are invested in the debenture.
  • When a debenture that is issued or sold by a registered entity to a retail investor reaches maturity, the registered entity must roll over the retail investor’s funds into another debenture with a maturity period of at least 31 days or repay the retail investor’s funds.
  • The registered entity must not offer the following facilities to retail investors in relation to an investment product: Automatic Teller Machine (ATM) facilities; BPAY facilities offered by BPAY Pty Limited ACN 079 137 518; electronic funds transfer at Point of Sale facilities; or cheque account facilities.
  • A registered entity must not use or assume the words or expressions deposit or at-call, or any other word or expression of like import, in relation to an investment product offered, issued or sold to a retail investor.
  • Where a registered entity takes money on deposit by offering, and issuing or selling, securities, or a financial product; and the offer of the securities or the issue/sale of the financial product needs disclosure to the investor respectively under Parts 6D.2 and 7.9 of the Corporations Act, a “prudential supervision warning” must be clearly and prominently set out in each disclosure document relating to the securities or product stating that: the registered entity is not authorized under the Banking Act and is not supervised by APRA, the investment will not be covered by the depositor protection provisions or by the financial claims scheme.

RFCs are subject to an Australian Financial Services (AFS) license regime under the Corporations Act regulated by ASIC and provide aggregate and non-prudential reporting to APRA in its capacity as the national statistical agency. New RFCs can be established (i.e., the exemption is not merely for pre-existing companies). Requirements are imposed by ASIC rather than APRA and relate to prospectus, disclosure, and licensing arrangements.

The retail deposits held by RFCs have significantly declined since 2012 from 6.6 percent (A$2.4 billion) as a percentage of total RFC resident deposits to 1.6 percent (A$455 million) as of December 2017. This is very small in proportion to total resident deposits of over A$2 trillion held with banks as of December 2017.

RCDFs

RCDFs are not-for-profit funds set up to borrow and use money for religious and charitable purposes. Their retail products must have the sole or dominant intention of furthering the religious and charitable purposes of the Fund. They are able to continue to raise funds from retail investors under similar restrictions to those that apply to RFCs.

In accordance with the Financial System Inquiry (FSI) recommendation, there has been recent tightening of existing exemptions to more clearly differentiate the investment products that finance companies and similar entities offer to retail consumers from ADI deposits. As such, the conditions of operations of RFCs and RCDFs have been tightened to ensure that the retail deposits they receive have a maturity that is longer than 30 days and to alert consumers that these institutions are not governed by the Banking Act. These limitations have fairly tightened the activities of these institutions and reduced their activities to a very insignificant amount relative to the size of the banking sector.

It is worth noting that the government-owned insurance and banking organization operating in the Northern Territory, which was mentioned in the previous 2012 BCP report, was sold. That institution was not supervised by APRA but monitored by the Northern Territory Treasury. The institution was sold in 2014, with the banking component run by one of the credit unions in Australia.
EC5: The supervisor or licensing authority publishes or otherwise makes available a current list of licensed banks, including branches of foreign banks, operating within its jurisdiction in a way that is easily accessible to the public.
Description and findings re EC5: APRA publishes and maintains a list of ADIs on its website. The register of ADIs is categorized as follows:
  • Australian-owned banks;
  • foreign subsidiary banks;
  • branches of foreign banks;
  • building societies;
  • credit unions;
  • restricted ADIs; and
  • other ADIs.

APRA also maintains a list of authorized non-operating holding companies (NOHCs) on its website.
Assessment of Principle 4: Compliant
Comments: The Banking Law defines the term “banking business” and includes a general definition of the activities that can be carried on as banking business. The broad definition of institutions performing “banking business” is supplemented by guidelines issued by APRA about activities within the area of “financial services.” However, APRA usually relies on the understanding of the ADI Board about the activities they do and the risks that these entail.

While the Banking Act reserves the activities of taking deposits to institutions that are licensed as ADIs, some exemptions can be granted in this respect. Exemptions are granted to RFCs and RCDFs. However, since the last FSAP, the conditions of operations of these institutions have been strictly tightened by preventing them from taking retail deposits with a maturity of less than 31 days and by obliging them to put a “prudential supervision warning” in their disclosure document clearly stating that they are not authorized under the Banking Act. This has significantly reduced the deposits of RFCs to less than 0.12 percent of the resident banking sector deposits. In addition, a state-owned institution that was not subject to APRA supervision (mentioned under the last FSAP) was sold in 2014. All of these are positive developments since the last FSAP. The assessors thought that the conditions and scope of the activities of RFCs and RCDFs are very tight and their size is extremely small relative to the ADI sector. Based on this, the assessors believe that the current situation does not impact the compliance with the substance of this core principle.
Principle 5: Licensing criteria. The licensing authority has the power to set criteria and reject applications for establishments that do not meet the criteria. At a minimum, the licensing process consists of an assessment of the ownership structure and governance (including the fitness and propriety of Board members and senior management)16 of the bank and its wider group, and its strategic and operating plan, internal controls, risk management and projected financial condition (including capital base). Where the proposed owner or parent organization is a foreign bank, the prior consent of its home supervisor is obtained.
Essential criteria
EC1: The law identifies the authority responsible for granting and withdrawing a banking license. The licensing authority could be the banking supervisor or another competent authority. If the licensing authority and the supervisor are not the same, the supervisor has the right to have its views on each application considered, and its concerns addressed. In addition, the licensing authority provides the supervisor with any information that may be material to the supervision of the licensed bank. The supervisor imposes prudential conditions or limitations on the newly licensed bank, where appropriate.
Description and findings re EC1: APRA is both the licensing authority and the supervisor of ADIs in Australia. Based on section 9 of the Banking Act, a body corporate which desires authority to carry on banking business in Australia may apply in writing to APRA for authority accordingly and APRA is empowered to grant or reject such authority.

APRA may impose conditions on an institution’s license under section 9AA of the Banking Act, as amended by the Financial Sector Legislation Amendment (Crisis Resolution Powers and Other Measures) Act 2018. The conditions must relate to prudential matters and they may be expressed to have effect despite anything in the prudential standards or the regulations. For instance, conditions may limit the lines of business the institution is permitted to offer, such as a foreign ADI that has conditions limiting its acceptance of deposits and other funds from Australian retail customers or an ADI that is allowed to conduct business solely in one market segment such as retail or commercial banking.

In early May 2018, APRA introduced a new phased approach to ADI licensing with two distinct licensing routes, a direct route and a restricted route. The direct route reflects the framework that was applied previously, where applicants are allowed to conduct their intended banking business from the granting of the license if they demonstrate their ability and readiness to comply with the ADI prudential framework. The restricted route allows eligible applicants to apply for a restricted ADI license to conduct limited banking business while developing their capabilities and resources and subjects them to simpler prudential requirements. Within a maximum period of two years, the restricted ADI would need to transition into a full ADI license (with or without conditions). If it is unable to meet the requirements of the prudential framework within two years, the holder of a restricted license would need to surrender its banking authority and exit the banking industry.

Restricted ADIs will be strictly limited in their activity and would not be expected to actively conduct banking business during the restricted period. The related information paper issued by APRA in May 2018 states that APRA would expect applicants using the restricted route to be at the smaller end of the banking industry and that applicants that are part of an existing ADI or foreign bank are unlikely to be eligible for the restricted route as these applicants are expected to have sufficient resources and capabilities to apply directly for an ADI license. As an indicative guide, APRA does not expect institutions applying for a restricted ADI license to have a balance sheet greater than A$100 million, which would equate to approximately A$20 million of equity under the Restricted ADI minimum capital requirements (see EC 6 and CP15 for a more detailed discussion of capital requirements). As such, institutions which have balance sheet assets greater than A$100 million; have more than A$20 million of equity; and/or have parent institutions that have an ability to invest equity of more than A$20 million in establishing an ADI subsidiary, would typically be expected to apply via the direct route.

According to APRA, the phased approach is intended to support increased competition in the banking sector by reducing barriers to new entrants to be authorized to conduct banking business, including those with innovative or otherwise non-traditional business models or those leveraging greater use of technology. The new regime allows applicants that do not have the resources or capabilities to apply for an ADI license to obtain a restricted license to begin limited operations while still developing the full range of resources and capabilities necessary to fully meet the requirements of the prudential framework. In May 2018, APRA granted the first license under the restricted licensing regime to a digital bank.
EC2: Laws or regulations give the licensing authority the power to set criteria for licensing banks. If the criteria are not fulfilled or if the information provided is inadequate, the licensing authority has the power to reject an application. If the licensing authority or supervisor determines that the license was based on false information, the license can be revoked.
Description and findings re EC2: Section 9 of the Banking Act states that APRA may, by legislative instrument, set criteria for the granting of an authority to carry on banking business in Australia. While APRA has not chosen to make such a legislative instrument, it has laid out the main criteria and information requirements for granting an authority to carry on banking business. These are included in the ADI Authorization Guidelines available on APRA’s website and are discussed in the description related to the other relevant criteria of this principle.

Section 9A of the Banking Act, as amended by the Crisis Resolution Act, outlines the circumstances where APRA can withdraw or revoke an ADI’s license. In addition to APRA’s broad power to refuse applications under section 9, APRA may revoke a banking authority if the ADI has provided information that was false or misleading in connection with its application for authorization (Section 9A(2)(a) of the Banking Act as amended by the Crisis Resolution Act).

The Banking Act (Part VI) includes provisions that allow persons affected by an APRA decision who are dissatisfied with the decision to write to APRA (within 21 days) requesting it to reconsider the decision while explaining the reasons for the request. APRA must reconsider the decision and may confirm or revoke it, or even vary it as APRA sees fit. APRA should notify the person of the outcome of the reconsideration and the underlying reasons. If the person is still dissatisfied with APRA’s reconsideration, the person can apply to the Administrative Appeals Tribunal for a review of the decision.

APRA assesses, amongst other things, the applicant’s sources of initial capital, ownership, governance, risk management and internal control systems, compliance, information and accounting systems, external and internal audit arrangements, financial projections and strategic and operating plans.
EC3: The criteria for issuing licenses are consistent with those applied in ongoing supervision.
Description and findings re EC3: The criteria for assessing a licensing applicant are overall consistent with APRA’s ongoing supervision requirements, which are set out in the prudential framework.

The licensing criteria require an applicant to demonstrate to APRA’s satisfaction that the proposed new ADI will have strategic and financial viability, an effective risk management framework, and meet all legislative obligations and APRA’s prudential requirements at the point of licensing and on an ongoing basis. APRA published in 2008 its ADI authorization guidelines, which set criteria representing the minimum requirements for getting an authorization under the Banking Act. The guidelines expect all applicants to be able to comply with APRA prudential requirements, as set out in various prudential standards, from the commencement of their banking operations. These guidelines are in the process of being amended to take into account the new restricted ADI licensing regime.

In its licensing process, APRA focuses on the business plan of the proposed entity, its owners and controllers, its governance framework (including the board of directors and senior management), its risk management framework, its financial resources (including sources of funding), its IT and outsourcing strategies. The criteria outlined in the ADI licensing guidelines include several requirements including on capital, ownership, governance, risk management, internal control, compliance, information and accounting systems, external and internal audit arrangements, and home supervision (for foreign ADI licenses). These criteria are generally in line with the ongoing prudential standards applicable for existing ADIs.

For Restricted ADIs, the criteria in a number of areas are simpler or different at the time of granting the Restricted ADI license (i.e., initial requirements) and in the ensuing two-year period (ongoing requirements). However, at the end of the restricted period (a maximum of two years), a Restricted ADI must have met APRA’s licensing criteria and information requirements to be granted a full ADI license (with or without conditions) including compliance with APRA’s prudential requirements. If the Restricted ADI was unable to meet the licensing requirements, the Restricted ADI would cease to be an ADI.

The main areas where the criteria for restricted ADI licenses are simpler or different than those for full ADI licenses include: Board and management, capital, liquidity, risk governance, IT infrastructure, recovery plan, and business continuity plan. These requirements are outlined in the explanations to the other criteria of this principle. Applicants for restricted ADI licenses must additionally prepare a strategy outlining their plan to meet the prudential framework and transition to an ADI license by the end of the restricted period. Applicants should also submit an exit plan identifying the avenues the proposed restricted ADI would take to exit its banking business without impacting financial stability, relying on the financial claims scheme, or requiring the use of APRA’s crisis management powers.
EC4: The licensing authority determines that the proposed legal, managerial, operational and ownership structures of the bank and its wider group will not hinder effective supervision on both a solo and a consolidated basis.17 The licensing authority also determines, where appropriate, that these structures will not hinder effective implementation of corrective measures in the future.
Description and findings re EC4: The proposed legal, managerial, operational and ownership structures of a proposed ADI and its wider group are assessed by APRA supervisors as part of the licensing application process.

APRA requires that the application for an ADI includes, among others, information on ownership, board and management of the proposed ADI as well as its business plan. This information includes a brief history of the applicant with an outline of existing operations (or the foreign bank if it is a foreign ADI), the identity of direct and ultimate substantial shareholders and their respective shareholdings and details of any related entities in Australia (or the substantial direct and ultimate shareholders of the foreign bank and their respective shareholdings for a proposed foreign ADI), an outline of the proposed organizational structure, an outline of the proposed activities and scale of operations (including details of proposed specialized services and material outsourcing arrangements), details of the risk management systems and procedures to monitor risks (including for offshore operations of proposed locally incorporated ADIs), and details of existing or proposed subsidiaries and associates. In assessing all this information, APRA ensures that the overall structure of the proposed ADI will not hinder effective supervision by APRA on both a standalone and a consolidated basis.

Where the applicant is part of a wider group, this includes an assessment of the group-wide operations, reporting lines and their implications for supervision of the ADI to ensure that the legal, managerial, operational, and ownership structures of the group to which an ADI is a member will not hinder effective supervision on both a solo and a consolidated basis. APRA has the power to require the holding company of the conglomerate group to be authorized as a NOHC.

A similar approach is followed for Restricted ADI applications. Applicants for a restricted ADI license should include in the application the proposed owners and controllers, as well as the proposed corporate structure. At the time of application, APRA needs to be satisfied of the sufficiency of the structure and governance of the proposed ADI, who the owners are, what capacity the owners have to support the institution and how that may change over time. Hence, the supervisors assess the ownership structure, the governance arrangements of the institution, its risk management framework, its strategy to become a full ADI and its exit plan.

There are no shell banks operating in Australia and APRA does not allow such banks to operate.
EC5: The licensing authority identifies and determines the suitability of the bank’s major shareholders, including the ultimate beneficial owners, and others that may exert significant influence. It also assesses the transparency of the ownership structure, the sources of initial capital and the ability of shareholders to provide additional financial support, where needed.
Description and findings re EC5: APRA requires a licensing applicant to identify the names of substantial shareholders, both direct and ultimate, and their respective shareholdings as well as the ownership structure and source(s) of initial capital and potential additional capital sources in the future. For foreign ADI licensing applications, APRA requires the names of the substantial shareholders, both direct and ultimate, of the foreign bank and their respective shareholdings.

Applicants for ADI authorization are required to demonstrate that all substantial shareholders of the proposed new ADI are fit and proper in the sense of being well-established and financially sound entities of standing and substance. In the case of foreign bank applicants, this requirement applies both to the foreign bank itself and to the substantial shareholders of the foreign bank. All substantial shareholders must be able to demonstrate that their involvement in the ADI represents a long-term commitment and that they have the capacity to contribute additional capital if required. Declarations to that effect are required as part of the licensing process.

Applicants for restricted ADI licenses should clearly identify owners, including direct and ultimate owners, and controllers of the proposed ADI and its corporate structure. Applicants for a restricted ADI should provide a group structure chart showing the ownership structure of the applicant as well as any subsidiaries (of the proposed ADI and its parent) and any related companies. The chart should include details of related entities’ business and any proposed linkages with the applicant, e.g., outsourcing arrangements. The applicant will need to meet fit and proper requirements and satisfy APRA with respect to fitness and propriety of persons who are responsible for the management and oversight of the ADI. Shareholders of Restricted ADIs, if not able to demonstrate capacity to contribute additional capital, must demonstrate credible plans for seeking additional shareholders and divesting their shareholdings during the restricted period or according to the Financial Sector (Shareholdings) Act 1998 (FSSA).

It is worth mentioning that ownership in locally incorporated ADIs, including subsidiaries of foreign banks, is governed by the FSSA, which limits shareholdings of an individual shareholder, or group of associated shareholders, in an ADI to 15 percent of the ADI’s voting shares. Depending on the nature of the acquisition, either the Treasurer or APRA (within delegations provided by the Treasurer) may approve shareholdings in excess of 15 percent where satisfied that it is in the national interest. Under the current threshold of delegation, the Treasurer has delegated approval authority to APRA in respect of ADIs with assets less than A$1 billion. For cases falling below the threshold of delegation, there is no provision in the FSSA for the Treasurer to overrule APRA’s decision. However, the Treasurer can overrule the delegation such that the decision reverts to the Treasurer. In considering what is in the national interest, the Treasurer is able to consider a wide range of issues including prudential, competition and taxation effects of the proposal. For more details, please check the description to CP 6.

While the assessment of the suitability of a shareholder of more than 15 percent might be made ultimately by the Treasurer, the Treasurer will seek APRA’s opinion on the suitability of a shareholder.

APRA’s decisions to refuse a license are subject to review by the Administrative Appeals Tribunal (AAT). It is possible but usually unlikely that a rejected applicant might challenge APRA’s decision.
EC6: A minimum initial capital amount is stipulated for all banks.
Description and findings re EC6: The ADI Authorization Guidelines specify that proposed new ADIs must have at least A$50 million in Tier 1 capital to use the word “bank” unless they are a branch of a foreign bank. However, this requirement has been recently removed. In fact, the Parliament, on February 15, 2018, passed the Treasury Law Amendment (Banking Measures No. 1) Act 2018, which lifted, effective May 2018, the restriction on the use of the word ‘bank’ by ADIs with less than A$50 million capital.

While no minimum initial capital is stipulated for new ADIs, applicants must satisfy APRA that they are able to comply with APRA Prudential Standard on Capital Adequacy (APS 110) from the commencement of the proposed ADI’s banking operations (see explanation of CP16 for more details).

Australian branches of foreign banks are not required to have or maintain endowed capital in Australia, but the foreign bank must meet the capital requirements of the home regulator, which must be comparable.

It is worth noting that licenses granted for Australian branches of foreign ADIs restrict them from accepting retail deposits. APRA’s policy, as set out in the terms of authorization for each foreign ADI, is that foreign ADIs are not permitted to accept initial deposits (and other funds) from individuals and non-corporate institutions of less than A$250,000. They can, however, accept deposits and other funds in any amount from incorporated entities, non-residents and their employees. Moreover, depositors with foreign ADIs do not have the same protections under the Act as depositors with locally incorporated ADIs.

A Restricted ADI will at all times need a minimum capital of the higher of: A$3 million plus a resolution reserve; or 20 percent of adjusted assets. The resolution reserve is typically set at A$1 million, representing the likely costs of APRA resolving the entity which may, as a last resort, include administration of the Financial Claims Scheme if activated by the Australian Government. APRA retains discretion to increase the size of the resolution reserve if a Restricted ADI is deemed particularly complex to resolve. Capital for the restricted phase must meet the definition of Common Equity Tier 1 Capital.
EC7: The licensing authority, at authorization, evaluates the bank’s proposed Board members and senior management as to expertise and integrity (fit and proper test), and any potential for conflicts of interest. The fit and proper criteria include: (i) skills and experience in relevant financial operations commensurate with the intended activities of the bank; and (ii) no record of criminal activities or adverse regulatory judgments that make a person unfit to uphold important positions in a bank.18 The licensing authority determines whether the bank’s Board has collective sound knowledge of the material activities the bank intends to pursue, and the associated risks.
Description and findings re EC7: APRA licensing guidelines require that applicants for an ADI license satisfy APRA that they have policies in place to ensure that the persons holding key positions within the proposed ADI are fit and proper, in accordance with CPS 520. As part of the licensing process, APRA will review information provided by the applicant demonstrating the fitness and propriety of proposed directors and senior management to hold relevant positions in accordance with CPS 520. CPS 520 establishes minimum requirements for APRA-regulated institutions in determining the fitness and propriety of individuals holding positions of responsibility, but the standard states that the ultimate obligation rests with the Board of Directors (or equivalent) of a regulated institution to ensure that responsible persons, including directors and senior managers, are fit and proper.

Key requirements in CPS 520 include the obligation for a regulated institution to have a Fit and Proper Policy relating to the fitness and propriety of the institution’s responsible persons. Responsible persons of an ADI and a NOHC include, among others: directors, senior managers, and appointed auditors. The Fit and Proper policy must require an assessment of fitness and propriety of a responsible person prior to initial appointment and an annual re-assessment. Information regarding responsible persons and the institution’s assessment of fitness and propriety is to be submitted to APRA.

CPS 520 sets criteria to be used in determining whether a person is fit and proper to hold a “responsible person” position, including:
  • Possession of the competence, character, diligence, honesty, integrity and judgment to perform properly the duties of the position;
  • The need for the person not to be disqualified under an applicable prudential act from holding the position;19 and
  • The absence of a conflict of interest by the person in performing his duties or a prudent determination by the regulated institution that the conflict will not create a material risk preventing the person from properly performing the duties of the position.

APRA undertakes its own independent checks and detailed assessment of directors and senior management if there are concerns about an individual’s expertise and integrity. Should APRA determine that a person is not fit and proper, APRA will direct the applicant to remove the individual, and will not grant a license until satisfied that all directors and senior management are fit and proper.

APRA assesses the license application for compliance with APRA Prudential Standard on Governance (CPS 510), which requires the Board to ensure that directors and senior management of the ADI, collectively, have the full range of skills needed for the effective and prudent operation of the ADI and that each director has skills that allow them to make an effective contribution to Board deliberations. When collectively assessing the applicant’s Board, APRA considers the fitness and propriety of all proposed directors, including banking experience, based on the biographical data of key persons and fit and proper statements received from the applicant.

Since CPS 520 applies equally to Restricted ADIs, a similar assessment is done to check the fitness and propriety of the directors and senior managers of an applicant for a Restricted ADI license. CPS 510 applies to Restricted ADIs with minor concessions, particularly in relation to a lower number of independent directors (minimum of two), no requirement for board committees, and no policy for board renewal or procedures for assessing board performance. Therefore, the board will be collectively assessed in terms of the skills needed for the performance of its functions but, in general, proportionality will be applied in the assessment of the governance framework of a proposed Restricted ADI. In addition, some Restricted ADIs may be using the restricted phase to finalize executive appointments and staff recruitment, so the assessment of the fitness and propriety of these persons will occur later in the process.

On February 7, 2018, the Parliament legislated a new Banking Executive Accountability Regime (BEAR) requiring ADIs and executives to meet certain expectations. The BEAR Act received Royal assent on March 5, 2018. This will further strengthen APRA’s fit and proper requirements and will be effective in July 2018 for major ADIs and in 2019 for remaining ADIs.
EC8: The licensing authority reviews the proposed strategic and operating plans of the bank. This includes determining that an appropriate system of corporate governance, risk management, and internal controls, including those related to the detection and prevention of criminal activities, as well as the oversight of proposed outsourced functions, will be in place. The operational structure is required to reflect the scope and degree of sophistication of the proposed activities of the bank.20
Description and findings re EC8: Applicants for ADI licenses should provide APRA with a set of documents and information to support their request. These include: information on the ownership, board and management of the proposed ADI; a three-year business plan that includes the business structure and financial projections of the entity; details of the risk management systems, accounting systems, business continuity plan, and internal audit and outsourcing arrangements; and other information, such as details of the proposed subsidiaries.

The licensing process involves APRA undertaking a detailed assessment of the applicant’s Board and management and the proposed governance framework, risk management and control systems, information and accounting systems and internal and external audit arrangements. This includes an assessment of the applicant’s ability to comply with all relevant prudential standards including governance, capital, internal control and audit, credit risk, market risk and operational risk standards. The assessment also covers proposed outsourcing arrangements. APRA’s assessment process is based on the principle of proportionality taking into account whether proposed plans, policies and procedures are commensurate with the nature, scale and complexity of the proposed ADI.

Business Plan

The three-year business plan should incorporate the goals of the first three years of operation of the ADI and the ADI group (where relevant), including all controlled entities. The plan must cover the structure of the business including proposed activities and provide detailed financial projections, including key financial and prudential ratios. In reviewing an applicant’s business plan, APRA has regard to the nature, scale and complexity of the proposed ADI’s business operations.

Governance

Applicants must satisfy the requirements in CPS 510 on governance regarding the composition and functioning of the Board. Applicants must also satisfy APRA that they have policies to ensure that persons who hold key positions in the ADI are fit and proper. APRA may consult other regulators (domestic and foreign) regarding the suitability of personnel for the proposed ADI.

Risk management and internal control systems

Applicants must satisfy APRA that their risk management and internal control systems are adequate and appropriate for monitoring and limiting risk exposures in relation to their domestic and, where relevant, offshore operations. This includes, in particular, the development, implementation and maintenance of policies and procedures for monitoring and managing credit risk (including policy on related party lending, large exposures, and problem asset recognition and impairment), market risk arising from banking business and trading activities, liquidity risk and operational risk (including outsourcing arrangements and business continuity management) in accordance with the requirements in the relevant APRA Prudential Standards. Applicants must be able to demonstrate to APRA’s satisfaction that risk control systems are relevant and proportionate to the risks inherent in the ADI’s proposed business strategy.

As part of the application process, APRA may carry out onsite reviews and perform tests and checks, including walk-through demonstrations of processes. In assessing whether the policies and procedures proposed for managing and controlling risk are adequate and appropriate for the applicant’s operations, APRA will take into account the size, nature and complexity of the operations, the volume of transactions forecast to be undertaken, the proposed organizational structure and the geographical distribution of the business as set out in the business plan. In addition, foreign bank applicants must demonstrate arrangements for reporting to foreign bank parents or head offices.

Compliance

License applicants must satisfy APRA that their processes and systems are adequate and appropriate for ensuring ongoing compliance with APRA’s Prudential Standards and other relevant regulatory and legal requirements.

Information and accounting systems

Applicants must satisfy APRA that their information and accounting systems are adequate for maintaining up-to-date records of all transactions and commitments undertaken by the ADI, so as to keep management continuously and accurately informed of the ADI’s condition and the risks to which it is exposed. Specifically, applicants are required to demonstrate to APRA that proposed systems will be capable of producing all required statutory and prudential information in an accurate and timely manner from the commencement of their banking operations.

In assessing the overall adequacy of the proposed information and accounting systems, APRA will have regard to the integrity and security of the systems and arrangements for business continuity management as outlined in APRA Prudential Standard on Business Continuity Management (CPS 232). The outsourcing arrangements related to material data processing must satisfy APRA’s outsourcing requirement as set out in Prudential Standard CPS 231 Outsourcing (CPS 231).

External and internal audit arrangements

Applicants must be able to demonstrate that they can satisfy APRA’s requirements in relation to board audit committees and internal audit set out in CPS 510, and that they have in place arrangements with external auditors in accordance with the requirements set out in Prudential Standard APS 310 Audit and Related Matters (APS 310). This includes arrangements for an external auditor to report to APRA on matters relating to APRA data collections, internal controls and compliance with prudential requirements.

Restricted ADIs

For a Restricted ADI license, applicants would be required to submit a reduced set of application documentation relative to an ADI license application. The application will focus on key elements such as the business case, key senior appointments, the applicant’s approach to governance, and its strategic planning (which includes the business plan, financial projections, its strategy to become a full ADI, and its exit plan), in addition to its risk management and information relating to proposed activities.

With respect to risk management, APRA will assess the risks the applicant expects to be exposed to during the Restricted ADI phase as well as its capabilities for managing those risks. APRA expects applicants to provide a description of the risk profile associated with its proposed strategy and business plan. This should be accompanied by a high-level description of proposed systems and controls to manage and monitor the risks. A strategy for implementing adequate systems and controls should be provided to APRA and these systems should be in place prior to conducting the banking business the Restricted ADI is licensed for.

If the information provided is of sufficient quality, APRA expects to be able to grant a Restricted ADI license more quickly than would be the case if an ADI license was sought (although a Restricted ADI would not be expected to receive a full ADI license any more quickly than an entity applying through the ADI route). A Restricted ADI will need to demonstrate ongoing capital adequacy and sufficient liquidity, and be primarily focused on building capabilities and systems, and show credible plans to progress to a full ADI license within two years.
EC9: The licensing authority reviews pro forma financial statements and projections of the proposed bank. This includes an assessment of the adequacy of the financial strength to support the proposed strategic plan as well as financial information on the principal shareholders of the bank.
Description and findings re EC9: APRA requires applicants to submit detailed financial projections as part of their three-year business plan. These include balance sheet, cash flow and earnings projections and key financial and prudential ratios for the proposed bank and banking group (where relevant). APRA expects the projections to include sensitivity analysis covering expected, upside and downside scenarios. APRA requires more conservative and stressed estimates if initial projections are not perceived to be suitably robust or realistic.

Applicants for ADI authorization are required to demonstrate to APRA that all substantial shareholders are well-established and financially sound entities of standing and substance. Substantial shareholders must be able to demonstrate that their involvement with the ADI will be a long-term commitment and that they will be able to contribute additional capital should this be required. APRA supervisors assess and form a view on the quality of financial information provided as part of the licensing process.

In the case of a Restricted ADI, APRA will assess the proposed business plan. The applicants must provide a credible business plan incorporating:
  • the rationale for applying to become an ADI;
  • the goals of the first three years of operation;
  • the proposed activities (including details of products and services to be offered) and target market;
  • scale of operations and target volume of business;
  • financial projections for at least five years, with scenario analysis setting out upside and downside cases;
  • a demonstration that the applicant will have the skills, competence, and governance arrangements appropriate to managing a banking business, including setting out the proposed organizational structure, Board, board Committees, senior management, and governance arrangements;
  • the likely business and regulatory risk factors and the way to monitor and control them;
  • strategy to achieve full compliance with the prudential framework;
  • intended means of distribution channels;
  • estimated number of staff; and
  • proposed commencement of operations.

Restricted ADI shareholders are not necessarily required to be able to contribute additional capital. The Restricted ADI will need to have a credible plan to raise sufficient capital to support its proposed strategic plan. If it is not successful in completing the required capital raisings, then it would be expected to surrender its banking authority and cease to be an ADI.
EC10: In the case of foreign banks establishing a branch or subsidiary, before issuing a license, the host supervisor establishes that no objection (or a statement of no objection) from the home supervisor has been received. For cross-border banking operations in its country, the host supervisor determines whether the home supervisor practices global consolidated supervision.
Description and findings re EC10: The ADI Authorization Guidelines state that foreign bank applicants are to provide a statement of consent from the relevant home supervisor for the establishment of a banking operation in Australia. Only applicants that are authorized banks in the home country will be granted authority to operate as a foreign bank in Australia.

For foreign bank applicants, APRA must be satisfied that the home supervisor supervises the foreign bank applicant on a consolidated basis in accordance with the principles contained in the Basel Concordat, and is prepared to cooperate (in terms of the Concordat) with APRA in the supervision of the bank in Australia.
EC11: The licensing authority or supervisor has policies and processes to monitor the progress of new entrants in meeting their business and strategic goals, and to determine that supervisory requirements outlined in the license approval are being met.
Description and findings re EC11: New entrants are subject to ongoing supervision in accordance with APRA’s Framework for Prudential Supervision. Ongoing supervision involves the assessment of ADIs against stated strategic and business goals, monitoring compliance with APRA’s prudential framework and specific requirements imposed on an individual banking authority.

With respect to Restricted ADIs, APRA’s newly set up Licensing team will also be involved in monitoring progress against an entity’s business plan and strategy to ensure full compliance with the prudential framework in the proposed maximum of two years leading up to the full ADI license.
Assessment of Principle 5: Compliant
Comments: APRA licensing powers are derived from the Banking Act. APRA has a very thorough licensing framework and process. In assessing licensing applications, APRA follows criteria that are overall consistent with ongoing supervision requirements. It also reviews the proposed ADI strategy and financial viability, its business plan, the suitability of its owners and management, its governance framework, and its risk management framework. For foreign banks, it also ensures that there is no objection from the home supervisor and that the home authority is performing consolidated supervision. The recent change in the law allowing all ADIs to use the term “bank” negated the minimum initial capital of A$50 million that was applied to banks, since there is no minimum amount of capital to be an ADI. However, as mentioned above, Restricted ADIs are subject to a minimum initial capital of A$3 million plus a resolution reserve. Based on that, APRA considers the minimum initial capital for Restricted ADIs to be a strict floor even for other ADI license applications. But in all cases, APRA requires that the applicants show their ability to comply with the prudential capital adequacy requirement from the start of their operations and going forward. This means that applicants can be required to have much more than the A$3 million capital if their operations warrant that. This seems an alternative way to comply with the requirement of EC6 of this CP. It is worth noting that most of the current new licensees are branches or subsidiaries of foreign banks where the licensing process involves an analysis of their foreign parent and their ability to support the bank or fund the branch.

The implementation of the restricted regime may be a step to encourage more competition in the banking sector and allow a more gradual approach to licensing that ensures closer follow-up by APRA throughout the licensing phase. The new entrants are expected to be banks with different business models that rely more on technology, such as fintech. APRA has taken measures to ensure that this new regime will have limited impact on financial stability issues. It has put caps on the size of these institutions, requiring them to have a conversion strategy (to become a full ADI) and an exit strategy (with some resolution funds) to ensure they can smoothly exit the market without causing financial stability concerns.

Having said that, it would be recommended that APRA be prudent as it licenses new Restricted ADIs to ensure the success of this framework, without causing financial stability issues in case these ADIs fail to convert to full ADIs within the targeted timeline. Given the new business model of these banks, APRA should also step up its efforts and further build its capacity in relation to IT risks, including cyber risk issues and fintech, to ensure it is able to adequately oversee these new firms.
Principle 6: Transfer of significant ownership. The supervisor21 has the power to review, reject and impose prudential conditions on any proposals to transfer significant ownership or controlling interests held directly or indirectly in existing banks to other parties.
Essential criteria
EC1: Laws or regulations contain clear definitions of “significant ownership” and “controlling interest.”
Description and findings re EC1: The Financial Sector Shareholding Act 1998 (FSSA) includes the criteria and requirements related to transfer of significant ownership. The FSSA indirectly defines “significant ownership” through the definition of an “unacceptable shareholding situation.” Based on the FSSA, an unacceptable shareholding situation is an unapproved stake higher than 15 percent. As such, “significant ownership” is indirectly defined to be any stake higher than 15 percent.

The term “stake” is defined under the FSSA (clause 10 of Schedule 1) as the aggregate of the direct control interest in the company that a person and that person’s associates hold at a particular time, where direct control interest represents the percentage of voting power, including through an intermediate company.

The FSSA also allows the Treasurer to declare that a person has “practical control” of a financial sector company even if that person does not hold a stake in the company or if the person’s stake is not more than 15 percent. This power can be exercised if the Treasurer is satisfied that:
  • the directors of the company are accustomed, or under a formal or informal obligation, to act in accordance with the directions, instructions, or wishes of that person (alone or together with associates), or if the person (alone or together with associates) is in a position to exercise control over the company; and
  • it is in the national interest to declare that the person has practical control of the company.

Section 22 of the FSSA explains that control includes cases of control as a result of, or by means of, trusts, agreements, arrangements, understandings, and practices, whether or not having legal or equitable force and whether or not based on legal or equitable rights.
EC2: There are requirements to obtain supervisory approval or provide immediate notification of proposed changes that would result in a change in ownership, including beneficial ownership, or the exercise of voting rights over a particular threshold or change in controlling interest.
Description and findings re EC2: As per the FSSA, prior approval by the Treasurer is required where a person proposes to acquire a stake in a financial sector company (including a bank or ADI) of greater than 15 percent, and also where a person proposes to increase their stake beyond the level of an existing approval. The application for approval should specify the percentage of the stake (if any) the person holds in the financial sector company and the percentage for which approval is sought, as well as the reason for making the application. Approval to hold a stake in a bank in excess of 15 percent is given only where the applicant satisfies the Treasurer or, where applicable, APRA as the Treasurer’s delegate, that the proposed acquisition is in the ‘national interest.’ The FSSA applies to both domestic and non-domestic stakeholders.

The FSSA does not include any definition or criteria that would be considered under the “national interest” requirements. Therefore, the national interest considerations seem to represent a discretion made by the Treasurer.

The power to grant approval under the FSSA is with the Treasurer. However, the Treasurer has delegated power to APRA under the FSSA in respect of applications relating to banks with assets less than A$1 billion. As a matter of practice, the Treasurer seeks APRA’s advice as to whether there are any prudential concerns in relation to decisions affecting banks with assets exceeding A$1 billion. However, APRA’s advice is not binding on the Treasurer’s decisions. In addition, the Treasurer always has the possibility of withdrawing the delegated powers given to APRA for banks with assets less than A$1 billion.

The Foreign Acquisitions and Takeovers Act 1975 (FATA) also contains general provisions related to change in control involving a foreign person to acquire interests in securities, assets or Australian land, or otherwise take action in relation to entities (being corporations and unit trusts) and businesses, that have a connection to Australia. The act specifies a threshold for actions that are significant, where the Treasurer has power to decide that the Commonwealth has no objection to the action; impose conditions on the action; or prohibit the action. This decision is primarily based on national interest considerations.

During December 2015, substantial changes were made to the Foreign Acquisitions and Takeovers Act 1975 (FATA), which resulted in certain acquisitions (foreign non-government investments in APRA-regulated entities) being carved out of the FATA, where an FSSA approval is also required. The FATA changes do not directly impact FSSA delegations, but the following practical arrangements have been made:
  • For a greater than 15 percent stake in entities with asset size greater than A$1 billion and where there is a foreign ownership component, FATA approval is not required and the Treasurer will consider the investment under the FSSA, with input from APRA on prudential issues.
  • For a greater than 15 percent stake in entities with asset size of A$1 billion or below and where there is a foreign ownership component, FATA approval is not required and delegation is with APRA. However, given that the FSSA requires a ‘national interest’ test which is broader than an assessment of prudential issues, APRA will refer these applications to the Treasury for an initial assessment.

If the merger or acquisition would have the effect of substantially lessening competition in a market, it is prohibited under Section 50 of the Competition and Consumer Act 2010 (CCA). The Australian Competition and Consumer Commission (ACCC) assesses acquisitions for compliance with Section 50, noting that exceptions for some specific situations are provided for in the Banking Act including exceptions relating to a recapitalization direction given by APRA, a sale or disposal of part or all of an ADI’s business by an ADI statutory manager, and the Financial Claims Scheme (FCS).

In the event that an acquisition is likely to substantially lessen competition, authorization can be sought from the Australian Competition Tribunal (ACT) under Section 95AT of the CCA if the merger parties consider there will be a net benefit to the public if the merger or acquisition proceeds.
EC3: The supervisor has the power to reject any proposal for a change in significant ownership, including beneficial ownership, or controlling interest, or prevent the exercise of voting rights in respect of such investments to ensure that any change in significant ownership meets criteria comparable to those used for licensing banks. If the supervisor determines that the change in significant ownership was based on false information, the supervisor has the power to reject, modify or reverse the change in significant ownership.
Description and findings re EC3: Ownership of an ADI is governed by the FSSA. The restrictions set out in the FSSA apply equally to new banks and to changes in ownership of existing banks. They also apply to changes in beneficial ownership. In other words, if the proposed change in ownership is more than 15 percent of the entity’s shares, the Treasurer has the power to reject or approve those cases. If the proposed operation pertains to a bank whose assets are less than A$1 billion, APRA has the power to approve or reject the application based on the delegation it has from the Treasurer for those cases.

While a formal definition of ‘national interest’ is not captured in the FSSA, assessments commonly consider the proposed transaction in terms of prudential issues, unsuitable influential person(s), undue economic power, and whether it is considered contrary to the national interest. Proposals not considered to be in the national interest are rejected.

The Treasurer or, where applicable, APRA as the Treasurer’s delegate, may revoke or vary an existing approval to hold a shareholding in excess of 15 percent if satisfied that it is in the national interest to do so, or if there has been a contravention of an existing approval. Powers also exist to obtain orders of the Federal Court of Australia including orders directing disposal of shares and orders restraining or disregarding the exercise of any rights associated with shares.
EC4: The supervisor obtains from banks, through periodic reporting or onsite examinations, the names and holdings of all significant shareholders or those that exert controlling influence, including the identities of beneficial owners of shares being held by nominees, custodians, and through vehicles that might be used to disguise ownership.
Description and findings re EC4: FSSA approval involves assessing a person’s stake in a financial sector company, which is the aggregate of the person’s voting power and the voting power of the person’s associates. This process of investigation over shareholders and associates provides a basis for understanding and assessing the ultimate ownership and/or control of a bank.

However, APRA does not routinely collect information on names and holdings of significant shareholders or those that exert controlling influence as part of ongoing supervision of ADIs.22 APRA can request a bank, on a case-by-case basis, to provide the full details of its owners under Section 62 of the Banking Act should APRA have doubts about whether undue influence is being exerted by owners of a bank.

Under subsection 26(5) of the FSSA, regulations made for the purposes of this section may make provision for or in relation to a matter by conferring a power on the Treasurer. For example, the regulations could provide that the Treasurer may, by written notice given to a financial sector company, require the company to give the Treasurer, within the period and in the manner specified in the notice, specified information about an ownership matter relating to the company.

As noted in BCP 5, APRA has introduced a phased approach to licensing new entrants (Restricted ADIs) to the banking industry. The purpose of the Restricted ADI license is to allow applicants to obtain a license while still developing the full range of resources and capabilities necessary to meet the prudential framework. For Restricted ADIs, APRA will receive regular reporting on major shareholders and significant changes (decreases or increases) in shareholding. This is required for Restricted ADIs as they will generally have concentrated shareholding, unlike ADIs which have wider ownership.
EC5: The supervisor has the power to take appropriate action to modify, reverse or otherwise address a change of control that has taken place without the necessary notification to or approval from the supervisor.
Description and findings re EC5: Where a person holds a stake in a financial sector company in excess of 15 percent and the holding of that stake or a higher percentage stake has not been approved by the Treasurer, an unacceptable shareholding situation exists. The Treasurer may apply to the Federal Court for orders to remedy this situation, including the making by the Court of a divestment order. Section 11 of the FSSA makes it an offence for a person to acquire shares where the person knows or is reckless as to whether the acquisition will result in an unacceptable shareholding situation coming into being in relation to that person or a third party.

APRA has delegation from the Treasurer to make an application to the Federal Court. There is no limit on this particular delegation, so APRA could make an application regardless of the size of the institution. APRA may initiate proceedings under Section 12, through a delegation the Treasurer has provided under Section 44, although the delegate is subject to the directions of the Treasurer (if any) in exercising the delegated power (Subsection 44(2) of the FSSA).

If a merger or acquisition proceeds in breach of Section 50 of the CCA (i.e., it would substantially lessen competition), the Federal Court of Australia can order divestiture of assets or declare the acquisition void on the application of the ACCC or any person.
EC6: Laws or regulations or the supervisor require banks to notify the supervisor as soon as they become aware of any material information which may negatively affect the suitability of a major shareholder or a party that has a controlling interest.
Description and findings re EC6: There is no explicit provision in the laws, regulations, or prudential standards that requires banks to notify APRA as soon as they become aware of any material information affecting the suitability of a major shareholder or party having controlling interest.

There is a very general provision under paragraph 34 of APS 222 requiring an ADI to notify APRA of any circumstances that might reasonably be seen as having a material impact and potentially adverse consequences for an ADI in the group or for the overall group. In accordance with this, APRA’s expectation is that a bank’s Board or senior management would alert APRA in a timely manner to matters considered to have the potential to adversely impact on the bank or its reputation. This would include situations where the shareholder’s influence was exercised through Board representation and doubts were raised about governance standards or the fitness and propriety of directors (matters specifically addressed in the Prudential Standards).
Assessment of principle 6: Materially Non-Compliant
Comments: The FSSA defines the threshold beyond which the ownership stake in an ADI requires a prior approval. However, the FSSA gives the Treasurer the power to approve these cases based on national interest considerations. While the Treasurer has delegated to APRA the approval of changes in significant ownership for banks with assets of less than A$1 billion, this is only a partial delegation and can be withdrawn if the Treasurer decides so. While the Treasurer would ordinarily seek APRA’s advice in cases not delegated to APRA, it is left to the Treasurer whether to seek this advice and to follow it. As such, APRA has only limited control over the change in the significant shareholders.

In addition, the criteria for approval of a significant change in ownership are based on “national interest” considerations which are not defined in the FSSA. Therefore, it is not clear to what extent these considerations take into account the fitness, propriety and suitability of the significant shareholders. It is also not clear to what extent the approval applies to ultimate beneficiary owners particularly when an ADI has a complex ownership structure that includes more than two layers of ultimate beneficiary owners (i.e., multiple holding companies or corporate owners).

In cases of change in significant owners that took place without the necessary approval, APRA can act under delegation from the Treasurer to make an application to the Federal Court. However, this power to act also depends on the continuation of the delegation it has from the Treasurer. If this delegation is withdrawn, APRA will have no powers to apply to the court to cancel or reverse an unapproved change in control.

Another gap is related to the lack of regular reporting by banks or ADIs to APRA about their significant owners, including the ultimate beneficiary owners. This does not allow APRA to know about changes in owners and examine the suitability of new shareholders as well as cases where a change in ownership happened without the needed approval. The Treasurer and APRA would rely on their powers to ask for such information on a case-by-case basis or on the entity notifying them about that change.

In addition, there is no explicit provision in the laws, regulations, or prudential standards that requires banks to notify APRA as soon as they become aware of any material information affecting the suitability of a major shareholder or party having controlling interest.

Based on all the above constraints and gaps, the assessors believe that there is a material non-compliance with this principle.
Principle 7: Major acquisitions. The supervisor has the power to approve or reject (or recommend to the responsible authority the approval or rejection of), and impose prudential conditions on, major acquisitions or investments by a bank, against prescribed criteria, including the establishment of cross-border operations, and to determine that corporate affiliations or structures do not expose the bank to undue risks or hinder effective supervision.
Essential criteria
EC1: Laws or regulations clearly define:
  • (a) what types and amounts (absolute and/or in relation to a bank’s capital) of acquisitions and investments need prior supervisory approval; and

  • (b) cases for which notification after the acquisition or investment is sufficient. Such cases are primarily activities closely related to banking and where the investment is small relative to the bank’s capital.

Description and findings re EC1: Requirements for APRA approval of acquisitions and investments and notifications to APRA are set out in Prudential Standard APS 222 Associations with Related Entities (APS 222). Foreign bank branches are subject to paragraphs 14 to 25 of APS 222.

Prior consultation/ approval requirements

APS 222 requires that a bank must consult with APRA before:
  • - establishing or acquiring a subsidiary (other than an entity that is to be used purely as a special purpose financing vehicle for the bank);

  • - committing to any proposal to acquire an equity interest of more than 20 percent in another entity; or

  • - taking up equity interest in an entity arising from the work-out of a problem exposure where the interest exceeds certain specified thresholds.

A bank must also obtain APRA’s prior written approval under APS 222 for:
  • - the establishment or acquisition of a regulated presence domestically or overseas; or

  • - any proposed exposures in excess of the prudential limits on exposures to related parties prescribed in APS 222.

A bank’s exposure to a related entity is the aggregate of all claims, commitments and contingent liabilities arising from on and off-balance sheet transactions (in both the banking and trading books) with the related entity.

Approval of any proposed exposure that exceeds the prescribed limits in APS 222 will only be given on an exceptional basis where APRA is satisfied that the proposed exposure may reasonably be expected not to expose the bank to excessive risk. Even in these cases, APRA may impose a higher prudential capital requirement. APRA expects banks to consult at an early stage of any such proposed activities.

As noted previously, if a bank proposes to acquire a stake in an Australian financial sector company (including an ADI, general insurer, life insurer or a holding company thereof) in excess of 15 percent, the bank requires the prior approval of the Treasurer (or, where applicable, APRA as the Treasurer’s delegate) under the FSSA. Section 14 of that Act endows the Australian Treasurer with broad discretion to grant or refuse such approval on national interest grounds.

Prudential Standard 3PS 222 Intra-group Transactions and Exposures (3PS 222) requires that associations and dealings within a Level 3 group do not expose prudentially regulated institutions within the group to excessive risk. Under 3PS 222, APRA requires the ITE (intra-group transactions and exposures) policy of the Level 3 group to include limits on acceptable levels of ITEs for a level 3 institution in the level 3 group having regard to, among other things:
  • - the level 3 institution’s Board approved limits on exposures to unrelated institutions of broadly equivalent credit status; and

  • - the potential impact on the Level 3 group’s capital and liquidity positions, as well as the institution’s ability to continue operating, as a result of failure of any other institution in the group.

Where in APRA’s view, the level 3 group is exposed to a significant level of ITEs, APRA may require a level 3 Head to limit or reduce the level 3 group’s level of ITEs.

Notification requirements

An ADI must:
  • - report any equity investments that are not subject to the prior consultation requirements set out in paragraph 31 of APS 222 (as stated above) in writing to APRA within three months of undertaking the investment (paragraph 33 of APS 222);

  • - notify APRA (in accordance with section 62A of the Banking Act) of any material breach of prudential limits on exposures to related entities established in APS 222; and

  • - notify APRA of any circumstances that might reasonably be seen as having a material impact and potentially adverse consequences for an ADI in the group or for the overall group (paragraph 34 of APS 222).

EC2: Laws or regulations provide criteria by which to judge individual proposals.
Description and findings re EC2: Criteria/guidelines to assess individual proposals are listed below.

Prudential framework

When a bank proposes to acquire a stake in an Australian financial sector company (an ADI, general insurer, life insurer or a holding company thereof) in excess of 15 percent, the prior approval of the Treasurer (or, where applicable, APRA as the Treasurer’s delegate) is required under Section 14 of the FSSA. Section 14 of that Act endows the Treasurer with broad discretion to grant or refuse such approval on grounds of national interest. (See BCP 6 for more details).

APRA aims to ensure that banks give due consideration to the risks and prudential implications associated with proposed acquisitions or investments. Given this, prudential standard CPS 220 Risk Management (CPS 220) states that APRA would expect that an ADI or Head of the Group, as part of the group risk management framework, have a comprehensive group-wide view of all material risks, including an understanding of the roles and relationships of subsidiaries to one another and to the Head of the group.

As per Prudential Practice Guide CPG 220 Risk Management (CPG 220), contagion risks arising from issues identified with related parties including any non-APRA regulated institution should be captured in assessing the risk profile of an institution.

The prudential standards do not stipulate specific criteria by which APRA should judge individual proposals. These criteria are left to APRA and are set in APRA’s internal guidelines.

Internal guidelines

Internal guidelines are in place to assist APRA supervisors in assessing individual proposals. Supervisors typically evaluate the following matters when considering whether to grant consent in respect of a bank’s proposal to proceed with an acquisition or investment:
  • - the strategic rationale of, and future business plans for, the acquisition/ investment;

  • - how the acquisition/investment is to be funded and the expected impact on capital and profitability;

  • - the quality and effectiveness of the due diligence process undertaken by the bank;

  • - in some circumstances, whether the acquisition is in the national interest, which may entail APRA supervisors assessing:

    • prudential conduct: whether the proposal is likely to adversely affect the prudential conduct of the affairs of the company in particular the bank’s capacity to meet prudential requirements, including capital position and management; group organizational structure and corporate governance, prior and subsequent to the transaction; risk management systems and controls to be applied to the new business including major changes that would occur; funding and risk appetite for the new business; fitness and propriety of key people; the position of the home supervisor where relevant; and the bank’s capacity to manage integration issues (including compatibility of IT systems, staffing, reporting to board and management);

    • unsuitable influential person: whether the proposal is likely to result in an unsuitable person being in a position of influence over the company;

    • economic power: whether the proposal is likely to unduly concentrate economic power; or

    • national interest: whether the proposal could adversely affect the stability and strength of the banking industry or the Australian financial system, whether the proposal could adversely affect the interests of deposit holders, whether the proposal is contrary to Australia’s foreign investment policy, and any other matters that are considered relevant.

When assessing the prudential conduct of the affairs of the company, the supervisor will also need to give due consideration to the:
  • - capital position: consider the amount and source of capital to be invested or the effect of any capital reductions. The capital position for regulatory capital purposes should be assessed before and after the acquisitions;

  • - capital management: consider how the companies manage their capital before and after the acquisition and look at any projected capital targets;

  • - financial viability: what will the financial performance be after the acquisition including any market forecasts;

  • - risk management: review the current Risk Management Strategy (RMS) and identify the major changes which will occur. Consider the proposed RMS for the combined entity and if this is adequate;

  • - governance: consider the governance arrangements of the entity prior and subsequent to the transaction (refer to APS 510 – Governance);

  • - fit and proper: consider the Fit and Proper policy of the entity and the fitness and propriety of the responsible persons prior and subsequent to the transaction (refer to APS 520 – Fit and Proper); and

  • - integration: key integration issues are organizational culture and design, risk management framework, systems integration, filling senior executive positions, and brand management.

EC3: Consistent with the licensing requirements, among the objective criteria that the supervisor uses are that any new acquisitions and investments do not expose the bank to undue risks or hinder effective supervision. The supervisor also determines, where appropriate, that these new acquisitions and investments will not hinder effective implementation of corrective measures in the future.23 The supervisor can prohibit banks from making major acquisitions/investments (including the establishment of cross-border banking operations) in countries with laws or regulations prohibiting information flows deemed necessary for adequate consolidated supervision. The supervisor takes into consideration the effectiveness of supervision in the host country and its own ability to exercise supervision on a consolidated basis.
Description and findings re EC3: In accordance with APS 222 and CPS 220, APRA considers a wide range of matters pertaining to the risks and prudential implications associated with proposed acquisitions or investments. In practice, APRA will engage with the bank to ascertain how the bank proposes to comply with APRA’s prudential requirements post-acquisition. Key areas of focus include capital position, capital management, financial viability, risk management, governance, fit and proper, and integration as outlined in EC 1 above.

APRA also assesses the existing level of the bank’s exposures to related entities and whether there will be any adverse reputational impact on the bank and how the bank proposes to manage and mitigate such impact.

If APRA is not satisfied that a bank will be able to comply with prudential or reporting requirements in respect of an acquisition or investment, APRA would not consent to the bank proceeding with a proposed acquisition. In certain circumstances, APRA has powers under Section 11CA of the Banking Act to direct a bank or authorized NOHC not to proceed with a proposed acquisition or investment, or otherwise divest itself of the relevant interest. Examples of such circumstances include the bank or NOHC having contravened a condition of its authorization, the Banking Act, or where its financial condition is materially impaired or unsound.

Where a bank wishes to acquire a significant holding in a financial institution in another country, the quality of prudential supervision in that country is one of APRA’s key considerations. In such cases, APRA would seek to discuss significant acquisitions/ investments with the relevant authorities/ agencies.

APRA supervises banks on a Level 1 and consolidated (Level 2 and Level 3 (when required)) basis irrespective of whether the holding relates to a domestic or foreign entity. APRA’s approval process would ensure that the acquisition does not jeopardize its ability to exercise consolidated supervision. Where APRA has reservations, it would respond in a manner appropriate to the circumstances. This may involve more intensive oversight of the operation of the foreign entity through the parent bank, requiring additional capital to be held or imposing specific risk management requirements. Alternatively, APRA may impose strict limits on the bank’s exposure to the foreign entity or require other measures designed to limit the risk taken by the foreign entity and/or limit the contagion risk to the parent bank.
EC4: The supervisor determines that the bank has, from the outset, adequate financial, managerial, and organizational resources to handle the acquisition/investment.
Description and findings re EC4: APRA has a comprehensive and structured process for assessing acquisitions/investments. Assessments require consideration of a wide spectrum of prudential and other relevant issues including with respect to the adequacy of financial and organizational resources. Factors include but are not limited to:
  • - the quality and completeness of the due diligence process undertaken in relation to the acquisition/investment;

  • - the size, nature and strategic intent and rationale for the acquisition or investment;

  • - capital adequacy following acquisition/investment;

  • - funding and liquidity considerations;

  • - impact of the acquisition/investment on risk management systems and capabilities including proposed credit limits and delegation authorities; and

  • - governance and oversight arrangements including an ability to meet financial and prudential reporting needs as well as apply sound project management practices associated with major acquisitions/investments.

In the case of major acquisitions APRA’s practice has been to review relevant Board or committee meeting minutes and associated papers as well as key policy and strategic documentation, which typically includes:
  • - due diligence reports;

  • - capital management plans typically covering a period of three years and reflective of outcomes under different scenarios (for example, low growth, higher NPLs);

  • - revised organizational structures and associated material of roles and responsibilities and how the revised delegation structure operates;

  • - business plans;

  • - the policy framework for credit and operational risks, including aspects such as IT platforms, systems integration, customer-facing systems, etc.;

  • - project management plans and details of how the transition and integration process would be managed;

  • - revised funding plans incorporating varied scenarios and different time horizons; and

  • - plans by financial control staff detailing how financial and prudential reporting requirements would be satisfied from the outset and on an ongoing basis.

EC5: The supervisor is aware of the risks that nonbanking activities can pose to a banking group and has the means to take action to mitigate those risks. The supervisor considers the ability of the bank to manage these risks prior to permitting investment in nonbanking activities.
Description and findings re EC5: At the time of acquisition, APRA would assess on a risk basis whether the ADI/NOHC has a robust and comprehensive risk management framework to effectively monitor and manage contagion risk.

APRA Prudential Standard on risk management (CPS 220) requires the Board of the Head of a group to have a comprehensive group wide view of all material risks. CPS 220 also requires the Head of a group to maintain processes to coordinate the identification, measurement, evaluation, monitoring, reporting, and controlling or mitigating all material risks across the group in normal times and periods of stress.

Under APS 222, an ADI must satisfy APRA that it has adequate systems and controls to identify, review, monitor and manage exposures arising from dealings with related entities. APRA may require an ADI to establish additional internal controls, more robust reporting mechanisms and/or a higher PCR if APRA is not satisfied with the adequacy of the ADI’s systems and controls.

In the case of a Level 3 group, 3PS 222 states that where in APRA’s view, the Level 3 group is exposed to a significant level of ITEs, APRA may require the Level 3 Head to limit or reduce the Level 3 group’s level of ITEs.

APRA supervisors routinely monitor the level of the bank’s exposures to its related entities and request further information from the bank where required.
AC1: The supervisor reviews major acquisitions or investments by other entities in the banking group to determine that these do not expose the bank to any undue risks or hinder effective supervision. The supervisor also determines, where appropriate, that these new acquisitions and investments will not hinder effective implementation of corrective measures in the future.24 Where necessary, the supervisor is able to effectively address the risks to the bank arising from such acquisitions or investments.
Description and findings re AC1: To the extent that other entities are subsidiaries of a bank, the prior consultation/approval requirements under APS 222 apply. If the acquiring entity is outside the banking group and it is considered material, APRA would expect that the Head of the group informs APRA of any contagion risks and how they are being managed.

If the acquiring entity is part of the Level 3 group, APRA would expect that the Head of the group notifies APRA of the acquisition including whether the acquisition is within the ITE policy.
Assessment of Principle 7: Compliant
Comments: APRA Prudential Standard 222 establishes clear provisions on acquisitions and investments that need prior supervisory approval or prior notification to APRA. While the existing regulations and prudential standards do not exactly define the criteria by which APRA assesses individual proposals, APRA’s internal guidelines provide a detailed list of criteria and considerations to make when the supervisors assess individual cases. These include, among others, the assessment of the prudential implications for the ADI as well as other risk management and fit and proper considerations. It may be better to list these criteria in a prudential standard to ensure that they are known by ADIs and other stakeholders. The consultative revisions to the related party framework issued by APRA on July 2, 2018, include the main criteria APRA considers in relation to major acquisitions.

In assessing the applications, APRA seems aware of the need to ensure that the proposed acquisition does not hinder the effective exercise of consolidated supervision of the acquiring entity and APRA takes into account the risks that nonbanking activities can pose to the group.
Principle 8: Supervisory approach. An effective system of banking supervision requires the supervisor to develop and maintain a forward-looking assessment of the risk profile of individual banks and banking groups, proportionate to their systemic importance; identify, assess and address risks emanating from banks and the banking system as a whole; have a framework in place for early intervention; and have plans in place, in partnership with other relevant authorities, to take action to resolve banks in an orderly manner if they become non-viable.
Essential criteria
EC1: The supervisor uses a methodology for determining and assessing on an ongoing basis the nature, impact and scope of the risks:
  • (a) which banks or banking groups are exposed to, including risks posed by entities in the wider group; and

  • (b) which banks or banking groups present to the safety and soundness of the banking system.

The methodology addresses, among other things, the business focus, group structure, risk profile, internal control environment, and the resolvability of banks, and permits relevant comparisons between banks. The frequency and intensity of supervision of banks and banking groups reflect the outcome of this analysis.
Description and findings re EC1: APRA’s supervisory regime is principles based with little in the way of highly prescriptive standards. The principles-based philosophy is deeply ingrained in the supervisors and supervisory approach and APRA’s prudential standards clearly state and are largely focused on the underlying responsibilities of firms’ boards of directors and management teams, which in a number of areas are required to provide attestations and/or regular reporting to APRA regarding the adequacy of internal processes. A significant share of APRA’s supervisory resources is focused on the large firms, including the four major banks, which together hold over 80 percent of Australia’s banking system assets.

APRA uses a risk-focused approach to supervision of ADIs. They have in place a number of practices for assessing risks to individual institutions, and also have processes for reviewing risks to the financial system as a whole. These assessments are inputs into the processes for determining supervisory activities to be undertaken by APRA, which are detailed in Supervisory Action Plans (SAP) for each firm. SAPs outline the specific supervisory activities to be carried out over a 1–2-year period. Risk assessment processes, discussed below, and resulting SAPs identify the frequency and intensity of needed supervision activities.

PAIRS is the risk assessment approach for individual ADIs, focusing on the probability of failure of an ADI and the impact of such a failure. PAIRS is expected to be a dynamic process, and to be updated as warranted by a range of supervisory work, newly available information and analysis carried out throughout the year. A review of the comprehensive PAIRS assessment must be carried out on at least an annual basis and be informed by supervisory activities, including prudential reviews and consultations (i.e., formal discussions with the firms) and analysis carried out by frontline supervisors, risk specialists, and offsite analysts. Not every PAIRS category is fully assessed each year as PAIRS updates will be performed in a risk-focused manner and those areas deemed to warrant updating as a result will be addressed.

There is no explicit requirement of a cycle during which the areas in PAIRS are covered by in-depth reviews. Monitoring and analyses of firms’ risk positions/profile, as well as an understanding of the strengths and weaknesses of firms’ risk management and control practices, help the supervisors determine which areas to cover in a given year.

PAIRS assesses three major components across ADIs and banking groups and integrates them into an overall assessment: (i) inherent risk; (ii) management and controls; and (iii) capital support. To derive those three high level assessments, PAIRS specifically includes assessments of the Board of Directors; Management; Risk Governance; Strategy and Planning; Liquidity; Operational Risk; Credit Risk; Market and Investment Risk; Insurance Risk; and Capital Support, which includes assessments of capital adequacy, earnings and “access to new capital.” Each of these areas is weighted for the purposes of coming up with an overall assessment, which is derived by a mechanical process that quantifies the assessment based on a combination of the assessments and weights of each of these areas. To promote comparability and provide for consistency of ratings across ADIs, APRA uses a common and structured process for combining assessments of these components into ‘probability of failure’ and ‘impact’ ratings. They also undertake “benchmarking” exercises across ratings for groups of firms to promote consistency. IMF assessors saw the impact of this benchmarking in revisions to ratings that APRA staff stated were driven by benchmarking.

The outcome of the PAIRS assessment process is the ratings for probability of failure and impact. APRA uses five probability of failure rating categories: ‘Low,’ ‘Lower Medium,’ ‘Upper Medium,’ ‘High,’ or ‘Extreme’ and four impact of failure ratings: ‘Low,’ ‘Medium,’ ‘High,’ and ‘Extreme.’ The impact rating is primarily a function of balance sheet size, with a focus on market share of liabilities. However, the PAIRS framework also allows for a manual adjustment to the impact scale should factors such as substitutability, interconnectedness, or complexity determine that the impact category needs to be adjusted. All of the major banks receive a high level of supervisory attention as problems at those firms would be expected to have a significant impact; all are assessed as ‘extreme’ impact. As a hypothetical example, the combination of an extreme probability of failure and an extreme impact rating would lead to the greatest level of supervisory attention.

The PAIRS assessments drive the SOARS, which is used to determine the supervisory intensity for an ADI based on the PAIRS assessment (though as noted above all major banks receive a high level of supervisory scrutiny). SOARS is comprised of four categories: ‘Normal,’ ‘Oversight,’ ‘Mandated Improvement,’ and ‘Restructure,’ with progressively greater supervisory actions, intensity and focus being required as one moves along the scale from ‘normal’ to ‘restructure.’

Supervisory Action Plans (SAP)

The SAP is the plan for supervisory activities covering the next 1–2 years. A SAP may cover a range of supervision activities to address known key risks and issues or to identify new or emerging risks. The SAP includes the timing, scope, objectives, and desired outcomes of supervision activities to address key risks and issues. SAPs may be developed for an ADI or the ADI’s full banking group. A SAP may be revised as warranted, if the supervisors feel that some issues have become more or less important. A delegated manager must sign off on any change in the initial plan—either an addition or a removal of a planned item.

APRA is continuing to work to design and implement a resolution planning regime. Currently they work collaboratively with other members of the CFR and have plans in place for coordination. In the interim, APRA has undertaken resolution planning on a case-by-case basis, and is engaged in an ongoing resolution planning project with one large bank. This project includes an assessment of the bank’s critical functions, critical shared services and overall resolvability. The outcomes of this project will inform APRA’s prudential framework for resolution planning.
EC2: The supervisor has processes to understand the risk profile of banks and banking groups and employs a well-defined methodology to establish a forward-looking view of the profile. The nature of the supervisory work on each bank is based on the results of this analysis.
Description and findings re EC2: The actions involved in deriving the inherent risk portion of the PAIRS assessments, discussed in CP8, EC1 above, are the primary processes for undertaking a forward-looking assessment of an ADI’s risk profile. APRA uses both onsite work and offsite supervisory assessments to assess the risk profiles of ADIs.

The overall PAIRS rating will result in a SOARS stance. Both are inputs into the SAP for each ADI. Through ongoing analyses and the supervisory assessments carried out as per the SAP, APRA maintains a view of an ADI’s risk profile.

Offsite processes for assessing ADIs’ risk profiles include analyses of information on a firm’s operations, exposures and financial condition, as well as of the current and prospective operating environments. These are supported by staff from the Risk & Data Analytics Division. These include a group of specialists in various risk classes that undertake analyses and participate in firm-specific prudential reviews and thematic reviews across groups of firms as needed, and the Strategic Intelligence unit, which incorporates analyses of individual firms and the industry more broadly, including drawing on analyses generated by rating agencies and market participants, along with the views of the supervisors. APRA is building up its use of data-driven analytical work undertaken by offsite analysts to inform considerations of supervision direction and strategy, as well as to provide tools for frontline supervisors and risk specialists to undertake analyses of various risk areas. IMF assessors were walked through work of risk specialists and the strategic intelligence unit in the Risk & Data Analytics Division, which is a key participant in this evolving process.
EC3: The supervisor assesses banks’ and banking groups’ compliance with prudential regulations and other legal requirements.
Description and findings re EC3: APRA’s general supervision philosophy is based on the principle that the board of directors and its senior management team are responsible for ensuring the firm is run in a manner consistent with prudential and legal requirements. CPS 220, Risk Management, states that an APRA-regulated institution must have a designated compliance function that assists senior management of the institution to effectively manage all compliance risks. This includes a group-wide compliance function that manages compliance risks across the group. It is the responsibility of the firm to ensure compliance with prudential and legal requirements, and to report to APRA in cases where there has been a breach. Firms must review and report to APRA on an annual basis that their practices provide for compliance with APRA’s prudential standards. These reviews are often carried out by external parties such as accounting and financial services consulting groups.

APRA supervisors carry out reviews of an ADI’s compliance framework as part of its risk governance assessments. Such reviews focus on: (i) the setting of policies and procedures for maintaining compliance with legal and regulatory requirements; (ii) the monitoring of compliance with policies and procedures; and (iii) the reporting on legal and regulatory compliance matters to senior management and the Board. APRA supervisors focus on the sufficiency of compliance resources, the status of the compliance unit within the ADI and/or group and the adequacy of testing and supporting compliance programs. They also are expected to review the effectiveness of related oversight functions, including the role and effectiveness of internal audit. The responsibilities of internal audit are set forth in prudential standard APS 310. The CEO and Board of Directors are required to provide APRA with a risk management declaration stating that, to the best of their knowledge and having made appropriate enquiries, in all material respects:

• the institution has in place systems for ensuring compliance with all prudential requirements;

• systems and resources that are in place for identifying, measuring, evaluating, monitoring, reporting, and controlling or mitigating material risks, and the risk management framework, are appropriate to the institution, given the size, business mix and complexity of the institution;

• the risk management and internal control systems in place are adequate and operating effectively;

• the institution has a risk management strategy (RMS) that complies with this Prudential Standard, and the institution has complied with each measure and control described in the RMS; and

• the APRA-regulated institution is satisfied with the efficacy of the processes and systems surrounding the production of financial and risk information at the institution.

Specific assessments of other risk management areas—e.g., credit risk, market risk, etc.—allow APRA supervisors to assess compliance with the relevant requirements in those areas. APRA regularly assesses banks’ risk management frameworks, including assessments of the effectiveness of compliance functions.

Supervised ADIs are required to submit regular reports with data that show their compliance with prudential requirements, including those for capital, liquidity, large exposures, etc. ADIs are required to report to APRA any significant breaches of prudential requirements they have identified.
EC4: The supervisor takes the macroeconomic environment into account in its risk assessment of banks and banking groups. The supervisor also takes into account cross-sectoral developments, for example in nonbank financial institutions, through frequent contact with their regulators.
Description and findings re EC4: APRA has a number of processes for viewing the macro environment and cross-sectoral risks. APRA’s Risk & Data Analytics Division supports supervisors by providing analyses of the macroeconomic environment, cross-sectoral developments and systemic risks, and by providing information that is meant to assist with the risk assessments and SAP development carried out by the supervisors for ADIs and banking groups. Specific products for these purposes include:

1) Quarterly Industry Outlooks—quarterly reports on the banking industry that assess key system risks are prepared by the Strategic Intelligence team within Data Analytics and provided to users in APRA.

2) ‘Analytic Dashboards, Toolkits and Exception Reports’ to allow supervisors to identify risks at an entity level and conduct peer comparisons and trend analysis to identify outliers. These tools may also be used to aggregate information to identify broader systemic risks at an industry and more macro level;

3) Industry stress test exercises which further inform supervisors of potential systemic and entity-specific vulnerabilities as an input to the ongoing assessment of an institution’s risk profile;

4) Annual banking industry reports providing an overview of key risks and the outlook for the industry;

5) the Supervision and Resolution Committee report, which provides an overview of the current state of various risk indicators as well as emerging issues that may need to be considered; and

6) meetings with the RBA and the CFR during which macro and potentially systemic issues are discussed. IMF assessors observed such discussions in the minutes of a CFR meeting. The RBA analyzes the condition of the financial system and provides information to APRA on potential risks and vulnerabilities. RBA also meets with the front-line supervisors and provides a briefing on its financial stability reports.

APRA’s ADI Industry Group meets monthly to discuss current and emerging risks in the banking industry. These discussions include consideration of macroeconomic factors that may impact the industry. Risks identified may result in a thematic review being conducted, direct action for supervisors across firms or at specific firms, or for a ‘watch’ to be placed on the risk to promote closer monitoring.

Recommended actions that result from these processes are presented to APRA’s Supervision and Resolution Committee and, in case of significant recommendations or policy changes, the Prudential Policy Committee (PPC).

A recent example cited by APRA is the mortgage lending benchmarks applied to reduce the buildup of risks in banking books across the industry. These were discussed at the CFR and by the Industry Group and resulted in a working group being formed and tasked with designing and implementing the benchmarks.
EC5: The supervisor, in conjunction with other relevant authorities, identifies, monitors and assesses the build-up of risks, trends and concentrations within and across the banking system as a whole. This includes, among other things, banks’ problem assets and sources of liquidity (such as domestic and foreign currency funding conditions, and costs). The supervisor incorporates this analysis into its assessment of banks and banking groups and addresses proactively any serious threat to the stability of the banking system. The supervisor communicates any significant trends or emerging risks identified to banks and to other relevant authorities with responsibilities for financial system stability.
Description and findings re EC5: As discussed above in P8, EC 1, APRA monitors ADIs’ risks as part of its regular on- and offsite supervision processes. Specific areas include credit risk, liquidity, market risk, capital and financial performance. The outcomes of this monitoring are direct inputs into PAIRS, which requires supervisors to assess the risks to which an institution is exposed, risk management and controls to mitigate those risks, and the capital support available to absorb losses relative to a firm’s risk profile.

The status of risks across the industry is monitored and discussed by the ADI Industry Group, which includes senior APRA staff and management. The banking industry group monitors industry performance, financial condition and emerging risks and developments across the industry and provides analyses and reports to senior management and frontline supervisors for consideration in their design of supervision strategy and action plans.

APRA’s RDA Division provides support to APRA’s frontline supervisors by monitoring the macroeconomic environment, cross sectoral developments and systemic risks. Information is provided to supervisors to assist with the ongoing risk assessment and SAP development for ADIs/ banking groups. This includes:
  • researching and producing quarterly industry outlooks on regulated industries based on analysis of the macroeconomic environment and industry developments;

  • developing and maintaining analytical dashboards, toolkits and exception reports to allow supervisors to identify risks at an entity level and conduct peer comparisons and trend analysis to identify outliers. These tools are also used to aggregate information to identify broader, systemic risks at an industry and more macro level. APRA’s major initiative ‘Program Athena’ is expected to further transform APRA’s analytical capabilities by modernizing the way APRA collects, stores and provides access to data;

  • coordinating industry stress test exercises which further inform frontline supervisors of potential systemic and entity-specific vulnerabilities as an input to the ongoing assessment of an institution’s risk profile; and

  • production of annual industry reports providing an overview of developments, key risks and the forward outlook for each industry.

In addition, APRA monitors credit growth at individual firms and across the industry; undertakes surveys on credit conditions and lending standards; and monitors asset quality metrics, credit concentrations, including large exposures, exposures to related parties and exposures to the housing market. In addition, market risk is monitored on an ongoing basis through a variety of processes, including the review of information on risks and positions provided in relation to capital calculations for advanced approaches firms.

Under the LCR regime, APRA collects and analyses data on liquidity on a regular basis. Supervisors also carry out annual thematic reviews covering liquidity risk management elements as part of the RBA’s Committed Liquidity Facility application process. APRA monitors funding profiles, including the build-up of short-term wholesale funding and currency exposures from funds raised in foreign currencies to fund Australian operations. APRA conducted a review of the liquidity risk profiles and risk management practices across the major ADIs in 2016–2017.

APRA coordinates banking industry stress tests and can use the results to make quantitative assessments of the resilience of selected ADIs when subject to stress; assess ADIs’ stress testing capabilities and provide recommendations for improvement where needed; and support APRA’s ongoing identification of current and emerging risks.

APRA and the RBA have meetings to discuss risk issues in the industry both on an ad hoc basis and as part of their participation in CFR working groups. The CFR includes the major supervisors for financial services and the RBA, and where specific areas of risk may be of concern with respect to financial stability, CFR participants would discuss them as part of their regular meetings. The CFR has a number of Working Groups, including on cyber security, housing market risks, OTC derivatives, and FMI crisis management.

In addition, APRA has bilateral liaison meetings with the RBA, Treasury and ASIC, where key industry developments and risks can be discussed.
EC6: Drawing on information provided by the bank and other national supervisors, the supervisor, in conjunction with the resolution authority, assesses the bank’s resolvability where appropriate, having regard to the bank’s risk profile and systemic importance. When bank-specific barriers to orderly resolution are identified, the supervisor requires, where necessary, banks to adopt appropriate measures, such as changes to business strategies, managerial, operational and ownership structures, and internal procedures. Any such measures take into account their effect on the soundness and stability of ongoing business.
Description and findings re EC6: APRA’s role and powers with respect to resolution were expanded by the Financial Sector Legislation Amendment (Crisis Resolution Powers and Other Measures) Act of 2018. APRA is the resolution authority in Australia. It is working with the other CFR agencies to identify key risks and likely crisis scenarios in the Australian financial system, and has undertaken crisis scenario table top exercises to flesh out relevant issues, sticking points, etc., and the CFR is working to develop cross-agency crisis plans and toolkits.

APRA is currently working to develop a formal supervisory framework for resolution planning and plans to begin the process of consultation on a formal framework for recovery and resolution planning in 2019.

To date, APRA has undertaken some targeted resolution planning work and currently is working on a resolution planning project with one large bank. This project includes an assessment of the bank’s critical functions, critical shared services and overall resolvability. The outcomes of these efforts will inform the design of APRA’s prudential framework for recovery and resolution planning.

APRA’s planned stated approach is to work with an ADI to ensure that barriers to resolution are addressed in a way that takes into account the ‘soundness and stability’ of the ADI. In keeping with what assessors observed was APRA’s general preference to work with firms to address challenges rather than issuing prescriptive requirements, APRA anticipates that issuing a formal direction to make changes to an ADI’s systems, business practices or structure of operations would happen only as a last resort.
EC7: The supervisor has a clear framework or process for handling banks in times of stress, such that any decisions to require or undertake recovery or resolution actions are made in a timely manner.
Description and findings re EC7: APRA has a process for addressing banks that may be experiencing stress or are otherwise identified as having problems that may require APRA to use formal measures to force a bank to take specific actions. The Enforcement and Escalation Committee (EEC) is an advisory body for actions on banks experiencing stress. The EEC includes members from supervision, resolution, and legal functions. It is expected to facilitate a coordinated and timely approach to any decisions that may involve APRA using statutory powers with respect to an ADI. Although not a decision-making body, the EEC is a key advisory body in circumstances where APRA is considering taking action beyond its usual supervisory actions.

The EEC meets on a monthly basis and maintains a ‘watch list’ of potential problem entities, based on the SOARS ratings and other information provided by supervisors. Escalation to the EEC will be the first step in cases where there is a reasonable prospect of exercising powers in respect of an entity. In more severe circumstances (e.g., the imminent failure of an ADI) the process would be for the EEC to recommend that a Financial Crisis Management Team (FCMT), made up of APRA representatives from supervision, resolution, enforcement and legal functions, is set up to oversee the resolution of the ADI. In the event this course is taken, the FCMT is the principal decision-making body for the resolution of the ADI.

APRA’s processes for handling distressed ADIs also involve cooperation with other domestic agencies and the RBNZ for the major banks. APRA, in deciding on an appropriate course of action to resolve the ADI, would consult with the CFR. In the case of a systemic crisis, the CFR would be the vehicle through which a coordinated response to the crisis is prepared, with each agency performing its respective functions.
EC8: Where the supervisor becomes aware of bank-like activities being performed fully or partially outside the regulatory perimeter, the supervisor takes appropriate steps to draw the matter to the attention of the responsible authority. Where the supervisor becomes aware of banks restructuring their activities to avoid the regulatory perimeter, the supervisor takes appropriate steps to address this.
Description and findings re EC8: The use of the word ‘bank’ in the financial service business is restricted by Section 66 of the Banking Act and requires approval by APRA. Actions taken by APRA include:

• monitoring the financial services industry and reviewing intelligence on entities inappropriately using the word bank or conducting banking business without authority;

• holding discussions with bank executives to bring activities within the regulatory perimeter where concerns are identified. This could also involve introducing a capital charge for certain activities using Pillar 2;

• revising the prudential framework—the definition of a Level 2 ADI Group was broadened to incorporate wealth management holding companies to address capital arbitrage issues;

• influencing the restructure of Groups such that bank and nonbank activities are separated appropriately, and banking activities are conducted only by the banking arm; and

• introduction of the Level 3 framework for banking groups (effective July 2017), which include unregulated entities, so that APRA has a wider reach across group operations.
Assessment of Principle 8: Largely Compliant
Comments: APRA has a strong supervisory approach that provides for the identification of the significant risks facing the industry and individual banks, as well as coverage of key governance, risk management and control practices across regulated banks and banking groups. The combination of onsite and offsite reviews and analyses allows for issues to be identified either through direct interaction with supervised firms or through analyses of individual firms and the industry more broadly. The input from risk specialists and offsite analysts conducted by the RDA Division, combined with the knowledge of the ‘frontline’ supervisors on the specific practices and strategies of individual firms, provides for a broad set of perspectives when considering supervisory direction and strategy. Frontline supervisors are formally responsible for setting supervision plans, though there is expected to be broad engagement and collaboration across the different areas mentioned above and assessors did observe that supervision planning incorporated input from across groups at APRA.

APRA’s risk-focused, principles-based approach to supervision places substantial responsibilities on the firms’ boards of directors and senior management teams with respect to ensuring the firms have effective processes for identifying and managing the risks they face given their strategies, business activities and the environment in which they operate. To support this, APRA requires a variety of periodic reporting from firms on the effectiveness of their processes. APRA’s significant use of requiring firms to self-identify—with the help of internal and/or more often external parties hired by the bank to support their internal assessments—and report areas of weakness in their processes for risk management and controls and for complying with all prudential standards may be an appropriate, efficient and effective way to optimize the use of its scarce resources. Notably, this puts a high degree of importance on the strength of the practices used for carrying out these reviews and on the level of comfort APRA can take from the firms’ self-reporting on the effectiveness of their processes. The assessors believe that APRA should complement this by carrying out more in-depth reviews of key internal control processes, including risk management and governance, on a periodic basis to complement the reporting from the board and senior management and increase its confidence level in key areas of controls.

Resolution planning is a work in progress, and progress is being made on the design of a regime and work with other agencies on cooperation and collaboration in the event a resolution situation for a large bank should present itself. It remains to be seen whether APRA would proactively require large banks and banking groups to take specific actions to enhance the possibility of effective resolution, or to lessen structural obstacles to resolution, should their work find any to be present. In the event such actions are required, APRA’s approach would be to work with banks to address challenges to resolution. If a material barrier to resolution is identified and the firm is unwilling to address the issue in question, APRA would consider the use of formal powers to achieve the necessary outcome.

Assessors viewed APRA’s approach as generally compliant with this Basel Core Principle in all areas except with respect to resolvability, which as noted remains a work in progress. In addition, the supervisory approach can include more in-depth reviews of key internal control processes and other risk areas, as noted in other parts of this assessment.
Principle 9: Supervisory techniques and tools. The supervisor uses an appropriate range of techniques and tools to implement the supervisory approach and deploys supervisory resources on a proportionate basis, taking into account the risk profile and systemic importance of banks.
Essential criteria
EC1: The supervisor employs an appropriate mix of onsite[25] and offsite[26] supervision to evaluate the condition of banks and banking groups, their risk profile, internal control environment and the corrective measures necessary to address supervisory concerns. The specific mix between onsite and offsite supervision may be determined by the particular conditions and circumstances of the country and the bank. The supervisor regularly assesses the quality, effectiveness, and integration of its onsite and offsite functions, and amends its approach, as needed.
Description and findings re EC1: APRA uses a mix of onsite and offsite supervisory activities to assess ADIs, with risk assessments including onsite and offsite work and internal controls assessments, where carried out, generally undertaken via onsite processes. Assessments of financial condition and inherent risks are inputs to the PAIRS risk assessment process and incorporate both on- and offsite work, including analyses provided by the Risk & Data Analytics (RDA) areas. Frontline supervisors (i.e., those with direct responsibility for specific firms) are ultimately responsible for both the on- and offsite assessments and for the supervisory action plans for the firms. Risk specialists carry out offsite analyses and participate in onsite supervisory reviews, in both firm-specific reviews and ‘thematic reviews’ across groups of firms. Analysts in the Risk & Data Analytics Division carry out firm-specific and cross-firm monitoring and analysis which are provided to frontline supervisors, along with tools they themselves can use for analytical purposes, to inform their assessments.

The level of supervisory intensity and the key areas of focus are driven by the PAIRS assessment and the SOARS ‘stance’ that results. Focus is driven by the assessments of key drivers of risk to the firm, and supervisors’ views on the adequacy of related risk management and control practices, and intensity is specifically driven by the ‘impact’ assessment in PAIRS, with those firms determined to have the potentially greatest impact receiving the highest level of intensity and the greatest commitment of resources, all other things being equal.

On one end of the spectrum, a firm with a ‘low’ impact rating may only be subject to certain reviews once every three years and at the other end a firm with an ‘extreme’ rating may be subject to them on an annual basis. The major banks clearly receive the greatest level of attention.

In putting together SAPs, supervisors are required to prioritize risks for each firm and outline their plans for the best way to address them. Supervisors are expected to update their PAIRS assessments and SAPs after the completion of each significant onsite or offsite supervisory activity, if warranted.

To ensure a minimum of regular periodic coverage of all ADIs, APRA requires supervisors to undertake an annual ‘baseline’ level of review and assessment for all ADIs and then to build supervision activities stemming from risk assessment work on top of that based on the specific activities and associated risks at the firms and on the PAIRS assessments and SOARS stances for the firms (as noted above).

Baseline activities include analysis of financial condition and operating performance (generally quarterly), prudential reviews, ‘prudential consultations’ (i.e., formal meetings with senior representatives from the firms, including the board of directors), analysis of data and information contained in reports the firms are required to submit to APRA on a regular basis (see BCP 10) and contact with home country regulators for foreign banking organizations, with the minimum frequency for these activities varied by the entity’s PAIRS impact rating—i.e., whether deemed Low, Medium, High, or Extreme.

Onsite activities include:
  • i. Prudential reviews—firm-specific onsite work to assess inherent risks and associated risk management and controls around those;

  • ii. Thematic reviews—onsite reviews (and/or offsite work) to assess specific risks and control practices across a group of firms;

  • iii. ‘prudential consultations’—formal meetings with firms’ senior management and boards of directors;

  • iv. Meetings with a firm’s external auditor; and

  • v. Less formal assessments carried out through meetings and discussions with the firms.

Offsite activities include:
  • i. Periodic analysis of prudential reports submitted by the firms. These include a mix of monthly, quarterly and annual reports. The reports analyzed include data submissions required of the firms and ADIs’ strategic plans, ICAAP reports and internal financial projections.

  • ii. Analyses of information provided for a proposal that is required to be approved by APRA—e.g., a filing for an acquisition.

  • iii. Analyses of publicly-available information, including analyst reports and market data.

  • iv. Meetings with foreign supervisors of foreign banks operating in APRA’s jurisdiction.

Quality Assessment

The Supervision Framework Team (SFT) is responsible for updating the supervision framework. The overall responsibility for assessing the effectiveness and improving the quality and consistency of the use of the framework occurs at three main levels: APRA management; the Supervision Framework Team; and Internal Audit.

In addition, APRA now has a Quality Assurance function that provides independent assurance that material risks are being identified and assessed and that supervisory actions are proportionate. Recommended improvements to the supervision framework could arise from the quality assessment process and be considered by the SFT and the SRC.
EC2: The supervisor has a coherent process for planning and executing onsite and offsite activities. There are policies and processes to ensure that such activities are conducted on a thorough and consistent basis with clear responsibilities, objectives and outputs, and that there is effective coordination and information sharing between the onsite and offsite functions.
Description and findings re EC2: The SAP, APRA’s supervisory planning document, includes plans for both onsite and offsite supervisory work. The ‘frontline supervisors’ are responsible for integrating all onsite and offsite work into one overall assessment and plan. There is no meaningful distinction between work done by onsite and offsite supervisors with respect to supervisory planning, though offsite analyses are clearly incorporated.

Supporting materials for APRA’s supervision framework include policies, procedures, guidance, and other supporting documents, covering all core supervision activities. Detailed procedures and associated guidance are available to assist supervisors with prudential reviews. The procedures outline the necessary steps to conduct a review with associated guidance on what the supervisors should consider as a part of their reviews.

Consistency is promoted through a variety of processes. The written assessments from onsite and offsite reviews, PAIRS assessments and SAPs are all subject to management review and sign-off requirements, with a higher level of sign-off required for larger entities or those with the greatest potential impact, entities with identified problems or when the assessment leads to a change in the PAIRS rating. Monthly reports of the PAIRS ratings are sent to APRA’s Executive Board, including data on the ratings and details of movements in ratings across the portfolio of ADIs. The SAPs for peer groups of ADIs are presented to the Executive Board on a periodic basis, providing for management oversight of supervisory work. IMF assessors reviewed the minutes of an Executive Board meeting where SAPs for a group of banks were discussed at length.

APRA uses benchmarking exercises to promote consistency of PAIRS ratings and supervisory actions planned in SAPs. The benchmarking exercises look across groups of similar banks and include the supervisory teams supporting their decisions regarding PAIRS ratings and in their development of SAPs. The meetings are usually facilitated by the Supervisory Framework Team (SFT), with some performed by the frontline divisions, with the intent to provide a forum to review common issues across firms, to identify outlier firms and to promote consistency of decisions, ratings and actions across like institutions. Discussions with frontline supervisors indicate some revisions to inherent risk PAIRS sub component assessments based on benchmarking discussions.
EC3: The supervisor uses a variety of information to regularly review and assess the safety and soundness of banks, the evaluation of material risks, and the identification of necessary corrective actions and supervisory actions. This includes information, such as prudential reports, statistical returns, information on a bank’s related entities, and publicly available information. The supervisor determines that information provided by banks is reliable[27] and obtains, as necessary, additional information on the banks and their related entities.
Description and findings re EC3: Supervisors use the following to review and assess the risk profile of banks:
  • Various reports are submitted to APRA on a monthly, quarterly, semi-annual and annual basis. These cover a range of topics, including capital, liquidity, asset quality, and loan loss provisions, statements of financial condition, statements of financial performance, reports on large exposures, and exposures to related parties.

  • APRA receives firms’ ICAAPs, risk appetite statements, business strategies, and detailed information received as part of onsite reviews, consultations, thematic reviews, and periodic meetings with representatives of an ADI;

  • reports from an ADI’s external auditor;

  • publicly available information such as annual reports;

  • detailed group structure, regulatory capital reconciliation, leverage ratios and credit risk exposures in the various Basel categories;

  • market information from banks’ public reports on performance, other public announcements (for example, restructures, mergers), broker reports, rating agency information; and

  • additional information in times of stress, such as daily liquidity reporting.

Reliability of information provided by ADIs:

APRA uses validation rules in its data collection system to validate that the data submitted by reporting entities is internally consistent. ADIs are expected to correct reporting errors identified by the validation rules. APRA’s data quality policy describes the procedures, the roles and responsibilities of parties involved and outlines the steps required to ensure that anomalies in collected data are not errors and are explained in time to meet the required deadlines for the reports. This includes the process for adding validation checks to forms submitted by ADIs and internal checks by APRA’s data analytics function.

As required by APS 310, banks’ external auditors must provide assurance regarding the reliability of the data provided to APRA. APRA may also choose to commission a review on the accuracy of information provided or have the bank carry out a targeted review by external experts.
EC4: The supervisor uses a variety of tools to regularly review and assess the safety and soundness of banks and the banking system, such as:
  • (a) analysis of financial statements and accounts;

  • (b) business model analysis;

  • (c) horizontal peer reviews;

  • (d) review of the outcome of stress tests undertaken by the bank; and

  • (e) analysis of corporate governance, including risk management and internal control systems.

The supervisor communicates its findings to the bank as appropriate and requires the bank to take action to mitigate any particular vulnerabilities that have the potential to affect its safety and soundness. The supervisor uses its analysis to determine follow-up work required, if any.
Description and findings re EC4: APRA uses a variety of analyses and reviews in the development of its PAIRS and SOARS assessments—which as noted above contribute to the creation of the SAP—including analyses of financial statements, developing risks, business models, and the use of both firm-specific prudential reviews and horizontal (‘thematic’) reviews across groups of firms.

APRA reviews stress testing practices and outcomes in the context of ICAAP assessments and assessments of firms’ results when running the APRA-coordinated industry stress tests. This has not been a recent area of strong focus by APRA, as noted elsewhere in this assessment.

APRA communicates its assessments to the firms in writing via letters to management and/or the board of directors and through discussions with senior management and members of the board. These communications will include the suggestions, recommendations and requirements for follow-up actions to be taken by the firm if it is determined that there is a weakness in the firm’s practices. ADIs are required to respond in writing within a specified period of time explaining the actions they will take to address the issues. Supervisory follow-up on mitigating actions taken by the firms is carried out as part of the ongoing supervision of an ADI. In some cases, APRA requires internal audit to weigh in on the effectiveness of the mitigation before it would close an open item requiring action.
EC5: The supervisor, in conjunction with other relevant authorities, seeks to identify, assess and mitigate any emerging risks across banks and to the banking system as a whole, potentially including conducting supervisory stress tests (on individual banks or system-wide). The supervisor communicates its findings as appropriate to either banks or the industry and requires banks to take action to mitigate any particular vulnerabilities that have the potential to affect the stability of the banking system, where appropriate. The supervisor uses its analysis to determine follow-up work required, if any.
Description and findings re EC5: APRA conducts a range of offsite and onsite activities that assist in identifying, assessing and mitigating emerging risks to a specific entity and the financial system. As discussed earlier, APRA monitors ADIs’ risks as part of its regular on- and offsite supervision processes. Specific areas include credit risk, liquidity, market risk, capital, and financial performance. The outcomes of this monitoring are direct inputs into PAIRS, which requires supervisors to assess the risks to which an institution is exposed, the risk management and controls to mitigate those risks, and the capital support available to absorb losses relative to a firm’s risk profile. The status of risks across the industry is monitored and discussed by the ADI Industry Group, which includes senior APRA staff and management.

Specifically, APRA monitors credit growth at individual firms and across the industry; undertakes surveys on credit conditions and lending standards; and monitors asset quality metrics, credit concentrations, including large exposures, exposures to related parties, and exposures to the housing market.

Under the LCR regime, APRA collects and analyses data on liquidity. Annual thematic reviews covering liquidity risk elements are conducted as part of the RBA’s Committed Liquidity Facility application process.

APRA also monitors funding profiles, including the build-up of short term wholesale funding. APRA conducted a thematic review of the liquidity risk profiles and practices of major ADIs in 2016–2017.

APRA coordinates banking industry stress tests and uses the results to make quantitative assessments of the resilience of selected ADIs when subject to stress under common severe but plausible scenarios; assess ADIs’ stress testing capabilities and provide recommendations for improvement where needed; and support APRA’s ongoing identification of current and emerging risks. Assessors did not observe in-depth supervisory work assessing the firms’ capacity to carry out well-controlled stress testing exercises.

APRA and the RBA have meetings to discuss risk issues in the industry both on an ad hoc basis and as part of their participation in CFR working groups. The CFR includes the major supervisors for financial services and the RBA, and where specific areas of risk may be of concern with respect to financial stability, CFR participants would discuss them as part of their regular meetings. The CFR has a number of Working Groups, including on cyber security, housing market risks, OTC derivatives, and FMI crisis management. APRA has bilateral liaison meetings with the RBA, Treasury and ASIC, where key industry developments and risks can be discussed.
EC6: The supervisor evaluates the work of the bank’s internal audit function, and determines whether, and to what extent, it may rely on the internal auditors’ work to identify areas of potential risk.
Description and findings re EC6: APRA supervisors include an assessment of internal audit’s capacity and stature as part of the risk governance review process in PAIRS. These assessments are expected to look at the structure and resources of the internal audit function, independence of internal audit, oversight by the board’s audit committee, the approach used by internal audit, its audit plans and the reporting of internal audit findings to the audit committee and others. Supervisors also review internal audit findings and meet with internal auditors as part of prudential reviews into specific risk categories (e.g., market, credit or operational risk). While APRA may use audit findings as part of developing assessments of inherent risk and associated risk management and controls (part of the PAIRS process and prudential reviews), it relies primarily on its supervisory reviews and reporting/attestations from the board and management to develop its assessments, not on the work of internal audit functions.

Discussions with APRA staff indicated that there has not been significant recent focus on reviewing the internal audit functions comprehensively at the major firms, including in the context of their role in firm governance, and that reliance on the work of internal audit is not a major part of their approach.

See CP 26 on Internal Audit for more details.
EC7: The supervisor maintains sufficiently frequent contacts as appropriate with the bank’s Board, non-executive Board members and senior and middle management (including heads of individual business units and control functions) to develop an understanding of and assess matters such as strategy, group structure, corporate governance, performance, capital adequacy, liquidity, asset quality, risk management systems and internal controls. Where necessary, the supervisor challenges the bank’s Board and senior management on the assumptions made in setting strategies and business models.
Description and findings re EC7: APRA meets regularly with ADI representatives during regular ongoing supervision processes, which provide for contact with management and discussions of corporate governance, financial performance, capital adequacy, liquidity, asset quality, risk management systems and internal controls. Further interactions with management and directors take place as a part of specific prudential reviews, prudential consultations and other meetings with management (and where needed board members) to discuss high level issues. Supervisors meet with the audit committee and the board at least once a year.
  • Prudential reviews typically involve meeting with a wide range of banking staff and senior management, including business line management, risk and compliance staff, internal audit, and back-office staff.

  • Prudential consultations are high level meetings with senior personnel, including directors and senior management, to discuss strategy and key risks/ issues. These typically happen once a year at the largest firms.

Prudential issues arising from onsite or offsite activities are communicated in writing and face-to-face meetings, including closing meetings at the end of a prudential review. Where APRA considers it necessary, issues will also be raised in a meeting with a bank’s board.

The PAIRS assessment includes an assessment of risk governance, capital, liquidity, asset quality, performance, key risks and associated risk management systems, and internal controls.

Strategy and Planning is one of the areas that is required to be assessed in PAIRS. Supervisors will assess the firm’s strategy and related assumptions as part of carrying out the annual PAIRS assessments.

As a part of the PAIRS assessments, supervisors are specifically required to consider at least annually whether their assessment of the board and senior management needs to be changed. These assessments focus largely on issues such as the structure of the board and fit and proper-related issues. Assessments of the responsibilities of these parties with respect to risk and control issues are embedded in the ‘risk governance’ assessment. APRA supervisors stated that weaknesses in these areas would inform their view of the effectiveness of board and senior management. However, this could not be directly observed in board and management ratings through a review of the PAIRS process.

IMF assessors observed that the assessment of the board and senior management with respect to their responsibilities over risk management and internal controls processes is embedded in the risk governance assessment in a way that may lead to a lack of a clear assessment and communication to the firms about the effectiveness of the board and senior management.
EC8: The supervisor communicates to the bank the findings of its on- and offsite supervisory analyses in a timely manner by means of written reports or through discussions or meetings with the bank’s management. The supervisor meets with the bank’s senior management and the Board to discuss the results of supervisory examinations and the external audits, as appropriate. The supervisor also meets separately with the bank’s independent Board members, as necessary.
Description and findings re EC8: APRA’s supervisors are required to send a letter outlining review findings and required remedial actions following an onsite prudential review. The letter also includes the bank’s updated PAIRS rating and SOARS stance. The letter is sent to the Chief Executive Officer or Chair of the Board, depending on the nature of the findings. Generally, an assessment resulting in a ‘requirement’ would go to the board chair and ‘suggestions’ and ‘recommendations’ would go to senior management, with recommendations expected to be tabled at board meetings. APRA supervisors stated to IMF assessors that they review board meeting minutes to make sure this occurs. A similar process is followed with respect to the outcome of a prudential consultation. A closing meeting is expected to be held at the conclusion of onsite reviews to provide an opportunity for APRA to discuss its findings with bank management. If material concerns are identified through offsite analyses, these will be raised with the relevant bank management and, if warranted, a letter is sent to the CEO or Board similar to that for an onsite review.

There is no specific requirement to meet with independent directors. For the larger firms, APRA has a standard practice of meeting with the board chairs annually—that is, the chair of the bank’s board, the chair of the audit committee and the chair of the risk committee.
EC9: The supervisor undertakes appropriate and timely follow-up to check that banks have addressed supervisory concerns or implemented requirements communicated to them. This includes early escalation to the appropriate level of the supervisory authority and to the bank’s Board if action points are not addressed in an adequate or timely manner.
Description and findings re EC9: Issues requiring corrective actions that are identified during APRA reviews are classified under four distinct categories—‘requirement;’ ‘request for further information;’ ‘recommendation;’ and ‘suggestion.’ Areas in need of corrective actions, and the categorization of the severity of the issues, are communicated to firms at the close out of reviews and via a written report.

Requirement

The institution must undertake specific action to address the associated matter. Letters outlining the issues from reviews that lead to ‘requirements’ are sent to the chair of the board of directors. Matters resulting in a ‘Requirement’ will generally relate to either the institution’s failure to comply with legislation or Prudential Standards, or a fundamental deficiency in the entity’s risk management and/or governance practices.

Request for additional information

If an action is classified as a ‘Request for Additional Information,’ the entity is required to provide that information within the specified timeframe. Matters resulting in a ‘Request for Additional Information’ will generally be areas where information was either absent, incomplete, or inconclusive during the review period. A failure by the entity to respond to a ‘Request for Additional Information’ may result in APRA, without further notice, issuing formal notices requiring the production of information or documents. APRA has the authority to require any information from a firm that it deems necessary for its role as the prudential supervisor. APRA supervisors stated to the IMF assessors that in practice it is extremely rare to have to take a formal action to get the information they request.

Recommendation

In the case of a ‘Recommendation,’ the institution is expected to formally consider implementation of what is being recommended. Recommendations are sent in writing to the CEO and are expected to be tabled at board meetings. Matters resulting in a ‘Recommendation’ will usually relate to areas of risk management and/or governance that, while not fundamentally deficient, could be improved. A general failure by the entity to implement ‘Recommendations’ may result in a higher risk rating being assigned and, potentially, APRA exercising its formal powers such as issuing a direction for a firm to take specified actions.

APRA supervisors in discussions with IMF assessors advised that the firms should have a very strong reason to not address a recommendation. In cases where APRA believes a process must be fixed, articulating that as a ‘requirement’ would provide for a clearer understanding of the urgency with which the firm should address it.

Suggestion

If an action is classified as a ‘Suggestion,’ this represents the opportunity for the entity to move towards better practice. Subsequent follow-up action in relation to suggestions is usually performed in the context of better practice considerations and does not involve timeframes for implementation. APRA supervisors noted that in practice the use of suggestions is not widespread for the major banks.

Review reports that are sent to the institutions are stored in APRA’s electronic Information Management (IM) system. ‘Requirements’ and ‘requests for further information’ are housed in the Activity and Issues Management System (AIMS) for internal tracking purposes. In 2018, AIMS will be replaced by the ‘Supervision System Q’ where all issues arising from supervision activities will be housed and monitored.

Responses to review reports are requested from institutions within 20 business days of issuing the report. Frontline supervisors are responsible for assessing the response to the report including the implementation of corrective actions. This assessment involves determining whether further follow up action is required, including validation that corrective actions have been implemented and possible changes to the SAP to reflect the current state of the issues in the context of planned supervisory work.
EC10: The supervisor requires banks to notify it in advance of any substantive changes in their activities, structure and overall condition, or as soon as they become aware of any material adverse developments, including breach of legal or prudential requirements.
Description and findings re EC10: Under the standards of CPS 220, APRA-regulated institutions are required to notify APRA no more than 10 business days after becoming aware (i) of a significant breach of, or material deviation from, the risk management framework of the institution; (ii) that its risk management framework does not adequately address a material risk; and (iii) of any material or prospective material changes to the size, business mix, and complexity of the institution. In addition, ADIs must notify APRA of any major disruptions that have the potential to have a material impact on their risk profile or affect their financial soundness (CPS 232).

Under APS 222 an ADI must also:
  • notify APRA of any material breach of the prudential limits on exposures to related entities or other specific limits imposed by APRA, including actions taken or planned to deal with the breach;

  • report to APRA in writing any equity investments that are not subject to prior consultation within three months of undertaking the investment;

In determining materiality, the institution is expected to consider factors such as the number or frequency of similar breaches, the impact the breach has on the ability to conduct business, whether the breach indicates that the institution’s arrangements for ensuring regulatory compliance might be inadequate and actual or potential financial loss to deposit holders or the institution. The onus is on the bank to notify APRA. Frontline supervisors would further discuss the needed remediation actions with the bank.

If the firm becomes aware that the firm, or group member, or the group as a whole, is not in a sound financial position, the ADI is required to report this to APRA immediately.
EC11: The supervisor may make use of independent third parties, such as auditors, provided there is a clear and detailed mandate for the work. However, the supervisor cannot outsource its prudential responsibilities to third parties. When using third parties, the supervisor assesses whether the output can be relied upon to the degree intended and takes into consideration the biases that may influence third parties.
Description and findings re EC11: While APRA does not formally ‘rely upon’ the work of third parties, including auditors, for its prudential assessments, there are cases where such a third party’s assessment or information would be used.

APRA has the authority to appoint an external party to provide a report (‘limited assurance’) on a particular aspect of the ADI’s operations, prudential reporting, risk management systems or financial position. Supervisors would assess the output of an engagement of an external party as part of ongoing supervision activities and include the findings in the PAIRS risk assessment process, if warranted.

Under APS 310, a firm’s appointed auditor provides APRA with:
  • assurance on the quality of data collections: the auditor is required to provide ‘reasonable’ assurance for data sourced from accounting records and ‘limited’ assurance for data sourced from non-accounting records, such as data in risk management reporting;

  • limited assurance that internal controls designed to ensure compliance with prudential and reporting standards (at both the bank/level 2 banking group) were operating effectively throughout the financial year.

Similar requirements apply to data collections and internal controls on a level 3 basis.
EC12: The supervisor has an adequate information system which facilitates the processing, monitoring and analysis of prudential information. The system aids the identification of areas requiring follow-up action.
Description and findings re EC12: APRA uses several information systems to facilitate the processing, monitoring and analysis of prudential information and assist with supervisory activities, including tracking follow up items:
  • Supervision system (Q): APRA’s system used to house all PAIRS risk assessments and SAPs including underlying key risks/ issues and supervision activities;

  • AIMS: APRA’s system used to monitor and track supervisory issues and related actions (this system is planned to be decommissioned in 2018 with functionality and information migrated to Q);

  • Information management (IM) electronic document management system housing all documentation relevant to each regulated institution in entity sites for ease of access and retrieval and for record keeping purposes; and

  • A variety of dashboards, toolkits and exceptions reports to facilitate the analysis of financial data submitted to APRA by regulated institutions.

Assessors reviewed detailed reports used for tracking when issues are communicated to the firm and when they are signed off as having been addressed.
Additional criteria
AC1: The supervisor has a framework for periodic independent review, for example by an internal audit function or third-party assessor, of the adequacy and effectiveness of the range of its available supervisory tools and their use, and makes changes as appropriate.
Description and findings re AC1: APRA’s review framework includes a variety of practices and participants, detailed below.

Quality Assurance

APRA’s Quality Assurance (QA) team is part of APRA’s Enterprise Performance Division and plays a key role on behalf of the APRA board in providing independent assurance that material risks are being identified and assessed and that supervisory actions are proportionate. Recommended improvements to the supervision framework could arise from the QA process and be considered by the SRC.

Internal Audit

APRA’s Internal Audit evaluates the effectiveness of risk management, control and governance processes within APRA. Internal Audit operates independently to other business units and has no direct authority or responsibility for the activities it reviews. The Chief Internal Auditor has a direct reporting line to the APRA Member and has direct access to the Chair of the Audit Committee and Executive Board. Internal audit work can give rise to recommendations to improve the supervision framework for consideration by the SFT and SRC.

External audit

APRA is subject to ANAO audits, the scope of which could focus on the effectiveness of APRA’s prudential supervision of regulated entities.

Risk Management Committee

APRA’s Risk Management Committee provides independent assurance and advice to the APRA Chair on APRA’s risk management and quality assurance.

Other review processes

An external review of APRA’s supervisory framework was conducted in 2014/2015 by a panel of international experts.

APRA conducts internal reviews of its supervisory practices periodically to ensure they remain up to date and in line with international supervisory best practices. To this end the supervision framework team (SFT) did a review of international supervisory practices in late 2017.
Assessment of Principle 9: Compliant
Comments: APRA has a good set of supervisory tools to allow for effective execution of their supervisory activities. The risk assessment processes used to inform PAIRS and supervisory planning efforts include a combination of the knowledge of the frontline supervisors with offsite analyses that allows for a good understanding of firm-specific and industry developments and provides a good base for supervisors’ risk-focusing efforts. In addition, practices for planning and executing supervisory reviews are strong, with a substantial amount of information gathered and reviewed prior to onsite visits so the supervisors can focus in on the key areas of review and discussion during what are generally fairly short periods of time spent onsite (3–5 days).

Assessors observed that written communications with the firms are clearly articulated through the use of ‘exception-based’ letters that highlight the weaknesses and concerns identified through the review and communicate expectations around the areas that should be addressed. Additionally, the supervisor engages in relatively frequent discussions with the firms at all levels up to and including the chair of APRA meeting with directors. The assessors’ conversations with the banks indicated that they are usually comfortable with the clarity of the issues raised and generally have a good understanding of what is expected of them.

The PAIRS rating process covers the full spectrum of areas one would expect to see assessed, and was well supported by guidance for the supervisors in carrying out the assessments. However, assessors felt that the process of rolling all the assessments up through a quantitative calculation process into one overarching rating may lead to obscuring the importance of underlying issues captured in the various assessment segments. APRA should review the PAIRS process and determine if it remains appropriate and well calibrated for their current supervision program, which has evolved significantly since the introduction of the PAIRS. APRA noted that a refresh of the PAIRS model in 2018/19 is to occur as agreed in principle at an SRC meeting in April 2018. APRA also noted that the formula supporting PAIRS ensures that where one risk category is rated poorly, the overall score remains poor.

In particular, assessments of the effectiveness of the board and senior management with respect to their responsibilities for risk management and controls are captured in the ‘risk governance’ rating. If broader changes to PAIRS are not attempted, APRA should consider basing the specific PAIRS assessments of the board and management on all of their responsibilities, rather than capturing the risk management and internal controls-related assessments under risk governance.

While APRA’s supervisors can get an indication of the effectiveness of the board and management with respect to risk management and controls through their discussions and prudential reviews on specific risk or control areas, they rely significantly on the annual and triennial reports from the firms (usually conducted by external parties) to inform a view on the firm-wide risk management and controls framework and the declaration provided regarding the effectiveness of the processes the board and management use for ensuring compliance with prudential standards.

In addition, the current relatively low weightings of the ratings of the board and senior management as inputs into the overall rating appear out of line with a supervision approach that places a very high degree of emphasis on the roles of the board and management.
Principle 10: Supervisory reporting. The supervisor collects, reviews and analyses prudential reports and statistical returns28 from banks on both a solo and a consolidated basis, and independently verifies these reports through either onsite examinations or use of external experts.
Essential criteria
EC1: The supervisor has the power29 to require banks to submit information, on both a solo and a consolidated basis, on their financial condition, performance, and risks, on demand and at regular intervals. These reports provide information such as on- and off-balance sheet assets and liabilities, profit and loss, capital adequacy, liquidity, large exposures, risk concentrations (including by economic sector, geography and currency), asset quality, loan loss provisioning, related party transactions, interest rate risk, and market risk.
Description and findings re EC1: As per section 62 of the Banking Act and Section 13 of the Financial Sector Collection of Data Act, APRA has the authority to collect any information from banks (and holding companies for banking groups) that it finds necessary to carry out its statutory responsibilities. Section 13 requires APRA to define the reporting standards for banks. Reporting standards require a broad spectrum of information to be reported on a monthly, quarterly, semiannual or annual basis. Reporting requirements may be on both a stand-alone bank or consolidated basis. Specific periodic reports required by APRA include:
  • financial position and performance;

  • on- and off-balance sheet assets and liabilities;

  • capital adequacy (standardized and advanced measurement methodologies);

  • large exposures from both on-balance sheet and off-balance sheet items;

  • international exposures consistent with Australia’s obligation to the Bank for International Settlements (BIS) to provide aggregate international banking statistics;

  • asset quality including impaired assets and past due but ‘well secured’ facilities;

  • loan loss provisioning incorporating details of movements over time and including information on bad debts written off or recovered;

  • exposures to related entities;

  • asset risk concentrations focusing on different forms of financing arrangements (commercial, leasing, housing or personal);

  • interest rate risk including a repricing analysis completed by all banks;

  • market risk including interest rate risk, equity position risk, foreign exchange risk and commodities risk;

  • liquidity;

  • operational risk losses; and

  • responsible persons (fit & proper).

EC2: The supervisor provides reporting instructions that clearly describe the accounting standards to be used in preparing supervisory reports. Such standards are based on accounting principles and rules that are widely accepted internationally.
Description and findings re EC2: Reporting standards and the instructions accompanying the reporting forms specify the information that APRA requires, the form in which it is to be presented and the accounting standards under which the information is to be prepared. Australian Accounting Standards are based on International Financial Reporting Standards (IFRS) and were adopted in January 2005.

APRA’s reporting standards are in line with Australian Accounting Standards except where there may be sound prudential reasons to require different standards. For example, under APS 220 covering Credit Quality a bank may take an additional amount of provisions as a General Reserve for Credit Losses. This is considered by APRA to be a more conservative treatment than required under Australian Accounting Standards. The General Reserve for Credit Losses item is calculated based on prudential requirements contained in APS 220.
EC3: The supervisor requires banks to have sound governance structures and control processes for methodologies that produce valuations. The measurement of fair values maximizes the use of relevant and reliable inputs and is consistently applied for risk management and reporting purposes. The valuation framework and control procedures are subject to adequate independent validation and verification, either internally or by an external expert. The supervisor assesses whether the valuation used for regulatory purposes is reliable and prudent. Where the supervisor determines that valuations are not sufficiently prudent, the supervisor requires the bank to make adjustments to its reporting for capital adequacy or regulatory reporting purposes.
Description and findings re EC3: APS 111 – Capital Adequacy: Measurement of Capital, APS 112 – Capital Adequacy: Standardized approach to credit risk, and APS 113 – Capital Adequacy: Internal Ratings based approach to Credit risk all provide principles and detailed instructions for asset valuation practices. Additionally, APS 220 provides requirements for valuation of collateral for provisioning purposes and capital and prudential standard APS 116 – Capital Adequacy: Market Risk, provides requirements for valuation methodology for trading book exposures.

Banks are required to have effective governance structures for the production, assignment, verification and oversight of the valuation of financial instruments, and to have valuations captured in risk management systems. Valuations are also required to be reliable, and banks must test and review the performance of valuations and ensure adequate internal audit review of the implementation of policies and procedures for producing fair values. APS 111 also requires independent price valuations to be performed at regular intervals so that market processes or model inputs used in valuation processes are verified for accuracy.

APRA defines valuation standards to be used in its reporting requirements. Valuation requirements are generally consistent with requirements outlined in Australian Accounting Standards, under which financial assets and liabilities can be measured using ‘fair value’, ‘cost’ or ‘amortized cost’. APRA requires banks to classify and report assets and liabilities using standard Level 1, Level 2, Level 3 fair value definitions.

APRA monitors valuations with a focus on understanding the drivers of volatility. Excessive amounts of assets with values derived from Level 3 inputs and unexplainable transfers between classifications are investigated by frontline supervisors with the assistance of the Accounting team. APRA’s Accounting team also conducts offsite accounting risk reviews, where any fair values that may affect capital are scrutinized.

APRA supervisors may undertake work on the valuation framework and methodologies of supervised institutions during onsite reviews. If APRA is not satisfied with valuation methodologies, it can make Pillar 2 capital adjustments.

APS 310 requires the external auditor to provide ‘reasonable’ and ‘limited’ assurance that statistical and financial data, which includes asset valuation, provided to APRA are reliable, that there are control policies and procedures in place designed to address compliance with prudential requirements, to provide reliable data and that prudential and reporting standards and other statutory banking requirements have been satisfied. Reasonable assurance is provided for reporting that is directly tied back to audited financial statements and limited assurance is provided for data that does not tie directly back to audited statements.
EC4: The supervisor collects and analyses information from banks at a frequency commensurate with the nature of the information requested, and the risk profile and systemic importance of the bank.
Description and findings re EC4: APRA collects extensive data on monthly, quarterly, semi-annual, and annual bases, with quarterly reporting for a broad spectrum of data/information. APRA takes into account the nature, scale and complexity of institutions when determining data reporting requirements. For example, reporting frequencies and requirements differ based on asset size across domestic banks, foreign bank subsidiaries, foreign bank branches, building societies and credit unions, with the balance sheet threshold for greater levels of required reporting generally being A$50 billion of assets.

The major banks are all required to submit data across the entire set of ADI reporting. APRA can and does reduce the data required to be submitted by smaller ADIs reflecting their lower scale and complexity—specific examples include Pillar 3 disclosures, leverage ratio requirements and liquidity requirements.

APRA serves as the national gatherer of statistical data and its reporting requirements consequently include the data needs of the RBA and Australian Bureau of Statistics (ABS).
EC5: In order to make meaningful comparisons between banks and banking groups, the supervisor collects data from all banks and all relevant entities covered by consolidated supervision on a comparable basis and related to the same dates (stock data) and periods (flow data).
Description and findings re EC5: Data collected by APRA from banks and banking groups is in a standardized form and is required to be submitted for specified periods as per the reporting standards and instructions. Standard data is collected on both a stand-alone ADI and consolidated basis, where there is a Level 2 banking group. Comparable firms’ required data are reported for the same dates and periods.

In addition, APRA uses ad hoc data collections to gather information as needed on a variety of topics, including data related to risk exposures and portfolio characteristics across firms. Ad hoc requests serve a useful purpose for supervisors in the assessment of risks at firms and across the industry. With the rapid evolution of the financial services industry it is not possible for required prudential reporting to cover all of a supervisor’s evolving data needs and the authority to gather data as needed is critical. However, ad hoc data is not subject to formal processes or expectations around data quality and review akin to formal data collections under FSCODA.
EC6: The supervisor has the power to request and receive any relevant information from banks, as well as any entities in the wider group, irrespective of their activities, where the supervisor believes that it is material to the condition of the bank or banking group, or to the assessment of the risks of the bank or banking group or is needed to support resolution planning. This includes internal management information.
Description and findings re EC6: As noted above, Section 62 of the Banking Act gives APRA the authority to obtain data and other information from banks or authorized non-operating holding companies (NOHCs), or the group of which the bank or NOHC is a member.

A bank may be required to provide information on itself or relative to any member of a relevant group within the corporate family of which the ADI is a member. When deemed necessary, APRA can request additional data from entities that is not set out in a reporting standard and is outside of routine collections—e.g., daily liquidity reporting.

Through written notice APRA can change the frequency of reporting requirement periods for a particular bank to require it to provide reported information more or less frequently.

APRA’s normal supervision processes include the right to access and the use of an institution’s internal management information reports.
EC7: The supervisor has the power to access[30] all bank records for the furtherance of supervisory work. The supervisor also has similar access to the bank’s Board, management and staff, when required.
Description and findings re EC7: Section 62 of the Banking Act authorizes APRA to have full access to all bank records.

APRA can request information from all relevant officers (directors, management, and staff) as needed.

Under Section 16B of the Banking Act, APRA is authorized to require an auditor of a bank to provide information—or produce books, accounts or documents—about a bank that APRA believes will be of assistance in performing prudential supervision.

CPS 510 requires members of the board of directors and senior management to be available to meet with APRA on request.
EC8: The supervisor has a means of enforcing compliance with the requirement that the information be submitted on a timely and accurate basis. The supervisor determines the appropriate level of the bank’s senior management is responsible for the accuracy of supervisory returns, imposes sanctions for misreporting and persistent errors, and requires that inaccurate information be amended.
Description and findings re EC8: APRA’s reporting standards require the submission of data for specified reporting periods and timeframes. Failure to meet the requirements of a reporting standard can result in a criminal sanction.

Section 14 of Financial Sector Collection of Data Act (FSCODA) requires the Principal Executive Officer of a bank to notify the Board of the bank, as soon as practicable, if there has been a failure to meet a reporting requirement. Failure or refusal to notify the Board is an offence under the Act.

APRA requires inaccurate information to be resubmitted by institutions. If APRA considers a reporting document to be incorrect, incomplete, or misleading, or if it otherwise does not comply with an applicable reporting standard or does not contain adequate information, APRA may issue a written notice requesting the firm to give APRA a written explanation or specific information as specified in the written notice. Should the firm fail to provide an adequate response to the notice (including failure to provide correct or complete information), APRA may then issue a written ‘direction’ for the institution to rectify any problems or for the institution to give it the required information. Failure to comply with a direction is a criminal offence. (FSCODA)

The responsibility to ensure that policies and procedures are in place for the submission of data to APRA rests with the Board and senior management of an institution. APRA may assess the adequacy and appropriateness of such policies and procedures as part of routine supervisory activities.
EC9: The supervisor utilizes policies and procedures to determine the validity and integrity of supervisory information. This includes a program for the periodic verification of supervisory returns by means either of the supervisor’s own staff or of external experts.[31]
Description and findings re EC9: APS 310 requires banks to ensure that external auditors report to APRA annually on the reliability of data submitted to APRA. In the case of certain reports that a bank must submit to APRA, the bank’s external auditor must provide ‘reasonable’ or ‘limited’ assurance that the information in those reports is reliable and in accordance with prudential and reporting standards. Specifically, ‘reasonable’ assurance applies to items that can be directly reconciled back to audited financial reports or the general ledger.

APRA has three primary ways in which it seeks to ensure the integrity of reported data:
  i. validation rules within D2A to validate data prior to the submission of data by reporting entities.

  ii. post submission reviews to identify potential errors, inconsistencies and/or where further information may be useful to data users—for example, where there are large variations from prior periods. Entities are expected to promptly explain, or correct, identified issues with the data.

  iii. Quarterly Financial Analysis (QFA) during which supervisors routinely analyze information submitted via D2A for inaccuracies or non-compliance with reporting requirements.

EC10: The supervisor clearly defines and documents the roles and responsibilities of external experts,[32] including the scope of the work, when they are appointed to conduct supervisory tasks. The supervisor assesses the suitability of experts for the designated task(s) and the quality of the work and takes into consideration conflicts of interest that could influence the output/recommendations by external experts. External experts may be utilized for routine validation or to examine specific aspects of banks’ operations.
Description and findings re EC10: The primary external party engaged in work used by APRA is the ‘appointed’ (external) auditor. APS 310—Audit and Related Matters—defines the responsibilities of ‘appointed’ auditors, which engage in two types of relevant work with respect to APRA, ‘routine’ and ‘special purpose’ engagements.

Routine engagements are intended to provide reasonable or limited assurance on statistical and financial data provided to APRA; limited assurance that there are control policies and procedures in place designed to address compliance with prudential requirements and to provide reliable data to APRA; and limited assurance that prudential and reporting standards have been complied with.

Special purpose engagements are usually targeted towards a specific area of interest for APRA. For these engagements, APRA usually specifies the scope and form of the report required from the appointed auditor. Unless otherwise specified, special purpose engagements are prepared on a limited assurance basis.

APRA prudential standard APS 310 on audit and related matters requires an ADI to ensure that its appointed auditor is a fit and proper person in accordance with the ADI’s fit and proper policy, satisfies the auditor independence requirements, and is not subject to a direction issued under the Banking Act.

APRA prudential standard CPS 510 on governance requires an APRA-regulated institution to obtain a declaration from the auditor to the effect that:
  • the auditor is independent, both in appearance and in fact;

  • the auditor has no conflict of interest situation; and

  • there is nothing to the auditor’s knowledge (either in relation to the individual auditor or any audit firm or audit company of which the auditor is a member or director) that could compromise that independence.

To assess the suitability of appointed auditors, APRA checks whether ADIs have complied with the above rules in its prudential standards. For auditors appointed directly by APRA to perform special purpose engagements, it is expected that APRA follows the same rules above to ensure the suitability of the appointed auditors or experts.

APRA meets periodically with appointed external auditors, either individually or as a group, and provides feedback on their reports and discusses relevant issues of interest to both parties. These meetings may include discussions of challenges facing the banks and/or clarification of APRA’s expectations.

External experts

In addition to appointed auditors, APRA may directly engage other external experts to advise on specific supervisory matters. The use of other external experts is less frequent and usually used to supplement enforcement actions. These engagements are subject to internal control procedures. External experts used by APRA are usually ‘well-regarded’ firms that demonstrate the required skills and expertise for a specific scope of work.
EC11: The supervisor requires that external experts bring to its attention promptly any material shortcomings identified during the course of any work undertaken by them for supervisory purposes.
Description and findings re EC11: If an auditor has reasonable grounds for believing that a bank will or has failed to comply with the Banking Act, FSCODA, a prudential standard or the bank’s banking authority, it must write a report to APRA setting out the details of the anticipated or actual failure within 10 business days. (Section 16B of Banking Act)

Annual reports by appointed auditors must be provided to APRA and the report should highlight areas of concerns and weaknesses, as well as progress in addressing previously identified weaknesses.

When other external experts are used by APRA, any material shortcomings identified as a part of their work are expected to be promptly brought to the attention of APRA.
EC12: The supervisor has a process in place to periodically review the information collected to determine that it satisfies a supervisory need.
Description and findings re EC12: APRA will typically revise its data collection:
  1) when there is a new/revised prudential standard;

  2) in response to supervisory needs or risks observed in the domestic/international environment;

  3) to allow for the domestic application of revised international standards; when collections are outdated; or

  4) to align requirements across regulated industries where needed.

APRA has done extensive revisions and additions to required prudential reports over the past couple of years. However, APRA often uses ad hoc information requests to supplement required periodic reporting. While ad hoc data gathering can be useful and needed, APRA would be well served by expanding its required reporting. Required periodic reports allow for more consistent and thorough data gathering across firms which would support their growing analytical work.

APRA would benefit from taking stock of its expected data needs over the next five years and gather these data through required prudential reporting. Assessors recommend that APRA take stock to the best of its ability of all expected data needs, compare them against currently required reporting, and adjust required prudential reporting to support their continuing move towards the greater use of more quantitative analytical processes to identify risks to firms and across the industry.
Assessment of Principle 10: Compliant
Comments: APRA has appropriate authority to collect the data that it needs to carry out its supervisory responsibilities. Prudential and statistical reporting by the banks provide an extensive array of information on supervised firms’ risk exposures, operating performance and financial condition.

Reliability of the data APRA receives in prudential reports is addressed primarily through requiring assurances to be provided by firms’ external auditors. APRA does have its own specific processes through which it checks the data received in prudential reports for internal consistency and anomalous and unexpected movements. In addition, frontline supervisors, risk experts and analysts work regularly with data provided by the firms and provide a further check. There is particular emphasis placed on reviewing the data associated with regulatory capital calculations by firms using internal models and for measuring compliance against prudential liquidity requirements, for example.

Given APRA’s growing use of quantitative analyses and the evolution of risk measurement techniques across the industry, including processes such as the use of stress testing to review capital sufficiency, measure risks and articulate risk appetite, it is recommended that APRA take stock of current and prospective data needs relative to current required prudential reporting and adjust prudential reports as needed.

In particular, where ad hoc data requests have been used regularly to gather data on risk positions and characteristics, APRA should consider including more of those types of data in the reporting requirements it places on supervised firms.
Principle 11: Corrective and sanctioning powers of supervisors. The supervisor acts at an early stage to address unsafe and unsound practices or activities that could pose risks to banks or to the banking system. The supervisor has at its disposal an adequate range of supervisory tools to bring about timely corrective actions. This includes the ability to revoke the banking license or to recommend its revocation.
Essential criteria
EC1: The supervisor raises supervisory concerns with the bank’s management or, where appropriate, the bank’s Board, at an early stage, and requires that these concerns be addressed in a timely manner. Where the supervisor requires the bank to take significant corrective actions, these are addressed in a written document to the bank’s Board. The supervisor requires the bank to submit regular written progress reports and checks that corrective actions are completed satisfactorily. The supervisor follows through conclusively and in a timely manner on matters that are identified.
Description and findings re EC1: APRA sends a letter to ADIs after onsite prudential reviews and prudential consultations outlining the key issues that arose during the reviews and discussions, providing detail on required remediation actions, where relevant. The letter will be sent either to the CEO or the chair of the board of directors, depending on the nature and severity of the findings. A recommendation goes to the CEO while a requirement must go to the board chair. As noted above (BCP 9), APRA has four different classifications for the various actions to be taken by a firm that are communicated as a result of a prudential review—in order of severity from most to least: ‘requirement,’ ‘request for information,’ ‘recommendation,’ and ‘suggestion.’ For reviews that result in a requirement, a letter is sent both to management and the board of directors. Management has 20 days to respond with the proposed actions to address the issues and the timeline for doing so. APRA may either accept the proposal or require the firm to design an acceptable one and resubmit, with this reaction done in writing. APRA requires the firm to provide updates on progress made relative to the proposal.

Assessors noted that the majority of issues in the communications with the firms are in the ‘recommendation’ category, including actions that APRA supervisors expect the firms to take. APRA indicated that it has a well-established approach to determining the use of ‘requirements’ and ‘recommendations’ and this is determined by a range of criteria. Typically, matters relating to ‘recommendations’ will include areas of risk management and/or governance that whilst not materially deficient, could be improved. Matters resulting in a ‘requirement’ will relate to either the entity’s failure to comply with legislation or prudential standards, or a material deficiency in the entity’s risk management and/or governance practices. A general failure by the entity to act on a ‘requirement’ could well result in formal action by APRA, e.g., direction.

While there are requirements that were also used as a means of informal corrective actions, assessors noticed that some recommendations and requirements in a number of cases take a long time to be effectively addressed. Assessors believe that there is scope to enhance APRA’s approach to corrective actions by being more proactive in taking corrective actions in an early manner, and by escalating the severity of the corrective action in a quicker and more active way if the bank is not effectively cooperating. This includes escalation to use formal corrective actions, such as directions, in a more active way. Assessors note that APRA’s approach is to work with banks to address the issues in a cooperative way, keeping the formal corrective powers as a last resort, but it may be useful to review the effectiveness of this approach in addressing weaknesses and gaps and possibly increase the appetite for using such formal actions as needed.

Onsite supervisors monitor the firm during the regular course of business for progress against the remediation actions. Supervisors use the AIMS system to monitor progress against remediation plans, including the timeline. In addition, APRA may require the firm’s internal audit, risk management or compliance functions to follow up on the remediation and provide a view as to the adequacy of the solution relative to the issue raised. Finally, the external auditor may include in its annual report (under APS 310) a view as to the adequacy of the remediation efforts.

APRA management monitors internal reports on the closure/completion of supervisory issues and actions.
EC2: The supervisor has available[33] an appropriate range of supervisory tools for use when, in the supervisor’s judgment, a bank is not complying with laws, regulations or supervisory actions, is engaged in unsafe or unsound practices or in activities that could pose risks to the bank or the banking system, or when the interests of depositors are otherwise threatened.
Description and findings re EC2: APRA prefers to resolve continuing problems through traditional supervisory actions such as more frequent prudential reviews, frequent discussions with management and the board, downward revisions of supervisory ratings, and imposition of a Pillar 2 capital charge.

If an acceptable resolution is not forthcoming, it has statutory powers that allow it to:
  • appoint a person to investigate prudential matters (Section 61 of the Banking Act);

  • issue enforceable ‘directions’ to take specific actions;

  • accept an ‘enforceable undertaking’—a written undertaking by a person in connection to a matter in which APRA has a function or power. If an undertaking is breached, a court may make orders including directing compliance, directing payment of compensation or other monies;

  • remove a director or senior manager;

  • remove an auditor;

  • effect a compulsory transfer of business of a bank; and

  • revoke a license.

Under the recently passed Banking Executive Accountability Regime (‘BEAR’), APRA has been given additional powers to investigate potential breaches of the Banking Act. These allow APRA to require a specific person to appear before an investigator and provide the power to seek to impose substantial fines on banks and to more easily disqualify ‘accountable’ persons.

If the situation warrants such a response, APRA can use the resolution powers given to it under the Banking Act to take control of the bank’s business and to appoint an administrator to take control of the bank.
EC3: The supervisor has the power to act where a bank falls below established regulatory threshold requirements, including prescribed regulatory ratios or measurements. The supervisor also has the power to intervene at an early stage to require a bank to take action to prevent it from reaching its regulatory threshold requirements. The supervisor has a range of options to address such scenarios.
Description and findings re EC3: APS 110 requires the Board of a bank to ensure that the bank maintains an appropriate level and quality of capital commensurate with its risks. This includes a requirement for the bank to have an ICAAP for determining its capital needs and to maintain a minimum required level of regulatory capital. APRA supervisors monitor an ADI’s capital projections and plans to identify potential vulnerabilities.

Minimum APRA capital requirements are defined by APRA in its setting of firms’ Prudential Capital Requirement (PCR). The minimum PCR ratios are as follows: common equity tier 1 ratio of 4.5 percent; tier 1 ratio of 6.0 percent; and total capital ratio of 8.0 percent. In addition, there is a capital conservation buffer requirement of no less than 2.5 percent. The sum of the common equity tier 1 PCR plus the capital conservation buffer determined by APRA will be no less than 7.0 percent.

A bank must notify APRA if it falls below or is in danger of falling below the minimum capital requirements. It must outline the actions the bank is taking and/or plans to take to address the breach. APRA will work with a bank to ensure it takes appropriate measures to restore its capital position to acceptable levels. If a bank’s capital falls below, or is likely to fall below, its PCR, APRA has the authority to require a bank to take specific measures to recapitalize.

More broadly, the Banking Act gives APRA the power to enforce all prudential standards. Part II, Division 1BA (section 11CA) of the Banking Act gives APRA the power to issue legally binding directions to a corporation that is an ADI or an authorized NOHC under certain circumstances, including if the corporation or its subsidiary has contravened a prudential requirement regulation or a prudential standard; if there has been, or there might be, a material deterioration in the body corporate’s financial condition or its subsidiary’s financial condition; and if the body corporate or its subsidiary is conducting its affairs in an improper or financially unsound way.

APRA is currently in the process of implementing a recovery planning regime for situations where a firm’s prudential capital requirement (PCR) threshold limits are under threat of being breached, but there is no formal regime or specific authority to require a firm to begin to undertake the actions in a recovery plan. It does, however, have the power to require actions as set out in EC2 and EC 4, which is consistent with the types of actions that may be necessary in a recovery situation.

As noted in EC 2 above, when a firm is struggling to meet prudential standards APRA prefers to apply pressure through ratcheting up the supervisory intensity and oversight of the firm rather than formal corrective action. Responses would include carrying out more frequent prudential reviews, more frequent discussions with management and the board, downward revisions of supervisory ratings, and imposition of a Pillar 2 capital charge. In the event these practices do not work APRA would take more formal action based on the powers it has under the Banking Act, as discussed above in EC2 and CP1.
EC4: The supervisor has available a broad range of possible measures to address, at an early stage, such scenarios as described in essential criterion 2 above. These measures include the ability to require a bank to take timely corrective action or to impose sanctions expeditiously. In practice, the range of measures is applied in accordance with the gravity of a situation. The supervisor provides clear prudential objectives or sets out the actions to be taken, which may include restricting the current activities of the bank, imposing more stringent prudential limits and requirements, withholding approval of new activities or acquisitions, restricting or suspending payments to shareholders or share repurchases, restricting asset transfers, barring individuals from the banking sector, replacing or restricting the powers of managers, Board members or controlling owners, facilitating a takeover by or merger with a healthier institution, providing for the interim management of the bank, and revoking or recommending the revocation of the banking license.
Description and findings re EC4: In addition to the supervisory tools described above in EC2, APRA has two primary courses of action to force firms to address concerns—‘directions’ and ‘injunctions.’

Directions: if a bank is unable or unwilling to adequately address APRA’s concerns, APRA has formal powers to give ‘directions’ under the Banking Act. APRA may direct a bank to undertake specific actions. Direction powers may be applied to an ADI or an authorized NOHC, or a subsidiary of either.

Injunctions: APRA may apply to the federal court for an injunction against any person who is engaging or proposing to engage, directly or indirectly, in a contravention of the Banking Act, regulations, prudential standards, condition of authorization or a direction. The injunction may restrain or require a specific action.

Directions and injunctions can be used to carry out the following:
  • Restricting the current activities of the bank.

  • Restricting or suspending payments to shareholders or share repurchases.

  • Restricting asset transfers.

  • Withholding approval of new activities or acquisitions.

  • Replacing or restricting the powers of managers, Board members or controlling owners.

  • Barring individuals from the banking sector.

  • Enforceable Undertakings—an enforceable undertaking requires a person to do those things they have indicated they will do as set out in the enforceable undertaking. For example, not to act as a director of a bank. Failure to follow through on an enforceable undertaking may result in the court directing the person to comply with the undertaking.

  • Facilitating a takeover by or merger with a healthier institution.

  • Providing for the interim management of the bank—APRA may appoint an administrator to take control of an ADI if the bank is or is likely to become unable to meet its obligations.

  • Revoking a license.

  • Resolving the bank—APRA has resolution powers that include the power to take control of the bank’s business and to appoint an administrator to take control of the bank’s business.

Court direction of compliance with Banking Act

Where an ADI, authorized NOHC or subsidiary of an ADI or authorized NOHC is convicted of an offence under the Banking Act or regulations, the court may direct compliance by the firm within a time period specified by the court. If the firm fails to comply, the court may authorize APRA to assume control of, and to carry on the business of, the firm.
EC5: The supervisor applies sanctions not only to the bank but, when and if necessary, also to management and/or the Board, or individuals therein.
Description and findings re EC5: APRA can issue directions requiring banks to undertake certain actions or to refrain from taking certain actions (See above). Non-compliance with such a direction is an offence under the Banking Act. An officer of a bank can be guilty of the offence if the officer fails to ensure that the bank complies with the direction.

Under sections 137.1 and 137.2 of the Criminal Code Act 1995, a person is guilty of an offence punishable on conviction by imprisonment for 12 months if the person gives false or misleading information or documents to APRA, provided that such person has been notified that provision of false or misleading information constitutes an offence.

Under the Financial Sector (Collection of Data) Act 2001 (FSCODA), it is an offence for a bank not to provide APRA with information it requires within a specified period or by a particular time. The principal executive officer must notify the board of the bank if the bank has failed to provide the information. A penalty can be applied to the bank, board, management and/or individuals for breaching this requirement.

Under the recently passed Banking Executive Accountability Regime (BEAR), APRA has been given additional powers to investigate potential breaches of the Act. These allow APRA to require a specific person to appear before an investigator and provide the power to apply to a court to impose substantial fines on banks and to more easily disqualify ‘accountable’ persons.
EC6: The supervisor has the power to take corrective actions, including ring-fencing of the bank from the actions of parent companies, subsidiaries, parallel-owned banking structures and other related entities in matters that could impair the safety and soundness of the bank or the banking system.
Description and findings re EC6: APS 222 requires a bank to have in place processes to manage, monitor and control risks arising from its relationships with other members of a group, including but not limited to those arising from direct financial dealings with other group members. These risks include reputational, legal and operational risk arising from the relationship. It also imposes limits on exposures of a bank to related counterparties.

APRA’s ‘direction’ powers allow it to ringfence a bank from other entities in its corporate group. Specific directions can include stopping payments to group entities and preventing the bank from engaging in transactions with related entities that could adversely impact the bank and its depositors.

Under the new powers authorized by the Crisis Resolution Act, APRA’s direction powers allow it to require changes to a bank or group’s structure and operations to improve resolvability.
EC7: The supervisor cooperates and collaborates with relevant authorities in deciding when and how to effect the orderly resolution of a problem bank situation (which could include closure, or assisting in restructuring, or merger with a stronger institution).
Description and findings re EC7: APRA is itself also the resolution authority for ADIs in Australia. So, there is no issue in relation to cooperation and collaboration for resolution actions. In addition, the collaboration and cooperation arrangements with other agencies in the context of the CFR allow APRA to coordinate with these agencies in cases of financial distress. APRA’s resolution regime is, however, a work in progress.

Australia’s four major banks have material operations in New Zealand. As part of regular supervision, APRA has strong links with the RBNZ and this is supported by information sharing arrangements, joint onsite reviews and periodic meetings to discuss prudential matters of common interest.

The CFR has a key relationship with the New Zealand authorities, which cooperate through the TTBC. A TTBC crisis simulation took place in November 2017, which focused on cooperation and coordination between the TTBC agencies, testing their ability to assess and recommend resolution strategies and to coordinate and collaborate on public communication strategies.

APRA’s supervisory framework includes regular assessment of a number of factors relevant to the formulation of resolution options in respect of supervised entities, including obtaining relatively comprehensive information on group structure and location of critical functions.
Additional criteria
AC1: Laws or regulations guard against the supervisor unduly delaying appropriate corrective actions.
Description and findings re AC1: There are no laws or regulations that define or require timeframes for prompt corrective action. As discussed above in EC 2, APRA has a range of actions it can take in the event a bank is failing to take appropriate actions or found to be operating in an unsafe manner or condition.

In APRA’s view this provides for it to apply appropriate discretion and to take measured corrective action as and when it deems that to be appropriate.
AC2: When taking formal corrective action in relation to a bank, the supervisor informs the supervisor of nonbank related financial entities of its actions and, where appropriate, coordinates its actions with them.
Description and findings re AC2: As noted in relation to EC2, the CFR is the key forum to facilitate cooperation and coordination among domestic regulatory agencies. A formal MoU across CFR agencies details respective roles and responsibilities in the event that formal remedial action is required in crisis situations.

In the event that another regulator is involved, APRA would actively engage with the relevant agency to ensure awareness and coordination of prudential actions. In practice, there is regular dialogue with other regulatory agencies as needed depending on the circumstances.
Assessment of principle 11: Compliant
Comments: APRA has a broad range of tools and authorities across the spectrum to address problems at supervised banks, from traditional measures such as supervisory requirements to address weaknesses in areas covered by prudential standards to revoking a banking license and resolving a bank. These powers provide APRA with a strong base of support for requiring firms to address any areas of material concern.

The escalation to senior management through the placement of a bank on the EEC watchlist is a good practice and should ensure that needed supervisory responses are considered quickly and at a level of seniority that would allow for rapid decision making in the event this is needed.

APRA’s preferred approach is to identify potential concerns on an ongoing basis and work with supervised institutions to address them before a firm is in danger of breaching a prudential requirement. When possible it would seek to require a firm to address its areas of weakness and use its suasion powers as a supervisor in ways that do not require it to undertake enforcement actions that require exercising legal powers under the Banking Act. This allows for a timelier process to address deficiencies in the event a firm has the willingness and capacity to address the shortcomings causing concern. The supervision process provides for early intervention in the form of referring a firm to the watchlist of the EEC, increasing supervisory scrutiny and intensity and requiring firms to address significant deficiencies.

Among banking supervisors, this practice is not unique to APRA and can be quite effective, particularly if combined with clear articulation of the urgency, where appropriate, of achieving the supervisor’s expectations/requirements and a demonstrated willingness to use more formal legal powers or other actions that may constrain the firm from taking desired actions, when necessary.

Assessors noted that the majority of issues in the communications with the firms are in the ‘recommendation’ category, including actions that APRA supervisors expect the firms to take. APRA indicated that it has a well-established approach to determining the use of ‘requirements’ and ‘recommendations’ and this is determined by a range of criteria and their materiality, as outlined in the explanation to the essential criteria of this principle. APRA indicated that there is no lack of appetite to use ‘requirements’ where circumstances warrant it.

Assessors noted that in some cases, some actions (whether recommendations or requirements) took a relatively longer time to be addressed. Accordingly, there seems to be scope to enhance APRA’s approach to corrective actions by being more proactive in escalating the severity of the corrective action in a quicker and more active way if the bank is not effectively cooperating. This includes escalation from ‘recommendation’ to ‘requirement’ and also using formal corrective actions, such as directions, in a more active way. Assessors note that APRA’s approach is to work with banks to address the issues in a cooperative way, keeping the formal corrective powers as a last resort, but it may be useful to review the effectiveness of this approach in addressing weaknesses and gaps and possibly increase the appetite for using such formal actions as needed.
Principle 12: Consolidated supervision. An essential element of banking supervision is that the supervisor supervises the banking group on a consolidated basis, adequately monitoring and, as appropriate, applying prudential standards to all aspects of the business conducted by the banking group worldwide.34
Essential criteria
EC1: The supervisor understands the overall structure of the banking group and is familiar with all the material activities (including nonbanking activities) conducted by entities in the wider group, both domestic and cross-border. The supervisor understands and assesses how group-wide risks are managed and takes action when risks arising from the banking group and other entities in the wider group, in particular contagion and reputation risks, may jeopardize the safety and soundness of the bank and the banking system.
Description and findings re EC1: There are several ways in which APRA supervisors understand and assess the structure of a banking group, material activities (including nonbanking) of the wider group and risks arising from the banking/wider group. These include some requirements and obligations established by prudential standards. It also includes supervisory activities conducted as part of routine supervisory activities. It may also include other requirements that APRA may impose on a case-by-case basis on entities with a complicated group structure and significant nonbanking activities.

APRA’s frontline supervisors typically receive the group structure chart, including any material revisions on an ongoing basis. Prudential standard APS 330 Disclosures (APS 330) requires banks to prepare and disclose in their Pillar 3 reports, a Regulatory Capital reconciliation, which would include a reconciliation of legal entities within the accounting group and entities within the regulatory scope of consolidation. It will also include for each entity, balance sheet assets, liabilities and principal activities.

APS 222 sets out APRA’s requirements for banks to monitor and limit their risks as a result of their associations and dealings with related entities in a consolidated group. Consolidation covers the bank’s global operations and related entities including all entities controlled (whether directly or indirectly) by the bank or its ultimate domestic parent, and the parent entity itself. For example, APS 222 requires that an ADI must consult with APRA before establishing or acquiring a subsidiary. Typically, such consultations with APRA would result in the entity providing details of the subsidiary including material activities, the risk management and governance structure and reporting lines, intra-group support arrangements, any contagion risks to the regulated entity, etc. APRA would assess any contagion risks arising from such associations, based on a range of factors such as financial strength of the group, nature of and materiality of business activities, quality of risk management and governance, operational interdependence with other regulated/unregulated parts of the group, relevant credit ratings, etc.

APS 222 also states that an ADI must notify APRA of any circumstances that might reasonably be seen as having a material impact and potentially adverse consequences for an ADI in the group or for the overall group. It also limits the exposure to related entities by setting prudential limits on such related party exposures. Any exposures in excess of these limits would require APRA approval.

Under CPS 220, an APRA-regulated institution must notify APRA as soon as practicable, and no more than ten business days, after it becomes aware of any material or prospective material changes to the size, business mix and complexity of the institution/group.

APRA supervises ADIs on a Level 1 and Level 2 (banking group) basis and where required on a Level 3 (conglomerate) group basis. APRA conducts a range of supervisory activities, including reviewing Board papers (for large and complex entities) and regular meetings with the Board and senior management, which further assists in understanding and assessing the activities and risks arising from group activities. These meetings discuss a range of issues including banks’ strategy and structure, activities, risks, and other issues impacting the group.

APRA is aware that associations between a bank and other members (including nonbanking entities) of the wider group could give rise to potential contagion risk. APRA would on a case by case basis review and discuss group activities and any exposures where it had concerns. Any contagion risks arising from the banking group including reputation risk are assessed as part of the PAIRS risk assessment framework. In addition, for some cases of banks with complicated structure and which form part of a wider group including significant nonbanking activities, APRA has taken steps to restructure the banking activities under an intermediate holding of the group to get a better understanding of the interaction between the nonbanking and banking activities of the overall group. In one case, APRA has also required the ultimate holding company to have capital based on the aggregate of the capital requirements of the bank holding company and a capital measure applied at the level of the nonbank entities of the group. This may ensure that the capital of the ultimate holding company covers risks of nonbank entities within the group.

Noting the above, an understanding of the bank group structure especially in case of complex structures that involve a material presence of nonbanking entities is an evolving endeavor that APRA is trying to gradually enhance. This would require a mix of supervisory as well as regulatory measures and may involve actions at the level of the banking sector or on a case by case basis depending on the evolution of activities and risks.
EC2: The supervisor imposes prudential standards and collects and analyses financial and other information on a consolidated basis for the banking group, covering areas such as capital adequacy, liquidity, large exposures, and exposures to related parties, lending limits and group structure.
Description and findings re EC2: Under section 11AF of the Banking Act, APRA may make Prudential Standards to apply to ADIs, authorized NOHCs and their subsidiaries.

Level 1 and 2 prudential frameworks

Most of APRA’s prudential and reporting standards apply to banks on a stand-alone (Level 1) and consolidated (Level 2 banking group) basis. These standards cover a range of topics including capital adequacy, credit quality, liquidity, large exposures and associations with related entities.

Level 3 prudential framework

APRA may determine a Level 3 group where it considers that material activities are performed within the group across more than one prudentially regulated industry and/or in one or more non prudentially regulated industries, to ensure that the ability of the group’s prudentially regulated institutions to meet their obligations to depositors, policyholders or registered superannuation entities (RSE) beneficiaries is not adversely impacted by risks emanating from the group, including its non-prudentially regulated institutions. APRA has determined eight Level 3 groups.

APRA has a Level 3 conglomerate prudential framework applicable to Level 3 groups (effective since July 2017). This framework includes Prudential Standards covering risk management, business continuity management, fit and proper, outsourcing and governance. The Level 3 framework also includes standards for Heads of Level 3 groups including, aggregate group exposures, intra group transactions and exposures and audit and related matters and requirements covering the Head of a Group to identify, measure, monitor, assess and mitigate the risks of the Level 2 and Level 3 group.
EC3: The supervisor reviews whether the oversight of a bank’s foreign operations by management (of the parent bank or head office and, where relevant, the holding company) is adequate having regard to their risk profile and systemic importance and there is no hindrance in host countries for the parent bank to have access to all the material information from their foreign branches and subsidiaries. The supervisor also determines that banks’ policies and processes require the local management of any cross-border operations to have the necessary expertise to manage those operations in a safe and sound manner, and in compliance with supervisory and regulatory requirements. The home supervisor takes into account the effectiveness of supervision conducted in the host countries in which its banks have material operations.
Description and findings re EC3: APRA expects the parent bank to have full access to all relevant information of the overseas operations in order to be able to provide effective oversight of those operations. In addition, the parent bank’s internal audit function is expected to undertake regular reviews of those operations. APRA also has access to the parent bank’s board papers to verify the extent of discussion around foreign operations.

APRA supervisors usually check the extent of oversight of the parent banks over their foreign operations. This usually happens in prudential reviews, particularly when examining the risk management framework of banking groups. Another way of reviewing the extent of oversight of the parent bank over their cross-border entities is through the review of board papers and other bank reports, which inform APRA supervisors about the discussions and information reported to the board, and the effectiveness of the board oversight, including over foreign group entities. This issue can also be discussed in the context of the periodic consultation meetings and the regular catchups that APRA supervisors perform, particularly for the larger banks in Australia.

APRA supervisors check the fit and proper policy of banks and how it is applied across banking group entities, including the material subsidiaries. APRA also performs cross-border prudential reviews and onsite visits covering the foreign activities of ADIs. This includes particularly onsite missions to the subsidiaries of the large Australian banks in New Zealand, which represent the most significant cross-border exposure of those banks. These reviews include an assessment of the expertise and appropriateness of local management as well as the quality of reporting to, and oversight by, head office management and related reporting to the Board. While APRA considers the effectiveness of host supervisors in determining its approach to cross-border visits and reviews, this consideration also takes into account the materiality and risks of those exposures to the banking group as well as the resource implications for APRA. Given that the major cross-border operations of large Australian ADIs are in New Zealand, APRA conducts regular onsite visits and reviews covering the New Zealand operations of Australian banks and has a close relationship and supervisory cooperation with RBNZ.
EC4: The home supervisor visits the foreign offices periodically, the location and frequency being determined by the risk profile and systemic importance of the foreign operation. The supervisor meets the host supervisors during these visits. The supervisor has a policy for assessing whether it needs to conduct onsite examinations of a bank’s foreign operations, or require additional reporting, and has the power and resources to take those steps as and when appropriate.
Description and findings re EC4: APRA does not rely solely on the foreign regulators’ assessment in relation to the adequacy of risk management and controls of foreign entities in a banking group. APRA regularly conducts onsite prudential reviews of banks’ foreign operations determined by assessing materiality, risk profile and systemic importance. For example, APRA regularly conducts onsite reviews jointly with the RBNZ in New Zealand.

Such reviews are generally conducted with the host supervisor in attendance. APRA generally discusses and shares with the host supervisor its assessment of the effectiveness of management and activities of the foreign operations. The frequency and depth of onsite prudential reviews to banks’ offshore operations is determined by APRA’s assessment of the materiality and risk profile of these operations. Where these operations are assessed as being material or high risk, or where potential control weaknesses have been identified, APRA may decide on performing an onsite examination, depending on its resource plans and other supervisory priorities. As part of pre-review material, APRA would typically request Board and/or management reports, relevant risk management policies, relevant internal audit reports and reporting lines to head office/the parent bank. The offsite review of the material will help APRA supervisors further focus their assessment. When APRA conducts a review of a bank’s foreign operations, it typically liaises with the host-country supervisor to discuss prudential issues.
EC5: The supervisor reviews the main activities of parent companies, and of companies affiliated with the parent companies, that have a material impact on the safety and soundness of the bank and the banking group, and takes appropriate supervisory action.
Description and findings re EC5: A conglomerate group domiciled in Australia is typically headed by a regulated entity (a bank, an insurer or an authorized NOHC). Membership of the conglomerate group can include non-financial (commercial) as well as financial (regulated and un-regulated) entities.

The Banking Act provides APRA with powers to authorize NOHCs and to determine Prudential Standards to apply to NOHCs and groups under the NOHC. APRA therefore has powers to review the activities of the parent (which has to be an Australian NOHC) and of the companies under the NOHC.

APRA has issued a prudential standard (3PS 222) on Intra-group Transactions and Exposures (ITEs). The key requirements of this Prudential Standard are that a Level 3 Head must have a policy for the Level 3 group that: deals with the measurement, management and monitoring of, and reporting on, intra-group transactions and exposures between members of the group; develop and implement effective systems and processes to manage, monitor and report on intra-group transactions and exposures; and meet minimum requirements with respect to dealings between institutions in the Level 3 group and certain related matters.

In cases where there is a foreign parent, APRA would expect the foreign parent to be subject to regulatory oversight broadly consistent with that applied by APRA and, if requested by APRA, to provide APRA with information concerning activities of its subsidiaries outside the Australian conglomerate group. In fact, APRA prudential standard APS001 states that, where a foreign-owned ADI has a locally incorporated NOHC parent, the conglomerate group will comprise the locally incorporated NOHC (even if it is not an authorized NOHC) and all its subsidiaries. The ADI’s foreign parent(s), the foreign parent’s overseas-based subsidiaries and their directly owned non-ADI entities operating in Australia will not form part of the conglomerate group. APRA, however, expects the foreign parent to be subject to regulatory oversight broadly consistent with that applied by APRA and, if requested by APRA, to provide APRA with information concerning activities of its subsidiaries outside the Australian conglomerate group.

APRA supervisors usually review the activities of the parent particularly if it is a NOHC and it is subject to APRA’s oversight. They also review the affiliates of the parent and their impact on the bank. When the parent is a holding company that has activities outside APRA-regulated areas, APRA’s frontline supervisory team will try to understand the activities of the parent and its subsidiaries and affiliates and the potential impact on the ADI. This is performed particularly during the prudential review meetings and the prudential consultation done between APRA and the ADI’s Board and Management.

APRA also has MoUs with several regulators of other jurisdictions and hosts/participates in supervisory colleges that allow for information exchange on the parent and other members of a group. Information obtained from these supervisory processes should inform the need for supervisory action where required.
EC6: The supervisor limits the range of activities the consolidated group may conduct and the locations in which activities can be conducted (including the closing of foreign offices) if it determines that:
  • (a) the safety and soundness of the bank and banking group is compromised because the activities expose the bank or banking group to excessive risk and/or are not properly managed;

  • (b) the supervision by other supervisors is not adequate relative to the risks the activities present; and/or

  • (c) the exercise of effective supervision on a consolidated basis is hindered

Description and findings re EC6: APRA has broad powers under the Banking Act to limit the range of activities the consolidated group may conduct. Section 11CA(2) of the Banking Act allows APRA, amongst other things, to direct an ADI or NOHC to do, or to cause a body corporate that is its subsidiary to do, anything else as to the way in which the affairs of the body corporate are to be conducted or not conducted (Section 11CA(2)(p)), again so long as one of the triggers listed in Section 11CA(1) has occurred. This would include a material risk to the security of the body corporate’s assets, a material deterioration in the body corporate’s financial condition, the body corporate conducting its affairs in an improper or financially unsound way or in a way that may cause or promote financial instability in the Australian financial system.

APS 222, amongst other things, requires the Board of an ADI to establish, and monitor compliance with policies governing all dealings with related entities. Also, an ADI must satisfy APRA that it has adequate systems and controls to identify, review, monitor and manage exposures arising from dealings with related entities.

Under APS 222 an ADI must obtain APRA’s written approval for the establishment or acquisition of a regulated presence domestically or off-shore. Such an approval can be revoked by APRA. It would seem to follow logically that the revocation of such an approval would require the closure or sale of the establishment concerned. A breach or anticipated breach of a prudential standard would be a trigger for APRA to issue a direction under section 11CA of the Banking Act.

In practice, APRA supervisors usually review the activities of groups, including their cross-border activities. Where APRA thinks that these activities involve excessive risks, it asks the bank to enhance risk management or reduce exposures, or possibly to take other measures such as having more capital. This includes reducing exposures of cross-border subsidiaries of Australian banks in specific markets or in certain sectors in those markets. As described above, the main interest of APRA remains in the cross-border exposures of Australian banks in New Zealand, given the significance of these exposures relative to the major Australian banks.
EC7: In addition to supervising on a consolidated basis, the responsible supervisor supervises individual banks in the group. The responsible supervisor supervises each bank on a stand-alone basis and understands its relationship with other members of the group.35
Description and findings re EC7: APRA supervises locally incorporated ADIs and the consolidated banking group on a stand-alone and consolidated basis. Prudential standards that are applicable at level 2 basis are always usually applied at level 1 basis, i.e., at the level of the ADI itself. The supervisors usually have a good understanding of the structure of the level 2 groups and the relationship of the individual ADI with other members of the group.
Additional criteria
AC1: For countries which allow corporate ownership of banks, the supervisor has the power to establish and enforce fit and proper standards for owners and senior management of parent companies.
Description and findings re AC1: APRA’s prudential standard on fit and proper (CPS 520) sets out minimum requirements for APRA-regulated institutions in determining the fitness and propriety of individuals who hold positions of responsibility including senior management (including ADIs and NOHCs). In case an ADI is part of a NOHC, APRA can impose fit and proper standards on the senior managers of a NOHC. APRA is also able to check fit and proper requirements of the owners of ADIs and NOHCs, including any corporate companies, at the time of licensing (see BCP 5 for more details). However, in cases of change in control or significant ownership, APRA can enforce fit and proper rules to the extent that the approval of this change in ownership falls under the delegation APRA has from the Treasurer (i.e., if the shareholding entity has more than 15 percent of the bank’s shares and if the banks’ assets are less than A$1 billion). For the other cases, APRA looks at fit and proper requirements when advising the Treasurer on significant change in ownership of ADIs exceeding the delegation asset threshold. For more details, see BCP 6.
Assessment of Principle 12: Compliant
Comments: APRA’s consolidated supervisory approach is well underpinned in its supervisory practices and activities. Prudential standards and financial data are collected on a consolidated basis.

APRA also reviews the oversight of a bank’s foreign operations by management and ensures that the banking group risk management framework is applied on a consolidated basis. APRA conducts prudential reviews and visits covering the cross-border activities of large Australian banking groups, particularly in New Zealand where these exposures are relatively the most significant. APRA also has the powers to review the main activities of the parents of banking groups.

APRA supervisors show a good understanding of the banking group structure and the activities (including nonbanking activities) of the group and how this might impact the risk profile of the bank. APRA supervisors should continue to enhance their approach in relation to analyzing the impact of nonbanking activities over the group and be proactive in their supervisory measures and stance.
Principle 13: Home-host relationships. Home and host supervisors of cross-border banking groups share information and cooperate for effective supervision of the group and group entities, and effective handling of crisis situations. Supervisors require the local operations of foreign banks to be conducted to the same standards as those required of domestic banks.
Essential criteria
EC1: The home supervisor establishes bank-specific supervisory colleges for banking groups with material cross-border operations to enhance its effective oversight, taking into account the risk profile and systemic importance of the banking group and the corresponding needs of its supervisors. In its broadest sense, the host supervisor who has a relevant subsidiary or a significant branch in its jurisdiction and who, therefore, has a shared interest in the effective supervisory oversight of the banking group, is included in the college. The structure of the college reflects the nature of the banking group and the needs of its supervisors.
Description and findings re EC1: APRA has conducted supervisory colleges as the home supervisor, for two banks which have material overseas operations. When APRA arranged these colleges, it invited supervisors from global locations where the bank has material operations. Specific sessions were held covering APRA’s supervisory approach, matters affecting the domestic activities of the banking group and how these activities may impact offshore locations of the group. A summary of recent prudential review findings as well as contributions from relevant regional operations are also incorporated into agendas for supervisory colleges. In addition, presentations from senior bank executives occur across a spectrum of topics designed to provide insights into global strategies and governance as well as specific risk areas and business operations. All colleges convened to date have involved confidentiality declarations or equivalent that are signed by delegates that attend the college on a meeting-by-meeting basis.

However, the last college APRA organized for one of its banks was in June 2016. Based on discussions with APRA, one factor that explains why no supervisory colleges have been organized since June 2016 is that APRA is conducting regular onsite reviews of the major banks’ subsidiaries in New Zealand, which represent the most material cross-border exposures of Australian banks. In addition, APRA has close supervisory cooperation with the RBNZ on these exposures. APRA also covers other cross-border supervisory issues through onsite visits, particularly in Asia, and bilateral contacts, for example with the UK PRA. Another factor that may have held back the organization of these colleges is the resource implications for APRA.

It is understandable that the nature of the cross-border operations of the four Australian major banks may favor bilateral engagements more than the organization of supervisory colleges. But APRA should consider organizing supervisory colleges for other large banks that have material cross-border operations. A regular organization of these colleges would allow APRA better interaction and engagement with foreign supervisors and may facilitate bilateral exchange even further.

Where APRA is the host supervisor, it is invited to participate in several colleges held off-shore, to gain a better understanding of regulatory and supervisory issues with the parent bank in the home jurisdiction.
EC2: Home and host supervisors share appropriate information on a timely basis in line with their respective roles and responsibilities, both bilaterally and through colleges. This includes information both on the material risks and risk management practices of the banking group[36] and on the supervisors’ assessments of the safety and soundness of the relevant entity under their jurisdiction. Informal or formal arrangements (such as memoranda of understanding) are in place to enable the exchange of confidential information.
Description and findings re EC2: APRA’s policy is to establish MoUs, or equivalent, with all prudential supervisory agencies where material cross-border operations exist. APRA is currently a signatory to 33 bilateral and multilateral MoUs or equivalent with overseas regulators. These MoUs include provisions setting out confidentiality, purpose and use requirements in relation to the exchange of information. All banks/banking groups are made aware of the existence of formal arrangements and MoUs are generally published on APRA’s website.

APRA has developed close working relationships with relevant domestic and foreign regulators particularly in New Zealand, the United Kingdom, the United States of America and within Asian jurisdictions to assist supervisors to assess the financial condition and risk management arrangements of consolidated banking groups. As noted previously, these are formalized under MoUs providing the foundation for cooperation including the exchange of information and investigative assistance. In addition, the memoranda enable the agencies to assist APRA in obtaining information from third parties.

Various mechanisms are used to foster the effective and timely exchange of information relevant to supervision, including teleconferences, face-to-face workshops and supervisory colleges, as well as joint participation in relevant onsite prudential reviews. There is a regular exchange of prudential information, particularly for major banks with material subsidiaries operating in overseas jurisdictions. APRA organizes conference calls with host supervisors at least annually, but more typically every three to six months. These exchanges provide opportunities for supervisors to discuss updates on the financial standing of the regulated institution and topical issues.

As a matter of practice, APRA will provide host supervisors of subsidiaries incorporated in overseas jurisdictions with its risk assessment of the parent, upon request. It is also APRA’s practice to invite a representative from the host supervisor to accompany APRA when undertaking prudential reviews of banks operating in foreign jurisdictions. In the case of host supervisors visiting Australia, presentations are made by APRA detailing its supervisory approach, particularly in relation to the Australian banks with operations in host jurisdictions.

Where it is the host supervisor, APRA advises the home supervisor of any material issues in its dealings with the local operations of a foreign bank and, upon request, shares its assessment of risks and risk management systems, including the basis used to set a prudential capital ratio (PCR) for a foreign bank subsidiary.
EC3: Home and host supervisors coordinate and plan supervisory activities or undertake collaborative work if common areas of interest are identified in order to improve the effectiveness and efficiency of supervision of cross-border banking groups.
Description and findings re EC3: As both a home and host supervisor, APRA seeks to coordinate and plan supervisory activities for its two global banking groups wherever possible. The level of coordination and planning undertaken between offshore regulators is determined by the size and relative importance of the business operations in the offshore locations, with operations located in New Zealand being subject to the highest degree of coordination and planning given the significance of these operations. APRA and RBNZ meet on a regular six-monthly basis to discuss supervisory issues.

APRA typically conducts onsite prudential reviews on the New Zealand operations of major Australian banks in conjunction with the RBNZ. In addition, APRA and RBNZ coordinate joint supervisory stress tests on the major banks, with some New Zealand specific scenarios included.

For the local bank which has a branch operation in the U.K., the supervisor conducts a teleconference every six months with the PRA to discuss key issues and the objectives of upcoming and the outcomes of completed supervisory activities.

As a host supervisor, the level of coordination and planning with the home supervisor is dependent upon the home regulator’s requirements and generally differs depending on the importance of the local operation to the group’s activities.

The banking group supervisory activities are reflected in SAPs and would include the timing, scope, objectives and desired outcomes of activities, in addition to key risks/issues.
EC4: The home supervisor develops an agreed communication strategy with the relevant host supervisors. The scope and nature of the strategy reflects the risk profile and systemic importance of the cross-border operations of the bank or banking group. Home and host supervisors also agree on the communication of views and outcomes of joint activities and college meetings to banks, where appropriate, to ensure consistency of messages on group-wide issues.
Description and findings re EC4: APRA’s starting position is that communication will be timely, coordinated and focused on the information needs of stakeholders. This is explicitly stated in internal documentation prepared to guide APRA supervisors and reinforced in formal documentation jointly agreed between Australian and other regulatory authorities, predominantly the RBNZ.

In cases other than New Zealand, APRA makes case-by-case judgments on a communication strategy on joint supervisory activities and/or colleges to affected banks. The typical forms of communication include a post-review report in coordination with the host supervisors, coordinating supervisory colleges to have face-to-face discussions on group risks and issues, and ad hoc letters on supervisory matters.
EC5: Where appropriate, due to the bank’s risk profile and systemic importance, the home supervisor, working with its national resolution authorities, develops a framework for cross-border crisis cooperation and coordination among the relevant home and host authorities. The relevant authorities share information on crisis preparations from an early stage in a way that does not materially compromise the prospect of a successful resolution and subject to the application of rules on confidentiality.
Description and findings re EC5: For the four major banks which are considered to be of systemic importance to the Australian economy and which have a significant presence in the New Zealand market, APRA has a good degree of cross-border crisis cooperation and coordination with the New Zealand authorities—the RBNZ, the New Zealand Treasury and the New Zealand Financial Markets Authority—under the auspices of the TTBC, which was established in 2005 to enhance information sharing, promote a coordinated response to financial crises and guide policy advice to respective governments on banking supervision issues.

A formal crisis management framework reflected in a Memorandum of Cooperation has been developed to support this interaction, with this framework recently tested as part of a Trans-Tasman crisis simulation exercise in 2017. Results from this exercise confirmed that the framework works satisfactorily in practice. It was acknowledged by participants that the flow of information during the crisis exercise was acceptable. In addition, APRA has held supervisory colleges for two major banks, which included discussion on crisis management issues.
EC6: Where appropriate, due to the bank’s risk profile and systemic importance, the home supervisor, working with its national resolution authorities and relevant host authorities, develops a group resolution plan. The relevant authorities share any information necessary for the development and maintenance of a credible resolution plan. Supervisors also alert and consult relevant authorities and supervisors (both home and host) promptly when taking any recovery and resolution measures.
Description and findings re EC6: At present APRA does not have a formal prudential requirement for the development of group recovery or resolution plans. Despite this, each of the larger, more systemically important banks has developed recovery plans through ongoing thematic reviews, with APRA providing guidance on its expectations with regard to best practice via benchmarking exercises.

Whilst APRA has made significant progress in ensuring larger ADIs develop comprehensive and credible recovery plans, APRA is still in the early stages of development of a resolution planning framework for the larger banks involving host authorities as needed. In the medium-term, APRA intends to formalize its recovery and resolution planning framework into a prudential standard.

To date APRA has not been required to initiate any recovery or resolution measures for the larger banks which it supervises.
EC7: The host supervisor’s national laws or regulations require that the cross-border operations of foreign banks are subject to prudential, inspection and regulatory reporting requirements similar to those for domestic banks.
Description and findings re EC7: Authorization by APRA is required to conduct banking business in Australia. APRA may grant authorization to a foreign bank to conduct banking business in Australia either as an incorporated subsidiary in Australia or on a branch basis (‘foreign ADI’). Authorization is subject to meeting licensing requirements and compliance with APRA’s prudential framework and providing a commitment to be subject to ongoing APRA supervision. A foreign bank subsidiary is subject to the same regulatory, supervisory and reporting regime as Australian-owned banks.

Foreign ADIs with a branch authority are prohibited from financing themselves from retail sources. Specifically, foreign ADIs are prohibited from accepting deposits from individuals and non-corporates where the initial deposit amount is less than A$250,000. In addition, certain provisions in the Banking Act do not apply to foreign ADIs and foreign ADIs are exempt from APRA’s capital adequacy requirements (although the foreign bank’s parent must be subject to comparable capital adequacy standards in their home country).

Having said that, APRA applies the same supervisory approach to foreign ADIs as it does to locally incorporated banks. Foreign ADIs are subject to risk assessment using the PAIRS framework and both onsite and offsite supervisory activities are undertaken in line with SAPs.
EC8: The home supervisor is given onsite access to local offices and subsidiaries of a banking group in order to facilitate their assessment of the group’s safety and soundness and compliance with customer due diligence requirements. The home supervisor informs host supervisors of intended visits to local offices and subsidiaries of banking groups.
Description and findings re EC8: In its capacity as home supervisor, APRA pursues a program of onsite prudential reviews of overseas operations of Australian banks, reflective of its assessment of risks, controls and other matters. In all such cases APRA informs the host supervisor of the intended review and ensures that host authority staff have the opportunity to accompany the review team and/or take part in subsequent debrief discussions. It is routine for a representative from host supervisors to accompany APRA staff as part of its prudential reviews.

As a host supervisor, APRA facilitates any request from home country supervisors to examine the Australian operations of foreign banks. APRA reserves the right to have its staff accompany foreign supervisors on any review in Australia but may not always exercise this right. APRA takes into account such matters as the relative size of a subsidiary/branch, the scope of the intended review and its overall assessment of the local operations in its decision on whether to accompany a review. Irrespective of APRA’s participation, it is common for meetings to be held with visiting supervisors to discuss the results of reviews.
EC9: The host supervisor supervises booking offices in a manner consistent with internationally agreed standards. The supervisor does not permit shell banks or the continued operation of shell banks.
Description and findings re EC9: Australia does not allow the presence of shell banks or booking offices incorporated in foreign jurisdictions to operate in Australia.
EC10: A supervisor that takes consequential action on the basis of information received from another supervisor consults with that supervisor, to the extent possible, before taking such action.
Description and findings re EC10: APRA will form its assessment of the need for supervisory action taking into account all information available. Information provided by another supervisor will form part of that assessment.

Where supervisory action is based on information received from another supervisor, APRA will generally consult with the relevant supervisor prior to taking action. Where prior consultation is not considered appropriate, APRA will inform the relevant supervisor after the event.
Assessment of Principle 13: Largely Compliant
Comments: APRA has established MoUs with various supervisory agencies where material cross-border operations exist. In addition, APRA has developed close working relationships with foreign regulators, particularly with the RBNZ, given the significance of banks’ cross-border operations in New Zealand.

Various mechanisms are used to foster the effective and timely exchange of information relevant to supervision. In addition, onsite prudential reviews are undertaken in relation to the cross-border operations in New Zealand. APRA has conducted supervisory colleges for two of its major banks, with the last one held in June 2016. However, APRA maintains closer bilateral engagements, particularly with the RBNZ. This is an understandable approach if the cross-border operations are only material in New Zealand. However, it would be useful for APRA to consider conducting supervisory colleges more regularly, particularly for large ADIs that have a material level of cross-border exposures in multiple countries or regions, a case which exists already. In doing so, it is understandable that APRA assesses the benefit of organizing such colleges depending on the structure of the banking group and the breadth and materiality of its cross-border exposures.

APRA does not have a formal prudential requirement for the development of group recovery or resolution plans. Despite this, each of the larger, more systemically important banks has developed recovery plans through ongoing thematic reviews. Having said that, APRA is yet to finalize its recovery planning framework for banks and is still in the early stages of developing the prudential framework on resolution for banks. Further development of recovery and resolution planning frameworks is a key strategic initiative for APRA captured as part of APRA’s 2017–2021 Strategic Plan.
B. Prudential Regulations and Requirements
Principle 14: Corporate governance. The supervisor determines that banks and banking groups have robust corporate governance policies and processes covering, for example, strategic direction, group and organizational structure, control environment, responsibilities of the banks’ Boards and senior management,[37] and compensation. These policies and processes are commensurate with the risk profile and systemic importance of the bank.
Essential criteria
EC1: Laws, regulations or the supervisor establish the responsibilities of a bank’s Board and senior management with respect to corporate governance to ensure there is effective control over the bank’s entire business. The supervisor provides guidance to banks and banking groups on expectations for sound corporate governance.
Description and findings re EC1: APRA’s key prudential standards in this area are CPS 510, Governance, and CPS 520, Fit and Proper.

CPS 510 outlines the minimum requirements for governance of an ADI or Group Head, and places responsibility for meeting those requirements on the board of directors.

CPS 520 places the responsibility on the board of directors for ensuring that directors and those responsible for the management and oversight of the firm are qualified, having an appropriate level of skills, knowledge and experience, and will act with honesty and integrity. Determinations of fit and proper must consider the size, complexity and risk profile of the firm or group.

CPS 510 requires that where an institution is the head of a group, the group has in place governance arrangements appropriate to the nature and scale of the group’s operations, and that the prudential standard is applied throughout the group, including for institutions that are not APRA-regulated.

Specific requirements of CPS 510 include that:
  • requirements with respect to Board size and composition are met;

  • the chairperson of the Board must be an independent director;

  • the Board must have a policy on Board renewal and procedures for assessing Board performance;

  • a Board Remuneration Committee must be established and the institution or group must have a Remuneration Policy that aligns remuneration and risk management; and

  • a Board Audit Committee and a Board Risk Committee must be established.

APRA issued guidance to directors of ADIs in October 2014, to assist the board in understanding the responsibilities placed on them under APRA’s prudential framework. APRA also issued a letter in August 2015 to clarify the roles of the board and senior management and overarching board requirements.

In February 2018, the Australian Parliament passed the Banking Executive Accountability Regime (BEAR) Act, which amended the Banking Act to impose accountability, remuneration, key personnel and notification obligations on ADIs and persons in director and senior executive roles. The Banking Act amendments provide APRA with additional powers to investigate potential breaches of the BEAR measures and extend these powers to APRA’s other supervisory functions. Changes to APRA’s governance and fit and proper prudential requirements will be considered following implementation of the BEAR.

IMF assessors had discussions with APRA staff who believe the BEAR Act, which becomes effective July 1 for the major banks, will improve governance and the supervision thereof by providing greater clarity around roles and responsibilities and associated accountability of directors and managers covered under the Act. Additionally, it will give APRA greater authority to take actions against responsible parties quickly where necessary.
EC2: The supervisor regularly assesses a bank’s corporate governance policies and practices, and their implementation, and determines that the bank has robust corporate governance policies and processes commensurate with its risk profile and systemic importance. The supervisor requires banks and banking groups to correct deficiencies in a timely manner.
Description and findings re EC2: APRA supervisors assess governance and the assessment feeds into the PAIRS risk assessment framework in the three individual assessment areas of ‘risk governance,’ ‘management,’ and ‘the board.’ Combined, these assessment areas are expected to generally cover the effectiveness and appropriateness of an entity’s governance framework including the roles, responsibilities, composition, structure and functioning of the board, senior management and board committees, risk culture, risk appetite, the risk management framework, the compliance function, internal audit and external audit. Supporting guidance for carrying out these assessments is comprehensive and set out in the PAIRS Assessment Guide for each individual assessment area.

APRA supervisors typically assess the governance of an institution or group through targeted onsite reviews. For example, a detailed governance review was conducted on two major banks in 2016 which included a review of risk culture, risk appetite, the three lines of defense, remuneration and compliance frameworks. Following the reviews, APRA sent each firm a letter detailing its findings, including areas for improvement, and told the banks to provide an action plan to improve their frameworks.

APRA also assesses the functioning of an institution’s governance processes using prudential consultations (discussions with directors or, more normally, senior management), reviews of board documents, prudential reviews of specific risk areas, and ongoing communications with an institution’s board and senior management. APRA executives and members meet with the board of large institutions at least once a year.

APRA has created a ‘Governance, Culture, and Remuneration’ team of specialists to increase its focus on better understanding industry practices in these areas, to conduct reviews of these practices and to further develop APRA’s supervisory approach and techniques in the supervision of governance. In 2017, APRA built on this work and began a pilot program of risk culture reviews that will continue through 2018.
EC3: The supervisor determines that governance structures and processes for nominating and appointing Board members are appropriate for the bank and across the banking group. Board membership includes experienced non-executive members, where appropriate. Commensurate with the risk profile and systemic importance, Board structures include audit, risk oversight and remuneration committees with experienced non-executive members.
Description and findings re EC3: APRA sets out prudential requirements for board composition, renewal and performance. CPS 510 and CPS 520 specify that governance arrangements must take into account the size, complexity and risk profile of the institution. APRA assesses appropriateness as part of the PAIRS rating, as described in EC 1 above. Supporting guidance for carrying out these assessments is comprehensive and set out in the PAIRS Assessment Guide for each specific assessment area.

Board Composition

The Board of a locally incorporated APRA-regulated institution must have a minimum of five directors and a majority of independent directors at all times. Variations to this requirement are as follows.
  • For a locally incorporated APRA-regulated institution that is a subsidiary of another APRA-regulated institution or overseas equivalent the Board must have a majority of non-executive directors, but these non-executive directors need not all be independent. They would be required to have at a minimum two independent directors, in addition to an independent chairperson, where the Board has up to seven members. Where the Board has more than seven members, the institution will be required to have at least three independent directors, in addition to an independent chairperson.

  • For a locally incorporated APRA-regulated institution that is a subsidiary of another entity that is not prudentially regulated the Board must have a majority of independent directors. Independent directors on the Board of the parent company or its other subsidiaries may also sit as independent directors on the Board of the institution.

  • For a foreign ADI there must also be a senior manager in Australia that is responsible for the local operation. While not a requirement, APRA states this person is normally resident in Australia.

Board Renewal

A domestic APRA-regulated institution must have in place a formal policy/process on Board renewal. It must provide details on how the board intends to renew itself in order to ensure it remains open to new ideas and independent thinking, while retaining adequate expertise. It must include the factors that would determine when an existing director is reappointed and give consideration to whether the length of service on the board could materially interfere with the director’s ability to act in the best interests of the institution.

Board Committees

As noted above in EC 1, CPS 510 requires an APRA-regulated institution to have the following committees:

Board Audit Committee: the audit committee must have at least three members, all of whom are nonexecutive directors. A majority of the directors must be independent, with the Chair being independent. The committee provides an objective nonexecutive review of the effectiveness of the group’s financial reporting and group risk management framework.

Board Risk Committee: the risk committee must have at least three members. All members must be nonexecutive directors, a majority of the members must be independent, with the Chair being independent. The committee provides objective non-executive oversight of the implementation and operation of the ADI and/or the group risk management framework.

Board Remuneration Committee: must have at least three members. All members must be non-executive members of the APRA-regulated institution and a majority must be independent. The Chairperson of the committee must be an independent director of the APRA regulated institution.
EC4: Board members are suitably qualified, effective and exercise their “duty of care” and “duty of loyalty.”[38]
Description and findings re EC4: CPS 510 requires the board of directors to ensure that the board, collectively, has the full range of skills needed for the effective and prudent operation of the institution, and that each director has skills that allow them to make an effective contribution to Board deliberations and processes. This includes the requirements for directors, collectively, to have the necessary skills, knowledge and experience to understand the risks of the institution, including its legal and prudential obligations, and to ensure that the institution is managed in an appropriate way taking into account these risks.

APRA assesses boards through the PAIRS risk assessment process, as described above in EC 1.

Board members are subject to the ‘director’s duties requirement’ of the Corporations Act, which requires directors to exercise their powers and discharge their duties with the degree of care and diligence that a reasonable person would exercise if they were a director or officer of a corporation in similar circumstances—Section 180(1). Section 180(2) states that a director or other officer of a corporation who makes a business judgment is taken to meet these requirements if they:
  • make the judgment in good faith for a proper purpose;

  • do not have a material personal interest in the subject matter of the judgment;

  • inform themselves about the subject matter of the judgment to the extent they reasonably believe to be appropriate; and

  • rationally believe that the judgment is in the best interests of the corporation.

In addition, Section 181 of the Corporations Act states that a director must exercise their powers and discharge their duties in good faith in the best interests of the corporation and for a proper purpose.
EC5: The supervisor determines that the bank’s Board approves and oversees implementation of the bank’s strategic direction, risk appetite[39] and strategy, and related policies, establishes and communicates corporate culture and values (e.g., through a code of conduct), and establishes conflicts of interest policies and a strong control environment.
Description and findings re EC5: APRA prudential standard CPS 510 on governance requires the Board of directors of a locally-incorporated APRA-regulated institution to be ultimately responsible for oversight of the sound and prudent management of that institution. The standard requires banks to have a formal charter that sets out the roles and responsibilities of the Board.

Based on the standard, the Board must ensure that directors and senior management of the institution collectively have the full range of skills needed for the effective and prudent operation of the institution, and that each director has skills that allow them to make an effective contribution to Board deliberations and processes. This includes the requirement for directors, collectively, to have the necessary skills, knowledge and experience to understand the risks of the institution, including its legal and prudential obligations, and to ensure that the institution is managed in an appropriate way taking into account these risks. This does not preclude the Board from supplementing its skills and knowledge by engaging external consultants and experts.

In addition, APRA prudential standard CPS 220 requires the Board to ensure that:
  • it sets the risk appetite within which it expects management to operate and approves the entity/group’s risk appetite statement and risk management strategy;

  • it forms a view of the risk culture in the entity/group, and the extent to which that culture supports the ability of the entity/group to operate consistently within its risk appetite, identify any desirable changes to the risk culture and ensures the institution takes steps to address those changes;

  • senior management of the entity/group monitor and manage all material risks consistent with the strategic objectives, risk appetite statement and policies approved by the Board;

  • the operational structure of the entity/group facilitates effective risk management;

  • policies and processes are developed for risk-taking that are consistent with the RMS and the established risk appetite;

  • sufficient resources are dedicated to risk management; and

  • it recognizes uncertainties, limitations and assumptions of the measurement of each material risk.

APRA supervisors assess practices relative to these requirements and the effective oversight provided by the board, and this is captured in the PAIRS risk assessment.

APRA supervisors use a variety of techniques for these assessments, including:
  • Reviewing the annual risk management declaration required from the Board (under CPS 220). The annual declaration must address:

    • that the firm has the systems and resources needed for identifying, measuring, evaluating, monitoring, reporting, and controlling or mitigating material risks;

    • that the risk management framework is appropriate for the firm given its size, business mix and complexity;

    • that risk management and internal control systems are operating effectively and are adequate; and

    • that the firm has a risk management strategy that complies with CPS 220 and the firm has complied with each measure and control.

  • Reviewing the comprehensive independent review of the risk management framework conducted every three years as required under CPS 220 and the annual auditor assurance on compliance with prudential and reporting standards required under APS 310;

  • Targeted onsite prudential reviews that include review of board papers to enable APRA supervisors to make an assessment of approval and oversight mechanisms and information flows to and from the board; and

  • Onsite prudential consultations with senior management and/or the board.

APRA expects Boards to form a view of the risk culture in the institution, and the extent to which that culture supports the ability of the institution to operate consistently within its risk appetite, identify any desirable changes to the risk culture and ensure the institution takes steps to address those changes.

As noted above, APRA has created a team that specializes in the area of governance, culture and remuneration (GCR), and it is carrying out work at firms that will inform the specifics of a developed supervisory program for this area.

Separately from their obligations under Prudential Standards, some APRA-regulated institutions have assisted with the development of, and subscribed to, codes of conduct. These codes often include commitments to customers over and above the conduct requirements in laws governing financial services.
EC6: The supervisor determines that the bank’s Board, except where required otherwise by laws or regulations, has established fit and proper standards in selecting senior management, maintains plans for succession, and actively and critically oversees senior management’s execution of Board strategies, including monitoring senior management’s performance against standards established for them.
Description and findings re EC6: Boards are required to have fit and proper policies for responsible persons including senior managers. Policies must include criteria to be used to determine if the senior manager is fit and proper. Boards are required to assess if directors continue to meet the fit and proper standards every year. APRA supervisors assess fit and proper as part of ongoing supervisory processes, and this is included in the PAIRS assessment of the category ‘Board.’

There is no specific prudential standard covering succession planning, though it is included in guidance and supervisors are expected to consider it as part of broader assessments of governance.

Assessors did not observe specific assessments of the board’s effectiveness in its obligation to critically oversee senior management’s execution of board strategies or monitoring senior management performance.
EC7: The supervisor determines that the bank’s Board actively oversees the design and operation of the bank’s and banking group’s compensation system, and that it has appropriate incentives, which are aligned with prudent risk taking. The compensation system, and related performance standards, are consistent with long-term objectives and financial soundness of the bank and is rectified if there are deficiencies.
Description and findings re EC7: For domestic ADIs, CPS 510 requires that the Board (or a committee thereof) approve the firm’s remuneration policy. It requires that the remuneration policy’s performance-based components are designed to encourage behavior that supports the firm’s long term financial soundness and the risk management framework. Performance-based components of remuneration are required to align remuneration with prudent risk-taking and must incorporate adjustments to reflect the outcomes of business activities, the risks related to the business activities and the time necessary for the outcomes of those business activities to be reliably measured. In addition, the policy must provide for the Board to adjust performance-based components of remuneration downwards, to zero if appropriate, in relation to relevant persons or classes of persons, if such adjustments are necessary to protect the financial soundness of the group. The bank’s remuneration policies are to be reviewed annually and revised as necessary.

Supervisors assess remuneration arrangements including compliance with relevant prudential requirements through:
  • targeted onsite prudential reviews to assess the effectiveness of the remuneration framework;

  • review of board papers from the Board Remuneration Committee;

  • review of disclosures required under APS 330 including:

    • qualitative information relating to the bodies that oversee remuneration; the design and structure of remuneration process, description of the ways in which current and future risks are taken into account in the remuneration process, description of the ways in which the ADI seeks to link performance during a performance measurement period with levels of remuneration and description of the ways in which the ADI seeks to adjust remuneration to take account of longer-term performance including malus and clawbacks;

    • quantitative information including the number and amount of guaranteed bonuses awarded, termination payments, outstanding deferred remuneration split into cash, shares, or other forms, the amount of deferred remuneration paid out, breakdown of remuneration into fixed and variable, deferred and non-deferred, the amount of reductions due to ex post adjustments.

To increase its understanding of the practices across firms, APRA’s GCR team undertook a review of current remuneration practices and executive remuneration outcomes at a sample of firms in 2017. The objective of the review was to allow APRA to better gauge how remuneration related requirements and expectations are being interpreted and implemented in practice.

The review primarily focused on whether performance-based components of an entity’s remuneration framework have been designed to encourage behavior that supports the long term financial soundness and risk management framework of the entity. Outcomes from the review have been conveyed to the relevant sample institutions and APRA has issued an information paper.
EC8: The supervisor determines that the bank’s Board and senior management know and understand the bank’s and banking group’s operational structure and its risks, including those arising from the use of structures that impede transparency (e.g., special-purpose or related structures). The supervisor determines that risks are effectively managed and mitigated, where appropriate.
Description and findings re EC8: CPS 220 requires the Board to ensure that the operational structure of the firm allows for effective risk management including transparency around special purpose or related entity structures. The Board is required to ensure that the senior management of the institution/group monitors and manages all material risks consistent with the strategic objectives, risk appetite statement and policies approved by the board. At the time of licensing, information is sought on legal and operational structures and assessments are made to identify anything that can impede regulation including complex structures.

As a part of their regular supervisory processes, including analyses of quarterly reporting from the firms and the reviews noted above in EC 5 of CP 14, APRA supervisors review changes to operating structures and material risks arising from various parts of the group.
EC9: The supervisor has the power to require changes in the composition of the bank’s Board if it believes that any individuals are not fulfilling their duties related to the satisfaction of these criteria.
Description and findings re EC9: Under section 23 of the Banking Act APRA has the authority to remove either a director or a senior management executive if they are not fulfilling their duties and responsibilities. Should APRA determine that a responsible officer of a bank is not fit and proper, it may direct the bank to remove the officer, even if the bank has assessed the officer to be fit and proper. APRA also has power under subsection 11CA(2) of the Banking Act to issue a direction to a bank to remove a director from office.

Implementation of the BEAR Act, effective July 1 for the major banks, increases APRA’s authority and will make it easier to make changes to individuals in responsible capacities.
Additional criteria
AC1: Laws, regulations or the supervisor require banks to notify the supervisor as soon as they become aware of any material and bona fide information that may negatively affect the fitness and propriety of a bank’s Board member or a member of the senior management.
Description and findings re AC1: A bank is required to notify APRA, within 10 business days, if it becomes aware that a responsible person, which includes a board member or a member of senior management, is considered not to be fit and proper.
Assessment of Principle 14: Largely Compliant
Comments: The Corporations Act, APRA’s prudential standards and the supervisory approach articulate board and management responsibilities and emphasize the role of the board and senior management with respect to ensuring strong governance across the bank and group. Requirements for the board and board committees are appropriate, comprehensive and in line with the detailed criteria of this core principle.

As noted in the detailed assessment, APRA has a number of processes for assessing governance at the firms and its ratings framework requires supervisors to make explicit assessments of the board and management. (Specific comments about APRA’s assessment of boards and management are in CP 9). Assessors observed that this is mostly done through reviews of policies and procedures, reviews of board minutes (and other documents used by the board), board and management reporting and through regular frequent engagement with management in the course of normal supervisory processes and reviews and (less frequent) engagement with the board and chairs of board committees.

As noted above in EC5, key processes the supervisors use to assess the board with respect to its responsibilities related to the firm-wide risk management framework, including internal controls, include reviewing the annual risk management declaration, the triennial independent review of the risk management framework and the annual auditor assurance on compliance with prudential and reporting standards. This is supported by work carried out in risk-focused prudential reviews, reviews of board papers and minutes, and prudential consultations and other meetings with the firm.

This reliance on ‘self-reporting’ from the firms should be complemented by APRA undertaking more detailed thematic reviews on a periodic basis at the largest firms of key components and practices underlying firms’ processes for ensuring compliance with CPS 220 and APS 310. Additionally, given the high expectations and requirements with respect to firms self-reporting, if it were to be discovered that a firm has been reporting that it has effective practices and those are found to not be adequate (based on either APRA’s review or the assessment of independent parties), APRA should consider taking rapid and strong formal actions against the firm. As noted elsewhere in this assessment, another useful practice would be to ensure that the board and senior management assessments conducted for the PAIRS more directly and fully incorporate supervisory assessments of their effectiveness with respect to ensuring a strong RMF and the underlying practices that support it.

In addition, information on weaknesses related to risk management, controls and compliance with rules and laws based on the reviews carried out by ASIC and AUSTRAC should be used more consistently to better inform APRA’s assessment of the effectiveness of corporate governance at the firms.

The further clarity regarding responsibilities and accountability of responsible parties that will be provided by the BEAR Act will sharpen the focus of banks’ boards and management teams with respect to their specific duties and obligations. At the same time, it will require APRA to engage with the firms to ensure a strong understanding of the expectations against which they will assess them through the supervisory process under this new regime.
Principle 15: Risk management process. The supervisor determines that banks40 have a comprehensive risk management process (including effective Board and senior management oversight) to identify, measure, evaluate, monitor, report and control or mitigate41 all material risks on a timely basis and to assess the adequacy of their capital and liquidity in relation to their risk profile and market and macroeconomic conditions. This extends to development and review of contingency arrangements (including robust and credible recovery plans where warranted) that take into account the specific circumstances of the bank. The risk management process is commensurate with the risk profile and systemic importance of the bank.42
Essential criteria
EC1: The supervisor determines that banks have appropriate risk management strategies that have been approved by the banks’ Boards and that the Boards set a suitable risk appetite to define the level of risk the banks are willing to assume or tolerate. The supervisor also determines that the Board ensures that:
  • (a) a sound risk management culture is established throughout the bank;

  • (b) policies and processes are developed for risk-taking, that are consistent with the risk management strategy and the established risk appetite;

  • (c) uncertainties attached to risk measurement are recognized;

  • (d) appropriate limits are established that are consistent with the bank’s risk appetite, risk profile and capital strength, and that are understood by, and regularly communicated to, relevant staff; and

  • (e) senior management takes the steps necessary to monitor and control all material risks consistent with the approved strategies and risk appetite.

Description and findings re EC1: APRA’s CPS 220 places the primary responsibility for ensuring an adequate risk management framework is in place on the board of directors. While the board is not expected to do the work of ADI management, it is responsible for ensuring that a framework is in place to support effective risk management and ensure the bank is meeting the expectations of CPS 220. The Board of an APRA-regulated institution must make an annual declaration to APRA on risk management, which must be signed by the Board and Board Risk Committee chairs. The key requirements of CPS 220 are that a firm must:
  • have a risk management framework (RMF) that is appropriate to size, business mix and complexity;

  • have a board-approved risk appetite statement (RAS);

  • have a board-approved risk management strategy (RMS) that describes the key elements of the RMF;

  • have a board-approved business plan detailing its plans for implementation of strategic objectives;

  • maintain adequate resources to ensure compliance with CPS 220; and

  • notify APRA when the board becomes aware of a significant breach of or deviation from the RMF, or that the RMF is not adequately addressing a material risk.

The RMF must include:
  • a RAS;

  • a RMS;

  • a business plan;

  • policies and procedures supporting clearly defined and documented roles, responsibilities and formal reporting structures for the management of material risks throughout the institution;

  • a designated and independent risk management function;

  • an Internal Capital Adequacy Assessment Process (ICAAP);

  • a management information system (MIS) that is adequate, both under normal circumstances and in periods of stress, for measuring, assessing and reporting on all material risks across the institution; and

  • a review process to ensure that the risk management framework is effective in identifying, measuring, evaluating, monitoring, reporting, and controlling or mitigating material risks.

The effectiveness of the RMF is subject to review by internal/external audit at least annually. The results of the review are reported to the Board Audit Committee, the senior officer outside of Australia (for foreign banks) or the Compliance Committee as relevant. In addition, the appropriateness, effectiveness and adequacy of a RMF must be reviewed by ‘independent, competent experts’ at least every three years. This review may be carried out by either internal parties or external experts.

It is the board of directors’ responsibility to ensure that:
  • it forms a view of the risk culture of the ADI and across the group, where applicable, and the extent to which that culture supports the ability of the entity/group to operate within its risk appetite, identifies any needed changes to the risk culture and ensures the institution takes steps to address those changes;

  • senior management monitor and manage material risks consistent with the strategic objectives, the RAS and policies approved by the board;

  • the structure of the entity/group facilitates effective risk management;

  • the firm has an independent risk management function and a chief risk officer who reports directly to the executive officer and has full access to the board of directors;

  • policies and processes are developed for risk-taking that are consistent with the RMS and risk appetite;

  • sufficient resources are dedicated to risk management; and

  • it recognizes uncertainties, limitations and assumptions in the measurement of material risks.

The Board is required to annually attest that the RMF is appropriate relative to the firm’s size, business and complexity.

A bank’s risk profile and associated RMF are assessed in the ‘Inherent Risk’ and ‘Management and Controls’ elements of PAIRS. The assessment informs the Supervisory Oversight and Response System (SOARS) and supervisory action plans (SAPs). Supervisors are expected to take into consideration the attestation provided by the board and other independent review processes when assessing the RMF.

While APRA supervisors conduct prudential reviews that allow for assessing risk management and controls in specific areas, it is not apparent that the work carried out is sufficient to determine that, on a firm-wide basis, the board is aware of the uncertainties and weaknesses inherent in their processes and how these may impact its understanding of the adequacy of the firm’s RMF.

Consistent with the requirement that banks review and report that all processes are working effectively, supervisors do review the reports provided by the firms on the adequacy of firm-wide RMF.

To support the prudential requirements, comprehensive internal guidance is available to assist supervisors to form a view on an institution’s RMF including in the PAIRS assessment guidance.
EC2: The supervisor requires banks to have comprehensive risk management policies and processes to identify, measure, evaluate, monitor, report and control or mitigate all material risks. The supervisor determines that these processes are adequate:
  • (a) to provide a comprehensive “bank-wide” view of risk across all material risk types;

  • (b) for the risk profile and systemic importance of the bank; and

  • (c) to assess risks arising from the macroeconomic environment affecting the markets in which the bank operates and to incorporate such assessments into the bank’s risk management process.

Description and findings re EC2: As noted above, boards are required to ensure the firms have a comprehensive view of all material firm-wide risks and effective processes for managing and controlling them.

APRA supervisors conduct risk-focused prudential reviews that allow for assessing risk management and controls in specific areas. It is not apparent that the work carried out is sufficient to determine that, on a firm-wide basis, the board is aware of the uncertainties and weaknesses inherent in their processes and how these may impact an understanding of the firm’s risk profile.
EC3: The supervisor determines that risk management strategies, policies, processes and limits are:
  • (a) properly documented;

  • (b) regularly reviewed and appropriately adjusted to reflect changing risk appetites, risk profiles and market and macroeconomic conditions; and

  • (c) communicated within the bank.

The supervisor determines that exceptions to established policies, processes and limits receive the prompt attention of, and authorization by, the appropriate level of management and the bank’s Board where necessary.
Description and findings re EC3: CPS 220 requires an APRA-regulated institution’s RMF to include a documented RAS, an RMS, a business plan, ICAAP and policies and procedures supporting clearly defined and documented roles, responsibilities and formal reporting structures for the management of material risks throughout the institution.

As noted above (EC1), a bank’s risk profile and associated risk management are assessed in the ‘Inherent Risk’ and ‘Management and Controls’ elements of PAIRS. The assessment informs the Supervisory Oversight and Response System (SOARS) and supervisory action plans (SAPs) that detail the specific supervisory work to be carried out relative to risk management practices over the coming 12–24 months.

CPS 220 requires firms to have board-approved policies and procedures for risk management. These must include processes for:
  • identifying and assessing material risks and controls;

  • validation, approval and use of any models to measure components of risk;

  • establishing, implementing and testing mitigation strategies and control mechanisms for material risks;

  • monitoring, communicating and reporting risk issues, including escalation procedures for the reporting of material events and incidents;

  • identifying, monitoring and managing potential and actual conflicts of interest;

  • monitoring and ensuring ongoing compliance with all prudential requirements;

  • ensuring consistency across the risk management framework, including the components identified under paragraph 23;

  • establishing and maintaining appropriate contingency arrangements (including robust and credible recovery plans where warranted) for the operation of the risk management framework in stressed conditions; and

  • review of the risk management framework.

APRA’s supervision framework requires supervisors to make an assessment of the RMS, policies, processes and limits in context of the overall RMF and the requirements of CPS 220 and supporting guidance. Supervisors take into consideration the attestation provided by the board and other independent review processes when assessing the RMF. Additionally, APRA may appoint an auditor to assess the adequacy of a specific aspect of risk management through a special purpose engagement as authorized under APS 310.

These types of reviews are typically undertaken on an annual basis for larger banks. In addition, through ongoing supervisory activities, including monitoring risk positions and prudential reviews of individual risk areas, supervisors assess the effectiveness of the risk management controls a firm has in place. The supervisor’s assessment is reflected in PAIRS. To support the prudential requirements, detailed internal guidance (including PAIRS assessment guidance) is available to assist APRA supervisors to form a view.
EC4: The supervisor determines that the bank’s Board and senior management obtain sufficient information on, and understand the nature and level of risk being taken by the bank and how this risk relates to adequate levels of capital and liquidity. The supervisor also determines that the Board and senior management regularly review and understand the implications and limitations (including the risk measurement uncertainties) of the risk management information that they receive.
Description and findings re EC4: APRA supervisors assess an ADI’s integrated approach to risk, capital and liquidity management relative to the requirements of CPS 220. The supervisor’s assessment is reflected in the PAIRS risk assessment, including in the ‘management and controls’ rating, which is expected to be updated after prudential reviews. To support assessments of the prudential requirements, detailed internal guidance (including the PAIRS assessment guidance and guidance on specific risk areas) is available to assist supervisors to form a view.

Firms are required to have effective ICAAPs. The ICAAP involves an integrated approach to risk management and capital management based on assessing the level of, and appetite for, risk and ensuring that the level and quality of capital is appropriate to the ADI’s risk profile, including under stress.

In addition to the ICAAP for capital, an ADI is required to maintain a board approved liquidity management policy and risk management program that identifies, measures, monitors and manages liquidity risk.

With the assistance of specialized risk teams, frontline supervisors assess these practices through ongoing supervisory processes, including meetings/discussions with representatives of the firms and onsite prudential reviews that include review of information provided to the board. Supervisors review ICAAPs and ICAAP reports, ADIs’ liquidity and funding profiles and liquidity risk management frameworks, and undertake Committed Liquidity Facility (CLF) assessments. (See BCP 24 Liquidity for more details on the CLF).

APRA coordinates industry stress tests and reviews the firms’ own stress tests. APRA evaluates whether the outcomes of an ADI’s own stress tests are considered by institutions in the context of setting capital buffers, risk management and business decision making.

Supervisors conduct regular ‘catch up’ meetings with the firms. In discussion with assessors they noted that through these discussions, and other supervisory work including reviews of reporting to the board and senior management, they gain an understanding of the board’s and management’s knowledge and understanding of the risks faced by the firm and the limitations around risk measurement practices. It is not apparent that catch-up meetings and other work allow APRA to fully determine that the board is aware of all uncertainties and weaknesses inherent in their processes—including risk measurement practices—and how these may impact its understanding of the adequacy of the firm’s RMF.
EC5: The supervisor determines that banks have an appropriate internal process for assessing their overall capital and liquidity adequacy in relation to their risk appetite and risk profile. The supervisor reviews and evaluates banks’ internal capital and liquidity adequacy assessments and strategies.
Description and findings re EC5: APS 110 requires that in determining capital adequacy the board will take into consideration all risks across the firm. Firms are required to have an annual ICAAP, which must include:
  • policies, procedures, systems, controls to identify, measure, monitor and manage the risks arising from the ADI’s activities;

  • a strategy to ensure that adequate capital is maintained over time in the context of the ADI’s risk profile, risk appetite, capital targets and requirements;

  • stress testing and scenario analysis relating to potential risk exposures and available capital resources; and

  • processes for reporting on the ICAAP and its outcomes to the board/senior management.

In practice, APRA supervisors review capital adequacy, buffers and trigger points and seek to ensure that capital monitoring and management is robust. Supervisors regularly assess the adequacy of capital including buffers held above the PCR via quarterly and annual financial analysis together with a review of an ADI’s strategic and business plans.

ADIs are required to have a liquidity management strategy to measure, monitor and manage liquidity risks that is commensurate with the nature, scale and complexity of the institution. In formulating this strategy, the ADI must consider its legal structure, key business lines, the breadth and diversity of markets, products and jurisdictions in which it operates and home and host regulatory requirements.
EC6: Where banks use models to measure components of risk, the supervisor determines that:
  • (a) banks comply with supervisory standards on their use;

  • (b) the banks’ Boards and senior management understand the limitations and uncertainties relating to the output of the models and the risk inherent in their use; and

  • (c) banks perform regular and independent validation and testing of the models.

The supervisor assesses whether the model outputs appear reasonable as a reflection of the risks assumed.
Description and findings re EC6: For the use of models to determine capital against risks:

APRA allows the use of internal models to calculate regulatory capital as part of the internal ratings-based (IRB) approach to credit risk, the Advanced Measurement Approach (AMA) for operational risk and the calculation of the capital charge for IRRBB for market risk. There are currently six banks that have been approved for the use of internal models.

Use of internal models for calculating regulatory capital requirements is subject to APRA approval based on a bank meeting a set of qualifying standards. Standards and requirements are set out in prudential standards as follows: the internal ratings-based (IRB) approach to credit risk (APS 113); the Advanced Measurement Approach (AMA) for operational risk (APS 115); interest rate risk in the banking book (APS 117) and for market risk (APS 116).

In its RDA unit, APRA has three teams of specialists that review models, which are broken out by credit risk modeling, market risk modeling (including IRRBB, counterparty credit risk, XVA, and initial margining) and operational risk modeling.

Supervisors have quarterly meetings with advanced approaches firms to discuss potential or upcoming changes to these models, with the majority of model changes requiring explicit approval by APRA.

APRA conducts annual prudential reviews of advanced approaches banks’ use of internal models to ensure ongoing compliance with Prudential Standards. If an ADI is not complying with material aspects of the standards and the capital calculation model does not properly reflect underlying risks, APRA can revoke an approval or impose additional conditions on the approval. Where considered necessary, an ADI would be required to adopt the ‘standardized’ approach to calculating RWA and regulatory capital ratios.

For the use of models for risk measurement:

APRA’s prudential standards incorporate a requirement for an independent review of the risk management system and overall risk management process; this includes assessing the use of models for risk measurement and ensuring that firms have independent validation processes. Compliance with these prudential standards forms part of the annual assurance provided by external auditors to APRA as per APS 310. Risk specialist teams participate jointly with frontline supervisors (and modelling specialists, as needed) in regular onsite prudential reviews to assess inherent risk and related risk management and controls including how model outputs are used in decision making.

In relation to credit risk, APRA periodically reviews credit risk grading systems and scorecards used by banks for the origination and ongoing management of loans. This occurs as part of credit risk reviews (for retail scorecards) and IRB reviews (for non-retail models as these models are also used for regulatory capital purposes). APRA’s review of the credit risk grading systems and scorecards typically covers the use of the models and the associated model governance and validation framework and practices. APRA supervisors also review the model outputs and results of model monitoring and validation.

As part of benchmark onsite reviews, APRA has reviewed banks’ internal models and other risk measurement tools which are not necessarily used for regulatory capital purposes. For IRRBB and market risk models, the benchmark reviews include specific sessions which cover banks’ economic capital models and stress testing for both these areas. The onsite reviews cover and assess these economic capital models and other risk measurement tools used by the banks (e.g., stress testing and other risk measures used in day-to-day risk management such as sensitivities). Modelling limitations and visibility around these limitations (e.g., risks not in VaR) have been raised both as part of onsite reviews and as part of supervisory discussions on regulatory capital models.
EC7: The supervisor determines that banks have information systems that are adequate (both under normal circumstances and in periods of stress) for measuring, assessing and reporting on the size, composition and quality of exposures on a bank-wide basis across all risk types, products and counterparties. The supervisor also determines that these reports reflect the bank’s risk profile and capital and liquidity needs, and are provided on a timely basis to the bank’s Board and senior management in a form suitable for their use.
Description and findings re EC7: As a part of the risk governance assessments for PAIRS, APRA supervisors are expected to assess whether banks and banking groups have adequate information systems for measuring, assessing and reporting on the size, composition and quality of exposures. APRA’s supervisory guidance for the PAIRS risk assessment specifically includes a section on these assessments to assist supervisors when reviewing management information provided to the board, committees and senior management, including management information systems. APRA also has a team of IT risk specialists that can assist in the assessments of banks’ management information systems.

Supervisors assess whether reporting is sufficient for the board and senior management to have an informed opinion on the institution’s risks and the effectiveness of controls in place to mitigate those risks. This will look at reporting from across the bank and the broader group and includes reviewing reports management and the board receive. This will be looked at on an enterprise-wide (or group-wide) basis. In addition, management reports addressing particular functions, sub-portfolios and exposure types are assessed as required by APRA through normal supervisory processes.

The annual declaration from the banks’ Board, which must include a specific attestation as to the establishment of systems to monitor and manage risks including through adequate and timely reporting processes, provides an additional layer of assurance.
EC8: The supervisor determines that banks have adequate policies and processes to ensure that the banks’ Boards and senior management understand the risks inherent in new products,43 material modifications to existing products, and major management initiatives (such as changes in systems, processes, business model and major acquisitions). The supervisor determines that the Boards and senior management are able to monitor and manage these risks on an ongoing basis. The supervisor also determines that the bank’s policies and processes require the undertaking of any major activities of this nature to be approved by their Board or a specific committee of the Board.
Description and findings re EC8: There is no specific requirement for a new product approval process in APRA’s prudential standard CPS 220.

As a part of ongoing supervision and prudential reviews and reviews of board papers, the supervisors assess risks associated with new products, material modifications to existing products and major initiatives such as changes to systems, processes, business model and major acquisitions. APRA expects ADIs to have robust product approval processes that are subject to risk assessments. Where the product exposes the entity to significant risks or is in a new and unfamiliar area of business, the ADI is expected to consult with APRA. New and varied products are also specifically covered as part of the operational risk assessment and reviews.
EC9: The supervisor determines that banks have risk management functions covering all material risks with sufficient resources, independence, authority and access to the banks’ Boards to perform their duties effectively. The supervisor determines that their duties are clearly segregated from risk-taking functions in the bank and that they report on risk exposures directly to the Board and senior management. The supervisor also determines that the risk management function is subject to regular review by the internal audit function.
Description and findings re EC9: Under CPS 220, firms are required to have an independent risk management function that:
  • “is responsible for assisting the board of an APRA-regulated institution, board committees of an APRA-regulated institution and senior management of the institution to maintain the RMF;

  • is appropriate to the size, business mix, and complexity of the institution;

  • is operationally independent;

  • has the necessary authority and reporting lines to the board of an APRA-regulated institution, board committees of an APRA-regulated institution and senior management of the institution to conduct its risk management activities in an effective and independent manner;

  • is resourced with staff who have clearly defined roles and responsibilities and who possess appropriate experience and qualifications to exercise those responsibilities;

  • has access to all aspects of the institution that have the potential to generate material risk, including information technology systems and systems development resources; and

  • is required to notify the board of any significant breach of, or material deviation from, the RMF.”

An assessment of compliance with the details of this prudential standard, and of the effectiveness of the risk management framework and risk management function, is subject to review by internal and/or external audit at least annually. A comprehensive and independent review of the appropriateness, effectiveness and adequacy of the RMF must also be conducted at least every three years. The results of the review must be reported to the ADI’s Audit Committee.

APRA supervisors make an assessment of the risk management function as part of its Risk Governance assessment in PAIRS. Detailed internal guidance (including PAIRS assessment guidance) is available to assist supervisors with these assessments. Meetings with internal auditors (as the third line of defense) and review of the related reports are factored into risk governance assessments by supervisors.

APRA meets regularly with CROs to discuss and assess the key risks stemming from the firm’s business activities, and the adequacy and effectiveness of the risk management function.
EC10: The supervisor requires larger and more complex banks to have a dedicated risk management unit overseen by a Chief Risk Officer (CRO) or equivalent function. If the CRO of a bank is removed from his/her position for any reason, this should be done with the prior approval of the Board and generally should be disclosed publicly. The bank should also discuss the reasons for such removal with its supervisor.
Description and findings re EC10: APRA requires all ADIs to have a dedicated risk management function and to designate a chief risk officer. There is no specific requirement for prior approval of the board when removing a CRO nor that there must be a public disclosure in the event of such a removal. APRA staff stated that in practice these things generally do happen.

APRA would expect the firm to discuss with the supervisors the reasons for the removal.
EC11: The supervisor issues standards related to, in particular, credit risk, market risk, liquidity risk, interest rate risk in the banking book and operational risk.
Description and findings re EC11: APRA’s prudential framework includes prudential standards for most material risks including credit risk, market risk, liquidity risk, and interest rate risk in the banking book. While there is no dedicated prudential standard for operational risk, APS 115 for AMA captures elements of what APRA would incorporate into an Operational Risk Management standard. CPS 220 has general principles, then there are standards for operational risk areas such as business continuity management and outsourcing. See CP25 for more details.
EC12: The supervisor requires banks to have appropriate contingency arrangements, as an integral part of their risk management process, to address risks that may materialize and actions to be taken in stress conditions (including those that will pose a serious risk to their viability). If warranted by its risk profile and systemic importance, the contingency arrangements include robust and credible recovery plans that take into account the specific circumstances of the bank. The supervisor, working with resolution authorities as appropriate, assesses the adequacy of banks’ contingency arrangements in the light of their risk profile and systemic importance (including reviewing any recovery plans) and their likely feasibility during periods of stress. The supervisor seeks improvements if deficiencies are identified.
Description and findings re EC12: APRA expects firms to have a range of actions available to improve their capital position in the event of a stress event, including a graduated series of triggers above capital requirements to protect against breaches of a requirement. Management actions associated with various triggers will vary according to the nature of the stress and will increase in intensity as capital declines.

APRA is currently in the process of developing a formal prudential framework for recovery planning and has developed guidance on recovery planning that will be circulated to industry.

APRA has conducted several recovery planning exercises, including a pilot review in 2011 at six of the largest ADIs, and a thematic review of the nine largest ADIs in 2016, and is currently conducting the final phase of this thematic review, with feedback to firms to come in 2018.
EC13: The supervisor requires banks to have forward-looking stress testing programs, commensurate with their risk profile and systemic importance, as an integral part of their risk management process. The supervisor regularly assesses a bank’s stress testing program and determines that it captures material sources of risk and adopts plausible adverse scenarios. The supervisor also determines that the bank integrates the results into its decision-making, risk management processes (including contingency arrangements) and the assessment of its capital and liquidity levels. Where appropriate, the scope of the supervisor’s assessment includes the extent to which the stress testing program:
  • (a) promotes risk identification and control, on a bank-wide basis;

  • (b) adopts suitably severe assumptions and seeks to address feedback effects and system-wide interaction between risks;

  • (c) benefits from the active involvement of the Board and senior management; and

  • (d) is appropriately documented and regularly maintained and updated.

The supervisor requires corrective action if material deficiencies are identified in a bank’s stress testing program or if the results of stress tests are not adequately taken into consideration in the bank’s decision-making process.
Description and findings re EC13: APRA requires firms to conduct stress tests covering various types of risk as a part of their risk management practices and for it to be a routine element of a bank’s risk management systems. In addition, annual ICAAPs include simulations of a range of adverse scenarios. Subject to review scoping, an individual bank’s approach to stress testing is discussed during onsite prudential reviews and other supervisory interactions. Supervisors review the firm’s ICAAP reports as a part of ongoing supervision.

Assessments of the use of firm-wide stress testing carried out by the firms outside the ICAAP process are limited. Assessors noted few formal reviews of ICAAP or other firm-wide stress testing related reviews in SAPs requested from APRA during the assessment or issues related to ICAAP or stress testing in a list provided of recommendations and requirements APRA has communicated to the major firms.

With a heightened focus on firms achieving ‘unquestionably strong’ capital thresholds, the focus on other assessments of capital has been reduced for the time being. Given the importance of firm-wide stress testing as a tool to identify potential risks and consider capital needs related to risks that may not be well captured in regulatory capital regimes, APRA should dedicate more time to assessing the underlying risk measurement, management and control practices around firms’ use of firm-wide stress testing. The role of the board and management, including its use of the results of these tests and the value of reporting it receives from internal audit reviews of these processes, should be considered in assessments of governance.
EC14: The supervisor assesses whether banks appropriately account for risks (including liquidity impacts) in their internal pricing, performance measurement and new product approval process for all significant business activities.
Description and findings re EC14: APRA supervisors review transfer pricing arrangements/practices in their reviews of liquidity and liquidity risk management.

There is no APRA requirement to have a formal new product approval process.

APRA supervisors noted that all of the firms do have policies and processes for new product approvals and they are looked at as part of normal ongoing supervision processes.
Additional criteria
AC1: The supervisor requires banks to have appropriate policies and processes for assessing other material risks not directly addressed in the subsequent Principles, such as reputational and strategic risks.
Description and findings re AC1: APRA expects all material risks, including reputation, contagion and strategic risks, to be captured and addressed as part of the firm’s ICAAP. These risks would form part of determining an ADI’s capital adequacy requirements under the PCR. Currently supervisors are more focused on firms getting to ‘unquestionably strong’ thresholds than on PCR, ICAAP and internal stress testing for capital, as the unquestionably strong thresholds are reportedly higher than what would be generated by these other processes.
Assessment of Principle 15: Largely Compliant
Comments: Underlying APRA’s approach to the supervision of risk management is a strong and longstanding focus on the responsibilities of boards to ensure all appropriate processes are in place and effective. The issuance of CPS 220 since the last FSAP assessment (2012) has been a positive development. CPS 220 details the comprehensive set of policies and practices a firm must have and includes reporting requirements on the effectiveness of these practices that the firms must meet. APRA supervisors rely to a significant degree on the reporting requirements under CPS 220 to determine that a bank is in compliance with this prudential standard; they review these reports as part of their PAIRS assessment of risk governance. Discussions with supervisors and representatives of banks indicate that the release of CPS 220 has proved effective at increasing banks’ focus on financial risk management and internal controls.

This approach allows APRA to risk focus and utilize its resources on the areas it determines warrant the most direct scrutiny. As described in the detailed assessment, APRA has a number of good processes for risk focusing supervisory activities, combining knowledge of the firms with assessment of risks across the industry. APRA continues to develop its offsite quantitative analytical capabilities and appears to be making good progress. The use of prudential reviews on a firm-specific basis and coordinated thematic reviews across groups of firms gives APRA a good understanding of the effectiveness of risk management practices around the areas they choose to review. Thematic reviews covering specific areas across groups of firms are a particularly useful tool for understanding the relative strengths and weaknesses across the firms and for identifying best practices. APRA has increased the use of this type of review and should continue to do so, where possible.

APRA supervisors review firms’ internal stress testing results and discuss relevant issues with the firms. These reviews do not generally take a deep look at the inputs or review the controls around the inputs, so it may be difficult for APRA supervisors to gain confidence in the reliability of the output. Assessors observed very few recommendations or requirements for firms to address issues in their ICAAP or stress testing practices.

APRA should continue its implementation of the recovery planning program and move ahead to creation of a formal and fully documented program and expectations for the banks.
Principle 16: Capital adequacy.44 The supervisor sets prudent and appropriate capital adequacy requirements for banks that reflect the risks undertaken by, and presented by, a bank in the context of the markets and macroeconomic conditions in which it operates. The supervisor defines the components of capital, bearing in mind their ability to absorb losses. At least for internationally active banks, capital requirements are not less than the applicable Basel standards.
Essential criteria
EC 1: Laws, regulations or the supervisor require banks to calculate and consistently observe prescribed capital requirements, including thresholds by reference to which a bank might be subject to supervisory action. Laws, regulations or the supervisor define the qualifying components of capital, ensuring that emphasis is given to those elements of capital permanently available to absorb losses on a going concern basis.
Description and findings re EC1: APRA’s regulatory capital requirements are set out in APS 110 and 111. Requirements are consistent with Basel requirements and apply on both a standalone and consolidated banking group basis. Minimum APRA capital requirements are defined by APRA in its setting of the PCR. The minimum PCR ratios are as follows: common equity tier 1 ratio of 4.5 percent; tier 1 ratio of 6.0 percent; and total capital ratio of 8.0 percent. In addition, there is a capital conservation buffer requirement of 2.5 percent unless determined otherwise by APRA. The sum of the common equity tier 1 PCR plus the capital conservation buffer (CCB) determined by APRA will be no less than 7.0 percent. Australia’s four D-SIBs are required to hold an additional one percent of CET1 capital to be applied as part of the buffer. APS 110 also requires ADIs to hold a countercyclical capital buffer, as determined by APRA, of between 0 and 2.5 percent of CET1 capital.

APRA can hold an ADI to a higher PCR if it believes there are prudential reasons for doing so. It may increase the PCR for CET1, Tier 1 or total capital on both a standalone and consolidated basis. APRA also expects ADIs to hold a sufficient management capital buffer above its PCR and to avoid falling into the buffer.

Under APS 110, capital distributions may be constrained when an ADI’s CET1 falls within the capital buffer that consists of the CCB plus any countercyclical buffer and the D-SIB buffer. Constraints are placed on dividends and share buy backs, discretionary payments on Additional Tier 1 Capital and discretionary bonus payments. APS 110 requires any capital distributions that result in reductions in capital—including dividends in excess of 100 percent of earnings in the financial year to which they relate and all share buybacks—to be approved by APRA.

ADIs must have a Board-approved ICAAP appropriate for its size, business mix and complexity of operations and group structure. This is typically provided to APRA on an annual basis and forms the basis of supervisory discussions with the firms on capital management, risk appetite and stress testing. In-depth reviews of firms’ ICAAP processes were not observed by the assessors in SAPs for the major banks.

APRA is currently in the consultation phase of determining a minimum requirement for the tier 1 leverage ratio. There is currently no minimum leverage ratio requirement. Firms that use the IRB approach are required to publicly disclose their leverage ratios in financial reports.

As per the Financial Sector Inquiry (FSI) recommendations, APRA will implement benchmarks for “unquestionably strong” capital. ADIs are expected to meet these benchmarks by January 1, 2020. The increases in capital will differ based on whether a firm uses the advanced or standardized approach for regulatory capital calculations. Advanced approaches firms will see their capital requirements increasing by roughly 150 basis points and for standardized the increase will be approximately 50 basis points.
EC2: At least for internationally active banks,45 the definitions of capital, risk coverage, method of calculation and thresholds for the prescribed requirements are not lower than those established in the applicable Basel standards.
Description and findings re EC2: APRA’s regulatory capital standards apply to all banks and the definition of capital, calculation methodologies and capital ratios are consistent with all applicable Basel minimum requirements. The BCBS Regulatory Consistency Assessment Programme (RCAP) assessment of Basel III in 2014 noted that APRA had generally implemented the definition of capital in line with the Basel framework and had chosen not to permit the use of threshold deduction treatment. This represents an increase in conservatism relative to the Basel III definition of capital.

Overall APRA received a ‘largely compliant’ assessment for capital during the 2014 RCAP. The largely compliant assessment was a result of its (i) exemptions to the Basel-required deduction for indirect investments in own capital instruments under certain circumstances, and (ii) not requiring the issuance of new shares prior to a public sector injection of capital. APRA believes these are reasonable differences that are consistent with Basel rules (with respect to the exemptions) and helpful to mitigate moral hazard (with respect to the non-requirement of share issuance).

In July 2017 APRA released an information paper on ‘Strengthening banking system resilience—establishing unquestionably strong capital ratios’. By January 1, 2020, APRA expects banks to meet unquestionably strong capital benchmarks, which for IRB banks will increase minimum acceptable capital by approximately 150 basis points and for standardized approach banks by approximately 50 basis points.

APRA has begun the consultation phase on Basel III capital revisions and proposed ‘unquestionably strong capital’. In February 2018 APRA released a discussion paper on ‘Revisions to the capital framework for ADIs’.
EC3: The supervisor has the power to impose a specific capital charge and/or limits on all material risk exposures, if warranted, including in respect of risks that the supervisor considers not to have been adequately transferred or mitigated through transactions (e.g., securitization transactions)46 entered into by the bank. Both on-balance sheet and off-balance sheet risks are included in the calculation of prescribed capital requirements.
Description and findings re EC3: APRA sets the PCR for ADIs. It has the authority to set PCRs for CET1, Tier 1 and total capital that are above the minimum prescribed levels. Capital requirements cover both on- and off-balance sheet exposures. Several prudential standards allow APRA to require higher capital levels (or other actions including increasing loan loss reserves) if deemed appropriate relative to risks.

APRA has the authority to require firms to take specific actions if it has concerns about the risk exposures of an ADI relative to capital. APRA may increase the PCR of an ADI, issue directions to the ADI to undertake specific actions to increase capital or impose other conditions on a bank.
EC4: The prescribed capital requirements reflect the risk profile and systemic importance of banks47 in the context of the markets and macroeconomic conditions in which they operate and constrain the build-up of leverage in banks and the banking sector. Laws and regulations in a particular jurisdiction may set higher overall capital adequacy standards than the applicable Basel requirements.
Description and findings re EC4: As noted above, APRA has the authority to set PCRs for CET1, Tier 1 and total capital for ADIs above required minimum levels. The PCR is set based on the supervisor’s assessment of an entity’s risk profile, as well as Pillar 2 assessments that inform capital needs relative to the strength of a firm’s corporate governance, senior management, risk management systems and controls. Increased risks reflecting the state of the macroeconomic environment can be used by APRA in setting firms’ PCRs individually and as a group, including the potential use of a countercyclical buffer up to 2.5 percent to raise banking sector capital requirements in periods where excess credit growth is found to be leading to an increase in systemic risk.

The decision to require a supervisory adjustment to capital, and the size of that adjustment, is based on information derived from the full range of APRA’s supervision activities, including:
  • offsite analysis;

  • reviews;

  • PAIRS assessment/SOARS stance;

  • review of the ICAAP;

  • discussions with the regulated institution;

  • any plans by the regulated institution to address APRA’s concerns, including the clarity, viability and timeliness of the plans; and

  • any other information held or sought by APRA.

Prior to requiring a supervisory adjustment to the PCR, APRA would likely first seek to have the regulated institution address the areas of concern through, for example, changes to its operations, governance or risk and capital management framework or processes.

APRA coordinates periodic industry stress tests based on macro-economic scenarios that inform its views of the vulnerabilities at individual institutions and across the financial system. Results of the stress tests can be used to inform the setting of PCRs, though this is not occurring in practice; firms and APRA are focused on meeting the unquestionably strong benchmarks, which put the firms generally well above the PCR. There is no explicit ‘post-stress requirement’ for minimum regulatory capital.

As of the end of 2017, the average total risk-based capital ratio for APRA-supervised banks was over 14.5 percent, with both large firms and smaller firms having averages above that level.
EC5: The use of banks’ internal assessments of risk as inputs to the calculation of regulatory capital is approved by the supervisor. If the supervisor approves such use:
  • (a) such assessments adhere to rigorous qualifying standards;

  • (b) any cessation of such use, or any material modification of the bank’s processes and models for producing such internal assessments, are subject to the approval of the supervisor;

  • (c) the supervisor has the capacity to evaluate a bank’s internal assessment process in order to determine that the relevant qualifying standards are met and that the bank’s internal assessments can be relied upon as a reasonable reflection of the risks undertaken;

  • (d) the supervisor has the power to impose conditions on its approvals if the supervisor considers it prudent to do so; and

  • (e) if a bank does not continue to meet the qualifying standards or the conditions imposed by the supervisor on an ongoing basis, the supervisor has the power to revoke its approval.

Description and findings re EC5: APRA allows the use of internal models to calculate regulatory capital as part of the internal ratings-based (IRB) approach to credit risk, the Advanced Measurement Approach (AMA) for operational risk and the calculation of the capital charge for IRRBB for market risk and traded market risk. There are currently six banks that have been approved for the use of internal models for credit risk and IRRBB and, of these, five banks for the use of AMA and traded market risk.

Use of internal models for calculating regulatory capital requirements is subject to APRA approval based on a bank meeting a set of qualifying standards. Standards and requirements are set out in prudential standards as follows: the internal ratings-based (IRB) approach to credit risk (APS 113); the Advanced Measurement Approach (AMA) for operational risk (APS 115); interest rate risk in the banking book (APS 117) and for market risk (APS 116).

As part of its RDA unit, APRA has three teams of specialists that review models, which are broken out by credit risk modeling, market risk modeling (including IRRBB, counterparty credit risk, XVA, and initial margining) and operational risk modeling.

Supervisors have quarterly meetings with advanced approaches firms to discuss potential or upcoming changes to these models, with the majority of model changes requiring explicit approval by APRA.

APRA conducts annual prudential reviews for advanced approaches banks’ use of internal models to ensure ongoing compliance with Prudential Standards. If an ADI is not complying with material aspects of the standards and the capital calculation model does not properly reflect underlying risks, APRA can revoke an approval or impose additional conditions on the approval. Where considered necessary, an ADI would be required to adopt the ‘standardized’ approach to calculating RWA and regulatory capital ratios.
EC6: The supervisor has the power to require banks to adopt a forward-looking approach to capital management (including the conduct of appropriate stress testing).48 The supervisor has the power to require banks:
  • (a) to set capital levels and manage available capital in anticipation of possible events or changes in market conditions that could have an adverse effect; and

  • (b) to have in place feasible contingency arrangements to maintain or strengthen capital positions in times of stress, as appropriate in the light of the risk profile and systemic importance of the bank.

Description and findings re EC6: APRA has the authority to make requirements as defined in EC 6.

APRA standards for capital management require a forward-looking approach such that firms will have adequate capital both during ‘normal times’ and during periods of stress. A firm’s ICAAP is the primary method for this. APS 110 outlines ICAAP requirements and requires an ADI to have a strategy for ensuring adequate capital is maintained over time, including specific capital targets relative to the ADI’s risk profile, the risk appetite set forth by the board of directors and regulatory capital requirements. Firms must have plans for meeting target levels of capital and the ability to get new capital when needed.

The ICAAP is a key input into APRA’s process for setting a firm’s PCR. The authority to set a PCR with requirements above minimum regulatory capital requirements gives APRA the ability to make the requirements forward looking and based on stress testing analyses by allowing PCRs to be set in anticipation of possible events or changes in business plans or market conditions.

IMF assessors did not see examples of stress testing being used to set required capital in practice. APRA supervisors explained to assessors that since the July 2017 publication of the information paper on ‘Strengthening banking system resilience – establishing unquestionably strong capital’, APRA has focused more on firms’ plans for achieving this objective and less on the traditional use of the PCR, since the unquestionably strong capital requirement will be higher than the PCR would be set.

Notably, the information paper states that capital is more likely to be considered ‘unquestionably strong’ if firms can demonstrate they would maintain sufficient capital to be able to continue to raise funding and provide other critical economic functions during a stressful operating environment.

The Capital assessment under PAIRS takes into account APRA’s assessment of the ability of an ADI to access new capital and gives it a 25 percent significance risk weight. There is value in taking into account access to new capital in assessing a firm’s capital position, in some situations. However, an assessment of access to new capital is least likely to hold up in times of significant stress to a firm, which is generally when a firm most needs it. This is a key lesson learned from the GFC and a major reason why many supervisors have focused on capitalization under stress through their stress testing programs. It may be useful for APRA to consider the extent of reliance on this metric in the assessment of a bank in PAIRS and the scope for reducing it to ensure more weight is given to the consideration of the firm’s ability to have enough capital for its needs in a variety of circumstances, including under stress.
AC1: For non-internationally active banks, capital requirements, including the definition of capital, the risk coverage, the method of calculation, the scope of application and the capital required, are broadly consistent with the principles of the applicable Basel standards relevant to internationally active banks.
Description and findings re AC1: APRA does not draw any distinction between internationally active and internationally non-active banks in its application of capital standards. All banks must comply with the same general prudential standards, which are consistent with applicable Basel requirements. There are six large banks that use the IRB approach. Smaller banks all use the standardized approach.
AC2: The supervisor requires adequate distribution of capital within different entities of a banking group according to the allocation of risks.49
Description and findings re AC2: APS 110 provides the framework for capital adequacy assessments. ADIs must maintain adequate capital on both a stand-alone and group basis. For an ADI that heads a conglomerate group, in addition to maintaining adequate capital in the ADI, it must satisfy APRA that the group has a level of capital consistent with its risk profile. For an ADI or a NOHC that is the head of a ‘level 3’ group (where the group includes an ADI), its board of directors must have a Group ICAAP reflecting the type and distribution of risks and capital resources across the group, and ensure that the group remains adequately capitalized relative to its risk profile.
Assessment of Principle 16: Compliant
Comments: APRA’s regulatory capital regime takes a conservative approach to the definition of capital and includes a conservative floor to the calculation of RWA for residential mortgages. Reported regulatory capital ratios relative to other countries are conservative as a result. In addition, the imposition of the ‘unquestionably strong capital’ benchmark adds a further buffer above Basel 3 and APRA regulatory requirements, holding Australian banks to a high capital standard relative to Basel requirements.

In addition, the process of determining the PCR allows APRA to increase required regulatory capital at individual firms. Currently, the PCR and associated practices are less of a focus than requiring firms to meet the unquestionably strong standard. As a result, the use of stress testing and ICAAP by firms to determine their capital needs has received less attention from APRA of late.

Assessors recommend that APRA continue to focus attention on stress-based measures of capital needs, firms’ internal processes for measuring capital sufficiency and capital management and planning practices. Of particular importance is the requirement that firms carry out their own capital adequacy assessments supported by strong risk measurement and management, robust internal controls and a governance process that ensures that boards make capital decisions, and APRA assesses those that require a firm to give APRA prior notice, with a strong understanding of the risks the firm faces and the challenges associated with risk measurements.
Principle 17: Credit risk.50 The supervisor determines that banks have an adequate credit risk management process that takes into account their risk appetite, risk profile and market and macroeconomic conditions. This includes prudent policies and processes to identify, measure, evaluate, monitor, report and control or mitigate credit risk51 (including counterparty credit risk)52 on a timely basis. The full credit lifecycle is covered including credit underwriting, credit evaluation, and the ongoing management of the bank’s loan and investment portfolios.
Essential criteria
EC1: Laws, regulations or the supervisor require banks to have appropriate credit risk management processes that provide a comprehensive bank-wide view of credit risk exposures. The supervisor determines that the processes are consistent with the risk appetite, risk profile, systemic importance and capital strength of the bank, take into account market and macroeconomic conditions and result in prudent standards of credit underwriting, evaluation, administration and monitoring.
Description and findings re EC1: Several prudential standards require banks to have appropriate risk management processes that provide a comprehensive bank-wide view of credit risk exposures.

APRA’s prudential standard on risk management (CPS 220) requires an APRA-regulated institution (on both a standalone and group-wide basis) to maintain a risk management framework (RMF) that enables it to appropriately develop and implement strategies, policies, procedures and controls to manage different types of material risks, and provides the board with a comprehensive institution-wide view of material risks. CPS 220 lists credit risk as one of the material risks that the risk management framework should address.

Based on CPS 220, the RMF must provide a structure for identifying and managing each material risk to ensure the institution is being prudently and soundly managed, having regard to the size, business mix and complexity of its operations. The RMF must include, amongst other things, a risk appetite statement, policies and procedures supporting clearly defined roles and responsibilities and formal reporting structures, the management of material risks, an ICAAP, management information systems that are adequate, both in normal times and in periods of stress, for measuring, assessing and reporting on all material risks across the institution and a review process to ensure that the RMF is effective in identifying, measuring, evaluating, monitoring, reporting, and controlling or mitigating material risks. The standard also requires APRA-regulated institutions to have risk management policies and procedures, including a process for ensuring consistency across the RMF, including the components listed in the previous sentence.

APRA’s prudential standard on credit quality (APS 220) also includes a number of requirements specific to credit risk management. It requires that an ADI’s credit risk management policies, procedures and controls provide for the systematic and regular monitoring of the credit risk to which it is exposed. Such policies and procedures assist the board and senior management of an ADI in obtaining, on a regular basis, a view of trends and other changes in the overall nature and levels of credit risk which the ADI faces, and in assessing the adequacy of provisions, General Reserve for Credit Losses (GRCL) and capital that an ADI holds. It also requires an ADI to regularly review its credit risk management system, including measures of credit risk exposures, taking account of changing operating circumstances, activities and risks that it may face. In particular, the credit risk management system must include policies and procedures addressing the monitoring of credit quality, identification and appropriate measurement of impaired facilities in a timely manner, estimation of inherent credit risk in its business, recognition of collateral, write-down or write-off of uncollectible facilities, adequacy of provisions and reserves and adequate assessment of credit risk exposures of the ADI.

Based on APS 220, policies, procedures and controls governing credit risk monitoring must be commensurate with the scope, scale and complexity of the business undertaken by an ADI. As the scope, scale and complexity of an ADI’s business grows, the ADI must implement a more sophisticated approach towards the monitoring of its credit risk profile attuned to its increasing risk exposure. This would include a systematic classification and monitoring of its credit profile by level of risk.

In addition to CPS 220 and APS 220, APRA updated in 2017 its prudential guidelines (Prudential Practice Guide APG 223) for ADIs in relation to residential mortgage lending. Given the material significance of residential mortgage loan exposures in the Australian banking system, these guidelines outlined prudent practices in the management of risks arising from lending secured by mortgages over residential properties, including owner-occupied and investment properties. For ADIs where residential mortgages form a material part of their loan portfolio, APRA expects that residential mortgage lending is specifically addressed in the ADI’s risk appetite, risk management strategy and business plan.

Restricted ADIs are expected to have a simpler credit risk management framework, depending on the extent of their credit risk. The information paper issued by APRA in May 2018 on the restricted ADI licensing framework states that a Restricted ADI which intends to offer credit products during the restricted phase must have an adequate credit risk management system prior to providing credit. The credit risk management system must include policies, procedures and systems for: accurate and complete measurement of credit exposure; sound and prudent processes to value collateral held to determine security coverage; prompt identification of potential problem facilities on a timely basis including provisioning for impaired facilities; and regular monitoring of portfolio credit quality.

APRA’s supervisory framework provides detailed guidance to assist supervisors with the assessment of credit risk appetite, exposures, asset quality and an institution’s Credit Risk Management Framework (CRMF) including oversight of credit risk, policies and procedures, models and systems, valuation and provisioning. APRA’s DA team keeps a close watch on industry trends and risks and any heightened risks as a feed into PAIRS and SAPs.

APRA front-line supervisors and credit risk specialists perform a range of supervisory activities aimed at assessing banks’ credit risk exposures and credit risk management processes, with a focus on particular areas or credit types. These include the following:
  • onsite prudential reviews on credit risk often targeting specific portfolios such as mortgages, business lending, commercial property to make an assessment of lending policies and practices, inherent risks of the portfolio, and the adequacy of management and controls;

  • offsite thematic/benchmarking reviews on aspects of credit risk e.g., mortgage underwriting standards, commercial property, etc.;

  • credit conditions surveys by APRA’s Data Analytics (DA) team that further inform supervisors on exposures, underwriting standards and asset quality;

  • meetings with large complex banks, at least quarterly, to discuss material risks, including credit risk exposures, trends, changes in underwriting standards and key policies;

  • assessment of ICAAPs/ICAAP reports to ensure that credit risks and other material risks are captured in the capital strength (including buffers) of the bank.

The onsite prudential reviews mentioned above cover, depending on their scope, the credit strategy and the credit risk management framework related to the targeted portfolio, including the risk appetite statement, policies and procedures, and the assessment of inherent risks and related controls.
EC2: The supervisor determines that a bank’s Board approves, and regularly reviews, the credit risk management strategy and significant policies and processes for assuming,53 identifying, measuring, evaluating, monitoring, reporting and controlling or mitigating credit risk (including counterparty credit risk and associated potential future exposure) and that these are consistent with the risk appetite set by the Board. The supervisor also determines that senior management implements the credit risk strategy approved by the Board and develops the aforementioned policies and processes.
Description and findings re EC2: Under CPS 220, the bank’s board is ultimately responsible for the institution’s risk management framework (RMF). In particular, the board must ensure that:
  • it sets the risk appetite under which it expects the management to operate and approves the institution’s risk appetite statement (RAS) and risk management system (RMS);

  • the senior management monitors and manages all material risks consistent with the strategic objectives, RAS and policies approved by the board; and

  • policies and procedures developed for risk taking are consistent with the RMS and the established risk appetite.

Based on CPS 220, the RMF is the totality of systems, structures, policies, processes and people within an institution that identify, measure, evaluate, monitor, report and control or mitigate all internal and external sources of material risk. Material risks are those that could have a material impact, both financial and non-financial, on the institution or on the interests of depositors and/or policyholders. Material risks include credit risk as per the standard.

Further, as part of the RMF, the head of a group must maintain processes to coordinate the identification, measurement, evaluation, monitoring, reporting, and controlling or mitigation of all material risks across the group, in normal times and periods of stress. CPS 220 requires the RMF to address material risks including credit risk.

APRA’s prudential and supervisory framework also specifically addresses counterparty credit risk arising from treasury and derivatives trading, including capital requirements for these exposures. CPS 220 and APS 220 require ADIs to subject their RMF and their credit risk framework to periodic audits and reviews to ensure they remain relevant, appropriate and consistent with the risk appetite. These include:
  • An internal and/or external audit, conducted at least annually, to assess the compliance with, and the effectiveness of, the RMF of the entity/group. The results are to be reported to the Board Audit Committee.

  • A regular review of its credit risk management system, including measures of credit risk exposures, taking into account changing operating circumstances, activities and risks that it may face.

  • A comprehensive review, every three years, of the appropriateness, effectiveness and adequacy of the entity/group’s RMF by operationally independent, appropriately trained and competent persons, with the results to be reported to the Board Risk Committee. The scope of the comprehensive review must have regard to the size, business mix and complexity of the institution, the extent of any change to its operations or risk appetite, and any changes to the external environment in which the institution operates. It should at minimum assess whether: the framework is implemented and effective; it remains appropriate, taking into account the current business plan; it remains consistent with the Board’s risk appetite; it is supported by adequate resources; and the RMS accurately documents the key elements of the RMF that give effect to the strategy for managing risk.

APRA requires the board to provide a risk management declaration annually stating, amongst other things, that there are systems and resources in place for identifying, measuring, evaluating, monitoring, reporting, and controlling or mitigating material risks and the RMF is appropriate to the institution, having regard to the size, business mix and complexity of the entity/group.

As part of the PAIRS framework, APRA supervisors assess the oversight of credit risk by the bank’s board and senior management, the performance of credit risk management and committees, and the robustness of policies and procedures and their effective implementation. APRA supervisors assess these areas in the context of the targeted onsite prudential reviews that they regularly conduct at banks and which could cover particular portfolios (such as commercial real estate lending, residential mortgages, etc.) or themes (such as serviceability assessments, underwriting practices, etc.). In addition to the reviews, supervisors form an assessment of the banks’ credit risk management and oversight through their discussion with the board and senior management of banks (including through the regular prudential consultation meetings), reviews of board papers and associated reporting, and review of data and other reports provided to them on risk management.
EC3: The supervisor requires, and regularly determines, that such policies and processes establish an appropriate and properly controlled credit risk environment, including:
  • (a) a well-documented and effectively implemented strategy and sound policies and processes for assuming credit risk, without undue reliance on external credit assessments;

  • (b) well defined criteria and policies and processes for approving new exposures (including prudent underwriting standards) as well as for renewing and refinancing existing exposures, and identifying the appropriate approval authority for the size and complexity of the exposures;

  • (c) effective credit administration policies and processes, including continued analysis of a borrower’s ability and willingness to repay under the terms of the debt (including review of the performance of underlying assets in the case of securitization exposures); monitoring of documentation, legal covenants, contractual requirements, collateral and other forms of credit risk mitigation; and an appropriate asset grading or classification system;

  • (d) effective information systems for accurate and timely identification, aggregation and reporting of credit risk exposures to the bank’s Board and senior management on an ongoing basis;

  • (e) prudent and appropriate credit limits, consistent with the bank’s risk appetite, risk profile and capital strength, which are understood by, and regularly communicated to, relevant staff;

  • (f) exception tracking and reporting processes that ensure prompt action at the appropriate level of the bank’s senior management or Board where necessary; and

  • (g) effective controls (including in respect of the quality, reliability and relevancy of data and in respect of validation procedures) around the use of models to identify and measure credit risk and set limits.

Description and findings re EC3: The requirements in relation to the credit risk environment, including the associated policies and procedures, are included in APRA prudential standards CPS 220 and APS 220. CPS 220 requires that an APRA-regulated institution maintains a risk management strategy for the institution that addresses each material risk, including credit risk. This risk management strategy should, among other things, list the policies and procedures dealing with risk management matters, which should include:
  • the process for identifying and assessing material risks and controls;

  • the process for the validation, approval and use of any models to measure components of risk;

  • the process for establishing, implementing and testing mitigation strategies and control mechanisms for material risks;

  • the process for monitoring, communicating and reporting risk issues, including escalation procedures for the reporting of material events and incidents;

  • the process for identifying, monitoring and managing potential and actual conflicts of interest;

  • the mechanisms in place for monitoring and ensuring ongoing compliance with all prudential requirements;

  • the process for ensuring consistency across the risk management framework;

  • the process for establishing and maintaining appropriate contingency arrangements (including robust and credible recovery plans where warranted for the operation of the risk management framework in stressed conditions); and

  • the process for review of the risk management framework.

CPS 220 requires that the RAS convey, for each material risk (including credit risk), the maximum level of risk that the institution is willing to operate within, expressed as a risk limit and based on its risk appetite, risk profile and capital strength (risk tolerance). The RAS should also include:
  • the process for ensuring that risk tolerances are set at an appropriate level, based on an estimate of the impact in the event that a risk tolerance is breached, and the likelihood that each material risk is realized;

  • the process for monitoring compliance with each risk tolerance and for taking appropriate action in the event that it is breached; and

  • the timing and process for review of the risk appetite and risk tolerances.

APS 220 requires that the bank’s credit risk management system must include policies and procedures that address, amongst other things, monitoring of credit quality, recognition of inherent credit risk in its business, recognition of collateral, identification and appropriate measurement of impaired facilities, write-down or write-off of uncollectible facilities, validation of credit assessment and provisioning and reserve processes, adequacy of provisions and reserves and production of data/other information required to adequately assess the credit risk exposure of an ADI including levels of impairment, accounting for asset impairment and reporting to APRA.

The standard also requires ADIs to have policies and procedures to ensure timely responses to identified material changes in their credit risk profile. As part of its credit risk management system, the ADI must establish criteria for identifying and reporting to senior management and the Board those credit exposures deemed to be a source of concern. The criteria must be approved by the Board. Such criteria would be used as a trigger to consider whether to change the pattern and frequency of monitoring of such credit exposures, to undertake corrective actions or to change levels of provisioning and capital held against potential losses.

APS 220 requires that an ADI’s credit risk monitoring include measures to:
  • enable the ADI to understand the current financial condition of an entity which is party to a facility provided by the ADI;

  • monitor compliance with existing covenants attached to facilities provided by the ADI;

  • assess, where applicable, the value of collateral held and the collateral coverage relative to an entity’s current condition;

  • identify contractual payment delinquencies and classify potential problem facilities on a timely basis;

  • consider the impact of the use of the fair value on an entity’s financial results and whether this may have a material bearing on the ADI’s assessment, on a continuing basis, of the credit status of an entity, where entities make a significant use of fair value (as applied under Australian Accounting Standards); and

  • ensure prompt application of appropriate remedial management actions.

According to APS 220, APRA expects that the credit risk management system of an ADI with more substantial and complex credit risk exposures would include a well-structured credit-risk grading system, approved by the Board and notified to APRA. Such a system would include risk grading all credit exposures and regular review of such gradings including whenever relevant new information is received. Smaller exposures that are homogeneous and have similar risk characteristics, such as housing loans, credit cards, leases and hire purchase may, however, be grouped and be risk graded on a portfolio basis.

Onsite credit risk prudential reviews provide regular opportunities for APRA to assess a bank’s credit risk control environment. Internal supervisory guidance provides a structured basis for supervisors to make assessments and form judgments on a bank’s credit risk management framework. The onsite review process includes a comprehensive or targeted review of relevant documentation, with individual bank’s policies and procedures assessed against APRA requirements and those of the bank’s peers. Onsite reviews will also typically include a review of a selection of credit files in order to assess how well the credit control framework operates in practice.

During onsite credit risk prudential reviews, supervisors typically assess the inherent risks and management and controls, including the following (not exhaustive):
  • credit risk strategy, target growth and hurdle rates, business/portfolio performance, etc.;

  • risk management and governance including setting of risk appetite and how it cascades down into risk tolerances, the RMS, and overall RMF including Board and senior management oversight;

  • credit policies and the interface with the ADIs’ code of conduct. This includes dealing with conflicts of interest, lending principles, definitions (e.g., commercial loans and residential loans), country and cross border/transfer risk, serviceability, financial ratios to be satisfied by a borrower, acceptable collateral, third party security, loan grading and scorecards, valuation and provisioning and review procedures;

  • exceptions to policies and overrides and approval processes;

  • MIS including reporting to the board/senior management on various aspects such as portfolio performance analytics, reporting against risk tolerances and risk appetite, systems capability and data quality; and

  • independent reports from assurance functions.

Supervisors request information prior to an onsite prudential review covering these areas. In addition, thematic reviews are conducted where industry risks/issues have been identified, for example, serviceability on housing loans.
EC4: The supervisor determines that banks have policies and processes to monitor the total indebtedness of entities to which they extend credit and any risk factors that may result in default including significant unhedged foreign exchange risk.
Description and findings re EC4: APRA expects banks to consider a client’s total indebtedness and servicing obligations before granting any credit. It is typical for banks to require prospective borrowers to provide full details of their financial position and of other borrowings, commensurate with the requirements of the product on offer. This is also expected under the ‘responsible lending’ obligations outlined in association with the National Consumer Credit legislative framework.

As part of onsite prudential reviews supervisors will routinely consider a bank’s credit evaluation and approval policies and processes as well as the robustness of the associated RMF. This would include an assessment of a bank’s management information system for capturing and managing credit exposures on an aggregate basis.

APRA expects that credit risk arising from exposures is identified, monitored, evaluated, measured and mitigated to the extent possible including adequate policies and procedures to monitor credit risk (inclusive of significant unhedged foreign exchange risk).

However, there seem to be limitations on the extent to which banks can monitor the total indebtedness of their borrowers, due to the lack of a comprehensive credit reporting system (currently underway) that provides positive credit data and reports in that respect. Therefore, banks primarily rely on the information disclosed by their clients about their total risk exposure. In addition, supervisors assess the quality of the bank’s loan portfolio and factors that may result in default as part of the quarterly risk reviews and in the course of the targeted prudential reviews performed by them. These assessments include an overall analysis of the levels and trends of delinquencies, peer analysis, analysis of credit migrations from the portfolio, correlation between credit quality and growth in lending, and trends and changes in loan pricing methods, portfolio management, and outcomes of stress tests.
EC5: The supervisor requires that banks make credit decisions free of conflicts of interest and on an arm’s length basis.
Description and findings re EC5: APRA would expect banks to have in place a conflicts of interest policy and procedures to ensure credit is extended on an arm’s-length basis.

CPS 220 requires that an APRA-regulated institution maintains a risk management strategy that addresses each material risk, including credit risk. This risk management strategy should, among other things, list the policies and procedures dealing with risk management matters, which include inter alia the process for identifying, monitoring and managing potential and actual conflicts of interest.

In addition, APRA’s internal supervisory guidance highlights the importance that supervisors should attach to examining whether banks have a clear credit policy that includes, among other things, the ways that a bank deals with conflict of interest in the context of its credit decision making processes.
EC6: The supervisor requires that the credit policy prescribes that major credit risk exposures exceeding a certain amount or percentage of the bank’s capital are to be decided by the bank’s Board or senior management. The same applies to credit risk exposures that are especially risky or otherwise not in line with the mainstream of the bank’s activities.
Description and findings re EC6: Prudential Standard APS 221 Large Exposures (APS 221) requires the board to be responsible for establishing and monitoring compliance with policies governing large exposures and risk concentrations of the ADI. The Board must ensure that these policies are reviewed regularly (at least annually) and that they remain adequate and appropriate for the ADI. The large exposure policy must cover the following: exposure limits for various types of counterparties, groups of related counterparties, industry sectors, countries, asset classes commensurate with the ADI’s capital base and balance sheet size; the circumstances in which the above exposure limits may be exceeded, the authority required to approve such excesses (e.g., Board/Board Committee); and procedures for identifying, reviewing, controlling and reporting on large exposures.

However, the prudential standards do not require exposures exceeding certain limits or thresholds of the bank’s capital to be decided upon by the banks’ boards. APRA supervisors recognize that the credit decision making processes, levels and delegations differ among banks. Therefore, they assess whether a bank has a proper credit risk management framework that includes, among other things, sound decision making processes that ensure that larger or riskier loans are reviewed by higher management levels or possibly at various committee levels.
EC7: The supervisor has full access to information in the credit and investment portfolios and to the bank officers involved in assuming, managing, controlling and reporting on credit risk.
Description and findings re EC7: As mentioned in CP1 (EC5), the Banking Act provides APRA with the power to have full access to the management and records of banks and banking groups. Section 13 of the Banking Act requires ADIs to supply information (including books, accounts or documents) relating to the ADI’s financial stability as required by APRA in a written notice.

Section 62 of the Banking Act includes more detailed requirements about the needs for ADIs and NOHCs, and their subsidiaries, to supply information to APRA and give it full access to their records. The section mentions that the requirement to supply information may include a requirement to supply books, accounts, or documents. It also mentions that a person commits an offence if it is required to provide APRA with information as mentioned above and fails to comply with the requirement.

In practice, APRA has full access to information concerning a bank’s credit and investment portfolios and to all relevant staff. APRA commonly meets relevant senior management during onsite prudential reviews and, as required, as part of other supervisory activities. Onsite prudential reviews also provide an opportunity to meet directly with lending officers and other personnel involved in the credit assessment process as required.

It is typical for APRA to request a wide range of information prior to undertaking an onsite credit risk prudential review. The request is typically tailored to reflect the scope of the review but commonly includes copies of policies and procedures, product profiles, management and board reports, papers submitted to relevant risk committees, reports of internal and external parties, system descriptions and information on exposures to facilitate file selection for review whilst onsite where this is planned.

Supervisors also benefit from a wide range of information drawn from both publicly available information and data provided directly to APRA. The latter includes a comprehensive suite of prudential returns provided at different frequencies given the predominance of credit risk for banks.

Ad hoc information requests, including at times of heightened market unease, provide another adjunct to data provided on a regular basis. Specific obligations placed on auditors under APS 310 provide another layer of control in support of the integrity of data submitted.
EC8: The supervisor requires banks to include their credit risk exposures into their stress testing programs for risk management purposes.
Description and findings re EC8: APRA Prudential Standard CPS 220 on risk management states that the RMF of an APRA-regulated institution must include forward-looking scenario analysis and stress testing programs, commensurate with the institution’s size, business mix and complexity, and which are based on severe but plausible assumptions. As per the standard, the RMF must, at a minimum, address the material risks, including credit risk.

According to the prudential Practice Guide on Internal Capital Adequacy Assessment Process and Supervisory Review (CPG 110), APRA expects that the ICAAP will consider all risks to which the regulated institution is exposed. As an indication, for ADIs, this will include credit risk, liquidity risk, market risk, interest rate risk in the banking book and risks associated with securitization.

APRA expects stress test results to inform the banks’ approach to capital, credit and liquidity management. APRA also coordinates stress tests to assess the resilience and capital strength of an entity/industry and outputs from this exercise inform the assessment of capital strength. Stress tests for banks are conducted at least annually. APRA’s DA team regularly (annually for ADIs) coordinates industry stress tests to assess the vulnerabilities of the entity and the financial system. The scenarios are developed in conjunction with the RBA.

As per APS 113 Internal Ratings Based Approach to Credit Risk (APS 113), an ADI that has received IRB approval from APRA must have in place sound stress testing processes for use in the assessment of its capital adequacy including the sufficiency of the IRB capital requirement. Stress testing must include identification of possible events or severe changes in economic conditions that would have unfavorable effects on the ADI’s credit exposures and assessment of the ADI’s ability to withstand such events or changes. Scenarios that could be used for this purpose are economic or industry downturns, market-risk events and liquidity conditions.
Assessment of Principle 17: Compliant
Comment: APRA prudential standards CPS 220 on risk management and APS 220 on credit quality provide a thorough framework setting the risk management requirements and expectations in relation to credit risk in ADIs. In addition, the prudential guidelines issued by APRA in relation to residential mortgage lending provided another dimension of ensuring a proper management of credit risk in ADIs.

With credit risk being the main driver of ADIs’ risk profile, APRA activities have been focused on reviewing credit risk management frameworks and credit exposures of ADIs. This included a series of reviews for major ADIs performed on a thematic basis. These reviews focused in the last period on the residential mortgage loans and commercial real estate lending sectors. They included assessment of the underwriting standards in these areas as well as the serviceability of these loans. The prudential consultation meetings and the regular catchups performed by APRA frontline supervisors have also touched extensively on these aspects over the recent period.

While underwriting standards are being tightened and banks’ practices in relation to serviceability assessments are improving, APRA should continue its close watch on these areas to ensure that banks have fixed the deficiencies in their systems and practices. APRA supervisors should continue to ensure the proper oversight of banks’ boards to ensure firms implement programs to enhance their underwriting practices and reduce their credit concentration risks. While focusing on these specific areas, it may be useful for APRA supervisors to perform on a periodic basis (and depending on the risk profile of ADIs) a deep dive into an ADI credit risk management framework and practices to identify any key gaps in the ADI management of their credit risk and apply remedial measures as needed. APRA should also consider issuing guidelines to ADIs on CRE lending. It may be useful to include the main guidelines related to residential mortgages and new requirements on CRE lending in the planned revisions to APS 220.
Principle 18: Problem assets, provisions and reserves.54 The supervisor determines that banks have adequate policies and processes for the early identification and management of problem assets, and the maintenance of adequate provisions and reserves.55
Essential criteria
EC1: Laws, regulations or the supervisor require banks to formulate policies and processes for identifying and managing problem assets. In addition, laws, regulations or the supervisor require regular review by banks of their problem assets (at an individual level or at a portfolio level for assets with homogenous characteristics) and asset classification, provisioning and write-offs.
Description and findings re EC1: APS 220 states that an ADI must have policies and procedures to ensure the timely and reliable recognition of impaired facilities, incorporating, as appropriate, the exercise of experienced credit judgement. Such policies and procedures must provide a documented analytical framework approved by an ADI’s board for assessing impairment including policies and procedures to:
  • identify facilities that are impaired;
  • determine whether facilities are assessed for impairment on an individual or collective basis;
  • determine how the amount of any impairment is measured; and
  • provide for review of amounts of impairment of facilities and methodologies used in calculating measures of impairment.

Policies and procedures must be applied consistently.

Unless APRA agrees otherwise, in writing, an ADI must establish and apply its own policies and procedures for determining impairment of facilities and associated provisions relying on its own methodologies, supported by robust internal controls and in accordance with Australian Accounting Standards. Where APRA considers that a simple overall approach to determining specific provisions is acceptable for measuring the capital adequacy of an ADI, or APRA judges an ADI’s own practices for identifying specific provisions to be inadequate in view of its credit risk profile, APRA may permit, or require, an ADI to implement a prescribed provisioning approach. However, this prescribed provisioning approach is applied only for very small ADIs like credit unions. This approach is detailed in an appendix to APS 220 based on which APRA specifies a number of categories of past due facilities and sets the criteria for classification into these categories as well as the provisioning levels to be taken for each of them.

APS 220 requires an ADI to regularly review its credit risk monitoring system, taking into account changing operating circumstances, activities and risks. The credit risk monitoring system must amongst other things produce information on:
  • impaired and past due facilities;
  • fair value of security held against impaired facilities;
  • status (updated at appropriate intervals) of other sources of cash flows upon which an ADI might rely in determining incurred or estimated future credit losses on facilities;
  • estimated future credit losses reflecting the inherent credit risk in its business; and
  • value of specific provisions and general reserve for credit losses (GRCL) recorded for capital purposes.

As mentioned in CP17, APS 220 states that APRA expects that the credit risk management system of an ADI with more substantial and complex credit risk exposures would include a well-structured credit-risk grading system, approved by the Board and notified to APRA. Such a system would include risk grading all credit exposures and regular review of such gradings including whenever relevant new information is received. Smaller exposures that are homogeneous and have similar risk characteristics, such as housing loans, credit cards, leases and hire purchase may, however, be grouped and be risk graded on a portfolio basis.

In order to have an acceptable measure of impairment for reporting to APRA, APS 220 requires an ADI to have policies and procedures, approved by the Board, which provide for prudent and realistic measures of the impairment of facilities incorporating, as appropriate, the exercise of experienced credit judgements and valuation of collateral. Such measures must incorporate estimates of future cash flows (including principal and income) from affected facilities. The policies and procedures must ensure that provisions reported to APRA by the ADI are maintained at levels so that facility values, earnings and capital appropriately reflect the quality of the ADI’s credit portfolio. The adequacy of measures of impaired facilities must be reviewed at regular intervals and be subject to independent oversight.

APRA is currently updating APS 220 to reflect the BCBS paper on ‘Guidance on credit risk and expected credit losses’ issued in December 2015 and ‘Guidelines on the Prudential treatment of problem assets’ issued in April 2017.
EC2: The supervisor determines the adequacy of a bank’s policies and processes for grading and classifying its assets and establishing appropriate and robust provisioning levels. The reviews supporting the supervisor’s opinion may be conducted by external experts, with the supervisor reviewing the work of the external experts to determine the adequacy of the bank’s policies and processes.
Description and findings re EC2: APS 220 requires that policies and procedures applied to the assessment and reporting of impaired assets, specific provisions and the GRCL must be rigorous and appropriate to the risks involved and must generate adequate provisioning and reserve outcomes. Where APRA considers that:

(a) the policies and procedures applied;

(b) the levels of impaired assets and estimated future credit losses, specific provisions and the GRCL reported by an ADI; or

(c) the consequential level of an ADI’s earnings and capital adequacy reported to APRA

do not meet the requirements of this Prudential Standard or may adversely reflect on the measurement of an ADI’s capital adequacy or its safety and soundness, APRA may seek to exercise powers available to it to require an ADI to adopt amended or alternate policies and procedures; to increase the amounts of impaired assets, specific provisions and GRCL; or to otherwise increase its capital.

APRA regularly reviews a bank’s credit risk grading system and impairment and provisioning policies and procedures during risk-focused onsite credit risk prudential reviews and thematic review supervision activities.

However, APRA does not have a formal methodology to validate the overall sufficiency of loan provisions nor a loan classification system. APRA’s approach is to conduct a high-level assessment of the total provisions compared to the historical loss rate (which in recent years has been fairly low). During onsite prudential reviews, APRA reviews the reasonableness of the methodology used by the bank to determine its collective provisions. APRA also reviews the approach used to determine the individually assessed provisions.

As part of the onsite review process, APRA will review problem loans (including identification, and estimation of specific provisions). This review includes assessing the methodology to calculate specific and collective provisions, reviewing files to determine if the specific provisions calculated are reasonable, and providing an opinion on the sufficiency of provisions (including specific and General Reserves for Credit Losses (GRCL)). APRA assesses an ADI’s Credit Risk Grading System (CRGS) including the extent of coverage of the portfolio/exposures, the granularity of grades, the links to impaired assets, reporting and monitoring, the links to provisioning and capital adequacy. For advanced modelling banks, APRA’s credit risk analytics team also reviews whether there is meaningful assessment and differentiation of risk, calibration, margin of conservatism and validation.

APRA supervisors also review the adequacy of provisioning policies including the reliability of assessment of impairment of facilities, estimates of future cash flows, collateral including valuation, classification of provisions into specific and collective and allocation of provisions into the GRCL. If APRA considers that provisions are inadequate, it may require the bank to hold more provisions or deduct the amount from CET1. However, APRA generally relies on whether the provisioning for loans is adequate from an accounting perspective, relying on the calculations made by banks and the opinions of banks’ external auditors in this respect. In case APRA supervisors believe that loan classification and provisioning should be adjusted, they can ask banks to do so or to increase their capital. However, this does not happen usually, and APRA has not recently taken actions in this respect.

APRA also performs some analysis of the regular data submitted by banks to do an overall and comparative assessment of credit quality and provisions. Banks must provide quarterly reporting covering their impaired facilities (in ARF 220.0) and movements in provisions for impairment (in ARF 220.5). Banks applying the simpler Prescribed Provisioning methodology submit ARF 220.3. Data submitted is subject to external audit testing under APS 310.

Supervisors assess on a quarterly basis the data provided in ARF 220.0 (which includes among other things impaired facilities, specific provisions raised and security held) via a standardized dashboard, to determine any possible shortfall in specific provisions for impaired facilities. Peer group analysis is also undertaken and supervisors follow up with institutions on risks/issues identified. Perceived shortfalls can be followed up via offsite or onsite supervisory work. For advanced banks, APRA’s Credit Risk Analytics team reviews quarterly data provided in ARF 113.0 to monitor expected losses relative to bank provision levels.

Where APRA forms a view that under-provisioning may be occurring across ADIs, APRA may require banks to conduct a special purpose engagement through the auditor to assess provisioning methodologies, reporting, etc. While APRA’s assessment of the adequacy of a bank’s CRGS and impairment and provisioning policies is predominantly based on its internal supervisory processes, the provision of audit opinions provides a further level of oversight. For example, audit standards require auditors to comment on inadequate provisioning for statutory financial reporting purposes.

The outcomes of onsite and offsite supervisory processes feed into PAIRS where a credit risk assessment is made by supervisors (both inherent risk and related management and controls). The PAIRS risk assessment then informs the planning of supervisory activities as part of developing a SAP.
EC3: The supervisor determines that the bank’s system for classification and provisioning takes into account off-balance sheet exposures.56
Description and findings re EC3: Under APS 220, the definition of impaired assets includes any facility (on or off-balance sheet), when there is doubt over the timely collection of the full amount of cash flows contracted to be received by the ADI. Doubt will exist with respect to a facility (on or off-balance sheet) where there is objective evidence of impairment of the facility as a result of one or more events that have occurred and that have an impact on cash flows from the facility that can be reliably estimated. In such circumstances, the estimated cash flows will fall short of the full amount of the cash flows contractually due to be received. Off-balance sheet facilities are regarded as impaired if the ADI is unlikely to receive timely payment of the full amounts which it has exchanged or is contracted in advance.

According to APS 220, the principal off-balance sheet facilities captured by this standard are direct credit substitutes and commitments. Direct credit substitutes (e.g., guarantees and standby letters of credit) are usually converted into on-balance sheet exposures when they are drawn. However, there may be circumstances when an ADI is reasonably certain that such instruments will be called upon at a future date because of uncertainty about the financial standing of the entity which they support, and there may also be cause to believe that the ADI may not be able to recoup, in a timely manner, the full amounts it may be required to advance. In such cases, the facilities in question must be regarded as impaired.

The standard also states that loan commitment facilities that are irrevocable must also be classified as impaired facilities if the creditworthiness of an entity has deteriorated to an extent that the timely repayment in full by the entity of any potential loan drawdown or associated interest payments or fees is in doubt.

If an ADI has doubts regarding the receipt, in full, in a timely manner, of cash flow entitlements which are or will be due from a counterparty to a derivative transaction, it must treat such an exposure as impaired. In this regard, ADIs must calculate their derivative transaction exposures to counterparties for purposes of measuring impairment (and provisioning) using the current exposure or mark-to-market method, or a method approved in advance by APRA. Derivative transaction exposures must be revalued regularly so as to maintain reasonably current assessments of the extent of credit risk attaching to these transactions.

APRA requires reporting of impaired assets and provisioning to include both on and off-balance sheet exposures. APRA’s assessment of the bank’s system for impaired assets and provisioning also covers off-balance sheet exposures.
EC4: The supervisor determines that banks have appropriate policies and processes to ensure that provisions and write-offs are timely and reflect realistic repayment and recovery expectations, taking into account market and macroeconomic conditions.
Description and findings re EC4: APS 220 requires a bank to report specific provisions and a GRCL that, together, are adequate at all times to absorb credit losses given the facts and circumstances applicable at the time. Losses include those identified as being incurred and incurred-but-not-yet-reported as well as credit losses estimated but not certain to arise in the future. APRA requires provisions and reserves to cover inherent credit risk in a bank’s business extending over the life of all individual facilities making up its credit portfolio. APRA’s requirements are more conservative than the ‘incurred loss’ approach inherent in accounting for financial instruments captured under International Accounting Standard (IAS) 39 and its Australian equivalent AASB 139 Financial Instruments: Recognition and Measurement.

The new financial instruments accounting standard IFRS 9 and its Australian equivalent AASB 9, effective from January 2018 (although many Australian banks will not apply it until after July 2018 because of the difference in the start of their financial year), introduces a forward looking expected credit loss model (ECL) for loan loss provisioning. APRA expects that ADIs’ regulatory provisioning approach will comply with the new accounting impairment measurement requirements and also meet the BCBS guidance on expected credit losses. APRA has recently released two letters to industry setting out APRA’s expectations regarding ECL provisions.

APS 220 still does not take into account the requirements of IFRS 9 and the equivalent Australian accounting standard AASB 9. It requires ADIs to report two types of provisions, a specific provision and a GRCL provision that are based to some extent on IAS 39 concepts. As per the standard, the individually assessed provisions (based on accounting standards) should be considered as specific provisions. In addition, the collective provisions that were required based on IAS 39 are considered either specific provisions or GRCL. If an individual facility is subjected to a collective assessment and the facility is individually assessed as impaired, the collective provisions of this facility should be included as specific provisions. Where a collective provision relates to possible losses on facilities in a group of facilities, then the provision is eligible within GRCL if the losses are expected but not certain to arise; and the facilities are currently meeting their contractual terms (which is defined as not past due for more than 90 days).

APS 220 includes some form of expected loss concepts, but this does not seem to be a requirement. It states that, unless otherwise agreed with APRA, an ADI must undertake an assessment of the credit losses that are prudently estimated but not certain to arise in the future over the full life of all individual facilities which make up the business of the ADI. Such estimated future credit losses reflect the credit risk inherent in the ADI’s business. Estimated future credit losses on facilities may be adjusted to account for any impairment already recognized in specific provisions and capital of the ADI.

APRA plans to revise its prudential standard to incorporate Basel guidelines on prudential treatment of problem assets and on credit risk and accounting for expected loss. In the meantime, APRA issued a letter to ADIs clarifying the regulatory treatment of accounting provisions based on IFRS 9/AASB 9. It generally expects ADIs to classify Stage 1 12-month ECL provisions as GRCL, Stage 2 lifetime ECL provisions as specific provisions (except for those against unidentified borrowers which remain as GRCL), and Stage 3 provisions on NPLs as specific provisions.

APS 220 sets out elements that a bank’s provisioning and reserving policies and procedures must cover. APRA expects that provisions reflect realistic repayment and recovery expectations, although it is acknowledged that there is a high degree of professional judgment involved. APRA expects the bank’s board and senior management to ensure that adequate provisioning is an integral part of the credit risk management framework.

APS 220 requires banks’ documented credit policies and procedures to address, among other things, write-down or write-off of uncollectable facilities. Write-offs are reported to APRA each quarter via reporting form ARS 220.5 and reviewed by APRA supervisors as part of routine analysis activities. This information is also subject to review by the appointed auditor as required by APS 310.

Onsite prudential reviews provide an opportunity to assess the application of provisioning and write-off policies in practice including compliance with prudential requirements. Onsite supervisory activities confirm that provisioning is reasonable and prudent and fully reflects all relevant information and changing circumstances and there is effective oversight by the bank’s management and board.
EC5: The supervisor determines that banks have appropriate policies and processes, and organizational resources for the early identification of deteriorating assets, for ongoing oversight of problem assets, and for collecting on past due obligations. For portfolios of credit exposures with homogeneous characteristics, the exposures are classified when payments are contractually in arrears for a minimum number of days (e.g., 30, 60, 90 days). The supervisor tests banks’ treatment of assets with a view to identifying any material circumvention of the classification and provisioning standards (e.g., rescheduling, refinancing or reclassification of loans).
Description and findings re EC5: APRA supervisors assess an ADI’s problem asset management policies and processes via onsite prudential reviews. Pre-review documentation is requested and reviewed as part of the onsite review process. Topics routinely assessed include: governance and oversight; credit quality; quality of systems; adequacy of collection and other problem asset policies and procedures; collection strategies; structure and resources; delegated credit authority framework; problem asset recognition; and provisioning methodologies.

APRA expects banks to have robust resource management and contingency plans. The adequacy of and flexibility in resourcing of collection/problem asset management business units are reviewed during onsite prudential reviews, depending on the scope of such reviews and to what extent they cover problem asset impairment and provisioning.

While APRA supervisors may also collect watch list credit reports including 30, 60, and 90 days past due, such reports are not currently required on a regular basis but may be requested on an ad hoc basis. Onsite reviews may target the effectiveness of processes for particular portfolios (for example commercial property) and discussion of issues with CROs/chief credit risk officers. In preparation for such meetings, APRA requests watch list/problem asset monitoring reports.

APRA does not explicitly require that portfolios of credit exposures with homogeneous characteristics be classified when payments are contractually in arrears for a minimum number of days (e.g., 30, 60, 90 days). This depends on banks’ credit rating and assessment systems. While 90 days is the general threshold for classifying a facility as impaired, APS 220 states that a facility must be classified as impaired regardless of whether it is 90 days or more past due, when there is doubt as to whether the full amounts due, including interest and other payments due, will be achieved in a timely manner. This is the case even if the full extent of the loss cannot be clearly determined. According to APS 220, ADIs are expected to have in place appropriate systems to adequately manage past due facilities with a view to minimizing the migration to impaired asset status. An ADI must, therefore, be able to identify, monitor and regularly report to APRA as required, the performance of past due facilities, including importantly, those facilities not required to be treated as impaired assets.

Banks are required to report impaired, restructured facilities in reporting form ARF 220.0 on a quarterly basis. APRA supervisors monitor these reports to review cases where reported asset quality may be distorted by various means inconsistent with normal commercial terms and the economic substance of the underlying transaction. This information is assessed by supervisors to determine whether changes to APRA’s risk assessment are warranted. Trends in banks’ asset quality data are routinely reviewed by supervisors from both an institutional and industry perspective. Various publicly available sources of delinquency data supplement information derived from prudential returns and obtained from banks’ management reports.
EC6: The supervisor obtains information on a regular basis, and in relevant detail, or has full access to information concerning the classification of assets and provisioning. The supervisor requires banks to have adequate documentation to support their classification and provisioning levels.
Description and findings re EC6: APRA requires banks to submit prudential returns detailing impaired assets and the level and movements in provisioning each quarter via reporting forms ARF 220.0 and ARF 220.5 respectively. However, these reports seem quite generic. They require information on impaired facilities, restructured items, some distribution by loan types, and movements in provisioning. They do not, however, show a more granular level of detail, such as past due loans (by days past due), some loan types (such as commercial real estate loans), geographic location, etc.

Banks accredited to use the IRB approaches for regulatory capital adequacy purposes must regularly submit to APRA a comprehensive suite of prudential reports split predominantly by Basel II asset categories. APRA supervisors also seek information on an ad hoc basis. APRA has the right to require further information as needed and does, for example, obtain copies of management reports on asset quality.

APRA requires banks to have adequate supporting documentation for asset classification and provisioning processes. APS 220 addresses the documentation requirements in several respects. It states that policies and procedures covering the recognition (including measurement) of impairment of facilities, and the specific provisions which flow from such impairment, must be well documented with clear explanations of supporting analysis and rationale. The estimates of future cash flows (including their timing) should also be documented and based on prudent assumptions. The standard also requires the scope for the exercise of discretion in assessing impairment to be prudently limited and documented to enable an understanding of the procedures and judgements which are exercised by management. It also requires that an ADI’s exercise of judgment in overseeing the recognition and provisioning of impaired facilities be: based on supportable assumptions, having regard to all relevant circumstances and supported by adequate documentation; conducted with prudence; and documented sufficiently to enable an understanding of why such judgements have been exercised.
EC7: The supervisor assesses whether the classification of the assets and the provisioning is adequate for prudential purposes. If asset classifications are inaccurate or provisions are deemed to be inadequate for prudential purposes (e.g., if the supervisor considers existing or anticipated deterioration in asset quality to be of concern or if the provisions do not fully reflect losses expected to be incurred), the supervisor has the power to require the bank to adjust its classifications of individual assets, increase its levels of provisioning, reserves or capital and, if necessary, impose other remedial measures.
Description and findings re EC7: APRA generally assesses the adequacy of the classification of assets and provisioning as part of ongoing supervisory activities including review of banks’ credit risk grading, asset recognition and provisioning methodologies. However, APRA does not have a formal methodology to validate the overall sufficiency of loan provisions nor a loan classification system. It generally relies on whether the provisioning for loans is adequate from an accounting perspective, relying on the calculations made by banks and the opinions of banks’ external auditors in this respect.

APS 220 states that policies and procedures applied to the assessment and reporting of impaired assets, specific provisions and the GRCL must be rigorous and appropriate to the risks involved and must generate adequate provisioning and reserve outcomes. Based on APS 220, if APRA considers that the policies and procedures and the level of impaired assets and provisions of an ADI do not meet the requirements of the standard, APRA may exercise its powers to require an ADI to: adopt amended or alternate policies and procedures; increase the amount of impaired assets, specific provisions and GRCL; or otherwise increase its capital.

As mentioned in EC2, APRA supervisors generally examine during some of their prudential inspections (depending on the inspection theme and scope) the adequacy of provisioning policies including the reliability of the assessment of impairment of facilities, estimates of future cash flows, collateral including valuation, classification of provisions into specific and collective and allocation of provisions into the GRCL. If APRA considers that provisions are inadequate, it may require the bank to hold more provisions or deduct from CET1. However, APRA generally relies on whether the provisioning for loans is adequate from an accounting perspective, relying on the calculations made by banks and the opinions of banks’ external auditors in this respect. In case APRA supervisors believe that loan classification and provisioning should be adjusted, they can ask banks to do so or to increase their capital. However, this does not usually happen, and APRA has not recently taken actions in this respect.

Supervisors assess on a quarterly basis the data provided in ARF 220.0 (which includes among other things impaired facilities, specific provisions raised, and security held) via a standardized dashboard, to determine any possible shortfall in specific provisions for impaired facilities. Peer group analysis is also undertaken, and supervisors follow up with institutions on risks/issues identified. For IRB banks, APRA’s Credit Risk Analytics team reviews quarterly reported data to monitor expected losses relative to bank provisioning levels.

The Banking Act empowers APRA to direct banks to comply with the Prudential Standards including those relating to credit quality, problem asset recognition and provisioning. APRA also has a general power to issue directions to banks as to the way their business affairs are conducted provided a relevant statutory ‘trigger’ exists in practice. However, banks generally accept APRA’s specific requirements as to appropriate provisioning levels and problem credit categorization without the need for APRA to invoke formal powers.
EC8: The supervisor requires banks to have appropriate mechanisms in place for regularly assessing the value of risk mitigants, including guarantees, credit derivatives and collateral. The valuation of collateral reflects the net realizable value, taking into account prevailing market conditions.
Description and findings re EC8: The prudential framework outlines extensive requirements for the recognition of risk mitigants and collateral support as per prudential standard APS 112 Capital Adequacy: Standardized Approach to Credit Risk (APS 112) and APS 113 Capital Adequacy: Internal Ratings-based Approach to Credit Risk (APS 113).

APS 220 and associated guidance respectively state APRA’s requirements and expectations regarding banks’ policies and procedures for establishing, recording and reviewing the value of collateral held and supporting security valuation practices.

APS 220 specifically requires an ADI to have policies and procedures for establishing, recording and reviewing the value of collateral held against facilities provided to entities. This includes the valuation of any security held. These policies and procedures must include as a minimum: the acceptability of various forms of collateral and the circumstances in which it may be used; the valuation of collateral (prior to entering into any facility and over the life of the facility) on a prudent basis and with regard to the time, costs and difficulties involved in generating payments through access to this collateral; and procedures for ensuring that the collateral is, and continues to be, enforceable and realizable.

Based on the standard, the timing and intensity of review of collateral values must take into account the reliance placed on collateral values in estimating future cash flows. The standard holds the Board and senior management of an ADI responsible for ensuring that the values of collateral used are timely, reliable and the ADI’s access to collateral is assured when the value of collateral materially underpins estimates of future cash flows.

The standard requires all assets taken as security by an ADI to be valued, wherever possible, at their fair value, taking into account the costs of accessing and selling security and any other uncertainties relevant to the value of the security.

A range of possible collateral support, including secured interests in assets, mortgage insurance, cash collateral, guarantees, put options and interest servicing arrangements, is recognized in APS 220. While APRA does not specifically require revaluations, APS 220 requires the reliability of valuations, which implies that banks need to regularly revalue collateral.

Onsite prudential reviews routinely involve assessing banks’ collateral management systems. APRA has also in recent times issued a prudential practice guide on mortgages, which included guidance on the valuation of collateral.
EC9: Laws, regulations or the supervisor establish criteria for assets to be:
  • (a) identified as a problem asset (e.g., a loan is identified as a problem asset when there is reason to believe that all amounts due, including principal and interest, will not be collected in accordance with the contractual terms of the loan agreement); and

  • (b) reclassified as performing (e.g., a loan is reclassified as performing when all arrears have been cleared and the loan has been brought fully current, repayments have been made in a timely manner over a continuous repayment period and continued collection, in accordance with the contractual terms, is expected).

Description and findings re EC9: It is worth noting first that, while APRA prudential requirements generally take an accounting view as a starting point to identify problem assets and reclassification into performing assets, APRA is not limited to that view and may require the recognition of assets as impaired notwithstanding their treatment under accounting standards.

APS 220 sets out various factors that affect the collectability of facilities and which can be considered in gauging impairment. These include, but are not limited to:
  • indications of significant financial difficulty of a party to a facility;

  • breach of contract, such as a default or delinquency in interest or principal;

  • likelihood of bankruptcy or other financial reorganization of a party to a facility;

  • concessions in terms of a facility (for example: interest or principal payments) granted to a party to a facility relating to such a party’s financial difficulties;

  • changes or trends in default rates on categories of facilities which might be assessed for impairment on a collective basis;

  • any identified changes in the value of collateral or other sources of security which might bear on the collectability of facilities;

  • disappearance of an active market in assets (including derivatives) held by a bank relating to a given counterparty; and

  • any other matter that might reasonably suggest to a bank that a party to a facility may be unlikely to meet its contractual obligations.

APS 220 states that the recognition and measurement of impairment in practice cannot be based totally on formulas or rules. Assessment of the level of impairment on a facility will often require a mix of documented sound policies and procedures and the application of experienced credit judgement by management of an ADI. The standard says that the scope for the exercise of discretion in assessing impairment must be prudently limited and documentation must be in place to enable an understanding of the procedures and judgements which are exercised by management.

The standard also mentions that a facility must be classified as impaired regardless of whether it is 90 days or more past due, when there is doubt as to whether the full amounts due, including interest and other payments due, will be achieved in a timely manner. This is the case even if the full extent of the loss cannot be clearly determined.

Requirements for restoring facilities to non-impaired status are also set out in APS 220. For a facility classified as impaired to be restored to non-impaired status, at least one of the following conditions must be satisfied:
  • a facility has returned to being fully compliant with its original contractual terms;

  • a facility has been formally restructured and meets the criteria required for such a facility to be treated as non-impaired;

  • for a facility which has been classified as impaired because of arrears past due 90 days, all unpaid amounts have been reduced to below the dollar equivalent of 90 days’ worth of contractual payments, provided the payment of arrears has not resulted from a further advance by the ADI. Alternatively, the facility may be reasonably considered to be well secured;

  • for a facility classified as impaired as a result of write-offs, the facility has to be fully performing for six months (or three payment cycles, whichever is the longer);

  • for a facility subject to a specific provision, the provisions are no longer applicable to the facility.

Based on the standard, it seems that loans that are considered well secured may not necessarily be considered as impaired, which does not seem in line with good credit risk and impairment practices. APRA explained that this is planned to be addressed in the revisions that will be made to APS 220.

In order for a facility classified as impaired to return to non-impaired status, an ADI must also in all circumstances:
  • have formed a view that the entity is capable of fully servicing all its future obligations in a timely manner under the facility or the ADI will otherwise receive the full amounts due in a timely manner as a result of access to collateral covering the facility; and

  • no longer maintain a provision assessed on an individual basis against the facility.

Underlying evidence must support the view that there is no doubt about an entity meeting its future obligations. For revolving facilities which are not well secured, drawings must have returned within approved limits for a facility to return to non-impaired status.
EC10: The supervisor determines that the bank’s Board obtains timely and appropriate information on the condition of the bank’s asset portfolio, including classification of assets, the level of provisions and reserves and major problem assets. The information includes, at a minimum, summary results of the latest asset review process, comparative trends in the overall quality of problem assets, and measurements of existing or anticipated deterioration in asset quality and losses expected to be incurred.
Description and findings re EC10: APRA’s APS 220 lists some requirements in relation to credit risk reporting to an ADI board. It states that, as part of its credit risk management system, the ADI must establish criteria for identifying and reporting to senior management and the Board those credit exposures deemed to be a source of concern. Approved by the Board, such criteria would be used as a trigger to consider whether to change the pattern and frequency of monitoring of such credit exposures, to undertake corrective actions or to change levels of provisioning and capital held against potential losses. An ADI’s provisioning and reserving policies and procedures must, among others:
  • provide for the validation of credit risk models and other statistical techniques used to determine levels of credit risk, estimated impairment of facilities, specific provisions and the GRCL. Validation and relevant statistical analysis must be conducted on a timely basis and must provide for periodic independent review (e.g., by internal and external audit) with the results of such processes reported to the Board and senior management;

  • outline the information to be provided on estimated impairment of facilities, specific provisions and GRCL, and credit quality more generally, to the Board and senior management. This must include frequency of reporting and processes to ensure the completeness and accuracy of relevant information flows. In addition, information must allow compliance with the policies and procedures approved by the Board with respect to credit risk management to be monitored.

The quality and frequency of board reporting in relation to asset quality is assessed as part of onsite credit risk prudential reviews. Copies of regular board reporting packs, papers discussing emerging/other issues, relevant audit and internal credit risk review reports routinely feature in pre-review information requests made by APRA. Internal APRA guidance outlines matters to be considered by supervisors in forming judgments on board awareness of credit issues. Particular attention is given to:
  • the types of information that are being captured in credit risk reports and escalation of issues;

  • the trigger points by which senior management and the board will be informed about emerging credit risk issues; and

  • examples where management/board have had to act in relation to credit risk issues.

EC11: The supervisor requires that valuation, classification and provisioning, at least for significant exposures, are conducted on an individual item basis. For this purpose, supervisors require banks to set an appropriate threshold for the purpose of identifying significant exposures and to regularly review the level of the threshold.
Description and findings re EC11: Consistent with the provisions of the Australian equivalents to International Financial Reporting Standards, APS 220 allows banks to manage facilities on an individual or portfolio basis. Provisioning may be assessed in a similar manner. Based on APS 220, APRA expects that facilities representing more significant levels of potential credit losses will be managed on an individual basis. No specific level is prescribed, reflecting the variations in size and operations of ADIs to which the standard applies and the principles-based approach to supervision that APRA seeks to pursue.

An ADI’s credit risk management system must include documented policies and procedures addressing the adequacy of provisions and reserves covering existing and estimated future credit losses and the timely establishment of such provisions and reserves. This includes assessment and establishment of a GRCL and provisions associated with its credit portfolio, assessed both on an individual and, where relevant, collective basis.

APRA does not require banks to set thresholds on facilities that would be assessed on an individual item basis. According to APS 220, policies and procedures covering the recognition (including measurement) of impairment of facilities, and the specific provisions which flow from such impairment, must, among others, address the basis to be used for determining whether facilities are managed on an individual or portfolio (collective) basis, and whether measures of impairment and provisions are to be assessed on an individual or collective basis (including processes for deciding to change assessing provisions from a collective basis to an individual facility basis).

Subsequently, an ADI must be able to satisfy APRA, if required, that its policies for determining whether a facility is managed on an individual or portfolio basis, and whether it is provisioned on an individual or portfolio basis, provide for prudent oversight of the credit risk associated with the level of exposures represented by an individual facility. This is particularly important where potential losses from an individual facility may be material having regard, for example, to the capital base, earnings capability, size or market profile of an ADI.

In retail, for residential mortgages, some type of valuation is required to test whether the loan is 90 days and ‘well secured’. File reviews undertaken by APRA as part of onsite credit reviews will include examples of exposures on both an individual and portfolio-managed basis.
EC12: The supervisor regularly assesses any trends and concentrations in risk and risk build-up across the banking sector in relation to banks’ problem assets and takes into account any observed concentration in the risk mitigation strategies adopted by banks and the potential effect on the efficacy of the mitigant in reducing loss. The supervisor considers the adequacy of provisions and reserves at the bank and banking system level in the light of this assessment.
Description and findings re EC12: APRA monitors in its quarterly risk reviews credit risk build-up in an institution and across the industry. Risk concentrations in relation to problem assets are mainly monitored through the industry credit risk reviews performed at the level of the major banks. These include defaulted assets (showing trends in defaulted assets and LGD) for the main banks. These provide some generic comparison but do not allow a deeper review such as the potential effect on the efficacy of the collateral in reducing the losses. This could be a main factor in Australia given that an important amount of the portfolio is composed of residential mortgages. In addition, it is not clear to what extent these reports are being used to guide the work of the supervisor in assessing the adequacy of provisions and reserves at the bank and the banking system.

The supervisors also perform other activities to inform their understanding about the trends and concentration in risk and risk build up in the banking sector. These activities include:
  • onsite credit risk prudential reviews which involve analysis of offsite information including reports to the bank’s board on concentrations and problem assets, discussions with senior executives and file reviews;

  • analysis of regular and ad hoc data received from banks on impaired assets and provisioning and regular monitoring of industry data by APRA’s DA team;

  • analysis of more systemic risks via thematic reviews; and

  • annual stress tests conducted on banks.

Through these mechanisms, supervisors in recent times have observed buildup in concentrations in investment housing, interest only housing and commercial property. Several prudential and supervisory measures have been undertaken to further monitor and limit these concentrations. For example, a separate team was set up within APRA’s DA team to monitor housing lending. Further, several prudential measures have recently been undertaken to limit the growth of interest only housing loans and investment loans. APRA has also taken measures to strengthen the risk weighted assets framework for housing.

APRA also assesses risk mitigation strategies by reference to:
  • enforceable documentation: checking the internal processes of ADIs and internal audit reports to ensure that ADIs have enforceable credit documentation;

  • security: given that most of the security relating to housing, business and commercial real estate (CRE) is property, APRA assesses internal policies and processes around valuation, accepting and reviewing security and cases where security has been enforced; on property security, concentrations by type of property (residential, commercial, industrial, CRE development) and by geography are reviewed and would form part of APRA’s credit risk assessment captured in PAIRS;

  • risk transfer: where the credit assessment is based on a guarantor’s rating (e.g., overseas parent guaranteeing a subsidiary), documentation may be assessed on a case by case basis, and where relevant, country risk concentration may be assessed.

Assessment of Principle 18: Largely Compliant
Comments: The problem asset policies and practices in Australia are mainly driven by accounting considerations. APS 220 provides the main rules on how to treat impaired assets and how to map the accounting provisions into specific provisions and GRCL. It also asks ADIs to have policies and procedures to ensure the timely and reliable recognition of impaired facilities. APS 220 is still based mainly on IAS 39 where it deals with incurred provisions and it seems to give the option to banks (without requiring them) to apply expected loss provisioning. APRA has issued some guidelines to banks on how to map their new provisioning levels under IFRS 9 / AASB 9 in relation to prudential requirements. These are temporary fixes as APRA is working on amending APS 220.

In addition, the standard discusses requirements for classifying loans as impaired but also includes some concepts that do not seem in line with sound practices, such as mentioning that loans that are considered well secured may not necessarily be considered as impaired. Therefore, APS 220 includes some outdated concepts and rules and needs to be revised to fully embrace the expected loss provisioning approach and to incorporate sound loan loss classification and provisioning policies and practices. Having said that, it is worth noting that banks usually apply accounting rules on impairment and would not wait for the new APS 220 to apply the expected loss provisioning concepts provided in international and Australian accounting rules.

APRA supervisors review loan provisioning policies and practices but APRA does not have a formal methodology for assessing the adequacy of loan loss provisions. This review is done by supervisors either in the context of their quarterly financial analysis or during thematic reviews. It includes assessing the methodology to calculate specific and collective provisions, reviewing files to determine if the specific provisions calculated are reasonable, and providing an opinion on the sufficiency of provisions (including specific provisions and GRCL). For advanced modelling banks, APRA’s Credit Risk Analytics team also reviews whether there is meaningful assessment and differentiation of risk, calibration, margin of conservatism and validation. While APRA can require banks to adjust their loan classification and provisioning levels, this rarely happens in practice. Banks are required to report their impaired and restructured facilities on a quarterly basis based on a preset form. However, the form can be further detailed to include some categorization by number of past due days, type of loan, such as impaired CRE loans, and by geographic area.

APRA risk teams also prepare a quarterly risk review that includes, among others, risk concentration in relation to problem assets, particularly for the large banks. These reviews provide some generic comparison of statistics across large banks but they can be enhanced to provide a deeper analysis on other issues, such as the potential effect on the efficacy of the collateral in reducing loan losses.
Principle 19: Concentration risk and large exposure limits. The supervisor determines that banks have adequate policies and processes to identify, measure, evaluate, monitor, report and control or mitigate concentrations of risk on a timely basis. Supervisors set prudential limits to restrict bank exposures to single counterparties or groups of connected counterparties.57
Essential criteria
EC1: Laws, regulations or the supervisor require banks to have policies and processes that provide a comprehensive bank-wide view of significant sources of concentration risk.58 Exposures arising from off-balance sheet as well as on-balance sheet items and from contingent liabilities are captured.
Description and findings re EC1: The prudential standard APS 221 on large exposures has been recently revised to incorporate the Basel III standard on large exposure and is effective starting January 1st, 2019. In this standard and the rest of the document, we refer to the current standard that applies until end-2018 as APS 221 and to the revised one which comes into effect starting January 1st, 2019 as “revised APS 221”.

APS 221 states that an ADI is exposed to various forms of risk concentrations with the potential to incur significant losses that could materially threaten the ADI’s financial strength. Risk concentrations may arise from excessive exposures to individual counterparties, groups of related counterparties, groups of counterparties with similar characteristics (e.g., counterparties in specific geographical regions or industry sectors) or to particular asset classes (e.g., property holdings or other investments). Safeguarding against risk concentrations to particular counterparties, industries, countries and asset classes must form an essential component of an ADI’s risk management strategy required under CPS 220. As such, an ADI’s large exposure policy must cover:
  • exposure limits for various types of counterparties including governments; ADIs and foreign equivalents; corporate and individual borrowers; groups of related counterparties; individual industry sectors (where applicable); individual countries (where applicable); and various asset classes, that are commensurate with the ADI’s risk appetite, risk profile, capital and balance sheet size;

  • the circumstances in which the above exposure limits may be exceeded and the authority required for approving such excesses e.g., by the ADI’s board/board committee; and

  • the procedures for identifying, measuring, evaluating, monitoring, controlling and reporting large exposures of the ADI.

APS 221 requires the exposures to include the aggregate of all claims, commitments and contingent liabilities arising from on- and off-balance sheet transactions (in both the banking and trading books) with the counterparty or group of related counterparties.

The revised APS 221 did not change much in relation to the above requirements. It just detailed further the types of counterparties that should be subject to exposure limits (adding government related entities and credit risk mitigation providers). It also elaborated further on country and transfer risks (see CP21 for more details).
EC2: The supervisor determines that a bank’s information systems identify and aggregate on a timely basis, and facilitate active management of, exposures creating risk concentrations and large exposure59 to single counterparties or groups of connected counterparties.
Description and findings re EC2: APS 221 requires an ADI to ensure that adequate systems and controls are in place to identify, measure, monitor and report on large exposures and risk concentrations in a timely manner. Large exposures and risk concentrations must be reviewed by the ADI at least annually.

APRA supervisors include in their thematic reviews an assessment of concentration risk management. Consideration is given to prudential limits and the bank’s adherence to its large exposure and aggregation (group of connected counterparties) policy. Supervisors also review concentrations data submitted to APRA on a quarterly basis via reporting form ARF 221. APRA also reviews management information flows to governance committees and the board on concentrations as part of onsite reviews. The results of onsite and offsite supervisory processes feed into PAIRS where a credit risk assessment is made by supervisors (both inherent risk and related management and controls). The PAIRS risk assessment then informs the planning of supervisory activities as part of developing a SAP.

One of the areas on which APRA supervisors are currently focusing is the concentration in CRE lending. Thematic reviews have been performed over the last two years to monitor exposures and practices in that regard. Following that, APRA teams discussed setting some internal triggers to monitor concentration in CRE lending and supervisory responses in that regard.
EC3: The supervisor determines that a bank’s risk management policies and processes establish thresholds for acceptable concentrations of risk, reflecting the bank’s risk appetite, risk profile and capital strength, which are understood by, and regularly communicated to, relevant staff. The supervisor also determines that the bank’s policies and processes require all material concentrations to be regularly reviewed and reported to the bank’s Board.
Description and findings re EC3: APS 221 requires the Board of directors (Board) of an ADI to be ultimately responsible for the oversight of the ADI’s large exposures and risk concentrations and for approving policies governing large exposures and risk concentrations of the ADI. The Board must ensure that these policies are reviewed regularly (at least annually) and that they remain adequate and appropriate for the ADI’s risk appetite, risk profile, capital and balance sheet size. As noted in EC1, the standard also requires ADIs to have a board approved policy detailing exposure limits for various types of counterparties and asset classes that are commensurate with the ADI’s risk appetite, risk profile, capital and balance sheet size.

CPS 220 requires a bank to maintain a RMF that enables it to develop and implement strategies, policies, procedures and controls to manage material risks (including concentration risk, if material) and provides the board with a comprehensive institution/group wide view of material risks. The RMF must at a minimum include a board approved RAS, policies and procedures to manage material risks and a MIS that is adequate under normal periods and during times of stress for measuring, assessing and reporting on all material risks across the institution/group. The MIS must provide the Board, the board committees, and the senior management of the APRA regulated institution with regular, accurate, and timely information concerning the institution’s risk profile.

Assessment of risk concentrations is commonly incorporated into APRA’s regular assessments of banks’ credit risk management systems. Information on risk concentrations more broadly is obtained and discussed at annual prudential consultations, other prudential meetings and during onsite prudential reviews. Supervisory guidance requires supervisors to consider a variety of sources of risk concentrations including industry, country and asset class (including securitization activity), as well as indirect concentrations related to collateral type. APRA’s supervisors exercise their professional judgment by challenging the basis of aggregation and the existence of apparent weaknesses in a bank’s processes and practices.

APRA’s regular onsite prudential reviews routinely incorporate an assessment of the thresholds, policies and processes used by a bank to manage risk concentrations. Undue risk concentrations or shortcomings in management practices and processes identified during onsite reviews may lead to APRA issuing an ADI with requirements, recommendations or other actions. APRA may impose a higher capital ratio in circumstances where APRA considers that the bank is exposed to a significant level of risk concentration. APRA may also direct a bank to take measures to reduce its level of risk concentration where needed.
EC4: The supervisor regularly obtains information that enables concentrations within a bank’s portfolio, including sectoral, geographical and currency exposures, to be reviewed.
Description and findings re EC4: Information on banks’ large exposures is reported to APRA each quarter via reporting form ARF 221.0 Large Exposures, which provides information on: the ten largest exposures and those exceeding 10 percent or 5 percent of the capital base, respectively for locally incorporated ADIs and for nonbank ADIs (at both solo and banking group levels); the 20 largest exposures for foreign ADIs, and large liability exposures.

Other information and data are regularly submitted to APRA and allow the calculation of concentration in specific sectors, countries, maturities, and asset categories. These include the following data, among others: Claims and Liabilities by currency, counterparty, country and financial instrument; Claims by remaining maturity and country, and by sector of borrower and country; residential mortgage lending; commercial property lending, etc.

APRA may impose additional reporting requirements on banks to obtain any information deemed necessary in relation to large exposures or risk concentrations. For example, APRA has in recent times sought additional information on housing and commercial property, and has requested information on housing and commercial property concentrations on an ad hoc basis.
EC5: In respect of credit exposure to single counterparties or groups of connected counterparties, laws or regulations explicitly define, or the supervisor has the power to define, a “group of connected counterparties” to reflect actual risk exposure. The supervisor may exercise discretion in applying this definition on a case by case basis.
Description and findings re EC5: According to APS 221, a group of related counterparties is deemed to exist where two or more individual counterparties are linked by: cross guarantees; common ownership or management; the ability to exercise control over the other(s), whether direct or indirect; financial interdependency such that the financial soundness of any of them may affect the financial soundness of the other(s); or other connections or relationships which, according to an ADI’s assessment, identify the counterparties as constituting a single risk.

As a general rule, family members are not to be treated as connected where they have independent retail relationships with an ADI (although an ADI may choose to treat such exposures as connected if it considers it appropriate to do so).

The revised APS 221 has revised the definition of connected counterparty, largely adopting the definition set in the BCBS standard on large exposures, but with carve outs for retail exposures. It is worth noting that the revised definition of a group of connected parties will apply starting January 1st, 2020; hence the definition laid out in the current APS 221 will remain in effect until December 31st, 2019.

Based on the revised standard, a group of connected counterparties exists if two or more individual counterparties are linked by:
  • a control relationship, i.e., one of the counterparties has direct or indirect control over the other counterparty or if both counterparties are directly or indirectly controlled by another entity (control exists in case of majority voting rights; significant influence on the senior management of the counterparty or in the appointment or removal of persons from the counterparty’s board, board committees, or management)

  • an economic interdependence relationship, which exists if, in the ADI’s assessment, the financial soundness of a counterparty could materially affect the financial soundness of another counterparty. The revised APS 221 standard lists cases where economic interdependence usually exists, which are in line with the Basel Large exposure standard. However, a carveout for exposures to retail counterparties is given in this area. In fact, the standard mentions that, if an ADI’s exposure to a non-retail counterparty exceeds five percent of the ADI’s tier 1 capital, the ADI must identify all non-retail counterparties linked by an interdependence relationship to that counterparty.

  • other connections or relationships which, according to an ADI’s assessment, identify the counterparties as constituting a single risk.

While the current standard does not explicitly give discretion to APRA in applying this definition on a case by case basis, the revised standard does include such discretion. It states that APRA may require an ADI to treat counterparties as a group of connected parties if, in APRA’s view, they meet the criteria set in the standard.
EC6: Laws, regulations or the supervisor set prudent and appropriate60 requirements to control and constrain large credit exposures to a single counterparty or a group of connected counterparties. “Exposures” for this purpose include all claims and transactions (including those giving rise to counterparty credit risk exposure), on-balance sheet as well as off-balance sheet. The supervisor determines that senior management monitors these limits and that they are not exceeded on a solo or consolidated basis.
Description and findings re EC6: According to APS 221, the aggregate exposure of an ADI to a counterparty or a group of related counterparties is subject to the following limits which are applied both at level 1 (solo bank) and level 2 (banking group):
  • external parties (other than governments, central banks and ADIs or equivalent overseas deposit-taking institutions) unrelated to the ADI – 25 percent of Regulatory Capital;

  • unrelated ADI (or equivalent overseas deposit-taking institution) and its subsidiaries – 50 percent of Regulatory Capital, with aggregate exposure to non-deposit-taking subsidiaries capped at 25 percent of Regulatory Capital; and

  • foreign parents and their subsidiaries – 50 percent of Regulatory Capital, with aggregate exposure to non-deposit-taking subsidiaries capped at 25 percent of Regulatory Capital.

The exposures represent the aggregate of all claims, commitments and contingent liabilities arising from on- and off-balance sheet transactions (in both the banking and trading books). The last limit mentioned above appears to be more a limit on related parties than on large exposures. The revised APS 221 merges the limit on exposures to foreign parents and their subsidiaries with the general and more conservative 25 percent limit on exposures to counterparties and groups of connected counterparties.

The revised APS 221 defines a large exposure to a counterparty or a group of related counterparties as being an exposure greater than or equal to 10 percent of an ADI’s Tier 1 Capital. The 10 percent threshold applies to a bank’s exposure at Level 1 (solo bank) and Level 2 (banking group).

The revised APS 221 restricts the aggregate exposure of an ADI to a counterparty or group of connected counterparties to 25 percent of the ADI’s Tier 1 Capital except:
  • exposures to foreign governments or central banks that receive a zero percent risk-weight, which must not exceed 50 percent of the ADI’s Tier 1 Capital; and

  • where the ADI has been determined by APRA to be a domestic systemically important bank (D-SIB), exposures to any other ADI determined by APRA to be a D-SIB must not exceed 20 percent of the ADI’s Tier 1 Capital.

These limits apply to an ADI’s large exposures at both Level 1 (solo bank) and level 2 (banking group) net of eligible CRM techniques and excluded exposures. In addition, APRA may set specific limits on an ADI’s exposures to particular counterparties, groups of connected counterparties, industry sectors, countries or asset classes, including property holdings and any other investments, having regard to the ADI’s individual circumstances.

In measuring large exposures, an ADI must include all on-balance sheet exposures and off-balance sheet exposures in both the banking book and trading book and instruments that would give rise to counterparty credit risk.
EC7: The supervisor requires banks to include the impact of significant risk concentrations into their stress testing programs for risk management purposes.
Description and findings re EC7: Based on both current and revised APS 221, an ADI’s policies must include stress testing and scenario analysis of the ADI’s large exposures and risk concentrations to assess the impact of changes in market conditions and key risk factors (e.g., economic cycles, interest rates, liquidity conditions or other market movements) on its risk profile, capital and earnings.

APRA’s DA team regularly (annually for ADIs) coordinates industry stress tests to assess the vulnerabilities of an entity and the financial system. Scenarios are developed in conjunction with the RBA and the RBNZ. A key objective of the scenario design is testing the resilience of entities and the industry to a severe but plausible scenario and targeting/investigating the more material risk concentrations facing the industry. For example, residential mortgages (particularly investor and interest only mortgages) have been a key focus for all recent stress tests (including specifically looking at the additional loss if large counterparties defaulted as a sensitivity test). The results of stress tests are reflected in ongoing supervisory activities and engagement with the Board/senior management of an ADI on its approach to capital and credit risk management.
Additional criteria
AC1: In respect of credit exposure to single counterparties or groups of connected counterparties, banks are required to adhere to the following:
  • (a) 10 percent or more of a bank’s capital is defined as a large exposure; and

  • (b) 25 percent of a bank’s capital is the limit for an individual large exposure to a private sector nonbank counterparty or a group of connected counterparties.

Minor deviations from these limits may be acceptable, especially if explicitly temporary or related to very small or specialized banks.
Description and findings re AC1: Based on the current APS 221, an exposure to a counterparty or a group of related counterparties is considered a large exposure if it is greater than or equal to 10 percent of an ADI’s regulatory capital.

The revised APS 221 has revised the threshold for a large exposure to be 10 percent of an ADI’s Tier 1 Capital. In both standards, the large exposure is defined at both level 1 (solo bank) and level 2 (banking group) entities.

As mentioned in EC 6, the current APS 221 limits large exposures to external parties [unrelated to the ADI] (other than governments, central banks and ADIs or equivalent overseas deposit-taking institutions) to 25 percent of Regulatory Capital. Also, the revised APS 221 has adjusted the limit to become 25 percent of an ADI’s tier 1 capital, in line with the Basel standard on large exposures.
Assessment of Principle 19: Compliant
Comments: The revised standard APS 221 on large exposures, issued by APRA in December 2017 and which becomes effective in January 2019, adopts the new Basel Framework on large exposures. There is one deviation related to the carveout of retail exposures from the definition of connected parties in the context of an economic interdependence relationship.

The current and revised standards include thorough requirements on the need for banks to have policies and processes for managing concentration risk. The limits have been revised to incorporate the ones established in the Basel standard on large exposures. Supervisors conducted thematic reviews particularly on CRE lending concentration and the actions to be taken to increase oversight of banks with higher concentration.

In addition, APRA receives regular reporting on various types of concentration risk. APRA requires banks to include concentration risk in their stress testing programmes, and APRA’s DA team coordinates stress tests, including some sensitivity analysis scenarios, to assess the resilience of banks to concentration risks, for example in relation to residential mortgages.
Principle 20: Transactions with related parties. In order to prevent abuses arising in transactions with related parties61 and to address the risk of conflict of interest, the supervisor requires banks to enter into any transactions with related parties62 on an arm’s length basis; to monitor these transactions; to take appropriate steps to control or mitigate the risks; and to write off exposures to related parties in accordance with standard policies and processes.
Essential criteria
EC1: Laws or regulations provide, or the supervisor has the power to prescribe, a comprehensive definition of “related parties”. This considers the parties identified in the footnote to the Principle. The supervisor may exercise discretion in applying this definition on a case by case basis.
Description and findings re EC1: APRA’s prudential standard (APS 222) sets requirements on associations with related entities. APS 222 treats all entities controlled, whether directly or indirectly, by a bank or its ultimate domestic parent as a ‘related entity’ of the bank. A related entity excludes subsidiaries of ADIs that form part of the extended licensed entity, and the foreign parent(s) of an ADI, the foreign parent’s overseas-based subsidiaries and their directly owned non-ADI entities operating in Australia. Furthermore, APS 222 provides for APRA to deem other entities (and their subsidiaries) to be related entities. Discretion is exercised on a case-by-case basis.

As shown above, APRA’s definition of related parties deviates significantly from the definition set by this principle. It does not capture an ADI’s major shareholders, board members, senior and key staff, their direct and related interests, and their close family members, as well as corresponding persons in affiliated companies. It also seems to exclude some entities from the definition such as ADIs’ subsidiaries forming part of the extended licensed entity, foreign parents of an ADI, the foreign parent overseas subsidiaries, and their directly owned non-ADI entities operating in Australia.

It is worth noting that exposures to foreign parents and their subsidiaries have been addressed in the standard on large exposures APS 221, which sets out prudential limits on these exposures (see CP 19), although these exposures should naturally be considered as related parties.

APRA has released for consultation on July 2, 2018, a revised draft APS 222 that broadens the definition of related parties to capture entities (including individuals), revises the limits on exposures to related entities, includes additional requirements on contagion risk, addresses risks arising from subsidiaries that hold or invest assets treated as part of an ADI’s extended licensed entity, and updates reporting requirements to align with the proposed amendments.
EC2: Laws, regulations or the supervisor require that transactions with related parties are not undertaken on more favorable terms (e.g., in credit assessment, tenor, interest rates, fees, amortization schedules, requirement for collateral) than corresponding transactions with non-related counterparties.63
Description and findings re EC2: APS 222 requires an ADI’s Board policies on dealings with related entities to include several minimum requirements, one of which is the need for the ADI to address risks arising from dealings with related entities as strictly as it would address risk exposures to unrelated entities. Terms or conditions imposed by an ADI in relation to its dealings with related entities that are inconsistent with the benchmark for unrelated entities must be approved by the board of the bank with justifications fully and clearly documented in a register which is to be made available for inspection by APRA, if requested.

Prudential standard 3PS 222 Intra-group Transactions and Exposures (3PS 222) requires the head of the Level 3 group to ensure that associations and dealings within the Level 3 group do not expose prudentially regulated institutions within the group to excessive risk. It states that if a prudentially regulated institution in the Level 3 group proposes to accept terms and conditions, in dealing with Level 3 institutions in the group, that are not consistent with terms and conditions that would be negotiated on an arm’s-length basis in such a dealing, those terms and conditions must first be approved by the Board of the Level 3 Head with justification fully and clearly documented.
EC3: The supervisor requires that transactions with related parties and the write-off of related-party exposures exceeding specified amounts or otherwise posing special risks are subject to prior approval by the bank’s Board. The supervisor requires that Board members with conflicts of interest are excluded from the approval process of granting and managing related party transactions.
Description and findings re EC3: APS 222 covers in several aspects the need for an ADI to give due consideration to the risks associated with the group of which it is a member and not to be exposed to excessive risk as a result of its associations and dealings with related parties.

The standard requires that the Board of an ADI establish, and monitor compliance with, policies governing all dealings with related entities. These policies must, as a minimum, include:
  • a requirement that the ADI address risks arising from dealings with related entities as strictly as it would address its risk exposures to unrelated entities (refer to EC2);

  • prudent limits on exposures to related entities at both an individual and aggregate level;

  • procedures for resolving any conflict of interest arising from such dealings;

  • requirements relating to exposures generated from an ADI’s participation in group operations; and

  • requirements relating to the transparency of third-party dealings associated with related entities.

The standard states that terms or conditions imposed by an ADI in relation to its dealings with related entities that are inconsistent with the benchmark for unrelated entities must be approved by the Board of the ADI with justifications fully and clearly documented in a register. The ADI must make this register available for inspection by APRA if so requested.

APS 222 does not require that related-party transactions and write-offs of related-party exposures exceeding certain amounts or posing special risks be subject to prior approval by the board.

APS 222 also requires the Board of an ADI to have regard to the following in determining limits on acceptable levels of exposure to related entities:
  • the level of exposures which would be approved for unrelated entities of broadly equivalent credit status; and

  • the impact on the ADI’s stand-alone capital and liquidity positions, as well as its ability to continue operating, in the event of a failure of any related entity to which the ADI is exposed.

An ADI must satisfy APRA that it has adequate systems and controls to identify, review, monitor and manage exposures arising from dealings with related entities.

APS 220 emphasizes that the board is responsible for ensuring that a bank has in place credit risk management policies, procedures and controls appropriate to the complexity, scope and scale of its business. The write-down or write-off of uncollectable facilities is specifically noted as being a component of the bank’s credit risk management system, which must be documented in policies and procedures. APRA’s current requirements do not prescribe that board approval is specifically required for a given level of write-off of related-party exposures.

The standards do not explicitly require that Board members with conflicts of interest be excluded from the approval process of granting and managing related party transactions. However, as noted above, APS 222 requires that an ADI’s board policies on related-entity dealings include procedures for resolving any conflict of interest arising from such dealings and transparency requirements in relation to such dealings.
EC4: The supervisor determines that banks have policies and processes to prevent persons benefiting from the transaction and/or persons related to such a person from being part of the process of granting and managing the transaction.
Description and findings re EC4: The board of a bank must establish and monitor compliance with policies governing all dealings with related entities and ensure that a bank has in place appropriate credit risk management policies, procedures and controls.

APRA regards the adequacy of separation of duties and appropriateness of reporting lines relevant to areas of a bank dealing with credit provision and exposure management as an integral component of a sound credit risk management framework. Supervisors assess credit policies to ensure that credit approvers are clear of conflicts of interest and that appropriate mechanisms are in place to define, manage and report on conflicts as necessary. APRA would expect banks to have a code of conduct which describes how conflicts of interest are to be addressed. The quality of a bank’s credit approval and account/portfolio management practices are topics routinely assessed during onsite credit risk prudential reviews.
EC5: Laws or regulations set, or the supervisor has the power to set on a general or case by case basis, limits for exposures to related parties, to deduct such exposures from capital when assessing capital adequacy, or to require collateralization of such exposures. When limits are set on aggregate exposures to related parties, those are at least as strict as those for single counterparties or groups of connected counterparties.
Description and findings re EC5: Various prudential limits on specific intra-group exposures are outlined in APS 222 (all set on level 1 basis), as follows:
  • 50 percent of regulatory capital to an individual related bank;

  • 150 percent of regulatory capital for aggregate exposure to all related banks;

  • 25 percent of regulatory capital to other individual regulated related entity (other than a related bank or related overseas-based equivalent);

  • 15 percent of regulatory capital to individual unregulated related entity; and

  • 35 percent of regulatory capital aggregate exposure to all related entities (other than related banks and related overseas-based equivalents).

Some of the limits above seem to be higher than what is mentioned in the criterion. In fact, the criterion mentions that the limit on aggregate exposures to related parties must be at least as strict as those for single counterparties or groups of connected counterparties. The limit on aggregate exposures to all related entities (35 percent of regulatory capital) is higher than the limit on groups of connected counterparties which was set at 25 percent of Tier 1 Capital (as per the revised APS 221).

Any proposed exposure in excess of prescribed limits requires APRA’s prior approval. Approval will only be granted on an exceptional basis and only after APRA has been convinced that the bank is not exposed to excessive risk.

Based on APS 222, APRA may, in writing, set specific limits on an ADI’s exposures to related ADIs, other related entities, a group of related ADIs, or a group of related entities, on a case-by-case basis, having regard to the ADI’s individual circumstances.

The Banking Act provides that APRA may make Prudential Standards, including standards that apply only to an individual bank.

In the event that APRA is not satisfied that a bank has adequate systems and controls to address the risks arising from dealings with related entities, APRA has powers that would enable it to require the bank to put in place additional internal controls, a more robust reporting mechanism or impose a higher PCR. APRA may also direct a bank to take measures to reduce its level of risk concentration.

As mentioned earlier, the limits described above will undergo revision under the revised draft APS 222 which was released for consultation by APRA on July 2, 2018. The proposed limits mostly reduce the maximum level of exposures to related ADIs but the limits for other related entities have been largely kept the same, with the limits applied based on Tier 1 capital rather than regulatory capital.
EC6: The supervisor determines that banks have policies and processes to identify individual exposures to and transactions with related parties as well as the total amount of exposures, and to monitor and report on them through an independent credit review or audit process. The supervisor determines that exceptions to policies, processes and limits are reported to the appropriate level of the bank’s senior management and, if necessary, to the Board, for timely action. The supervisor also determines that senior management monitors related party transactions on an ongoing basis, and that the Board also provides oversight of these transactions.
Description and findings re EC6: Depending on the theme of their credit risk prudential reviews, APRA supervisors review the nature and extent of related exposures. The supervisors assess whether the ADI is able to identify and group related party exposures where they constitute a single risk for the purposes of individual customer and customer group credit approval, monitoring, review and portfolio management and reporting. They also review if the ADI’s policies and processes ensure the accurate identification, measurement and recording of exposures which constitute single risks to facilitate their effective approval and management and ensure compliance with the single risk aggregation requirements of APRA Prudential Standard APS 221 Large Exposures.
EC7: The supervisor obtains and reviews information on aggregate exposures to related parties.
Description and findings re EC7: All Australian-owned banks and foreign subsidiary banks must submit reporting form ARF 222.0 Exposures to Related Entities (ARF 222.0) quarterly to APRA. Foreign banks are required to submit Part C of the reporting form.

Among other things, ARF 222.0 requires banks to list the ten largest exposures to related entities, ten largest exposures to Extended Licensed Entity (ELE)-eligible subsidiaries and exposures to head office, overseas branches or Australian and overseas subsidiaries. Reported information is reviewed by supervisors as part of offsite supervision.

APRA supervisors may also request/review internal credit risk reporting packs from institutions used for management reporting purposes where considered necessary.
Assessment of Principle 20: Largely Compliant
Comments: APRA supervisors perform activities covering related party transactions and loans and assess the banks’ policies in this regard. APS 222 sets requirements on associations with related entities. It includes a definition of related parties that comprises all entities controlled by the bank or its ultimate domestic parent. It does not include all the parties identified in the footnote to this principle such as major individual shareholders, board members, senior and key staff, and their direct and indirect related interests, as well as corresponding persons in affiliated entities.

The standard requires some rules in relation to conducting transactions on an arm’s length basis, and procedures for resolving conflicts of interest. The standard also requires that the Board of an ADI establish, and monitor compliance with, policies governing all dealings with related entities. However, the standard does not require that related party transactions and their write-offs be approved by the board of the ADI.

The standard sets limits on individual and aggregate exposures to related parties, but these limits are generally higher than the ones applied in the prudential standard on large exposure. APRA receives regular information on related party exposures.

As mentioned earlier, APRA has released on July 2, 2018, for consultation a revised draft prudential standard that addresses many of the above-mentioned gaps.
Principle 21: Country and transfer risks. The supervisor determines that banks have adequate policies and processes to identify, measure, evaluate, monitor, report and control or mitigate country risk64 and transfer risk65 in their international lending and investment activities on a timely basis.
Essential criteria
EC1: The supervisor determines that a bank’s policies and processes give due regard to the identification, measurement, evaluation, monitoring, reporting and control or mitigation of country risk and transfer risk. The supervisor also determines that the processes are consistent with the risk profile, systemic importance and risk appetite of the bank, take into account market and macroeconomic conditions and provide a comprehensive bank-wide view of country and transfer risk exposure. Exposures (including, where relevant, intra-group exposures) are identified, monitored and managed on a regional and an individual country basis (in addition to the end-borrower/end-counterparty basis). Banks are required to monitor and evaluate developments in country risk and in transfer risk and apply appropriate countermeasures.
Description and findings re EC1: As with all key risk areas, the overarching prudential standards for credit risk management are outlined in APS 220. APRA does not specifically highlight country and transfer risks in APS 220. APS 221, which outlines standards and expectations for measuring and monitoring large risk concentrations, includes potential credit exposure concentrations to individual countries and ‘geographic regions’. In fact, the current APS 221 requires the ADI’s large exposure policy to include, as a minimum, individual countries among others. The revised APS 221 goes even further by requiring an ADI’s policies on large exposures and risk concentrations to cover, as a minimum, individual countries (among others). The standard also mentions that the limits for individual countries should consider, amongst other things, any potential transfer risks where a borrower is not able to convert local currency into foreign exchange and consequently would be unable to make debt service payments to the ADI.

Assessments of credit risk management are expected to look at risk management of all credit exposure types to inform supervisors’ inherent credit risk assessment within PAIRS. APRA’s periodic onsite credit risk prudential reviews assess a firm’s credit risk management framework, and where warranted in the context of risk-focused supervision, this would include the review of policies and processes for addressing country and transfer risk. APRA expects a firm’s credit policies to cover country and transfer risk associated with lending and other transactions giving rise to credit risk, where appropriate.

Banks report foreign country claims, off-balance sheet commitments and risk transfers to APRA on a quarterly basis in reporting form ARF 731.3 (International Exposures). They are reported on an immediate borrower basis by maturity and on an ultimate risk basis by country and categorized by counterparty sector (for example banks, public sector or nonbank private sector). A distinction is made between cross-border and local claims. Off-balance sheet information is categorized as derivative contracts, guarantees and credit commitments. The data submitted in this reporting is reviewed by supervisors as part of offsite supervision and is also provided to the RBA for the purposes of financial stability analyses.

Under the revised APS 221 banks will be required to have adequate processes to identify, measure, monitor, report and control counterparty exposures regardless of their source.
EC2: The supervisor determines that banks’ strategies, policies and processes for the management of country and transfer risks have been approved by the banks’ Boards and that the Boards oversee management in a way that ensures that these policies and processes are implemented effectively and fully integrated into the banks’ overall risk management process.
Description and findings re EC2: APRA’s supervision framework guidance states that an ADI’s board-approved credit policies should consider country and cross border/transfer risk associated with lending and other transactions giving rise to credit risk, where appropriate. The policies should specify acceptable country exposures, detail country size limits and outline monitoring processes. APRA’s regular onsite credit risk prudential reviews assess an ADI’s credit risk management framework. A bank’s policies and processes for addressing country and transfer risk will be considered in these assessments if deemed material from a risk-based supervisory perspective.

APRA reviews the country risk management framework, together with the relevant risk appetite, procedures, limits, and reporting, alongside its assessment of banks’ risk management, particularly credit risk. There are also times where supervisors perform a focused review of the country risk management framework of a bank and assess the main gaps in that framework. Accordingly, corrective actions like recommendations or requirements were issued in that respect. As mentioned before, the main country exposure that banks have is to New Zealand. At the consolidated level, assets in New Zealand represent about 10 percent of the banks’ overall assets in December 2017. Banks are exposed to a lesser extent to the United States, the United Kingdom, and Japan. However, on the domestic level, banks have a very limited country exposure of around 11.5 percent of assets in December 2017.
EC3: The supervisor determines that banks have information systems, risk management systems and internal control systems that accurately aggregate, monitor and report country exposures on a timely basis; and ensure adherence to established country exposure limits.
Description and findings re EC3: APRA uses onsite credit risk reviews to assess if banks have the information, risk management and internal control systems needed to monitor and report on exposures relative to a firm’s risk appetite. These reviews would include assessments of these practices for country and transfer risk exposures, where relevant. Assessors viewed examples of prudential reports where APRA supervisors assessed the country risk framework in banks by looking at the extent to which the banks’ risk management framework addressed country risk issues. Supervisors also look at the process for setting country limits and tolerances and the extent to which banks are exposed to these risks and abide by the set limits, if any.

Portfolio risk management capabilities are routinely considered as part of credit risk prudential reviews. Targeted operational and Information Technology (IT) related risk reviews may also assist supervisors to come to a view on the overall integrity of risk management information systems. For the few larger banks where country exposures are considered more significant (typically to NZ, the US and the UK) supervisory discussions with institutions include instances of limit breaches and associated remedial action. Often cross-border exposures are reflective of group strategic initiatives involving overseas operations or trade flows. It is APRA’s practice to conduct prudential reviews of major overseas operations of Australian banks.
EC4: There is supervisory oversight of the setting of appropriate provisions against country risk and transfer risk. There are different international practices that are all acceptable as long as they lead to risk-based results. These include:
  • (a) The supervisor (or some other official authority) decides on appropriate minimum provisioning by regularly setting fixed percentages for exposures to each country taking into account prevailing conditions. The supervisor reviews minimum provisioning levels where appropriate.

  • (b) The supervisor (or some other official authority) regularly sets percentage ranges for each country, taking into account prevailing conditions and the banks may decide, within these ranges, which provisioning to apply for the individual exposures. The supervisor reviews percentage ranges for provisioning purposes where appropriate.

  • (c) The bank itself (or some other body such as the national bankers’ association) sets percentages or guidelines or even decides for each individual loan on the appropriate provisioning. The adequacy of the provisioning will then be judged by the external auditor and/or by the supervisor.

Description and findings re EC4: APRA’s framework does not explicitly require provisioning for country and transfer risk exposures. APRA expects banks to set sufficient provisioning levels covering all credit loss exposures, including international exposures, in accordance with APS 220. APRA requires the level of provisions and the GRCL to be regularly reviewed to ensure that provisions and reserves are consistent with current expectations of credit losses. As mentioned in CP18, APRA supervisors rely to a large extent on the adequacy of provisioning as determined by the application of accounting principles. APRA supervisors apply some analysis tools and historical comparison to assess whether provisions seem at a reasonable level. Provisioning levels are reviewed periodically to assess if provisioning and reserve levels are consistent with expected losses.

Prudential forms submitted to APRA applicable to asset quality and provisioning are subject to review by the appointed auditor as per APS 310. A bank’s external auditors will also consider provisioning levels as part of their annual audit of the financial accounts.
EC5: The supervisor requires banks to include appropriate scenarios into their stress testing programs to reflect country and transfer risk analysis for risk management purposes.
Description and findings re EC5: APRA has no specific requirement that firms’ stress testing programs include scenarios to capture country and transfer risks, though APRA would ‘expect’ firms to include them in their stress testing if they are material risks to a firm. In fact, APRA requests banks to provide their assumptions for overseas economic parameters for countries where there are material exposures to determine whether they are being appropriately stressed. While APRA would expect ADIs to consider any material country and transfer risk in their own stress testing scenarios, it is not a prudential requirement.

The review of an ADI’s stress testing program and scenarios is complemented by APRA’s DA team coordinating regular stress tests using various macroeconomic scenarios and assessing impacts on provisioning and capital, profitability and liquidity. On occasion, the scenarios are also country specific. As part of APRA stress tests, DA has always specified a detailed scenario for New Zealand in collaboration with the RBNZ.

Supervisors also regularly monitor the impact of events on country exposures, for example when major political announcements are made.
EC6: The supervisor regularly obtains and reviews sufficient information on a timely basis on the country risk and transfer risk of banks. The supervisor also has the power to obtain additional information, as needed (e.g., in crisis situations).
Description and findings re EC6: APRA receives a large number of reports on foreign exposures, including those used for BIS statistics packages. The reports cover Australian banks’ foreign exposures by country and provide information on country and transfer risk exposures. APRA has enhanced its bank reporting requirements on International Banking Statistics (IBS) in accordance with BIS enhancements. The first reporting period for the new reporting requirements was the period ending 31 December 2017.

Specific required reporting includes:

ARS 731.1 International Banking Statistics – Locational Data

ARS 731.3a International Banking Statistics – Immediate and Ultimate Risk Exposures – Domestic Entity

ARS 731.3b International Banking Statistics – Immediate and Ultimate Risk Exposures – Foreign Entity

ARS 731.4 International Banking Statistics – Balance Sheet Items; and

ARS 325.0 International Operations

Under the FSCODA and Section 62 of the Banking Act, APRA has the power to seek any additional information as needed. Assessors observed that APRA’s RDA team monitors trends in country and transfer risks on an industry-wide basis. APRA can seek further information from the industry as needed.
Assessment of Principle 21: Compliant
Comments: While APRA does not currently have an explicit prudential standard with respect to country and transfer risks, the overarching risk management standards in CPS 220, as well as standards for credit risk management, and specifically large exposures, seem sufficient for the assessment of firms’ practices around these risks given the relatively small share of exposures in this category.

Assessors observed the assessment of country risk as a part of broader credit risk management reviews, including assessing country risk appetite, limits, and incorporation in stress testing.
Principle 22: Market risk. The supervisor determines that banks have an adequate market risk management process that takes into account their risk appetite, risk profile, and market and macroeconomic conditions and the risk of a significant deterioration in market liquidity. This includes prudent policies and processes to identify, measure, evaluate, monitor, report and control or mitigate market risks on a timely basis.
Essential criteria
EC1: Laws, regulations or the supervisor require banks to have appropriate market risk management processes that provide a comprehensive bank-wide view of market risk exposure. The supervisor determines that these processes are consistent with the risk appetite, risk profile, systemic importance and capital strength of the bank; take into account market and macroeconomic conditions and the risk of a significant deterioration in market liquidity; and clearly articulate the roles and responsibilities for identification, measuring, monitoring and control of market risk.
Description and findings re EC1: Market risk exposures are relatively small at the major domestic banks, with four of the five banks having total market risk RWA of roughly 2.5 percent of total firm RWA and one with about 4 percent of total RWA.

The main requirements in relation to establishing an appropriate market risk management framework and processes are derived from the general requirements of APRA prudential standard CPS 220. As per CPS 220, an APRA-regulated institution’s RMF must, at a minimum, include amongst other things, a risk management strategy and policies and procedures supporting clearly defined and documented roles, responsibilities and formal reporting structures for the management of material risks, including market risk. CPS 220 states that an APRA-regulated institution must maintain an appropriate, clear and concise risk appetite statement for the institution that addresses the institution’s material risks (including market risk). The Board is responsible for setting the risk appetite of the institution and must approve the institution’s risk appetite statement. For more details, see CP15.

Market risk management is also specifically covered under Prudential Standard APS 116, Capital Adequacy: Market Risk (APS 116), and assessments are supported by Prudential Practice Guide APG 116, which covers traded market risk and provides guidance on governance, market risk policies and valuation requirements. Since it is a capital standard, APS 116 does not apply to local branches of foreign banks. However, APRA applies similar qualitative standards to foreign bank branches as applied to domestic firms.

APRA conducts onsite prudential reviews of market risk management processes for banks with trading exposures, including domestic banks (and relevant subsidiaries) and local branches of foreign banks. These reviews are required by internal program guidelines to be carried out at least once every three years. Domestic banks with large trading operations and IRB approval for capital requirements are reviewed more frequently. Frontline supervisors are supported in these reviews by market risk and modelling specialists. Onsite reviews include discussions with representatives from front office, risk management and support staff, including IT, accounting, product control and internal audit.

In addition, APRA conducts targeted reviews on particular trading activities or on related thematic issues, where these are identified as warranted.

APRA supervisors are expected to assess market risks in the context of a firm’s ICAAP as part of ongoing supervision. Regular stress tests are conducted by regulated institutions to assess capital adequacy in a stressed scenario. The scenarios would cover market risks where applicable.

For domestic firms with large trading operations using advanced approaches to capital adequacy calculation, there are also regular discussions (quarterly or semi-annually) between front office and market risk executives at the bank, APRA frontline supervisors and APRA market risk and modelling specialists. These meetings provide information for APRA for its market risk monitoring efforts on both a firm-specific and industry basis. They typically would cover market conditions and emerging concerns/issues; changes in a firm’s operational structure and relevant staff; changes to management information systems, risk management frameworks and risk models (including proposed upcoming changes); recent trading performance and risk metrics; and changes in strategy, new products and markets.

In addition, APRA’s market risk and model specialists review quarterly regulatory reporting on market risk for both advanced-approaches and standardized banks. This is done to identify and understand any significant changes to market risk exposures. The analysis is shared with frontline supervisors who will assess whether additional supervisory attention is warranted. Significant changes showing up in quarterly reports will lead to discussions with the firms to clarify the drivers of the changes.

All banks are required to inform APRA of any changes to trading book policy statements and if there are any material changes to risk measurement and management systems, internal models or their market risk profiles. (APS 116)
EC2: The supervisor determines that banks’ strategies, policies and processes for the management of market risk have been approved by the banks’ Boards and that the Boards oversee management in a way that ensures that these policies and processes are implemented effectively and fully integrated into the banks’ overall risk management process.
Description and findings re EC2: As with all major risks, under CPS 220 the board of directors is responsible for the institution’s risk management framework and the oversight of management in executing the board-approved policies and procedures. The board is expected to set a risk appetite within which it expects management to operate and to approve the firm’s risk appetite statement and risk management framework. Senior management is expected to monitor and manage all material risks consistent with the firm’s strategic objectives and risk appetite.

Supervisors assess board and management awareness of market risk issues and the quality and appropriateness of management information systems and reporting. Internal guidance requires supervisors to assess how board and management articulate processes they need to stay informed of issues and how the board ensures that market risks are well-understood and monitored. Board and relevant committee reports from risk management and other relevant areas (e.g., internal and external audit) and the overall risk governance framework are routinely reviewed as part of ongoing supervision assessments. Supervisors also meet with the boards of major banks on an annual basis and discussions include material risk management issues.

Under APS 116, the board is responsible for approving strategies and policies specific to market risk and ensuring that senior management takes the steps necessary to monitor and control these risks. In particular, the board, or a board committee, is required to ensure that a firm has in place adequate systems to identify, measure and manage market risk, including identifying related responsibilities, providing adequate separation of duties and avoiding conflicts of interest.

Onsite prudential reviews involving market risk and model specialists include detailed supervisory review of relevant areas such as market risk appetite (and limit framework), board and management awareness, governance structure and delegated authorities, policy and procedures, reporting to management and the board and the escalation of material breaches to the board.
EC3: The supervisor determines that the bank’s policies and processes establish an appropriate and properly controlled market risk environment including:
  • (a) effective information systems for accurate and timely identification, aggregation, monitoring and reporting of market risk exposure to the bank’s Board and senior management;

  • (b) appropriate market risk limits consistent with the bank’s risk appetite, risk profile and capital strength, and with the management’s ability to manage market risk and which are understood by, and regularly communicated to, relevant staff;

  • (c) exception tracking and reporting processes that ensure prompt action at the appropriate level of the bank’s senior management or Board, where necessary;

  • (d) effective controls around the use of models to identify and measure market risk, and set limits; and

  • (e) sound policies and processes for allocation of exposures to the trading book.

Description and findings re EC3: APRA requires firms to have management information systems (MIS) that are adequate under normal circumstances, and in periods of stress, for measuring, assessing and reporting on all material risks across the institution. Risk management policies that include a limit framework must be approved by the board. All banks with trading operations are expected to have a clearly articulated risk appetite statement supported by relevant market risk limits that are consistent with the risk appetite. Banks’ MIS are expected to include exception tracking and prompt action to address over-limit exposures. Banks are required to inform APRA if there are material changes to the limit framework and the RAS (at least annually).

APRA prudential reviews include an assessment of market risk limit frameworks relative to the size, complexity and risk profile of the bank, the nature and frequency of limit breaches, reporting to management and the board, including the escalation of material limit breaches to the board.

Onsite and offsite work is used to assess the bank’s inherent market risk (which is done as part of PAIRS) and adequacy of related risk management and controls. This includes review of both qualitative and quantitative risk management practices, including models used to identify and measure market risk and limitations of these models.
EC4: The supervisor determines that there are systems and controls to ensure that banks’ marked-to-market positions are revalued frequently. The supervisor also determines that all transactions are captured on a timely basis and that the valuation process uses consistent and prudent practices, and reliable market data verified by a function independent of the relevant risk-taking business units (or, in the absence of market prices, internal or industry-accepted models). To the extent that the bank relies on modeling for the purposes of valuation, the bank is required to ensure that the model is validated by a function independent of the relevant risk-taking business units. The supervisor requires banks to establish and maintain policies and processes for considering valuation adjustments for positions that otherwise cannot be prudently valued, including concentrated, less liquid, and stale positions.
Description and findings re EC4: APRA supervisors assess information systems, procedures and controls around trade capture, collection of market rates, valuation methodologies, and valuation reserves as part of their onsite reviews of market risk. Supervisors review information on valuation governance, valuation policies, recent minutes and reporting for the group responsible for valuation oversight, relevant internal audit reports, and reports on valuation adjustments and reserves. Reviews will also assess whether, as per APS 111 requirements (covering the use of fair values), institutions have effective independent price verification processes and that all valuation and risk models are independently validated.

APS 116 requires firms to:
  • have policies for valuation methodologies including the treatment of illiquid instruments in the trading book and policies for reserves or provisions to be held against mark-to-market P&L;

  • have policies governing the trading book that cover the extent to which valuations can be validated externally in a consistent manner. This covers the source of rates used and the independent verification of those rates, and the independent validation of valuation models that are used for financial reporting and risk measurement purposes; and

  • actively monitor market liquidity of trading positions, including assessments of the quality and availability of market inputs to the valuation process.

EC5: The supervisor determines that banks hold appropriate levels of capital against unexpected losses and make appropriate valuation adjustments for uncertainties in determining the fair value of assets and liabilities.
Description and findings re EC5: APRA assesses banks’ capital adequacy through the setting of the PCR, which includes an assessment of banks’ ICAAP, actual capital relative to required regulatory capital and an assessment of inherent risks relative to risk management and controls. Each of these requires an assessment of capital relative to risks and potential losses, with the latter of the three considering firms’ controls and mitigation processes in place to guard against unexpected or outsized losses.

APRA’s regulatory capital requirements for market risk exposures were viewed as compliant with the Basel framework during the RCAP assessment in 2014. Practices have not changed significantly since that review.

APRA’s market risk specialists review regulatory reports on a quarterly basis to assess reported capital against requirements and to confirm that any material changes to the market risk capital requirement for banks using advanced and standardized approaches are clearly understood and make sense. Any questions that arise would be raised with the frontline supervisors or, if viewed as warranted, discussed with the staff at the firms.

They also conduct regular technical reviews of any changes made to internal models by the banks. APRA approval is required for all material changes. Banks using advanced approaches are required to have policies outlining their definition of a material model change and model issues/limitations. Model changes are generally discussed as part of regular meetings with representatives at the firms.

APRA supervisors collect data on fair value measures for assets classified as Level 1, 2, and 3 under the standard fair value definitions. Level 3 assets are a relatively small share of assets. Where there is a high level/share of Level 3 assets, APRA can, following a review if warranted, require the ADI to make valuation adjustments and/or increase the firm’s capital requirements.
EC6: The supervisor requires banks to include market risk exposure into their stress testing programs for risk management purposes.
Description and findings re EC6: Under APS 116, APRA requires that an ADI must have a routine and robust program of stress testing as a supplement to the risk analysis based on the day-to-day output of the risk measurement model. The results of stress testing exercises must be used in the internal assessment of capital adequacy and reflected in the policies and limits set by management and the board, or board committee. The results of stress testing must be routinely communicated to senior management and, periodically, to the ADI’s board, or a board committee.

The use of scenario analysis and stress testing and its integration with risk management practices and internal ADI assessments of needed capital buffers are assessed as part of onsite reviews and regular ongoing supervision, including market risk-specific reviews and reviews of a firm’s ICAAP. APRA supervisors are expected to review market risk stress testing reports provided to management and committees of boards of directors on a periodic basis.

Banks approved to use internal models to calculate regulatory capital requirements are required by APRA to carry out stress tests in a format specified by APRA on a quarterly basis. These stress tests generally use a shock of a matrix of price and volatility movements for risk factors on a stand-alone basis within each significant asset class. Outcomes are assessed as part of the quarterly review of regulatory reporting conducted by market risk and models specialists.

Expectations with respect to the use of stress testing for market risk differ across institutions and are based on the size, nature and complexity of a firm’s trading exposures.
Assessment of Principle 22: Compliant
Comments: APRA has a solid set of processes with respect to market risk management and assessors observed that staff in this area had a strong understanding of the key issues with respect to measuring and managing exposures related to trading activities. Supervisors routinely monitor market risk positions/exposures, review firms’ models for calculating market-risk and counterparty credit exposure related capital needs, banks’ related stress-testing output, risk appetite statements and exposures against board-approved limits.
Principle 23: Interest rate risk in the banking book. The supervisor determines that banks have adequate systems to identify, measure, evaluate, monitor, report, and control or mitigate interest rate risk66 in the banking book on a timely basis. These systems take into account the bank’s risk appetite, risk profile, and market and macroeconomic conditions.
Essential criteria
EC1: Laws, regulations or the supervisor require banks to have an appropriate interest rate risk strategy and interest rate risk management framework that provides a comprehensive bank-wide view of interest rate risk. This includes policies and processes to identify, measure, evaluate, monitor, report and control or mitigate material sources of interest rate risk. The supervisor determines that the bank’s strategy, policies and processes are consistent with the risk appetite, risk profile and systemic importance of the bank, take into account market and macroeconomic conditions, and are regularly reviewed and appropriately adjusted, where necessary, with the bank’s changing risk profile and market developments.
Description and findings re EC1: The main qualitative requirements in relation to establishing an appropriate risk management framework and processes for Interest Rate Risk in the Banking Book (IRRBB) are derived from the general requirements of APRA prudential standard CPS 220. As per CPS 220, an APRA-regulated institution’s RMF must, at a minimum, include amongst other things, a risk management strategy and policies and procedures supporting clearly defined and documented roles, responsibilities and formal reporting structures for the management of material risks. CPS 220 states that an APRA-regulated institution must maintain an appropriate, clear and concise risk appetite statement for the institution that addresses the institution’s material risks. The Board is responsible for setting the risk appetite of the institution and must approve the institution’s risk appetite statement. For more details, see CP15.

IRRBB for advanced approaches banks is specifically addressed by APS 117—Capital Adequacy: Interest Rate Risk in the Banking Book. APRA approaches IRRBB as a Pillar 1 risk under the Basel II framework and requires banks using advanced approaches to hold capital against IRRBB. Based on APS 117, an ADI that has sought model approval from APRA to use an internal ratings-based approach to credit risk or an advanced measurement approach to operational risk must also apply for model approval to use an internal model approach to IRRBB for Regulatory Capital purposes. An ADI that has received model approval may rely on its own internal estimate based on the approved model of IRRBB for determining its IRRBB capital requirement.

An ADI must be able to demonstrate that its IRRBB capital requirement, as determined by its internal model, meets a soundness standard based on a 99 percent confidence level and a one-year holding period (the soundness standard). Capital needs must be calculated against repricing risk, yield curve risk, and, unless specifically exempted by APRA, basis and optionality risks.

For standardized banks, IRRBB is addressed through APS 110, which requires that a bank have adequate systems and procedures to identify, measure, monitor and manage the risks arising from the bank’s activities on a continuous basis to ensure that capital is held at a level consistent with the bank’s risk profile. IRRBB is a material risk for all banks and it is expected that all will meet this standard. While not formally subject to APS 117, APRA still expects standardized banks to conform to the general principles for interest rate risk measurement, management and monitoring that are outlined in APS 117.

As with all key risks facing a firm, the principles and requirements of CPS 220 apply to IRRBB. As noted throughout, CPS 220 requires that an APRA-regulated institution maintain a risk management framework that enables it to develop and implement strategies, policies, procedures and controls to manage its material risks. It is the responsibility of the board to ensure this is in place. The framework must be subject to periodic independent review.

Where applicable, APRA monitors IRRBB exposures at the Level 2 consolidation.

Banks are required to submit form ARF 117, ‘Repricing Analysis’, as appropriate, on a quarterly basis. ARF 117 breaks out the repricing gap into 14 different time buckets and 35 different categories of assets and liabilities, separately for each currency. This submission contains a range of information on IRRBB for both advanced and standardized banks. Specifically, it includes data on repricing and yield curve (RYC) risk, basis risk, optionality risk and embedded gains and losses. A key metric applied in APRA’s analysis is economic value sensitivity (EVS), with a requirement to assess the impact of a +/- 200 basis point parallel shift in the curve, which all firms must report. Firms are also expected to internally assess the earnings impact related to net interest income (NII) from a change in interest rates. Firms are not required to report the NII impact to APRA, but APRA will consider NII models and management practices when reviewing a firm’s interest rate risk framework.

Market risk specialists review reported regulatory data on a quarterly basis to assess changes in IRRBB risk profile and to identify outliers from an IRRBB risk exposure perspective. This reporting is shared with frontline supervisors to inform supervisory action plans.

Onsite prudential reviews are undertaken at both advanced and standardized banks to assess IRRBB risk management in particular, and Asset and Liability Management (ALM) practices more generally. Prudential reviews are conducted by frontline supervisors with support from market risk and models specialists.

APRA also monitors IRRBB across the industry. The Market Risk and Models team prepares a quarterly report that summarizes and analyses the quarterly data submissions from all ADIs across the industry.
EC2: The supervisor determines that a bank’s strategy, policies and processes for the management of interest rate risk have been approved, and are regularly reviewed, by the bank’s Board. The supervisor also determines that senior management ensures that the strategy, policies and processes are developed and implemented effectively.
Description and findings re EC2: APS 117 addresses the responsibilities of the board and senior management with respect to IRRBB. It states that the board must include IRRBB in the setting of its risk appetite, and have board-approved IRRBB exposure limits. The board or a board committee is expected to be actively involved in the oversight of the bank’s approach to managing IRRBB, as with all material risks. CPS 220 requires board approval of all major risk policies and active board oversight of associated risk management systems, processes and risks. APRA expects board approval and oversight of strategy, policies and processes for risk identification, measurement, monitoring and control of IRRBB, at ADIs where it is a material risk.

APRA’s internal supervisory guidance outlines the areas to be reviewed when assessing IRRBB, particularly when undertaking onsite reviews. These include seeking evidence that the board approves, and periodically reviews, the risk appetite for interest rate risk, the interest rate risk strategy and policies and processes for the identification, measurement, monitoring and control of interest rate risk.

Supervisors are also expected to assess if management ensures that the interest rate risk strategy, policies and processes are developed, implemented and aligned with the firm’s risk appetite. These assessments will typically be informed by reviews of board or board committee meeting minutes and associated papers as well as the reporting used by management and the board to monitor and oversee interest rate risk.
EC3: The supervisor determines that banks’ policies and processes establish an appropriate and properly controlled interest rate risk environment including:
  • (a) comprehensive and appropriate interest rate risk measurement systems;

  • (b) regular review, and independent (internal or external) validation, of any models used by the functions tasked with managing interest rate risk (including review of key model assumptions);

  • (c) appropriate limits, approved by the banks’ Boards and senior management, that reflect the banks’ risk appetite, risk profile and capital strength, and are understood by, and regularly communicated to, relevant staff;

  • (d) effective exception tracking and reporting processes which ensure prompt action at the appropriate level of the banks’ senior management or Boards where necessary; and

  • (e) effective information systems for accurate and timely identification, aggregation, monitoring and reporting of interest rate risk exposure to the banks’ Boards and senior management.

Description and findings re EC3: The standards for measuring regulatory capital for IRRBB, as well as other related requirements for advanced approaches banks, are covered in APS 117. APG 117 provides details on the expectations for meeting those standards. Key expectations detailed in APS 117 cover:
  • IRRBB measurement system track record—including back-testing;

  • data required for IRRBB measurement and reporting, and supporting data policies;

  • requirements for the internal models approach;

  • modelling repricing and yield curve risks—the key metrics used;

  • modelling basis and optionality risks—required unless given a specific exemption;

  • material model change policy—all IRRBB internal model changes must be approved by APRA;

  • calculating the IRRBB capital requirement—99 percent confidence, 1-year holding period;

  • the use of stress testing for IRRBB; and

  • requirements for model validation and an independent triennial review.

Supervisors expect standardized banks to have “adequate systems and procedures to identify, measure, monitor, and manage the risks arising from the bank’s activities on a continuous basis, commensurate with the size and complexity of the risks faced by the bank.”

Assessments of IRRBB measurement and control processes occur through normal supervisory activities, including offsite analyses and onsite prudential reviews. In-depth onsite reviews of banks’ RMFs for IRRBB are generally conducted with greater frequency for banks using the advanced approaches, larger standardized banks and standardized banks which have been identified by supervisors as having a higher IRRBB risk profile (which is identified through quarterly reviews of ARF 117) or weak risk management practices.

Reviews of banks’ interest rate RMFs will generally look at:
  • risk appetite and the associated limit framework;

  • data and systems used for measurement and management;

  • governance structure, management function and resourcing;

  • policy framework and procedures;

  • risk measurement (both earnings and economic value perspective);

  • stress testing practices;

  • monitoring, reporting and escalation of limit excesses; and

  • transfer pricing.

Risk models and measurement systems are required to measure IRR exposures against board or Asset-Liability Committee (ALCO) approved limits. The technical review of IRRBB models is conducted by APRA market risk and models specialists and all material changes to internal models used for the IRRBB capital requirement must be approved by APRA.

Supervisors assess whether model assumptions are documented and periodically approved by the board or ALCO. Particular attention is directed to the sensitivity of assumptions to a change in customer behavior in response to market rate changes and to behavioral assumptions such as the repricing assumptions used for loans and noninterest-bearing deposits. Models are required to be subject to periodic validation.

Supervisors expect banks to demonstrate that an effective and approved limit framework exists which is consistent with the board’s approved risk appetite, and that the limit framework does not expose a bank to excessive levels of risk either in terms of capital or earnings volatility. Limits are expected to be communicated to and understood by all relevant staff. Limit excesses are expected to be transparent and addressed in a timely manner. Reporting lines are expected to foster escalation, and responsibilities in the face of exceptions should be clear. The ALCO (or similar governance committee) is expected to exercise due oversight and receive regular reporting on IRRBB risk exposures and management issues.
EC4: The supervisor requires banks to include appropriate scenarios into their stress testing programs to measure their vulnerability to loss under adverse interest rate movements.
Description and findings re EC4: Advanced approaches firms are required to stress test for IRRBB (APS 117). This must include consideration of the impact of a breakdown in key modelling assumptions, as well as the use of scenarios covering sudden unexpected changes in the level of interest rates and in the shape and slope of the yield curve. Stress testing results must be communicated to senior management and the Board or a Board committee.

APRA supervisors review interest rate risk models to measure the IRR exposure of the balance sheet under stressful scenarios against board-approved stress-based limits. This may include stressing the balance sheet profile to changes in assumptions of the model, product mismatches in certain time periods, range of shocks to market rates, changes in loan prepayment factors and deposit retention rates.

For standardized banks there is no specific IRRBB stress testing requirement.

All banks are required to report ARF 117 which includes, among other things, the impact of a ±200 basis point parallel move in rates on the banking book. Supervisors are expected to review ARF 117 reporting.

IRRBB scenarios were also considered as part of the 2017 industry stress test conducted by APRA.
Additional criteria
AC1: The supervisor obtains from banks the results of their internal interest rate risk measurement systems, expressed in terms of the threat to economic value, including using a standardized interest rate shock on the banking book.
Description and findings re AC1: As noted above, APS 117 requires that firms using internal models for determining IRRBB capital specifically measure the maximum potential change in economic value as a consequence of changes in interest rates, at a 99 percent confidence level and over a one-year holding period. The capital charge for IRRBB is regularly reported to, and reviewed by, APRA supervisors.

All banks must report the impact of a ±200bp parallel move in the curve in quarterly submissions of ARF 117.
AC2: The supervisor assesses whether the internal capital measurement systems of banks adequately capture interest rate risk in the banking book.
Description and findings re AC2: APS 110 requires banks to have an Internal Capital Adequacy Assessment Process (ICAAP) that is meant to ensure that capital is sufficient given a bank’s risk profile. IRRBB is expected to be covered in a bank’s ICAAP. APRA regularly reviews banks’ ICAAPs as part of normal supervisory activity and the assessment is a key input into setting a bank’s PCR and in deriving a PAIRS rating.

APRA uses the reported results of the ±200bp parallel shift in the curve (reporting form ARF 117) to identify outlier firms for which additional supervisory attention may be warranted. Banks identified as outliers need to demonstrate why the results of this standardized measure do not apply in their case and to provide details and justification for the use of alternative measures. The outcomes of these processes will influence APRA’s risk assessment and PAIRS.

Market risk and models specialists assess internal economic capital models of advanced approaches banks for IRRBB and explore the methodology and main differences relative to the models used for regulatory capital purposes.
Assessment of Principle 23: Compliant
Comments: APRA has guidance on interest rate risk management and banks are expected to capture interest rate risk in their ICAAP. IRRBB is captured in regulatory capital requirements as a Pillar 1 element for banks using advanced approaches. As with market risk, supervisors carry out a range of activities in this area including monitoring and analysis and reviews. Extensive prudential reporting is required and supports ongoing monitoring efforts.
Principle 24: Liquidity risk. The supervisor sets prudent and appropriate liquidity requirements (which can include either quantitative or qualitative requirements or both) for banks that reflect the liquidity needs of the bank. The supervisor determines that banks have a strategy that enables prudent management of liquidity risk and compliance with liquidity requirements. The strategy takes into account the bank’s risk profile as well as market and macroeconomic conditions and includes prudent policies and processes, consistent with the bank’s risk appetite, to identify, measure, evaluate, monitor, report and control or mitigate liquidity risk over an appropriate set of time horizons. At least for internationally active banks, liquidity requirements are not lower than the applicable Basel standards.
Essential criteria
EC1: Laws, regulations or the supervisor require banks to consistently observe prescribed liquidity requirements including thresholds by reference to which a bank is subject to supervisory action. At least for internationally active banks, the prescribed requirements are not lower than, and the supervisor uses a range of liquidity monitoring tools no less extensive than, those prescribed in the applicable Basel standards.
Description and findings re EC1: Liquidity requirements for ADIs are set out in Prudential Standard APS 210 Liquidity (APS 210). Prudential Practice Guide APG 210 Liquidity sets out supplementary guidance on APRA’s view of sound practice. APS 210 requires ADIs to have a framework to measure, monitor and manage liquidity corresponding to the nature, scale and complexity of operations.

Consistent with the Basel liquidity framework, APRA requires large and more complex ADIs to maintain an LCR of at least 100 percent, absent a situation of financial stress, and an NSFR of at least 100 percent.

For smaller and less complex ADIs, APRA may determine an ADI as a Minimum Liquidity Holding (MLH) ADI. Under this regime, an ADI must hold a minimum of nine percent of its liabilities in specified liquid assets. APS 210 defines liabilities in this context as total on-balance sheet liabilities and irrevocable commitments.

According to APRA, the LCR versus MLH determination is based on the ADI’s size and complexity with respect to liquidity risk. While there are no fixed triggers, large and complex ADIs are designated as LCR ADIs. To assess complexity, APRA considers the ADI’s business model, funding sources and international activities.

An RCAP assessment of Basel III LCR regulations was performed in October 2017. It assessed APRA’s LCR rules as ‘compliant’ in terms of consistency and application of the Basel minimum requirements. The components of the LCR for liquidity outflows, liquidity inflows, and the LCR disclosure requirements were assessed as compliant while the other component, high quality liquid assets (HQLA), was assessed as largely compliant (LC). This is because APRA allows the inclusion of all securities eligible for market operations with the RBNZ (a jurisdiction which has not implemented the LCR regime) to be counted towards HQLA notwithstanding that some of these securities would not meet the requirements of HQLA in the Basel LCR standard.

APRA has chosen to apply the NSFR to ADIs to which the LCR applies, which are larger, more complex ADIs that generally access international capital markets to fund a portion of funding requirements. In the interests of efficiency and minimizing regulatory burden, the NSFR is not applicable to smaller ADIs with simple business models.

APRA’s NSFR rules comply with Basel principles with adjustments to appropriately reflect Australian conditions. While the available stable funding (ASF) and required stable funding (RSF) factors prescribed by APRA are consistent with the Basel framework, APRA has used national discretion in the following areas, as allowed under the Basel framework:
  • interdependent assets and liabilities may be recognized on a case-by-case basis based on an ADI demonstrating to APRA’s satisfaction that the criteria are met in full and there are no perverse incentives or unintended consequences that would result from recognition of assets and liabilities as interdependent; and

  • treatment of certain off-balance sheet exposures, particularly the application of a 1 percent Required Stable Funding (RSF) factor for unconditionally revocable credit and liquidity facilities and an RSF factor of 100 percent to trade finance related obligations and guarantees and letters of credit unrelated to trade finance obligations using the actual net outflows for these obligations in the most recent 12-month period.

APRA collects information and monitors an ADI’s liquidity through a number of metrics which are consistent with Basel requirements/principles/guidance including: contractual maturity mismatch; available unencumbered assets; LCR by significant currency; and concentration of funding.

APRA’s suite of liquidity reporting forms has recently been updated, with an effective date of January 1, 2018. The primary changes to the liquidity reporting forms are to include the NSFR, add HQLA 2B to the LCR reporting forms, and enhance daily liquidity reporting requirements.

APRA liquidity reporting comprises an all currency LCR which includes significant currency HQLA/outflows/inflows (ARF 210.1A), Australian dollar LCR (ARF 210.1B), spot contractual funded balance sheet maturity (ARF 210.3) and a funded balance sheet forecast (ARF 210.4). APRA also collects information relating to ADIs’ large liability exposures (ARF 210 from 1 January 2018).

In addition, funding concentrations are assessed as part of routine supervision, primarily during onsite prudential reviews.

APRA’s DA team produces a Market and Economic toolkit to assist supervisors to identify and assess entity specific risks and monitor risks on a regular basis.

Intra-day liquidity management is primarily the responsibility of the RBA which has put in place robust reporting and monitoring processes. In addition, APRA requires ADIs to explicitly consider intraday liquidity risk in formulating their liquidity management strategy and contingency funding plans in accordance with APS 210 and APG 210. These requirements are monitored through regular liquidity meetings, generally quarterly for larger, complex ADIs and during onsite prudential reviews, albeit less frequently, in the case of smaller ADIs.
EC2: The prescribed liquidity requirements reflect the liquidity risk profile of banks (including on- and off-balance sheet risks) in the context of the markets and macroeconomic conditions in which they operate.
Description and findings re EC2: APRA’s liquidity regime takes into account the size and the complexity of ADIs including the liquidity risk they pose to the system. In particular:
  • larger, more complex locally incorporated ADIs are required to maintain LCR and NSFR ratios above 100 percent;

  • less complex, smaller domestic and foreign ADIs have been approved to use the MLH regime (as outlined in EC1);

  • MLH ADIs are not subject to the NSFR prudential requirement; nevertheless, they are still required to ensure that their activities are funded with stable sources of funding (APS 210); and

  • a modified liquid assets requirement (40 percent LCR) applies to foreign ADIs. This recognizes that a foreign ADI is able to place reliance on the liquidity of the broader banking group of which it forms a part.

Further, APS 210 states that an ADI must maintain a liquidity risk management framework commensurate with the level and extent of liquidity risk to which the ADI is exposed from its activities. It also requires ADIs to have a robust framework for comprehensively projecting cash flows arising from assets, liabilities and off-balance sheet items.

The liquidity requirements in APS 210 are tailored to the Australian market and macroeconomic environment. This includes setting a Committed Liquidity Facility (CLF) in conjunction with the RBA, to cover any shortfall between available HQLA and net cash outflows. APRA supervisors and support teams undertake a continual review of market developments, changes in financial market conditions as well as changes in risk management practices of an entity. Where warranted, a range of measures are available to APRA, including: increasing minimum liquidity requirements; or imposing enhanced liquidity reporting requirements through ARF 210.5 and additional reporting for larger institutions during periods of volatile funding markets.

APRA has also set up an alternative liquidity assets regime (option 1 under Basel guidance), the CLF, in conjunction with the RBA, which can be counted towards the regulatory requirement. See below for further details of the CLF.

CLF

APRA’s liquidity framework defines Australian dollar HQLA to include government securities and semi-government and central bank liabilities. The supply of HQLA securities in Australian dollars is insufficient to meet aggregate demand for liquid assets under the LCR. This is primarily due to a relatively low level of government debt at less than circa 40 percent of total GDP and 15 percent of total ADI assets.

The RBA commits to provide pre‑specified amounts of Australian dollar liquidity to ADIs against a range of assets under repurchase agreement. This commitment is subject to the ADI having positive net worth. The facility is provided for a fee of 15 basis points. CLF eligible assets include all debt securities accepted for the RBA’s market operations.

Based on a rigorous review process by APRA, the size of the CLF commitment for the covered ADIs is determined on an annual basis. Supervisors and the specialist liquidity risk team undertake an assessment of ADIs’ funding plans under various scenarios and their fit with strategic and business plans, and ensure that the ADI has taken ‘all reasonable steps’ to minimize its CLF through its own balance sheet management. APRA will only grant the full amount of CLF applied for where it is satisfied with the ADI’s proposed actions.

The total CLF requirement of the Australian banking system is also determined on a yearly basis and is based on the RBA’s assessment of government and semi-government securities that can reasonably be held by ADIs without unduly affecting market functioning. As the CLF alone will not allow an LCR ADI to meet its minimum 100 percent LCR requirement, an LCR ADI must also hold HQLA. Foreign ADIs are not eligible for CLF and are required to meet a 40 percent LCR.
EC3: The supervisor determines that banks have a robust liquidity management framework that requires the banks to maintain sufficient liquidity to withstand a range of stress events, and includes appropriate policies and processes for managing liquidity risk that have been approved by the banks’ Boards. The supervisor also determines that these policies and processes provide a comprehensive bank-wide view of liquidity risk and are consistent with the banks’ risk profile and systemic importance.
Description and findings re EC3: APRA’s expectations with respect to the liquidity risk management framework (LRMF) of an ADI are set out in APS 210, and relate to the adequacy and appropriateness of the framework, its integration into the ADI’s overall risk management process and various aspects of the management of liquidity risk within an ADI.

Under CPS 220 an ADI is required to develop and implement strategies, policies, procedures and controls to manage different types of material risks including liquidity and provide the Board with a comprehensive institution-wide view of material risks. CPS 220 mandates that for all material risks including liquidity risk, ADIs should:
  • maintain an RMF that is appropriate to the size, business mix and complexity of the institution or group, as relevant;

  • maintain a Board approved risk appetite statement;

  • maintain a Board approved risk management strategy that describes the key elements of the risk management framework that give effect to the approach to managing risk;

  • maintain a Board approved business plan that sets out the approach for the implementation of the strategic objectives of the institution or group; and

  • undertake a comprehensive review, every three years, to ensure that RMF remains relevant.

APG 210 provides further guidance on implementation of the various elements of the framework. APRA’s supervision framework provides guidance to supervisors on the assessment of inherent liquidity risks and the liquidity risk management framework including governance and oversight, policies and procedures, limits and triggers, scenario analysis, contingency arrangements and any review findings from internal/external audit. This guidance assists APRA supervisors in assessing and rating liquidity risk and related management and controls.

Supervisors ensure that an ADI’s RMF, including the framework for funding and liquidity risk, remain relevant, appropriate and consistent with the risk appetite through regular engagement through the year and periodic onsite visits and liquidity risk reviews. During liquidity risk reviews supervisors focus on (not an exhaustive list): funding; LCR assumptions; liquidity risk appetite and limits; contingency funding arrangements; the treasury function; liquidity reporting and data quality; and the adequacy of controls under the three lines of defense.

To assess the adequacy of the LRMF, supervisors also review internal and/or external audit for an ADI’s compliance with, and the effectiveness of, the RMF of the entity/group under CPS 220. The supervisors also examine the comprehensive review of the appropriateness, effectiveness and adequacy of the entity/group’s RMF by an operationally independent, appropriately trained and competent person every three years as required under CPS 220.

APRA coordinates stress tests which include funding and liquidity stresses to assess the resilience of the entity/industry, and outputs from this exercise inform APRA supervisors of the liquidity resilience of the entities. Stress tests for ADIs are held at least annually. APRA’s DA team keeps a close watch on industry trends and risks. APRA’s dedicated liquidity risk specialist team has undertaken a number of industry thematic reviews. Heightened industry risks are captured through SAPs and subject to supervisory activities. These processes assist APRA’s frontline supervisors to assess whether ADIs have a robust liquidity management framework consistent with the ADIs’ risk profile and systemic importance.
EC4: The supervisor determines that banks’ liquidity strategy, policies and processes establish an appropriate and properly controlled liquidity risk environment including:
  • (a) clear articulation of an overall liquidity risk appetite that is appropriate for the banks’ business and their role in the financial system and that is approved by the banks’ Boards;

  • (b) sound day-to-day, and where appropriate intraday, liquidity risk management practices;

  • (c) effective information systems to enable active identification, aggregation, monitoring and control of liquidity risk exposures and funding needs (including active management of collateral positions) bank-wide;

  • (d) adequate oversight by the banks’ Boards in ensuring that management effectively implements policies and processes for the management of liquidity risk in a manner consistent with the banks’ liquidity risk appetite; and

  • (e) regular review by the banks’ Boards (at least annually) and appropriate adjustment of the banks’ strategy, policies and processes for the management of liquidity risk in the light of the banks’ changing risk profile and external developments in the markets and macroeconomic conditions in which they operate.

Description and findings re EC4: APS 210 requires an ADI to maintain a liquidity risk management framework commensurate with the level and extent of liquidity risk to which the ADI is exposed from its activities. Based on APS 210, the liquidity risk management framework must include, at a minimum: a statement of the ADI’s liquidity risk tolerance, approved by the Board; the liquidity management strategy and policy of the ADI, approved by the Board; the ADI’s operating standards (e.g., in the form of policies, procedures and controls) for identifying, measuring, monitoring and controlling its liquidity risk in accordance with its liquidity risk tolerance; the ADI’s funding strategy, approved by the Board; and a contingency funding plan.

APS 210 also requires the Board to ensure that senior management and other relevant personnel have the necessary experience to manage liquidity risk, and the ADI’s liquidity risk management framework and liquidity risk management practices are documented and reviewed at least annually. The Board must review regular reports on the liquidity position of the ADI and, where necessary, information on new or emerging liquidity risks.

APS 210 requires an ADI’s senior management to: develop a liquidity management strategy, policies and processes in accordance with the Board-approved liquidity tolerance; ensure that the ADI maintains sufficient liquidity at all times; determine the structure, responsibilities and controls for managing liquidity risk and for overseeing the liquidity positions of all legal entities, branches and subsidiaries in the jurisdictions in which the ADI is active, and outline these elements clearly in the ADI’s liquidity policies; ensure that the ADI has adequate internal controls to ensure the integrity of its liquidity risk management processes; ensure that stress tests, contingency funding plans and holdings of liquid assets are effective and appropriate for the ADI; establish a set of reporting criteria specifying the scope, manner and frequency of reporting for various recipients (such as the Board, senior management and the asset/liability committee) including the parties responsible for preparing the reports; establish specific procedures and approvals necessary for exceptions to policies and limits, including escalation procedures and follow-up actions to be taken for breaches of limits; closely monitor current trends and potential market developments that may present significant, unprecedented and complex challenges for managing liquidity risk so that appropriate and timely changes to the liquidity management strategy may be made as needed; and continuously review information on the ADI’s liquidity developments and report to the Board on a regular basis.

APS 210 also requires that the liquidity management strategy include specific policies on liquidity management, such as: the composition and maturity of assets and liabilities; the diversity and stability of funding sources; the approach to managing liquidity in different currencies, across borders, and across business lines and legal entities; and the approach to intraday liquidity management.

APRA supervisors use a variety of offsite and onsite tools to monitor the adequacy and appropriateness of an ADI’s liquidity risk framework. These largely include review of prudential returns submitted to APRA and additional regular/ad-hoc information provided by ADIs on a periodic basis including annual CLF applications, contingency funding plans, risk appetite statements, funding and liquidity policies and procedures, annual funding plans and strategy documents, information requested for prudential and thematic reviews and audit reports.

APRA views the Liquidity Risk Appetite Statement (LRAS) as an important element of an ADI’s LRMF. APS 210 outlines the role of the Board and management in setting liquidity risk tolerances, along with other operational requirements. APRA’s expectations on setting the risk appetite for material risks (including liquidity risk) in the context of the entity’s overall risk management framework are documented in APG 210, CPS 220 and internal supervisory guidance material.

For all ADIs the assessment of an ADI’s liquidity risk appetite (LRA) forms an important component of supervisory assessment. For larger more complex ADIs, supervisory attention on LRA is high due to its role in APRA’s assessment of the ADI’s CLF facility. Supervisors undertake an extensive assessment of Board approved LRASs which ADIs submit annually. They evaluate whether the LRAS of an ADI reflects projected cash flows estimates, perform a ‘sense check’ on the overall LRAS (i.e., is it a binding and meaningful document that outlines the ADI’s appetite for liquidity risk), evaluate whether the LRAS considers metrics around target AUD-LCR and/or all currencies-LCR, consider if the LRASs specify any buffers for the AUD-LCR and/or all currencies and whether the buffer is appropriate in size; assess if the LRAS comments on the ADI’s dependence on the CLF; and ensure that LRAS has coverage related to non-AUD outflows where relevant.

APS 210 requires an ADI to maintain a reliable management information system that provides the board, senior management and other appropriate personnel with timely and forward-looking information on the liquidity position of the ADI. APG 210 further clarifies the requirement for ongoing commitment and investment in adequate and appropriate infrastructures, processes and information collection. APRA supervisors assess the ability of the ADIs’ IT systems through the accuracy and timeliness of their liquidity reporting and through periodic onsite visits. They also rely on APRA’s IT risk specialist resources to evaluate any proposed system changes and how they will affect the ADIs’ ability to measure and monitor liquidity risk.

Supervisors ensure the adequacy of review and oversight by the board through the annual declaration by the board and head of a group under CPS 220 that the ADIs’ policies and procedures to manage all material risks, including funding and liquidity risk, are appropriate to the size and complexity of the business and that its business plans and risk management strategies are aligned to these risks. As part of their regular onsite reviews, supervisors also review the reporting from management to the Board to ensure it contains sufficient information for the Board to understand the risks, the bank’s current positions and mitigations in place.
EC5: The supervisor requires banks to establish, and regularly review, funding strategies, and policies and processes for the ongoing measurement and monitoring of funding requirements and the effective management of funding risk. The policies and processes include consideration of how other risks (e.g., credit, market, operational, and reputation risk) may impact the bank’s overall liquidity strategy, and include:
  • (a) an analysis of funding requirements under alternative scenarios;

  • (b) the maintenance of a cushion of high quality, unencumbered, liquid assets that can be used, without impediment, to obtain funding in times of stress;

  • (c) diversification in the sources (including counterparties, instruments, currencies and markets) and tenor of funding, and regular review of concentration limits;

  • (d) regular efforts to establish and maintain relationships with liability holders; and

  • (e) regular assessment of the capacity to sell assets.

Description and findings re EC5: APS 210 requires the ADI to develop and document a three-year funding strategy, which must be provided to APRA on request. The funding strategy must be reviewed and approved by the Board, at least annually, and supported by robust assumptions in line with the ADI’s liquidity management strategy and business objectives.

It must be reviewed and updated, at least annually, to account for, at a minimum, changed funding conditions and/or a change in the ADI’s strategy. An ADI must advise APRA of any material changes to the ADI’s funding strategy.

APS 210 requires ADIs to maintain an ongoing presence in their chosen funding markets and strong relationships with funds providers and regularly gauge their capacity to raise funds quickly. They must identify the main factors that affect their ability to raise funds and monitor those factors closely to ensure that estimates of fund raising capacity remain valid. APS 210 requires an ADI to have a liquidity/funding management strategy in place such that diversity and stability of funding can be maintained. ADI liquidity risk management policies and procedures should formalize limits on funding concentrations. It is a key requirement under APS 210 for an ADI to maintain a robust funding structure under a variety of scenarios. LCR ADIs are required to conduct entity wide stress tests to ensure adequate funding is in place.

Since January 2018, larger, more complex ADIs are required to maintain an NSFR greater than 100 percent. The NSFR regime requires an ADI to maintain a stable funding profile in relation to the composition of its assets and on- and off-balance sheet activities.

Since the previous 2012 Australian FSAP, the funding composition of ADIs has changed considerably. In the lead up to the introduction of NSFR, Australian ADIs have increased their funding from more stable sources such as deposits, equity and long-term wholesale debt, while sourcing a lower share of funding from short-term wholesale markets.

Regulatory changes have also resulted in certain macro level changes in the Australian market place. For instance, 30-day bank bills, which accounted for a quarter of ADI funding, have disappeared as a funding source as they generate a 100 percent LCR requirement, hence not providing any stable funding.

While retail deposit raising strategies are important, in practice APRA observes that ADIs, particularly large ADIs, will maintain relationships with wholesale investors either directly or indirectly through their program lead managers and dealer panels. More generally, ADIs will search out potential new investor segments in order to broaden their investor universe for future debt issues.

APS 210 requires ADIs to have a robust framework in place to project cash flows arising from assets and liabilities. As discussed in EC7, the framework mandates a variety of stress tests to be undertaken by ADIs to test their ability to function under various stress scenarios which would require the sale of assets. The Australian regulation does not include the condition that ADIs periodically monetize a sample of HQLA in order to test access to the market and minimize the risk of negative signaling during a period of actual stress. However, this may not be material given that about half of HQLA (excluding the CLF) is denominated in Australian dollars and frequently repo-ed with the RBA. Of the non-Australian dollar denominated and foreign central bank balance HQLA, approximately 77 percent is comprised of zero percent risk weighted securities issued by a foreign sovereign which can be repo-ed with the local central bank.

Supervisors assess ADIs’ adherence to APRA requirements through regulatory reporting under the ARF 210 suite of reports and through additional management reports which are regularly requested from larger, more complex institutions.

For domestic LCR ADIs, supervisors commonly use the annual CLF assessment process to conduct any thematic analysis deemed necessary. For example, the latest CLF process included the collection of additional details for the LCR treatment of derivatives and operational deposits. Supervisors and liquidity risk specialists often question and challenge the assumptions put forward by ADIs during the engagement with ADIs which follows these assessments.

For all ADIs, funding policies and practices are assessed during the review of pre-visit material submitted by ADIs for their periodic prudential reviews and extensively discussed during the onsite meetings. Supervisors typically use the periodic (often quarterly) face to face liquidity meetings with ADIs to discuss an ADI’s latest wholesale funding initiatives and the extent of an ADI’s debt investor relationship management activities. ADIs’ funding and investor engagement is also discussed on an on-going basis.

APRA, in conjunction with the RBA, regularly (annually for ADIs) coordinates industry stress tests to assess the vulnerabilities of the entity and system. These tests are used as a forward-looking analytical tool, aimed at understanding and managing prudential risks including funding and liquidity. Through the results of these tests, supervisors assess any interconnections and linkages of funding risks with other risks. They ensure that such risks are also well understood and incorporated in the funding strategies and policies through post-testing engagement and discussions with the ADIs.
EC6: The supervisor determines that banks have robust liquidity contingency funding plans to handle liquidity problems. The supervisor determines that the bank’s contingency funding plan is formally articulated, adequately documented and sets out the bank’s strategy for addressing liquidity shortfalls in a range of stress environments without placing reliance on lender of last resort support. The supervisor also determines that the bank’s contingency funding plan establishes clear lines of responsibility, includes clear communication plans (including communication with the supervisor) and is regularly tested and updated to ensure it is operationally robust. The supervisor assesses whether, in the light of the bank’s risk profile and systemic importance, the bank’s contingency funding plan is feasible and requires the bank to address any deficiencies.
Description and findings re EC6: APS 210 requires an ADI’s Board and senior management to ensure that its LRMF includes a contingency funding plan (CFP) that sets out strategies for addressing shortfalls in stressed situations. The plan should:
  • be commensurate with its complexity, risk profile, scope of operations and role in the financial systems in which it operates;

  • articulate available contingency funding sources and the amount of funds an ADI estimates can be derived from these sources, including clear escalation/prioritization procedures detailing when and how each of the actions can and must be activated and the lead time needed to tap additional funds from each of the contingency sources;

  • provide a framework with a high degree of flexibility so that an ADI can respond quickly in a variety of situations;

  • include policies to manage a range of stress environments and strategies for addressing liquidity shortfalls in stressed situations, including clear lines of responsibility and clear invocation and escalation procedures;

  • for ADIs with retail operations, seek to ensure that retail depositors may retrieve their deposits in the event of a loss of market confidence in the ADI, as quickly and as conveniently as is practicable in the circumstances; and

  • be reviewed and tested annually or more frequently, if required, and be approved by the board.

APG 210 provides extensive guidance on the operational aspects of an ADI’s CFP. In practice, the CFP is most commonly assessed at the time of onsite reviews undertaken jointly by the supervisory team and the liquidity risk specialists. Supervisors often discuss and engage with the ADI in order to confirm roles and responsibilities, clear escalation paths and the adequacy of the contingency arrangements. Supervisors also ensure that the CFP is being adequately tested as a part of an ADI’s stress testing programme.
EC7: The supervisor requires banks to include a variety of short-term and protracted bank-specific and market-wide liquidity stress scenarios (individually and in combination), using conservative and regularly reviewed assumptions, into their stress testing programs for risk management purposes. The supervisor determines that the results of the stress tests are used by the bank to adjust its liquidity risk management strategies, policies and positions and to develop effective contingency funding plans.
Description and findings re EC7: APRA requires a variety of stress testing regimes to be adopted by the banks in the management of their liquidity risk.

Entity stress tests

Under APS 210, LCR ADIs are also required to conduct stress tests on a regular basis for a variety of short-term and protracted institution-specific and market-wide stress scenarios (individually and in combination) to identify sources of potential liquidity strain and to ensure that current exposures remain in accordance with the ADI’s liquidity risk tolerance.

APG 210 also provides further guidance and states that stress scenarios should cover risks at different levels of granularity; these include customer type, product, business, currency and entity-specific stress events. The materiality of particular business areas and their vulnerability to liquidity stress related conditions will give guidance to the types of scenarios that could be run.

APRA stress tests

APRA, in conjunction with the RBA, coordinates stress tests (approximately once per annum) which aim to assess the vulnerabilities of the system and individual entities. The scope of these tests, which was limited to the larger entities in the past, has been enhanced to include Australian mutual ADIs in the last two years. Foreign ADIs have not so far been included in any such exercise. APRA expects stress test results to inform the ADIs’ approach to all material risks including liquidity management.

APRA stress tests include the impact on the ability of ADIs to fund themselves under periods of protracted stress and the impact on their LCR and NSFR ratios. APRA’s liquidity risk specialists provide their input to the assumptions which underpin the funding and liquidity elements of the stress tests and advise the supervisors with respect to follow-up actions with their entities.

Supervisors use stress test results to guide a number of their supervisory activities such as discussions with the entity, reviews, etc. In particular, the ability of the ADI to conduct and integrate stress tests into its RMF and use the results to guide its funding and liquidity strategies forms a key component of supervisory assessments.

Other supervisory assessments are conducted onsite during periodic reviews when supervisors may engage with treasury and funding staff in face to face discussions to review and challenge the stress test assumptions, their severity and coverage. Liquidity risk specialist teams are also involved during this process.

With respect to smaller and foreign ADIs, supervisors use their discretion in requiring compliance with stress testing requirements based on entity size, its funding profile (i.e., the proportion of parent funding) and inclusion in parent’s stress testing.
EC8: The supervisor identifies those banks carrying out significant foreign currency liquidity transformation. Where a bank’s foreign currency business is significant, or the bank has significant exposure in a given currency, the supervisor requires the bank to undertake separate analysis of its strategy and monitor its liquidity needs separately for each such significant currency. This includes the use of stress testing to determine the appropriateness of mismatches in that currency and, where appropriate, the setting and regular review of limits on the size of its cash flow mismatches for foreign currencies in aggregate and for each significant currency individually. In such cases, the supervisor also monitors the bank’s liquidity needs in each significant currency and evaluates the bank’s ability to transfer liquidity from one currency to another across jurisdictions and legal entities.
Description and findings re EC8: Under APS 210, APRA expects ADIs active in multiple currencies to maintain liquid assets consistent with the distribution of their liquidity needs by currency.

Large and complex Australian ADIs, certain regional ADIs and foreign subsidiary ADIs typically raise funds offshore to meet some of their local funding needs and/or to fund their operations in multiple jurisdictions. ADIs are required to set their own risk appetite with respect to an acceptable level of currency mismatches for each currency in which there is material activity, including a separate analysis of the strategy in each of these currencies taking into account potential constraints in times of stress.

APG 210 further clarifies these expectations. ADIs’ liquidity strategies are expected to take into account a variety of operational restrictions in their ability to liquidate assets in a time of stress, as well as time zone differences, currency conversion risks and the level of government debt issues in the relevant jurisdiction of where this risk resides. ADIs are also expected to undertake stress tests capturing risks including their funding and FX mismatch risks in domestic and offshore locations on a Level 1 and Level 2 basis.

The extent of FX liquidity risk is contained within a limited subset of ADIs. Supervisors look for adequate policies, procedures and frameworks to manage FX risks, in particular, the ability to raise funds in foreign currency markets, the ability to transfer a liquidity surplus from one currency to another and across jurisdictions and legal entities, the likely convertibility of currencies in which the ADI is active (including the potential for impairment or closure of foreign exchange markets for particular currency pairs), and the capacity to manage risks arising from currency mismatches, including from risks of sudden changes in exchange rates or market liquidity, or both, that could materially affect liquidity mismatches and the effectiveness of foreign currency hedges.

Supervisory engagement can take the form of onsite reviews; periodic (usually quarterly) face to face liquidity updates, often supported by liquidity risk specialists; and off site desk reviews such as assessments of the ADIs’ annual application for CLF. This latter process typically includes extensive assessment of the domestic and FX funding profile of the ADIs. Where ADIs have significant offshore operations, APRA conducts onsite reviews which may be targeted towards specific risks facing the operation, including gaining assurance regarding ADIs’ ability to fund themselves in other jurisdictions and manage their FX mismatch risk.
Additional criteria
AC1: The supervisor determines that banks’ levels of encumbered balance-sheet assets are managed within acceptable limits to mitigate the risks posed by excessive levels of encumbrance in terms of the impact on the banks’ cost of funding and the implications for the sustainability of their long-term liquidity position. The supervisor requires banks to commit to adequate disclosure and to set appropriate limits to mitigate identified risks.
Description and findings re AC1: Under the LCR regime covering over 90 percent of Australian ADI assets, ADIs are required to hold unencumbered HQLAs to cover net cash outflows in a 30-day stress event. APS 210 requires these assets to be legally and contractually available. Further, ADIs that make use of the CLF in meeting their LCR are required to have a stock of unencumbered assets as collateral. Requirements around operational separation of encumbered and unencumbered assets are set out in APS 210.

In addition, APS 330 requires locally incorporated ADIs to make certain disclosures to the public to contribute to the transparency of financial markets and to enhance market discipline. There is coverage of encumbered assets through disclosures pertaining to LCR, leverage ratio, and securitization. Where supervisors identify potential risks posed by excessive encumbrances, specific requirements regarding monitoring and reporting of encumbered assets are put in place.
Assessment of Principle 24: Compliant
Comments: Since the last FSAP, APRA has taken many actions to strengthen its capacity, tools, and prudential framework in relation to oversight of liquidity risk. It has established a team of risk specialists dedicated to liquidity risk. It has also implemented the LCR and the NSFR requirements and applied them for large, more complex ADIs.

The October 2017 RCAP confirmed that Australia’s Basel III LCR is overall compliant with Basel requirements. In addition, the prudential framework, particularly APS 210 and APG 210, provides a thorough set of requirements and guidance in relation to liquidity risk management.

APRA front line supervisors usually assess the liquidity risk management framework at banks and follow up with banks on any gap identified during the prudential review. In addition, the liquidity risk specialist team produces quarterly liquidity risk review reports and a dashboard showing the evolution of key liquidity risk metrics and funding metrics, with comparison across banks and an identification of outlier banks.
Principle 25: Operational risk. The supervisor determines that banks have an adequate operational risk management framework that takes into account their risk appetite, risk profile and market and macroeconomic conditions. This includes prudent policies and processes to identify, assess, evaluate, monitor, report, and control or mitigate operational risk67 on a timely basis.
Essential criteria
EC1: Law, regulations or the supervisor require banks to have appropriate operational risk management strategies, policies and processes to identify, assess, evaluate, monitor, report and control or mitigate operational risk. The supervisor determines that the bank’s strategy, policies and processes are consistent with the bank’s risk profile, systemic importance, risk appetite and capital strength, take into account market and macroeconomic conditions, and address all major aspects of operational risk prevalent in the businesses of the bank on a bank-wide basis (including periods when operational risk could increase).
Description and findings re EC1: There is currently no specific prudential standard issued by APRA on operational risk management, although APS 115 Capital adequacy: Advanced Measurement Approaches to Operational Risk covers a number of elements of operational risk management. The main framework established by CPS 220 on risk management applies in relation to operational risk issues, since CPS 220 has identified operational risk as a material risk. APRA requires ADIs to have a framework to identify, measure, evaluate, monitor, control and report on operational risk commensurate with the nature, scale and complexity of their operations.

As per CPS 220, an APRA-regulated institution’s RMF must, at a minimum, include amongst other things, a risk management strategy and policies and procedures supporting clearly defined and documented roles, responsibilities and formal reporting structures for the management of material risks, including operational risk.

APRA Prudential Standard APS 115 on advanced measurement approaches (AMA) to operational risk includes specific requirements related to operational risk management. It requires an ADI with AMA approval to have in place an operational risk management framework that is sufficiently robust to facilitate quantitative estimates of the ADI’s operational risk regulatory capital that are sound, relevant and verifiable. APRA must be satisfied that the ADI’s operational risk management framework is suitably rigorous and consistent with the complexity of the ADI’s business. The ADI will also be required to demonstrate the processes that are undertaken to ensure the operational risk management framework has continued relevance to the ADI’s operations.

The Standard also requires the ADI’s operational risk measurement system to be:
  • conceptually sound, comprehensive, consistently implemented, transparent and capable of independent review and validation; and

  • sufficiently comprehensive to capture all material sources of operational risk across the ADI, including those events that can lead to rare and severe operational risk losses.

APRA’s framework for prudential supervision provides internal guidance to support supervisors in their assessment of operational risk (including IT risk), both the inherent risk factors and related management and controls. Supervisors assess the various components of inherent risks, including history of transaction processing or process management failures, risk of internal and external fraud, and IT system environment and issues. Operational risk management and controls are also assessed, including the board and management oversight, the operational risk framework, internal controls, in addition to business continuity management and outsourcing arrangements.

Supervisors make assessments of operational risk as part of ongoing supervisory activities. The assessment process, depending on the entity and observation by the supervisor, may include onsite prudential reviews which cover operational and IT risks. The regular interaction with the banks’ boards and managers also provides another platform for discussing the operational risk exposure of the bank and operational risk management issues. APRA has dedicated Operational Risk and IT Risk specialists that are available to assist frontline supervisors with supervisory assessments and activities as needed. In performing its activities, APRA focuses, among other things, on the board oversight of operational risk, e.g., the board’s awareness of the firm’s operational risk profile and reporting to the Board on operational risk issues. The outcomes of supervisory activities are incorporated into PAIRS as an input to determining an institution’s overall risk profile.

APRA is planning to develop a prudential standard covering various aspects of operational risk management.
EC2: The supervisor requires banks’ strategies, policies and processes for the management of operational risk (including the banks’ risk appetite for operational risk) to be approved and regularly reviewed by the banks’ Boards. The supervisor also requires that the Board oversees management in ensuring that these policies and processes are implemented effectively.
Description and findings re EC2: As per CPS 220, the board of an APRA-regulated institution is ultimately responsible for the institution’s RMF and the oversight of its operation by management. CPS 220 also requires the board to ensure that senior management monitor and manage all material risks (including operational risk) consistent with the strategic objectives, RAS and policies approved by the board.

The board must make an annual declaration to APRA on risk management (referred to as the risk management declaration) that must satisfy the requirements set out in Attachment A to CPS 220. ADIs must ensure that compliance with, and effectiveness of, the RMF (inclusive of operational risk) is subject to review by internal and/or external audit at least annually. The results of this review must be reported to the institution’s board Audit Committee, the senior officer outside of Australia or Compliance Committee, as relevant. ADIs must ensure that the appropriateness, effectiveness and adequacy of their RMF (inclusive of operational risk) is subject to a comprehensive review by operationally independent, appropriately trained and competent persons at least every three years.

In addition to CPS 220, attachments to APS 115 define the roles and responsibilities of the Board and Senior Management for ADIs implementing AMA. The standard requires an ADI’s Board to be responsible for the overall operational risk profile of the ADI and the ADI’s operational risk management framework. Accordingly, the Board must make clear its appetite for operational risk, including operational risk loss reporting thresholds. The Board or a Board committee must be actively involved in the oversight of the ADI’s approach to managing and measuring operational risk.

The standard also states that an ADI’s operational risk management framework must be approved by the Board, or a Board committee. In the latter case, the committee must have clearly defined responsibilities, operational risk loss thresholds for reporting to the Board and performance obligations. The approved framework must clearly articulate respective responsibilities and reporting relationships. To ensure the continued effectiveness of the operational risk management framework, the standard requires the Board, or Board committee, to ensure that the framework is subject to periodic validation and review by a suitable independent party. It also requires an ADI’s Board, or Board committee, to review operational risk management reports on a regular basis and satisfy itself that this risk is appropriately managed. Senior management must have a thorough understanding of the ADI’s operational risk management framework (to the extent that it relates to risk areas within their responsibilities), be actively involved in its implementation and ensure its effective operation over time.
EC3: The supervisor determines that the approved strategy and significant policies and processes for the management of operational risk are implemented effectively by management and fully integrated into the bank’s overall risk management process.
Description and findings re EC3: As part of its ongoing supervisory activities, APRA routinely assesses the board’s involvement in setting and overseeing an ADI’s operational RMF and profile. Such assessments involve reviewing amongst other things the board’s role in setting risk management strategies, policies and appetite; responsibilities and the effectiveness of, including quality of reporting to, Board risk committees; and oversight processes for the effective implementation of strategies, policies and procedures by management. This work can be done through a range of supervisory activities and processes, particularly onsite prudential reviews.

A range of activities such as walkthroughs, discussions with key personnel and review of evidence are undertaken onsite to gain assurance that operational risk strategies, policies and processes have been effectively implemented and integrated in practice. APRA’s operational risk specialists assist frontline supervisors to make such assessments as needed based on the institutions’ nature, scale and complexity of operations. The outcomes of supervisory activities are captured in PAIRS.
EC4: The supervisor reviews the quality and comprehensiveness of the bank’s disaster recovery and business continuity plans to assess their feasibility in scenarios of severe business disruption which might plausibly affect the bank. In so doing, the supervisor determines that the bank is able to operate as a going concern and minimize losses, including those that may arise from disturbances to payment and settlement systems, in the event of severe business disruption.
Description and findings re EC4: Prudential requirements in relation to disaster recovery and business continuity are set out in CPS 232 Business Continuity Management (CPS 232). CPS 232 is supplemented by guidance contained in CPG 233 Pandemic Planning.

CPS 232 requires each APRA-regulated institution and Head of a group to implement a whole-of-business approach to business continuity management that is appropriate to the nature and scale of the operations. The standard requires the board of an APRA regulated institution and the Board of a Head of a group, respectively, to have ultimate responsibility for the business continuity of the institution or group. The key requirements of this Prudential Standard are that an APRA-regulated institution and a Head of a group must:
  • maintain a business continuity management policy for the institution or group, approved by the Board;

  • identify, assess and manage potential business continuity risks to ensure that it is able to meet its financial and service obligations to its depositors, policyholders and other stakeholders;

  • consider business continuity risks and controls as part of its risk management framework;

  • maintain a business continuity plan that documents procedures and information which enable the institution to manage business disruptions;

  • review the business continuity plan annually and periodically arrange for its review by the internal audit function or an appropriate external expert; and

  • notify APRA in the event of certain disruptions.

Evaluation of an ADI’s business continuity forms part of operational risk assessments. Frontline supervisors, with the support of internal operational risk specialists, periodically review the quality and comprehensiveness of an ADI’s business continuity processes during onsite prudential reviews. It is also common for business continuity test results and relevant internal/external audit reports to be reviewed as part of onsite activities.

APRA is planning to expand the prudential framework relating to operational risk. This will include updating/expanding prudential practice guides concerning disaster recovery and business continuity.
EC5: The supervisor determines that banks have established appropriate information technology policies and processes to identify, assess, monitor and manage technology risks. The supervisor also determines that banks have appropriate and sound information technology infrastructure to meet their current and projected business requirements (under normal circumstances and in periods of stress), which ensures data and system integrity, security and availability and supports integrated and comprehensive risk management.
Description and findings re EC5: As part of routine supervisory activities, APRA supervisors assess the adequacy and appropriateness of an ADI’s policies, processes and IT (information and information technology) management and controls relative to the nature, scale, and complexity of its operations to support current and future business needs. APRA has a specialist IT risk team consisting of 6–7 people that provides support to frontline supervisors in undertaking these assessments, the outcomes of which are captured in PAIRS. These assessments are usually done in the form of IT-focused prudential reviews and cover aspects such as systems’ resilience, systems’ recovery, information security, board and management oversight, IT Governance, IT risk management, IT infrastructure, IT security, as well as disaster recovery issues.

APRA has issued a number of prudential practice guides (PPGs) and information papers that provide guidance to ADIs in the following areas relating to information technology. These include an Information Paper on outsourcing involving shared computer services (including cloud), a Prudential Practice Guide (CPG 234) on management of Security Risk in Information and Information Technology, a Prudential Practice Guide (CPG 235) on Managing Data Risk, and an Information Paper on the results of a Cyber Security Survey (including practices for sound cyber security risk management).

APRA has recently placed a particular focus on IT-related risks, including, for example, communications on cyber security, fintech solutions, SWIFT/payments and the New Payments Platform. In March 2018, APRA publicly consulted on a new cross-industry prudential standard on information security (draft Prudential Standard CPS 234 Information Security (draft CPS 234)).

APRA will potentially need to invest more resources and skills in IT risk (including cybersecurity and fintech), given the increased use of information technology and digital banking, and particularly in light of the entrance of new restricted ADIs in the form of fintech and digital banks.
EC6: The supervisor determines that banks have appropriate and effective information systems to:
  • (a) monitor operational risk;

  • (b) compile and analyze operational risk data; and

  • (c) facilitate appropriate reporting mechanisms at the banks’ Boards, senior management and business line levels that support proactive management of operational risk.

Description and findings re EC6: As outlined in the previous criteria, APRA has two teams of operational risk and IT risk specialists that assist frontline supervisors in performing focused and thematic assessment of operational risk issues at ADIs. These reviews look at the ADI’s operational risk management framework. As part of this work, they look at the bank’s information system to manage operational risk and the extent to which these systems capture the different elements of the operational risk management strategy such as risk and control self-assessment, key indicators, incident management, change management, and action management. They examine the risk reports to the relevant board and management risk committees and whether they provide a holistic and forward-looking view of the operational risk profile, including potentially severe losses, to support decision making and oversight of risks.

Supervisors also assess if the operational risk reporting is supported by a robust data management framework that enables the aggregation of exposures and risk measures across business lines, prompt reporting of limit breaches, and forward-looking scenario analysis and stress testing. They examine the quality of reporting and assess whether all material risks are measured, assessed and reported in a timely and accurate manner, to provide a sound basis for decision making. PAIRS captures the outcomes of assessments of reporting mechanisms and an institution’s data management framework.
EC7: The supervisor requires that banks have appropriate reporting mechanisms to keep the supervisor apprised of developments affecting operational risk at banks in their jurisdictions.
Description and findings re EC7: APRA receives information relating to the operational risk charge for capital adequacy purposes on a quarterly basis from ADIs, including data on operational risk losses. Supervisors use this information to gain insights into operational risk drivers for individual ADIs which feed into the determination of an institution’s overall risk profile. The data submitted to APRA is subject to audit testing.

An APRA-regulated institution must on adoption, and following any material revisions, submit to APRA a copy of its RAS, business plan and RMS as soon as practicable, and no more than 10 business days after board approval. Notification is also required when the institution becomes aware of any material or prospective material changes to the size, business mix and complexity of the institution.

Where an APRA-regulated institution conducts business in a jurisdiction outside Australia, it must notify APRA as soon as practicable, and no more than 10 business days, after it becomes aware that its right to conduct business in that jurisdiction has been materially affected by the law of that jurisdiction or its right to conduct business has ceased.

CPS 232 also requires an ADI to notify APRA of a major disruption that has the potential to have a material impact on the institution’s risk profile or affect its financial soundness. The institution must then notify APRA when normal operations resume.

AMA banks are required to report to APRA on a periodic basis operational risk loss amounts for loss events that exceed an ADI’s global reporting threshold.

Frontline supervisors keep up to date with institutional developments as part of routine offsite and onsite supervisory work to supplement formal notification arrangements.
EC8: The supervisor determines that banks have established appropriate policies and processes to assess, manage and monitor outsourced activities. The outsourcing risk management program covers:
  • (a) conducting appropriate due diligence for selecting potential service providers;

  • (b) structuring the outsourcing arrangement;

  • (c) managing and monitoring the risks associated with the outsourcing arrangement;

  • (d) ensuring an effective control environment; and

  • (e) establishing viable contingency planning.

Outsourcing policies and processes require the bank to have comprehensive contracts and/or service level agreements with a clear allocation of responsibilities between the outsourcing provider and the bank.
Description and findings re EC8: Prudential requirements for outsourcing arrangements are set out in CPS 231. Related guidance can be found in the Prudential Practice Guide on Outsourcing (PPG 231).

The overarching objective of CPS 231 is that all outsourcing arrangements involving material business activities entered into by an APRA-regulated institution be subject to appropriate due diligence, approval and ongoing monitoring. A ‘material business activity’ is one that has the potential, if disrupted, to have a significant impact on the regulated institution’s business operations or its ability to manage risks effectively.

The key requirements of CPS 231 are that a regulated institution must:
  • have a policy, approved by the board, relating to outsourcing of material business activities;

  • have sufficient monitoring processes in place to manage the outsourcing of material business activities;

  • for all outsourcing of material business activities with third parties, have a legally binding agreement in place, unless otherwise agreed by APRA;

  • consult with APRA prior to entering into agreements to outsource material business activities to service providers that conduct their activities outside Australia; and

  • notify APRA after entering into agreements to outsource material business activities.

A regulated institution must be able to demonstrate to APRA that it has:
  • prepared a business case for outsourcing the material business activity;

  • undertaken a tender or other selection process for selecting the service providers;

  • undertaken a due diligence review of the chosen service provider;

  • involved the board, board committee, or senior manager with delegated authority from the Board, in approving the agreement;

  • considered all the matters that must be included in the outsourcing agreement itself;

  • established procedures for monitoring performance under the outsourcing agreement on a continuing basis;

  • addressed the renewal process for outsourcing agreements and how the renewal will be conducted; and

  • developed contingency plans that would enable the outsourced business activity to be provided by an alternative service provider or brought in-house if required.

All regulated institutions are encouraged to consult with APRA prior to the use of shared computing services involving heightened inherent risks (refer Information Paper on outsourcing involving shared computer services including cloud).

Material outsourcing agreements are reviewed by APRA supervisors to ensure business disruption and continuity plans are appropriately captured. The assessment of an institution’s outsourcing policies, processes and/or activities including compliance with prudential requirements may also form part of the scope of an onsite prudential review. Internal supervisory guidance assists supervisors with the assessment process. APRA also reviews material from regulated institutions that are considering outsourcing material business activities to service providers that conduct their activities outside Australia. CPS 231 allows APRA to have access to an institution’s documentation and information relating to outsourcing arrangements and onsite visits to the service provider, if necessary.
Additional criteria
AC1: The supervisor regularly identifies any common points of exposure to operational risk or potential vulnerability (e.g., outsourcing of key operations by many banks to a common service provider or disruption to outsourcing providers of payment and settlement activities).
Description and findings re AC1: Operational risk specialists provide ongoing support to frontline supervisors in their assessment of operational risk and related management and controls. Risk specialists participate in a number of reviews across ADIs and are able to harness this knowledge to identify common points of exposure and vulnerabilities from a more systemic perspective. This knowledge is a useful input to the construction of the ADI industry risk register where industry risks are identified and agreed and then assigned a risk owner to map out a program of work to address identified risks.

Horizontal/thematic reviews are considered when developing actions to address identified industry risks. APRA has increased the use of thematic risk reviews over the last few years. Supervisors look for opportunities to undertake thematic reviews (e.g., major bank supervisors have performed supervisory work around IT risk in a thematic way, and a cyber security survey of a sample of regulated institutions, including major banks, has been conducted). Further opportunities exist to identify common points of exposure across ADIs and determine efficient and effective supervisory actions to address those risks. APRA’s newly formed RDA Division will play a key role in this process.
Assessment of Principle 25: Compliant
Comments: While APRA has no dedicated prudential standard covering operational risk management, its CPS 220 provides a good overall framework for risk management requirements, including material risks such as operational risks. In addition, the AMA standard (APS 115) provides a broad range of operational risk management requirements. APRA has also issued prudential standards on business continuity management and outsourcing arrangements. These standards, taken overall, provide a reasonable set of prudential requirements in relation to operational risk management. APRA’s RDA division includes a number of specialized risk teams, including one specialized in operational risk and another specialized in IT risk. These teams assist frontline supervisors in assessing the various aspects of operational risk and IT risk in banks. Prudential reviews covering mainly the largest banks have focused on examining banks’ IT risks as well as banks’ operational risk frameworks. These reviews cover the board and management oversight of operational risk as well as the board’s awareness of the bank’s risk profile and the reporting it gets in relation to operational risk.

Further, reviews cover IT risks focusing on several aspects such as governance, risk management, infrastructure and security. APRA receives regular reporting in relation to operational risk, including operational loss data. Risk specialists are increasingly looking at common points of exposure and vulnerabilities from a more systemic perspective.

APRA has also recently been focusing on other aspects of IT-related risks, including, for example, communications on cyber security, fintech solutions and SWIFT/payments. In March 2018, APRA issued a consultative document to implement a cross-industry framework for information security requirements.

As APRA develops its approach further and as the market evolves toward greater use of technology in banking services, APRA should continue to strengthen/expand its IT risk team and further build its skills, particularly in the area of cyber risk and fintech. APRA is also encouraged to continue developing its analytical toolkit to gain a better view of common or systemic operational risk issues. Work on developing a prudential standard on operational risk management should also continue to progress.
Principle 26: Internal control and audit. The supervisor determines that banks have adequate internal control frameworks to establish and maintain a properly controlled operating environment for the conduct of their business taking into account their risk profile. These include clear arrangements for delegating authority and responsibility; separation of the functions that involve committing the bank, paying away its funds, and accounting for its assets and liabilities; reconciliation of these processes; safeguarding the bank’s assets; and appropriate independent68 internal audit and compliance functions to test adherence to these controls as well as applicable laws and regulations.
Essential criteria
EC1: Laws, regulations or the supervisor require banks to have internal control frameworks that are adequate to establish a properly controlled operating environment for the conduct of their business, taking into account their risk profile. These controls are the responsibility of the bank’s Board and/or senior management and deal with organizational structure, accounting policies and processes, checks and balances, and the safeguarding of assets and investments (including measures for the prevention and early detection and reporting of misuse such as fraud, embezzlement, unauthorized trading and computer intrusion). More specifically, these controls address:
  • (a) organizational structure: definitions of duties and responsibilities, including clear delegation of authority (e.g., clear loan approval limits), decision-making policies and processes, separation of critical functions (e.g., business origination, payments, reconciliation, risk management, accounting, audit and compliance);

  • (b) accounting policies and processes: reconciliation of accounts, control lists, information for management;

  • (c) checks and balances (or “four eyes principle”): segregation of duties, cross-checking, dual control of assets, double signatures; and

  • (d) safeguarding assets and investments: including physical control and computer access.

Description and findings re EC1: The APRA prudential framework does not explicitly include provisions addressing directly the points mentioned in this essential criterion. However, these points are covered indirectly through the various prudential standards of APRA that are related to risk management and governance, in addition to APRA’s supervisory approach that focuses substantially on assessing controls related to each risk and the net inherent risks after taking into account the effectiveness of the firm’s risk controls and mitigants.

As per the prudential framework, the board of an APRA regulated institution is ultimately responsible for its sound and prudent management. CPS 220 requires the board to ensure that the senior management of the institution monitor and manage all material risks consistent with the strategic objectives, RAS and policies approved by the Board.

CPS 220 requires an APRA-regulated institution to have systems for identifying, measuring, evaluating, monitoring, reporting, and controlling or mitigating material risks that may affect its ability, or the ability of the group it heads, to meet its obligations to depositors. These systems, including policies, processes and people supporting them, comprise an institution’s risk management framework. Policies and procedures supporting a firm’s RMF must include processes for identifying, controlling and mitigating risks, as well as mechanisms for monitoring compliance with prudential requirements.

As per CPS 220, policies and procedures must include:

- the process for identifying and assessing material risks and controls;

- the process for the validation, approval and use of any models to measure components of risk;

- the process for establishing, implementing and testing mitigation strategies and control mechanisms for material risks;

- the process for monitoring, communicating and reporting risk issues, including escalation procedures for the reporting of material events and incidents;

- the process for identifying, monitoring and managing potential and actual conflicts of interest;

- the mechanisms in place for monitoring and ensuring ongoing compliance with all prudential requirements;

- the process for ensuring consistency across the risk management framework;

- the process for establishing and maintaining appropriate contingency arrangements (including robust and credible recovery plans where warranted) for the operation of the risk management framework in stressed conditions; and

- the process for review of the risk management framework.

The board is required to annually attest that risk management and internal control systems are operating effectively and are adequate relative to the risk profile of the institution. Additionally, every three years (at a minimum) the firm is responsible for ensuring there is a comprehensive review of the appropriateness, effectiveness and adequacy of its RMF by independent experts. This is often done by third party specialists.

During onsite risk reviews, APRA supervisors, with the help of specialist risk teams, make an assessment of the adequacy of the RMF, which includes an assessment of the internal control framework. This would include forming an opinion on mitigating controls relative to various risks. The assessment of internal controls forms part of the assessment of ‘Risk Governance’ in the PAIRS framework.
EC2: The supervisor determines that there is an appropriate balance in the skills and resources of the back office, control functions and operational management relative to the business origination units. The supervisor also determines that the staff of the back office and control functions have sufficient expertise and authority within the organization (and, where appropriate, in the case of control functions, sufficient access to the bank’s Board) to be an effective check and balance to the business origination units.
Description and findings re EC2: APRA takes a risk-based approach to the review of an institution’s back office, control functions and operational management to ensure they are operating effectively. Supervisors assess the appropriateness of key individuals for their roles and the relative sufficiency of resources including suitably qualified staff with the necessary skills, experience and technical capabilities. Supervisors also review access and information flows/reporting to the board.

Onsite prudential reviews assess the adequacy of the control environment, and relevant internal and external audit assessments and reports. However, this is done in the context of the specific theme that the inspection is covering. For example, if a specific prudential review is covering a certain area of credit risk, such as CRE or residential mortgage, supervisors assess the firm’s inherent risk and the control framework around that inherent risk. The control framework assessment includes various components in that case such as the policies and procedures, the limits, the delegation of authority and responsibility, etc. If there are issues related to the expertise and authority of the back-office and control functions in relation to that risk area, these are usually covered during the prudential review. This assessment is then taken into account in the PAIRS assessment in the risk governance section and will impact the bank’s PAIRS grading.

Following the inspection, a letter communicates the findings to the bank (as discussed in CPs 8–9) and includes actions that the bank should take (mainly in the form of recommendations or requirements). These actions include, among others, issues related to the control framework around the specific risk or theme covered in the prudential review.
EC3: The supervisor determines that banks have an adequately staffed, permanent and independent compliance function69 that assists senior management in managing effectively the compliance risks faced by the bank. The supervisor determines that staff within the compliance function are suitably trained, have relevant experience and have sufficient authority within the bank to perform their role effectively. The supervisor determines that the bank’s Board exercises oversight of the management of the compliance function.
Description and findings re EC3: APRA-regulated firms are required to have a designated compliance function that has a reporting line independent of the business lines. APRA is not prescriptive in defining the specific structure of the function and banks are not required to have a specific compliance officer. For example, the chief risk officer can also be responsible for the compliance function. APRA supervisors are expected to assess whether the firm has sufficient resources to carry out effective compliance risk management.

APRA assesses the effectiveness of the compliance function and the contribution that it makes to the risk management framework of the bank through onsite prudential reviews, meetings with bank personnel with relevant responsibilities (both through regular supervisory contacts and in the course of prudential reviews of individual risk and associated risk management areas). APRA assessments of compliance functions include assessing the function’s independence, including reporting lines independent of the business lines, oversight and support provided by the Board and senior management to the compliance function and whether sufficient information is provided to the Board given its oversight responsibilities.
EC4: The supervisor determines that banks have an independent, permanent and effective internal audit function70 charged with:
  • (a) assessing whether existing policies, processes and internal controls (including risk management, compliance and corporate governance processes) are effective, appropriate and remain sufficient for the bank’s business; and

  • (b) ensuring that policies and processes are complied with.

Description and findings re EC4: APRA requires firms to have an independent internal audit function unless it specifically receives an exemption from that requirement from APRA (CPS 510). According to APRA, there are no current cases of a bank having received such an exemption. There is no prudential standard that describes in full detail the responsibilities of the internal audit function. However, some responsibilities have been cited separately in various prudential standards. APRA prudential standard APS 310 on audit and related matters requires an ADI to ensure that the scope of internal audit includes a review of the policies, processes and controls put in place by management to ensure compliance with APRA’s prudential requirements. APRA prudential standard CPS 510 on governance requires the internal audit function to evaluate the adequacy and effectiveness of a firm’s RMF. To fulfil its functions, the internal auditor must, at all times, have full access to the institution’s business lines and risk control and support functions, including at the banking group level.

The Board audit committee is required to review internal and external audit plans, and to ensure that they cover all material risks and financial reporting requirements of the institution. It is also responsible for reviewing the findings of audits and ensuring that issues are being managed and rectified in an appropriate and timely manner. The audit committee is required to ensure the adequacy and independence of the internal and external audit functions and the internal auditor must have a reporting line and full and direct access to the audit committee.

Supervisors assess the internal audit function as part of ongoing supervision and it informs their ‘risk governance’ assessment for PAIRS. There is detailed guidance provided to supervisors that covers the areas supervisors should consider during these PAIRS assessments. Supervisors meet with internal audit as part of routine activities and in the context of more formal prudential reviews, during which internal audit’s work in a relevant area will be reviewed and discussed. However, APRA does not perform dedicated activities to comprehensively assess the work of the internal audit function and whether it is effectively performing its full range of responsibilities.
EC5: The supervisor determines that the internal audit function:
  • (a) has sufficient resources, and staff that are suitably trained and have relevant experience to understand and evaluate the business they are auditing;

  • (b) has appropriate independence with reporting lines to the bank’s Board or to an audit committee of the Board, and has status within the bank to ensure that senior management reacts to and acts upon its recommendations;

  • (c) is kept informed in a timely manner of any material changes made to the bank’s risk management strategy, policies or processes;

  • (d) has full access to and communication with any member of staff as well as full access to records, files or data of the bank and its affiliates, whenever relevant to the performance of its duties;

  • (e) employs a methodology that identifies the material risks run by the bank;

  • (f) prepares an audit plan, which is reviewed regularly, based on its own risk assessment and allocates its resources accordingly; and

  • (g) has the authority to assess any outsourced functions.

Description and findings re EC5: APRA’s internal supervisory guidance provides assistance to supervisors when reviewing the following in relation to internal audit:
  • nature, structure and resources: supervisors assess the structure and resourcing of the internal audit function including key staff, their roles and responsibilities and skills and experience and determine the extent to which the structure and resourcing are commensurate with the nature and complexity of the institution’s operations.

  • independence and challenge: supervisors assess the extent to which the internal audit function provides an independent opinion to management and the Board Audit Committee as well as challenges management where relevant.

  • audit approach: the supervisors also assess the nature of the internal audit approach, whether it is compliance, review or risk-based. They also see if the Board Audit Committee endorses the internal audit approach and plan.

  • planning and reporting: supervisors review if the head of the internal audit function regularly reports findings to the Board Audit Committee and the extent to which serious issues are elevated to senior management and the Board Audit Committee without delay.

APRA prudential standard on outsourcing CPS 231 requires an institution’s internal audit function to review any proposed outsourcing of a material business activity and regularly review and report to the Board or Board Audit Committee on compliance with the institution’s outsourcing policy.

APRA supervisors take a risk-based approach to the review of an institution’s internal audit function. During onsite reviews, APRA reviews the work of internal audit and holds closed sessions with the internal auditor where considered necessary. The scope of this assessment is not comprehensive and does not cover all the activities of the internal audit function. It looks at aspects related to internal audit activities that are relevant to the risk area or theme covered by the prudential review. The outcomes of this work are an input into the PAIRS risk assessment process under the risk governance category.
Assessment of Principle 26: Largely Compliant
Comments: Prudential standards place requirements on boards and management to have in place an appropriate set of internal controls given the size, complexity and risk profile of the firm. Internal and external audit both are expected to play a significant role with respect to assessing these controls and reporting to the board and, in the case of external audit, to APRA. However, as discussed in EC1 and EC4, the main requirements in relation to internal control and internal audit are either not explicitly spelled out or not comprehensively included in APRA prudential standards. While expectations of banks and supervisors may be clear about these areas, it would be advisable to clarify the requirements in relation to internal control and internal audit in a more comprehensive way in APRA prudential standards.

Supervisors speak with internal audit and review audit work primarily in association with specific risk or control areas they look at in prudential and other reviews. Supervisors draw conclusions on the effectiveness of internal audit as part of risk reviews, although they do not collate these conclusions in a formal assessment of internal audit.

Explicit reviews on internal audit effectiveness and the role of the board in ensuring internal audit has appropriate stature, resources (both quantity and appropriate expertise) and access through deep reviews of the function have not been a consistent area of focus for APRA supervisors.

Internal audit assessments primarily occur as part of the risk governance PAIRS assessments. The direct linkage between assessments of internal audit and assessments of the board could be strengthened, particularly given the key role the board must play under APRA standards in providing APRA with assurance that it has all controls needed to effectively comply with prudential standards.

In addition, while audit and controls are assessed in the course of onsite reviews, APRA should consider carrying out periodic in-depth reviews of key control functions and internal audit. This would allow APRA to have a more comprehensive view about the effectiveness of the internal audit function (based on the points listed in EC5) and the gaps that need to be addressed in this respect.
Principle 27: Financial reporting and external audit. The supervisor determines that banks and banking groups maintain adequate and reliable records, prepare financial statements in accordance with accounting policies and practices that are widely accepted internationally and annually publish information that fairly reflects their financial condition and performance and bears an independent external auditor’s opinion. The supervisor also determines that banks and parent companies of banking groups have adequate governance and oversight of the external audit function.
Essential criteria
EC1: The supervisor71 holds the bank’s Board and management responsible for ensuring that financial statements are prepared in accordance with accounting policies and practices that are widely accepted internationally and that these are supported by recordkeeping systems in order to produce adequate and reliable data.
Description and findings re EC1: The Corporations Act requires banks to prepare financial reports using standards that are in compliance with IFRS. Banks’ boards of directors are required to make an annual declaration of compliance with all applicable accounting standards. APRA relies primarily on the requirements of the Corporations Act and ASIC oversight to ensure that the directors’ reports and financial statements publicly issued by a bank are reliable and receive proper external audit scrutiny and verification. ASIC conducts ongoing risk-based surveillance of financial reports, reviews selected audits, and advises APRA of any concerns raised through its monitoring and review processes.

For supervisory reporting, data submitted to APRA must be subject to processes and controls developed by the bank for the internal review and authorization of the information. Under the reporting standards (ARS), the board and senior management are responsible for ensuring that adequate policies and procedures are in place for controls around these data.
EC2: The supervisor holds the bank’s Board and management responsible for ensuring that the financial statements issued annually to the public bear an independent external auditor’s opinion as a result of an audit conducted in accordance with internationally accepted auditing practices and standards.
Description and findings re EC2: All Australian incorporated banks are required to issue audited financial reports to the public on an annual basis and audited or reviewed financial reports at the half-year. This requirement is governed by Chapter 2M of the Corporations Act and is under the authority of ASIC. The annual financial report must be audited (as per Section 301) and include an audit opinion. The half-year financial report must be reviewed by the external auditor, at a minimum.

If ASIC has any concerns about a bank’s financial reporting, it is expected to inform APRA.
EC3: The supervisor determines that banks use valuation practices consistent with accounting standards widely accepted internationally. The supervisor also determines that the framework, structure and processes for fair value estimation are subject to independent verification and validation, and that banks document any significant differences between the valuations used for financial reporting purposes and for regulatory purposes.
Description and findings re EC3: The obligation for a bank’s financial report to be audited is set out in the Corporations Act administered by ASIC. Under Chapter 2M of the Corporations Act, all Australian incorporated banks are required to issue financial reports to the public on an annual and half-yearly basis. The annual financial report must be audited (as per Section 301) and include an audit opinion. The half-year financial report must be audited or reviewed by the auditor.

APS 310 requires the appointed auditor (i.e., external auditor) to provide assurance that statistical and financial data provided to APRA are reliable, that control policies and procedures are in place that are designed to address compliance with prudential requirements and to provide reliable data, and that prudential and reporting standards and other statutory banking requirements have been satisfied.
EC4: Laws or regulations set, or the supervisor has the power to establish the scope of external audits of banks and the standards to be followed in performing such audits. These require the use of a risk and materiality based approach in planning and performing the external audit.
Description and findings re EC4: Financial statements and the engagement of external auditors are based on standards issued by the Auditing and Assurance Standards Board (AUASB) and are in line with auditing standards issued by the International Auditing and Assurance Standards Board.
EC5: Supervisory guidelines or local auditing standards determine that audits cover areas such as the loan portfolio, loan loss provisions, nonperforming assets, asset valuations, trading and other securities activities, derivatives, asset securitizations, consolidation of and other involvement with off-balance sheet vehicles and the adequacy of internal controls over financial reporting.
Description and findings re EC5: Prudential standard APS 310 details expectations and requirements of audit coverage and reporting. These requirements include the coverage of the loan portfolio, loan loss provisions, nonperforming assets, asset valuations, trading and other securities activities, derivatives, asset securitizations, consolidation of (and other involvement with) off-balance sheet vehicles, as well as the adequacy of internal controls around financial and prudential reporting to APRA.

Australian auditors are required to comply with AUASB auditing standards, which align with the IAASB auditing standards and cover each of the areas highlighted in this criterion.
EC6: The supervisor has the power to reject and rescind the appointment of an external auditor who is deemed to have inadequate expertise or independence, or who is not subject to or does not adhere to established professional standards.
Description and findings re EC6: Both APRA and ASIC can take actions that lead to removal of an auditor.

Section 17 of the Banking Act gives APRA the authority to remove a person from the position of auditor of a bank if APRA finds that the person has failed to adequately and properly perform the functions and duties of the position and does not meet the fit and proper criteria set out in the Prudential Standards.

ASIC or APRA can ask the ‘Companies Auditors Disciplinary Board’ to cancel or suspend an auditor’s registration if they fail to meet their duties or are not fit and proper (section 1292 of the Corporations Act).

Auditors are required to comply with the independence requirements of the Corporations Act, which include audit partner rotation for listed entities, and independence requirements for business, employment and business relationships. The professional code of ethics for auditors covers auditor independence and has the force of law under the Corporations Act through legally enforceable auditing standards. Auditors must provide an independence declaration, which is published with the financial report.
EC7: The supervisor determines that banks rotate their external auditors (either the firm or individuals within the firm) from time to time.
Description and findings re EC7: Individuals with a ‘significant role’ in an audit can only carry out the audit for five consecutive years and for only five years out of any seven-year period. This is covered in APRA’s CPS 510 and Section 324DA of the Corporations Act. This rule does not apply to audit firms, but to individuals at audit firms only. An exemption may be granted if an individual provides services that are otherwise not readily available or when there are no other registered auditors available to provide adequate services. APRA stated that in practice this is rare.

The Corporations Act requires the rotation of the lead and review partners on an audit after five years for publicly listed banks.
EC8: The supervisor meets periodically with external audit firms to discuss issues of common interest relating to bank operations.
Description and findings re EC8: APRA meets with the major audit firms as a group at least twice per year to discuss emerging issues and/or make any necessary clarifications on compliance and reporting obligations. APRA accounting staff told assessors they meet regularly with auditors and had met with the industry seven times in the last two years.

APRA meets regularly with banks and their auditors to discuss the external auditor’s annual prudential assurance report, or issues related to a special purpose engagement, if applicable. These meetings include discussions of issues identified during the course of the auditor’s financial report audit, as well as deficiencies in control frameworks related to prudential reporting or any other audit work requested by APRA as part of a special purpose engagement.

APRA may also meet with the appointed auditor bilaterally, if needed.
EC9: The supervisor requires the external auditor, directly or through the bank, to report to the supervisor matters of material significance, for example failure to comply with the licensing criteria or breaches of banking or other laws, significant deficiencies and control weaknesses in the bank’s financial reporting process or other matters that they believe are likely to be of material significance to the functions of the supervisor. Laws or regulations provide that auditors who make any such reports in good faith cannot be held liable for breach of a duty of confidentiality.
Description and findings re EC9: Under Section 16BA of the Banking Act, auditors must inform APRA if they have reason to believe that a bank is insolvent, or if there is a significant risk that it will become insolvent, or if an ‘existing or proposed state of affairs may materially prejudice the interests of depositors of the bank’. Matters considered likely to ‘materially prejudice the interests of depositors’ generally are those related to capital adequacy, solvency and others that may affect a firm on a going concern basis.

Auditors must also inform APRA if they have grounds to believe that a bank has not complied with a provision of the Banking Act, the Banking Regulations of 2016, or FSCODA; a Prudential Standard; or a direction issued by APRA under its authorities in the Banking Act. Under Section 70A of the Banking Act, auditors who report ‘in good faith’ cannot be held liable for breach of confidentiality.

Section 311 of the Corporations Act requires an auditor to report to ASIC within 28 days if they have reason to suspect a firm is failing to meet provisions of the Corporations Act. This duty applies to audits of annual financial reports and to the audit or review of semi-annual financial reports required by the Corporations Act. Examples that would require notification would be failing to comply with accounting standards or ‘true and fair view’ requirements.
Additional criteria
AC1: The supervisor has the power to access external auditors’ working papers, where necessary.
Description and findings re AC1: Both ASIC and APRA have the authority to require access to auditors’ workpapers.

Section 16B of the Banking Act gives APRA the authority to require auditors to provide information, produce books, accounts or documents about specified entities. This applies to external auditors of banks, holding companies or their subsidiaries, and to external auditors of foreign bank subsidiaries incorporated or doing business in Australia.

ASIC has the power to access external auditors’ working papers under Section 30A of the ASIC Act.
Assessment of Principle 27: Compliant
Comments: Under the Corporations Act, ASIC is the regulator responsible for external audits. All Australian incorporated banks are required to issue audited financial reports to the public on an annual basis and audited or reviewed financial reports at the half-year. ASIC reviews external audits, including with respect to asset valuations, and carries out ongoing surveillance of financial reporting. ASIC and APRA have regular interaction and ASIC is expected to inform APRA if anything of concern arises in its reviews of banks’ financial reporting.

Supervisors at APRA have regular engagement with external auditors. This includes discussions about work the external auditors have done at specific firms, as well as broader meetings through which APRA can hear about issues raising concerns among auditors and can provide clarification on its expectations. Discussions occur on a regular basis and also when the auditor is either required to report to APRA or has been used by the bank to review its compliance with prudential standards. Prudential standards and laws require the external auditor to report to APRA in a situation where it believes a firm is not complying with prudential requirements.
Principle 28: Disclosure and transparency. The supervisor determines that banks and banking groups regularly publish information on a consolidated and, where appropriate, solo basis that is easily accessible and fairly reflects their financial condition, performance, risk exposures, risk management strategies, and corporate governance policies and processes.
Essential criteria
EC1: Laws, regulations or the supervisor require periodic public disclosures[72] of information by banks on a consolidated and, where appropriate, solo basis that adequately reflect the bank’s true financial condition and performance, and adhere to standards promoting comparability, relevance, reliability and timeliness of the information disclosed.
Description and findings re EC1: APS 330 details APRA’s required public disclosures for ADIs. APS 330 requires the publication of information on a quarterly, semi-annual and annual basis. Disclosures are made on a consolidated group basis except for smaller ADIs where disclosures are generally made on a solo (ADI) basis. Under APS 330 all ADIs must disclose their: risk profile; risk management practices; capital adequacy; capital instruments; and remuneration practices.

For those firms to which they apply, an ADI must report information on its leverage ratio; liquidity coverage ratio (LCR); Net Stable Funding Ratio (NSFR); and G-SIB indicators (there are currently no Australian G-SIBs).

As discussed in CP 27 above, under the Corporations Act, all Australian-incorporated banks are required to issue audited financial reports to the public on an annual basis and to issue semi-annual reports that are at least reviewed by their auditors. Annual and semi-annual financial reports are available to the public from ASIC’s public register. Financial reports must comply with Australian accounting standards, which are consistent with International Financial Reporting Standards.

Under the Corporations Act, a publicly listed bank in Australia is also required to make timely disclosures to inform the market of developments that would have a material effect on the value of the firm’s securities. From a Pillar 3 perspective APRA has issued prudential standards requiring public disclosures to promote market discipline. The key requirements of this Prudential Standard are that a firm must disclose:
  • “the composition of its regulatory capital in a standard form;

  • a reconciliation between the composition of its regulatory capital and its audited financial statements;

  • the full terms and conditions of its regulatory capital instruments and the main features of these instruments in a standard form;

  • quantitative and qualitative information about its capital adequacy, credit and other risks, with the extent of disclosure dependent on whether it has approval to use ‘advanced approaches’ to measure credit risk and operational risk;

  • where applicable, quantitative and qualitative information on its liquidity coverage ratio;

  • where applicable, net stable funding ratio;

  • where applicable, quantitative and qualitative information about its leverage ratio;

  • quantitative and qualitative information on its approach to remuneration, including aggregate information on its remuneration of senior managers and material risk-takers; and

  • where applicable, quantitative information on the global systemically important banks indicators.”

EC2: The supervisor determines that the required disclosures include both qualitative and quantitative information on a bank’s financial performance, financial position, risk management strategies and practices, risk exposures, aggregate exposures to related parties, transactions with related parties, accounting policies, and basic business, management, governance and remuneration. The scope and content of information provided and the level of disaggregation and detail is commensurate with the risk profile and systemic importance of the bank.
Description and findings re EC2: Disclosure requirements are substantial and covered both by APRA prudential requirements and the requirements of the Corporations Act. APRA required disclosures include the following:

Capital-related disclosures (under Attachment A and B of APS 330):

All ADIs must prepare and disclose a Regulatory Capital reconciliation and a capital disclosure template. This is a reconciliation of all regulatory capital elements to the ADI’s balance sheet in its audited financial statements. All ADIs must also disclose the full terms and conditions of instruments included in their regulatory capital. The disclosures must be updated within seven calendar days if a new capital instrument is issued and included in regulatory capital or a capital instrument is redeemed, converted into Common Equity Tier 1 Capital, written off or otherwise changed.

Risk exposures and assessment (under Attachment C and D of APS 330):

Minimum requirements are higher for banks using the advanced approaches to measure credit and operational risk. Advanced banks are required to disclose more information and to do so more often. Both quantitative and qualitative disclosures are required. For risk disclosures in each area an ADI must describe its risk management objectives and policies, including:
  • strategies and processes;

  • the structure and organisation of the relevant risk management function;

  • the scope and nature of risk reporting and/or measurement systems; and

  • policies for hedging and/or mitigating risk and strategies and processes for monitoring the continuing effectiveness of hedges and mitigants.

Leverage ratio disclosure (under Attachment E of APS 330):

Advanced approaches banks must make leverage ratio-related disclosures.

LCR disclosure (under Attachment F of APS 330):

ADIs subject to the LCR must make LCR quantitative and related qualitative disclosures and Net Stable Funding Requirements.

Remuneration (under Attachment G of APS 330):

All ADIs are required to make qualitative and quantitative disclosures on remuneration.

G-SIBs (under Attachment H):

If required by APRA, an ADI must disclose the information used for the identification of potential G-SIBs. There are currently no G-SIBs among Australian domestic banks.

The Corporations Act requires banks’ financial reports to comply with all disclosure requirements of accounting standards that are consistent with the IFRS. Publicly listed banks are required by section 299A of the Act to include an operating and financial review that covers business strategies and prospects.
EC3: Laws, regulations or the supervisor require banks to disclose all material entities in the group structure.
Description and findings re EC3: There are no specific prudential reporting requirements on the corporate structure of banks. Reporting on bank structure and legal entities is required under the Corporations Act. Under the Corporations Act, financial reports must disclose certain interests in other entities in accordance with accounting standards.

APRA does require a regulatory capital reconciliation report that shows the reconciliation of regulatory capital elements to accounting standards-based capital. This includes a list of legal entities that are included within the accounting scope of consolidation but excluded from the regulatory scope of consolidation and vice-versa. For each entity that is not in the regulatory consolidated group, ADIs must disclose total balance sheet assets; total balance sheet liabilities; and the main activities of the entity. Regulatory capital reconciliations must also provide details of any restrictions, or other major impediments, on the transfer of funds or regulatory capital within the group.
EC4: The supervisor or another government agency effectively reviews and enforces compliance with disclosure standards.
Description and findings re EC4: The Banking Act gives APRA the authority to require banks to comply with the disclosure requirements of APS 330 (described above), and APRA may require the ADI to address weaknesses in disclosures or disclose further information if it is not satisfied with its prudential disclosures.

The Corporations Act requires all ADIs to report audited financial statements in accordance with Australian Accounting Standards (AAS). Failure to comply with the accounting standards and provisions in the Corporations Act provides grounds for ASIC action. ASIC conducts reviews of financial statements through its surveillance program. Remedial actions are required if significant concerns are identified.
EC5: The supervisor or other relevant bodies regularly publishes information on the banking system in aggregate to facilitate public understanding of the banking system and the exercise of market discipline. Such information includes aggregate data on balance sheet indicators and statistical parameters that reflect the principal aspects of banks’ operations (balance sheet structure, capital ratios, income earning capacity, and risk profiles).
Description and findings re EC5: APRA issues statistical publications on a monthly and quarterly basis. These provide both individual bank and aggregate banking sector data, including assets and liabilities, loans and advances, capital adequacy, financial performance and impaired assets. APRA also publishes articles that provide information on APRA policy initiatives and developments in regulated industries.

The RBA also provides more extensive aggregate information on the banking system in its semi-annual Financial Stability Review and provides extensive data on the banking sector on its website.
Additional criteria
AC1: The disclosure requirements imposed promote disclosure of information that will help in understanding a bank’s risk exposures during a financial reporting period, for example on average exposures or turnover during the reporting period.
Description and findings re AC1: Risk exposures are disclosed quarterly, semi-annually and annually. Information is required to be disclosed on the stock of exposures at the end of the period. Period-to-period changes in the stock of exposures provide information that allows analysts to calculate turnover from quarter end to quarter end, for example, but do not provide for an understanding of how exposures may change during the course of each reporting period.
Assessment of Principle 28: Compliant
Comments: APRA regulations and the Corporations Act both require significant disclosures by banks that allow for the public to understand the condition of and risks in the banks and banking industry. Banking statistics are made available to the public on a monthly and quarterly basis.
Principle 29: Abuse of financial services. The supervisor determines that banks have adequate policies and processes, including strict customer due diligence (CDD) rules to promote high ethical and professional standards in the financial sector and prevent the bank from being used, intentionally or unintentionally, for criminal activities.[73]
Essential criteria
EC1: Laws or regulations establish the duties, responsibilities and powers of the supervisor related to the supervision of banks’ internal controls and enforcement of the relevant laws and regulations regarding criminal activities.
Description and findings re EC1: Australia’s anti-money laundering and counter-terrorism financing statutory regime consists of the Anti-Money Laundering and Counter-Terrorism Financing Act (AML/CTF Act), Anti-Money Laundering and Counter-Terrorism Financing Rules (AML/CTF Rules), the Anti-Money Laundering and Counter-Terrorism Financing Regulation (AML/CTF Regulations) and the Financial Transaction Reports Act (FTR Act).

AUSTRAC is Australia’s AML/CTF regulator, supervisor and financial intelligence unit (FIU). It was established under the FTR Act and operates under authority of the AML/CTF Act. AUSTRAC oversees over 14,000 reporting entities in the banking and other financial, remittance, gambling, digital currency exchange and bullion sectors. AUSTRAC has supervisory and regulatory responsibility for anti-money laundering and counter-terrorism financing (AML/CTF). In its role as Australia’s AML/CTF regulator, AUSTRAC oversees compliance with the Financial Transaction Reports Act 1998 and the AML-CTF Act 2006 by a wide range of financial services providers, including all ADIs. It has broad regulatory powers. AUSTRAC does not have criminal law enforcement authorities and does not carry out criminal investigations. It refers matters potentially involving criminal activity to law enforcement agencies.

AUSTRAC assesses compliance with AML/CTF obligations and can take enforcement actions when non-compliance with the Act and the Rules is identified. In performing its regulatory functions, AUSTRAC must ensure that the AML/CTF regime supports economic efficiency and competitive neutrality.

The AML/CTF Act and Rules require covered entities to:
  • enroll with AUSTRAC;

  • register to provide certain services (remittance services and digital currency exchange);

  • conduct customer identification and verification, as well as ongoing due diligence;

  • report suspicious matters, certain transactions above a threshold and all international funds transfer instructions;

  • develop and maintain an AML/CTF program; and

  • make and retain certain records for seven years.

EC2: The supervisor determines that banks have adequate policies and processes that promote high ethical and professional standards and prevent the bank from being used, intentionally or unintentionally, for criminal activities. This includes the prevention and detection of criminal activity and reporting of such suspected activities to the appropriate authorities.
Description and findings re EC2: As noted above in EC 1, AUSTRAC requires banks (and others) to have AML/CTF programs in place. AML programs are expected to address the full operational details of how firms will meet their compliance obligations and how they will manage the risk of products or services being misused for ML/TF. Expectations for these programs include policies and processes for the practices banks need to have to ensure compliance with requirements. Firms must establish oversight by senior management and ensure that there is an employee due diligence program and that staff are trained to detect ML/TF risk behavior. Banks are required to regularly review the effectiveness of their policies and practices, as well as their compliance with their obligations under the Act and the rules.
EC3: In addition to reporting to the financial intelligence unit or other designated authorities, banks report to the banking supervisor suspicious activities and incidents of fraud when such activities/incidents are material to the safety, soundness or reputation of the bank.[74]
Description and findings re EC3: Under APRA’s prudential standards (APS 222), ADIs must notify APRA of any circumstances that might reasonably be seen as having a material impact and potentially adverse consequences for the firm or its group.

With specific respect to AML/CTF, banks are required to report to AUSTRAC about suspicious activities. In discussions with the assessors, AUSTRAC stated it would alert APRA if it discovered something ‘material’. If something is reported to AUSTRAC it would be put into AUSTRAC’s monitoring system. APRA has access to this system so would be able to see reports of suspicious activities if it reviews the system.

According to AUSTRAC staff, AML/CTF laws do not require self-disclosure of matters that may be important for prudential purposes.

APRA and AUSTRAC have an MoU in place and do meet periodically to discuss issues of relevance to each party, though assessors got the clear impression that coordination and communication could be improved.
EC4: If the supervisor becomes aware of any additional suspicious transactions, it informs the financial intelligence unit and, if applicable, other designated authority of such transactions. In addition, the supervisor, directly or indirectly, shares information related to suspected or actual criminal activities with relevant authorities.
Description and findings re EC4: As noted above, AUSTRAC is both the regulator/supervisor and the financial intelligence unit. AUSTRAC refers legal matters to law enforcement agencies.

Any information it may collect in either of its roles can be accessed by APRA and ASIC.
EC5: The supervisor determines that banks establish CDD policies and processes that are well documented and communicated to all relevant staff. The supervisor also determines that such policies and processes are integrated into the bank’s overall risk management and there are appropriate steps to identify, assess, monitor, manage and mitigate risks of money laundering and the financing of terrorism with respect to customers, countries and regions, as well as to products, services, transactions and delivery channels on an ongoing basis. The CDD management program, on a group-wide basis, has as its essential elements:
  • (a) a customer acceptance policy that identifies business relationships that the bank will not accept based on identified risks;

  • (b) a customer identification, verification and due diligence programme on an ongoing basis; this encompasses verification of beneficial ownership, understanding the purpose and nature of the business relationship, and risk-based reviews to ensure that records are updated and relevant;

  • (c) policies and processes to monitor and recognize unusual or potentially suspicious transactions;

  • (d) enhanced due diligence on high-risk accounts (e.g., escalation to the bank’s senior management level of decisions on entering into business relationships with these accounts or maintaining such relationships when an existing relationship becomes high-risk);

  • (e) enhanced due diligence on politically exposed persons (including, among other things, escalation to the bank’s senior management level of decisions on entering into business relationships with these persons); and

  • (f) clear rules on what records must be kept on CDD and individual transactions and their retention period. Such records have at least a five-year retention period.

Description and findings re EC5: The AML/CTF Act requires reporting entities to adopt and maintain an AML/CTF program (Part 7 of the AML/CTF Act). The program establishes the operational framework for reporting entities to meet their AML/CTF Act compliance obligations and sets out how reporting entities manage the risk of their products or services being misused for ML/TF.

AML/CTF programs comprise two parts:
  • Part A covers how a reporting entity identifies, manages and reduces the ML/TF risks it faces (see Chapters 8 and 9 of the AML/CTF Rules);

  • Part B covers the reporting entity’s CDD procedures (Chapters 4 and 15 of the AML/CTF Rules).

The AML/CTF Rules specify the primary components to be included within an AML/CTF program. Reporting entities can have different types of AML/CTF programs depending on whether they are an individual entity or a member of a designated business group (DBG).

Part A of an AML/CTF program covers identifying, managing and reducing the money laundering and terrorism financing risk faced by a reporting entity which must include a risk-based transaction monitoring program. The transaction monitoring program:
  • must include appropriate risk-based systems and controls to monitor the transactions of customers;

  • must identify transactions that are considered to be suspicious;

  • should be capable of identifying complex, unusually large transactions and unusual patterns of transactions which have no apparent economic or visible lawful purpose.

Part B of an AML/CTF program must include an enhanced customer due diligence (ECDD) program, through which the firm must carry out further customer identification and verification measures for high risk situations. Requirements for carrying out a set of practices in this regard apply under the following circumstances:
  • the firm determines the ML/TF risk associated with dealing with a certain customer is high;

  • a designated service is being provided to a customer who is, or has a beneficial owner who is, a foreign politically exposed person (PEP);

  • when a suspicious matter reporting (SMR) obligation arises; and

  • if it is entering or proposing to enter into a transaction, and one party to the transaction is in, or is incorporated in, a prescribed foreign country.

Under these circumstances AUSTRAC rules require a firm to:
  • Seek further information from the customer or third-party sources.

  • Undertake more detailed analysis of the customer’s information and beneficial owner information, including, where appropriate, taking reasonable measures to identify the source of wealth and source of funds for the customer and each beneficial owner.

  • Verify or re-verify customer information in accordance with the reporting entity’s customer identification procedures.

  • Verify or re-verify beneficial owner information in accordance with AML/CTF rule requirements.

  • Undertake more detailed analysis and monitoring of the customer’s transactions.

  • Seek senior management approval for (a) continuing a business relationship with a customer, (b) whether a transaction should be processed, and (c) whether the specific designated service should continue to be provided to the customer.

A firm’s AML/CTF program is required to cover customer due diligence (CDD) procedures. Firms are required to establish and document their CDD procedures and to ensure they know their customers and understand their customers’ financial activities.

Politically Exposed Persons (PEP)

A bank must have specific procedures to identify whether any individual customer or beneficial owner is a PEP, or an associate of a PEP. The firm must undertake an identification process before it provides the customer with a designated service, or as soon as practicable afterwards. The firm is also required to: obtain senior management approval before establishing or continuing a business relationship with the customer and before providing, or continuing to provide, a designated service to the customer; take reasonable measures to establish the customer’s source of wealth and source of funds; and comply with enhanced customer due diligence requirements under the AML/CTF Rules.

The AML/CTF Act includes record keeping requirements as follows:
  • Transaction records that relate to providing a designated service to a customer.

  • Records about electronic funds transfer instructions must be kept for seven years after the transfer.

  • Records of customer identification procedures must be kept for the life of the customer relationship and for seven years after the reporting entity ceases to provide designated services to the customer.

  • Records of the adoption of an AML/CTF program and a copy of an AML/CTF program.

  • Records about due diligence assessments of correspondent banking relationships.

AUSTRAC’s supervisory approach

One of AUSTRAC’s key regulatory goals as AML/CTF supervisor is to develop reporting entities’ understanding of ML/TF risks and to strengthen their AML/CTF programs through educating and monitoring reporting entities, as well as working with reporting entities to improve compliance in order to ultimately combat and disrupt money laundering and terrorism financing. AUSTRAC conducts a range of supervisory activities to improve and promote compliance with AML/CTF obligations.

AUSTRAC has initiated the introduction of its ‘Smarter Regulation’ program to enhance its regulatory model (i.e., approach to supervision and enforcement). Elements of the model have been co-designed with industry partners.

In 2017, AUSTRAC further enhanced its supervisory framework through the development and introduction of the Breach Evaluation and Response framework. This constitutes an intelligence-led, risk-based framework which targets efforts where ML/TF risks are identified as being at their highest. It provides AUSTRAC with a method to make an evidence-based risk assessment in the context of an ML/TF regulatory breach. It gives AUSTRAC a structured decision-making process to determine a proportionate response where compliance failure has been identified or detected.

AUSTRAC requires reporting entities to have AML/CTF programs which include appropriate risk-based systems and controls that help the entity to identify, manage and mitigate the risk they face that the provision of their services might involve or facilitate money laundering or terrorism financing.

AUSTRAC staff stated that a number of years ago they had focused on reviewing the firms’ controls around AML/CTF programs and worked with the firms to understand and put in place good practices. They take comfort now from the required annual independent reviews (‘compliance reporting’) conducted by third parties. These reviews are not conducted with any level of assurance around the effectiveness of the control processes but rather provide details on what the reviewers found. AUSTRAC reviews the reports and may follow up if issues are identified or if the review report appears less comprehensive than what is needed.

While they used to do a regular cycle of reviews of firms’ compliance, AUSTRAC uses more of a risk-focused approach for determining what work to carry out directly. They receive substantial amounts of data and information in their role as the financial intelligence unit and through required reporting on suspicious matters. This helps them assess the risks and allows for an understanding of the effectiveness of the program at specific firms since firms without good programs usually do not provide good or comprehensive information and data.

Reporting entities are required to address compliance deficiencies identified by AUSTRAC, and in some circumstances AUSTRAC will require the reporting entity to enter into a formal remediation program. AUSTRAC oversees the progress by the reporting entity to address deficiencies subject to the remediation program.

AUSTRAC plans to conduct a review of the independent review process across the 18 largest reporting entities in the coming year.

However, in discussions with APRA and AUSTRAC staff, assessors noted that determining if a bank’s policies and processes for compliance with AML/CTF are ‘integrated into the bank’s overall risk management’ is not routinely done. While there is an MoU between APRA and AUSTRAC as well as regular liaison meetings, there is a need to improve this coordination in a way that allows a better integration of AUSTRAC’s assessment of AML/CTF systems in the assessment of banks’ risk management done by APRA. In the context of other core principles, the assessors have recommended that APRA utilize information developed by AUSTRAC through its assessments of AML/CTF compliance to inform APRA’s views of a bank’s internal controls and risk governance.

EC6: The supervisor determines that banks have, in addition to normal due diligence, specific policies and processes regarding correspondent banking. Such policies and processes include:
  • (a) gathering sufficient information about their respondent banks to understand fully the nature of their business and customer base, and how they are supervised; and

  • (b) not establishing or continuing correspondent relationships with those that do not have adequate controls against criminal activities or that are not effectively supervised by the relevant authorities, or with those banks that are considered to be shell banks.

Description and findings re EC6: Under the AML/CTF Act, a financial institution must not enter into correspondent banking relationships without determining, to the best of its ability, that the other institution is not a shell bank and does not have a correspondent banking relationship with a shell bank. Before a bank enters into a correspondent banking relationship, it must carry out a preliminary assessment of the risk it may face that the relationship could involve or facilitate money laundering or the financing of terrorism. It must then carry out a thorough due diligence assessment if it deems one warranted by the preliminary risk assessment.

The AML/CTF Act requires that a senior officer of the financial institution approve any correspondent banking relationship entered into. The senior officer must take into account the matters specified in Chapter 3 of the AML/CTF Rules as described above.

After a bank enters into a correspondent banking relationship, it is required to conduct regular risk assessments of the potential for the relationship to involve or facilitate money laundering or the financing of terrorism. The bank may then have to conduct regular due diligence assessments, if warranted by the results of the risk assessment.

In 2017, AUSTRAC conducted supervisory work on correspondent banking at 39 reporting entities that maintained correspondent banking relationships. The purpose of the work was to:
  • provide information to reporting entities to help them better understand the nature and extent of ML/TF risks presented by correspondent banking relationships and how these risks can be mitigated and managed, and

  • collect information about correspondent banking practices to inform the government and policy makers.

Assessors reviewed sample results of that work and observed that firms received recommendations from AUSTRAC related to, among other things, shell banks, correspondent banking due diligence and record keeping.

EC7: The supervisor determines that banks have sufficient controls and systems to prevent, identify and report potential abuses of financial services, including money laundering and the financing of terrorism.

Description and findings re EC7: Reporting entities must have in place AML/CTF programs which include appropriate risk-based systems or controls which help the entity to identify, manage and mitigate the risk they face that provision of their services might involve or facilitate money laundering or terrorism financing.

The AML/CTF Act and Rules