In brief - On 29 August 2019 the Australian Prudential Regulation Authority (APRA) issued its 2019-2023 Corporate Plan (Plan).
The Plan sets out APRA's priorities for the 2019-2023 planning period for achieving its regulatory and supervisory purpose, having regard to the Australian Government's Statement of Expectations for APRA and APRA's Statement of Intent published in September 2018.
Interestingly, though not unexpectedly, the spectre of the Banking Royal Commission is present in the Plan's overall tone. The Plan acknowledges that "community trust in the fairness of the financial system has been eroded, and regulators like APRA need to play a role in restoring that trust" and, as a consequence, APRA intends to "more clearly identify the expected outcomes for the Australian community".
In this regard, APRA's Plan will focus on four strategic areas:
- maintaining financial system resilience
- improving outcomes for superannuation members
- improving cyber-resilience across the financial system, and
- transforming governance, culture, remuneration and accountability across all regulated financial institutions
Key Implications of APRA's Corporate Plan
The Plan affirms support for all the recommendations arising from the Banking Royal Commission and Capability Review directed at APRA.
Notably, the following new regulatory themes emerge.
APRA's Corporate Plan is focussed on delivering community outcomes
Aside from its dedicated prudential raison d'être of maintaining financial safety across APRA-regulated financial institutions and the stability of the financial system, the Plan identifies a renewed focus on delivering 'community outcomes'.
This presumably stems from the terms of reference and recommendations of the Banking Royal Commission and appears to import a concept of community standards and expectations which encompasses the conduct, practices, behaviour or business activities of financial services entities.
However, notwithstanding the shift to take into account 'community standards and expectations', it is anticipated that APRA's overall focus will be tempered by its statutory limits. Those limits confine the classes of the community subject to consideration under the prudential regulatory regime to Australian depositors, insurance policyholders and superannuation members, whose interests are protected by fostering the resilience of APRA-regulated financial institutions and the Australian financial system.
Regulation to address conduct issues raised by the Banking Royal Commission
The Plan acknowledges and responds to the impact of the Banking Royal Commission recommendations and emphasises that "financial institutions must act to improve their conduct and there is a greater expectation of deterrent and punitive enforcement action by all regulators, which has been facilitated by recent legislative changes".
In addition, the Plan contemplates increased coordination and more explicit collaboration between APRA and its peer regulators in the context of the increasing prevalence of shared responsibilities and issues of common interest amongst those regulators.
Broadening of APRA's Remit - GCRA
The Plan contains a specific strategic objective which marks a substantive shift in policy considerations and a broadening of APRA's remit to "transform governance, culture, remuneration and accountability across all regulated institutions" referred to as 'GCRA'.
In this regard, APRA's traditional focus on financial stability and supervision will continue but will be expanded to take into account broader systemic factors such as culture and governance in the financial services sector, cyber security and non-financial risks.
In practice and based on the Plan, this is likely to take the following forms:
(i) a prudential requirement for stronger governance and control of non-financial risks by APRA-regulated institutions;
(ii) a policy emphasis on implementing remuneration frameworks that reward good outcomes and impose consequences for poor behaviour;
(iii) embedding a 'constructively tough' mindset in the supervision of GCRA across APRA, including "empowering supervisors with market intelligence to identify GCRA outliers and to take action where appropriate";
(iv) the adoption by APRA of a 'whole of system' mindset through a more deliberate approach to collaborating with peer domestic and international agencies on a broader range of risks and mitigation activities;
(v) the ongoing strengthening of APRA’s engagement with ASIC, particularly in areas of common interest such as enforcement, superannuation and GCRA.
APRA Corporate Plan to address cyber security and privacy challenges
The Plan recognises and envisages the impact of:
(i) new types of entities seeking to enter the financial services sector, such as fintechs and tech giants; and
(ii) the 'Open Banking' reforms and the Consumer Data Right,
both of which have the potential to significantly alter the competitive landscape and bring additional technology, security and privacy challenges.
In this regard, amongst other things, the Plan affirms that APRA will:
(i) actively supervise the adoption of the new prudential standard CPS 234 Information Security (which commenced on 1 July 2019);
(ii) target areas of weakness and actively supervise APRA-regulated institutions to address basic cyber hygiene issues and maintain ‘fit for purpose’ response plans for plausible cyber incidents;
(iii) take steps to improve cyber resilience and to transform its data into a strategic asset by further developing its data strategy and making greater and more effective use and sharing of data, in consultation with key stakeholders including industry participants and other regulatory agencies.
Banking Executive Accountability Regime (BEAR)
The Plan also builds upon the recommended outcomes of the Banking Royal Commission, which identified that "too little attention has been given to the evident connections between compensation, incentive and remuneration practices and regulatory, compliance and conduct risks".
Consequently, the Plan affirms the continuing implementation of APRA’s new and expanded functions, including "rolling-out the BEAR across all APRA-regulated industries to heighten standards of accountability".
Likely Impact of APRA's Corporate Plan
In the short term we anticipate the following impact on financial services institutions and providers:
- a shift and expansion in APRA's remit to encompass the prudential assessment of 'GCRA' compliance
- increased coordination and more explicit collaboration between APRA and its peer regulators, including active management of its data into a strategic asset for supervisory and enforcement purposes
- the centrality of regulatory enforcement as a tool to improve prudential conduct and compliance
- a transformation in APRA's data-enabled decision-making
- continuing scrutiny of compensation, incentive and remuneration practices and the implementation of BEAR
- a regulatory and prudential policy emphasis on information security and cybersecurity
- increased transparency on regulatory outcomes
This is commentary published by Colin Biggers & Paisley for general information purposes only. This should not be relied on as specific advice. You should seek your own legal and other advice for any question, or for any specific situation or proposal, before making any final decision. The content also is subject to change. A person listed may not be admitted as a lawyer in all States and Territories. © Colin Biggers & Paisley, Australia 2021.