APRA targets non-financial risk, cyber-resilience, superannuation

9 minute read  03.09.2019 Kate Hilder, Mark Standen
Overview | APRA Corporate Plan 2019-2023

Key takeouts

  • In its 2019-23 corporate plan, informed by six separate reviews and inquiries over the last 18 months, the Australian Prudential Regulation Authority (APRA) has identified four strategic priorities: 1) maintaining financial system resilience; 2) improving outcomes for superannuation members; 3) improving cyber-resilience across the financial system; and 4) transforming governance, culture, remuneration and accountability across all APRA regulated entities.
  • APRA says that these four strategic focus areas are not intended to be an exhaustive list: they 'do not represent all outcome areas where APRA has a responsibility or will direct its attention'.
  • APRA says that the achievement of the plan will require an uplift in APRA's internal capabilities in the following areas: 1) improving and broadening of risk based supervision; 2) improvement of APRA's resolution capability; 3) improvement of external engagement and collaboration; 4) transformation of data-enabled decision making within the regulator; and 5) 'transforming' APRA leadership, people and culture. The plan comes into immediate effect.

On 29 August, the Australian Prudential Regulation Authority (APRA) released its corporate plan for the next four years. A high level overview is below.

Core mandate unchanged (but modernisation is required)

Though APRA's core mandate — to 'maintain the safety and resilience of the financial system' — is unchanged, the regulator writes that it is operating within an increasingly complex and challenging environment and also under heightened scrutiny. In consequence, the regulator says that it will need to 'progressively transform', and to 'modernise and adapt' to ensure it remains fit for the future.

'Australia’s financial system remains in good health, but we can’t take that for granted. As macroeconomic and geopolitical risks play out, as technological innovation transforms the industry, and as new risks such as cyber and climate change grow, we must have the right skills and resourcing to continue protecting bank depositors, insurance policyholders and superannuation members. The new Corporate Plan acknowledges increased expectations of APRA, and fulfils the recommendations of the Royal Commission and Capability Review. Amongst other things, we will place greater emphasis on the supervision of ‘non-financial risks’ such as culture and accountability, and take a “constructively tough” enforcement approach when breaches of our prudential standards occur', APRA Chair Wayne Byres said.

Four key focus areas

The plan identifies four strategic areas of focus for the next four years to 'strengthen outcomes of the Australian community'. They are: 1) maintaining financial system resilience; 2) improving outcomes for superannuation members; 3) improving cyber-resilience across the financial system; and 4) transforming governance, culture, remuneration and accountability across all APRA regulated entities.

APRA states that the areas identified are not intended to be an exhaustive list of the areas in which it will direct its attention.

APRA Chair Wayne Byres commented that 'APRA is well aware of the heightened expectations of the organisation, and will be regularly reporting on the progress we are making in delivering better community outcomes across the four areas of strategic focus we have called out. Although it is ultimately up to financial institutions to strengthen community trust in the industry, regulators have an important role to play. In delivering on this Corporate Plan, APRA will be better equipped to ensure the entities we regulate are not only financially resilient, but also have frameworks, systems and cultures in place designed to reduce the risk of misconduct and poor consumer outcomes'.

Some key actions and timeframes

[Note: The report includes a 'roadmap for change' (at p22) identifying specific actions under each of the four focus areas and completion timeframes for some of these actions.]

1. Maintain financial system resilience

APRA will look to 'evolve its supervision and policy position to uphold the resilience of APRA-regulated financial institutions and the Australian financial system' through strengthening capital requirements for authorised deposit-taking institutions (ADIs) as well as undertaking other targeted activities including (among others) ensuring robust governance practices and operational controls and systems are in place in superannuation funds to safeguard members' funds from 'theft or loss' and improving recovery planning across all APRA-regulated industries.

Specific actions and completion dates

The plan includes hard completion dates for some actions.  

By June 2020: Move from three yearly to an annual stress testing cycle for ADIs 

By June 2021: Complete the external audit review of ADIs covering the management of problem assets

By June 2022:

  • Improve the data submitted by ADIs to enhance the prudential supervision of the industry by APRA
  • Implement changes to strengthen the capital prudential standards that apply to ADIs
  • Manage the reliance on overseas reinsurance by general insurers and renew the value that insurance products provide to consumers
  • Uplift the maturity of risk governance and drive sustainable products offered by life insurers
  • Implement new capital prudential standards that apply to private health insurers

By June 2023: Strengthen governance and risk management practices in the superannuation industry

2. Improve outcomes for superannuation fund members

APRA says that it is focussed on 'actively' driving 'a superannuation trustee culture of continuous improvement in delivering quality outcomes to superannuation members, including addressing underperformance in the superannuation industry'. The plan outlines a number of actions aimed at achieving this outcome. These include the following.

  • Implementation of SPS 515 Strategic Planning and Member Outcomes and the legislated outcomes assessment, as well as 'deep dives into industry practices' in key areas.
  • Improving the transparency of superannuation performance by collecting and publishing additional new and more detailed data and benchmarking performance and outcomes in key areas (investment performance, expenses, insurance and sustainability)

[Note: The Australian Prudential Regulation Authority (APRA) launched a consultation in April to clarify how Prudential Standard SPS 515 Strategic Planning and Member Outcomes (SPS 515) would interact with the government’s new legislated outcomes assessment (following the passage of Treasury Laws Amendment (Improving Accountability and Member Outcomes in Superannuation Measures No 1) Act 2019). APRA finalised changes to SPS 515 on 28 August. In addition, the regulator said that it will publish more detailed information about fund performance. This is covered in a separate post in the 04/09/2019 issue of Governance News.]

  • Enhancing transparency around supervisory actions and emerging areas of best practice identified through industry-wide reviews to influence industry practices
  • Integrating APRA’s assessment of member outcomes into APRA’s risk assessment and response models and new enforcement approach
  • Facilitating the resolution or exit of persistently underperforming superannuation funds.

Specific actions and completion dates

The plan includes hard completion dates for the following actions.

By December 2021: 

  • Improving the quality and consistency of superannuation data submitted to APRA
  • Increasing transparency by publishing data for MySuper and Choice superannuation products. 

By June 2022:

  • Publishing additional data on APRA's assessment of superannuation performance
  • Improving the transparency of supervisory actions taken by APRA and publishing the results of benchmarking exercises
  • Facilitating the resolution/managed exit of persistently underperforming superannuation funds or products

By June 2023:

  • Facilitating the implementation of legislation and strengthening prudential standards
  • Conducting thematic and deep dive reviews into trustee practices

3. Improving cyber resilience across the financial system

APRA will seek to reduce the impact of cyber incidents to the Australian community and financial system by ensuring that APRA-regulated financial institutions are proactively undertaking continual actions to strengthen their cyber resilience.

APRA says that it will refresh and execute its multi-year cyber strategy, which will include:

  • Enforcing minimum standards and influencing sound practices: APRA will supervise the adoption of the new prudential standard CPS 234 Information Security and target areas of weakness with clear guidance to industry. Active supervision will ensure APRA-regulated institutions address basic cyber hygiene issues and maintain ‘fit for purpose’ response plans for plausible cyber incidents.
  • Using data-driven insights to interrogate cyber resilience data to prioritise and tailor supervisory activities. In the longer term, APRA says that this will inform baseline metrics against which APRA regulated institutions will be benchmarked and held to account for maintaining sound cyber defences.
  • Collaborating with peer regulatory agencies for better cyber resilience outcomes, including by executing the work plan of the Council of Financial Regulators Cyber Security Working Group, and engaging with other agencies, international peers and industry experts.
  • Bolstering APRA’s ability to assess the cyber resilience of regulated institutions by uplifting organisational capability and by leveraging third party expertise for deeper assessments where necessary.
  • Uplifting APRA’s cyber incident response capabilities to respond swiftly and decisively to cyber incidents that have materially impacted APRA regulated institutions.

No hard completion dates appear to be included for this work.  

4. Transform governance, culture, remuneration and accountability (GCRA) across APRA regulated entities

The plan includes a number of actions under APRA's 'multi-year GCRA strategy'. These include:

  • strengthening the prudential framework by 'uplifting and clarifying prudential expectations and guidance relating to GCRA', and working with government on planned initiatives to extend the legislated accountability regime to all APRA-regulated institutions
  • sharing more frequent GCRA insights with external stakeholders to reinforce prudential expectations, with a view to continuing to uplift the management of non-financial risks by APRA regulated institutions
  • sharpening prudential supervision of GCRA through intensifying focus on risk management outcomes including: a) refreshing supervisory tools and approaches, which includes targeted use of regulatory technology, to transform supervision of GCRA; b) undertaking intensive reviews and prudential inquiries as appropriate to identify and require action where the poor management of GCRA risks is identified; and c) embedding a ‘constructively tough’ mindset to the supervision of GCRA across APRA.

The roadmap sets out hard completion dates for two actions:

  • By June 2020: Implementing intensive supervisory reviews (three entities per year)
  • By Jan 2021: Implementing a revised prudential standard

Lifting APRA internal capability

APRA notes that the execution of the strategy will require lifting internal capability at the regulator in key areas. These include: a) improving and broadening risk-based supervision; b) improving APRA's resolution capability; c) improving APRA's external engagement and collaboration; d) data enabled decision making; and e) transforming APRA leadership, people and culture.

Resourcing

The report notes that APRA has received/will receive over the next four years increased funding, primarily to implement measures in response to the Financial Services Royal Commission and to APRA's new and expanded functions including rolling out the Banking Executive Accountability Regime (BEAR) across all APRA regulated sectors. The initiatives that informed these funding increases have been incorporated into APRA's 2019-2023 Corporate plan.

However, following the Capability Review, APRA noted that it would require additional funding, or legislative and/or policy changes, to effectively implement all the recommendations arising from that review. Noting the government's indication that it will consider the need for any additional funding as part of the 2020-21 budget process, APRA said it will assess any implications for its four-year plan at that time.

Performance measures?

Chapter 5 of the plan sets out the measures APRA will use to assess its own performance against the plan.
