What follows is APRA's view of best practice in prudential regulation. It is not yet fully applicable to all the industries we regulate.
An entity’s management quality and risk control are the responsibility of the Board - this responsibility cannot be delegated downwards or outwards.
An entity’s directors, managers and advisers should have business and technical competence, personal honesty, and a capacity and willingness to avoid conflicts of interest.
Entities should be acutely aware of their obligations to all stakeholders, including depositors, policyholders, investors and the wider community.
Entities should be practising due diligence, peer review and clear documentation in the transaction of day-to-day business.
Entities should be complying promptly and fully with the spirit and intent of the regulatory requirements, not just the black-letter wording.
Entities should be providing leadership and training so that staff see the need for good practice, and for the compliance function to be commercially integrated, not bolted on.
Entities should be willing to cooperate promptly and fully with the regulator in making information available, in rectifying weaknesses and in resolving failures.
A strong compliance culture is set by example from the top of a regulated entity.
Fit and Proper tests are a key element of international best practice in financial regulation, and are aimed at getting high quality personnel at the top of an entity.
Alan Greenspan said in July: corporate governance to a very large extent reflects the character of the CEO, and lax corporate governance is a symptom of a failed CEO.
He went on: although we may not be able to change the character of corporate officers, we can change behaviour through incentives and penalties. APRA's incentives and penalties seek to discourage secrecy, dishonesty and neglect.
APRA's governance expectations are for directors, managers, the Auditor and the Actuary to be suitable for their roles and conscious of their responsibilities, including whistle-blowing where relevant.
Fit and Proper tests for directors, managers and advisers now go well beyond the more traditional and narrow requirements of merely not having a conviction for dishonesty or a history of bankruptcy.
Suitability includes technical competence, personal honesty, and freedom from conflicts of interest. Also, Boards and managements should be well-balanced, team-oriented, and not subservient to a dominant personality.
If APRA detects a failure to exercise good risk management - for example, serious problems being swept under the carpet - then we will not hesitate to deem the top personnel unfit, and to remove them.
Regulated entities should provide annually to APRA a written Declaration of the Board certifying that they have:
- complied with all relevant prudential requirements
- identified and managed all material risks
- monitored risk control performance on a regular basis
- verified the systems work in practice as intended, and
- spread a strong risk control culture across the entity.
APRA’s requirement for an annual Board Attestation is not to be taken lightly - Boards are accountable, and should do sufficient due diligence to satisfy themselves that their attestation is fair and accurate.
Certification by the Auditor is a key strand of the prudential safety net, but is working well below par in practice.
Auditors have an obligation to report on the entity's adherence to, for example:
- internal risk controls to assess the overall adequacy of the risk control environment
- the regulator’s prudential requirements
- other relevant statutes & standards
- reliable statistical & financial reporting.
The Auditor should be cooperative in providing access to working papers, and participating constructively in tripartite discussions and targeted reviews - but regrettably, we aren’t always finding this in practice.
A disturbing number of auditors seem to be ignorant of the relevant statutes & standards and failing to detect & flag weaknesses such as:
- non-compliance with APRA prudential standards
- APRA returns riddled with errors & lodged late
- lack of an independent internal audit function
- delegations set at inappropriate levels of seniority
- large exposures that breach prudential limits
- inadequate controls on related lending
- inadequate controls on risky activity, and so on.
APRA is now intervening more promptly, more vigorously and more often under our existing powers than in the past. We are also developing a new, comprehensive enforcement infrastructure to upgrade and standardise our powers across all the regulated industries: banking, insurance and superannuation. This will require Government support to have legislative effect.
The basic powers we would hope to be using in future, in the normal course of enforcement, include:
- access to records and books
- appointments of independent investigators and experts
- case-by-case increases in capital requirements
- enforceable undertakings and enforceable directions,
- cease & desist notices, if we were to get this power
- licence conditions, including vetoes on business lines
- removal of unsuitable directors, managers, auditors etc.
- freezing of assets, replacing of boards, and ultimately,
- putting entities into run-off or liquidation.
The compliance function should be deeply embedded in an entity’s everyday commercial culture, and not regarded as a mere mechanical or legalistic box-ticking exercise.
The Auditor should be well-informed about the entity’s regulatory obligations, vigilant in detecting breaches and weaknesses, and always ready to qualify sign-offs - regulated entities for their part should ensure that audit obligations are clearly established in the audit engagement.
Finally, there is a strong likelihood that a commercially well-run company - in business for the long-term - is also by nature honest, open, professional and prudent.