APRA Insight Issue Four 2017
APRA Insight provides information on APRA’s main policy initiatives and on key developments in the financial industries that APRA supervises.
Residential mortgages: Update on interest-only lending
Over recent years APRA has increased its focus on housing lending by authorised deposit-taking institutions (ADIs) to reinforce prudent lending standards and ensure ADIs are resilient to changing conditions in the housing market. In an environment where household indebtedness is high and increasing – underpinned by historically low interest rates, subdued income growth, and high house prices – APRA announced in March this year new expectations in relation to ADIs’ interest-only lending1.
This article considers the profile of interest-only lending in Australia and recent trends in these types of loans. In addition to monitoring the volume of these loans, APRA also monitors a range of key metrics and trends relating to interest-only lending. APRA has seen some improvements across a range of loan features that indicate ADIs are reducing their risk in interest-only lending portfolios.
Interest-only lending allows borrowers to pay only the interest accrued on a debt rather than reducing the principal debt balance of the loan. As such, borrowers make smaller (interest only) payments in the early stages of the loan, although this results in them paying more over the life of the loan with larger repayments after the interest-only period ceases.
Over recent years, it has been common place for borrowers to refinance or extend the interest-only terms of their loan. This, in turn, has made it relatively simple for borrowers to avoid paying down their principal debt over an extended period of time. As such, in an environment where household indebtedness is high and increasing, APRA regarded the higher proportion of interest-only lending among ADIs to be worthy of additional scrutiny.
In March this year APRA announced its expectation that ADIs should limit new interest-only lending to no more than 30 per cent of their total new housing loans in a given quarter. APRA allowed a short implementation period, with ADIs expected to operate below the 30 per cent benchmark from the quarter ending 30 September 2017.
ADIs reacted quickly to this announcement and Figure 1 shows that, in aggregate, the 30 per cent benchmark was achieved for the September quarter. Interest-only lending represented approximately 23 per cent of new lending for the quarter, which is a reduction of $14 billion or almost 40 per cent when compared to the same quarter last year. Although the reduction in new interest-only lending has been significant, principal and interest lending increased such that there has been no material impact on the volume of new housing lending overall (Figure 2). This indicates there are a material number of borrowers who may have previously sought or been offered an interest-only loan are now opting to make principal and interest payments, and therefore reducing their indebtedness.
Although APRA’s interest-only benchmark was only applicable to new lending, a number of ADIs have encouraged existing interest-only borrowers to switch to principal and interest repayments prior to the end of their interest-only terms. APRA’s monitoring of this switching activity indicates a significant increase in the number of existing interest-only borrowers switching to principal and interest repayments. This level of switching has been so significant that it exceeds the volume of new interest-only lending. In all, these changes have resulted in a decrease in the amount of interest-only loans outstanding in Australia, which had been building for some time.
High LVR loans
Borrowers seeking interest-only loans that represent a significant proportion of the property value (high loan to valuation ratio (LVR)) have been of particular interest to APRA. For a given property value, the higher the LVR at origination, the larger the debt for a borrower. A high LVR loan that is also interest-only indicates both a relatively low equity contribution at origination, and a borrower that does not have a contractual commitment to build any equity for a period of time. As a result, in addition to the introduction of the interest-only benchmark, APRA also encouraged ADIs to strengthen lending practices and set clear limits around high LVR interest-only lending.
While very high LVR lending (greater than 90 per cent) has been reducing over the last few years, there has been recent tightening in LVR policies which has led to a noticeable reduction in lending at LVRs of equal to or greater than 80 per cent. At the start of 2017, most ADIs were willing to lend on interest-only terms up to a maximum LVR of 90 per cent. That figure has subsequently reduced to around 80 per cent for both owner-occupier and investor interest-only loans. This downward trend in high LVR interest-only lending has also contributed to broader improvements in the LVR profile of residential mortgage portfolios.2
Another risk factor for an interest-only loan is the length of the interest-only period. Longer interest-only periods increase the risk of losses for the lender if the borrower should default, and also increase the payments that the borrower will face once the interest-only period ends. APRA first encouraged ADIs to limit lending at lengthy interest-only terms in late 2014 in a letter to industry, and this message was strengthened by the Australian Securities and Investments Commission (ASIC) report on interest-only lending released in August 2015.3 Together, these actions have led to a considerable reduction in maximum interest-only terms, as well as a reduction in new lending at interest-only periods greater than five years.
Many ADIs previously allowed quite generous interest-only periods of up to 10 years for both owner-occupiers and investors. At the extreme, a small number of ADIs allowed up to 15 years of interest-only repayments for investment lending. Most ADIs have since tightened their maximum interest-only periods with none of the largest ADIs allowing interest-only periods of greater than five years for owner-occupiers (Figure 3). A small number of ADIs still allow for interest-only periods of up to 10 years for investors, however in practice loans funded on these terms account for less than one per cent of new lending (Figure 4).
Types of borrowers
A large proportion of investors continue to seek interest-only loans, with tax incentives likely to be a motivating factor. In the most recent period, around 38 per cent of new investors opted for an interest-only loan. Nevertheless, this has reduced dramatically from 67 per cent since the introduction of the interest-only benchmark in March this year (Figure 5).
The motivations for owner occupiers to avoid a principal and interest loan have been less clear. Owner occupier interest-only lending has increased steadily over time to a high of $240 billion in March 2017, or 25 per cent of total outstanding owner occupier loans. Recent tightening of lending policies has seen a significant reduction in interest-only owner occupier lending, with most recent data showing approximately 15 per cent of new owner occupier borrowers receiving an interest-only loan. Based on loan-to-income data collected by APRA, interest-only owner occupiers are also slightly more likely to be highly leveraged than the average owner-occupier.
Although there may be legitimate reasons for owner occupiers to seek interest-only loans, ADIs are expected to apply prudent lending standards to the assessment of all loans. For interest-only loans this includes assessing the borrower’s ability to repay the loan over the remaining principal and interest term.4 ASIC also has a particular interest in this area and is in the process of reviewing the lending practices of a sample of ADIs.5
Since the start of the year, APRA’s actions on interest-only lending has resulted in a significant reduction in the volume of new lending, with the 30 per cent benchmark achieved for the September quarter. APRA has also observed improvements in a number of risk metrics relating to interest-only loans. Some of these improvements have occurred over time, while others have occurred more recently as the result of APRA’s increased scrutiny of interest-only lending since its March announcement.
APRA will continue to encourage ADIs to review potential areas of risk and vulnerability within residential mortgage lending portfolios, including those risks relating to interest-only loans. APRA will devote a large portion of its supervisory resources to housing over 2018 and maintain its focus on reinforcing prudent lending standards and practices in the banking sector.6
1 Refer APRA’s letter to industry dated 31 March 2017: Further measures to reinforce sound mortgage lending practices. (Click here to go back)
3 Refer to APRA’s letter to industry dated 9 December 2014: Reinforcing Sound Residential Mortgage Lending Practices and ASIC’s 2015 report on interest-only lending. (Click here to go back)
Insights from APRA’s 2017 Cyber Security Survey
APRA conducted its first survey of cyber awareness and risk management among its regulated institutions in 2015/16. In June this year, APRA revisited the survey to assess the nature of cyber incidents over the most recent 12-month period, and gauge the extent of change in the period between the surveys. This article outlines the findings from the 2017 survey, and reiterates the need for continued vigilance in cyber security among APRA-regulated institutions.
For the 2017 survey, APRA recognised that technological developments had continued to expand the attack surface for cyber adversaries, who had also grown more sophisticated developing new methods of attack. While no APRA-regulated entity has, to date, suffered a material loss due to a cyber attack, the survey results, combined with intelligence from APRA’s supervisory activities, confirm that all institutions must operate on the basis that cyber-attacks remain a significant threat. Moreover, they are likely to become increasingly frequent and sophisticated. Institutions must recognise there is no ‘finish line’ for cyber risk management, which requires ongoing vigilance, improvement, investment and oversight.
APRA compiled responses from 38 regulated institutions (including, for the first time, private health insurers), and four non-regulated service providers to the financial sector. Approximately half (predominantly larger entities) were common to the 2015/16 survey.
Several themes from APRA’s previous survey remained current in 2017 including: common attack methods; plausible cyber scenarios; board and executive management reporting; risk and assurance; threat intelligence sources; and sound practices. As per the 2015/16 survey1, incidents reported by entities varied in nature, sophistication and impact, and occurred with similar frequency. Table 1 below outlines the most common types of cyber-attacks described in the 2017 survey.
|Ransomware and other malware||By far the most prevalent incident reported. Involves malicious software used to encrypt data for the purpose of a ransom demand.||Underscores the need for effective anti-malware solutions and rehearsed incident response plans, as well as the importance of back-ups which cannot be compromised by the same attack.|
|Distributed Denial of Service (DDoS)||The second most prevalent incident whereby digital services are overwhelmed by fake requests, preventing access by legitimate users.||Highlights the need for entities reliant on digital channels to have effective DDoS mitigation strategies.|
|Hack of an internet-facing platform||Attackers were able to execute commands on the affected servers to create and delete files. Hardened configurations, end-point protection and network segmentation prevented attackers from accessing sensitive customer data.||Illustrates the benefit of a ‘defence in depth’ approach which limits the impact of the initial compromise.|
|Leakage of sensitive data||Incidents included sensitive data being sent by an employee to a private (external) email address. Data loss prevention controls logged that data had been sent externally, and were subsequently strengthened to prevent a similar incident.||Emphasises the need for effective data loss prevention solutions.|
|Phishing attacks||In one instance, online banking credentials used by an entity’s finance department were compromised. An unknown third party used these credentials to change recipient details for an existing payment, but ‘maker-checker’ controls detected the unauthorised change before payment was made.||Emphasises the need for staff and customer education regarding cyber safety, and appropriate fraud ‘stop loss’ controls.|
|Website defacement||Attackers defaced a number of websites.||Demonstrates the need for continual monitoring to identify unauthorised change activity.|
While no respondents reported an advanced persistent threat2 (APT), these are inherently difficult to detect (months and sometimes years after initial intrusion), necessitating ongoing investment in detection capabilities.
As with the previous survey, organised crime remained industry’s greatest cyber concern. In APRA’s view, entities must consider both external and internal threats, with internal threats able to more easily bypass perimeter and other controls. Vigilance over access management (particularly privileged access) and effective oversight of controls at trusted third parties and offshore locations is essential.
Information asset currency (hardware and software)
This was a new topic in the 2017 survey, finding only 50 per cent of respondents with all information assets within mainstream support. Technology that is end-of-life3, out-of-support or in extended support is typically less secure by design, has a dated security model and can take longer (or may be unable) to sufficiently effect change to address new threats. In APRA’s view, any hardware or software which is end-of-life or outside mainstream support creates unnecessary risk exposure, regardless of whether these platforms are vendor-provided or internally-developed and supported.
While extended or custom support arrangements may partially mitigate risk, they are often costly, may provide a false sense of security, and can further delay remediation of ageing technology. Furthermore, support agreements of this nature typically provide hotfixes or patches for critical vulnerabilities only, and remain constrained by the dated security model and design limitations of the technology.
To properly deal with this issue, a disciplined approach to information asset lifecycle management is required, necessitating a comprehensive understanding of all information assets supporting the business, and the impacts of an information security compromise. A forward-looking, risk-aware mind-set is needed to ensure timely remediation of issues, with security considered at all stages of an information asset’s life-cycle.
Another new topic for 2017, respondents reported a high uptake of cyber insurance – 74 per cent had policies in place, with a further 17 per cent actively considering cyber insurance within the next 12 months. Liability limits generally ranged between $1m and $100m, with some in excess of $500m. A wide variety of domestic and international providers and policy offerings were noted, with policies providing not only financial compensation, but also access to specialist services, such as post-incident forensics.
Figure 1: Reasons cited for cyber insurance
Note: totals exceed 42 respondents, as multiple responses were permitted.
Click for larger version
Of note, 10 per cent of policies were issued without any assessment of controls, and no respondents were required to undergo an onsite assessment of IT security controls prior to the policy being issued. Approximately half of policies were issued based on a self-assessment by the insured, with off-site documentation reviews undertaken for the remainder. Given the lack of actuarial data and claims history in this emerging market (only one entity reported submitting a claim under cyber insurance) and an underwriting approach reliant on self-assessment or documentation review, rather than assessment of operational security controls, APRA expects that insurers will start undertaking more robust initial and ongoing due-diligence in order to better assess and price for risk.
A strategic focus on cyber resilience
While maturity varied, most survey respondents either had a formal security technology roadmap (81 per cent) or indicated that security improvements were part of overall technology roadmaps (compared with 74 per cent in the previous survey, albeit with a different sample set). Common areas of investment included: data loss prevention; endpoint protection; intrusion prevention/detection; identity and access management solutions; continuous vulnerability scanning; incident/event monitoring; and security operation centres.
Non-technical improvements noted since the previous survey included: increased levels of education for directors, management, staff and customers; developing and testing cyber incident response plans; tightening privileged access; expanding information security teams and strategic use of third party expertise to enhance security capability.
Given the nature and frequency of cyber incidents, preparedness is vital. While almost 90 per cent of respondents had formalised response plans for plausible cyber scenarios (similar to the previous survey), these plans were often untested and lacked integration with business continuity and disaster recovery plans. In APRA’s view, cyber incidents must be planned for, and response plans validated as part of an overall approach to preparing for business disruptions.
Cyber risk management requires ongoing vigilance, improvement, investment and oversight. The conclusions from APRA’s first cyber survey remain valid – there is no ‘end-state’ for cyber security, requiring a continuous cycle of investment in sound practices. For a list of sound practices, refer to APRA’s 2016 Information Paper (Figure 6).
No entity can defend against every conceivable threat, requiring an intelligence-led and risk-informed approach to investment in preventative and detective measures, as well as verified response capability for when these are defeated (i.e. an assumed breach posture). While cyber insurance is useful, it is an evolving area and cannot always redress the reputational and other damage resulting from a high-impact cyber incident.
Finally, basic cyber hygiene, including a disciplined approach to maintaining the health of information assets, vigilance regarding access management (particularly privileged access) and oversight of controls at trusted third parties, are essential so as not to undermine strategic security investments or unnecessarily increase risk.
2 Advanced persistent threats (APTs) are a set of sophisticated, covert and continuous computer hacking processes coordinated by an individual, group and/or nation-state targeting a specific entity. (Click here to go back)
3 Active investment is no longer occurring with the technology. (Click here to go back)
Industry engagement on replacing D2A
APRA has begun to engage across the Australian financial services sector on one of its largest projects in its 19-year history – the modernisation of APRA’s data collections and capabilities. Work has commenced this year on a multi-year project which, when complete, is intended to transform how APRA collects, stores, accesses and delivers data to industry and the public.
APRA’s vision is an easy-to-use data collection system that collects high-quality data and is adaptable to future business needs. The goal is to have such a system operational in 2019.
The new system will replace APRA’s existing and aging Direct to APRA (D2A) data collection system. In the process, it will provide new, digital data-collection platforms, enhance APRA’s in-house data analytic and publication capabilities, and increase the openness and accessibility of data to the public for transparency and analysis purposes.
Engagement with the financial services industry and others on the design and implementation of new system is a key component of the project. APRA recognises the challenges in replacing a data collection system used by all APRA-regulated entities, and many others in financial services, with differing priorities, resourcing and technological sophistication. As a result, extensive liaison with industry stakeholders is essential to ensure the final product is well suited to all users.
Financial sector data
As a national statistical agency for the Australian financial sector, APRA collects and publishes data from prudentially regulated institutions as well as other firms in the financial sector. This data importantly supports APRA’s core supervisory work, but also informs APRA’s policy development and other activities. APRA also collects data for other agencies such as the Reserve Bank and Australian Bureau of Statistics.
APRA received approval from the Commonwealth Government in 2016 to increase its funding by an additional $11.2 million over the forward estimates for this important work. Over the past 18 months, APRA has established four key, long-term projects as part of the overarching data modernisation program. In addition to replacing D2A as the data collection mechanism, APRA is also creating:
- a new Enterprise Data Warehouse to securely store data in one location;
- a new Access to Data project, with the goal of allowing internal and external users to more quickly and easily access and analyse financial industry data and produce customised reports; and
- an Innovation Centre Lab, designed as an environment for APRA to experiment with data and test the value of answers to business questions.
These changes are extensive and intended to bring enormous benefits to all users. For instance, the new data system is expected to include improved efficiencies and ease of use in collecting data, the elimination of data duplication, a more intuitive interface with simpler-to-understand data validation messages and definitions, and better capabilities for collecting ad hoc and unstructured data from the financial sector.
Although the precise design for the new system has yet to be determined, APRA has begun its engagement with industry with several features and functionality objectives in mind. These are:
- a web-based program;
- automated data submission capabilities; and
- the incorporation of the Standard Business Reporting taxonomy.
APRA began its industry engagement with a roundtable in late October with representatives of financial industry associations, consultancies and other regulators. The purpose of the roundtable was to help APRA gain preliminary perspectives on possible data platforms – feedback that would then be used to inform broader engagement in 2018. Roundtable participants were asked to provide feedback on four key issues:
- How will this change benefit your industry?
- What are the likely impacts/challenges of this project for your industry?
- Are you aware of business or technology opportunities APRA should consider?
- What is the optimal engagement model with industry?
APRA convened a follow-up roundtable in mid-November, which focused primarily on the potential costs faced by industry in transitioning to a new system. Among the main expenses identified by industry were replacing and maintaining technology infrastructure, training staff, governance and conducting impact analysis. Roundtable participants nominated some of the major changes imminent for their industries, including changes to regulation, market changes and technological disruption.
As APRA seeks to maximise participation in the process of selecting and implementing D2A’s replacement, broader industry engagement on the data modernisation project will continue from early next year. Input is also being sought from RegTech suppliers and developers to ensure the aspirations of APRA and industry are feasible and deliverable within the desired timeframe.
Further details will be forthcoming on the proposed formats and timing of upcoming fora, however direct industry engagement is also welcome. Questions or feedback can be delivered by emailing the program team at: [email protected]
So far, APRA has been encouraged by the positive feedback it has received from industry participants as it embarks on what will be a lengthy and challenging project. As well as generating productivity and efficiency benefits for itself, APRA is committed to delivering long-term benefits to industry and other stakeholders in modernising and upgrading its data capabilities.