Compliance and Regulation
The Australian Prudential Regulation Authority (APRA) will continue its twin themes of “protecting the community today” and ensuring the Australian financial system is “prepared for tomorrow”, both of which are accentuated in its Corporate Plan for the 2022-23 year. APRA has highlighted the significant shift in economic outlook caused by global factors such as the lingering effects of COVID-19 and the supply chains strained by Russia’s invasion of Ukraine; maintaining the resilience of the Australian financial system is therefore a priority for APRA. There remains a strong emphasis on embedding and driving strong governance, risk culture, remuneration and accountability (GCRA) across the banking, insurance and superannuation industries. With the introduction of CPS 230 Operational Risk Management, APRA is consolidating its existing outsourcing and business continuity standards (CPS 231 and CPS 232) into a single standard focused on strengthening operational risk management across those industries. Organisations in these sectors should assess how CPS 230 changes their existing risk management frameworks. APRA will continue to dedicate supervisory and regulatory attention to the following:
There also continues to be a heightened focus on operational and technological resilience within Australia’s financial system. APRA is delivering its cyber security strategy by embedding Prudential Standard CPS 234 Information Security, including through independent assessments of entities’ compliance with it. APRA will also increase the scrutiny and intensity of its data-driven supervision by sharing aggregated data insights with industry to promote benchmarking and self-assessment. Government agencies such as the Department of Home Affairs and the Australian Cyber Security Centre will collaborate with APRA and the Council of Financial Regulators (CFR) to uplift response and coordination mechanisms and improve cyber resilience across the Australian financial system.
APRA | 2023 Strategic Outlook
APRA’s priority for 2023 is to embed GCRA practices across the banking industry while upgrading the business continuity and contingency practices of banks, with a focus on recovery planning, operational resilience and the resolvability of critical functions. APRA will also look to embed key prudential reforms, including “unquestionably strong” capital ratios, the requirements under Basel III and Prudential Standard CPS 511 Remuneration.
In superannuation, APRA will continue to rectify sub-standard practices through robust supervision, strengthened prudential standards and reinforced minimum expectations in areas such as investment governance, financial resilience, strategic planning and business performance review practices, insights and actions. APRA’s focus on superannuation is evident from its first annual performance test: of the 13 MySuper products that failed, 10 have either merged, exited or committed to transfer their members to better performing funds.
APRA will look to strengthen governance, risk management and business strategy practices across the insurance industry, including addressing the deficiencies in self-assessments undertaken by general insurers. It will also aim to improve resilience and reduce the risk and impact of a disorderly exit of an insurer by ensuring that effective continuity, recovery and resolution plans are in place.
Uplifting APRA’s Capabilities
There are three objectives for APRA’s modernisation of its prudential architecture:
- Better regulation: ensuring that existing prudential guidance and standards are easier to navigate, understand and comply with.
- A digital first approach: supporting better regulation and operational efficiency using Artificial Intelligence (AI), regtech and suptech.
- New risks, new rules: The development of regulation that caters to new risks without adding complexity to the existing framework.
By investing in its data analytics capability, APRA aims to enable better data-driven decisions by stakeholders and to use deeper and richer data to enhance its supervisory outcomes, for example by augmenting its Supervision Risk and Intensity (SRI) model.
ASIC and DoF
The Australian Securities and Investments Commission (ASIC) has introduced its Enforcement Priorities for 2023, centred on protecting consumers from financial harm and upholding the integrity of Australia’s financial markets. This is the first time ASIC has identified specific areas of enforcement, a practice it will continue in future years, in order to give a clear indication of where ASIC will direct its expertise and resources.
2023 Enforcement Priorities
These Enforcement Priorities for 2023 include (specific to the banking, insurance and superannuation sectors):
- Enforcement action targeting poor design, pricing and distribution of financial products.
- Misconduct in the superannuation sector – this includes misleading conduct and poor governance.
- Governance and directors’ duties failures.
- Combating and disrupting investment scams.
Note: The full list of priorities can be found on https://asic.gov.au/about-asic/asic-investigations-and-enforcement/asic-enforcement-priorities/.
Whilst the enforcement priorities will change year to year, the five enduring priorities will remain, consisting of the following:
- Misconduct damaging market integrity
- Misconduct impacting First Nations people
- Misconduct involving a high risk of significant consumer harm
- Systemic compliance failures by large financial institutions; and
- New/emerging conduct risks within the financial system.
In line with section 16 of the Public Governance, Performance and Accountability Act 2013 (Cth) (PGPA Act), the Department of Finance (DoF) has released the revised Commonwealth Risk Management Policy, which takes effect from 1 January 2023. The key changes are as follows:
- There is a new element requiring entities to regularly review control effectiveness.
- There is a new element requiring entities to have arrangements in place for identifying, managing and escalating emerging risks.
- The inclusion of specific risk management responsibilities that should be defined in an entity’s risk management framework.
- The simplification and consolidation of existing elements, including the use of clearer language and a reduction in complex risk terminology.
Under the scope and application of the Commonwealth Risk Management Policy, non-corporate Commonwealth entities must comply with the Policy. Corporate Commonwealth entities are not required to comply, but should align their risk management frameworks and systems with the Policy as a matter of good practice. The Policy is intended for use by accountable authorities, senior executives, risk practitioners, officials responsible for government operations, projects, programs and regulations, and members of audit and other committees.