Skip to main content
Speeches

APRA Chair John Lonsdale - Speech to AFR Banking Summit 2023

A matter of trust

Good morning everyone. It’s a pleasure to be here to deliver my first keynote speech since becoming APRA Chair last year.

In 1972, the American mathematician Edward Norton Lorenz published a paper where he memorably posed the question: could the flap of a butterfly’s wings in Brazil cause a tornado in Texas? The Butterfly Effect, as it’s become known, is the idea that small changes in one place can produce large changes somewhere entirely different.

A variation of the question sprung to mind recently as news filtered through that Silicon Valley Bank (SVB) was in danger of insolvency: could the failure of a mid-size Californian bank specialising in servicing the fintech and start-up sectors impact the stability of the banking system in Australia 12,000 kilometres away?

Although the collapse of SVB and subsequent takeover of Credit Suisse have had little impact on Australian banks, their plight – and the global alarm it sparked – highlighted two truths about banking. The first is how interconnected the international financial system has become. For example, Credit Suisse has a global presence including a branch here in Australia. Local banks had next to no direct exposure to SVB, yet concerns about these entities immediately sparked anxiety about contagion risk.

That’s related to the second point: the importance of confidence in maintaining bank stability. APRA has talked a lot about “trust” in the sense of treating customers fairly. At heart, however, banking relies on an even more fundamental trust – that one’s money is safe and available on demand. The rapid collapse of SVB in a matter of days demonstrates what can happen when customers lose that confidence.

Unlike the prescribed rules we set for capital, APRA can’t prescribe a set level of “confidence” that our regulated entities need to maintain more broadly, but we can work to create the conditions for it to flourish. Importantly, bank boards need to effectively manage their risks and run their institutions prudently at all times. The trust Australians feel in their banks’ ability to withstand a crisis is the product of many years of regulatory reform designed to reinforce the system’s financial and operational resilience. This has enabled us to build a regulatory system for banking that has different and often tougher standards and requirements than many peer jurisdictions. We might be connected, but their issues and problems are not necessarily ours.

It’s also why, as new challenges present – whether climate, cyber or sharply rising interest rates – you can trust that APRA will act decisively to help keep deposits safe. 

Citius Altius Fortius (Swifter Higher Stronger)  

 

Like our peer regulators around the world, APRA and the Council of Financial Regulators are spending considerable time assessing what went wrong with SVB and Credit Suisse in particular to see what lessons we can draw to protect the Australian banking system. 

The financial sector undertook a similar but much more intensive process of information-gathering and self-reflection in the aftermath of the global financial crisis. Among the most consequential of the changes to emerge was the development of the Basel III regulatory framework for banks: new minimum requirements for all internationally active banks in areas such as capital and liquidity designed to boost the financial resilience of the global banking sector. APRA talks about three levels of alignment to Basel: sub-equivalent, equivalent and super-equivalent. And in a number of important areas, APRA’s prudential framework is super-equivalent, meaning it goes above and beyond the minimum Basel requirements. 

Let’s start with capital, the cornerstone of the banking system’s stability. APRA’s new bank capital framework, which took effect from the first of January this year, has not only been informed by the Basel reforms. It also incorporates one of the key findings from 2014’s Financial System Inquiry that Australia’s banks be “unquestionably strong”. For the IRB banks covered by Basel, that’s meant holding additional capital equivalent to 150 basis points. This puts these banks in the top quartile of the international pack for capital strength, helping them retain access to offshore capital markets, which further improves their resilience.

APRA’s prudential framework is proportionate, with a deliberately lower regulatory burden for smaller institutions, but smaller banks aren’t carved out of the capital requirements. For standardised banks, their unquestionably strong requirement was to raise overall capital by around an extra 50 basis points.

Risk weightings are another area where the Australian prudential framework goes beyond Basel requirements. The Australian banking system has a particular concentration risk in residential mortgage lending, and so our capital framework is calibrated to offset that risk with higher risk weightings, and so higher capital requirements.

Australian banks are also super-equivalent to Basel III requirements in liquidity. Compared with many overseas jurisdictions, we allow a much narrower range of definitions of high-quality liquid assets (HQLA) when determining the liquidity coverage ratio (LCR): no corporate bonds, and no residential or commercial mortgage-backed securities. Removing these assets, which can’t always be sold easily, from the equation not only strengthens the quality of bank liquidity, it increases simplicity and transparency, which boosts confidence from investors. 

A final and perhaps best example of how APRA’s prudential framework for banks exceeds international standards is in the area of interest rate risk in the banking book (IRRBB). We are the only jurisdiction in the world that mandates banks carry capital to address the risk of rising interest rates as part of their core (pillar one) capital requirements. The significance of this measure in light of current events is hard to overstate. SVB’s exposure to rising interest rates was one of the main factors behind its collapse. In contrast, as markets moved in response to RBA changes in the official cash rate, Australian banks have had to hold additional capital. Some banks had expressed displeasure about the application of capital for IRRBB but two weeks ago the IRRBB requirement proved its worth. We are currently in the process of updating our prudential standard in this area and will be sure to consider lessons from the past few weeks.

Argentarius cave (Banker beware)

 

The differences between the regulatory requirements for Australian banks and many overseas jurisdictions give us confidence that the banking system here is among the best equipped in the world to handle a crisis. They don’t, however, make us complacent or blind to the potential impact overseas events can have on financial stability here. As a mid-size economy with a population of only 26 million people, our banks depend on access to international markets to meet their wholesale funding and capital needs. No matter how resilient our financial system, what happens globally affects us to a greater or lesser extent.

To date, the impact of recent events in the US and Europe has been limited here.  But that does not mean there are no lessons for us. 

With that front of mind, APRA and other financial regulators globally are already trying to see if the regulatory framework needs strengthening.  One aspect of recent events was the sheer speed of developments, especially with SVB. Chiefly, this is a consequence of technological innovation. In 2007, the fall of Britain’s Northern Rock bank was visible with hundreds of customers queuing in the street outside branches waiting to withdraw their money. With the ubiquity of modern online banking, there’s no need to queue and no need to be constrained by branch opening hours. Entire balances can be instantly transferred elsewhere at the click of a button 24 hours a day. Information – and misinformation – also spread further and faster than ever before, particularly through social media.

As the speed of crises has accelerated, regulators have less time to respond than they once did. We can no longer expect to have days or weeks to debate and plan considered responses. We need to be ready to act quickly, but we also need greater confidence than ever in the prudential safeguards we have in place. It may be that we need to look more closely at concentration risk in deposits and adjust requirements where an ADI has particularly high exposure to a particular industry or demographic. These types of contemplations are already underway among international regulators.

Over recent years, we have seen an increased frequency of events outside the scope of what financial institutions typically model for: fluctuations in commodity prices that we’ve rarely seen before, sharper movements in interest rates and a higher number of extreme weather events. The causes and impact of this greater financial volatility is something we as regulators also need to examine.

Stressed for success

 

One way we prepare for a future crisis is to regularly and rigorously stress test the banking system using severe but plausible scenarios and examining the hypothetical impact. As it happens, we have recently finished analysing the results of our latest banking stress test, and I can run you through the findings now. But before I do that, it is important to make absolutely clear this is not a forecast; this is an exercise to theoretically test the strength of banks. 

The test covered our 10 largest banks, which have the greatest impact on financial system stability. The scenario we presented was based around a deep and prolonged global economic downturn with rising interest rates and prolonged inflationary pressures exacerbated by energy supply shocks. Here in Australia, the scenario saw the Reserve Bank lift the official cash rate by over 400 basis points to 4.5 per cent.

Under the scenario, GDP fell 4 per cent as the economy fell into recession. Unemployment rose to 11 per cent. House prices fell nationally by 43 per cent over three years. That led to downgrades in sovereign and bank debt ratings, a temporary closure of offshore funding markets, a sell-off in the Australian dollar and a widening in credit spreads. And to really the stress the scenario, we added a twist: each bank had to presume it had fallen victim to a major and costly cyber-attack. 

While this is not how events would play out in the real world, we also assumed the banks took no mitigating actions. Under the scenario, all incurred significant credit losses as borrowers missed repayments and many fell into negative equity. Bank profits fell sharply resulting in dividends drying up for investors. Despite this, the banks in aggregate remained above minimum capital requirements. The funding and liquidity positions of the industry also stood up and that means deposits remained safe in the system. 

In reality, banks would take a range of actions to mitigate the financial impacts of the scenario in question. When we allowed banks to take these into account, we saw capital restored to above buffers and back towards their “unquestionably strong” targets.

Operational resilience

 

At a headline level, the stress test results give us some confidence, however our work on building resilience in the system is never finished. In particular, and as an example, results from independent reviews of our information security prudential standard CPS 234 demonstrate the evolving risks we are facing. 

It’s important to note that Australian financial institutions are very focused on the threat of cyber attacks and are working hard on their defences and responses in the event of an attack. But it’s a big risk and the work is never complete. The threat is constantly evolving, as are the defences institutions can deploy to mitigate this risk.  

To recap, APRA asked entities across banking, insurance and superannuation to conduct the tripartite reviews to examine how well they have implemented our first prudential standard specifically focused on cyber. Given recent cyber breaches affecting a broad number of Australians, boosting cyber resilience remains one of APRA’s top priorities. Yet our analysis of the first tranche of results from the reviews show that entities have more work to do and that there is a need to continuously raise the bar on cyber preparedness and resilience across banking, insurance and superannuation. 

Notably, some of the areas for improvement are  

  • a lack of rigour in the nature and frequency of security control testing;
     
  • insufficient board oversight on cyber;
     
  • incident response plans not regularly reviewed or tested; 
     
  • insufficient safeguards to protect sensitive customer data; and
     
  • inadequate service provider oversight arrangements.

However cyber is just one of many risks. Our regulated entities must ensure they effectively identify and manage all operational risks, are able to continue to deliver critical operations during disruptions, and prudently manage the risks of service providers. Later this year APRA will finalise Prudential Standard CPS 230 Operational Risk Management, which will replace five existing standards for business continuity and outsourcing. 

Finally, if avoiding a costly and damaging cyber incident or other operational risk event is not enough of a carrot, APRA is prepared to wield the stick and take enforcement action if necessary. 

Ready for the day

 

Speaking to analysts after the announcement that his bank had agreed to acquire distressed rival Credit Suisse, UBS chair Colm Kelleher described it as a day he “hoped would never come.” But sometimes the day does come, and we need to be ready for it. 

In an increasingly interconnected global economy, where news and speculation can cross the world instantly, our banking system will always be exposed to forces beyond our control. And as we’ve just seen, a bank doesn’t need to be classed as systemically important to impact the stability of the system. For these reasons, we must always be mindful of not only the importance of liquidity and capital, but also confidence more broadly: in our banks, in our prudential framework and in us as regulators.

We hope the day never arrives when the type of dire scenario used for our banking stress test eventuates. But should it do so, Australians can be confident of two things: their banking system is among the strongest and most resilient in the world, with prudential safeguards above and beyond minimum international requirements. And APRA will continue to work hard before any crisis and take decisive action to continue protecting bank depositors, insurance policyholders and superannuation members.

 

The Australian Prudential Regulation Authority (APRA) is the prudential regulator of the financial services industry. It oversees banks, mutuals, general insurance and reinsurance companies, life insurance, private health insurers, friendly societies, and most members of the superannuation industry. APRA currently supervises institutions holding around $9 trillion in assets for Australian depositors, policyholders and superannuation fund members.