Information paper - Authorised deposit-taking institutions: guide for directors

An excel version of the Guide for ADI Directors is available below:

Introduction

This information paper assists directors of authorised deposit-taking institutions (ADIs) in understanding their obligations under APRA’s prudential framework. It brings together, in one place, material requirements and guidance for ADI boards from APRA’s prudential standards and prudential practice guides (PPGs).

It includes: 

• The role of directors at an ADI: Overarching guidance for directors to assist Boards in providing effective oversight of an ADI. This guidance is derived from APRA’s Aid for Directors, which was originally published in 2014.
   
• Specific obligations: A comprehensive list of material requirements and guidance for Boards currently contained in APRA’s prudential standards and PPGs. 

This Guide does not introduce new requirements or guidance, beyond those that have already been published. It is confined to prudential requirements that have been established by APRA, and excludes obligations that come from primary legislation.¹

This Guide is intended for information purposes only and does not take the place of any APRA prudential standard or guidance or establish any formal requirements beyond those already set in the prudential standards. For the purposes of understanding the detailed requirements, refer to the prudential standards and guidance directly.

The Guide for ADI Directors is presented in an integrated manner, with enforceable requirements from prudential standards at the start of each section in blue boxes followed by the relevant accompanying guidance below.

Version: 30 September 2022

This version of the Guide is based on prudential standards that were in force at 30 September 2022. It also includes prudential standards that have been recently finalised, which are due to come into effect in 2023.² Requirements that are still subject to consultation have not been included.

APRA will regularly update this Guide as changes are made to the prudential framework, so that the compilation remains current. Broader context surrounding the particular obligations included in this Guide can be found in the underlying prudential standards and PPGs.
 

Figure 1: Summary of APRA requirements 

Chapter 1 - The role of directors at an ADI

This chapter provides general guidance to assist directors in providing effective oversight of an ADI. Content is based on APRA’s Aid for Directors, which is a general guide first published in 2014.

Aid for Directors

APRA’s approach to supervision is built on the premise that the board and management of an APRA-regulated entity are primarily responsible for the entity’s financial soundness and prudent risk management. 

With this in mind, APRA imposes various requirements and duties on boards, in addition to those that apply to all entities under the Corporations Act and other legislation. APRA’s requirements form part of a framework which is designed to protect the interests of depositors within a stable, efficient and competitive financial system. 

The additional obligations imposed under APRA’s prudential framework, while substantial, can be readily met by a well-functioning board that has an appropriate mix of skills and experience amongst its directors and strong support from management. 

This chapter is intended to help directors of the board of an ADI understand the additional responsibility placed on them under APRA’s prudential framework. It assumes that the director is otherwise an experienced board practitioner, and familiar with directors’ duties more generally.  

What is the purpose of APRA regulation?

ADIs are subject to the governance requirements that apply to any other company, including the Corporations Act. For those companies that are publicly listed, the Australian Securities Exchange Corporate Governance Council’s Corporate Governance Principles and Recommendations are also relevant.³  

Beyond the general obligations that apply to all corporations, ADIs are also subject to prudential regulation by APRA. There are two primary purposes that prudential regulation seeks to fulfil: 

• To protect the interests of depositors: The efficient functioning of the financial system is dependent on the promises to depositors being met in full and on time. It is also critical that depositors have confidence in the safety of future payments due to them. Yet many lack the capacity, due to the nature of their interests and the complexity of banking businesses, to make informed judgements about the financial soundness and longer- term viability of the financial institutions with which they deal. Through setting appropriate standards and undertaking active supervision, prudential regulation seeks to instil confidence in the community that regulated institutions are operating in a safe and sound manner. 
   
• To promote financial stability: The cost of, and potential disruption from, the failure of a financial institution may be significantly greater than that of a normal commercial enterprise – beyond the impact on its own depositors or other creditors. This is because the failure of one financial institution may have flow-on impacts on other financial institutions through direct inter-linkages or as a result of loss of consumer confidence. By setting minimum standards, prudential regulation seeks to ensure that the risks of financial instability, and the wider costs to the community of such instability, are adequately taken into account in the way in which financial institutions operate. 

Further, there can be inherent conflicts between the interests of shareholders, management and depositors, and these need to be managed fairly. APRA’s prudential framework therefore holds ADIs to high standards in terms of governance and prudent management. Boards play a critical role in ensuring those standards are met.

What is the legal basis of the prudential framework?

The prudential framework for ADIs is set out in a three-tiered framework of legislation, prudential standards and PPGs. 
There are three foundational pieces of legislation on which APRA’s activities are based: 

• the Australian Prudential Regulation Authority Act 1998 (APRA Act) sets out APRA’s broad objectives and powers; 
   
• the Banking Act provides for prudential supervision of ADIs by APRA, and establishes that APRA must exercise its powers and functions for the protection of depositors and for the promotion of financial system stability; and
   
• the FSCOD Act deals specifically with APRA’s powers to collect a range of financial and other data from regulated institutions. 

Under the APRA Act, APRA’s purposes include regulating bodies in the financial sector where the law provides for their prudential regulation. The Act requires APRA to do so while balancing the objectives of financial safety and efficiency, competition, contestability and competitive neutrality, and in balancing those objectives, to promote financial system stability. 

Under the APRA Act, APRA has the power to make prudential standards. Prudential standards are a form of regulation that has the force of law and are used by APRA to establish certain minimum financial and operational requirements which ADIs must comply with. 

In some areas, APRA has introduced cross-industry prudential standards, including for governance and risk management, where the fundamental principles that regulated institutions must adhere do not materially vary by industry. Prudential standards that apply on a cross-industry basis can be identified by the prefix ‘CPS’. 

Some prudential standards, on the other hand, are applicable only to a particular industry sector, reflecting the inherent differences between the respective industries. For example, minimum capital requirements are set out in separate industry-based capital standards, given the different nature of the risks faced by different types of institutions. Prudential standards that apply to ADIs only can be identified by the prefix ‘APS’.

To ensure prudential requirements are proportionately applied, there are some provisions in the prudential standards that only apply to SFIs (i.e. larger, more complex organisations). In the case of ADIs, an SFI means an ADI that is either: 

• not a foreign ADI and has total assets in excess of AUD $20 billion; or
   
• determined as such by APRA, having regard to matters such as complexity in its operations or its membership of a group.

Finally, APRA also develops PPGs to support implementation of the prudential standards. As the name implies, these provide guidance only and do not have the force of law. PPGs are intended to outline APRA’s view of how prudential requirements could be met and provide information on good practice within the industry. Regulated institutions are not obliged to adopt the guidance and are free to demonstrate that the requirements of the prudential standards are otherwise met. Nevertheless, the PPGs may provide institutions (and their boards) with helpful information on how to meet prudential requirements.

What role does a board need to play in ensuring compliance with the prudential framework?

The role of a board in meeting APRA’s prudential requirements is no different to that of a board in meeting other legal obligations that are placed upon it and the institution for which the board is responsible. 

APRA does not expect directors to have a detailed knowledge of each of the relevant laws and prudential standards. It is important, however, that the board satisfies itself that the institution and its management have effective processes and procedures in place to meet APRA’s prudential requirements, including those that are specific to the board. It is also important that the board satisfies itself that any breaches of the requirements will be promptly identified and reported to it, and to regulators such as APRA, as appropriate. 

Meeting these requirements will, as well as ensuring compliance with the prudential standards, also aid directors in meeting their obligations under the Banking Executive Accountability Regime. 

The prudential standards will sometimes set down quite particular responsibilities for the board. For example, the board may be assigned specific responsibility for a matter. This means that the board is expected to be ultimately accountable, and to remain in a position where it can justify the actions and decisions of the institution in relation to that matter. In other cases, the standards may require the board to ensure that a particular matter is addressed or action is taken. This means that the board should take all reasonable steps and make all appropriate enquiries so that the board can determine, to the best of its knowledge, that the stated matter has been properly addressed. At other times, the standards may require the board to set, approve or review a policy or oversee particular work undertaken by management. 

What are the key areas where APRA’s prudential standards impose requirements on boards? 

Adequate financial strength, robust risk management and sound governance are critical to ensuring the promises made to depositors are met within a safe, efficient and competitive financial system. 

Robust risk management, which incorporates both a framework for risk measurement and controls and a healthy risk culture, helps reduce the likelihood of a damaging incident or an ill-conceived business strategy that might impair the financial health of a regulated institution. Adequate financial strength ensures that, when unexpected losses are incurred, the institution has the financial capacity and resilience to continue without its ability to meet its promises to depositors being compromised. Sound governance provides oversight of these critical aspects of an institution’s operations, and ensures they are maintained in the face of ever-changing strategic, competitive and environmental pressures. 

APRA’s general philosophy is to allow regulated institutions the freedom to conduct their affairs as they see fit, provided they can demonstrate sound governance arrangements, robust risk management capabilities and adequate financial strength. Unsurprisingly, therefore, the prudential standards give considerable attention to governance, risk management and financial resilience and in particular the role of the board in each of these areas. 

Financial resilience

Adequate financial resilience and sound financial management are fundamental to the ongoing health of an ADI. In particular, it is vital that adequate capital is maintained against the risks associated with its activities and that the minimum requirements in this respect as set down in the prudential standards are met. The board is responsible for ensuring that appropriate financial and capital management policies are established, and for effective oversight of management’s implementation of these policies. 

As an example, under the prudential standards capital is managed in a formal sense through the Internal Capital Adequacy Assessment Process (ICAAP). Through the ICAAP, the board sets the capital management strategy and key capital targets. In doing this, the board is expected to satisfy itself that the institution’s capital targets are consistent with its risk appetite, including its tolerance for potential breaches of regulatory capital requirements, and to have a robust understanding of how the institution’s balance sheet would respond to various stresses. 

The board is expected to be actively engaged in the development, finalisation and review of the ICAAP and to be in a position to robustly challenge the assumptions and methodologies behind the ICAAP and the associated documentation. However, management – supported by external advice if needed - would normally provide all the analysis and support needed by the board. 

An institution’s ICAAP must be approved by the board whenever significant changes are made. The board is also expected to oversee the ongoing implementation of the ICAAP and satisfy itself that the necessary supporting processes are established and operating effectively. 

Governance

Good governance is critical to the long-term viability of any company. APRA’s prudential standards require that ADIs have a rigorous governance framework, founded on the premise that a well-governed institution is an important source of protection for the interests of depositors. Prudential standards cover the following in particular:

• composition of the board (including board renewal); 
   
• conflicts of interest; 
   
• fitness and propriety; and 
   
• remuneration of senior management and other key staff. 

They also cover matters such as board committee composition and board performance.

Within a group of companies, there can be more than one APRA-regulated institution. Sometimes these will be in the same industry segment e.g. a domestic bank owned by an overseas parent bank and sometimes they will straddle more than one industry segment (e.g. banking and life insurance). In such cases, a subsidiary within a financial group is often asked to work with group policies and align themselves with other operational processes, from their parent company. APRA acknowledges this can be entirely appropriate and indeed may add strength to the oversight and control framework. However, the board of an APRA-regulated institution that is asked to adopt a group policy cannot abrogate its regulatory responsibilities. It must still satisfy itself that the group’s policy is ‘fit for purpose’, i.e. it is appropriate for the institution and will meet all regulatory requirements for that institution.

Risk management

Significant financial and other risks are inherent in the business models of financial institutions. Robust risk management therefore lies at the heart of the prudent management of an APRA-regulated institution. APRA’s prudential standards expect that the nature of all the institution’s material activities and risks are known and well-understood, and that there are robust structures for the management and reporting of those risks.

The prudential standards make it clear that the board must oversee, and is ultimately responsible for, the establishment and maintenance of an effective risk management framework.⁴ The board is expected to provide clear direction and leadership for the institution in its approach to risk management. Amongst other things, this includes setting a clearly articulated risk appetite so that the boundaries within which management may operate are clear.⁵ It also involves overseeing the implementation and ongoing operation of a robust and effective risk management strategy that seeks to ensure the institution remains within that appetite.

No control framework will be truly effective if an institution’s culture is not appropriately aligned to it. The board therefore has a very important task in this respect: it needs to form a view of the risk culture in the institution⁶, and the extent to which that culture supports the ability of the institution to operate consistently within its risk appetite, identify any desirable changes to the risk culture and ensure the institution takes steps to address those changes.

What sort of engagement does APRA expect to have with boards?

APRA interacts with regulated institutions at various levels and with varying frequencies. For many institutions, APRA will look to meet with the board at least once a year. For larger institutions, this will often be supplemented with additional discussions with the chair of the board and/or the chairs of the audit and risk committees. These meetings provide an opportunity for directors to hear directly from APRA about its views on the risk profile of the institution and for APRA to better understand the board’s thinking, priorities and approach. They also afford the board an opportunity to raise matters directly with APRA. 

APRA seeks to have an open and constructive relationship with the board. It also seeks the board’s assistance in ensuring management maintain an open and candid relationship with APRA and that information of prudential concern is promptly communicated. Certain individuals (such as auditors and actuaries) also have statutory obligations to report information to APRA in some circumstances. 

APRA seeks to work with the boards and management of institutions as they take appropriate steps to address issues. Accordingly, when APRA makes supervisory interventions, they are proportionate to the outcomes desired and may range from making recommendations or suggestions through to imposing requirements or taking enforcement action when issues are more serious or not being adequately addressed in a timely manner. 

As APRA undertakes its prudential activities – particularly those that involve having supervisors spending time on-site within a regulated institution – it will often send a written report outlining the findings of the review to the institution. Depending on the nature of the findings these may be sent to the Chair or the Chief Executive, but regardless it is expected that the reports would be tabled at the next available board meeting so that the board is aware of the issues raised. The board should pay particular attention to any requirements set down by APRA in these reports. There typically will be various other formal communications with an institution, and the Chief Executive Officer is expected to exercise discretion in deciding which of these will be referred to the board. 

As with legal requirements more generally, boards are expected to satisfy themselves that appropriate processes are in place to respond to issues raised by APRA, and that where remedial action is needed it is undertaken in a timely manner.

Footnotes

¹ For example, it excludes obligations that are in the Banking Act 1959 (Banking Act), Financial Sector (Collection of Data) Act 2001 (FSCOD Act), the Financial Sector (Shareholdings) Act 1998, or the Corporations Act 2001 (Corporations Act).

² This includes: Prudential Standard CPS 511 Remuneration; Prudential Standard APS 113 Capital Adequacy: Internal Ratings-based Approach to Credit Risk; and those listed at ADI capital reforms: Consequential amendments | APRA

³ A working knowledge of general directors’ duties set out in the Corporations Act and, for directors of listed companies, the Australian Securities Exchange Corporate Governance Council’s Corporate Governance Principles and Recommendations is assumed. See ASX Corporate Governance Council.

⁴ APRA defines the risk management framework as ‘the totality of systems, structures, policies, processes and people within an APRA-regulated institution that identify, measure, evaluate, monitor, report and control or mitigate all internal and external sources of material risk’.

⁵ The risk appetite is captured in a formal risk appetite statement. Amongst other things, this must convey the degree of risk that the institution is prepared to accept in pursuit of its strategic objectives and business plan, giving consideration to the interests of depositors and/or policyholders.

⁶ Risk culture refers to ‘the norms of behaviour for individuals and groups within an organisation that determine the collective ability to identify, understand, openly discuss and act on the organisation’s current and future risks.’ Institute of International Finance (2009) “Reform in the Financial Services Industry: Strengthening Practices for a More Stable System”.

Chapter 2 - Financial resilience

2.1       APS 110 Capital Adequacy (2023) 

Board oversight⁷ 

APG 110 

1.    APS 110 sets out APRA’s requirements for capital adequacy for ADIs. Under APS 110, ADIs must maintain adequate capital for the risks associated with their activities. The ultimate responsibility for the prudent management of capital rests with the ADI’s Board. (APG 110, paragraph 1)

30.    A prudent ADI would, however, adopt a cautious approach to capital distributions during a period of stress even if it is operating above these levels. The Board of a prudent ADI would typically consider moderating dividend payout ratios, and considering the use of dividend reinvestment plans and other capital management initiatives to reinforce capital positions.⁹ (APG 110, paragraph 30)

CPG 110

1.    Under the capital standards, the Board of a regulated institution has primary responsibility for the capital management of that institution. This obligation goes beyond the need to ensure compliance with regulatory capital requirements and requires the Board to ensure that each regulated institution holds capital resources commensurate with its risk profile. (CPG 110, paragraph 1)

3.    While the ICAAP may be developed by the regulated institution’s senior management with input from relevant areas and experts across the organisation (including the Appointed Actuary where relevant), the capital standards require the Board to be actively engaged in the development and finalisation of the ICAAP and the oversight of its implementation on an ongoing basis. (CPG 110, paragraph 3)

4.    APRA expects the Board to robustly challenge the assumptions and methodologies behind the ICAAP and the associated documentation. APRA expects the Board to understand and to be able to explain the key aspects of the ICAAP and why it is considered appropriate for the institution. (CPG 110, paragraph 4) 

6.    The Board is responsible for the risk appetite of a regulated institution and for ensuring that the institution has an appropriate risk management framework. Risk appetite is a fundamental part of both risk management and capital management. (CPG 110, paragraph 6)

13.    Under the capital standards, the ICAAP of a regulated institution must be appropriate for its size, business mix and complexity. Each institution’s ICAAP will be tailored to the circumstances of the institution. For more complex institutions, appropriately sophisticated processes are expected; for simpler institutions with limited product offerings and simple investment structures, simplified approaches may suffice. The complexity or otherwise of an institution’s ICAAP will be expected to reflect the Board’s and senior management’s view of the institution’s functional complexity. (CPG 110, paragraph 13)

20.    APRA expects that the Board will satisfy itself that the capital targets are in line with the risk appetite. This will include consideration of the Board’s appetite for potential breaches of regulatory capital requirements. (CPG 110, paragraph 20)

25.    To avert capital falling below target operating levels and, in the most severe case, breaching regulatory requirements, an institution is required under the capital standards to have capital triggers in place. These triggers are intended to serve as early warning indicators and thereby provide the Board and senior management with time to rectify problems and restore capital while the institution continues to operate. (CPG 110, paragraph 25)

41.    An ICAAP summary statement is a high-level document that describes and summarises the capital assessment and management processes of the regulated institution. It serves as a roadmap to the ICAAP that allows the Board and APRA to understand the capital management processes of the institution. APRA anticipates that the ICAAP summary statement will refer to other policies and procedures, but will be relatively self-contained. (CPG 110, paragraph 41)

Board approval

APG 110
 

24.    An ADI that is operating with capital ratios in the regulatory capital buffer range, or that expects to do so, would agree a capital restoration path back out of the range with APRA. To support this, a prudent ADI would provide capital projections, based on a range of scenarios and approved by the Board, to APRA. (APG 110, paragraph 24)

CPG 110

2.    Consistent with that overarching responsibility, the capital standards require each regulated institution to have an ICAAP that has been approved by its Board. (CPG 110, paragraph 2)

16.    Under the capital standards, a regulated institution may make use of a group ICAAP or components of that ICAAP. In doing so, the Board of each regulated institution in the group is still required to ensure that the ICAAP is appropriate and meets the requirements of the capital standards in relation to the institution. (CPG 110, paragraph 16)

Information for the Board

CPG 110

17.    A regulated institution’s ICAAP will include a range of processes and systems for assessing capital requirements relative to the risks to which the institution is exposed, setting target capital levels, projecting and monitoring the capital position, taking action if capital levels fall below target levels, and reporting on the process and its outcomes to the Board. These underlying processes will ordinarily be documented in various policies and procedural documents. (CPG 110, paragraph 17) 

33.  The capital standards require a regulated institution to include stress testing and scenario analysis in its ICAAP. Stress testing and scenario analysis can assist in the formulation of capital targets and trigger levels by: being readily understandable to the Board and senior management. (CPG 110, paragraph 33(f))

40.     APRA expects that a regulated institution will have in place processes to report the outcomes of the review to the Board and senior management, as well as processes to assess and respond to any recommendations for change arising out of the review. (CPG 110, paragraph 40)

2.2       APS 111 Measurement of Capital (2023)

Board approval

Information for the Board

2.3       APS 113 Capital Adequacy: Internal Ratings-based Approach to Credit Risk (2023)

Board oversight

APG 113

D.1.    APRA expects an ADI seeking approval to use an internal ratings-based (IRB) approach for regulatory capital purposes to demonstrate that the:

(a)    use of risk-based capital and associated risk-adjusted performance measurement permeates the management of its business; and

(b)    Board and senior management are willing and able to incorporate the quantification of risk into management processes and decision-making.¹² (APG 113, Attachment D.1)

Board approval

Information for the Board

APG 113

3.    APS 113 (paragraphs 20-23) details requirements relating to the role of the Board in the governance and oversight of an ADI’s rating systems and risk estimates. Information provided to the Board for this purpose should be sufficient to enable directors to actively discuss and confirm, at least annually, the continuing appropriateness, effectiveness and integrity of the rating systems and risk estimates. Such information would generally include reporting from risk management as well as internal audit. (APG 113, paragraph 3)

9.    On an annual basis, the internal audit function would usually collate audit findings relevant to APS 113 to provide a holistic view of the effectiveness of the ADI’s rating systems and risk estimates for relevant stakeholders, including the Board and senior management. This would include a summary of audit reviews, action plans and the status of audit findings. APRA expects that material issues would be promptly escalated by internal audit and rectified by the ADI. (APG 113, paragraph 9)

D.4.    APRA expects an ADI’s formal application for IRB approval to contain the information in Table 11. To the extent possible, supporting documentation contained in an ADI’s formal IRB application would have been developed for internal purposes rather than IRB approval. Any summary documents requested by APRA are intended to be tools aimed at guiding APRA to the appropriate source documents such as policies, internal reports and Board briefing material. APRA expects the ADI to use cross-referencing extensively to avoid undue repetition or duplication in the documentation.¹³ (APG 113, Attachment D.4.)

2.4       APS 116 Capital Adequacy: Market Risk (2023) 

Board oversight

Board approval

Information for the Board

2.5       APS 117 Capital Adequacy: Interest Rate Risk in the Banking Book (Advanced ADIs) (2013)  

Board oversight

Board approval

Information for the Board

APG 117

20.    Attachment A to APS 117 states that an ADI’s Board of directors, or committee thereof, must review on a regular basis IRRBB management reports and satisfy itself that this risk is being appropriately managed. As good practice, APRA envisages that such reviews would occur on at least a quarterly basis. (APG 117, paragraph 20) 

2.6       APS 180 Capital Adequacy: Counterparty Credit Risk (2023) 

Information for the Board

2.7       APS 210 Liquidity (2023) 

Board oversight

APG 210

4.    An ADI is expected to take into account its business objectives and strategic direction with the aim of achieving certain budgetary and financial performance outcomes. Critical to this process is the Board’s risk tolerance, which informs the acceptability of risks, including liquidity risk, associated with planned business activities. The risk tolerance will generally also reflect the ADI’s financial condition and funding capacity as well as its role in the financial system. (APG 210, paragraph 4)

Board approval

APG 210

1.    An ADI’s liquidity risk tolerance defines the level of liquidity risk that the ADI is willing to assume. APS 210 requires that the liquidity risk tolerance be set by the Board and that it is documented and appropriate for an ADI’s operations and strategy and its role in the financial system. (APG 210, paragraph 1)

2.    The Board-approved risk appetite statement will normally include an articulation of liquidity risk appetite and identify its liquidity risk tolerance. (APG 210, paragraph 2)

50.    The Board-approved funding strategy will generally include both qualitative and quantitative items, key outcomes and the strategies that will be used to achieve the outcomes. The funding strategy would combine expected funding outcomes with sensitivity analysis. The strategy would include the base-case balance sheet projection, consistent with an ADI’s medium-term business plan, that represents the ADI’s best estimate of its future funding needs and sources, as well as key sensitivities in the base case. (APG 210, paragraph 50)

Information for the Board

2.8       APS 120 Securitisation (2023) 

Board oversight

APG 120

60.    APS 120 requires that an ADI must not provide, or knowingly allow the perception to arise that it will provide, support to a securitisation in excess of the ADI’s explicit contractual obligations. To do so would be to provide implicit support. In addition, the Board of directors and senior management must put policies and procedures in place that outline how the ADI will ensure it is not providing implicit support for a securitisation. (APG 120, paragraph 60)

66.    APS 120 provides that, in certain circumstances, APRA may impose quantitative or qualitative limits on an ADI’s securitisation activities. Such restrictions could include prohibiting an ADI from undertaking further securitisation activity until the Board of directors and senior management of the ADI can establish they have an appropriate understanding of the ADI's securitisation structures, activities and exposures (APG 120, paragraph 66)

2.9       APS 121 Covered Bonds (2023) 

Board oversight

footnotes

⁷ Ensure when used in relation to a responsibility of the Board, means to take all reasonable steps and make all reasonable enquiries as are appropriate for a board so that the board can determine, to the best of its knowledge, that the stated matter has been properly addressed (Prudential Standard APS 001 Definitions).

⁸ Unless otherwise indicated, a reference to the Board of an ADI in this Prudential Standard is also a reference, where relevant, to the Board of the entity that heads the Level 2 group.

⁹ APRA may impose restrictions on capital distributions even where an ADI’s CET 1 ratio is above the buffer range, under APS 110 (Attachment B, paragraph 4).

¹⁰ Minimum requirements for the ICAAP are set out at APS 110 paragraph 17.

¹¹ Under APS 110, paragraph 20, An ADI must, on an annual basis, prepare a report on the implementation of its ICAAP (ICAAP report). A copy of the ICAAP report must be provided to APRA no later than three months from the end of the period covered by that report.   

¹² See also: APG 113, Attachment D, Table 10. Elements of a qualifying management system

¹³ See also: APG 113, Attachment D, Table 11. IRB application documentation.

¹⁴ As per APS 001, the senior officer outside Australia is the senior nominated officer of a foreign ADI (whether a director or senior executive) outside Australia with delegated authority from the Board to be responsible for overseeing the Australian branch operation.
 

Chapter 3 - Risk management
 

3.1       CPS 220 Risk management (2019)

Board oversight 

CPG 220

9.    In order to be effective, risk management functions would have:

(a)    adequately experienced staff with relevant technical knowledge who facilitate the development, ongoing review and validation of the risk management framework; and

(b)    appropriate seniority and authority, with access to the responsible board committees. (CPG 220, paragraph 9)

15.    Under CPS 220, the Board is ultimately responsible for the risk management framework of the APRA-regulated institution and is responsible for the oversight of its operation by management. An institution must have, at all times, a risk management framework that governs the way the institution manages risks arising in the institution. Together, the Board Risk Committee and Board Audit Committee assist the Board in its oversight of the operation by management of the overall risk management framework. (CPG 220, paragraph 15)

16.    The Board Audit Committee assists the Board to fulfil its corporate governance and oversight responsibilities in relation to an entity’s financial reporting, internal control system, risk management framework and internal and external audit functions (i.e. independent assurance). (CPG 220, paragraph 16)

19.    The Board approval and oversight responsibilities for the risk management framework are unaffected if risk management and business operations are outsourced to a third party or are performed by another part of a group. (CPG 220, paragraph 19)

20.    In determining whether the Board has met its responsibilities under CPS 220, APRA will assess the steps taken by the Board to ensure it meets those responsibilities. For example, APRA expects senior management to report on the material risks and escalate material risk issues to the Board or the Board Risk Committee level. The Board and/or Board Risk Committee could also obtain independent views and reports as they deem appropriate, as well as consider risk issues escalated from the risk management function. APRA expects that the Board would clearly communicate its expectations in respect of the reporting and escalation to be provided by management, the risk management function(s) and internal audit. Where the Board considers that the risk reporting is ineffective or that material risk issues have failed to be escalated, APRA expects the Board to adopt all appropriate measures (including directions for management remedial actions and reports) to identify and address the reasons for the failure. (CPG 220, paragraph 20)

21.    CPS 220 requires a Board to ensure that they form a view of the risk culture in the institution and the extent to which that culture supports the ability of the institution to operate consistently within its risk appetite, identify any desirable changes to the risk culture and ensure the institution takes steps to address those changes. APRA’s view is that a sound risk culture is a core element of an effective risk management framework. Risk culture refers ’the norms of behaviour for individuals and groups within an organisation that determine the collective ability to identify, understand, openly discuss and act on the organisation’s current and future risk’.¹⁶ APRA expects that the Board would have a view of the risk culture that is appropriate for ensuring that the institution operates within the risk appetite. (CPG 220, paragraph 21)

22.    An institution’s risk culture is strongly influenced by the ‘tone at the top’. APRA expects the Board and senior management to demonstrate their commitment to risk management and foster a sound risk management environment in which staff will be actively engaged with risk management processes and outcomes, and a risk management function that is influential and respected. The development of the risk culture is likely to occur through an iterative process involving both the Board and senior management. (CPG 220, paragraph 22)

27.    CPS 220 allows an APRA-regulated institution that is part of a group to meet the requirements of the standard on a group basis provided that the Board of the institution is satisfied that the requirements are met in respect to that institution. (CPG 220, paragraph 27)

34.    CPS 220 requires the Board to ensure that it recognises uncertainties, limitations and assumptions attached to the measurement of each material risk. In addition to recognition of these matters by the Board, APRA expects that they would be well understood within the institution. (CPG 220, paragraph 34)

36.    Stress testing, including both scenario analysis and sensitivity analysis is used to assess a range of potential impacts as a result of different material risks. Stress testing is important in considering potential changes that could occur in the external operating environment, and provides a more forward looking view of an APRA-regulated institution’s risk profile. APRA expects that stress testing would be based on a combination of robust modelling and informed expert judgement, with effective senior management engagement and appropriate Board oversight. (CPG 220, paragraph 36)

38.    The risk management framework supports the Board and senior management in obtaining an appropriate view of the APRA-regulated institution’s overall risk profile. Reporting facilitates decision-making and oversight, taking into consideration the overall structure and nature of the institution’s business and different approaches to managing different material risks. In understanding the overall risk profile of the institution, specific consideration would be given to:

(a)    identifying risks throughout the institution that, in combination, may have a material impact on the institution;

(b)    understanding the interaction of material risks throughout the institution. For example, a failure in processes or systems (operational risk) may result in excess claims being paid (underwriting risk); and

(c)    risks of contagion arising from issues identified with related parties (including any non-APRA-regulated activities). (CPG 220, paragraph 38)

46.    The risk appetite statement is used to communicate the Board’s expectations of how much risk the APRA-regulated institution is willing to accept. APRA notes that, in practice it is likely that the risk appetite and risk appetite statement will be developed through an iterative process involving the Board and management. APRA’s view is that a reasonable and easily understood risk appetite statement that aligns to the approaches used to identify, assess and manage material risk is fundamental to risk management. (CPG 220, paragraph 46)

48.    The development and review of an APRA-regulated institution’s risk appetite statement will generally be performed as part of the strategic and business planning process. The risk appetite statement would provide relevant information on the Board’s expectations regarding the risk appetite, and would in turn be updated to reflect any changes as a result of the strategic and business planning process. (CPG 220, paragraph 48)

49.     APRA expects that the Board would be actively engaged with management in developing and reviewing the risk appetite statement, and would be able to demonstrate ownership of the statement. APRA considers that this might be achieved, in part, through reporting and communication processes and structures that enable the Board and/or Board Risk Committee to:

(a)    identify the APRA-regulated institution’s overall current risk profile and how this compares to its risk appetite and capital strength;

(b)    be satisfied that senior management’s interpretation and application of the risk appetite and tolerances is appropriate; and 

(c)    appropriately align risk appetite to the approach adopted in the risk management framework for assessing, monitoring and managing the different material risks. (CPG 220, paragraph 49)

70.    CPS 220 sets out requirements for the independence of the Chief Risk Officer (CRO) and specifies roles that cannot also be performed by the CRO. CPS 220 recognises that an APRA-regulated institution may seek approval for alternative arrangements to those required. This may be where the institution is materially constrained in appointing a CRO who is free from conflicts of interest, or for other reasons particular to that institution. APRA expects these instances normally to be limited to smaller and less complex institutions, but will consider applications from all APRA-regulated institutions, provided the applicant clearly sets out the exceptional circumstances that might warrant APRA considering the alternative proposal. Where an institution seeks an alternative arrangement under CPS 220, the Board is expected to demonstrate to APRA that it has undertaken a process to identify conflicts, has established structural oversight and controls to mitigate the additional risk and is satisfied that the risk management framework will ensure these mitigants are adhered to. APRA will assess the appropriateness of alternative arrangements on a case-by-case basis. APRA expects that the Board would take into account the following controls and other mitigating factors that manage conflicts of interests including, but not limited to:

(a)    alternative sources of risk-based challenge to business lines;

(b)    the resources allocated to risk management;

(c)    executive level engagement in risk issues;

(d)    the strength of compliance and audit mechanisms;

(e)    oversight from the Board and its committees;

(f)    the experience and capabilities of the other risk management function personnel; and

(g)    the robustness of the regulated institution’s and, where appropriate, the group’s risk management framework. (CPG 220, paragraph 70)

Board approval

CPG 220

18.    The Board is directly responsible for the broader strategy of the APRA-regulated institution and is required to approve the risk appetite statement, business plan and risk management strategy. Effective design of these documents and related processes by the institution will facilitate their integration, with each process appropriately supporting the others. (CPG 220, paragraph 18)

61.    APRA expects that a risk management strategy would contain sufficient information to communicate, in general terms the APRA-regulated institution’s approach to risk management. This includes how it identifies, measures, evaluates, monitors, reports and controls or mitigates the material risks of its operations. CPS 220 requires that the risk management strategy list the policies and procedures dealing with risk management matters. Where these policies and procedures require Board approval under other prudential standards, approval of the strategy does not negate the Board’s responsibility to approve those individual documents. (CPG 220, paragraph 61)

Information for the Board

CPG 220 

6.    A key tenet of the three lines of defence model is that business management cannot abrogate its responsibility for risk management. The first line of defence is responsible for:

(a)    effective implementation of the risk management framework, including reporting and escalation of relevant information to responsible senior management, the second line of defence or as far as the board committees or the Board¹⁹, as necessary; and

(b)    managing risk in a way that is consistent and integrated with the risk management framework. (CPG 220, paragraph 6)

8.    The second line of defence comprises the specialist risk management function(s) that are functionally independent of the first line of defence. The second line of defence supports the Board and its committees by:

(a)    developing risk management policies, systems and processes to facilitate a consistent approach to the identification, assessment and management of risks;

(b)    providing specialist advice and training to the Board, board committees and first line of defence on risk-related matters;

(c)    objective review and challenge of:
 
(i)    the consistent and effective implementation of the risk management framework throughout the APRA-regulated institution; and
 
(ii)    the data and information captured as part of the risk management framework which are used in the decision-making processes within the business, in particular the completeness and appropriateness of the risk identification and analysis, ongoing effectiveness of risk controls, and prioritisation and management of action plans; and

(d)    oversight of the level of risk in the institution and its relationship to the risk appetite, and any necessary reporting and escalation to the Board or its committees. (CPG 220, paragraph 8)

11.    The third line of defence comprises the function(s) that, in accordance with CPS 220, provide to the Board and its committees:

(a)    at least annually, independent assurance that the risk management framework has been complied with and is operating effectively; and

(b)    at least every three years, a comprehensive review of the appropriateness, effectiveness and adequacy of the risk management framework. (CPG 220, paragraph 11)

17.    Consistent with normal practice, for the purpose of discharging its responsibilities, the Board is able to obtain such recommendations and advice from board committees, external advisers and management as it considers prudent. The Board is entitled to place reasonable reliance on those inputs, provided directors approach their tasks with an enquiring mind and make an independent assessment of the matters for decision. (CPG 220, paragraph 17)

35.    Risk can arise from structures that impede transparency, such as special-purpose or related structures. APRA expects that the APRA-regulated institution’s operational structure and associated risks would be well understood in the institution, recognised by the Board, taken into account in the risk management framework and reported, as appropriate (including to the Board or its committees where necessary). (CPG 220, paragraph 35)

43.    Fundamental to an effective risk management framework is a sound business plan that is consistent and integrated with the risk management strategy and risk appetite statement. APRA expects that the APRA-regulated institution’s risk management framework will provide relevant information to senior management and the Board to facilitate their respective roles in the strategy and business planning process (e.g. areas of increased risk, changes in the environment, prioritisation and allocation of resources). APRA also expects that the relevant components of the risk management framework would be reviewed in the context of the institution’s strategic and business planning processes. (CPG 220, paragraph 43)

52.    An APRA-regulated institution would generally use a variety of approaches and processes to assess different material risks. An institution with the capability to use risk quantification techniques would generally use them in the setting and monitoring of its risk appetite statement. Risk quantification techniques may provide an institution with assurance that the risk does not exceed the institution’s risk tolerance and/or risk capacity. These techniques may not be appropriate for all types of risk. APRA expects senior management to assess the appropriateness of such techniques before they are adopted and on an ongoing basis. APRA expects that the results of such analysis and testing would be reported to the Board and/or Board Risk Committee and be taken into account when establishing or reviewing the risk appetite statement. APRA expects the Board and/or Board Risk Committee to recognise the limitations and assumptions relating to any models used to measure components of risk that could materially affect its decision-making. (CPG 220, para 52)

62.    A key role of an APRA-regulated institution’s risk management function is to provide independent and objective review and challenge, oversight, monitoring and reporting in relation to material risks arising from the institution’s operations. An additional responsibility is to provide technical support and assist the Board, relevant committees and senior management to fulfil their respective roles in relation to the risk management framework. (CPG 220, paragraph 62)

63.    APRA expects the risk management function would also facilitate the building of risk management capabilities throughout the APRA-regulated institution by providing specialist education, training and advice to directors, senior management and staff of the institution. It would also typically facilitate the development of the Board’s view of risk culture. (CPG 220, paragraph 63)

66.    APRA expects the risk management function to have sufficient stature, authority and resourcing to support sound risk-based decision-making. This is reflected in the requirement in CPS 220 that the CRO must have authority to provide effective challenge to activities and decisions that may materially affect the institution’s risk profile. (CPG 220, paragraph 66)

67.    This can be further evidenced by a CRO who is appropriately skilled, unencumbered by conflicts of interest with their risk management role and can speak with candour to the CEO, the Board and relevant committees. Under a three lines of defence model, the role and responsibilities of the CRO are clearly within the second line. (CPG 220, paragraph 67)

71.    CPS 220 requires that the risk management function, via a CRO, has direct and unfettered access to the CEO, Board, Board Risk Committee and senior management. CPS 220 also requires the reporting line for the risk management function to be independent from business lines and to directly report to the CEO. Where an APRA-regulated institution is part of a group, including a Level 2 and/or Level 3 group, the CRO of that institution may report to the group CRO as long as the group CRO reports directly to the group CEO. (CPG 220, paragraph 71)

77.    APRA expects an APRA-regulated institution’s risk management framework to ensure that the Board and senior management receive regular, concise and meaningful assessment of actual risks relative to the institution’s risk appetite and the operation and effectiveness of controls. (CPG 220, paragraph 77)

84.    APRA will accept annual reviews that explore particular elements of the risk management framework in depth and on a rotational basis. For example, if an institution’s risk management framework has six material elements, it may choose to review two of these every year. The structure of such a program of review is at the discretion of the regulated institution. The annual review sign-off would include those reviews conducted during the year since the previous such sign-off. APRA expects that all elements of the risk management framework would be subject to review at least every three years. This review must be reported to the Board Audit Committee or, in the case of a foreign ADI, to the Senior Officer Outside of Australia. (CPG 220, paragraph 84)

86.    CPS 220 requires the comprehensive review to be conducted by operationally independent, appropriately trained and competent persons at least every three years. There is no requirement that the comprehensive review must be undertaken by a party external to the institution. This review must be reported to the Board Risk Committee or, in the case of foreign ADIs, to the Senior Officer Outside of Australia. (CPG 220, paragraph 86)

87.    APRA expects the comprehensive review to include a comparison of the institution’s current practice against any identified better practice. Where any gaps are identified, APRA expects the review to outline steps to address these differences or identify why changing current practice is not considered appropriate. The review may draw upon the APRA-regulated institution’s internal resources, such as internal audit reports, to the extent that the independence of the review is not undermined. This forward-looking review is intended to assist the Board Risk Committee to oversee the implementation and appropriateness of the institution’s risk management framework, while any compliance issues identified would be reported to the Board Audit Committee. (CPG 220, paragraph 87)

Risk management declaration, notifications and submissions

CPG 220

93.    CPS 220 requires the Board to provide APRA with a risk management declaration on an annual basis. While this declaration does not have to be audited, APRA expects that the Board would have obtained reasonable assurance and, if necessary, considered independent advice on the matters covered by the declaration, prior to the signing of the declaration by the required signatories. The extent of enquiry required prior to making the declaration is a matter for the judgment of each Board of an APRA-regulated institution. The wording of the declaration allows materiality to be taken into account when making the declaration. (CPG 220, paragraph 93)

94.    CPS 220 allows an APRA-regulated institution’s risk management declaration to be encompassed in the risk management declaration documentation of a Level 2 and/or Level 3 group where applicable. Where a Level 1 institution’s declaration is encompassed within the group declaration, the Level 1 institution’s Board remains responsible for any qualifications in the declaration that relate to that institution. Where a risk management declaration is made on a Level 2 and/or Level 3 group basis, CPS 220 requires any qualification to identify whether it related to the Level 1 institution or the group’s risk management framework. A qualification for the institution may not mean that a group-wide qualification needs to be made, and vice versa. However, where a group’s Board has taken the decision that a qualification at the institution level does not result in a group declaration qualification, the reason for this decision would be articulated. (CPG 220, paragraph 94)

100.    APRA expects that an APRA-regulated institution would be in regular dialogue with its supervisors about potential material changes to the institution. APRA expects that, at the latest, notification in accordance with the requirements in CPS 220 would be made within 10 business days of the Board becoming aware of a current or proposed material change to the institution’s risk profile or business operations. (CPG 220, paragraph 100) 

3.2       APS 220 Credit quality (2023)

Board oversight

APG 220

20.    A prudent Board would be alert to pressures on credit standards that could emerge, particularly as competition intensifies or market conditions shift. Ambitious lending growth plans, such as above system targets, can create pressures on credit standards. (APG 220, paragraph 20)

21.    It is prudent for the Board to also be alert to emerging signs of credit deterioration, and to hold senior management to account for timely action. This could include having appropriate checks in place to maintain an independent perspective on credit quality and lending practices across the credit portfolio. (APG 220, paragraph 21)

Board approval

APG 220

7.    APS 220 requires the credit risk appetite statement to be reviewed and approved by the Board on at least an annual basis. This review process would typically be incorporated into, or aligned with, an ADI’s strategic and business planning process. (APG 220, paragraph 7)

18.    The Board does not have direct day-to-day responsibility for credit risk management. However, APS 220 requires the Board to review and approve the credit risk appetite and credit risk management strategy, and ensure that senior management has the capability and resources to effectively manage credit risk. It is important that the Board clearly set expectations for the monitoring and reporting of the credit risk appetite and management strategy. A prudent Board would also set clear expectations for the timely escalation of credit risk issues by senior management, including findings from internal and external credit risk reviews. (APG 220, paragraph 18)

Information for the Board

APG 220

19.    While the Board may obtain advice on credit risk issues from Board committees, external advisers and senior management, it is important that the Board does not accept recommendations without due scrutiny and challenge. (APG 220, paragraph 19)

74.    Risk grades are useful in tracking the quality of the credit portfolio and help in identifying necessary changes to the credit risk management strategy. Good practice is for the Board and senior management to receive regular reports on trends in risk grades to support their oversight of the credit portfolio. (APG 220, paragraph 74)

81.    APS 220 requires an ADI to establish a system of independent, regular reviews of credit risk management processes and practices, with the results communicated directly to the Board and senior management. (APG 220, paragraph 81)

82.    It is good practice for internal reviews of credit risk to be conducted by personnel that are independent from the business function. This provides a more objective assessment. Internal reviews can be used to evaluate the overall credit administration process, determine the accuracy of internal credit risk grades (where applicable), and confirm whether policies are being followed in practice. It is good practice for the credit review function to report directly to either the Board, the Risk or Audit committee, or senior management without lending authority, such as senior management within the risk control function. (APG 220, paragraph 82)

3.3       APG 223 Residential Mortgage Lending (2023) 

Board oversight

3.    Where residential mortgage lending forms a material proportion of an ADI’s lending portfolio and therefore a risk that may have a material impact on the ADI, APRA expects that the Board would take reasonable steps to satisfy itself as to the level of risk in the ADI’s residential mortgage lending portfolio and the effectiveness of its risk management framework. This would, at the very least, include:

(a)    specifically addressing residential mortgage lending in the ADI’s risk appetite, risk management strategy and business plans;

(b)    seeking assurances from senior management that the approved risk appetite is communicated to relevant persons involved in residential mortgage lending and is appropriately reflected in the ADI’s policies and procedures; and

(c)    seeking assurances from senior management that there is a robust management information system in place that:

(i)    tracks material risks against risk appetite;

(ii)    provides periodic reporting on compliance with policies and procedures, reasons for significant breaches or material deviations and updates on actions being taken to rectify breaches or deviations; and

(iii)    provides accurate, timely and relevant information on the performance and risk profile of the residential mortgage lending portfolio. (APG 223, paragraph 3)

9.    Typically, senior management is responsible for monitoring compliance with material policies, procedures and risk limits and reporting material breaches or overrides to the Board. Further, where risk limits are routinely breached or policies and procedures overridden, senior management and the Board could consider whether this is indicative of a less prudent lending culture than that reflected in its risk appetite and what steps could be necessary to remedy any identified deficiency. (APG 223, paragraph 9)

77.    A prudent ADI would monitor exposures by loan-to-valuation ratio (LVR) bands over time. Significant increases in high LVR lending would typically be a trigger for senior management to review risk targets and internal controls over high LVR lending, with Board oversight. APRA has not formally defined ‘high LVR lending’, but experience shows that LVRs above 90 per cent (including capitalised LMI premium or other fees) clearly expose an ADI to a higher risk of loss. (APG 223, paragraph 77)

Board approval

17.    Prudential Standard CPS 510 Governance (CPS 510) requires the Board-approved ADI remuneration policy to be aligned with prudent risk-taking. CPS 510 requires the remuneration policy to apply to responsible persons, risk and financial control personnel and all other persons whose activities may affect the financial soundness of the regulated institution. Where the residential mortgage lending portfolio is material, a prudent ADI would apply its remuneration policy to the persons involved in residential mortgage lending. This would include remuneration of third parties, particularly mortgage broker firms, when they are responsible for origination of a material proportion of the residential mortgage loan portfolio. For the avoidance of doubt, the ADI remuneration policy is intended to capture an ADI’s engagement with its brokers, not how a broking firm pays its staff. Alternatively, the ADI may address such remuneration arrangements within its risk management framework with appropriate senior management or Board oversight. (APG 223, paragraph 17)

Information for the Board

10.    In order to establish robust oversight, the Board and senior management would receive regular, concise and meaningful assessment of actual risks relative to the ADI’s risk appetite and of the operation and effectiveness of internal controls. The information would be provided in a timely manner to facilitate early corrective action. (APG 223, paragraph 10)

11.    A prudent ADI would have controls in relation to its residential mortgage portfolio that have appropriate regard to the level of risk within the portfolio. Portfolios that have higher inherent risk, for example where the portfolio is usually operating at the higher end of risk limits, would typically be accompanied by stronger controls, including: increased monitoring and more granular reporting to the Board and senior management. (APG 223, paragraph 11(b))

12.    Consistent with CPS 220, the aspects of the risk management framework that apply to the residential mortgage lending portfolio would be subject to a comprehensive review by an operationally independent and competent person at least every three years. The person would report the results of reviews to the Board, providing an independent and objective evaluation of the appropriateness, adequacy and effectiveness of the risk management framework with respect to the portfolio. (APG 223, paragraph 12)

15.    Further, a prudent ADI would have analytical capability that allows it to monitor, analyse and report key metrics against risk appetite and to assess the residential mortgage portfolio at both the individual loan level and portfolio level. The data, when collectively presented to the Board and senior management, would enable an accurate and meaningful assessment of the residential mortgage portfolio. A history of low defaults does not justify under-investment in management information systems. (APG 223, paragraph 15)

22.    When an ADI is increasing its residential mortgage lending rapidly or at a rate materially faster than its competitors, either across the portfolio or in particular segments or geographical areas, a prudent Board would seek explanation as to why this is the case. Rapid relative growth could be due to an unintended deterioration in the ADI’s loan origination practices, in which case APRA expects that an ADI’s risk management framework would facilitate rapid and effective measures to mitigate any consequences. (APG 223, paragraph 22)

51.    Good practice is for regular override reporting to be provided to senior management and to the Board. Such reporting would include:

(a)    delinquency rates for residential mortgage loans approved as overrides and exceptions;

(b)    tracking against risk tolerance limits for overrides;

(c)    reasons for overrides; and

(d)    distribution of overrides across business units, products, locations, third-party originators and, where relevant, ADI officers associated with a disproportionate number of overrides. (APG 223, paragraph 51) 

93.    An ADI following good practice would include a carefully considered collections strategy in its credit risk management framework for residential mortgage lending. The framework could include: appropriate reporting to senior management and the Board on delinquencies, including recoveries and cost of collections. (APG 223, paragraph 93 (e))

99.    Results from portfolio stress tests enable the Board and senior management to review an ADI’s risk appetite, capital adequacy and relevant strategic business decisions in both current and potential environments. For example, stress tests might identify vulnerabilities in certain product or borrower segments that would prompt an ADI to tighten its loan origination criteria or lower risk appetite limits on those products. (APG 223, paragraph 99)

101.    Stress testing arrangements include well-documented policies and procedures governing the stress testing program, including timely communication of the stress test results to the Board, senior management and other relevant staff. When reporting results, sufficient information would be provided to enable the Board and senior management to understand and challenge stress test assumptions and conclusions. This includes quantitative information on the scenario, results, capital impact, key assumptions and recommended actions arising from the stress tests. (APG 223, paragraph 101)

3.4       APS 221 Large exposures (2023) 

Board oversight²²

Board approval

3.5       APS 222 Associations with Related Entities (2022)

Board oversight

Board approval

3.6       CPS 226 Margining and Risk Mitigation for Non-Centrally Cleared Derivatives (2023) 

Information for the Board

3.7       CPG 229 Climate Change Financial Risks (2021)

Board oversight

8.    Climate change may also give rise to liability risks which have implications for businesses and directors’ duties. Liability risks stem from the potential for litigation where institutions and boards do not adequately consider or respond to the impacts of climate change. (CPG 229, paragraph 8)

13.    Prudential standards CPS 510 and SPS 510 set out the minimum governance requirements of an APRA-regulated institution. The ultimate responsibility for the sound and prudent management of an APRA-regulated institution’s business operations rests with its board of directors²⁵. APRA therefore considers it prudent practice for the board to seek to understand and regularly assess the financial risks arising from climate change that affect the institution, now and into the future. (CPG 229, paragraph 13)

14.    APRA is of the view that climate risks can and should be managed within an institution’s overall business strategy and risk appetite, and a board should be able to evidence its ongoing oversight of these risks. (CPG 229, paragraph 14)

15.    The board of an institution may delegate certain functions of the management of climate risks but, as with other risks, needs to maintain mechanisms for monitoring the exercise of this delegated authority. Board-level engagement is important to ensure that work on climate risks holds sufficient standing within an institution, and gives the board the requisite institution-wide insights to strategically respond to the risks. (CPG 229, paragraph 15)

16.    In fulfilling its obligations under CPS 510 and SPS 510, a prudent board is, in overseeing the management of climate risks, likely to:

(a)    ensure an appropriate understanding of, and opportunity to discuss, climate risk at the board and sub-committee levels, which may include appropriate training for board members; 

(b)    set clear roles and responsibilities of senior management in the management of climate risks, and hold senior management to account for these responsibilities; 

(c)    re-evaluate the risks, opportunities and accountabilities arising from climate change on a periodic basis, and consider these risks and opportunities in approving the institution’s strategies and business plans; 

(d)    take both a shorter-term view (consistent with the institution’s regular business planning horizon) and longer-term view when assessing the impact of climate risks and opportunities; and

(e)    ensure that, where climate risks are found to be material, the institution’s risk appetite framework incorporates the risk exposure limits and thresholds for the financial risks that the institution is willing to bear. (CPG 229, paragraph 16)

18.    Under CPS 220 and SPS 220, the board of an APRA-regulated institution is ultimately responsible for both the institution’s risk management framework, and for the oversight of its operation by management. Senior management of the institution monitor and manage all material risks consistent with the strategic objectives, risk appetite statement and policies approved by the board. APRA considers it prudent for climate risks to be considered within an institution’s existing framework, including the board-approved risk appetite statement, risk management strategy and business plan. (CPG 229, paragraph 18) 

Information for the Board

17.    In light of the board responsibilities set out in Paragraph 16, an institution’s senior management would typically be responsible for: 

(a)    applying an institution’s risk management framework to assess and manage climate risk exposures on an ongoing basis, including developing and implementing appropriate policies; 

(b)    regularly reviewing the effectiveness of the framework, policies, tools, and metrics and targets, and making appropriate revisions; 

(c)    providing recommendations to the board on the institution’s objectives, plans, strategic options and policies as they relate to climate risks that are assessed to be material. This may include the establishment and use of relevant tools, models, and metrics and targets to monitor exposures to climate risks so as to enable the board to make informed decisions in a timely manner; and 

(d)    ensuring that adequate resources, skills and expertise are allocated to the management of climate risks, including thorough training and capacity building amongst relevant staff. (CPG 229, paragraph 17)

20.    APRA considers that prudent practice would be for an institution to evidence the management of climate risks within its written risk management policies, management information, and board risk reports. Where climate risks are material, this may require updating existing risk management policies and procedures. (CPG 229, paragraph 20)

31.    Given the evolving understanding of climate change, a prudent institution would ensure that climate risk data, metrics and targets were updated regularly to support decision-making by the institution’s board and senior management. It would also consider the circumstances which might trigger a review of its strategy or engagement with customers and counterparties. (CPG 229, paragraph 31)

35.    To facilitate well-informed decision-making, APRA expects that a prudent institution would establish procedures to routinely provide relevant information on its material climate risk exposures, including monitoring and mitigation actions, to the board and senior management. This information would allow the board and senior management to understand and review the activities, and to make decisions consistent with the institution’s overall risk appetite and risk management approach. (CPG 229, paragraph 35)

46.    A prudent institution would maintain appropriate documentation of the method and results of its climate risk scenario analysis and stress testing, including an assessment of the limitations of the analysis for assessing the climate risks faced by the institution. Material results should be communicated to the institution’s board and senior management, and used to inform business planning and strategy setting, as well as setting and reviewing the institution’s overall climate risk management approach. (CPG 229, paragraph 46)

3.8       CPS 231 Outsourcing (2017) 

Board oversight

Board approval

CPG 231

7.    When a regulated institution decides to enter into an outsourcing agreement, there are a number of factors that may be appropriate for the Board to consider in addition to those outlined in the Prudential Standards.³⁰

Information for the Board

CPG 231

21.    When assessing options for outsourcing material business activities, it is good practice to establish an outsourcing team consisting of individuals from the relevant business area(s) and others with the necessary skills to assess the risks involved in outsourcing. They may include specialists in the relevant risk areas and external experts. This team would ensure that the outsourcing policy is followed at all times, including assessment of the initial tender and due diligence processes, evaluation of the outsourcing options, and making recommendations to senior management and the Board on the outsourcing proposal. (CPG 231, paragraph 21)

3.9       CPS 234 Information Security (2019) 

Board oversight

CPG 234

8.    Under CPS 234, the Board of an APRA-regulated entity is ultimately responsible for the information security of the entity. In order for a Board to be able to more effectively discharge its responsibilities (including oversight, seeking assurance and, as appropriate, challenging management), it could consider the following:

(a)    roles and responsibilities – clearly outline for management how the Board expects to be engaged, including delegation of responsibilities, escalation of risks, issues and reporting requirements (including schedule, format, scope and content). Refer to Attachment H for common examples of the types of information that the Board might find useful to effectively fulfil its role and discharge its responsibilities;

(b)    information security capability – consider the sufficiency of the regulated entity’s information security capability in relation to vulnerabilities and threats; ensure sufficiency of investment to support the information security capability; and review progress with respect to execution of the information security strategy;

(c)    policy framework - whether information security policies reflect Board expectations;

(d)    implementation of controls - regularly seek assurance from and, as appropriate, challenge management on reporting regarding the effectiveness of the information security control environment and the overall health of the entity’s information assets;

(e)    testing control effectiveness - regularly seek assurance from and, as appropriate, challenge management on the sufficiency of testing coverage across the control environment; form a view as to the effectiveness of the information security controls based on the results of the testing conducted; and

(f)    internal audit - consider the sufficiency of internal audit’s coverage, skills, capacity and capabilities with respect to the provision of independent assurance that information security is maintained; form a view as to the effectiveness of information security controls based on audit conclusions; and consider where further assurance, including through expert opinion or other means, is warranted. (CPG 234, paragraph 8)

9.    In considering the above, the Board would normally take into account the use of third parties and related parties (including group functions) by the APRA-regulated entity. (CPG 234, paragraph 9)

10.    APRA does not seek to impose restrictions on a Board’s ability to delegate information security roles and responsibilities to Board sub-committees, management committees or individuals. However, APRA expects that a Board would clearly outline how it expects to be engaged with respect to information security, including escalation of risks, issues and reporting. Refer to Attachment H for common examples of the types of information that the Board might find useful in this regard. (CPG 234, paragraph 10)

11.    Definition of information security-related roles and responsibilities is typically achieved through a combination of role statements, policy statements, reporting lines and charters of governing bodies. Common governing bodies and individuals with decision-making, approval, oversight, operations and other information security roles and responsibilities typically include:

(a)    information security steering/oversight committee;

(b)    risk management committee (Board and management level);

(c)    Board audit committee;

(d)    executive management/executive management committee;

(e)    chief information officer /IT manager;

(f)    chief information security officer/IT security manager;

(g)    information security operations/administration; and

(h)    management (business and IT). (CPG 234, paragraph 11)

20.    Under CPS 234, an APRA-regulated entity must actively maintain an information security capability with respect to changes in vulnerabilities and threats. Accordingly, an entity would typically adopt an adaptive and forward-looking approach to maintaining its information security capability, including ongoing investment in resources, skills and controls. This would commonly be achieved through the execution of an information security strategy which responds to the changing environment throughout the year. The strategy could be informed by existing and emerging information security vulnerabilities and threats, contemporary industry practices, information security incidents, both internal and external, and known information security issues. Oversight of execution of the strategy is normally the responsibility of the Board or a delegated governing body with representation from across the organisation. (CPG 234, paragraph 20)

83.    Internal audit is an important vehicle by which the Board can gain assurance that information security is maintained. This assurance would typically be achieved through the inclusion of information security within the APRA-regulated entity’s internal audit plan. The Board could also choose to gain assurance through expert opinion or other means to complement the assurance provided by the internal audit function. This typically occurs where the required skills do not reside within the internal audit function or the area subject to audit pertains to third parties or related parties. (CPG 234, paragraph 83)

Information for the Board

CPG 234

13.    The Board, governing bodies and individuals would typically define their information requirements (e.g. schedule, format, scope and content) to ensure they are provided with sufficient and timely information to effectively discharge their information security roles and responsibilities. Reporting to governing bodies would normally be supported by defined escalation paths and thresholds. An APRA-regulated entity could benefit from implementing processes for periodic review of audience relevance and fitness for use. (CPG 234, paragraph 13)

71.    An APRA-regulated entity would typically have clear accountability and communication strategies to limit the impact of information security incidents. Under CPS 234, this includes escalation and reporting of information security incidents to the Board, other governing bodies and individuals responsible for information security incident management and oversight, as appropriate. A regulated entity could also include customer communication as part of any such communication strategy where appropriate. Incident response plans would also typically assist in compliance with regulatory notification requirements. (CPG 234, paragraph 71)

86.    Under CPS 234, an APRA-regulated entity’s internal audit function must assess the information security control assurance provided by a third party or related party in certain circumstances. Where that assessment identifies material deficiencies in the information security control assurance provided by the third party or related party, or no assurance is available, this would typically be highlighted in reporting to the Board. (CPG 234, paragraph 86)

3.10       CPG 235 Managing Data Risk (2013) 

Board oversight

5.    As with any process, governance is vital to ensure that data risk management and related business processes are properly designed and operating effectively to meet the needs of the regulated entity. In APRA’s view, effective governance of data risk management would be aligned to the broader corporate governance frameworks and involve the clear articulation of Board and senior management responsibilities and expectations, formally delegated powers of authority and regular oversight. (CPG 235, paragraph 5)

20.    In order to ensure that data risk management is not conducted in an ad hoc and fragmented manner, a regulated entity would typically adopt a systematic and formalised approach that ensures data risk is taken into consideration as part of its change management and business-as-usual processes. This could be encapsulated in a formally approved data risk management framework outlining the entity’s approach to managing data risk that: includes the expectations of the Board and senior management. (CPG 235, paragraph 20(c))

Board approval

50.    In APRA’s view, the following would normally be applied to the assessment and ongoing management of outsourced/offshored data management responsibilities: Board/senior management’s understanding, acceptance and approval of the resulting risk profile.  (CPG 235, paragraph 50 (f))

Information for the Board

61.     Subject to the nature of the data, a regulated entity would: have clear accountability and communication strategies to limit the impact of data issues. This would typically include defined mechanisms and thresholds for escalation and reporting to the Board and senior management, and customer communication where appropriate. Issue management strategies would also typically assist in compliance with regulatory and legal requirements. (CPG 235, paragraph 61(a))

3.11       CPS 232 Business Continuity Management (2017)

Board oversight

Board approval

Information for the Board

Footnotes

¹⁵ A reference to the Board in the case of a foreign ADI, is a reference to the senior officer outside Australia.

¹⁶ Refer to the Institute of International Finance (2009) “Reform in the financial services industry: Strengthening Practices for a More Stable System”.

¹⁷ As per, CPS 220, paragraph 31, an APRA-regulated institution must maintain a written plan for the institution that sets out its approach for the implementation of its strategic objectives (business plan).

¹⁸ As per CPS 220, paragraph 45, a comprehensive review of the risk management framework must be conducted at least every three years by operationally independent, appropriately trained and competent persons.

¹⁹ For the purposes of this PPG, a reference to the Board, in the case of a foreign ADI, is a reference to the Senior Officer Outside of Australia (as applicable) as referred to in Prudential Standard CPS 510 Governance.

²⁰ Where relevant, any qualification of a risk management declaration must identify where the material deviation has occurred and whether it was on a Level 1/individual APRA-regulated institution basis and/or group basis.

²¹ The requirements to be met by the Board must, in the case of a foreign ADI, be read subject to Prudential Standard CPS 510 Governance (CPS 510), which requires a foreign ADI to nominate a senior officer (whether a director or senior executive) outside Australia with delegated authority.

²² APS 221 paragraph 22 sets out factors that may give rise to control relationships. This includes with respect to the Board.

²³ Attachment B of APS 222 sets out particular requirements, including with respect to the Board, that apply to an ADI’s associations with a funds management vehicle that is a related entity of the ADI. Attachment C sets out requirements relating to an Extended Licensed Entity.

²⁴ As per APS 222, Footnote 1, a reference to the Board in the case of a foreign ADI, is a reference to the senior officer outside Australia.

²⁵ For the purposes of this PPG, a reference to the board, in the case of a foreign ADI, is a reference to the Senior Officer Outside of Australia as referred to in Prudential Standard CPS 510 Governance.

²⁶ For details of the risk management framework for regulated institutions refer to Prudential Standard CPS 220 Risk Management.

²⁷ Related body corporate has the meaning given in section 50 of the Corporations Act 2001.

²⁸ A reference to the Board in the case of a foreign ADI is a reference to the senior officer outside Australia.

²⁹ For the purposes of this Prudential Standard, ‘third party’ is a reference to an institution that is not the APRA-regulated institution or a related body corporate of the APRA-regulated institution.

³⁰ Refer to CPG 231, paragraphs 8-21

³¹ A reference to the Board in the case of a foreign ADI, is a reference to the senior officer outside Australia.

³² For the purposes of this Prudential Standard, governing bodies and individuals includes committees, working groups and forums.

³³ Refer to Prudential Standard CPS 231 Outsourcing (CPS 231) for further information on requirements relating to outsourcing.

³⁴ For details of the risk management framework for regulated institutions refer to Prudential Standard CPS 220 Risk Management.

³⁵ A reference to the Board in the case of a foreign ADI is a reference to the senior officer outside Australia.

³⁶ A material change to business operations includes a change in a material outsourcing arrangement. Refer to CPS 231 for further information on outsourcing.
 

Chapter 4 - Governance
 

4.1       CPS 510 Governance (2019)³⁷

Board oversight

Board approval

Board committees, composition and representation

Board composition

Director independence, and definition of non-executive director 

Board representation

Board Audit Committee

Board Risk Committee

4.2       CPS 511 Remuneration (2023)

Board oversight

CPG 511

6.    SFI specific requirements include establishing a Board Remuneration Committee, applying a material weight to non-financial measures in variable remuneration arrangements, applying minimum deferral periods and clawback arrangements, and periodically reviewing the remuneration framework. (CPG 511, paragraph 6, (SFIs only))

8.    Under CPS 511, the Board, or relevant oversight function, is ultimately responsible for the entity’s remuneration framework and its effective application.⁴⁷ (CPG 511, paragraph 8)

9.    APRA expects Boards to ensure that remuneration practices are well supported by broader frameworks and policies that influence behaviour, beyond financial rewards. This includes clear accountabilities and expectations for risk management, effective consequence management and a strong tone from the top on risk culture. (CPG 511, paragraph 9)

10.    In providing oversight of remuneration, other prudential standards and guidance are also applicable, in particular requirements on governance and risk management. Broader regulatory requirements and expectations, including guidance provided by the Australian Securities and Investments Commission (ASIC), are also relevant for the Board.⁴⁸ (CPG 511, paragraph 10)

17.    There may be occasions where the Board would need to exercise its discretion to challenge and override remuneration recommendations, and make downward adjustments for individuals, cohorts or all personnel. (CPG 511, paragraph 17)

27.    Specified roles are defined in CPS 511 and are intended to capture those individuals and cohorts who can have a material influence on the performance and risk profile of the entity, in both the short and long-term. Specified roles comprise senior managers, executive directors, material risk-takers (including highly-paid material risk-takers) and all risk and financial control personnel. (CPG 511, paragraph 27)

34.    A prudent Board would closely monitor the remuneration of risk and financial control personnel as a cohort, to ensure arrangements are adequate to attract and retain suitably qualified, skilled and experienced staff.⁴⁹ (CPG 511, paragraph 34)

60.    In assessing whether material weight⁵⁰ is being applied effectively in the design and determination of variable remuneration outcomes, a prudent Board would consider whether the weighting: 

(a)    is a sufficient incentive to influence an individual’s behaviour, priorities and decisions; 

(b)    is robust and cannot be overshadowed or diminished by performance or outperformance on financial measures; 

(c)    is applied to measures over which the individual has a reasonable degree of control and influence; 

(d)    is applied to measures that effectively support the objectives of the remuneration framework, including risk management; and 

(e)    has been demonstrated to work in practice to incentivise prudent outcomes over time, where this is possible to determine. (CPG 511, paragraph 60, SFIs only)

62.    A prudent Board would establish clear guidelines to ensure appropriate weight is applied to non-financial measures in the determination of variable remuneration. This could include a minimum level or range. Good practice would be for the Board to review these guidelines on an annual basis to ensure it is operating as intended in driving expected behaviours. (CPG 511, paragraph 62, SFIs only)

63.    To assess whether the weighting for non-financial measures is driving intended behaviours and outcomes in practice, a prudent Board would consider how effectively risk and conduct is managed. Reporting on non-financial measures for the entity as a whole, as well as aggregate information on risk adjustments, would support this assessment. Entities with a high reliance on downward adjustments for adverse risk and conduct outcomes would investigate root causes and, where appropriate, consider if the weighting to non-financial measures needs to be increased or the design improved. (CPG 511, paragraph 63, SFIs only)

82.    In gauging the severity of a case⁵¹, a prudent entity would consider a range of factors. This would include the expected or actual impact on the entity’s reputation, customers or beneficiaries and prudential standing, as well as any financial loss. An individual’s contribution to circumstances which led to the adverse outcome would also be considered, potentially including inaction. Good practice would be to develop a severity scale, with example cases and any precedents, to guide decision-making on the level of severity and indicative remuneration impacts that would be expected to result. This scale would support a Board in applying proportionate downward-adjustments to variable remuneration, and in applying consistency across different cases. (CPG 511, paragraph 82)

88.    The scope of the triennial review would encompass the role of the Board, the design of remuneration arrangements, and the effectiveness of risk and conduct adjustments. This would include any key design features, such as the definition of material risk-takers and the application of non-financial measures. The review would also assess the appropriateness of any remuneration adjustments made, to ensure that triggers and criteria for downward adjustments are prudently calibrated. (CPG 511, paragraph 88, SFIs only)

89.    CPS 511 requires the triennial review to be conducted by operationally independent, appropriately experienced and competent persons. A prudent entity may consider the use of external expertise to meet this requirement. Where internal staff conduct the review, a prudent Board would gain assurance that they are operationally independent and are able to provide an objective review, with the requisite skills, experience and expertise. (CPG 511, paragraph 89, SFIs only)

Board approval

CPG 511

18.    A prudent Board would be actively engaged in the oversight of key remuneration decisions, providing robust challenge and independent scrutiny. Board oversight and discretion to adjust variable remuneration would be particularly relevant in unusual or exceptional circumstances. These circumstances may include: 

(a)   material cases of adverse risk or conduct outcomes, especially where these have impacted the entity’s prudential standing or prudential reputation;

(b)  periods of stress in which the entity may be experiencing negative financial performance and erosion of its regulatory capital base; and 

(c)  periods of stress in which the entity is provided with exceptional public sector support. (CPG 511, paragraph 18)

19.    It is important that the Board uses its discretion in a timely and informed manner, rather than acting only on the basis of realised outcomes. For example, it could be appropriate for a Board to reduce pre-emptively variable remuneration during a period of stress, rather than waiting for losses to be realised.⁵³ It would not be prudent to act only once risk issues are made public, to adopt management recommendations without challenge, or to excuse poor risk outcomes on the basis of good intent. (CPG 511, paragraph 19)

25.    An entity that is part of a wider corporate group may adopt and apply the group remuneration policy, provided that it meets the requirements of CPS 511 and has been approved by the Board. Good practice would be for the entity to assess how the policy complies with each requirement of CPS 511, is appropriate for its specific business activities and risk profile, and meets the spirit and intent of the standard. (CPG 511, paragraph 25)

26.    Under CPS 511, the variable remuneration outcomes for persons in specified roles must be approved by the Board, on either an individual or cohort basis. APRA expects the remuneration policy would define the particular specified roles for the entity, and summarise the remuneration arrangements for these roles. (CPG 511, paragraph 26)

29.    As set out in CPS 511, the variable remuneration outcomes of all material risk-takers must be approved by the Board on a cohort basis.⁵⁴ Good practice is to develop, disclose and keep under review a threshold definition for material risk-takers, including quantitative indicators and qualitative criteria for the identification of such roles. (CPG 511, paragraph 29)

38.    A prudent entity would take reasonable steps to identify which service providers may give rise to material conflicts or risks. This may include a materiality threshold or definition, approved by the Board, which would be used to identify the scale and nature of service providers that are likely to present a material conflict or risk. (CPG 511, paragraph 38)

Information for the Board

CPG 511

20.    It is the responsibility of the Board and RemCo to guide management on the reporting it needs to fulfil its role. A prudent Board and RemCo would regularly review the information they are provided with to ensure that reporting is sufficient and insightful. Poor quality, inadequate, incomplete or voluminous reporting can significantly hamper oversight and challenge. (CPG 511, paragraph 20)

77.    A prudent Board would consider a wide range of evidence and ensure appropriate mechanisms are in place to escalate issues. Good practice would be to consider, for example, known incidents, findings from audits and regulatory reviews, product failures, trends in conduct or risk incidents. APRA expects that a risk adjustment would be considered, for an individual or cohort, in the event of a breach of a prudential standard or other regulation. (CPG 511, paragraph 77)

Board Remuneration Committee 

SFIs only

CPG 511

11.   Under CPS 511, the Board of a SFI is required to establish a Board Remuneration Committee (RemCo) to oversee the design and implementation of the remuneration framework. The RemCo is responsible for making recommendations to the Board annually on the remuneration arrangements and variable remuneration outcomes for persons in specified roles. (CPG 511, paragraph 11)

12.   A prudent Board would ensure that the RemCo is composed of members with the appropriate skills, experience and expertise to exercise competent and independent judgment. This includes a clear understanding of what constitutes good risk management. (CPG 511, paragraph 12)

14.   In determining the variable remuneration outcomes for individuals and cohorts in specified roles, the assessment of performance and risk is a critical input. It is important for the RemCo to ensure it understands the performance and risk outcomes for persons in specified roles, as well as for the entity overall. (CPG 511, paragraph 14)

15.    APRA expects that the assessment of performance and risk would include direct input from senior risk management personnel, and not be based on self-assessments alone. Good practice would be for risk and internal audit executives to present a comprehensive assessment of key risk and audit metrics on at least an annual basis, to inform remuneration decision making and outcomes. (CPG 511, paragraph 15)

16.   Under CPS 511, the RemCo must consult the Board Risk Committee and CRO to enable risk outcomes to be appropriately reflected in remuneration outcomes for persons in specified roles. The use of joint meetings with the Board Risk Committee can be an effective mechanism for providing insights into risk considerations for the RemCo. It would not be prudent to rely on cross-membership between the RemCo and the Board Risk Committee as the sole means of providing a view on risk. (CPG 511, paragraph 16)

21.   Good practice would be for the RemCo to be provided with formal documented performance and risk assessments for individuals in specified roles, and summaries for relevant cohorts such as risk and financial control personnel. This would include clear qualitative and quantitative assessments for measures that have formed the basis of decisions, including key metrics, and an outline of how assessments have flowed through to remuneration outcomes.⁵⁷ It would not be prudent to rely on verbal discussion and generalised attestations as evidence of performance or risk assessments, or high-level summaries of major incidents. (CPG 511, paragraph 21)

22.    Good practice for cohorts would be to assess, on an aggregated basis by business unit or role type, similar information to that which is reviewed for individual remuneration decisions. Additional information may also be useful, such as trends and outliers, summary indicators that show distributions, averages or medians, and other data-driven insights. (CPG 511, paragraph 22)

Non-SFIs

CPG 511

13.   While the Board of a non-SFI is not required to establish a RemCo, it must put in place arrangements to meet the requirements of CPS 511 and ensure there is appropriate oversight of the remuneration framework and key remuneration decisions. (CPG 511, paragraph 13)

4.3       APS 330 Public disclosure (2018) 

Board oversight

Board approval

4.4       CPS 520 Fit and proper (2019) 

Board oversight

Board approval

Information for the Board

4.5       APS 310 Audit (2023) 

Information for the Board^60,61  

23.    An ADI must ensure that the appointed auditor has access to all data, information, reports and staff of the ADI that the appointed auditor reasonably believes is necessary to fulfil its role and responsibilities under this Prudential Standard. This includes access to the ADI’s Board, Board Committees and internal auditors as required. (APS 310, paragraph 23)

25.    An ADI must ensure that the following are provided to its Board or Board Audit Committee (if not already sighted by the Board or Board Audit Committee):

(a)    reports provided by the appointed auditor in accordance with this Prudential Standard, and any associated assessments and other material provided by an appointed auditor to the ADI on request;

(b)    commentary or responses provided by APRA to the ADI on reports provided by the appointed auditor, and any associated assessments and other material; and

(c)    any commentary or response on the reports, associated assessments and other material provided by the appointed auditor that are given to APRA by the ADI. (APS 310, paragraph 25)

35.    The responsibilities of the appointed auditor include reporting simultaneously (subject to paragraph 32) to APRA and the ADI’s Board (or Board Audit Committee), within three months of the end of the financial year of the ADI⁶², on:

(a)    the matters relating to APRA data collections; and

(b)    internal controls at both Level 1 and the Level 2 group;

as referred to in paragraph 36. For this purpose, APRA data collections means any data collected in accordance with the Financial Sector (Collection of Data) Act 2001 (FSCODA). (APS 310, paragraph 35)

40.    Under the responsibilities of an appointed auditor for a special purpose engagement, the auditor's report must be submitted, within three months of the date of the notice commissioning the report, simultaneously to APRA and to the Board (or Board Audit Committee) of the ADI, unless otherwise determined by APRA, and advised to the ADI, by notice in writing (subject to paragraph 32). (APS 310, paragraph 40)

footnotes

³⁷ CPS 510 requirements relating to remuneration have not been included (paragraphs 12, 13(a), 52, 56, 58, 62, 65-72), given APRA’s intention to retire these once CPS 511 comes into force, refer to: APRA releases final remuneration prudential standard

³⁸ Independent of the APRA-regulated entity means that the auditor has been assessed as independent in terms of paragraph 80 of this Prudential Standard.

³⁹ ‘Subsidiary' means a subsidiary within the meaning of the Corporations Act 2001 (Corporations Act).

⁴⁰ An ‘overseas equivalent’ is an entity which is not authorised in Australia but is authorised and subject to prudential regulation in a foreign country.

⁴¹ Lead auditor means the registered company auditor who is primarily responsible to the audit firm or the audit company for the conduct of audit work conducted in relation to the Prudential Acts, prudential standards or reporting standards.

⁴² Review auditor means the registered company auditor (if any) who is primarily responsible to the individual auditor, audit firm or audit company for reviewing audit work conducted in relation to the Prudential Acts, prudential standards or reporting standards.

⁴³ For the purpose of this Attachment, a 'substantial shareholder' is a person with a substantial holding as defined in section 9 of the Corporations Act.

⁴⁴ Note that, where the proportionate shareholding does not equate to a whole number, it may be rounded to the nearest whole number.

⁴⁵ APES 110 Code of Ethics for Professional Accountants was issued by the Accounting Professional and Ethical Standards Board in December 2010.

⁴⁶ Refer to CPS 220.

⁴⁷ Relevant oversight function is defined in CPS 511. It is only applicable to foreign ADIs. Consistent with CPS 511 requirements, references to the Board and Board Remuneration Committee in this guidance refer to the relevant oversight function, where appropriate.

⁴⁸ This would include ASIC guidance in Information Sheet 245 Board oversight of executive variable pay decisions, the Australian Securities Exchange’s (ASX) Corporate Governance Council’s Corporate Governance Principles and Recommendations, and the Financial Stability Board’s (FSB) Principles of Sound Compensation Practices.

⁴⁹ Risk and financial control personnel are defined in CPS 511 as persons whose primary role is in risk management, compliance, internal audit, financial control or actuarial control.

⁵⁰ As per CPS 511, paragraph 32(a) [SFIs only], in determining each component of a person’s variable remuneration, material weight must be given to non-financial measures where the remuneration is performance related.

⁵¹ As per, CPS 511 paragraphs 36 and 68, an APRA-regulated entity must take reasonable steps to appropriately adjust variable remuneration downwards when, as a minimum, any of the criteria specified in paragraph 35 (or 67) are satisfied.

⁵² Paragraph 50(a)/74(a) of this Prudential Standard does not apply to a senior manager that is a senior officer outside Australia of a foreign ADI.

⁵³ For an ADI, good practice would be to take a forward-looking approach to reductions in discretionary bonus payments to staff, before being formally required to by the constraints imposed by the capital conservation buffer regime as set out in Prudential Standard APS 110 Capital Adequacy.

⁵⁴ A material risk-taker is defined in CPS 511 as a person whose activities have a material potential impact on the entity’s risk profile, performance and long-term soundness.

⁵⁵ Consultation with a Board Risk Committee does not apply to a foreign ADI.

⁵⁶ For the avoidance of doubt, paragraph 48(a) of this Prudential Standard applies to a senior manager who is a senior officer outside Australia of a foreign ADI.

⁵⁷ A prudent Board would challenge any adjustments to quantitative metrics. This would include in particular any adjustments to profit measures that could affect whether hurdles for variable remuneration are met.

⁵⁸ A reference to the Board in the case of a foreign ADI is a reference to the senior officer outside Australia.

⁵⁹ Related body corporate has the meaning given in section 50 of the Corporations Act 2001 (Corporations Act).

⁶⁰ As per APS 310, paragraph 7, in the case of a foreign ADI, a reference to the Board or a Board Committee in this Prudential Standard will be taken to refer to the senior officer outside Australia to whom authority has been delegated in accordance with Prudential Standard CPS 510 Governance (CPS 510). For a foreign ADI, a reference to the CEO refers to the senior manager in Australia with overall responsibility for the conduct of the foreign ADI’s Australian operations.

⁶¹ APS 310 paragraphs 5, 6 and 21 include additional requirements relating to non-operating holding companies (NOHCs).

⁶² For non-disclosing entities the relevant period is four months.

Chapter 5 - Resolution

5.1       APS 910 Financial Claims Scheme (2013) 

Board oversight

Chapter 6 - For Boards of Level 3 groups and purchased payment facility (PPF) providers
 

6.1       3PS 310 Audit (2017)

Information for the Board

6.2       3PS 221 Aggregate risk exposures (2017)

Board oversight

3PG 221

1.    The Board of a Level 3 Head (the Board) is responsible for the effective management of material risks posed to the Level 3 group. The Board is best positioned to have a holistic view of the risks posed to the group, and oversee controls to ensure that the group does not assume risks beyond its risk appetite. (3PG 221, paragraph 1) 

2.    3PS 221 requires a Level 3 Head to establish and maintain an aggregate risk exposures policy. The policy is a part of the group’s risk management framework and supports the ability to identify, measure, aggregate, manage and report on material aggregate risk exposures. An aggregate risk exposure refers to risks external to the Level 3 group that have the potential to result in losses for the Level 3 group, and can arise from the external exposures to prudentially regulated and non-prudentially regulated institutions. Risk data aggregation capabilities and risk reporting practices support the Board in making appropriate risk-based decisions in normal times and in periods of stress. (3PG 221, paragraph 2)

3.    Material aggregate risks include those that could have a material impact, both financial and operational, on the Level 3 group or on a prudentially regulated institution in the group. APRA expects that the Board would determine what it considers to be a material aggregate risk, and that this would vary according to the group’s risk profile. Where an institution is considered to have business operations that are material to the Level 3 group, a material external risk to that institution would normally constitute a material aggregate risk exposure for the group. (3PG 221, paragraph 3)

4.    The materiality of an aggregate risk exposure depends on the size, nature and complexity of the exposure to the group. Where a material aggregate risk exposure is identified, the Board would also need to understand the material drivers of this risk. For instance, decision-makers may need to understand whether the aggregate risk exposure is comprised of a high number of small exposures or a low number of material individual risk exposures. (3PG 221, paragraph 4)

7.    The Board is responsible for determining the appropriate level of aggregate risk exposures. The policy would be expected to outline the governance arrangements for procedures, systems and controls that are in place for the appropriate management of exposures. The Board is required to approve this policy but can delegate implementation of policy and oversight of exposures to a board committee, such as the Board Risk Committee. (3PG 221, paragraph 7)

10.    3PS 221 requires the aggregate risk exposures policy to include exposure limits that are commensurate with the Level 3 group’s capital strength, risk appetite, risk profile, and the size, business mix and complexity of the group. A Board may consider how exposures of the Level 3 group interact to change the aggregate risk of the group. For instance, an exposure to an overseas counterparty would be considered as part of a limit to that counterparty and to the relevant geographical location. APRA expects that the Level 3 Head would have processes to confirm that the classifications of risks facilitate an appropriate assessment of the risk profile and to ensure the group does not assume more risk than its risk appetite. (3PG 221, paragraph 10)

11.    3PS 221 requires the aggregate risk exposures policy to outline the roles and responsibilities of the Board, its board committees, and senior management of the Level 3 group. APRA expects a Level 3 Head would also consider the role of the group’s risk management function in supporting the management of material aggregate risk exposures. (3PG 221, paragraph 11)

12.    APRA expects the Board and senior management of the Level 3 group to understand the limitations and assumptions relating to material aggregated risk exposures. A Level 3 Head is expected to use stress testing and scenario analysis to assess the adequacy of its aggregation capabilities and risk reporting. The results of these assessments would feed into the Board’s awareness of aggregate risk exposures and would prompt consideration as to the Board’s appetite for these exposures and the appropriateness of limits. In addition, these assessments would highlight any limitations with aggregation capabilities and risk reporting in periods of stress. (3PG 221, paragraph 12)

18.    APRA expects a Level 3 group to have practices and procedures to identify data deficiencies and, where necessary, implement an improvement program so that data management does not impede effective risk management. Where there is a deficiency in data quality, APRA expects the Board to allocate sufficient oversight and resources for rectification. APRA expects that a Level 3 group would already have the data necessary for appropriate risk aggregation and that this data would not be encumbered by unnecessary barriers to retrieval, or rely on onerous manual adjustments for collation. (3PG 221, paragraph 18)

Board approval

Information for the Board

3PG 221

5.    A Level 3 Head’s governance arrangements, risk data aggregation capabilities and reporting would reflect how the Board makes decisions and oversees aggregate risk exposures. APRA expects that risk aggregation capabilities and risk reporting are relevant, appropriate for the intended purpose and meet business specifications (i.e. fit-for-purpose) for the needs of the Board and other decision-makers in the Level 3 group. (3PG 221 paragraph 5)

19.    Good practice is that risk reporting is accurate, comprehensive, clear and useful, and can be provided to decision-makers on a timely basis. Risk reporting would be based on adequate aggregate risk data capabilities and be presented in a manner that is clear, concise and useful to the intended recipient. A Level 3 Head would determine respective risk reporting requirements that best suit the needs of its Board and the group’s senior management given the size, business mix and complexity of the group. (3PG 221, paragraph 19)

20.    APRA expects a Level 3 Head to have access to and commission both regular and flexible ad hoc reporting. The frequency of risk reporting depends on the needs of decision-makers. APRA expects reporting on material aggregate risk exposures to be presented to the Board at least quarterly. In periods of stress, given the speed of decision-making likely to be needed and that the nature of aggregate risks can change quickly, the frequency of reporting would be expected to increase. (3PG 221, paragraph 20)

21.    The reporting of aggregate risk exposures to the Board would have sufficient breadth to provide the Board with a holistic view of the aggregate risk exposure profile of the Level 3 group. APRA expects that the Board would request reports for more detail on individual exposures or particular risk categories, accompanied by meetings with relevant senior management. Reporting would support the Board in understanding, and the senior management of the Level 3 group in understanding and tracking, aggregate risk exposures against the group’s risk appetite and capital strength. (3PG 221, paragraph 21)

6.3       3PS 222 Intra-group Transactions and Exposures (2017)

Board oversight

3PG 222

1.    ITEs expose Level 3 institutions in a Level 3 group to contagion risks. Where an institution is facing financial or operational stress, this may affect other institutions within the group with material ITEs to that institution. Therefore, the Board of a Level 3 Head (the Board) needs to understand the material ITEs within the group and manage the associated risks prudently. ITEs that can pose a risk of contagion would include, for example:

(a)    equity investments;

(b)    loan or funding arrangements;

(c)    reinsurance arrangements;

(d)    guarantees or indemnities; and

(e)    operational risks from intra-group service provision. (3PG 222, paragraph 1)

4.    Material ITEs include those that would have a potential to have a material impact, both financial and operational, on the Level 3 group or a prudentially regulated institution in the group. APRA expects that the Board would determine what it considers to be a material ITE, and that this would vary according to the group’s risk profile. Where an institution is considered to have business operations that are material to the Level 3 group, a material ITE to that institution would constitute a material ITE for the group. (3PG 222, paragraph 4) 

5.    The materiality of an ITE depends on the size, nature and complexity of the exposure to the group. Where a material ITE is identified, the Board would also need to understand the material drivers of this risk. For instance, decision makers may need to understand whether the ITE is comprised of a high number of low risk intra-group arrangements or a low number of material individual risk exposures. (3PG 222, paragraph 5) 

8.    APRA expects the Board to have a holistic view of material ITEs within the group and establish a framework to monitor and control the associated risks. The Board would consider the group’s critical business operations and assess the potential impact of a stress on these operations to the group. (3PG 222, paragraph 8)

18.    APRA expects a Level 3 group to have practices and procedures to identify data deficiencies and, where necessary, implement an improvement program so that data management does not impede effective risk management.⁶⁴ Where there is a deficiency in data quality, APRA expects the Board to allocate sufficient oversight and resources for rectification. APRA expects that a Level 3 group would already have data on material ITEs and expects that this data would not be encumbered by unnecessary barriers to retrieval, or rely on onerous manual adjustments for collation. (3PG 222, paragraph 18) 

Board approval

3PG 222

10.     The risks associated with ITEs could be magnified where the transactions with related parties have not been conducted on an arms-length basis or on equivalent terms and conditions given to third parties. APRA expects a Level 3 Head to have processes and controls to mitigate such risks. In accordance with 3PS 222, the Board is required to approve these non-arm’s length transactions. (3PG 222, paragraph 10)

Information for the Board

3PG 222

6.     A Level 3 Head’s governance arrangements, data capabilities, and reporting in relation to ITEs would reflect how the Board makes decisions and oversees material ITEs. APRA expects data capabilities and ITE risk reporting to be relevant and appropriate for the intended purpose and to meet business specifications (i.e. fit-for-purpose) for the needs of the Board and other decision makers in the Level 3 group. (3PG 222, paragraph 6)

9.     APRA expects a Level 3 Head to use stress testing and scenario analysis to assess the adequacy of its data capabilities and risk reporting on ITEs. The results of these assessments would feed into the Board’s awareness of material ITEs and would prompt consideration as to the Board’s appetite for these exposures and the appropriateness of limits. (3PG 222, paragraph 9) 

19.   Good practice is that risk reporting is accurate, comprehensive, clear and useful, and can be provided to decision makers on a timely basis. Risk reporting would be based on risk data and be presented in a manner that is clear, concise, and useful to the intended recipient. A Level 3 Head would determine respective risk reporting requirements that best suit the needs of its Board and senior management of the Level 3 group given the size, business mix and complexity of the group. (3PG 222, paragraph 19)

20.     APRA expects a Level 3 Head to have access to commission both regular and flexible ad hoc reporting. The frequency of risk reporting depends on the needs of decision makers. APRA expects reporting on the group’s material ITEs to the Board at least quarterly. In periods of stress, given the speed of decision-making likely to be needed and that the nature of risk can change quickly, the frequency of reporting would be expected to increase in such circumstances. (3PG 222, paragraph 20)

21.     The reporting of material ITEs to the Board would have sufficient breadth to provide the Board with a coordinated view of the roles and relationships between subsidiaries to one another and to the Level 3 Head. This coordinated view would assist the Board in understanding, and senior management of the Level 3 group in understanding and tracking, how ITEs affect the risk profile of prudentially regulated institutions within the group. (3PG 222, paragraph 21)

22.     APRA expects that the Board would request reports on material individual ITEs or the ITEs to particular institutions, accompanied by meetings with relevant senior management. Reporting would support the Board in understanding, and the Level 3 group’s senior management in understanding and tracking, of ITEs against the group’s risk appetite and capital strength. (3PG 222, paragraph 22)

6.4       APS 610 Prudential requirements for providers of purchased payment facilities (2015) 

Footnotes

⁶³ For a Level 3 Head that is an ADI or non-operating holding company authorised under the Banking Act that is not a disclosing entity within the meaning of the Corporations Act 2001, the relevant period is four months.

⁶⁴Refer to CPG 235.

Glossary