Skip to main content

APRA Chair Wayne Byres - Speech to the Australian Banking Association National Economic Series

An ambitious agenda

Wayne Byres, Chairman - Speech to the Australian Banking Association National Economic Series, Sydney.


APRA's 2019-23 Strategy: Deliver four key community outcomes

There is never a dull moment in the financial sector, and so there’s never a moment’s rest in APRA. To help us prioritise, and to be clear as to the goals we are pursuing, our Corporate Plan for 2019-23 identified four key outcomes we want to deliver for the Australian community: 

  • maintain financial resilience and stability;
  • improve member outcomes in superannuation;
  • transform governance, culture, remuneration and accountability in financial institutions; and
  • improve cyber resilience across the financial system. 

All require significant amounts of work. Financial stability requires constant vigilance, and maintaining financial resilience is a core task for APRA. Improving member outcomes in superannuation is critically important, for both individuals – for whom super will be their largest or second largest financial asset – and for broader economic prosperity. And cyber resilience is rapidly increasing in importance as we embrace a connected, digital life, eager to harness the benefits technology brings but also exposing ourselves (often unknowingly) to new risks and threats. 

But in the time I have today I want to focus on our ambitious agenda in relation to governance, culture, remuneration and accountability – or GCRA as we have come to short-hand it. Each of the constituent parts is important in its own right, but we see them as highly inter-dependent. It is difficult to genuinely claim to be strong in one if you do not have reasonable strength in the others. Moreover, it only takes weaknesses in one to undermine the other three. 

An expanding domain

The Royal Commission highlighted a range of shortcomings in relation to GCRA when it came to conduct and behaviour in the financial system. Incentives encouraged staff to push (and sometimes go beyond) the boundaries of acceptable practice. Problems went undetected and/or un-escalated for too long. And even when raised and remedied, there seemed to be little consequence for allowing problems to occur and persist in the first place. Collectively, they delivered very poor outcomes for many consumers. 

Unfortunately, this storyline is not new. The global financial crisis more than a decade ago highlighted excessive financial (rather than conduct) risks in global finance, but with many of the same root causes: misaligned incentives, poor risk identification, and an absence of consequence. Collectively, they delivered very poor outcomes to many communities and economies. To borrow a phrase, history doesn’t repeat but it often rhymes. 

So in recent years prudential supervisors around the world have given greater attention to GCRA. The regulatory and supervisory approach is, relative to traditional prudential risks, still very much in its infancy, with little consensus on the most effective way to tackle the task. We are obviously sharing ideas and experiences with our peers, but unfortunately there is no roadmap to guide us. 

Starting with our goal – to transform governance, culture, remuneration and accountability across the financial sector – I have to admit we chose the word ‘transform’ deliberately but with some trepidation. Transform obviously means more than just improvements at the margin. It implies ambition, and means significant change. We are setting out to make a real difference. 

We don’t underestimate the challenge. And given the scale of the task, it won’t be done overnight. It is a four-year plan for APRA, and we’ll need every bit of that time to drive change and observe whether we’ve been successful. We’re aided by the fact that, in many areas, the industry is seeking to change itself. Generally speaking, we are not swimming against the tide. But what the Australian community wants to see is that improvements in governance, culture, remuneration and accountability are not a short-term fad, dismissed once the spotlight swings elsewhere. They must be long-lasting. 

Before looking forward, however, I’d like to briefly look back. I do so to make the point that this is not new territory for APRA. 

Prior to the failure of HIH Insurance in 2001, APRA’s regulatory framework had little in the way of standards for so-called behavioural issues. We had a clear set of financial requirements (although HIH showed that in some areas they were quite inadequate). We also had a range of risk management requirements for specific (mainly financial) risks. But in areas that related to behaviours – matters such as governance, board composition and independence, fitness and propriety, remuneration and incentives – there was basically nothing. 

Since then, major developments have included:

  • the introduction in 2006 of standards in relation to board governance and fitness and propriety;
  • following the GFC, new requirements were added in 2010 on remuneration, consistent with emerging international principles;
  • in 2014, we finalised for introduction the following year new requirements for boards to actively consider the risk culture in their organisations; and 
  • most recently, the Banking Executive Accountability Regime (BEAR) gave APRA a much stronger role in enforcing accountability.

Each ratcheting up of regulatory requirements was highly contested, and not just in terms of the best policy settings: it has also raised questions about the role of a prudential regulator. However, both the Royal Commission and our own Capability Review firmly concluded APRA needed to do more to broaden its focus in relation to GCRA, set more robust standards, and intensify its scrutiny and challenge of financial institutions. We intend to do that.

In fact, we already are. As an example, take the 36 self-assessments conducted against the CBA Prudential Inquiry report. We have imposed (including the original add-on for CBA) $2.75 billion of additional capital requirements, and are actively monitoring more than 1,200 actions that have been included in rectification plans across the population of institutions.

Looking ahead, how do we intend to build on this? Broadly, it will involve three components:

  • strengthening the prudential framework;
  • sharpening our supervision of GCRA; and
  • sharing our insights and findings with industry and the broader community. 

In total, it is an ambitious agenda. We are not aware of any peer regulator who has such an aspirational and wide-ranging plan. We are taking ideas from others and combining them with our own to build an approach that we believe is capable of driving genuine improvements across the industry.

Let me say a few words about each component.

Strengthening the prudential framework

First, the prudential framework. Our existing standards are largely principles-based. That remains our preference where possible, given the diversity of institutions and circumstances they need to cover. Hindsight, however, tells us they have not been as effective as they need to be in promoting robust governance, healthy corporate cultures, appropriate remuneration outcomes, and clear accountability. So as the standards are reviewed, it is inevitable they will become, at least in places, more prescriptive. 

A good example is our proposed new remuneration requirements. Whereas our current standards contain no quantitative requirements about the way remuneration arrangements work,1  the draft new standards include specific limits, such as a maximum cap on the use of financial metrics within variable remuneration and specified minimum deferral periods. More generally, they have a more prescriptive tone throughout, reflecting the conclusions from our own review of remuneration practices published in 2018, and the subsequent recommendations of the Royal Commission.

Unsurprisingly, our proposals have not been warmly welcomed. Various stakeholders – managers, directors, investors, shareholders – have each found something to seriously dislike. We have had no shortage of feedback. 

My challenge to those engaging in the debate is to provide us with an alternative to our proposals that isn’t just the status quo, because outcomes from the status quo have been found unacceptable. There are two broad ways change can be achieved: more prescription by APRA, or a material change in industry practice, particularly in the use of discretion by boards when considering remuneration outcomes. The most efficient approach would undoubtedly be the latter, but the evidence suggests that will be very difficult, if not impossible, without some form of regulatory backing. 

It is not only remuneration where the prudential framework will be strengthened. 

We plan to update CPS 510 Governance and CPS 520 Fit and Proper to take account of recent experience and international developments. CPS 510, in particular, will be redesigned with a view to more clearly articulating APRA’s expectations of effective board oversight, and empowering supervisors to better identify and act upon boards that are ineffective. 

In doing so, I want to emphasise that this is not intended to impose more obligations on boards. There is already an expectations gap in the community between what boards can do, and what is sometimes expected of them. And I acknowledge we have in the past been accused of adding to that problem. 

We are well aware that it helps no one to ask boards to play a role they cannot play. Nevertheless, we rely on effective boards providing strong governance and oversight as part of the supervisory framework. So in rethinking CPS 510, our goal will be to not add materially to an already long list of responsibilities and duties, but rather to consider how we can best equip and enable boards to perform existing roles well.

We will also be reviewing CPS 220 Risk Management. We need to make sure it remains fit for purpose. Areas for review will include the effectiveness of board obligations in relation to risk culture, the relative emphasis on financial and non-financial risks, and the clear need to strengthen the (relatively weak) requirements in relation to compliance and audit functions. 

And then finally, a major strengthening of the regulatory framework will come from the Government’s plans to extend the BEAR beyond the ADI sector, and to encapsulate conduct-related matters as well. APRA is a strong supporter of this initiative, recognising the positive impact that the BEAR has had to date. We will be working closely with the Treasury and ASIC to deliver on the Government’s ambitious timetable for this roll-out.

Sharpening our supervision

New regulations won’t be enough on their own. So that brings me to the second component of our new approach: sharpening our supervisory practices.

Here, we have a range of initiatives. First and foremost, we are using additional funding approved by the Government to bolster the resources devoted to GCRA-related activities. We established a centre of expertise in this area in 2015, but it has always been a small team, with a single digit number of staff. Looking forward, we see the central team expanding to at least 20. We have also decided to head the team with a senior executive at General Manager level with the sole responsibility for driving our agenda forward.

We are developing improved and new tools to help us identify, assess and deal with shortcomings in GCRA practices. Our PAIRS model – which has been the mainstay of APRA’s risk assessment process for more than 15 years – is being completely overhauled. This overhaul goes well beyond GCRA-related issues, but one objective is to ensure those issues have sufficient weight with our overall risk assessments. We expect to roll out our new model in the first half of 2020.

We are also going to be making use of new types of reviews and investigations to examine GCRA practices. For example, we envisage making greater use of GCRA declarations and self-assessments in the supervision framework, building on the existing framework of risk management declarations. We envisage this could involve:

  • annual GCRA declarations, along the lines of the declarations provided for risk management under CPS 220 Risk Management; and
  • periodic GCRA self-assessments, as well as independent reviews, to supplement the annual declarations.

The exact specifications will need to be consulted on as part of the process of strengthening the prudential framework. There will need to be scope to tailor requirements to the nature, size and complexity of regulated entities. Nevertheless, we agree with the panel that conducted the Capability Review that embedding self assessments in a structured way into APRA’s supervisory processes will lead to a positive and sustained uplift in GCRA practices by all financial institutions. It will also rightly put the onus on institutions to keep these issues under constant review, rather than relying on APRA to identify and call out issues through its own supervision activities.

However, we don’t think declarations and self-assessments themselves will be sufficient: as they say, trust but verify. So we will utilise a spectrum of supervision activities to triage areas of potential weakness and then, where needed, intensify our supervisory effort.

At one end of the spectrum, APRA will continue its supervisory reviews, of the type we routinely do now, to assess GCRA practices within regulated institutions. These will be supported by the development of new supervisory guidance to enable supervisors to better assess, in a more structured manner, GCRA issues. We will be seeking to go beyond assessing the adequacy of policies and frameworks, as important as that is, to make sure we are also assessing effectiveness and outcomes. We also plan an active program of thematic reviews, led by our central team that will examine topics such as the role and effectiveness of board committees, processes undertaken to assess board effectiveness, and the alignment of remuneration outcomes with risk outcomes. Where particular concerns are identified at individual institutions, more intensive examination will occur through ‘deep dive’ reviews of specific areas, possibly drawing on external expertise to assist us. And where there is material concern about potential widespread deficiencies in GCRA practices, APRA can employ either a Prudential Inquiry, as was conducted for CBA in 2017/18, or a more formal investigation under the relevant industry Act.2 

Partnering with experts will be an important part of our approach. Some of APRA’s increased funding will be deployed to engage external experts, from other regulators, academia and the private sector, both domestically and internationally. Being able to draw on this type of expertise on an ‘as needs’ basis to assist with reviews and inquiries of individual institutions, and to help plan, challenge and review the findings from our thematic work, is likely to be more effective and efficient than seeking to develop an entirely in-house capability.

Not all expertise need be human. We intend to make use of technology, such as natural language processing, to help target our scarce resources. Our early trials of this technology have been highly promising, helping identify potential areas for more detailed attention via the deep dive reviews I referred to earlier. And we plan to explore industry surveys, akin to that conducted by the UK Banking Standards Board, to measure and monitor changes in standards of behaviour, competence and culture across the industry. We will seek to use our data analytics capabilities to interrogate the responses, and to provide evidence of the extent to which positive changes are (or are not) occurring.

I want to finish on this point by noting that, notwithstanding this increasing intensity of GCRA supervision, APRA’s supervisory philosophy remains firmly founded on the premise that the ultimate responsibility for the prudent management of a financial institution rests with its board and management. That is not changing. However, the intensity of our oversight, and our preparedness to compel rectification action, is certainly increasing. This is essential for both strengthening the resilience of financial institutions and restoring community trust in the financial system as a whole.

Sharing our insights

Let me quickly turn to the third component of our new approach: sharing our insights.

The APRA Capability Review emphasised the importance of increased transparency and communication as an important tool for driving sound prudential outcomes. We agree. 

Our goals from increased transparency and communication are:

  • to inform – by explaining APRA’s overall supervisory approach, methodology, views and outcomes; 
  • to influence – by conveying key messages that help to deter poor behaviour, promote better practice and maintain confidence in the Australian financial system; and
  • to drive accountability – by holding entities and individuals to account. 

Of course, a prudential supervisor must always be careful about what it discloses: increased transparency must be weighed against potential risks to financial stability, particularly in relation to the resilience of individual regulated institutions. We have looked at the practices of peer international regulators on the use of communication to support supervisory objectives: our current practices are broadly in line with those of our peers in relation to the nature of information that is publicly disclosed. 

However, we think we can take the lead compared with our peers here, without triggering undue concern. We are therefore actively looking to expand the range of material we publish about key areas of supervisory focus (not just in relation to GCRA), and the associated findings. You may have seen that we have recently been more much transparent about a number of our enforcement actions. We will be doing likewise shortly in relation to superannuation heat-maps for member outcomes. 

In a similar vein, we see GCRA-related issues as less likely (at least most of the time) to trigger financial stability considerations, and therefore they’re a good candidate to bring greater transparency into play. Our intent is to actively share our findings and insights in relation to GCRA with the industry and the wider public. We will also be examining sorts of information institutions themselves should routinely make public. 

We are still reviewing all of the options available to us, and of course will need to consult on any new requirements we impose. But at the very least we foresee routinely making public reports on all thematic reviews and the risk governance self-assessments (including identifying the institutions that are demonstrating better or poorer practice), insights from our risk culture deep dives, and, wherever possible, reports from Prudential Inquiries and similar investigations. As we flesh out the specifics of the regulatory and supervisory framework for GCRA, we will see what else can be added to the list.

Concluding Remarks

The message from recent commissions, reviews and inquiries is clear: regulated institutions must lift standards of governance, improve their internal cultures, and embed systems and practices of remuneration and accountability that support the long-term interests of their full range of stakeholders. While responsibility for that transformation must remain with the institutions themselves, another message from those reviews and inquiries is that APRA has an important part to play. 

The development of APRA’s GCRA capabilities is being significantly accelerated. Armed with additional supervisory resources and expertise, and backed by a strengthened prudential framework, APRA will set and enforce higher industry standards. Success will entail:

  • stronger governance frameworks and processes, providing robust oversight of organisational activities;
  • organisational cultures that acknowledge the need for risks (of all types) to be prudently managed, and to deliver outcomes that balance the interests of all stakeholders;
  • remuneration arrangements that reflect a holistic assessment of performance and risk management; and
  • clear accountability (individually and collectively) for outcomes achieved.

If we achieve these outcomes, APRA will have enhanced the financial resilience of regulated entities, reduced the likelihood of poor behaviour and misconduct, and helped to restore community trust and confidence in the Australian financial sector. 

It is an ambitious agenda, undoubtedly, but one we are committed to delivering on.


1. Strictly speaking, there is one quantitative requirement within the remuneration requirements: that a Board Remuneration Committee must have at least three members.

2. It is worth noting that decision to undertake the probe into CBA in the form of a Prudential Inquiry was largely driven by (i) deficiencies in APRA’s formal investigation powers under the Banking Act 1959, and (ii) a firm commitment from the Board of the CBA to cooperate fully. Subsequent legislative amendments to APRA’s powers means a formal investigation is now a more realistic option, especially in instances where the financial institution is not fully cooperative with APRA.

3. The BSB’s most recent survey in 2018 covered 26 banks and building societies across the UK. More than 72,000 respondents participated in the survey.

The Australian Prudential Regulation Authority (APRA) is the prudential regulator of the financial services industry. It oversees banks, mutuals, general insurance and reinsurance companies, life insurance, private health insurers, friendly societies, and most members of the superannuation industry. APRA currently supervises institutions holding around $9 trillion in assets for Australian depositors, policyholders and superannuation fund members.