APRA releases CBA Prudential Inquiry Final Report and accepts Enforceable Undertaking from CBA
APRA announced the Prudential Inquiry on 28 August 2017 to examine the frameworks and practices in relation to the governance, culture and accountability within the CBA group, following a number of incidents that damaged the reputation and public standing of the bank. A Panel to conduct the inquiry – comprising Dr John Laker AO, Chairman of the Banking and Finance Oath, company director Jillian Broadbent AO and Professor Graeme Samuel AC, Professorial Fellow in the Monash Business School – was appointed on 8 September 2017 and the Inquiry’s investigative work began the following month. A Progress Report was released on 1 February 2018.
The Final Report is comprehensive and contains a large number of findings and recommendations. Its overarching conclusion is that "CBA’s continued financial success dulled the senses of the institution", particularly in relation to the management of non-financial risks.
The Report also found a number of prominent cultural themes such as a widespread sense of complacency, a reactive stance in dealing with risks, being insular and not learning from experiences and mistakes, and an overly collegial and collaborative working environment which lessened the opportunity for constructive criticism, timely decision-making and a focus on outcomes.
The Report raises a number of matters of prudential concern. In response, CBA has acknowledged APRA’s concerns and has offered an Enforceable Undertaking (EU) under which CBA’s remedial action in response to the report will be monitored. APRA has also applied a $1 billion add-on to CBA’s minimum capital requirement.
As some of the recommendations deal with the way in which CBA interacts with customers, APRA will work closely with the Australian Securities and Investments Commission (ASIC) to ensure that the recommendations are addressed in full.
The Final Report’s findings
Over the past six months, the Panel examined the underlying reasons behind a series of incidents at CBA that have significantly damaged its reputation and public standing.
It found there was a complex interplay of organisational and cultural factors at work, but that a common theme from the Panel’s analysis and review was that CBA’s continued financial success dulled the institution’s senses to signals that might have otherwise alerted the Board and senior executives to a deterioration in CBA’s risk profile. This dulling was particularly apparent in CBA’s management of non-financial risks, i.e. its operational, compliance and conduct risks.
"These risks were neither clearly understood nor owned, the frameworks for managing them were cumbersome and incomplete, and senior leadership was slow to recognise, and address, emerging threats to CBA’s reputation. The consequences of this slowness were not grasped," the Report stated.
The Panel identified:
- inadequate oversight and challenge by the Board and its committees of emerging non-financial risks;
- unclear accountabilities, starting with a lack of ownership of key risks at the Executive Committee level;
- weaknesses in how issues, incidents and risks were identified and escalated through the institution and a lack of urgency in their subsequent management and resolution;
- overly complex and bureaucratic decision-making processes that favoured collaboration over timely and effective outcomes and slowed the detection of risk failings;
- an operational risk management framework that worked better on paper than in practice, supported by an immature and under-resourced compliance function; and
- a remuneration framework that, at least until the AUSTRAC action, had little sting for senior managers and above when poor risk or customer outcomes materialised (and, until recently, provided incentives to staff that did not necessarily produce good customer outcomes).
The Final Report includes numerous recommendations for addressing these issues within CBA, focusing on five key levers:
- more rigorous Board and Executive Committee level governance of non-financial risks;
- exacting accountability standards reinforced by remuneration practices;
- a substantial upgrading of the authority and capability of the operational risk management and compliance functions;
- injection into CBA’s DNA of the "should we" question in relation to all dealings with and decisions on customers; and
- cultural change that moves the dial from reactive and complacent to empowered, challenging and striving for best practice in risk identification and remediation.
APRA Chairman Wayne Byres said the Inquiry Panel’s findings show CBA’s governance, culture and accountability frameworks and practices are in need of considerable improvement.
"As the Panel notes, CBA has itself identified and begun taking steps to address many of these issues, but there is much to do and a risk that the same issues which have led to the need for the Inquiry undermine the bank’s efforts to comprehensively and effectively respond to the recommendations of the Panel.
"As a result, CBA has given to APRA an Enforceable Undertaking which establishes a framework by which CBA will demonstrate it is addressing the full set of recommendations made by the Panel in a timely manner. Until such times as these recommendations are addressed to APRA’s satisfaction, an add-on to CBA’s operational risk capital requirement will continue to apply.
"CBA is a well-capitalised and financially sound institution but CBA itself had acknowledged shortcomings in governance, culture and accountability ahead of this Inquiry. The comprehensive review, and set of recommendations set out by the Panel, provides CBA with a clear path towards restoring its public standing," Mr Byres said.
Mr Byres thanked the panel members for their thorough Report. "The Panel, and those who supported them in undertaking the Inquiry, have delivered a comprehensive and high quality report that goes to the heart of the issues that led to the damage to CBA’s reputation. More importantly, the Report’s recommendations provide a roadmap for the CBA Board and executive team to deliver organisational and cultural change across the CBA group.
"The Panel notes in its Report that regaining community trust will require time, hard work and an undistracted risk and customer focus and that its recommendations should assist the CBA Board and staff in translating CBA’s undoubted financial strength and good intent into better meeting the community’s needs and expectations," he said.
Mr Byres also said: "the findings of the Report provide important insight for all financial institutions, particularly about the need to maintain a broad focus on all aspects of risk and stakeholder interest and not allow financial success to mask or detract from other important measures of an institution’s performance and risk profile."
Given the nature of the issues identified in the Report, all regulated financial institutions will benefit from conducting a self-assessment to gauge whether similar issues might exist in their institutions. APRA supervisors will also be using the Report to aid their supervision activities, and will expect institutions to be able to demonstrate how they have considered the issues within the Report.
For the largest financial institutions, APRA will be seeking written assessments that have been reviewed and endorsed by their Boards.
The Australian Prudential Regulation Authority (APRA) is the prudential regulator of the financial services industry. It oversees banks, credit unions, building societies, general insurance and reinsurance companies, life insurance, private health insurers, friendly societies, and most members of the superannuation industry. APRA currently supervises institutions holding $6 trillion in assets for Australian depositors, policyholders and superannuation fund members.