In response to the recommendations of both the Financial Services Royal Commission and the APRA Capability Review, The Australian Prudential Regulation Authority (APRA) has released an information paperoutlining the regulator's, 'stronger, more transparent' regulatory approach to governance, culture, remuneration and accountability (GCRA) risk.
Build resilience and restore trust
APRA says that the revised and more intensive approach is intended to 'strengthen the resilience of financial institutions, including addressing, and ideally preventing, issues such as poor risk governance, misaligned incentives and misconduct that have undermined public confidence in the financial sector over recent years'.
Ultimate responsibility lies with the board, but APRA will act where necessary
APRA states that it considers that 'the board is ultimately accountable, together with senior management, for the management of risk, whether financial or non-financial and the outcomes that result from it' and that this continues to be the basis of APRA's 'supervisory philosophy'.
Having said this, APRA states that 'where a regulated entity fails to address poor GCRA practices, APRA is prepared to use its regulatory powers to compel the entity to take action. This is essential for both strengthening the resilience of regulated entities and restoring community trust in the financial system as a whole'.
The three planks underpinning APRA's new approach
APRA's strategy is underpinned by three commitments: 1) strengthening the prudential framework to lift minimum GCRA standards; 2) intensifying the supervisory focus on GCRA through 'refreshing existing practices' and integrating supervision of GCRA into day to day supervision of entities; and 3) disclosure: sharing insights and GCRA best practices publicly.
How APRA plans to transform GCRA practices
Governance roadmap
- Update CPS 510/220: APRA will amend the prudential standards to incorporate 'the lessons from the [Financial Services] Royal Commission and self-assessments', and ensure they remain fit for purpose. Areas for review will include the effectiveness of board obligations in relation to risk culture, the relative emphasis on financial and non-financial risks, and the 'clear need to strengthen the requirements in relation to compliance and audit functions'.
- Incorporation of CGRA declarations and self-assessments into CPS 220: APRA says it intends to incorporate GCRA declarations and self-assessments into the supervision framework, building on the existing process of risk management declarations under CPS 220. Subject to consultation on the exact nature of the new requirements, APRA says this could involve: a) annual GCRA declarations from the boards of regulated entities, similar to the declarations provided for risk management under CPS 220; b) periodic GCRA self-assessments, as well as independent reviews, to support annual declarations; c) engagement with independent experts to assist with APRA’s assessment of entities’ self-assessments, including benchmarking segments of the industry to highlight good and bad GCRA practices; d) follow-up actions from these assessments incorporated into APRA’s ongoing supervision; and e) more formal supervisory actions applied to entities that fail to make sufficient progress in rectifying deficiencies. APRA says that it will consult with industry about how these expectations will be included in the prudential framework and seek feedback about how the process can best be integrated with existing declaration and review requirements in CPS 220.
- Self-assessment follow up: APRA has been undertaking 'targeted' prudential engagements with entities that completed a self-assessment to assess the progress of remediation plans since June 2019. The information paper indicates that this work is expected to be continuing.
- Phased thematic review to identify drivers of effective governance practices: APRA has already commenced, and will continue work on, a phased thematic review into the drivers of effective governance practices. The review includes consideration of various issues including for example, the processes supporting the CPS 220 risk management declaration and the effectiveness/role of board committees and processes undertaken to assess board effectiveness. This work is expected to be completed after July 2021.
- 'Deep dive’ prudential reviews of the major banks’ compliance functions. APRA indicates that one 'onsite compliance review' commenced after June 2019 and is expected to be completed by June 2020.
Risk culture roadmap
- APRA will conduct three 'deep dive risk culture reviews' per year from 2020 onwards. One review is expected to be completed in 2019.
- Develop and establish an industry-wide tool(s) to benchmark risk culture across industry sectors and cohorts of entities. A prototype is to be created before December 2020. APRA says that it used a version of the tool for the Prudential Inquiry and will seek to adapt it for industry wide use. Ahead of the wider roll out, APRA says it will test the tool by undertaking an initial survey of a small sample of entities in 2020, with a view to including a broader sample of entities in subsequent surveys.
- Update CPS 220: APRA says it will review the effectiveness of board obligations in CPS 220 (from a risk culture perspective) to ensure it remains fit for purpose. In terms of timing, APRA appears to indicate that the consultation package will be released after June 2020 and be completed after June 2021.
- APRA says it will uplift the internal capability of APRA supervisors through 'baseline training'
Remuneration roadmap
- Implementing 'more prescriptive remuneration requirements': APRA plans to respond to the feedback received in response to proposed remuneration reforms/finalise the draft standard in 'early 2020'. The report appears to indicate that this will occur before June 2020.
[Note: APRA released a discussion paper and new draft Prudential Standard (CPS 511) proposing stronger and more prescriptive prudential requirements for remuneration across all APRA-regulated entities in the banking, insurance and superannuation sectors in July. The deadline for submissions was the 23 October. The proposed new standard aims to address the remuneration-related recommendations made by the Financial Services Royal Commission (Recommendations 5.1, 5.2 and 5.3) as well as insights gained from the Prudential Inquiry into the Commonwealth Bank of Australia (CBA), APRA’s Review of Remuneration Practices at Large Financial Institutionsand its summary of industry self-assessments of governance, accountability and culture.
[Note: APRA In a recent speech providing an update on the consultation, APRA Chair Wayne Byres said that APRA is working through the submissions received in response and is yet to finalise its approach.]
- 'Proactive industry consultation' approach: APRA comments that given the extent of change proposed, APRA undertook an extensive consultative process including holding industry webinars and individuals meetings. APRA says that it intends to continue this 'active consultation approach for upcoming releases of the draft remuneration prudential practice guide and remuneration disclosure and reporting requirements'.
- Post-implementation review: APRA says that it plans to assess implementation plans from a sample of regulated entities (once the final standard is released) and publish an information paper based on the findings, to reinforce APRA's expectations on implementation to the broader industry. The process will both give APRA an opportunity 'take pre-emptive action to address any shortfalls' in implementation, and provide insights into emerging market practice APRA states.
- 'Deep dive' effectiveness reviews: APRA says it will carry out ‘deep dive’ effectiveness reviews once the final standard is implemented that will focus on the design, implementation and outcomes of remuneration frameworks. APRA will 'scope' these 'deep dive' reviews from June 2021.
- Uplift the internal capability of APRA supervisors through 'baseline training'.
Accountability roadmap
- Develop an accountability regime for all APRA regulated entities: APRA says it plans to work with government and Treasury, and with ASIC to develop an accountability regime for all APRA regulated entities. No firm timeframe is given. APRA says, is 'a matter for government'.
[Note: The government's roadmap for implementing the Financial Services Royal Commission's recommendations indicates that it legislation to implement this measure will be consulted on and introduced by the end of 2020.]
- On-site reviews of BEAR implementation: Finally, APRA will assess the outcomes of the implementation of the banking executive accountability regime legislation (BEAR) through conducting on-site reviews at large ADIs commencing 'in the second half of 2019' and concluding by June 2020. Assessing actions taken by large ADIs to embed the regime, and cascade accountability through the entity will be a key are of focus.
- Lift internal capability: APRA says it will lift its internal capability to assess regulated entities' approach to the implementation of the Accountability Regime through ongoing training.
Prepared to name names: APRA's approach to GCRA-related disclosure
APRA says that a 'key pillar' of its new strategy is to share GCRA insights and practices publicly.
APRA notes that determining what GCRA information should be disclosed requires the regulator to 'balance a range of considerations' including (for example): whether disclosure could adversely impact the financial stability of an individual entity and/or the strategic position of an entity. However, APRA said that notwithstanding these considerations, it considers that 'there is scope' to increase the extent of information about APRA's GCRA activities and findings, including in relation to individual entities.
In addition, APRA suggests that there is 'potentially scope for entities to self-disclose a greater range of information'.
Accordingly, under APRA's revised supervisory approach APRA plans to publicly disclose: GCRA investigations and prudential inquiries (subject in some cases to the approval of the Attorney General), GCRA 'deep dives' and thematic reviews (including entity specific findings of better or poorer practice), GCRA related self-assessments and GCRA self-disclosures.
In the case of GCRA related self-assessments regulated entities will be informed at the commencement of the processes of the extent and nature of APRA’s requirements in respect of public disclosure.
[Note: Figure 10 at p19 outlinesout APRA's future approach to GCRA-related disclosure.]
Release of GCRA information papers: APRA says it plans to release four information papers on culture, governance accountability and remuneration from next year.
[Note: Figure 11 at p20 sets out a timeline/provides some detail on what will be included in each of the papers.]
Use of CBA-style prudential inquiries?
Recommendation 4.2 of the Capability Review recommended that APRA embed CBA-style prudential inquiries and entity self-assessments into its supervisory toolkit. In response, APRA says that it will both include CBA style prudential inquiries 'as part of its supervisory toolkit' and publicly disclose the outcomes.
However, the report also states that APRA considers 'a full scale Prudential Inquiry similar to that conducted for CBA as being at the highest intensity end of the scale for addressing CGRA issues'.
As such, APRA says that 'they are most likely to be targeted at cases where issues have been identified that are serious, complex and potentially indicative of systemic GCRA problems within the regulated entity that have, or could, diminish the prudential standing of the entity'.
Given this, APRA says that though 'they will be an important tool that APRA can utilise when circumstances warrant such an approach', where a CBA-style inquiry is not warranted, ASIC has the option to utilise a program of 'more targeted "deep dive" prudential reviews'.
These 'deep dive' reviews will deploy some of the tools and elements used in the Prudential Inquiry, such as interviews with directors and senior managers, staff surveys, and analysis of case studies.
Insights from these activities will be used to inform the structure and design of the self-assessment process that APRA is considering rolling out across the sector, as well as the focus of thematic reviews.
APRA/ASIC cooperation
The paper states that APRA and ASIC will cooperate on GCRA issues as part of a broader refresh of the cooperation arrangements between the two entities and accordingly, both entities have committed to a number of actions to strengthen collaboration between them including among other things, by enhancing inter-agency information sharing on GCRA and other regulatory matters.
[Note: Figure 12 at p21 sets out APRA and ASIC's respective roles with respect to management of each GCRA component.]
Context
[Note: Appendix A at p27 explains how APRA's new approach responds to the Financial Services Royal Commission recommendations (5.1 and 5.2 (supervision of remuneration), 5.3 (revised prudential standards and guidance) and 5.7 (supervision of culture/governance). Appendix B (at p29) explains how the new approach responds to the recommendations of the APRA Capability Review.]
- In addition, APRA's revised approach takes into account 'leading international practices' in managing GCRA risk. Among other things, APRA says that it is considering the benefits associated with observing board meetings (consistent with leading international practices).