Information paper

An Aid for Directors of ADIs and Insurers

Banking | Current | 1 October 2014

About this aid

APRA’s approach to supervision is built on the premise that the board and management of an APRA-regulated entity are primarily responsible for the entity’s financial soundness and prudent risk management.
With this in mind, APRA imposes various requirements and duties on boards, in addition to those that apply to all entities under the Corporations Act 2001. These requirements form part of a framework which is designed to protect the interests of ADI depositors and insurance policyholders and to support a stable, efficient and competitive financial system.
APRA does not expect that, in meeting these additional obligations, the board takes on responsibilities that fall within the province of management under generally accepted practice.
The additional obligations imposed under APRA’s prudential framework, while substantial, can be readily met by a well-functioning board that has an appropriate mix of skills and experience amongst its directors and strong support from management.
This Aid sets out the additional obligations in general terms, and is intended to help directors of the board of an ADI or insurance company understand the additional responsibility placed on them under APRA’s prudential framework. It assumes that the director is otherwise an experienced board practitioner, and familiar with directors’ duties more generally.[1]
[1] This Aid is intended for information purposes only, and does not take the place of any APRA prudential standard or guidance, or establish any formal requirements beyond those already set in the prudential standards. For the purposes of understanding the detailed requirements, directors should refer to the prudential standards and guidance directly.

What is the purpose of APRA regulation?

Authorised deposit-taking institutions (ADIs) and life and general insurance companies are subject to the governance requirements that apply to any other company, including the Corporations Act 2001 (Corporations Act). For those companies that are publicly listed, the Australian Securities Exchange Corporate Governance Council’s Corporate Governance Principles and Recommendations are also relevant.[2]
ADIs and insurance companies are also subject to prudential regulation by APRA. There are two primary purposes that prudential regulation seeks to fulfil:
  • To protect the interests of depositors and policyholders[3]
The efficient functioning of the financial system is dependent on the promises to depositors and policyholders being met in full and on time. It is also critical that they have confidence in the safety of future payments due to them. Yet many lack the capacity, due to the nature of their interests and the complexity of banking and insurance businesses, to make informed judgements about the financial soundness and longer term viability of the financial institutions with which they deal. Through setting appropriate standards and undertaking active supervision, prudential regulation seeks to instil confidence in the community that regulated institutions are operating in a safe and sound manner.
  • To promote financial stability
The cost of, and potential disruption from, the failure of a financial institution may be significantly greater than that of a normal commercial enterprise – beyond the impact on its own depositors, policyholders or other creditors. This is because the failure of one financial institution may have flow-on impacts on other financial institutions through direct inter-linkages or as a result of loss of consumer confidence. By setting minimum standards, prudential regulation seeks to ensure that the risks of financial instability, and the wider costs to the community of such instability, are adequately taken into account in the way in which financial institutions operate.
Further, there can be inherent conflicts between the interests of shareholders, management and depositors or policyholders, and these need to be managed fairly.
APRA’s prudential framework therefore holds ADIs and insurance companies to high standards in terms of governance and prudent management. Boards play a critical role in ensuring those standards are met.
[2] This Aid assumes a working knowledge of general directors’ duties set out in the Corporations Act 2001 and, for directors of listed companies, the Australian Securities Exchange Corporate Governance Council’s Corporate Governance Principles and Recommendations. See http://www.asx.com.au/regulation/corporate-governancecouncil.htm
[3] Proceeds of policies may be payable to beneficiaries other than the policyholder. For simplicity, ‘policyholders’ is used in this document to refer to any beneficiary of an insurance policy.

What is the applicable legal framework?

The prudential framework for regulated entities has three tiers: legislation, prudential standards and prudential practice guides.
There are two general pieces of legislation on which APRA’s activities are based:
  • the Australian Prudential Regulation Authority Act 1998 (APRA Act) sets out APRA’s broad objectives and powers; and
  • the Financial Sector (Collection of Data) Act 2001 deals specifically with APRA’s powers to collect a range of financial and other data from regulated institutions.
Under the APRA Act, APRA’s purposes include regulating bodies in the financial sector where the law provides for their prudential regulation. The Act requires APRA to do so while balancing the objectives of financial safety and efficiency, competition, contestability and competitive neutrality, and in balancing those objectives, to promote financial system stability.
In addition, there are key Acts, each specific to an industry sector (referred to collectively as the Industry Acts in this Aid):
  • for ADIs, the Banking Act 1959 provides for prudential supervision by APRA, and establishes that APRA must exercise its powers and functions for the protection of depositors and for the promotion of financial system stability;
  • for general insurers, the Insurance Act 1973 addresses the interests of policyholders by, amongst other things, imposing primary responsibility for protecting the interests of policyholders on the directors and senior management; and
  • for life companies, the Life Insurance Act 1995 makes it clear that directors owe an explicit duty to take reasonable care, and use due diligence, to see that, in the investment, administration and management of the assets of a statutory fund, the life company gives priority to the interests of policyholders over interests of shareholders where relevant.
The APRA Act and the Industry Acts give a range of powers to APRA. In particular, they give APRA the power to make prudential standards. Prudential standards have the force of law, and are used by APRA to establish certain minimum financial and operational requirements with which regulated institutions must comply.
APRA has introduced cross-industry prudential standards in areas such as governance and risk management, where the fundamental principles to which regulated institutions should adhere do not materially vary by industry. Some prudential standards, on the other hand, are applicable only to a particular industry sector, reflecting the inherent differences between the respective industries. For example, while each industry sector has to meet minimum capital requirements to be authorised by APRA, the specific requirements are set out in separate capital standards for ADIs, general insurers and life companies respectively, given the different nature of the risks faced by each type of institution.
APRA also develops prudential practice guides to support implementation of the prudential standards. As the name implies, these provide guidance only and do not have the force of law. The guidance is intended to outline APRA’s view of how prudential requirements could be met and provide information on good practice within the industry. Regulated institutions are not obliged to adopt the guidance, and are free to demonstrate that the requirements of the prudential standards are otherwise met. Nevertheless, the guides may provide institutions (and their boards) with helpful information on how to meet prudential requirements.

What role does a board need to play in ensuring compliance with the prudential framework?

The basic role of a board in meeting APRA’s prudential requirements is no different to that of a board in meeting other legal obligations that are placed upon it and the institution for which the board is responsible.
APRA does not expect directors to have a detailed knowledge of each of the relevant laws and prudential standards. It is important, however, that the board satisfies itself that the institution and its management have effective processes and procedures in place to meet APRA’s prudential requirements, including those that are specific to the board. It is also important that the board satisfies itself that any breaches of the requirements will be promptly identified and reported to it, and to APRA, as appropriate.
The prudential standards will sometimes set down quite particular responsibilities for the board. For example, the board may be assigned specific responsibility for a matter. This means that the board is expected to be ultimately and finally accountable, and to remain in a position to justify the actions and decisions of the institution in relation to that matter. In other cases, the standards may require the board to ensure that a particular matter is addressed or action taken. This means that the board should take all reasonable steps and make all appropriate enquiries so that it can determine, to the best of its knowledge, that the stated matter has been properly addressed. At other times, the standards may provide for the board to set, approve or review a policy, or to oversee particular work undertaken by management.

What are the key areas where APRA’s prudential standards impose requirements on boards?

Adequate financial strength, robust risk management, and sound governance are critical to ensuring the promises made to depositors and policyholders are met within a safe, efficient and competitive financial system. Robust risk management – which incorporates both a framework for risk measurement and controls and a healthy risk culture – helps reduce the likelihood of a damaging incident or ill-conceived business strategy that might impair the financial health of a regulated institution. Adequate financial strength ensures that, when unexpected losses are incurred, the institution has the financial capacity and resilience to continue without its ability to meet its promises to depositors or policyholders being questioned. Sound governance provides oversight of these critical aspects of an institution’s operations, and ensures they are maintained in the face of ever-changing strategic, competitive and environmental pressures.
APRA’s general philosophy is to allow regulated institutions the freedom to conduct their affairs as they see fit, provided they can demonstrate sound governance arrangements, robust risk management capabilities, and adequate financial strength. Unsurprisingly, therefore, the prudential standards give considerable attention to governance, risk management and financial management, including capital adequacy, and in particular the role of the board in each of these areas.
Governance
Good governance is critical to the long-term viability of any company. APRA’s prudential standards require that regulated institutions have a rigorous governance framework, founded on the premise that a well-governed institution is an important source of protection for the interests of depositors and policyholders. Prudential standards cover the following in particular:
  • composition of the board (including board renewal);
  • conflicts of interest;
  • fitness and propriety; and
  • remuneration of senior management and other key staff.
They also cover matters such as board committee composition, and board performance.
Within a group of companies, there can be more than one APRA-regulated institution. Sometimes these will be in the same industry segment (e.g. general insurance), and sometimes they will straddle more than one industry segment (e.g. banking and life insurance). In such cases, a subsidiary within a broader financial group is often asked to work with the group policies of its parent company, and to align itself with the parent’s other operational processes. APRA acknowledges this can be entirely appropriate, and indeed may add strength to the oversight and control framework. The board of an APRA-regulated institution that is asked to adopt a group policy cannot, however, abrogate its regulatory responsibilities. It must still satisfy itself that the group’s policy is ‘fit for purpose’, i.e. it is appropriate for the institution and will meet all regulatory requirements for that institution.
Risk Management
Significant financial and other risks are inherent in the business models of financial institutions. Robust risk management therefore lies at the heart of the prudent management of an APRA-regulated institution. APRA’s prudential standards expect that the nature of all the institution’s material activities and risks are known and well-understood, and that there are robust structures for the management and reporting of those risks.
The prudential standards make it clear that the board must oversee, and is ultimately responsible for, the establishment and maintenance of an effective risk management framework.[4] The board is expected to provide clear direction and leadership for the institution in its approach to risk management. Amongst other things, this includes setting a clearly articulated risk appetite[5] so that the boundaries within which management may operate are clear. It also involves overseeing the implementation and ongoing operation of a robust and effective risk management strategy that seeks to ensure the institution remains within that appetite.
No control framework will be truly effective if an institution’s culture is not appropriately aligned to it. The board therefore has a very important task in this respect: it needs to form a view of the risk culture[6] in the institution, and the extent to which that culture supports the ability of the institution to operate consistently within its risk appetite, identify any desirable changes to the risk culture and ensure the institution takes steps to address those changes.
[4] APRA defines the risk management framework as ‘the totality of systems, structures, policies, processes and people within an APRA-regulated institution that identify, measure, evaluate, monitor, report and control or mitigate all internal and external sources of material risk’.
[5] The risk appetite is captured in a formal risk appetite statement. Amongst other things, this must convey the degree of risk that the institution is prepared to accept in pursuit of its strategic objectives and business plan, giving consideration to the interests of depositors and/or policyholders.
[6] Risk culture refers to ‘the norms of behaviour for individuals and groups within an organisation that determine the collective ability to identify, understand, openly discuss and act on the organisation’s current and future risks.’ Institute of International Finance (2009) “Reform in the Financial Services Industry: Strengthening Practices for a More Stable System”.
Financial Strength
For the reasons noted earlier, adequate financial strength and sound financial management are fundamental to the ongoing health of an ADI or insurance company. In particular, it is vital that adequate capital is maintained against the risks associated with its activities and that the minimum requirements in this respect as set down in the prudential standards are met. The board is responsible for ensuring that appropriate financial and capital management policies are established, and for effective oversight of management’s implementation of these policies.
As an example, under the prudential standards capital is managed in a formal sense through the Internal Capital Adequacy Assessment Process (ICAAP). Through the ICAAP, the board sets the capital management strategy and key capital targets. In doing this, the board is expected to satisfy itself that the institution’s capital targets are consistent with its risk appetite, including its tolerance for potential breaches of regulatory capital requirements, and to have a robust understanding of how the institution’s balance sheet would respond to various stresses.
The board is expected to be actively engaged in the development, finalisation and review of the ICAAP and to be in a position to robustly challenge the assumptions and methodologies behind the ICAAP and the associated documentation. However, management – supported by external advice if needed – would normally provide all the analysis and support needed by the board.
An institution’s ICAAP must be approved by the board whenever significant changes are made. The board is also expected to oversee the ongoing implementation of the ICAAP, and satisfy itself that the necessary supporting processes are established and operating effectively.

What sort of engagement does APRA expect to have with boards?

APRA interacts with regulated institutions at various levels and with varying frequencies. For many institutions, APRA will look to meet with the board at least once a year. For larger institutions, this will often be supplemented with additional discussions with the chair of the board and/or the chairs of the audit and risk committees. These meetings provide an opportunity for directors to hear directly from APRA about its views on the risk profile of the institution and for APRA to better understand the board’s thinking, priorities and approach. They also afford the board an opportunity to raise matters directly with APRA.
APRA seeks to have an open and constructive relationship with the board. It also seeks the board’s assistance in ensuring management maintain an open and candid relationship with APRA and that information of prudential concern is promptly communicated. Certain individuals (such as auditors and actuaries) also have statutory obligations to report information to APRA in some circumstances.
APRA seeks to work with the boards and management of institutions as they take appropriate steps to address issues, rather than to use its formal enforcement powers. Accordingly, APRA’s supervisory interventions are proportionate to the outcomes desired, and may range from making recommendations or suggestions through to imposing requirements or taking enforcement action when issues are more serious or are not being adequately addressed in a timely manner.
As APRA undertakes its prudential activities – particularly those that involve supervisors spending time on-site within a regulated institution – it will often send the institution a written report outlining the findings of the review. Depending on the nature of the findings, these may be sent to the Chairman or the Chief Executive, but regardless it is expected that the reports would be tabled at the next available board meeting so that the board is aware of the issues raised. The board should pay particular attention to any requirements set down by APRA in these reports. There will typically be various other formal communications with an institution, and the Chief Executive Officer is expected to exercise discretion in deciding which of these will be referred to the board.
As with legal requirements more generally, boards are expected to satisfy themselves that appropriate processes are in place to respond to issues raised by APRA, and that where remedial action is needed it is undertaken in a timely manner.