Review of the private health insurance prudential framework: Building resilient insurers

Peter Kohlhagen, Senior Manager, Policy Development - Health Insurance Summit, Sydney

Good morning. It is my pleasure to be here today.

I would like to thank the summit organisers for inviting me to speak on APRA’s review of the existing private health insurance prudential framework. APRA’s relationship with the industry is still fairly new, so any opportunity to speak to you about our priorities and our plans is valuable.

The Summit provides an important opportunity for APRA to communicate with some of our stakeholders in the broader health sector, beyond the private health insurers with whom we have very regular dialogue.

I’m very happy to answer your questions at the end – as a principles based regulator, our preference is always for dialogue over dictation.

Focus of this speech

So far today we’ve heard interesting insights into affordability and the implications of National Health Reform on private health insurers.

I am going to focus on another topic: the importance of building resilient insurers and the work APRA is doing to support this through our policy Roadmap. A resilient insurer is one that is strong in the face of both current and emerging risks. A resilient insurer can withstand those risks and emerge still able to meet its promises to policyholders.

Out of interest, can I have a show of hands of those who feel that the private health insurance industry is well placed to respond to emerging risks at the moment…

Many of the emerging risks APRA observes are not directly within the control or purview of the prudential regulator – risks such as affordability, complacency, legacy, social licence… But the consequences, if these emerging risks are not appropriately addressed through sound risk management and governance disciplines, can quickly damage the financial and operational soundness of insurers. And that puts them firmly on APRA’s radar.

One emerging risk that has been discussed in the industry is affordability. I noted with interest recent comments by Medibank Chief Executive Craig Drummond, on this topic. The comments also neatly sum up sentiments expressed by others in the industry. Affordability is one of those risks that does not fall directly within APRA’s mandate. But we do have a keen interest in making sure that emerging structural risks to the system are identified and appropriately managed by insurers. In his remarks, Mr Drummond noted that he had “sat with customers in the last three months who have said that they simply can’t afford insurance” and “we have had people say to us they have cut back on their meat meals.” He went on to comment that “we should all be concerned about where we are in the system” and “it is not dire and the best way to ensure it doesn’t become dire is to deal with those issues”. I strongly support this sentiment. And it is a sentiment that resonates far beyond affordability to a range of other emerging risks and issues. Prevention is always better than cure, it is better to be proactive than reactive, and there is no better time than the present to build resilience in the system. By the time stress is upon us, it is too late.

I will have more to say on other emerging risks later in my remarks. But before I come to that, I will start by quickly summarising APRA’s take on supervision and the changing nature of risk - before offering a deeper perspective on APRA’s private health insurance Policy Roadmap.

PHI’s role in the health care system

Let me begin by noting that APRA recognises the role that private health insurance plays in the fabric of Australia’s health care system. It offers protection to people in their time of need and gives them peace of mind.

In 2016, private health insurers paid out $14.2 billion in hospital benefits and $4.8 billion in general treatment benefits. A recent Private Healthcare Australia survey found that the industry paid out more than $6.4 billion last year on claims that had a benefit payment of more than $10,000. Much of this was spent on long-term treatment for cancer, mental health and intensive care for babies and the elderly. The survey also noted that more high-tech care is taking place in this sector than ever before. These are just some examples of the value that private health insurance brings to Australian society.

As of March 2017, 55.5% of Australians had some level of general cover and 46.5% had some form of private hospital cover. That’s a lot of people who are relying on their insurer to be there for them in their time of need.

APRA’s mandate and changing nature of risk

Our duty as a prudential regulator is to establish and enforce prudential standards and practices designed to ensure that, under all reasonable circumstances, financial commitments made by the institutions we supervise – including private health insurers - are met within a stable, efficient and competitive financial system.

Or to put that more plainly, our role is to make sure that the insurers we supervise are resilient, and are able to keep the promises they have made to their policyholders, so that private health insurance can continue to play its important role in the Australian health care system.

APRA seeks to fulfil its mandate through three key capabilities:

  • The first is developing policy: that is, setting the minimum prudential standards that all insurers must meet;

  • The second is our supervision of entities – our day-to-day oversight of insurers to check they are not at risk of breaching minimum prudential standards; and

  • The third is resolution and enforcement – which provides means for APRA to intervene in the affairs of an insurer should it be at material risk of breach or failure.

These capabilities are critical for monitoring and addressing traditional areas of concern for APRA such as operational risk, insurance risk, market risk and capital adequacy, all of which form part of the broader framework for prudential supervision of insurers.

Yet despite having a clear and tested framework in place, we know that risks to entities and the financial system change over time. These changes arise as institutions grow and become more complex, as society and economies evolve, and as operating environments transform.

As an example, a recent PWC survey of financial industry CEOs found the top three risks of 2017 were change management, cyber risk and technology. Not a single one of these risks featured in the top 10 when the same survey was conducted in 2013 – at that time the top three risks were identified to be Regulation, Investment and the Macro-economic environment.

The changing nature of risk requires that both insurers and APRA remain vigilant to recognise new risks that arise from outside the traditional areas of concern for the prudential regulator. For APRA, this means an increased focus on risks associated with complacency, legacy, social licence and changing consumer behaviour across all insurance industries – and in the case of private health insurance in particular, risks associated with affordability and in the potential impact of any change to broader health policy.

So we know that change can happen quickly - especially in times of uncertainty – but this is nothing new for the entities we supervise. Despite the differences that make the industries we supervise unique, there are also some very important commonalities. In particular, we believe that being prepared for the unforeseen is a continual process that needs to be managed by all. This involves being forward-looking and aware of emerging risks, being agile enough to respond to risks and opportunities, and being resilient and prepared to respond to the unforeseen.

The Policy Roadmap was developed with this goal in mind.

PHI Policy Roadmap

Since assuming responsibility for the prudential regulation of private health insurers in July 2015, APRA has progressively undertaken a rigorous review of the existing private health insurance prudential framework to ensure it remains fit for purpose and able to support the APRA mandate both now and into the future.

Developed in consultation with stakeholders, APRA’s Roadmap consists of three phases: risk, governance and capital. Fundamentally, the proposals in the Roadmap are about building resilient insurers.

So it was natural that our first priority would be risk and risk management, because a resilient insurer has robust processes for identifying and managing current and emerging risks to its operations and financial soundness.

Phase two is concerned with improving governance, because a resilient insurer has robust governance arrangements designed to facilitate effective decision making in the long term interests of the insurer. And processes to make sure that the right people are in place to support those governance arrangements, people who have the right skills, people who are competent and people who can be trusted to behave appropriately with other people’s money.

And the final, third phase will review capital and solvency requirements. A resilient insurer has adequate amounts of capital. Because despite our best efforts at managing risk, risks can and do still emerge and can threaten financial strength. Holding adequate capital allows time for insurers to weather losses and emerge still able to meet their promises to beneficiaries.

The first phase is now nearing completion.

Focusing on risk management from the outset reflects the importance APRA places on having an effective enterprise-wide risk management framework. It reflects APRA’s experience in developing and implementing a cross-industry prudential standard on risk management - CPS 220 - and addresses a key gap in the prudential framework for private health insurers.

In December 2016, APRA released a discussion paper proposing to apply the cross-industry risk management standard CPS 220 to all private health insurers. APRA invited feedback on the standard and the accompanying practice guide. This included proposals for specific, clear expectations of the board’s role in risk management, clear documentation of risk policies and procedures including a board approved risk appetite statement, review and challenge of decision-making by an operationally independent risk management function headed by an appropriately qualified chief risk officer and ongoing review of the operation of the risk management framework by internal and external audit. Of particular relevance to smaller, less complex private health insurers, APRA proposed to allow scope for alternative arrangements to some of these requirements, where an appropriate case could be made that a different approach could still meet the objectives of the standard.

We were pleased to have received extensive feedback from the industry. And even more pleasingly, there was unanimous support for the introduction of a risk management standard. Submissions queried aspects of APRA’s proposals including the definition of material risks, and in particular the treatment of credit risk, the approach to granting alternative arrangements and the length of the transition period.

APRA has this morning released our response to submissions, together with final standards and guidance, for implementation from 1 April 2018. Importantly, the response paper sets out the process and timeframes for insurers to apply for alternative arrangements. We encourage insurers to speak to their APRA supervision team about their intentions in this regard if they haven’t already done so.

APRA, and PHIAC before it, have engaged extensively with the industry over a significant period of time on risk management and we assess that most insurers are well placed to comply with the standard. We look forward to continuing to work with private health insurers as we move into the implementation phase of this process.

We are now commencing Phase 2 of the Roadmap: a comprehensive review of matters relating to Governance. We anticipate releasing proposals for consultation later in 2017. Similar to risk management, APRA has in place existing cross industry prudential standards on governance matters - CPS 510 Governance and CPS 520 Fit and Proper – that reflect our experience supervising institutions across the financial system. We anticipate that the principles underpinning these standards are likely to be appropriate to the private health insurance industry – and that will be the starting point for our review. We will of course conduct a robust review process to satisfy ourselves of their appropriateness in this context and then test our conclusions through consultation with stakeholders.

Moving on from risk management to focus on governance will give APRA greater confidence in the performance of Boards and senior management to be able to identify, communicate and take action on potential risks facing an institution.

APRA’s review will include consideration of issues such as the independence of directors, their tenure, assessment and appointment processes, as well as expectations around board composition, board committee structures, remuneration structures and board-level engagement with APRA.

As part of the review of governance, APRA will consult on establishing a fit and proper prudential standard for directors, senior managers, auditors and appointed actuaries of private health insurers. We anticipate that the standard would be aligned with the provisions in APRA’s existing cross-industry standard on fit and proper - CPS 520. The key requirement of CPS 520 is for each institution to have a board-approved policy on fitness and propriety, and to assess the fitness and propriety of key executives and board members on both appointment and on a regular basis. And of course where the rubber hits the road is the requirement that when a responsible person is assessed as not being fit and proper, the institution must take prompt steps to remove the person from their responsible position.

APRA also plans to review the prudential functions of private health insurance auditors. All other industries regulated by APRA have separate audit standards, which provide for independent assurance of prudential matters by an appropriately qualified auditor. It would come as no surprise to hear that the auditor plays a key role in providing assurance on the annual accounts and the regulatory returns to APRA in all our regulated industries. But auditors in the other industries also provide assurance to the board and to APRA that the institution has appropriate and effective controls in place to allow them to comply with all prudential requirements. This stands in contrast to the private health insurance industry, where prudential standard requirements are currently far more limited in their scope. APRA will give careful consideration to whether this difference should remain as part of our Phase 2 review.

APRA encourages all private health insurers to review the existing cross-industry prudential standards – particularly CPS 510 on governance and CPS 520 on fit and proper – and consider where there may be gaps between their own practices and these standards. Insurers that engage with these standards early will be better placed to implement any necessary changes in due course.

Lastly, Phase 3 of the Roadmap will review the private health insurance capital standards. Capital standards are a crucial financial safety component of every solvency regime. These standards aim to ensure that a private health insurer has a sufficient buffer of capital to allow it to navigate its way through stressed times and continue to meet its obligations to policyholders.

In our Roadmap letter to industry, we noted that we didn’t anticipate commencing a review of prudential standards HPS 100 Solvency or HPS 110 Capital Adequacy before 2018/19 unless pressing prudential concerns emerged that warranted an earlier review. And as I stand here today, that is still our conclusion. These standards were comprehensively reviewed by the previous regulator, PHIAC, and implemented in 2014. Importantly, undertaking the review of capital standards as Phase 3 of the Policy Roadmap will allow time for both the industry and APRA to assess implementation and effectiveness of the current standards. Of course, this is subject to us continuing to not have prudential concerns arise in the meantime which may warrant an earlier review.

We often get asked whether APRA intends to align the capital standards with those that apply to other insurers. So far we haven’t made any decisions on that but we do anticipate further alignment to be among the options considered in the review and whether lessons learned in other industries could also be beneficial for private health insurance.

I would say though, that there are significant benefits in financial institutions across different parts of the financial sector using a common language on capital. When APRA comprehensively reviewed the capital frameworks for life insurers and general insurers a few years ago, we aligned the overall structure of the capital frameworks. That didn’t mean that the standards were one size fits all – they retained significant industry specific differences to account for the differing structures and risks in the two industries. But common risks receive consistent treatment and APRA, insurers and other stakeholders have benefited from a common language when talking about capital.

So this is our three-phased Policy Roadmap in brief – and I’m happy to take some questions you may have on this at the end.

But let me now shift into some of the emerging challenges on the horizon that we see impacting the private health insurance industry… I have already spoken about affordability – but these are some of the other risks that motivate our work on the Policy Roadmap.

Addressing complacency and risk management / governance

Similar to our observations in other insurance sectors, we see a risk of complacency developing in the private health insurance space, which may lead to less than optimal risk management and governance practices in the industry. A tendency towards complacency can be a consequence of long periods of relative stability over the years, both within the industry and in the Australian economy generally. Complacency is the enemy of resilience.

APRA recently concluded a thematic review of risk management practices across all private health insurers. Findings from the review have been published on the APRA website in a letter to industry, and indicate that the private health insurance industry is in the early stages of its journey to building strong risk governance.

Although the review showed that many individual insurers had given consideration to risk management and governance within their organisations – there was significant variation between insurers in terms of the maturity of processes. I encourage insurers to review the findings of the letter in detail, but to give you a flavour, common recommendations related to:

  • information flow to the Board, including analysis and reporting on risk;

  • independent review of the risk management framework;

  • establishing enterprise wide risk management frameworks and internal control environment;

  • reviewing risk assessment processes;

  • strengthening both the first and second lines of defence; and

  • enhancing project management, business continuity management and outsourcing disciplines.

Overall, this gave APRA an indication that risk governance and risk management arrangements require further work by insurers. We are confident that the introduction of APRA’s enterprise-wide risk management and governance frameworks will help boards and senior management of private health insurers to overcome these and other challenges.

As we continue to work through our Policy Roadmap - you can expect APRA to maintain focus on this area.

Other emerging risks

Before concluding, I’d like to briefly survey a few other emerging risks that have hit APRA’s radar across the insurance industries. APRA has discussed many of these issues in more detail in other forums:

First is legacy - we have observed that across all insurance sectors many entities are burdened by a complex legacy of products, processes and systems, which heighten operational risk and make it challenging for insurers to adapt to changes in the external environment and to innovate in ways that meet the needs of today’s consumers.

In the private health insurance space, large numbers of products on offer (estimate being tens of thousands), perceptions of complexity, and poor understanding of product features are just some of the symptoms of legacy – highlighting the potential danger that this can ultimately lead to eroding consumer confidence and community trust.

Insurers will come under increasing pressure to innovate in ways that respond to changing consumer expectations and changes in the external environment – and this task is made more difficult by the current legacy environment.

Second is social licence. You may have heard APRA Member Geoff Summerhayes speak before about social licence - the idea that companies must maintain the trust of the communities in which they operate. Alongside effective regulation, social licence is an essential element of financial safety and system stability.

Many in this room will have observed how quickly the reputation of a company or industry can be threatened when it fails to meet consumer expectations. In recent times, we have seen examples of this both within the financial sector but also more broadly. Companies that fail to align their values in today’s changing consumer landscape will quickly find out how individual consumers now have, through social media, a means of directly influencing the reputation of a company. Recent action by the ACCC against two insurers is just an example that demonstrates an environment of heightened reputational risk.

The third is of particular importance to the private health insurance industry – APRA has previously noted that the industry is exposed to risks arising from fundamental changes in health policy settings, which can have significant impacts on the financial well-being of the sector through changes in participation rates and revenue. Product design, community rating, risk equalisation, portability, these are all subject to health policy. This environment demands vigilant attention.

Risks such as these, if not appropriately identified and managed, can ultimately threaten an insurer’s soundness, bringing them firmly within the interest of the prudential regulator.

APRA is also innovating

At APRA, we also see ourselves as part of the broader system that needs to evolve and embrace change.

If we are to facilitate continued development of a responsible, viable and innovative private health insurance industry - we must be flexible in embracing new modes of service provision that may not neatly fit into the current regulatory mould. We must also build the necessary resilience to confront emerging risks and meet changing stakeholder expectations.

With this in mind, we are reviewing our licensing framework to see how it can be improved to accommodate new products and services to consumers. We are also paying close attention to what other regulators – both domestic and foreign – are doing in this space.

In addition, we are continuing to invest in new risk and data analytic capabilities – which will help us become more efficient in our daily operations, and enhance our understanding of financial risks facing the entities we supervise as well as the system overall.


To conclude, APRA wants to see a private health insurance industry that is strong, agile and forward-looking. In a word: a system that is resilient.

Prudential supervision is a long term, multi-year journey, and we are still in the early stages of our journey in this industry. The Roadmap is designed to strengthen the resilience of insurers in the face of severe but plausible stresses, while continuing to meet the health needs of the Australian community.

Specifically, this means building a system with the agility and risk management capability necessary to respond to the changing nature of risks affecting the broader insurance space – including those related to affordability, complacency, legacy and social licence. But also including others that aren’t yet on anyone’s radar. To reiterate my earlier comment, as new risks continually emerge, there is no better time than now to build resilience in the system. By the time stress is upon us, it is too late.

APRA stands ready to work with the industry to enhance and maintain an innovative and financially stable private health insurance system that provides peace of mind to millions of Australians.

Thank you and I look forward to taking your questions.

The Australian Prudential Regulation Authority (APRA) is the prudential regulator of the financial services industry. It oversees banks, mutuals, general insurance and reinsurance companies, life insurance, private health insurers, friendly societies, and most members of the superannuation industry. APRA currently supervises institutions holding around $9 trillion in assets for Australian depositors, policyholders and superannuation fund members.