APRA Chair John Lonsdale - Speech to FINSIA The Regulators 2023

Good afternoon and thank you for the opportunity to speak today alongside my regulatory peers.

Looking around the room, I can see people from across financial services – banking, superannuation, insurance and beyond. On stage we have four different regulators, each with specific areas of focus and responsibility. Yet despite the diversity, there is likely to be commonality in many of the topics discussed today. 

That’s partly a reflection of the array of risks present in the system, which are causing uncertainty and which both regulators and industry need to respond to. Macroeconomic conditions including inflationary pressures and rising interest rates, as well as escalating geopolitical tensions, are live issues concerning the Australian community and they pose risk to financial stability.

The global financial system has also become more interconnected due to advances in technology and communication. New innovations are delivering benefits to businesses and consumers including cost-savings, efficiency and convenience. But the links they foster also deepen the risks that need to be identified and managed. Further complicating matters, emerging digital technologies often straddle international and regulatory boundaries or fall between them entirely. No business or regulator can address these risks in isolation.

One topical issue that highlights the confluence of technology, interconnectivity and the increasing importance of multi-agency cooperation is that of cyber security. Over the past year, APRA has collaborated closely with other regulators in this room and across government agencies to help in the aftermath of several high-profile cyber issues. Our joint focus is to work together to protect Australians and safeguard confidence.

Much of APRA’s focus however is preventative. We are working hard to ensure the banks, insurers and superannuation trustees have the systems, processes and expertise in place to prepare for and repel cyber-attacks.

Three years ago, APRA’s information security standard CPS 234 came into force, and yet many entities are still struggling with foundational issues: ensuring third party controls are effective, making sure that systematic security control testing is in place, and regularly testing incident response plans. With the potential for serious impact to millions of Australians, our patience has run out. Where an entity is found to be significantly wanting in its cyber preparedness, we are intensifying supervision, insisting upon remediation plans, and taking enforcement action such as capital overlays and potentially license conditions.

APRA is also lifting operational resilience standards. Our regulated entities have until mid-2025 to be compliant with the requirements of the new standard, CPS 230. It will help entities to understand and manage the risks across their operational value chain, especially those associated with providing essential services to customers. Although the new standard isn’t in place for another 18 months, there are things entities can do now. Mapping out critical operations and identifying material service providers is a practical initial step, as is building organisational awareness. APRA will continue to work closely with entities to prepare them for the implementation of the standard and will issue additional guidance early next year.

Related to operational resilience is APRA’s ongoing focus on governance, risk culture, remuneration and accountability. This includes our work to increase the focus of boards and senior managers on non-financial measures such as community outcomes, and sharpened accountability to prevent poor outcomes.

Perhaps there is no better recent example of the impact of the interconnectivity in the financial system than that of Silicon Valley Bank earlier this year. The bank’s swift downfall – as facilitated by real-time communication and the digital transferal of funds – rattled public confidence around the world and it preceded other collapses, including that of global giant, Credit Suisse. 

APRA is further strengthening the banking system following the lessons learnt from that event. We are considering targeted improvements to strengthen our banks’ liquidity and capital standards to ensure they remain resilient and that stress at one entity doesn’t have an outsized impact on the system. 

An interconnected financial system does not give us the luxury of only focusing on one industry. As recommended by the Financial Regulator Assessment Authority (FRAA) Review, APRA is heightening its focus on system-wide risks and their potential impact on all our regulated industries. This includes establishing a cross-industry stress-testing regime to explore how shocks to one part of the financial system might spill over into other parts, posing a threat to financial stability.

In superannuation, we are looking closely at liquidity risk, including the valuation of unlisted and illiquid asset classes, as well as lifting transparency and addressing product underperformance. We also want trustees to meet the requirements of the retirement income covenant. Historically the superannuation sector has succeeded in helping Australians accumulate income for retirement but fared much poorer at offering options to manage that money through retirement. The retirement income covenant – which has joint focus between APRA and ASIC – will help with this, although our thematic review released in July found that progress to date needs to be better.

Declining affordability and accessibility of insurance is a risk to financial stability and is another key priority for APRA. It is also not an issue that any one party can fix on its own, and will require collaboration between insurers, regulators and governments. An area where APRA can assist is through the collection and provision of data that increases public understanding of risks and pain points. One example is the upcoming Climate Vulnerability Assessment for general insurance.  Its purpose is to understand the long-term impacts of physical and transition climate change on the affordability of household insurance in the community, which will help identify the magnitude and concentration of climate-driven cost changes. Armed with a better understanding of how climate change may impact insurance, all stakeholders can hopefully make better decisions now to prevent or limit negative consequences.

This segues neatly to the importance of data generally. Successful prudential supervision requires experience, judgement and intuition, but importantly it also requires an accurate picture of what is happening within individual entities, as well as at an industry and economy-wide level. APRA has been working to transform its data collection and analysis capabilities to enable more effective risk-based supervision, improve insights and enhance transparency. This process stepped up earlier this year with the creation of a new standalone Technology and Data division reporting directly to the APRA Members.

This is an ambitious and complex multi-year piece of work. Already, we have needed to rethink the pace, sequencing and priorities of our roadmap for transforming the data collections. In doing so, we are mindful of the importance of keeping industry informed and engaged and limiting regulatory burden as best we can. In the long-term, this important work will benefit everyone, including the entities we regulate who will no longer need to resubmit the same data multiple times. 

More detail on APRA’s initiatives is given in our most recent Corporate Plan, released in August. Our purpose and priorities are clear, yet we won’t be operating alone to address the risks we see. In a more complex, interconnected financial system where products, companies and services transcend traditional boundaries, clear, constructive and forward-looking engagement between regulators and industry is required. 

So too are strong ties between the regulatory community. Forums such as the Council of Financial Regulators and the joint administration of the Financial Accountability Regime are examples of collaboration in action. By working together appropriately, APRA, ASIC, the Reserve Bank of Australia, AUSTRAC and other agencies can better protect the community, balance the regulatory burden for entities and ensure there is still room for competition and innovation to flourish. 

On that note, I will hand over to my fellow regulators and I look forward to your questions.