11 Negotiating Cooperation Agreements: The Experience of the Australian Prudential Regulation Authority (APRA)
- International Monetary Fund
- Published Date:
- June 2007
1.1. This chapter discusses the role of formal cooperation agreements in facilitating international regulatory cooperation. It does so drawing on the experience of the Australian Prudential Regulation Authority (APR A).
2. APRA’s Confidentiality Requirements
2.1. APRA was established in 1998 from 11 predecessor agencies. The current functions of APRA were previously undertaken by a range of bodies, including the Reserve Bank of Australia (RBA), the Insurance and Superannuation Commission (ISC), and various state regulatory agencies. APRA is an integrated prudential authority to the extent that it covers authorized deposit-taking institutions (banks, credit unions, and building societies), life and general insurance, and certain superannuation (pension) funds. Unlike many other integrated regulators, however, APRA does not cover securities business.
2.2. APRA and its staff are subject to secrecy requirements. Taking advantage of the relatively recent provenance of the legislation establishing the regulatory authority, the requirements have been updated to bring them up to current international standards.
2.3. APRA “staff, members and other officers” are prohibited from disclosing “protected information” and “protected documents” by Section 56 of the APRA Act 1998. Information or a document will be protected if
2.3.1. it was acquired by APRA for the purpose of a “prudential regulation framework law”; and
2.3.2. it relates to:
the affairs of a body regulated by APRA (i.e., a bank or other authorized deposit-taking institution, a life or general insurer, or a superannuation entity); or
the affairs of a registered entity (e.g., a finance company or money market corporation); or
a body corporate related at any time to a regulated body or registered entity; or
a person who is, has been, or proposes to be a customer of a regulated body or registered entity.
2.4. In simple terms, information or a document provided by an overseas regulatory agency to APRA about a particular financial institution to assist APRA in regulating it will usually be protected from disclosure. Breach of this secrecy provision is a criminal offense, carrying a penalty of imprisonment for up to two years. There are particular situations, however, where information or documents can be released without infringing Section 56. This includes situations where:
2.4.1. the disclosure is “for the purposes of” a prudential regulation framework law. This will depend on the particular instance of disclosure. The precise ambit of this exception has not been tested but includes instances where a prudential regulation framework law:
specifically provides for the disclosure—for example, Section 131A of the Superannuation Industry (Supervision) Act 1993 (SIS Act) provides that APRA may give information to a relevant professional body about an actuary’s or auditor’s failure to comply with certain duties in relation to a regulated superannuation fund; or
necessarily contemplates a disclosure—for example, the Insurance Act 1973 and the Banking Act 1959 provide that certain decisions are reviewable by the Administrative Appeals Tribunal, and it would be necessary for APRA to provide all relevant documents to the tribunal for this purpose;
2.4.2. the disclosure occurs with the written consent of the person or financial institution concerned;
2.4.3. the disclosure is to, and will assist, a “financial sector supervisory agency,” either Australian or overseas;
2.4.4. the disclosure is to, and will assist, bodies prescribed by regulation under Section 56, for example: the Reserve Bank of Australia;
the Australian Bureau of Statistics;
the Australian Federal Police or a State or Territory Police Force;
the Department of Treasury;
a Commission of Inquiry, established under the Royal Commissions Act 1902;
the Australian Transaction Report and Analysis Center (AUSTRAC), Australia’s financial intelligence unit;
the Council of Financial Regulators; and
the Australian Crime Commission.
2.4.5. the disclosure is authorized by an instrument in writing made by APRA or its delegate under the APRA Act;
2.4.6. the disclosure is to an APRA member or staff member for the purposes of the performance of APRA’s functions or the exercise of its powers;
2.4.7. the information is a summary or aggregate such that information relating to any particular person cannot be found out;
2.4.8. the information consists of contact details for persons who perform public functions for the financial institutions concerned; and
2.4.9. the information relates to whether or not a regulated entity complies with a particular section of a prudential regulation framework law.
2.5. From the preceding, it can be seen that APRA may provide protected information and documents to certain other domestic agencies to assist them in their powers and functions. Employees of an agency who receive such information or documents will, themselves, be bound by the act, and will not be able to release the information other than under an exception to Section 56 or where the release is for the purpose for which APRA gave the agency the information.
3. APRA’s Powers to Assist Foreign Regulators
3.1. APRA can exercise its powers under the various acts it administers to obtain information from regulated entities. Apart from limited powers under the Mutual Assistance in Business Regulation Act (MABRA), APRA does not have the power to obtain information from a regulated entity on behalf of an overseas regulator, unless the information was required for its own supervisory purposes under one of these acts. If APRA has already obtained information for its own supervisory purposes, however, then it will be able to share this information with an overseas regulator to assist the latter to perform its functions. Protected information includes customer information, but, again (except under MABRA), APRA would need this for its own purposes before it could seek this from an institution.
3.2. APRA has power to take enforcement action, issue directions, etc. but can do so only in accordance with the various acts that it administers. APRA cannot prevent an entity from engaging in particular conduct solely because of concerns raised by an overseas regulator—the conduct must empower APRA, under domestic legislation, to take such action.
3.3. The legal provisions (gateways) are written in a way that does not require APRA to enter into a Memorandum of Understanding (MoU) in order to share regulatory information. APRA has, in the past, experienced relatively good cooperation on information sharing with most regulators. There have been a small number of exceptions. One concerned sensitivity by a requested authority about exchanging information, especially documents, from one host supervisor of a specific institution to another, owing perhaps to concerns about responsibilities to the home supervisor. Other examples were with respect to insurance firms. In some of these instances, the desire of the requested authority to protect confidentiality of the information requested was one reason for not meeting a request. This is an issue for many countries, since most jurisdictions have limits to the protections they can offer, as mentioned above for APRA. So although an agency can undertake to do all it can to protect information, there is usually some risk of release and even a chance, in some circumstances, that the information might become public.
3.4. In other cases, there is a requirement that an MoU be in place and that equivalency of protections be established for information to be exchanged. It can be a slow process where equivalency is to be established, given that there may be limited resources available in either jurisdiction for a proper analysis of equivalence. A number of jurisdictions have indicated a willingness to put MoUs in place but also explained that other jurisdictions have priority, either because assessed cross-border risks are higher or simply because discussions with them commenced earlier. In yet other cases, legal constraints have been mentioned.
3.5. On the question of how concerns about confidentiality can best be addressed, in APRA’s case there has been no practical example of forced disclosure of exchanged information against APRA’s wishes. Assurances to this effect are a source of some comfort to peer regulators commencing discussions. Beyond this, counterparts can only undertake to protect the information within the powers they have—for example, seeking to obtain confidentiality orders in court hearings, parliamentary hearings, etc. if documents have to be disclosed and obtaining prior consent before disclosing them voluntarily to third parties (a standard provision of most MoUs).
3.6. As mentioned previously, APRA also is subject to the Mutual Assistance in Business Regulation Act 1998. This sets out a process for overseas regulators, for business law purposes, to seek assistance from APRA (and other Australian agencies subject to the act) to obtain documents or take testimony on behalf of (or in the presence of) the overseas financial sector supervisory agency. This is a fairly complicated process, requiring consent by the Attorney General of Australia. A person called to give oral testimony cannot reasonably refuse to do so. Importantly, the information cannot be used as evidence for criminal purposes (on grounds that evidence obtained for one purpose cannot be used for another), and undertakings to this effect from the overseas regulator would be required. Again, APRA has had no experience in handling a request under this legislation. There is similar legislation in Australia covering gathering of information for overseas jurisdictions for criminal purposes, but this is beyond the scope of APRA.
3.7. APRA has no responsibility for securities matters—these are the responsibility of the Australian Securities and Investment Commission. Also, APRA has no legislative responsibilities for anti-money laundering/combating the financing of terrorism (AML/CFT). These responsibilities fall to AUSTRAC, which receives reports of both all cash transactions of $10,000 and over and all other suspicious transactions. APRA has an interest in an authorized entity’s policies and procedures for AML purposes, such as know-your-customer (KYC) arrangements and codes of conduct, but this is a high-level interest considered along with other governance matters from the general operational risk point of view and is relevant only in the same way any other legal or compliance risk is relevant in our assessment of a regulated entity’s failure probability. APRA meets with AUSTRAC on an ad hoc basis. One quirk in Australia’s legislative arrangements is the fact that APRA can refer matters to AUSTRAC, but not the other way around.
4. Memoranda of Understanding
4.1. Without a requirement to have MoUs, it might be assumed that APRA had little reason to pursue them. However, one prime driver pressing APRA to do so was the HIH Royal Commission Report (on the failure of the HIH Insurance Group). The report noted that APRA had minimal formal information-sharing agreements in place and recommended that APRA seek to conclude MoUs with key counterparties in order to improve the exchange of confidential information.
4.2. APRA concluded that it could not properly enter into MoUs with other regulators without conducting a due diligence process designed to establish the limits facing a counterparty in meeting undertakings in an MoU—particularly the protection of information. The due-diligence process, by its very nature, involves useful learning about relevant arrangements in the counterpart jurisdictions. So APRA has established an MoU program to
4.2.1. understand the reach of applicable legislation and other legal instruments, and administrative practices applying to professional secrecy and related matters in counterpart jurisdictions, including the limits to confidentiality;
4.2.2. meet conditionality requirements in other jurisdictions to enable them to share confidential information;
4.2.3. inform others of the limits to APRA’s ability to resist disclosure (for example, a request from a royal commission or from parliament);
4.2.4. set up contacts and establish the procedures for formal information sharing, if required; and
4.2.5. flag that there are other gateways, in particular circumstances—in particular, for taking testimony.
4.3. Most regulators have a general obligation in their legislation prohibiting them from disclosing confidential information to third parties. However, most, if not all, have exceptions to this rule. The extent of the exceptions varies from jurisdiction to jurisdiction. Therefore, a simple assurance that a secrecy obligation exists in a jurisdiction is insufficient to fully understand the circumstances in which a counterpart may be compelled or obliged to share information. Further, MoUs are not legally binding and generally do not contain a strict obligation prohibiting disclosure—rather it is on a “best endeavors” basis, meaning that each party will use their best endeavors to preserve confidentiality. As such, it is important to understand the circumstances in which other jurisdictions are compelled to disclose. The equivalency process enables APRA to be fully aware of these circumstances and may influence what types of conditions we impose on information being released.
4.4. It is important to note that APRA has not yet processed any inward international requests under these formal arrangements, and we have no reason to expect this to change. APRA routinely receives and responds to informal requests, however. In fact, APRA would prefer to keep information exchanges informal, since this is easier, quicker, more flexible (tends to be confined to existing information), and less process driven, but regards it as useful to have MoUs in place in case of need.
4.5. APRA also has MoUs with seven domestic agencies, including the Reserve Bank of Australia, the Australian Securities and Investments Commission (ASIC), the Australian Competition and Consumer Commission, and a number of state bodies. It is common, especially with ASIC, to share information under the MoU as well as informally.
4.6. APRA is at a relatively early stage in its process of putting MoUs in place, having adopted its current policy toward MoUs in 2003. Prior to this, there was only one MoU—with the Bank of England (which transferred to the U.K. Financial Services Authority (FSA)). This MoU covered only banking. Now APRA has two MoUs in place: one with the U.K. FSA (covering all corresponding remits) and one with the Reserve Bank of New Zealand (covering banking). Several more are at various stages of development.
5. Concluding an MoU
5.1. The process of concluding an MoU involves several steps.
5.2. APRA first determined which jurisdictions and regulators were the highest priorities for an MoU. For the business case to set such priorities, APRA looked at the extent and risk profiles of business under-taken by entities from Australia in the overseas jurisdiction and of the business undertaken in Australia by the entities from the overseas jurisdiction.
5.3. Following an approach to the counterparty authority, there has been a range of responses in addition to those we are working with to conclude MoUs. Some were not interested. Others have said they would do so if it were essential to information sharing (e.g., required by law) but preferred not to. Others agreed in principle but invited APRA to wait for them to conclude MoUs with others already in their queues. Given that APRA has limited resources for this work, the consequential delays have not been a problem. In addition to the jurisdictions at the top of its own list, APRA itself has been approached by a number of other jurisdictions. For some of these, it is not clear to APRA that there is a solid business case for us to go through the process of concluding an MoU. For others, we have had to signal that we would be happy to work toward establishing one in due course, but that there are other jurisdictions ahead of them in the queue for the present.
5.4. The second step, once a jurisdiction indicates it is ready to commence discussions, is to conduct a due diligence process on professional secrecy and related arrangements, including the purposes for which information may be used.
5.5. Our Office of General Counsel took the view that it would be inefficient for his staff to attempt to assess the law and practice in target overseas jurisdictions. Consequently, we decided we would seek the relevant information from our counterparts via questionnaire. APRA also completed a similar questionnaire for Australia to use in assisting counterparts with their due-diligence processes. We also produced a general description of arrangements in Australia. Thereafter, there is an interactive process to clarify the situation.
5.6. The third step was to determine in which negotiations APRA would seek to build on preexisting MoUs, amended as appropriate, to try to get some early runs on the board. Such preexisting models included the following:
5.6.1. MoUs based on Basel Core Principles to cover banking only;
5.6.2. the IAIS (International Association of Insurance Supervisors) model for insurance regulators; and
5.6.3. a case-by-case approach otherwise for integrated regulators based, where possible, on drafts they might have.
5.7. The fourth step was to ensure that the MoUs contained the necessary provisions. APRA seeks the usual provisions on such aspects as
5.7.1. constraints on onward transfer;
5.7.2. clearance where there may be a third-party request;
5.7.3. circumstances where information disclosed could be passed to another authority without APRA’s permission (for example, where the information revealed a suspicion that had to be reported under AML/CFT obligations, the information revealed unlawful activity in the recipient’s jurisdiction, the disclosure was required by law, or disclosure was necessary to fulfill the purpose for which the information was requested in the first place);
5.7.4. consultation about on-site inspections in the counterpart jurisdiction;
5.7.5. whether assistance is limited to information exchange or other possible forms of assistance; and
5.7.6. allowance for cost sharing.
5.8. Australia has also been keen to ensure the widest possible coverage of types of information, including types of institutions. Consequently, we have expanded coverage expressly to cover conglomerate operations, corporates/noncorporates, reinsurance entities, and sister affiliates (i.e., host-to-host exchanges to allow discussions on related entities operating elsewhere than in the home jurisdiction).
5.9. Protected information includes information on customers of institutions if relevant, for example, to a prudential concern, so this, too, would be covered by an MoU. Institutions, however, tend to be very cautious about supplying customer information owing to privacy concerns.
5.10. APRA is careful not to promise what it cannot deliver. The MoU cannot override domestic legislation. APRA must be able to refuse to assist on public policy grounds if they apply—so every MoU obligation is on a best endeavors basis.
6. Streamlining the Approach
6.1. More recently, APRA has started to think that there might be value in generalizing this type of approach—particularly for integrated regulators, such as APRA, that have limited resources to put into the process of negotiating MoUs or that have just recently been formed. This would need to be a modular approach to cover the breadth of different remits in the growing population of integrated regulators.
6.2. It would also be of particular interest for a compendium of respective law and practice on professional secrecy and other questions related to information exchange to be prepared by survey to assist regulators in their due diligence work on other jurisdictions.
6.3. One of the key issues involved in information sharing in the context of the safety and soundness of financial institutions (an important concern of banking and insurance supervisors) is that it is unlikely regulators will feel confident sharing information about stability problems with all others who have a legitimate interest. We have to be realistic about that. There is, however, much that can be done short of exchanging doubts about stability. For example, regulators can look at internal procedures to ensure appropriate flags are raised where there are policies under development or where other events occur that affect other jurisdictions, and pass along information about those developments.
6.4. Beyond this, there is much serious work to be done on cross-border cooperation and coordination, especially developing information exchange protocols where there is a business case for them. This should include frontline supervision in respect of institution-specific material and crisis-management arrangements. Policy development should also be undertaken where harmonization is needed for competitive equity and to minimize compliance costs. MoUs and their related due diligence can be seen as a first step in developing regulatory relationships that will underpin higher-level cooperation over time.