Prudential practice guide

APG 220 Credit risk management

  • Banking
  • Current
    1 January 2022
Prudential framework pillars
Risk Management
Credit Risk
Supporting

About this guide

Prudential practice guides (PPGs) provide guidance on APRA’s view of sound practice in particular areas. PPGs frequently discuss legal requirements from legislation, regulations, or APRA’s prudential standards, but do not themselves create enforceable requirements.
Prudential Standard APS 220 Credit Risk Management (APS 220) sets out APRA’s requirements for an authorised deposit-taking institution (ADI) to implement a credit risk management framework that is appropriate to its size, business mix and complexity. It covers all types of lending undertaken by ADIs, including lending to households, small businesses and large corporates.
This PPG, Prudential Practice Guide APG 220 Credit Risk Management (APG 220), provides guidance on sound practice to support APS 220. It should be read in conjunction with other relevant prudential standards and PPGs, including:
Subject to the requirements of APS 220 and CPS 220, an ADI has the flexibility to structure its business operations in the way most suited to achieving its strategic objectives. Not all practices outlined in this PPG will be relevant for every ADI and some aspects may vary depending upon the size, business mix and complexity of the ADI’s operations.
Disclaimer and copyright
This prudential practice guide is not legal advice and users are encouraged to obtain professional advice about the application of any legislation or prudential standard relevant to their particular circumstances and to exercise their own skill and care in relation to any material contained in this guide.
APRA disclaims any liability for any loss or damage arising out of any use of this prudential practice guide.

© Australian Prudential Regulation Authority (APRA)

This work is licensed under the Creative Commons Attribution 3.0 Australia Licence (CCBY 3.0). This licence allows you to copy, distribute and adapt this work, provided you attribute the work and do not suggest that APRA endorses you or your work. To view a full copy of the terms of this licence, visit https://creativecommons.org/licenses/by/3.0/au/ 

Glossary

ADI
Authorised deposit-taking institution as defined in the Banking Act 1959.
APS 220
Prudential Standard APS 220 Credit Risk Management
Basel Committee
Basel Committee on Banking Supervision
Board
Board of directors
CPS 220
Prudential Standard CPS 220 Risk Management
Loan-to-valuation ratio
(LVR)
The ratio of the amount of the loan outstanding to the value of the property securing the loan.
Non-performing
An exposure that is in default, as defined in APS 220.
Overrides, exceptions and waivers
Approval of an exposure that is outside an ADI’s lending policy.
Past-due
Where any amount due under a contract (interest, principal, fee or other amount) has not been paid in full at the date when it was due. An exposure is considered past-due from the first day of missed payment.
90 days past due
An exposure subject to a regular repayment schedule is considered 90 days past-due when: at least 90 calendar days have elapsed since the due date of a contractual payment which has not been met in full; and the total amount unpaid outside contractual arrangements is equivalent to at least 90 days’ worth of contractual payments.
Restructured
An exposure where: a borrower is experiencing financial difficulty or hardship in meeting its financial commitments; and the ADI grants a concession to the borrower that it would not otherwise consider.

Introduction

Effective credit risk management is a fundamental component of an ADI’s long-run financial soundness and financial stability. Credit risk is most simply described as the potential that a borrower or counterparty will fail to meet its obligations in accordance with agreed terms.
For ADIs in Australia, loans are typically the largest asset on their balance sheets. Some ADIs may need to manage credit risk in banking book and trading book activities, and in off-balance sheet and contingent exposures.
This PPG sets out good practice in credit risk management, to support APS 220. It covers the life-cycle of lending, from credit origination to controls and monitoring. It includes guidance on managing non-performing loans, restructured exposures and credit losses.

Credit risk management framework

APS 220 requires an ADI to implement a credit risk management framework that is appropriate to its size, business mix and complexity. The framework must include a credit risk appetite statement, credit risk management strategy, credit risk policies and processes, a credit risk management function, a management information system and an independent review process.
An ADI may have credit exposures in a range of geographical locations within Australia and overseas. Good practice is for an ADI’s credit risk management framework to recognise the risks in different locations. Local economic, social, climatic, political and other conditions may impact risk profile.

Credit risk appetite

Under APS 220, an ADI must maintain an appropriate and well-documented credit risk appetite statement as part of its credit risk management framework. The credit risk appetite statement articulates the degree of credit risk the ADI is prepared to accept, and the process for managing within this appetite.
[1]
Such a statement need not be a stand-alone document, where set out in the ADI’s over-arching risk appetite statement required under CPS 220.
APS 220 requires the credit risk appetite statement to be reviewed and approved by the Board on at least an annual basis. This review process would typically be incorporated into, or aligned with, an ADI’s strategic and business planning process.
An ADI may express its credit risk appetite in a number of ways. This may include highlevel qualitative statements that capture the ADI’s attitude to and level of acceptance of credit risk. An ADI may also express its risk appetite at a granular level across particular divisional and business units.
It is prudent practice for the credit risk appetite statement to include quantitative triggers. It is prudent practice for these to be expressed as a measurable level to enable a clear and transparent monitoring process. Triggers can also be used to establish an escalation framework within risk appetite. The Prudential Practice Guide Risk Management CPG 220 (CPG 220) provides further guidance on good practice on risk appetite.
Internal risk appetite limits
An important element of credit risk management is the establishment of internal limits to manage portfolio risk. APS 220 requires an ADI to set prudent limits on exposures, including to higher risk borrowers, products and activities and particular industry sectors and geographies, where appropriate. These limits may be set and defined in various ways, and should be calibrated with reference to the ADI’s over-arching credit risk appetite.
Good practice is to consider portfolio limits for:
exposures to borrowers that have higher risk characteristics, such as high leverage, high loan-to-valuation ratios, and sub-investment grade ratings;
exposures to higher risk loan types, such as unsecured, long-tenor, nonamortising, third-party originated, speculative development and peer-to-peer lending;
exposures to particular industry sector and geographic concentrations, to promote diversification;
overrides to lending policy, which APRA expects would be strictly contained so as not to undermine the intent of the core policy; and
portfolio defaults, arrears or other measures of credit quality.
APG 223 provides further guidance for risk limits for residential mortgage lending. It is also good practice for ADIs with trading books and off-balance sheet exposures to consider limits to manage the credit risk of these activities, including counterparty credit risk.
A prudent ADI would review internal limits on at least an annual basis, to take into account any changes in the external environment, strategy, target risk profile and risk appetite. As part of this, any increases in limits would be subject to due scrutiny and challenge. In particular, it would not be prudent to increase limits solely on the basis of stronger customer demand or competition.
It is good practice for ADIs to consider the results of stress testing in the overall limit setting process, as this can indicate the level of potential losses from high concentrations or a shift in portfolio composition.

Credit risk management strategy

APS 220 requires an ADI to maintain an appropriate and well-documented credit risk management strategy. The credit risk management strategy need not be a stand-alone document, and could be included as a clearly defined section within the ADI’s overarching risk management strategy required under CPS 220. It is prudent practice for the credit risk management strategy to cover all activities which expose an ADI to credit risk.
APRA expects that an ADI’s credit risk management strategy contains sufficient information to outline, in general terms, the ADI’s approach to credit risk management. This would typically include the approach to maintaining risk within appetite, including strategies for credit origination, assessment, target portfolio mix and target markets.
It is important that the credit risk management strategy considers the potential for unexpected shifts in the economic and credit cycles, which can have significant impacts on credit quality and activities. It is prudent practice for an ADI to regularly review and update contingency plans for how it would adapt credit activities and resourcing for a period of stress, including any increase in hardship support, collections and problem loan management.

Role of the Board

The Board does not have direct day-to-day responsibility for credit risk management. However, APS 220 requires the Board to review and approve the credit risk appetite and credit risk management strategy, and ensure that senior management has the capability and resources to effectively manage credit risk. It is important that the Board clearly set expectations for the monitoring and reporting of the credit risk appetite and management strategy. A prudent Board would also set clear expectations for the timely escalation of credit risk issues by senior management, including findings from internal and external credit risk reviews.
While the Board may obtain advice on credit risk issues from Board committees, external advisers and senior management, it is important that the Board does not accept recommendations without due scrutiny and challenge.
A prudent Board would be alert to pressures on credit standards that could emerge, particularly as competition intensifies or market conditions shift. Ambitious lending growth plans, such as above system targets, can create pressures on credit standards.
It is prudent for the Board to also be alert to emerging signs of credit deterioration, and to hold senior management to account for timely action. This could include having appropriate checks in place to maintain an independent perspective on credit quality and lending practices across the credit portfolio.

Credit risk management function

APS 220 requires an ADI to have a designated credit risk management function, appropriate to its size, business mix and complexity. Some small ADIs may not have dedicated credit risk management staff or may outsource aspects of credit risk management. In these circumstances, it is important that appropriate controls are put in place, including clearly defined accountabilities for oversight. Under APS 220, an ADI must establish a system of independent and regular reviews of its credit management processes and practices.

Credit risk policies and processes

The design and implementation of written policies and processes is a key component of an effective credit risk management framework. These policies and processes support the identification, measurement, monitoring, reporting and controlling or mitigating of credit risk.
Good practice is for credit risk policies to be communicated throughout the ADI, implemented through appropriate processes and controls, monitored for compliance, and regularly updated to take into account changing internal and external circumstances. It is important for policies to cover risks associated with exposures on an individual basis and the portfolio as a whole. This includes the approach to diversification.
For credit risk exposures that are located outside traditional home markets, it is prudent for ADIs to consider additional sources of credit risk, such as those associated with the location of the exposure or the conditions in the local market. A prudent ADI would also consider the location of the credit origination team; there may be additional risks where these are not located in local markets.
APRA expects ADIs to develop a clear understanding of the credit risk involved in more complex credit structures, such as structured asset finance or project finance. The credit risk associated with these loans may be less obvious and require more complex analysis than for more traditional credit assessments. Although more complex credit assessments may require tailored policies, processes and controls, the basic principles of credit risk management would still typically apply.
It is prudent practice for new credit products and activities to be subject to significant planning and careful oversight to ensure risks are appropriately identified before implementation. APRA expects ADIs to develop sound policies, processes and controls before introducing new products or activities. This includes having in place appropriate operating capacity and systems, and appropriate sign-offs by relevant functional areas.

Credit origination

ADIs may use various direct and indirect channels for credit origination. The credit assessment and approval criteria are a critical mechanism for the control of credit risk, and the management of risk within risk appetite.

Use of third parties

Loans sourced via a third party, such as a broker or introducer, can be subject to higher inherent credit risk. Without appropriate controls, there is a risk that incentive arrangements can promote inappropriate behaviours, loose credit standards, poor monitoring and the potential for application fraud. It is prudent practice for ADIs to subject third-party originated exposures to enhanced monitoring and controls.
It is important that ADIs establish formal processes for approving or certifying third parties, in line with the objectives of the credit risk management strategy. Under APS 220, an ADI must have prudent policies and processes to verify the accuracy and completeness of any borrower information provided by the third party and the outcomes of these processes must be documented.
In some circumstances, an ADI may have direct exposure to credit risk through a third party, such as an on-line lending platform. For such lending, APRA expects ADIs to have undertaken a comprehensive assessment of the associated risks. Prior to entering into these arrangements, it is prudent for ADIs to conduct appropriate due diligence and implement appropriate controls. This could include, for example, establishing contract provisions that impose obligations on the third party to notify the ADI of, and seek the ADI’s consent to, any material changes to its credit risk policies.
[2]
Under these arrangements, requests from borrowers for loans are made and then matched against offers from the ADI to fund (partially or fully) the loans. The platform operator or other third party typically undertakes the credit assessment and approval of the underlying borrowers under its own credit risk policies and processes. This type of lending is often referred to as peer-to-peer or marketplace lending.

Credit assessment and approval

Well-defined credit assessment and approval criteria are essential to sound credit risk management, supported by clear roles and responsibilities within the ADI. An ADI’s assessment and approval criteria would typically set out who is eligible for credit and the appropriate exposure amount, what types of credit are available, and under what terms and conditions exposures may be approved.
APS 220 sets out the various factors and criteria that must be considered and documented in assessing and approving credit risk exposures. The criteria are principles-based and intended to be applied in a manner proportionate to the nature, type and size of the exposure.
Some credit products may warrant a more in-depth analysis and others a more streamlined credit assessment. For example, it is prudent practice to conduct a more comprehensive credit assessment for a corporate loan, compared to a small unsecured personal loan. An ADI would also need to exercise more specialist credit judgement for more complex loans.
It is important that ADIs assess whether it is likely that an individual would be able to meet loan repayments without substantial hardship. A prudent ADI would consider a range of indicators of substantial hardship, including at a minimum:
an individual could only meet their financial obligations under the credit contract by selling their principal place of residence; and at the time of making the assessment, the individual does not intend to sell their principal place of residence to meet those financial obligations; or
an individual could only comply with their financial obligations under the contract by failing to meet their obligations to make rental payments in relation to the consumer’s principal place of residence.
For credit cards, an indicator of substantial hardship would include where an individual could not comply with an obligation to repay an amount equal to the credit limit of the contract within 3 years.
Exposures to individuals
Exposures to individuals typically include loans to households. An ADI may utilise various methods of assessing an individual’s capacity to service an exposure. Good practice on key elements of a serviceability assessment is outlined in the table below, against the criteria outlined in APS 220 which must be considered where relevant. For residential mortgage lending, APG 223 includes further details on good practice, including for the assessment and verification of income, living expenses and other debt commitments.
Table 1: Serviceability assessments
Assessment rates
An ADI’s credit assessment must consider the borrower’s repayment capacity under a scenario of higher interest rates. A prudent ADI would use:
  • an interest rate buffer. The buffer would reflect the potential for interest rates to change over several years, and be applied to the interest rate on the loan to be paid by the borrower; and
  • an interest rate floor. The interest rate floor would take into account the outlook for interest rates and other factors, such as long-run averages. This is particularly relevant during a low interest rate environment.
 
A prudent ADI would apply interest rate buffers and floors to both a borrower’s new and existing debt commitments. It is not prudent practice for interest rate buffers or floors to be adjusted on an individual borrower basis.
Income
An ADI’s credit assessment must also consider the borrower’s repayment capacity under a scenario of lower incomes or cash flows, particularly for less stable income or cash flow sources. It is prudent practice to apply a ‘haircut’ or discount to income and cash flow from less reliable sources. This includes income earned from overtime or bonuses, which can vary and be uncertain. Rental income would also be discounted to account for possible tenant vacancies and property management costs and maintenance.
Expenses
An ADI’s credit assessment must consider the borrower’s expenses, including the collection of reasonable estimates. Expense benchmarks must not be used as a substitute for an ADI making reasonable enquiries of a borrower’s expenses. A prudent ADI would monitor reliance on living expense benchmarks. Reliance solely on these benchmarks generally would not meet APRA’s expectations for sound risk management.
Other existing debts
A prudent ADI would have effective processes to verify a potential borrower’s existing debt commitments. This includes taking reasonable steps to identify any undeclared debt commitments, including the use of comprehensive credit reporting data.
Net income surplus
ADIs generally use some form of net income surplus (NIS) model to make an assessment as to whether the borrower can service a particular loan, based on the nature of the borrower’s income and expenses. Good practice is to ensure that the borrower retains a reasonable income buffer above expenses to account for unexpected changes in income or expenses as well as for savings purposes. It would be prudent for ADIs to monitor the level of, and trends for, lending to borrowers with minimal income buffers. High or increasing levels of marginal borrowers may indicate elevated serviceability risk.
Under APS 220, ADIs must also consider the structure of loan repayments when assessing serviceability. For exposures with an interest-only period that subsequently converts to principal and interest payments, the borrower’s repayment capacity must be assessed on a principal and interest basis of repayment. Prudent practice is to assess repayments on a principal and interest basis for the specific term over which the principal and interest repayments apply, excluding the interest-only period. For exposures with a fixed rate of interest that subsequently converts to a floating interest rate, the serviceability assessment must also consider this scenario.
Exposures other than to individuals
Exposures other than to individuals typically include loans to small-to-medium enterprises and corporate borrowers. For these borrowers, an ADI may assess credit risk profile by analysing key financial statements (balance sheet, profit or loss and cash flow statements), projections and business plans.
Typically, ADIs will use a range of financial ratios to support their credit risk assessment. Key areas of focus might include interest coverage, gearing and leverage, which can be compared to relevant industry benchmarks. It is important that differences in industry sectors and sub-sectors are taken into account, to reflect underlying differences in, for example, the stability of earnings, nature of risks and previous repayment capacity.
Credit assessments will vary depending on the nature and complexity of the customer and transactions. For existing businesses, an ADI might use historical and forecast financial performance of the business for the credit assessment. Start-up businesses would, however, typically provide cash flow projections only. Good practice would be to review and challenge cash flow projections to ensure they are reasonable and not based on optimistic assumptions.
For complex lending arrangements, it may be more difficult to reliably assess cash flow estimates. This could include, for example, where there is participation in project finance, lending in support of private equity transactions and asset leasing. In such cases, it is good practice to consider scenario and sensitivity analysis. For asset leasing, it is prudent practice for an ADI lessor to assess the creditworthiness of the lessee and, in the case of an operating lease, the residual asset risk associated with the underlying asset.
Covenants are an important tool designed to limit an ADI’s exposure to changes in the future risk profile of a borrower to an acceptable level. It is prudent practice for covenants to reflect the nature, type and size of the risk and relevant laws, regulations and banking codes that apply to it. It is important for ADIs to set covenants at an appropriate level so as to effectively mitigate risks, and that the ADI has the ability to track compliance with covenants over time.
Collateral and guarantees
Under APS 220, ADIs must assess credit risk primarily on the strength of a borrower’s repayment capacity. Prudent ADIs would also utilise transaction structures, collateral and guarantees to help mitigate risks in individual exposures, where appropriate.
There may be some limited instances where a reliance on collateral for serviceability could be appropriate. This may include limited recourse lending, prime brokerage facilities, margin lending and other similar product types. APRA expects ADIs to subject these product types to appropriate policies, processes and controls to ensure accurate assessments of their underlying credit risk. APRA would not expect this type of assessment to be reflective of broader portfolio management.
It is prudent practice to use external valuations to determine security value. Where an ADI uses internal valuations, it is important that there are no conflicts of interest. If an internal valuation is to be used then it is prudent for this to be conducted by personnel who are independent of the origination, assessment and approval process.
APRA expects that ADIs using automated valuation methods (AVMs) would regularly assess the reliability of estimates produced. Good practice would be for this assessment to be conducted by an independent model validation function. Higher confidence scores would generally indicate greater probable accuracy. Estimates that fall within a narrow deviation of actual market value would similarly indicate higher confidence in AVMs. It is prudent practice for ADIs to set tolerances around acceptable confidence scores and deviations from actual market values. It is important that the data used in AVMs is current, accurate, comprehensive and timely, and properties are comparable, in terms of locality, condition and marketability.
APS 220 requires insurance of a property asset taken as security to be maintained under the contractual terms of the exposure. It is prudent practice to confirm insurance arrangements at the outset and regularly review as appropriate based on the nature of the exposure and collateral.
Where guarantees are a part of the credit contract, it is good practice to review and assess the level of coverage provided in relation to the credit-quality and legal capacity of the guarantor. Reliance on implied support could expose the ADI to material risk.
Credit approval
ADIs often benefit from the establishment of specialist credit committees or groups to analyse and approve certain higher risk exposures, including for significant product lines, large exposures and exposures to particular industrial and geographical sectors. It is good practice for these committees to be governed by an agreed terms of reference, which clearly outlines roles and responsibilities, and is subject to regular review.
It is good practice for policies to set out the minimum information and documentation needed to approve new exposures, renew existing exposures and modify the terms and conditions of previously approved exposures. This information may also inform internal credit risk grades. For automated decisioning solutions, APRA expects that the development of scorecards and policy rules would involve careful analysis by a qualified and experienced credit analyst.
A prudent credit assessment and approval process would establish accountability for decisions taken and designate who has authority to approve exposures or modifications in credit terms. ADIs typically utilise a combination of individual signature authority, dual or joint authorities, and a credit committee or group, depending upon the size and nature of the exposure. Sound practice is for approval authorities to be commensurate with the expertise of the individuals involved, and for credit decisions to be free from conflicts of interest. Hindsight reviews are an important control, as outlined in paragraph 84.
Where appropriate, ADIs may utilise an automatic decision engine for credit applications. It is prudent practice for ADIs to maintain processes and systems to regularly review the appropriateness of the parameters of such systems and to ensure that loan approvals are aligned with the ADI’s credit risk appetite statement. Good practice is for credit applications assessed by an automatic decision engine to take into consideration any existing related loan exposures and their performance.
Some ADIs may participate in loan syndications. In these transactions, it is generally not prudent for ADIs to place undue reliance on the credit risk analysis undertaken by the lead underwriter or on external credit ratings. It is prudent practice for all syndicate participants to perform their own due diligence, including independent credit risk analysis and review of syndicate terms, prior to committing to the syndication. It is important that ADIs participating in loan syndications analyse the risk and return on these loans in the same manner as directly sourced loans.

Credit administration

APS 220 requires ADIs to have an appropriate system for the ongoing administration of the credit portfolio. Once an exposure is approved, it is usually the responsibility of the business unit, often in conjunction with a credit administration support team, to ensure that the exposure is properly monitored and managed. This includes keeping the credit file up to date and obtaining current financial information.
In large ADIs, responsibilities for the various components of credit administration are usually assigned to different areas. In small ADIs, a few individuals might handle several of the functional areas. Where individuals perform sensitive functions such as custody of key documents, transferring funds or entering limits into a database, it is prudent that they report to managers who are independent of the business origination and credit approval processes.
A prudent ADI would make sure that credit files include all of the information necessary to ascertain the financial condition of the borrower as well as sufficient information to track the decisions made and the history of the exposure. For example, credit files may include financial statements, financial analysis and internal credit risk grading documentation (where applicable), internal memoranda, reference letters, and valuations and appraisals. Under APS 220, the credit risk review function must determine that credit administration is complete, and that all approvals and other necessary documents have been obtained.
Good practice in credit administration includes monitoring on an ongoing basis any underlying collateral and guarantees. Such monitoring would assist the ADI in making necessary modifications to contractual arrangements (for example, restructured or ‘hardship’ exposures) as well as maintaining adequate provisions for expected credit losses. In assigning these responsibilities, senior management would need to mitigate any conflicts of interest.

Management systems

Under APS 220, an ADI must have a management information system that enables accurate measurement of credit risk. This includes systems covering loan origination, core banking, portfolio management, collections, collateral management, exceptions and problem loan management.
It is important that ADIs’ systems can identify, on a timely basis, when exposures are approaching risk limits. APRA expects that risk limit measurement systems would monitor all credit exposures, including on- and off-balance sheet activities, through appropriate aggregation.
APRA expects ADIs to have appropriate systems for monitoring the risk and performance of individual loans, cohorts of loans of similar risk characteristics, and the loan portfolio in aggregate. The sophistication of the system would reflect the nature, size and complexity of the ADI’s credit activities.

Monitoring credit risk

APS 220 requires ADIs to have an appropriate system for monitoring the risks of credit exposures, and determining the adequacy of provisions. These processes would typically define criteria for identifying and reporting potential problem exposures to ensure there is a timely response. Appropriate responses include, for example, more frequent monitoring as well as possible corrective action, re-classification and changes in provisioning.
A prudent ADI would be able to monitor and analyse credit risk at the individual borrower and portfolio level, to assess risk and identify any concentrations. Good practice is for the analysis of credit risk data to be undertaken regularly, with results reviewed against relevant limits. Robust data, subject to regular validation, is a critical input into credit risk measurement.
The effectiveness of an ADI’s credit risk measurement process is highly dependent on the quality of management information systems. Accurate and timely information is critical to an ADI’s ability to understand the composition and risk profile of loan portfolios, determine capital adequacy and maintain performance within risk appetite.
Early identification of a deterioration in loan quality is important to sound credit risk management. A prudent ADI would develop forward-looking indicators of loan quality, and would not rely solely on arrears and other lagging metrics. These indicators would help identify borrowers at heightened risk of encountering future financial difficulty.
Such indicators could include, for example, rapid loan growth, growing concentrations in particular exposures and large or rising overrides, waivers or exceptions to credit policies. Trends in the economic and credit cycle are also important indicators of future loan quality, and peer comparisons can help to identify areas of potential weaknesses. A prudent ADI would consider various indicators, such as:
the levels, trends and forecasts of non-performing loans at various stages, including restructured, hardship, watch-list, past-due, and write-offs;
provision coverage ratios;
credit migration for the portfolios; and
outcomes from internal and external reviews of portfolios.
APRA expects ADIs to monitor trends in requests for, and approvals of, restructured exposures and to conduct regular assessments of the default and loss characteristics of these exposures. Good practice is for ADIs to monitor key metrics such as: number, dollar amount and reasons for new requests for restructured or ‘hardship’ concessions, by product type; number, dollar amount and types of new and outstanding restructured or ‘hardship’ concessions granted; and cure rates, provisions and ultimate loss rates on these exposures.

Credit risk grading

As the scope, scale and complexity of an ADI’s business grows, APRA expects ADIs to implement more sophisticated approaches to monitoring and managing credit risk. As outlined in APS 220, where appropriate for the scope, scale and complexity of its operations, this must include an internal credit risk grading system.
An effective internal credit risk grading system can provide for greater differentiation in the degree of credit risk between exposures, and provide a more accurate determination of the overall characteristics of the credit portfolio, such as concentrations, problem exposures and the adequacy of provisions.
Typically, a credit risk grading system categorises exposures into various risk grades. Good practice is for risk grades to be clearly defined. Simpler systems might be based on fewer categories. For ADIs with larger or more complex portfolios, APRA expects that systems will have a higher number of gradations for exposures, in order to properly differentiate the relative credit risk they pose. The risk grading of more homogenous exposures may be undertaken on a segment level or portfolio basis.
In order to facilitate early identification of changes in risk profile, a prudent credit risk grading system would be responsive to indicators of potential or actual deterioration in credit risk. Examples of specific indicators could include qualitative factors such as management quality, loss of key customers, increased competition or quantitative factors such as reduction in sales or profits, deterioration in key financial metrics and arrears. Exposures would be assigned a new risk grade when conditions either improve or deteriorate.
APRA expects that exposures with deteriorating or weaker risk grades would be subject to additional oversight and monitoring. This might include, for example, inclusion on a watch-list.
Risk grades are useful in tracking the quality of the credit portfolio and help in identifying necessary changes to the credit risk management strategy. Good practice is for the Board and senior management to receive regular reports on trends in risk grades to support their oversight of the credit portfolio.
Maintaining an appropriate credit risk grading system involves effective development, validation, operation and oversight, supported by clearly defined and documented policies, processes and responsibilities. APRA expects personnel to have the appropriate knowledge, skills, tools and resources to carry out their responsibilities. Responsibility for setting or confirming risk grades would typically rest with a credit review function independent of the area that originated the graded exposure.
Under APS 220, ADIs must undertake regular portfolio level and risk specific stress testing of its credit exposures. A prudent ADI would use stress tests to assess risk appetite, capital adequacy and relevant strategic business decisions under potential stressed conditions. For example, stress tests might identify vulnerabilities in certain loan portfolios that would prompt an ADI to tighten its loan origination criteria or lower its risk appetite limits on particular products.

Concentration risk

Concentrations to particular borrowers with similar risk characteristics can present a significant source of credit risk, if not managed prudently. This could include, for example, borrowers in similar industries, regions, loan types or products. Concentrations can also occur in exposures with the same maturity.
Some ADIs lending strategies may expose them to high concentrations in particular geographical locations, industries or borrowers. Concentrations can also stem from more complex or subtle linkages among exposures in the portfolio. A high level of concentration increases the risk that problems in one industry, product or region can have a large impact on an ADI’s financial soundness.
Reducing exposures to a particular group of borrowers is one means of reducing the risks associated with high concentrations. ADIs may also make use of alternatives, such as pricing for the additional risk, increased holdings of capital or using loan syndications to reduce dependency on a particular sector of the economy, industry or group of related borrowers. It would not be prudent for ADIs to engage in credit activities they do not fully understand or expand into unfamiliar markets simply for the sake of diversification. This is especially important for small ADIs; there is limited benefit in diversification, unless an ADI is actually decreasing risk.
ADIs may also use more complex mechanisms to manage credit concentrations and other portfolio issues. These include asset sales, credit derivatives, securitisation programs and other secondary loan markets. However, these mechanisms can also introduce new risks that must be identified and managed. APRA expects ADIs to have adequate policies and processes and controls in place to identify and manage these risks.

Controls over credit risk

Reviews of credit risk management processes

APS 220 requires an ADI to establish a system of independent, regular reviews of credit risk management processes and practices, with the results communicated directly to the Board and senior management.
It is good practice for internal reviews of credit risk to be conducted by personnel that are independent from the business function. This provides a more objective assessment. Internal reviews can be used to evaluate the overall credit administration process, determine the accuracy of internal credit risk grades (where applicable), and confirm whether policies are being followed in practice. It is good practice for the credit review function to report directly to either the Board, the Risk or Audit committee, or senior management without lending authority, such as senior management within the risk control function.
Internal reviews of credit risk processes may focus on the degree of compliance with the ADI’s credit policies and processes, authorisation guidelines and the accuracy of risk reporting. Such reviews would assist management in identifying areas of weakness in the credit policies and processes.
A prudent ADI would ‘hindsight’ credit decisions to detect anomalies in credit decisions, including on a sample basis. It is important that remedial actions are implemented where weaknesses are identified. The focus of hindsight reviews may include:
an evaluation of individual lender and business unit against their key performance indicators, such as credit policy and compliance metrics;
compliance with regulatory requirements; and
an assessment of the continued relevance and appropriateness of existing credit risk policies and processes.
For small ADIs, it may be appropriate for internal reviews of credit risk to be outsourced. Where ADIs outsource these reviews, the ADI would need to have regard to Prudential Standard CPS 231 Outsourcing.

Controls and limits

Under APS 220, ADIs must establish and enforce internal credit controls and limits. Such controls and limits assist management in controlling credit risk, identifying emerging risks, and managing exposures within risk appetite.
The management, monitoring and reporting of overrides, exceptions or waivers is fundamental to ensuring credit policies are followed in practice. A disconnect between lending policies and lending practices can lead to a significant increase in credit risk. A prudent ADI would monitor the frequency, reasoning and materiality of overrides, exceptions or waivers, including where ADIs use automated decision models. It is prudent for risk appetite limits to appropriately reflect the maximum level of allowable overrides, exceptions or waivers.

Remedial action

Early identification of a deterioration in loan quality or increasing problem exposures can improve options for remediating the exposure and managing the risk. It is prudent practice for ADIs to have a robust remedial management process, with clearly defined triggers for action, and for this to be administered through the credit administration and problem recognition systems.
Internal credit risk grading systems and watch-lists can play a key role in identifying portfolio deterioration. To ensure that these processes are effective in the early identification of potentially problematic loans, it is prudent for definitions and criteria to be regularly updated or refreshed.
Credit risk policies also typically set out how the ADI plans to manage problem exposures. Responsibility for managing problem exposures may be assigned to the originating business function, a specialised workout section, or a combination of the two, depending upon the size and nature of the exposure and the reason for its problems.
APS 220 requires ADIs to have an effective workout program for problem exposures, with the segregation of the workout function from the area that originated the exposure. The additional resources, expertise and more concentrated focus of a specialised workout section can help improve collection results, including developing strategies for rehabilitating, restructuring or increasing the amount of repayment ultimately collected.
It is good practice for experienced and skilled collections staff to manage higher risk and more problematic credit exposures. The demand for collections expertise and functions is likely to be lumpy, and significantly increased during times of economic stress. It is prudent practice for ADIs to develop plans for scaling up collections functions and expertise in response to potential shocks. It would not be prudent to assume external expertise is readily available during periods of stress.

Non-performing exposures

APS 220 defines non-performing exposures as exposures in default, based on whether the ADI considers the borrower is unlikely to repay in full and/or is 90 days or more past due. This definition is applied at the level of the borrower, other than for exposures to individuals, which can be applied at the level of a particular credit obligation.
[3]
Subsidiaries in jurisdictions outside of Australia may use the national regulator’s number of days past-due, where it is different to 90 days, to determine whether an exposure to an individual or a public sector entity is non-performing.
At the level of the borrower, if one exposure within a group is deemed non-performing, this does not mean that all related borrowers within the group would automatically be considered non-performing. However, a prudent ADI would assess the credit worthiness of other entities from the same group, taking into account a range of factors. As an example, extension of the non-performing classification would generally not apply if:
the various facilities are not cross-collateralised;
there are no cross-guarantee arrangements between the related entities;
there are no cross-default provisions; and
there are no financial interdependencies between facilities.
Under APS 220 an ADI must treat a borrower as non-performing if they are unlikely to repay, even if they are not 90 days or more past due. Collateralisation does not play a direct role in determining whether an exposure is non-performing, but it may have an indirect influence on a borrower’s repayment behaviour.
In assessing a borrower’s unlikeliness to pay, a prudent ADI would consider a comprehensive analysis of the financial situation of the borrower. This analysis would focus on, for example, patterns of payment behaviours in past circumstances, new facts that change the borrower’s situation, and forward projections.
For exposures to individuals, this analysis may include trends in financial ratios, such as the debt service coverage ratio, debt to income ratio, loan-to-valuation ratio, credit scores and any other relevant indicators. For other exposures, analysis may include consideration of leverage, such as the ratios of debt to equity, debt to earnings or interest payments relative to earnings. ADIs might also consider liquidity, including cash flow ratios.
Contractual features of the exposure, such as interest-only terms, would not automatically impact the assessment of a borrower’s likeliness to repay. This assessment would be influenced by analysis of payment behaviours or the financial situation of the borrower.

Restructured exposures

Under APS 220, an exposure is restructured where a borrower is in financial difficulty and an ADI grants a concession that it would not otherwise consider. These concessions would typically not be commercially available to borrowers in good financial standing. Under APS 220, the definition of restructuring applies to all types of credit exposures, including loans, debt securities and off-balance sheet items such as loan commitments and financial guarantees.
It is important for ADIs to have a thorough understanding of the risk profile of exposures where a restructure is granted and ensure that risks are appropriately reflected in internal management reporting, provisioning and capital adequacy.
A concession granted due to a borrower’s financial difficulty could be triggered by:
changes in the conditions of the existing contract, giving considerably more favourable terms to the borrower;
a supplementary agreement, or a new contract to refinance the current transaction; or
the exercise of clauses embedded in the contract that enable the borrower to modify the terms and conditions of its contract or to take on additional loans, debt securities or off-balance sheet items at its own discretion.
There are many types of concession granted by ADIs, or exercised by borrowers in existing contracts. Not all concessions lead to a reduction in the net present value of the exposure, and therefore require the recognition of a loss by the ADI.
The following list provides examples of possible indicators of financial difficulty, but is not intended to constitute an exhaustive list. In particular, financial difficulty can be identified even in the absence of arrears on an exposure:
a borrower is currently past-due on any of its exposures;
a borrower is not currently past-due, but it is probable that the borrower will be past-due on any of its exposures in the foreseeable future without the concession, for example, when there has been a pattern of delinquency in payments on its exposures;
a borrower’s outstanding securities have been delisted, are in the process of being delisted, or are under threat of being delisted from an exchange due to noncompliance with the listing requirements or for financial reasons;
on the basis of actual performance, estimates and projections that encompass the borrower’s current capabilities, the ADI forecasts that the borrower’s committed or available cash flows will be insufficient to service its loans or debt securities (both interest and principal) in accordance with the contractual terms of the existing agreement for the foreseeable future;
a borrower’s existing exposures are categorised as exposures that have already evidenced difficulty in the borrower’s ability to repay in accordance with the classification of exposures under APS 220;
a borrower’s exposures are non-performing or would be classified as nonperforming without the concession;
the borrower cannot obtain funds from sources at an effective interest rate equal to the current market interest rate for similar loans or debt securities for a borrower of good standing; and
the borrower has defaulted on other obligations.
Restructured exposures may be classified as ’performing’ or ’non-performing’ for regulatory reporting purposes. The appropriate classification will depend on the status of the exposure at the time when concession is granted and the borrower’s payment history or creditworthiness after the extension of the concession.
Under APS 220, a restructured exposure may cease being categorised as such when all payments have been met, under the revised contractual terms, for a minimum duration of six months and the borrower has resolved its financial difficulty.

Credit risk and accounting for credit losses

The Basel Committee’s ‘Guidance on credit risk and accounting for expected credit losses’, 18 December 2015, sets out guidance on sound credit risk practices associated with the implementation and ongoing application of expected credit loss accounting frameworks. APRA expects ADIs to have regard to this guidance when applying expected credit loss accounting standards.
The failure to identify and recognise a deterioration in credit quality in a timely manner can adversely affect an ADI’s capital adequacy, and hinder appropriate risk assessment and control of an ADI’s credit risk exposure. The involvement of an ADI’s credit risk management function in the assessment and measurement of expected credit losses is essential to ensuring adequate provisions in accordance with the applicable accounting framework.
An expected credit loss approach is intended to be forward-looking. This means that it is unnecessary for a trigger event to have occurred before credit losses are reported for accounting purposes. As with accounting standard requirements, APRA expects ADIs to base their measurements of expected credit loss on reasonable and supportable information, including historical, current and forecast information.