“set capital standards such that Australian authorised deposit-taking institution capital ratios are unquestionably strong.”
Although Australia has no G-SIBs, the FSI recommended the implementation of a domestic TLAC framework in line with emerging international practice. The Government’s response endorsed APRA to implement this recommendation, and I am sure we will not be alone in extending the TLAC regime beyond G-SIBs.
Assuming the international ground rules are settled by the end of this year, APRA will begin discussions on an Australian framework for loss absorbing and recapitalisation capacity during the course of 2016, in consultation with the members of the Council of Financial Regulators, and other interested stakeholders. The FSI suggested that Australia should not get ahead of international developments, and this is an area - perhaps more than most others - where the devil is in the detail, so it makes good sense that we hasten slowly.
Inevitably, there are going to be some tricky technical issues to resolve, including clarity over the mechanisms and triggers under which holders of particular instruments will absorb losses. On this issue, we are seeing a range of approaches internationally: from purely contractual triggers to statutory tools which vary widely in their scope. Given these global developments, we will have the benefit of a variety of thinking in this area as we progress our work.
But as well as monitoring international developments, it will clearly be important to consider what best suits the particular characteristics of the Australian financial system. This will include consideration of the increased ‘going concern’ loss absorbency being provided by our work to ensure Australian ADIs have unquestionably strong capital ratios. In addition, we already have a form of ‘gone concern’ loss absorbency through Tier 2 capital instruments, so the interaction with the capital framework will be an important consideration, as will providing for appropriate transition periods for building up any additional loss absorbing capacity.
Powers for dealing with failing firms
Moving beyond TLAC, and to issues that extend beyond ADIs, APRA’s current crisis resolution powers are a vital but often overlooked component of the prudential framework.
The global financial crisis put the spotlight on the lack of credible resolution options in many jurisdictions: indeed, the inability of regulators to resolve failing financial firms often exacerbated the crisis, and quickly led to the need for significant public sector support. The FSB has since established the Key Attributes of Effective Resolution Regimes (Key Attributes) to provide an international standard on financial crisis resolution. As noted in the FSI’s Final Report, there are some gaps and deficiencies in the Australian resolution framework when compared with the Key Attributes. We were therefore pleased to see the Government endorse improvements to APRA’s crisis management powers as a matter of priority.
Many of these legislative measures were initially raised in a September 2012 Consultation Paper, Strengthening APRA’s Crisis Management Powers, and included broader investigation powers; strengthened directions powers; improved group resolution powers; enhanced powers to deal with branches of foreign banks; and more robust immunities to statutory and judicial managers.
Cumulatively, these proposals will significantly enhance APRA’s resolution toolkit and align our powers more closely with international expectations. We certainly hope to use these powers rarely, but ensuring our capacity to deal with a distressed firm is robust and effective is a low-cost investment in protecting the interests of beneficiaries of regulated firms, and the stability of the financial system more broadly, without putting taxpayer funds at risk.
Of course, having a wide set of powers is not all that is needed. Crisis planning is also a critical, and the Key Attributes require jurisdictions to put in place processes for recovery and resolution planning for relevant firms. On recovery planning, APRA will be working further with larger ADIs (and in due course other relevant firms) to ensure they have plans that are credible – that is, a realistic and continuously-reviewed menu of actions that can be practically implemented in stressed operating conditions. On resolution planning, we will be commencing more detailed work on the planning required to ensure that we are able to use our resolution powers when needed. Although resolution plans are the responsibility of regulators, these plans will require the input of relevant firms and, potentially, consideration of pre-positioning measures that could help to improve resolvability.
Governance and culture
Regulators have a task to reduce the risk of a repeat of the sins of the past, but so do financial firms themselves.
I’ve made the point elsewhere that building up capital and liquidity, and ensuring loss absorbing capacity in the event of failure, will undoubtedly make for a more resilient financial system, but they will only offer a partial remedy to the problems that were experienced unless there are behavioural changes within financial firms as well. At the heart of that challenge are the related topics of governance, culture and remuneration. That is why we have recently created a new team within APRA to provide dedicated expertise on these issues. To be clear, we are not proposing significant new policy here: the team’s work will primarily focus, at least in its early stages, on improving our supervisory scrutiny of the specific requirements set out in existing prudential standards.
Under the broad heading of governance, culture and remuneration, we obviously can’t do everything and be everywhere at once. Our immediate priority is the area of risk culture, and in particular how banks and insurers are implementing the requirements of CPS220 Risk Management. As many of you know, this standard came into effect at the beginning of this year and, amongst other things, contains an ostensibly simple requirement for Boards to form a view of the risk culture in the firm, and the extent to which that culture supports the ability of the firm to operate consistently within its risk appetite.
Forming a view sounds relatively simple, but making sure that the Board’s view of risk culture is well-informed and reliable is more challenging. Therefore our first step will be to undertake a stocktake of practices that Boards are employing to fulfil this obligation. This stocktake will not only help us to refine and hone our supervisory approach to assessing risk culture, but will also hopefully help firms benchmark their own practices and understand a little better how they stack up against their peers.
Our next area of priority will be to review the current state of remuneration arrangements within ADIs and insurers. Specific requirements came into force in 2010 with the goal of ensuring personal rewards appropriately take account of risk-taking behaviour. These requirements are no longer new, so we will be looking to see that after the initial period of implementation, they are now fully in force and meaningfully applied. We’ll also be comparing Australian approaches with current and emerging international thinking – not necessarily to copy what’s done offshore, but at least make sure we are fully aware of differences in industry and regulatory practices and satisfy ourselves that we are not falling ‘behind the game’ due to any inattention to the issue.
The final issue I wanted to touch on is technology, particularly as the organisers of this event were keen to make technology a theme for the discussions. There is no doubt that technology, the innovations it brings, and the way in which it is changing the way financial services are provided, are increasingly topical. But, without in any way dismissing the increasing importance of the issue, it is not new.
APRA has employed a small but proactive team of IT experts for about the past 15 years, and the effective management of technology-related issues has always been a large part of their agenda. For example, on the risk side of things we have for a long time been focussed on ensuring that boards are educated and well-informed regarding cyber-risk; management has strategies and plans to address the evolving forms of cyber-risk; firms undertake penetration testing (ethical hacking), vulnerability management and testing, and have a systematic approach to managing and securing operating systems and software; and firms are able to detect cyber incidents in a timely manner, and possess response and recovery capability for plausible scenarios. We have done this not just for APRA-regulated firms, but also on occasion for systemically-important service providers.
We have used this work to develop guidance on good practice. For example, in 2010 we published a practice guide CPG 234 Management of Security Risk in Information and Information Technology. This is both principles- and risk-based, and continues to be relevant despite the rapidly evolving environment. More recently, we have published an information paper on Outsourcing involving Shared Computing Services (including Cloud). Outsourcing of various technology functions to service providers is not new, but the information paper responds to a trend for sharing services across a larger cross-section of entities (including non-financial industry entities) and the introduction of higher-order shared computing services (e.g. software). We have no wish to try to hold back the tide; we simply wish to ensure that the risks it involves are managed adequately. That will remain a major focus in the year ahead.
As firms continue to increase the openness of their systems (including greater use of digital channels), regulators like APRA need to evolve their supervisory approaches to respond to the changing risk profile. Moreover, we also need to monitor the broader strategic shifts that are underway, given the potential for new technologies to challenge the revenue streams of existing financial firms. New entrants and innovations that nip at the heels of the existing players, and keep them on their toes, are a positive for the Australia community. We should welcome them. But we also need to watch for the emergence of new risks, and the transfer of activities outside the regulatory net that the community expects to be appropriately regulated. Like regulated firms, we regulators will also need to be on our toes.
The issues that I have discussed today will certainly keep us all busy in 2016. And that is without a large number of other items that I’ve not had time to mention. However, if we can make good progress on these six issues over the course of the next year, we will not only have achieved a great deal, we will have substantially improved the resilience of the financial system, to the benefit of the entire Australian community.
1 The upcoming changes to APRA’s securitisation standard, in which we have proposed the introduction of simple funding-only securitisations, is being designed with, amongst other things, this in mind.
Contact APRA | 1300 55 88 49 | GPO Box 9836 Sydney NSW