On 6 March 2025, the Australian Prudential Regulation Authority (APRA) released its 'Governance Review – Discussion Paper', the first significant update to APRA's governance standards in over a decade. While the timeline for consultation and implementation is generous, there are things regulated entities should be doing now in response to the announcements. This article begins with practical actions for entities to prioritise and then explores APRA's concerns and proposals in more detail.
What should regulated entities be doing now?
- Consider the impact of the eight proposals: Each regulated entity should consider the impact of the proposals in the context of its own organisation. Artefacts that may need to be revisited to align with APRA's expectations include the Fit & Proper Policy, Conflicts Policy, Board Renewal Policy, delegations framework, board committee charters, role descriptions, any skills matrices, and accountability statements and mapping under the Financial Accountability Regime (FAR). APRA considers that the proposals should not pose a material change for entities with mature governance frameworks and practices, but this should be tested rather than assumed.
- Review and uplift governance frameworks: Regulated entities should take the opportunity to review their governance frameworks and practices to identify any areas for uplift. APRA's focus on governance, culture, remuneration and accountability is not new. APRA's attention to these areas intensified in response to the Hayne Royal Commission and has become central to APRA's regulatory role, consistent with international standards. Entities should consider the Discussion Paper to be a signal from APRA of its focus on governance as part of its supervision and enforcement priorities.
- Consider application to outsourcing arrangements: APRA has not commented on whether it will expect entities to impose similar governance requirements upon their outsourced service providers. Nevertheless, APRA's increased focus on governance may lead entities to ask whether the governance arrangements adopted by their service providers are fit for purpose. Some parts of the APRA-regulated sector regularly outsource services. For example, outsourcing of material services (including investment management, custody and fund administration) is a major feature of the superannuation industry. Accordingly, governance failures at these outsourced service providers may have an outsized impact on the performance of the superannuation fund as a whole.
Background: APRA's proposals in brief
Proposal 1: Skills and capabilities
Require regulated entities to:
- identify and document the skills and capabilities necessary for the board overall, and for each individual director;
- evaluate existing skills and capabilities of boards and individual directors; and
- take active steps to address gaps through professional development, succession planning and appointments.
Proposal 2: Fitness and propriety
- Require regulated entities to meet higher minimum requirements to ensure fitness and propriety of their responsible persons.
- Require significant financial institutions (SFIs), and non-SFIs under heightened supervision, to engage proactively with APRA on potential appointments.
Proposal 3: Conflicts management
- Extend the current conflict management requirements for registrable superannuation entity (RSE) licensees to banks and insurers so they are also required to:
  - proactively identify actual and potential conflicts of interest and duty;
  - avoid or prudently manage conflicts; and
  - take remedial action when conflicts are not disclosed or managed properly.
- Require regulated entities to consider perceived conflicts, in addition to actual and potential conflicts.
Proposal 4: Independence (banks and insurers only)
Strengthen independence on regulated entity boards by:
- requiring that at least two of their independent directors (including the chair) are not members of any other board within the entity’s group;
- making minor amendments to the independence criteria, including extending the prohibition on directors who are substantial shareholders in a regulated entity or group from being considered independent, to include material holdings of any type of security; and
- extending the current requirement for bank and insurer boards to have a majority of independent directors to include boards of entities with a parent that is regulated by APRA or an overseas equivalent.
Proposal 5: Board performance review
Require SFIs to commission a qualified independent third-party performance assessment at least every three years which covers the board, committees and individual directors.
Proposal 6: Role clarity
- Define APRA’s core expectations of the board, the chair and senior management.
- Provide additional guidance on which APRA requirements may be delegated to board committees and senior management.
Proposal 7: Board committees
- Extend the current requirement for bank and insurer boards to have separate risk and audit committees, to apply to SFI RSE licensees as well. Repeal this requirement for non-SFI banks and insurers, allowing flexibility for smaller entities.
- Mandate that only full board members can be voting members of APRA-required board committees.
Proposal 8: Director tenure and board renewal
- Impose a lifetime default tenure limit of 10 years for non-executive directors at a regulated entity.
- Require regulated entities to establish a robust, forward-looking process for board renewal.
APRA's proposals – what problems is APRA seeking to address and what does it mean in practice?
Proposal 1: Skills and capabilities
Regulated entities to: identify and document the skills and capabilities necessary for the board overall and for each individual director; evaluate existing skills and capabilities of the board and individual directors; and take active steps to address gaps through professional development, succession planning and appointments.
Summary of APRA's concern and proposed solution
While CPS 510 (Governance) currently requires boards to collectively have the necessary skills, knowledge and experience to manage regulated entities appropriately, entities have discretion as to how to comply with the requirement. APRA has reportedly observed shortcomings in the effectiveness of these processes, including:
- failure to specify minimum skills and capabilities that individual directors need to fulfil their role;
- not verifying skills or capabilities, often relying heavily on self-assessments; and
- failure to take steps to address gaps and weaknesses through professional development and succession planning.
APRA proposes to require all regulated entities to identify and document, on an ongoing basis, the skills, capabilities and behavioural attributes that the board needs to deliver its organisational strategy and perform its role. APRA's expectations include the following:
- these attributes should be clearly defined and documented in a skills matrix and should include specific expectations for the chair, chairs of board committees and other individual directors;
- skills should be measurable and verifiable, and behavioural attributes should be observable;
- the targeted skills, capabilities and minimum criteria should be proportionate to an entity’s business needs, size and complexity;
- entities should be able to demonstrate to APRA that they are taking active steps to remedy gaps through professional development, succession planning and new appointments; and
- in considering nominees to the board, APRA expects entities to consider existing skills gaps so that each new appointment makes progress towards addressing them.
What does this mean in practice?
APRA's proposal largely restates existing good practice regarding skill and capability requirements for directors, albeit with greater emphasis on rigorous assessment of those requirements and on evidencing that entities are taking steps to address gaps. It follows that, in order to achieve APRA's objective, the matrix would need to be used as a meaningful governance tool and not simply as a compliance checklist reflecting current board composition. Notably, the proposal goes further than the current requirement for a skills matrix under the ASX Corporate Governance Principles & Recommendations, which requires only collective information about the board rather than individual information about directors (a topic which has been the subject of some debate).
The proposal has practical consequences. It may be perceived to limit the potential candidate pool, particularly when coupled with the proposed new independence requirements (see Proposal 4 below) and tenure cap (see Proposal 8 below). It will be important that a pathway remains for professionals from non-regulated entities to join the industry, and that board nominees of private investors can still be accommodated. If these proposals are adopted, at least some sectors may need a more proactive approach to developing a pipeline of suitable board candidates.
APRA's proposal does not suggest that it should receive copies of an entity's skills matrix, but there is some interplay between the requirement for a skills matrix and APRA's desire for proactive engagement on potential appointments (see Proposal 2 below).
Some entities may consider that APRA's focus on skills and qualifications does not sufficiently value directors who can bring different perspectives, thought and relevant practical and lived experiences (particularly representing the 'voice of the member') to a board, but who may not necessarily have financial, risk or governance qualification or expertise to perform well against a defined skills matrix.
Proposal 2: Fitness and propriety
(a) Regulated entities to meet higher minimum requirements to ensure fitness and propriety of their responsible persons.
(b) SFIs (and non-SFIs under heightened supervision) to engage proactively with APRA on potential appointments.
Summary of APRA's concern and proposed solution
APRA has observed substantial differences in how regulated entities conduct fit and proper assessments. Particular weaknesses include:
- entities being focussed on process compliance rather than outcomes;
- taking a narrow view of what constitutes fitness and propriety;
- little consideration of the capacity of directors to balance multiple roles and professional obligations;
- limited verification with excessive reliance on self-assessments; and
- treating annual reviews of incumbent responsible persons as cursory exercises (rather than as a continuous obligation to ensure the ongoing fitness and propriety of those individuals).
APRA has also indicated that, occasionally, entities have been reluctant to engage with APRA about its concerns as to the fitness and propriety of potential board appointees, or unwilling to reassess a responsible person's fitness and propriety where concerns emerge.
APRA proposes to strengthen baseline expectations for fitness and propriety by (among other things):
- being more specific about what fit and proper means, and the need to verify conclusions. APRA proposes to incorporate existing guidance and additional matters into the standard for consideration, such as:
  - actual, potential and perceived conflicts of interest and duties;
  - criminal and conduct records, for example contraventions arising out of civil, criminal or regulatory matters that may give rise to concerns;
  - character or regulatory references to evaluate performance in other roles, including the financial and reputational performance of previous organisations;
  - the ability to commit sufficient time to their role, including consideration of specific roles on other boards, for example chair or committee chair; and
  - reputational risk;
- clarifying triggers for a fit and proper reassessment (e.g., if there are grounds to believe that an individual is not meeting their obligations under FAR, or otherwise not meeting minimum fitness or performance expectations); and
- requiring regulated entities to notify APRA when concerns arise that may reasonably impact a person’s fitness and propriety, before a determination has been reached.
APRA also proposes to:
- enable APRA to require an entity-led reassessment if concerns about a responsible person or candidate are not addressed by the entity in a timely manner; and
- require that SFIs (and non-SFIs subject to heightened supervision) keep APRA informed of succession plans and nominations prior to appointment or public announcement.
APRA has signalled that, if it is not satisfied with a regulated entity's proposed or incumbent responsible person(s) or board performance, APRA will share its views with the regulated entity and, if the entity does not act to address concerns, this will inform the intensity of APRA supervision.
What does this mean in practice?
This proposal is much more prescriptive than the current regime, although we expect that many entities already come close to complying with many of these requirements. There is also interplay between the new requirements and the accountable person suitability requirements under FAR.
Some elements of the proposal do raise questions to be considered, including:
- the requirement to notify APRA when concerns arise that may reasonably impact a person's fitness and propriety, even before a determination has been reached, could be challenging to operationalise and may raise concerns for responsible persons that potentially prejudicial but unsubstantiated information may be shared with APRA; and
- the use of references from previous organisations raises questions as to confidentiality obligations that may apply to that information, and whether any protections may be available for those disclosing the relevant information.
This proposal should be viewed in the context of the entity's accountability obligations under FAR which already include taking reasonable steps to deal with APRA in an open, constructive and cooperative way and to prevent matters from arising that would adversely affect the prudential standing or prudential reputation of the entity (which should include ensuring that its most senior officers are suitable to be an accountable person).
Proposal 3: Conflicts management
(a) Extend current RSE licensee conflict management requirements to banks and insurers so they are also required to: proactively identify actual and potential conflicts of interest and duty; avoid or prudently manage conflicts; and take remedial action when conflicts are not disclosed or managed properly.
(b) Require regulated entities to consider perceived conflicts, in addition to actual and potential conflicts.
Summary of APRA's concern and proposed solution
At a high level, to be considered fit and proper, responsible persons of banks, insurers and RSE licensees must either have no conflict of interest in performing their duties or, if the person has a conflict, it would be prudent for a regulated entity to conclude that the conflict will not create a material risk that the person will fail to perform their duties properly.
More broadly, RSE licensees are also subject to more detailed conflict management prudential obligations (under SPS 521) than banks and insurers (under CPS 220). SPS 521 requires RSE licensees to:
- have a conflicts management framework to identify, assess, mitigate, manage and monitor all conflicts;
- develop, implement and review a conflicts management policy that is approved by the board;
- identify all relevant duties and relevant interests; and
- develop registers of relevant duties and relevant interests and make them public.
APRA proposes to create a single cross-industry set of requirements which would include a strengthened version of the requirements in SPS 521 that currently apply only to RSE licensees.
The current requirements will be strengthened by incorporating some existing guidance, in particular guidance that, as well as actual conflicts, potential or perceived conflicts and conflicts that affect the reputation of the business should be actively managed.
What does this mean in practice?
We expect many regulated entities would already be close to meeting the proposed new expectations. The elevated requirement for regulated entities to consider perceived conflicts is broadly consistent with the general law, although it is likely to raise questions in practice (for example, from whose perspective a conflict is to be 'perceived').
If this proposal is ultimately adopted, it may be necessary to make consequential amendments to the general obligation on AFSL holders to manage conflicts under section 912A(1)(aa) of the Corporations Act to provide an exemption for APRA-regulated entities so as to avoid regulatory duplication or ambiguity. This would be consistent with the approach taken to other aspects of an AFSL holder's general obligations (for example, the obligation to have adequate risk management systems and the need to have adequate resources).
Proposal 4: Independence
Strengthen independence on banking and insurance boards by: requiring that at least two of their independent directors (including the chair) are not members of any other board within the entity’s group; making minor amendments to the independence criteria, including extending the prohibition on directors who are substantial shareholders in a regulated entity or group from being considered independent, to include material holdings of any type of security; and extending the current requirement for bank and insurer boards to have a majority of independent directors to include boards of entities with a parent that is regulated by APRA or an overseas equivalent.
APRA is seeking feedback on a proposed revised definition of 'independence' (set out below):
‘a non-executive director who is not an employee of the entity, or the group to which it belongs, and who is free from any business or personal relationship that interferes, or could reasonably be perceived to interfere, with their exercise of objective judgement or acting in the interests of the regulated entity.’
Summary of APRA's concern and proposed solution
Intra-group conflicts
APRA has observed instances of poor conflict management where entities do not fully consider potential or actual intra-group conflicts, particularly in the context of board members. APRA considers that the current prudential standard does not take sufficient account of the potential for conflict between the interests of different group entities (particularly where the interests of the regulated entity and other group entities are not aligned).
CPS 510 requires boards of banks and insurers to have an independent chair and a majority of independent directors and allows the independent directors on the board of the parent company or its other subsidiaries to sit as independent directors on the board of the regulated entity. The Discussion Paper outlines the various options considered by APRA to address the issue of intra-group conflicts, and ultimately proposes to mandate that on each regulated entity board, at least two of the independent directors (including the chair) must not be directors on any other board within the relevant group.
Changes to independence criteria
CPS 510 prohibits directors who are (or are directly associated with) 'substantial shareholders' in a regulated entity from being considered independent, being in broad terms a 5% shareholding. However, this prohibition does not extend to holdings of other types of securities. APRA proposes to update the independence criteria such that substantial holders of any security (debt or equity) issued by the regulated entity or the group to which it belongs cannot be considered independent, as APRA is concerned that holding other types of securities may create conflicts.
Composition of subsidiary boards
CPS 510 sets different requirements for bank and insurer boards depending on ownership – while boards in banking and insurance must generally have a majority of independent directors, locally incorporated entities that are subsidiaries of a prudentially regulated parent need only have a majority of non-executive directors (NEDs), who do not all need to be independent. For consistency, APRA proposes that the boards of subsidiaries of parents regulated by APRA or an overseas equivalent must have a majority of independent directors.
APRA cannot amend legislation and so, for RSE licensees, the existing 'independence' requirements in the Superannuation Industry (Supervision) Act 1993 (Cth) (SIS Act) will continue to apply to superannuation trustees.
What does this mean in practice?
The proposal around subsidiary board composition is most likely to impact local banking and insurer subsidiaries of foreign regulated entities and domestic groups with non-operating holding companies (NOHCs), which will need to revisit the make-up of their boards.
The proposal also raises the bar for what is meant by 'independent', and raises questions as to the nature of the conflicts said to arise by virtue of holding securities (such as non-voting debt securities). The proposal could make it more difficult to identify and attract eligible directors while also satisfying the skills, expertise and tenure requirements (see Proposals 1 and 8).
The independence requirements which are imposed upon directors of superannuation trustees under the SIS Act will continue to be significantly weaker than those which apply to banks or insurers (under the Prudential Standards), or which are expected of listed companies (under the ASX Corporate Governance Principles & Recommendations). The limitations of the SIS Act independence requirements have been notorious for a long time – for example, the 2009-10 Super System Review recommended amending the SIS Act to require that one-third of the Board of each superannuation trustee should comprise directors who are 'independent' of the fund and its related parties. This recommendation was never implemented, and the independence requirements that apply to superannuation trustees will continue to be unique among APRA-regulated industries.
Proposal 5: Board performance review
Require SFIs to commission a qualified independent third-party performance assessment at least every three years which covers the board, committees and individual directors.
Summary of APRA's concern and proposed solution
APRA standards currently require boards of all regulated entities to have procedures for assessing board and individual director performance at least annually. APRA considers there to be three key areas where board assessments can improve:
- assessments focus on the collective board and do not capture committee and individual director performance;
- assessments are not informed by robust evidence, instead relying solely on self-assessments or peer input; and
- chairs fail to take a leadership role, either in the assessment process or in ensuring that emerging recommendations are addressed.
In response, APRA proposes to require SFIs to:
- commission external independent performance assessments of boards, committees and individual directors by credible and appropriately qualified experts every three years;
- have their chair take a leading and accountable role for the satisfactory completion of performance assessments and for ensuring that recommendations are addressed appropriately; and
- submit the independent triennial report to APRA.
Given the anticipated rigour of the triennial review, APRA expects to narrow the scope of annual performance assessments for SFIs (to focus on progress on recommendations from the independent assessment).
While non-SFIs would not be expressly required to undertake external board assessments, APRA has indicated that it still expects non-SFIs to improve the overall quality and rigour of their annual performance reviews and that chairs of non-SFIs take active leadership of the process and resulting programme. This position is proposed to be reflected in guidance.
What does this mean in practice?
We expect many regulated entities may already be close to meeting the proposed new requirements, although individual director reviews are perhaps currently less common than reviews of the board as a whole.
As is currently the case, any board reviews should take into account the horizon of board decision making so as to ensure that today's board is not punished for past mistakes while also ensuring that boards continue to be held accountable.
Proposal 6: Role clarity
(a) Define APRA’s core expectations of the board, the chair and senior management.
(b) Provide additional guidance on which APRA requirements may be delegated to board committees and senior management.
Summary of APRA's concern and proposed solution
APRA proposes to require a clear articulation of the primary roles of the board, the chair and senior management. APRA has signalled that the purpose of the proposal is to be clear on APRA’s expectations, to facilitate better delegation to board committees and management and to empower boards to spend more time on forward-looking strategy, risk and oversight.
Responsibilities APRA considers to be central to the board include:
- articulating the purpose and values of the entity, and desired culture;
- overseeing development, approval and execution of the entity’s strategy, objectives and risk appetite;
- overseeing the effectiveness of governance and risk management frameworks; and
- providing leadership and constructive challenge to senior management.
APRA also proposes to identify the core responsibilities of the chair which it expects would include responsibility for culture, board performance and fit and proper assessments.
With respect to the role of senior management, APRA proposes an outcomes-focused definition that supports the execution of the regulated entity’s activities in line with the board-approved strategy, risk appetite, culture and values, and ensures senior management deals with the board in a clear, timely and transparent manner. According to the Discussion Paper, senior management should be responsible for briefing the board effectively, with succinct and relevant information to support decision making, rather than briefing with a view to satisfy compliance requirements.
In terms of delegation, while the prudential standards contemplate boards delegating certain functions to senior management and board committees, APRA is seeking feedback on more specific examples of processes and policies APRA has assigned to the board that would be appropriate for delegation to committees or senior management.
What does this mean in practice?
Clarification of chair, board and senior management roles may be welcomed. APRA's articulation of these roles is likely to be relatively high level and principles-based, so as to enable boards to continue to determine for themselves which matters to reserve for the board and which to delegate to board committees and senior management. This is consistent with the fundamental legal principle that responsibility for guiding and monitoring the entity rests with the relevant board.
Proposal 7: Board committees
(a) Extend the current requirement for bank and insurer boards to have separate risk and audit committees, to apply to SFI RSE licensees as well. Repeal this requirement for non-SFI banks and insurers, allowing flexibility for smaller entities.
(b) Mandate that only full board members can be voting members of APRA-required board committees.
Summary of APRA's concern and proposed solution
Separation of audit and risk committees
Authorised deposit-taking institution (ADI) and insurer boards are currently required to maintain separate risk and audit committees, in line with the three lines of defence model. By comparison, RSE licensee boards are only required to have an audit committee whose responsibilities include risk. In some cases where there is no separate risk committee, APRA has observed weaker risk oversight and risk capability.
While having separate risk and audit committees is better practice, APRA recognises that this may create additional cost and complexity for smaller entities. Accordingly, APRA proposes:
- requiring RSE licensees that are SFIs to maintain separate risk and audit committees; and
- removing the requirement for banks and insurers that are not SFIs to maintain separate audit and risk committees.
Board committee voting
While APRA is not opposed to external advisers attending and advising board committees, APRA's view is that external advisers should not be full voting members and should not be relied upon to resolve critical board skills gaps. In particular, APRA asserts that boards should address gaps in skills and capabilities through appropriate director appointments, succession planning and training. Advisers can continue to attend committee meetings and provide advice but APRA's intention is that restricting voting to full board members would ensure clear board accountability.
What does this mean in practice?
This proposal signals a desire by APRA for greater consistency across regulated industries. Smaller institutions grappling with Prudential Standard CPS 230 (Operational Risk Management) (which involves contributions from both risk and audit) are likely to welcome the exemption from needing to have separate audit and risk committees.
Proposal 8: Director tenure and board renewal
(a) Impose a lifetime default tenure limit of 10 years for non-executive directors.
(b) Regulated entities to establish a robust, forward-looking process for board renewal.
Summary of APRA's concern and proposed solution
CPS 510 requires that Boards have a formal board renewal policy which must (among other things) consider whether a director's tenure could materially interfere (or be perceived to materially interfere) with their ability to act in the best interests of the entity. In the case of RSE licensees, any such policy must also state maximum tenure limits.
APRA considers that appropriate limits on director tenure are an important part of good governance and that overly long tenure has the potential to erode a director’s capacity to exercise impartial judgement and to challenge management effectively, and to limit openness to new ideas and different approaches. Accordingly, APRA proposes to introduce a 10-year lifetime tenure limit on a regulated entity board for non-executive directors, with the possibility of a two-year extension at APRA’s discretion.
In terms of board renewal more generally, APRA has observed shortcomings including a lack of specificity about appointment processes, limited connection to board skills matrices and a lack of early and effective succession planning. APRA therefore proposes to extend the current prudential requirements to expressly require:
- consideration of the full cycle from nomination and appointments through to succession planning;
- detail on director nominations, appointment process, length of term and maximum number of terms; and
- how results of board and director performance assessments will feed into succession planning and renewal.
What does this mean in practice?
The introduction of a cap on director tenure was extensively discussed in the context of an update to the ASX Corporate Governance Principles & Recommendations a number of years ago, and ultimately not included. The prevailing view seemed to be that appropriate tenure (including impact on independence) should be assessed on a case by case basis, having regard to the circumstances of the particular director and the composition of the board as a whole. As reported in the press, based on current regulated entity board compositions, this proposal would have consequences for many long-standing directors who would collectively hold a wealth of industry experience.
It is not uncommon for a director to serve on the board for a term or two before being appointed as chair – a limitation on overall board tenure is therefore also likely to impact not only the pool of potential candidates for chair, but also the tenure of chairs. This is relevant given boards are intended to focus on longer-term strategic matters that take time to execute.
The desire to limit tenure will need to be carefully balanced against the proposal that regulated entities need to take active steps to address skills and capabilities gaps (see Proposal 1 above), particularly in light of APRA's observation in the Discussion Paper that (in broad terms) some boards have minimal or no contemporary industry experience.
Please reach out at any time to discuss what the proposed changes could mean for you.