APRA supervisory and policy priorities for H1 2024 released

4 minute read 31.01.2024 Kate Hilder, Siobhan Doherty

GRCA, operational resilience, climate and cyber included among APRA's top supervision and policy priorities for the next six months.

Ahead of the release of APRA's 2024-25 Corporate Plan (which is due for release at the end of August), the regulator has released a letter to industry outlining its supervision and policy priorities for the next six months. We've highlighted the key points below.

Six cross-sector priority areas

1. Governance, Culture, Remuneration, Accountability (GCRA)

APRA has flagged plans to:

Commence a 'broad review of governance requirements': The review will include reviewing governance requirements in Prudential Standard CPS 510 Governance, Prudential Standard CPS 520 Fit and Proper (as well as in other relevant standards). Beginning in the second quarter of 2024, APRA will begin to consult with industry, ahead of the planned release of a discussion paper.

Sharpen its focus on GRCA in supervisory engagements: The letter states that:

'GCRA components will be heightened in supervisory engagements, including for entities that are implementing material risk transformation projects'.

Undertake risk culture surveys: Insurers requested to be involved in the next round of risk culture surveys will hear from APRA in the first half of 2024.

Run a 'Pulse survey' pilot: From 'the middle of 2024', APRA plans to run a pilot round of 'pulse surveys' for selected entities. This will involve participating entities conducting their own surveys (including 'a small number of key risk culture questions' supplied by APRA) and providing their findings to APRA.

2. Operational resilience (CPS 230 implementation)

Implementation of new cross industry prudential standard CPS 230 Operational Risk Management (CPS 230) which will come into effect from 1 July 2025 is also highlighted as a priority. For more on CPS 230 read: APRA's new operational risk standard finalised and CPS 230: The Practical Playbook

To support preparation for implementation of the new requirements:

APRA plans to finalise guidance (CPG 230) to support entities to transition to the new requirements 'in the first half of 2024'. APRA states that the finalised guidance will include guidance to 'support implementation for smaller, less complex entities'.
APRA reiterates that entities should be proactive in preparing for the new requirements including through 'identifying critical operations and material service providers and building organisational awareness'.
Entities should 'expect further engagement on operational resilience through 2024 to assist readiness' including 'meetings with selected entities' and 'webinars to assess and assist readiness'. APRA also plans to host information roundtables to help prepare entities for the new requirements in CPS 230.

3. Climate risk

APRA has flagged plans to:

Undertake a review of CPG 229:The letter flags that APRA is reviewing the effectiveness of Prudential Practice Guide CPG 229 Climate Change Financial Risks (CPG 229) and plans to engage with industry as part of the review process. 'Embedding climate risk considerations clearly in risk management frameworks' is identified as a key focus of the review. For clarity, APRA confirms that it does not intend to commence formal consultation on any changes in the first half of 2024.

Roll out a (Voluntary) Climate Risk Self-Assessment survey:Entities will be asked to participate in the voluntary exercise. Participation will, APRA states,

'provide entities with insights on their alignment to the principles in CPG 229 as well as allow for valuable industry-level insights into the ongoing maturity of climate risk management'.

Continue work on the insurance Climate Vulnerability Assessment (CVA)which will assess the potential impacts of climate change on home insurance affordability out to 2050 is also a priority over the next six months.

4. Financial Accountability Regime (FAR) implementation

The FAR which will replace and expand on the existing BEAR will come into effect from March 2024 for banks and from March 2025 for the insurance and superannuation sectors (read: FAR status update: FAR Bills now law).

To support entities in their preparations for the changes APRA and ASIC plan to:

(For banks): Release the Regulator rules and Transitional Rules
(For insurers and superannuation funds): Release an 'information package in early 2024' and host a series of webinars.

5. Recovery and Resolution

Implementation of Prudential Standard CPS 190 Recovery and Exit Planning and Prudential Standard CPS 900 Resolution Planning is flagged as a priority over the next six months. For context, CPS 190 and CPS 900 came into effect for banks and insurers on 1 January 2024 and will commence for superannuation licensees from 1 January 2025.

APRA's letter states that:

'Some banks and insurers may need to refine their approach to recovery and exit planning.'

Ahead of the commencement of the new requirements for superannuation licensees, APRA has said it plans to engage 'to drive an uplift in industry approaches to meeting the expectations in the new standards'.

APRA also plans to ask 'SFIs for information to prioritise entities for future resolution planning' and to continue 'bespoke resolution planning with a small number of entities'.

6. Cyber-resilience

CPS 234 Information Security (CPS 234) compliance is flagged as a focus.

The letter notes that all remaining CPS 234 tripartite assessments are due to be submitted to APRA in the next six months. APRA cautions that

'Where entities are found to have significant vulnerabilities, APRA will take a proportionate response and may intensify supervision, require root cause analysis, request remediation plans, and consider enforcement action'.

Sector-specific priorities

Banking sector specific priorities

Interest rate risk in the banking book (IRRBB), regulatory capital, liquidity, implementation of proposed reforms to the payments licensing regime, cryptoassets and stress-testing are identified as key priorities over the next six months.

On crypto assets, APRA flags plans to consult on the prudential treatment of cryptoassets 'in 2024', with new requirements planned to apply from 2025. The new prudential requirements are planned to be based on the Basel Committee's finalised standard for the prudential treatment of banks' exposures to crypto-assets.
On stress-testing, APRA plans to conduct a banking stress test in mid-2024 with systemically important banks. The letter states that 'the scope of entities involved will be determined in early 2024 and entities will be notified'.

Insurance sector

The letter flags four insurance-sector specific areas of focus: 1) general insurance affordability and availability; 2) life insurance sustainability; 3) the availability of a range of retirement products for retirees and private health insurance; and 4) private health insurance capital reforms.

Superannuation sector
1) Investment governance; 2) 'superannuation transparency' (addressing underperformance); 3) uplifting practices to support better retirement incomes; and 4) financial resilience are flagged as key priorities in this context.

On financial resilience, APRA plans to consult on revisions to Prudential Standard SPS 114 Operational Risk Financial Requirement and associated guidance in 2024.

APRA stands ready to adjust these priorities 'as needed'

The letter makes clear that the priorities outlined above are intended to respond to the challenges in the current environment – eg the 'growing reliance on digital technologies by entities and the community', to integrate 'lessons' learned eg lessons from last year’s global banking turmoil and to progress certain policy priorities.

APRA states that it will

'remain adaptable to changes in the external environment and will adjust these priorities as needed, to ensure the industries it regulates can continue to respond to new and emerging risks'.

[Source: APRA letter to industry 31/01/2024]