APRA flags GCRA, climate risk and cybersecurity among its key priorities over the coming year

Overview | APRA's supervisory and policy priorities for the next 12 to 18 months 

The Australian Prudential Regulation Authority (APRA) has released two papers identifying its planned changes to the prudential framework and the key risks within the financial system on which it will focus its supervisory efforts. 

Key takeouts

  • The policy and supervision priorities identified are underpinned by the four strategic goals in APRA's Corporate Plan: 1) maintaining financial system resilience; 2) improving outcomes for superannuation members; 3) improving cyber-resilience in the financial sector; and 4) transforming governance, culture, remuneration and accountability (GCRA) across all APRA-regulated institutions.
  • Among APRA’s key cross-industry policy priorities for 2020 are initiatives aimed at driving improvements in GCRA, including finalising a more robust prudential standard on remuneration, and updating prudential standards on governance and risk management.
  • APRA’s 2020 supervision priorities include: a) maintaining financial resilience, including through increased focus on recovery and resolution planning and stress testing; b) conducting a range of governance, culture, remuneration and accountability (GCRA) related supervisory reviews and deep dives, and using entity self-assessments to drive greater accountability; c) encouraging underperforming superannuation funds to urgently 'improve member outcomes or exit the industry'; and d) more closely assessing institutions’ capability to deal with emerging and accelerating risks, such as cyber-security and climate change.
  • Climate risk: APRA has said it will release a prudential practice guide to encourage regulated entities to better prepare for climate risks and clarify regulatory expectations by the end of the year. APRA will also develop a climate stress test 'to enable a better understanding of the overall financial system’s resilience to climate-related risks'.
  • This is the first time that APRA has published its supervision priorities. Commenting on this, APRA Chair Wayne Byres said that doing so is 'intended to create greater public awareness of the types of activities our supervisors undertake, and supports our commitment to greater transparency and accountability. Our new Year in Review publication will be used to report at the end of the year on our progress against the priorities we have identified'.

Context: APRA's policy and supervisory priorities

The Australian Prudential Regulation Authority (APRA) has released two documents setting out its policy and supervision priorities for the next 12 to 18 months.

APRA says that its priorities are underpinned by the four strategic goals set out in the regulator's most recent Corporate Plan namely: 1) maintaining financial system resilience; 2) improving outcomes for superannuation members; 3) improving cyber-resilience in the financial sector; and 4) transforming governance, culture, remuneration and accountability (GCRA) across all APRA-regulated institutions.

A high level summary of some of APRA's key policy and supervisory priorities is below.

[Note: Attachment B of the policies document is a table summarising the proposed actions/timelines for delivering APRA's policy objectives. Attachment A of the supervisory document is a table summarising APRA's supervisory activities and timelines.]

Cross industry policy and supervisory priorities

1. Governance, Culture, Remuneration and Accountability (GCRA) risk

Policy priorities: revising prudential expectations: APRA plans to update core cross-industry standards to strengthen prudential expectations for governance, remuneration, accountability and non-financial risk management.

  • Revised governance standard: APRA intends to consult on changes to Prudential Standard CPS 510 in the second half of 2020. The expected effective date is 2022. The relevant superannuation standards, Prudential Standard SPS 510 Governance and Prudential Standard SPS 220 Risk Management, will also be reviewed.
  • Remuneration: APRA says that it expects to release a response paper on draft Prudential Standard CPS 511 Remuneration in the first half of 2020. The new standard is expected to be finalised in the first half of 2020. The expected effective date is July 2021. Consultation on associated reporting and disclosure requirements and prudential guidance will commence shortly thereafter.

[Note: APRA released a discussion paper and new draft Prudential Standard (CPS 511) proposing stronger and more prescriptive prudential requirements for remuneration across all APRA-regulated entities in the banking, insurance and superannuation sectors in July 2019. The deadline for submissions was the 23 October. The proposed new standard aims to address the remuneration-related recommendations made by the Financial Services Royal Commission (Recommendations 5.1, 5.2 and 5.3) as well as insights gained from the Prudential Inquiry into the Commonwealth Bank of Australia (CBA), APRA’s Review of Remuneration Practices at Large Financial Institutions and its summary of industry self-assessments of governance, accountability and culture. For a summary of APRA's proposals see: Governance News 24/07/2019.]

[Note: In a recent speech providing an update on the consultation, APRA Chair Wayne Byres said that APRA is working through the submissions received in response and is yet to finalise its approach. See: Governance News 13/11/2019.]

  • Accountability: APRA plans to consult on updates to the existing fit and proper requirements in Prudential Standard CPS 520 Fit and Proper in the second half of 2020. APRA says that given the significant overlap with the obligations of accountable persons under the Banking Executive Accountability Regime (BEAR), the updates will address potential inconsistencies and also support the alignment with the legislative requirements under the extended accountability regime (the Financial Accountability Regime (FAR)). The expected effective date is 2022.

[Note: On 22 January, the government released a proposal paper, outlining plans for the new Financial Accountability Regime (FAR) (which will replace the Banking Executive Accountability Regime (BEAR)). The new regime proposes to extend BEAR-like accountability requirements to other APRA-regulated entities and directors/senior executives in accordance with the government's response to several Hayne Commission recommendations. The due date for submissions to the proposals is 14 February. For a summary of the proposed changes, including expert insights into the broader implications for industry see: Governance News 23/01/2020.]

GCRA Risk: Supervisory priorities

From a supervisory perspective, APRA says that it is intensifying its focus on GCRA to enhance the resilience of regulated entities by: a) strengthening the prudential framework; b) sharpening APRA’s supervisory focus; and c) sharing APRA’s insights.

  • Self-assessment follow up — progress against remediation plans: APRA says that ensuring that entities appropriately address the weaknesses identified in CBA-style self-assessments remains a core supervisory focus area. As such, APRA plans to undertake a series of targeted engagements during 2020 to assess entities progress against their remediation plans. APRA says that 'more forceful supervisory actions will be considered where sufficient progress has not been made.'

  • Review into governance practices: APRA says it has also recently commenced a review to assess the effectiveness of governance arrangements across a subset of regulated entities. APRA is seeking to identify drivers of effective governance practices by reviewing: a) the value of insights gained from reviews required under Prudential Standard CPS 220 Risk management (CPS 220); b) the robustness of processes supporting the CPS 220 risk management declaration; c) the role and effectiveness of board committees; and d) processes undertaken to assess board effectiveness.

  • Deep dive risk culture reviews: APRA will be conducting 'deeper reviews of risk culture practices'. APRA says that these ‘deep dive’ risk culture reviews will be set at three per year from 2020 onwards. APRA expects that the reviews will involve a high degree of supervisory intensity, including interviews with directors, executives and staff as well as focus groups involving non-managerial staff.

  • Remuneration — assessment of CPS 511 implementation plans: APRA says that once CPS 511 is finalised it will commence an assessment of entities' implementation plans to gauge emerging market practice. APRA says that it will communicate the findings to industry to reinforce APRA’s expectations for implementation. In addition, APRA will undertake a series of 'deep dive' reviews with a focus on the design, implementation and outcomes of remuneration frameworks.

  • BEAR Review: APRA says that it is working closely with the Treasury and the Australian Securities and Investments Commission (ASIC) to extend the BEAR to the insurance and superannuation sectors. Once the proposed new legislation is finalised, APRA will start engaging with entities on planning for implementation of the regime. APRA adds that it is currently assessing how effectively BEAR has been implemented in the banking industry and plans to make the key findings of this review public by mid- 2020.

2.Financial system resilience: policy and supervisory priorities

Policy priorities include the following.

  • Risk management and operational and non-financial risks: APRA expects to consult on standards for the management of operational and other non-financial risks and compliance (Risk management CPS 220), and revised Prudential Standard CPS 231 Outsourcing and Prudential Standard CPS 232 Business Continuity Management in the second half of 2020. The expected effective date is 2022. APRA says that the relevant superannuation standards, Prudential Standard SPS 231 Outsourcing and Prudential Standard SPS 232 Business Continuity Management, will also be reviewed as part of this process.
  • Resolution framework: APRA plans to consult on a new prudential standard for recovery and resolution planning which will implement reforms from the Financial Sector Legislation Amendment (Crisis Resolution Powers and Other Measures) Act 2018 (Crisis Management Act) in the first half of 2020 with a view to finalising the standard by the end of the year. The new standard is expected to set out requirements for the development and execution of recovery and resolution plans and will apply to ADIs, general insurers and life insurers. The expected effective date for the new standard is 2022.

From a supervisory perspective, APRA observes that low interest rates, combined with limited growth, are creating a profitability challenge for many entities. APRA says that its supervision 'will be looking for signs that these pressures are inducing entities to increase their risk-taking as a means of sustaining their desired returns'.

APRA will also strengthen its own internal capabilities to deal with possible entity failures.

3. Cybersecurity

  • Cyber-security — implementation of CPS 234 and IT Risk data collection: APRA says that its current supervisory focus is on ensuring effective implementation of new standard CPS 234 Information Security. In addition, APRA says it is also developing a new data collection to gain a broader understanding of entities’ management of Information Technology (IT) risk, including cyber risk. This is expected to assist the regulator in directing supervisory resources to areas of heightened risk. APRA is currently trialling the IT risk data collection at selected insurers and large ADIs, and intends to extend the data collection to all industries in due course.
  • New data standard: APRA will consult on a new cross-industry standard on data management to improve the quality of risk data aggregation and reporting in the second half of 2020. The expected effective date is 2021/2022.

4. Climate change financial risk

  • Policy priorities: APRA intends to publish a prudential practice guide to encourage regulated entities to better prepare for climate risks and clarify regulatory expectations. This guidance is intended to assist entities in developing frameworks for the assessment and monitoring of climate-related risks, including aspects of governance, strategy, risk management, metrics and disclosure. Consultation is expected to commence in mid-2020. Guidance is expected to be finalised by the end of the year.
  • Supervisory priorities: APRA says that 'a key supervisory initiative for 2020 is to develop a climate change stress test'. The stress test is intended to enable a better understanding of the overall financial system’s resilience to climate-related risks. APRA says it is collaborating with the Reserve Bank of Australia and Australian Securities and Investment Commission on the design of the stress test. The expected commencement date is 2021.

5. Other cross industry priorities

Stress testing

  • Policy priorities: APRA intends to publish a stress testing prudential practice guide. APRA expects to consult on the prudential practice guide in the second half of 2020.
  • Supervisory priorities:
    • Banks: From 2020, APRA will transition to more frequent, annual industry stress testing for large ADIs (previously, a comprehensive industry stress test had been conducted on a three-yearly cycle, with additional, less intensive testing conducted in the intermediate years). APRA also plans to test resilience to broader stress scenarios, including the impacts from operational and climate change financial risks. APRA is also currently undertaking a stress test of the largest ADIs to assess their resilience to a severe economic downturn and significant liquidity stress. APRA says that it will be engaging directly with individual ADIs on the results of the stress test and that at the conclusion of the exercise, it plans to publish a report on its overall assessment of the banking industry's financial resilience.
    • General insurers: APRA is currently assessing selected general insurers’ internal stress testing capabilities. APRA will engage with the industry during the second half of 2020 on identified areas for improvement. In addition, in response to the recent severe bushfires and other climate-related events, APRA will be undertaking scenario analysis of insurer’s reinsurance programs, to understand the impact of further natural catastrophe events during the current financial year.Unquestionably strong capital and the Basel III reforms: APRA expects to consult further on changes to the credit risk standards, as well as its preferred option for implementing the transparency, comparability and flexibility requirements (including the capital floor), in the first half of 2020. A further round of consultation on the draft standards is also planned for later in 2020. APRA says that it plans to finalise the standards around the end of 2020, with the revised standards likely to take effect from the beginning of 2022, consistent with international timelines.
  • Measurement of capital: APRA is currently considering updates to its criteria for measuring an ADI’s regulatory capital and intends to finalise the changes to Prudential Standard APS 111 Capital Adequacy: Measurement of Capital in early 2020, with the revised standard to take effect from 1 January 2021.
  • Stored value facilities framework: APRA is reviewing its approach to regulating Purchased Payment Facilities (PPFs) to ensure it is proportionate to the risks, and appropriate in the context of the Council of Financial Regulator's (CFR’s) proposed framework and recommendations arising from the review process. APRA will consult on a revised prudential standard in the second half of 2020.
  • ADI and NOHC authorisation guidelines: APRA is reviewing its authorisation guidelines for ADIs, including for foreign ADI branches and non-operating holding companies (NOHCs). APRA intends to publish revised ADI authorisation guidelines in the first half of 2020, and revised NOHC authorisation guidelines in the second half of 2020.

Banking: supervisory priorities

  • Cyber-resilience: In addition to cross-industry initiatives on cyber resilience, APRA says it will be prioritising the review of IT risk management at large ADIs in 2020.
  • Financial resilience/crisis readiness – problem loan management review: APRA will commission an in-depth targeted review of processes for managing problem loans and collateral. The targeted review will examine whether credit systems and processes would be effective in managing the potential risks from 'less benign economic conditions'. The review will focus on the largest ADIs and is expected to be undertaken in the second half of 2020.
  • APRA will also continue to assess the long-term risk outlooks to banks’ business models throughout 2020. The outcomes of these assessments will inform APRA’s supervisory strategies for individual entities. APRA says that those with the weakest outlooks will be prioritised for more intensive scrutiny and contingency planning.

Insurance policy priorities

  • PHI Capital framework: The current consultation on the PHI capital framework will close on 27 March 2020. APRA expects to consult on draft prudential standards in the second half of 2020. The expected effective date is 2023.
  • AASB 17 and LAGIC refinements: APRA’s capital framework for insurers is based on an accounting treatment that will be revised with the introduction of AASB 17. APRA says it will continue to develop its position on the integration of AASB 17 into its capital and reporting standards in more detail over the coming year and expects to release a discussion paper in the first half of 2020. In addition, APRA will also consult on refinements to the LAGIC framework. APRA says it is currently considering stakeholder feedback on implementation timeframes, taking into account the International Accounting Standards Board’s proposed effective date for the new standard. The expected effective date for the changes, once finalised is 2023.
  • Offshore reinsurers: APRA intends to consult on the draft revised Prudential Standard LPS 117 Capital adequacy: Asset concentration risk charge (LPS 117) in the first half of 2020. The changes are expected to be finalised in the first half of 2021. The expected effective date is 2021/2022.Insurance: supervisory priorities

Insurance supervisory priorities

From a supervisory perspective, APRA identifies a number of areas of focus. These include the following.

General Insurance

  • Overseas reinsurance: APRA will be looking to increase its supervisory engagements with the parent entities of overseas reinsurance groups and the home regulators of material international reinsurers. Supervisors will also direct more time and resources to analysing overseas reinsurance group reporting and recovery planning.
  • PI and D&O review: Insurers with material professional indemnity (PI) or directors and officers (D&O) insurance will be subject to heightened supervision. APRA supervisors will engage with insurers to understand how they are responding to the risks affecting the availability and affordability of the products
  • Life insurers — IDII intervention: APRA says that the life insurance industry will remain subject to heightened supervisory intervention, in light of concerns about the sustainability of certain products, particularly individual disability income insurance (IDII). In addition to measures already in place (eg higher capital requirements) to address flaws in product design/pricing, APRA will introduce a new 'more granular IDII data collection to help monitor and assess life companies’ progress in meeting APRA’s expectations'. These issues will remain an area of focus for APRA in 2020 and that it will consider 'more forceful supervisory actions) eg issuing directions or making changes to licence conditions where APRA considers that do not met APRA's expectations. APRA says that it will also 'consider lessons learnt from the work in IDII and turn its attention to other higher risk product types, such as Total and Permanent Disability Insurance'.

Friendly societies: In the first half of 2020, APRA will release a roadmap for its approach to supervising the friendly society industry which will outline APRA’s supervisory response to industry resilience and sustainability risks. APRA says that friendly societies should expect heightened supervisory intensity in areas of: a) financial resilience; b) risk governance; c) board tenure; d) profitability and e) capital.

PHIs — resilience planning: In June 2019, APRA set out its expectations of private health insurers (PHIs) for improving their resilience to ongoing sustainability challenges. APRA required PHIs to develop strategies to address sustainability risks, as well as recovery plans. During 2020, APRA will focus on assessing industry's progress in addressing these concerns. APRA cautions that 'PHI’s that continue to take a passive approach to these risks can expect a more forceful supervisory response from APRA'.

Superannuation policy priorities

APRA says that it is 'focused on maintaining both the resilience and sustainability of the superannuation sector, and the delivery of improved outcomes for superannuation members, consistent with APRA’s strategic focus area'.

  • Enhancing the prudential framework: APRA plans to progress the 'full suite of enhancements outlined in its post-implementation review of the superannuation prudential framework' over 2020 and into 2021, including the release of a discussion paper covering the governance related prudential standards, in the first half of 2020. Enhancements to the risk management, outsourcing and business continuity management prudential standards will follow in mid to late 2020. In addition, APRA will be updating its guidance on the sole purpose test in 2020.
  • Royal Commission recommendations: APRA will continue to support the government in implementation of the Hayne Commission recommendations including recommendations to: a) expand ASIC’s role in superannuation; b) prohibit certain dual regulated entity structures (which present unmanageable conflicts of interest); c) prohibit and limit the deduction of advice fees from superannuation accounts; and d) establish a compensation scheme of last resort. APRA will also look to provide guidance to the industry regarding associated legislative changes, as required.
  • Protecting your superannuation package reforms: Over 2020, APRA will continue to work with government and industry to ensure that the policy intent of the insurance reforms is achieved, including through the issuance of further guidance as needed.

Superannuation: supervisory priorities

From a supervisory perspective, one of APRA's core areas of focus is improving outcomes for superannuation members. APRA identifies a number of aimed at intensifying its supervisory approach to this end. Measures include the following.

  • Implementation of SPS 515: ensuring that trustees effectively implement the new Prudential Standard SPS 515 Strategic Planning and Members Outcomes (SPS 515)
  • Follow up work on the fees and charges review (industry level findings will be made public in the first half of 2020)
  • Management of conflicts of interest (outsourcing review): APRA says that it has commenced an in depth review of selected large trustees’ management of outsourcing providers, focusing on related party arrangements and managing conflicts of interest. APRA plans to make its industry level findings public in early 2021.
  • Board effectiveness: APRA plans to review the effectiveness of board appointment processes and the appropriateness of tenure policies with a view to limiting actual/perceived barriers to achieving the 'optimal mix of skills and experience needed to fulfil trustee obligations'.
  • Superannuation data: APRA will be issuing periodic data collection requests of trustees as part of its project to enhance superannuation data collection.

Get unlimited access to all Global Banking Regulation Review content