APRA welcomes the opportunity to provide a submission to the Senate Select Committee on Financial Technology and Regulatory Technology.
As the prudential regulator, APRA is tasked with protecting the interests of depositors, policyholders and superannuation fund members. Its core role is supervising banks, credit unions, building societies, general insurance and reinsurance companies, life insurers, private health insurers, friendly societies, and most superannuation trustees. APRA currently regulates institutions holding over $6.5 trillion in assets for Australian depositors, policyholders and superannuation fund members.
In carrying out its role, under the Australian Prudential Regulation Authority Act 1998 (the APRA Act), APRA must balance the objectives of efficiency, competition, contestability and competitive neutrality and, in balancing these objectives, is to promote financial system stability in Australia. APRA sees this mandate as protecting the Australian community by establishing and enforcing prudential standards and practices designed to ensure that, under all reasonable circumstances, financial promises made by institutions it supervises are met within a stable, efficient and competitive financial system.
In achieving an efficient, competitive and stable financial system, APRA is committed to supporting innovation within the industry. FinTech and RegTech encourage greater innovation, both among new entrants and existing financial institutions. This can deliver prudential benefits, as well as better outcomes for consumers and the community. FinTech and RegTech developments can also improve efficiency, competition and contestability in the system, all of which, where risks are well managed, can improve financial stability over time. It is therefore important in achieving APRA’s mandate that APRA is open to the opportunities FinTech and RegTech provide, while also ensuring risks are appropriately managed.
APRA holds both a direct and a supporting role in relation to FinTech and RegTech:
As FinTech and RegTech industries grow and mature, APRA seeks to understand the opportunities and risks they bring to institutions and the system and adapt to maintain sustainable, open and technology neutral policies and practices.
Where FinTech or RegTech companies seek a licence or provide services for regulated entities, APRA seeks to allow for opportunities and innovations without undue policy or supervisory barriers, while ensuring risks are appropriately managed.
In collecting and publishing data from the financial sector, APRA seeks to maintain modern practices and to be transparent in relation to information that can assist the market.
RegTech can potentially be of benefit to APRA’s own operations. One of APRA’s 2019-2023 strategic initiatives is to transform data-enabled decision-making and APRA is exploring ways of using technology to assist with this.
APRA undertakes significant domestic engagement with other regulators, such as with ASIC and the ACCC, as well as with industry. This engagement builds understanding and assists in coordinating regulatory activities across agencies.
APRA’s licensing framework
Authorised deposit-taking institutions (ADIs), insurers and superannuation trustees occupy a unique position of trust within the community and their financial safety is key to the financial stability and economic well-being of the community. As a result, these institutions are subject to higher standards than many other sectors of the economy and they require a licence from APRA. This includes meeting standards to ensure that a new entrant will be able to honour the financial promises it makes under all reasonable circumstances.
Restricted ADI Licence
In 2018, APRA introduced a restricted ADI licensing framework that provides an alternative pathway to a full licence for new banking entrants. This new framework was designed to support new entrants and accommodate different business models, with the added benefit of removing barriers to entry into the market while not materially lessening entry standards that serve as important protections for the Australian community.
Under this framework, a potential new entrant may seek a restricted ADI licence: once granted, the applicant has two years to meet the full prudential framework requirements (proportionate to their risks and size). This facilitates entry to the banking sector, allowing a new entrant to conduct limited banking business while developing their capabilities and resources. If it proves unable to meet the requirements of the prudential framework within two years, the holder of a restricted licence would need to exit the banking industry in an orderly fashion.
The restricted framework was developed after extensive consultation with industry and interested stakeholders, including open roundtables with industry and presentations to FinTech meet-ups. While the framework is not directed solely at FinTechs, it has been successfully used by a number of FinTechs, and a number of others are in the process of being licensed.
Streamlining the application process
To assist potential applicants, in recent years APRA established a dedicated team to engage with applicants on the licensing process and regulatory expectations. The licensing assessment is a comprehensive process, divided into three phases:
Early contact, which involves a high level overview of business plans and discussions with APRA’s licensing team to discuss the licensing process and for APRA to identify and raise any concerns as soon as possible. This process informs an applicant’s approach to developing its application and provides an early and more efficient steer on ways to mitigate potential issues. For example, early discussions with potential applicants have on occasions highlighted that the intended business does not need a prudential licence to proceed or that the intended structure of institutions in a group will need adjustment.
Pre-application, which involves a more detailed business plan with further details surrounding the business strategy, structure, target market, product plans, licensing timeline and funding strategy. APRA provides advice in regard to the licensing process up to this step at no cost to the potential applicant.
Formal application, which involves submitting the required documentation and an applicable licensing fee. The assessment process involves review of documentation, discussions with management and the Board and onsite visits, including in relation to the applicant’s technology. The process averages 12 months, reflecting that many entities apply at a formative stage and initial drafts of key documents often require multiple revisions as entities develop their operations and understanding.
Since the formation of the central team and the new licensing process there has been a considerable increase in licensing activity¹. A large number of FinTech firms have had early contact with APRA, some of which have progressed through to a formal application and a number have successfully been granted a licence.
Figure 1. Total applications received and licensed since 2017
Table 1. Licensing activity from 1 July 2018 to 31 December 2019 (reporting periods: 1 Jul - 31 Dec 2018; 1 Jan - 30 Jun 2019; 1 Jul - 31 Dec 2019)
APRA Licensing fees (AUD²)
To apply for a licence from APRA there is a non-refundable licensing fee which varies by industry. The licensing fee is designed to be based on cost recovery³.
Table 2. Licensing fees in Australia (licence types listed: Authorised Deposit-taking Institution; Restricted Authorised Deposit-taking Institution; Purchased Payment Facility; Non-Operating Holding Company)
By way of international comparison, fees for banks in Singapore are approximately AUD$135,500 and in the UK, AUD$48,000.
Challenges faced by applicants and new entrants
APRA has found that applicants face a number of non-regulatory challenges as they enter the sector. The three most significant issues have been:
Access to capital – applicants and new entrants have found investors in Australia reluctant to invest in companies that do not have a proven product with an existing customer base.
Customer acquisition – attracting customers, particularly where the product suite is still limited.
Recruiting staff – this can be challenging for FinTech start-ups with no proven business and no customers.
These challenges were detailed in a 2019 APRA speech, Regulating challenger banks: Balancing objectives and outcomes⁶.
In the insurance sector, barriers for Tech start-ups include the considerable time to develop reliable risk data to inform pricing and underwriting and the need for operational experience with regulatory compliance. As a result, most Tech start-ups in the insurance sector have demonstrated a desire to collaborate with existing insurers rather than to compete directly.
1 In the 10 years prior to July 2018, 10 banking licences were issued, with only one of these a locally incorporated ADI along with nine foreign branches. It should also be noted that the instigation of the new licensing framework coincided with (i) the removal of the minimum capital requirement of $50 million to be a bank; (ii) changes to the Financial Sector (Shareholdings) Act 1998 to provide less restrictive ownership restrictions on very small banks; and (iii) changes to the Banking Act 1959 that made it easier for APRA to revoke an authorisation if it became clear that a new entrant would not be viable.
2 All figures quoted are in AUD at 10 December 2019.
3 RSE fees are detailed in SIS legislation.
4 An additional $30,000 is paid when applying to progress to a full ADI, with the total fee equivalent to applying for a full licence.
5 This fee applies to public offer trustees, with $5,500 applicable for non-public offer entities.
FinTech and RegTech in prudentially regulated entities
FinTech and RegTech can provide many benefits to the financial system and individual institutions. APRA regulated institutions often introduce new technology, outsource technological aspects of their business or use FinTech or RegTech services, including through formal partnership arrangements or as part-owners of the FinTech or RegTech provider.
APRA regulated institutions must manage the risks that the business faces. The introduction of new technology, outsourcing or the adoption of services will change the risks the institution must manage. It can lower certain risks and it can introduce new or heightened risks. Risk management practices need to be adapted, built into systems and integrated and maintained within the operations of the business. New technology can also, in some circumstances, make it more difficult for APRA to supervise regulated institutions, as functions or activities may no longer be conducted within the legal entity that APRA has authorised.
APRA has a number of standards and guidance notes that seek to ensure that institutions appropriately manage the risks they face including a Board-approved risk management framework. The most relevant of these in the context of FinTech and RegTech providers are outlined below.
As the financial system ecosystem introduces new FinTech and RegTech offerings, many institutions rely on an increasing array of service providers.
APRA’s outsourcing prudential standard, CPS 231, outlines requirements for prudentially regulated institutions in managing risks related to outsourcing. This standard is currently being reviewed to reflect the changing environment for service providers. The revised standard, to be consulted on in 2020, will require entities to conduct appropriate due diligence when entering into service provision arrangements, and to appropriately manage these arrangements on an ongoing basis.
APRA has also published guidance on the management of risks arising from cloud computing services. This guidance was most recently revised in September 2018 reflecting the growing adoption of these services and the developing risk management practices among financial institutions. APRA’s recommendations within the revised guidance changed to be less restrictive on the use of cloud computing services while reinforcing the obligation for entities to manage the associated risks.
Information security and cyber resilience
Under APRA’s information security prudential standard, CPS 234, entities are required to maintain a capability to prevent, detect, and respond to cyber incidents and other information security incidents in a timely manner, and to advise APRA of material incidents. Under APRA’s business continuity standard, CPS 232 (also being updated in 2020), entities must have contingency plans in place to enable them to deliver critical services continuously despite plausible cyber or other disruptions. The entity remains responsible for its information security and business continuity where information assets are managed by service providers, and is required to assess the security controls of service providers.
Improving cyber resilience across the financial system is one of APRA’s four strategic focus areas in its 2019-2023 Corporate Plan.
Digital ‘wallets’ are a growing part of the financial system, driven in particular by advancements in mobile technology and consumers’ increasing propensity to purchase goods and services online or via mobile applications. Some, but not all, digital wallets hold stored value on behalf of customers and are pre-paid facilities. Others (such as Apple Pay) hold customers’ credit/debit card details and only facilitate payments from that nominated account.
The regulatory framework for providers of digital wallets involves three regulators—the Reserve Bank of Australia (RBA), ASIC and APRA. The RBA is responsible for the overarching framework set out in the Payments System (Regulation) Act 1998 (PSRA). ASIC is responsible for regulating digital payments services that are financial products such as non-cash payments facilities. APRA’s role is to license and supervise larger providers of widely used facilities that hold stored value under the Purchased Payments Facilities (PPF) framework, as these are functionally akin to bank accounts (but are not protected accounts under the Financial Claims Scheme).
To be licensed by APRA, the facility must be widely available as a means of payment and redeemable for AUD⁷; and hold customer funds above the limited value threshold ($10 million)⁸. Currently there is one authorised PPF provider.
Proposed new framework
Through the Council of Financial Regulators (CFR), the RBA, APRA, ASIC and the Treasury are reviewing this framework to reduce complexity, increase competition and foster innovation, leading to improved consumer outcomes. Doing so will also respond to recommendations from both the 2014 Financial System Inquiry and the Productivity Commission’s 2018 inquiry into competition in the Australian financial system.
The CFR has recently delivered a paper to Government setting out its recommendations for a new graduated framework for stored value facilities that is simplified, easier to understand and navigate for industry and seeks to regulate entities proportionate to the risks of their activities⁹. The new framework is intended not only to be fit for purpose for the current financial system but also be able to accommodate future developments and technological advances, such as proposals for global stable coin eco-systems that have been the subject of significant attention in recent months.
Under this proposal APRA’s role in the framework would be to oversee wallets that are widely used as a means of payment and store significant value for a reasonable amount of time (e.g. potentially Facebook’s Calibra proposal).
APRA’s framework would not be expected to capture digital wallets that are primarily used to pass payments through (e.g. Apple Pay). This is depicted in Figure 2 below.
Figure 2. The potential role of regulators in regulating the stored value framework
As part of this work, APRA has begun developing a new APRA principles-based prudential standard that simplifies the regulatory requirements and is able to accommodate a range of business models that have emerged. The timing of this will be dependent on the broader government response.
7 The determination of ‘banking business’ relating to PPF providers is set out in the Banking Regulation 2016.
8 Payments Systems (Regulation) Act 1998 – Declaration No. 2 of 2006 regarding Purchased Payment Facilities.
9 This follows the RBA’s 2018 review of the regulatory framework for stored-value facilities, Review of Retail Payments Regulation: Stored-value Facilities.
Collection and use of data
APRA’s data collection activities provide opportunities for RegTech in industry as a service to reporting entities. APRA also looks to the RegTech community to play a role in supporting industry as their data and reporting capabilities mature. APRA has begun to implement RegTech within its own processes and systems, spearheaded by its data-based Project Athena. Project Athena is a multi-streamed initiative aimed at delivering improved processes and technologies for the way APRA collects, stores, utilises and accesses data obtained from regulated entities. A number of the streams have now transitioned into business as usual functions and are embedded in day-to-day business practices.
APRA is also developing a new Data Strategy to adapt how the agency collects, uses, manages, governs and shares its data, recognising that data is an increasingly key asset for APRA in delivering its purpose and mandate. APRA is also working closely with a number of other government agencies to develop a whole of government approach to data. To facilitate this, APRA has set up a standing committee with RBA, ABS, ASIC and Treasury to co-ordinate data collection activities across the agencies and reduce the number of duplicated requests for data. Recent examples of collaboration cover such areas as superannuation, life insurance claims and residential mortgage data.
APRA has invested in an end-to-end platform that allows improved analytical ability across the organisation, delivering key analytical processes such as entity level financial analysis in a way that allows the agency to focus on areas of higher risk.
APRA has also set up an Innovation Lab (the Lab) to create a centre of excellence for the agency’s data science capabilities. The Lab uses techniques such as artificial intelligence, machine-learning, network analysis and natural language processing to analyse both APRA’s and entities’ data and correspondence. The data the Lab works on is often unstructured in nature, such as survey results and entity correspondence, and requires these techniques in order to draw greater insights for use in APRA’s supervisory activities. Data-driven insights produced are helping improve the effectiveness, efficiency and nature of APRA’s prudential supervision across the organisation.
APRA’s current data collection system, Direct to APRA (D2A), is a bespoke system built in-house in 2001. More than 4,500 reporting entities use D2A to submit data to APRA. Data collected by APRA under the Financial Sector (Collection of Data) Act 2001 is used for prudential supervision, statistical publications and shared with partner agencies.
As part of Project Athena, APRA is investing heavily in a new data collection system, utilising a commercial solution, to facilitate the more efficient capture of data. The solution selected is used by a number of peer agencies across the globe and is based on a modern web-based system. It is scheduled to go live by mid-2021 and will ultimately replace D2A.
The solution is designed to meet the demands of modern business and be sufficiently flexible to adapt as data analytics and technology evolve. The solution will allow entities to prepare and submit data in several ways, from manual entry to Excel uploads to XML and XBRL. The solution will also enable machine to machine submissions. As the solution evolves, APRA will look for opportunities to reduce the burden of reporting, for example, through partnership with the RegTech community who can assist in simplifying the process of reporting for financial services entities.
APRA is also increasing the transparency of the data it collects. Increased transparency improves financial stability by promoting market discipline and competition, imposing strong incentives on entities to conduct their business in a safe, sound and efficient manner. The additional data provides RegTechs and FinTechs a resource to incorporate in their analysis and benchmark themselves to the rest of the industry.
APRA has commenced a significant program of work to transform the superannuation data collection and publications (the ‘Superannuation Data Transformation’). This work will support achievement of APRA’s corporate plan objectives, with specific focus on improving outcomes for superannuation members where significant work is well underway.
The Superannuation Data Transformation will greatly enhance the information that is reported to APRA and support the industry and other key stakeholders in understanding the drivers of and outcomes provided for members, as well as provide additional insights into the operations of the industry, including governance and risk management practices.
Two key characteristics of the data transformation program will be the development of more consistent definitions and reporting concepts, and industry participation in the development phases via roundtable consultation and participation of industry in pilot data collections to test and refine reporting outcomes.
The structure of the revised data collection has been designed to:
utilise the capabilities of the new data collection system to allow more efficient collection techniques, including XML and XBRL;
allow better re-use of data through more consistent definitions and linkage back to core concepts; and
allow greater transparency through more frequent and granular releases of data.
The use of RegTech in this area is a logical fit due to:
the efficiencies of scale in automating regular reporting tasks;
coping with increased granularity of data; and
prioritisation of efficiency and re-use of data over human readability of the data.
Working with other regulators and industry
As one of the five government agencies responsible for regulating the Australian financial system, APRA supports interagency FinTech and RegTech activities and has strong engagement with peer regulators. This assists with building understanding and the coordination of regulatory activities amongst agencies including on FinTech and RegTech regulation.
Engagement with industry and industry groups is also important in staying abreast of developments and emerging issues. Some of the key engagement related to FinTech and RegTech is set out below.
Australian Securities and Investments Commission (ASIC)
Given ASIC drives much of the domestic regulatory engagement with the FinTech and RegTech community through its Innovation Hub and supporting its sandbox regime, APRA has not sought to replicate this. Instead, it works closely with ASIC in a number of ways including through:
ASIC’s Digital Finance Advisory Panel (DFAP). The DFAP brings together FinTech and RegTech participants and lead regulators such as APRA, Austrade, Treasury, RBA, ACCC and AUSTRAC to discuss developments. Advice and feedback is provided pertaining to the opportunities, developments and emerging risks for FinTech start-ups as well as established FinTech players who have interacted with ASIC’s Innovation Hub. It also helps improve collaboration amongst Australia’s leading regulators, especially within the FinTech and RegTech space.
“meet-ups” led by ASIC with the FinTech and RegTech community, presenting and answering questions on licensing and other APRA developments at start-up hubs.
regular attendance at the Quarterly RegTech Liaison Forum (run by ASIC) which facilitates discussions surrounding developments and opportunities arising from the application of RegTechs.
regular engagement with ASIC-led meetings among a broad range of government agencies that touch the FinTech and RegTech space.
Australian Competition and Consumer Commission (ACCC)
The Australian Competition and Consumer Commission (ACCC) has introduced the foundation for the Consumer Data Right (CDR) and Open Banking. The CDR authorises accredited persons to disclose consumer data to third party service providers, subject to certain conditions, to assist in providing goods or services to CDR consumers. APRA has assisted the ACCC by:
seconding an APRA employee for 18 months to provide data and banking expertise to assist in building the open banking framework; and
participating in the ACCC established Data Standards Body Advisory Committee aimed at creating suitable safeguards for the CDR’s implementation.
Council of Financial Regulators
APRA is a member of the Council of Financial Regulators (CFR), the coordinating body for Australia’s main financial regulatory agencies. It is comprised of representatives from the RBA, APRA, ASIC and Treasury, and has a number of streams of work which consider FinTech related developments including:
the Distributed Ledger Technology Working Group (which also includes AUSTRAC). It is aimed at aligning supervision and regulation of blockchain technology used in finance. For example, this group has examined supervisory considerations and risks associated with the creation of the Libra platform and other stablecoins; and
the Regulatory Perimeter Working Group, which has been driving the revision of the framework for purchased payment facilities.
APRA also engages with the industry more broadly. Examples include:
Discussion and engagement with the RegTech Association and its members, including participation in an external steering group advising on the development of our new data collection system.
The New Payments Platform (NPP) Australia is a payment infrastructure that enables Australian consumers, businesses and government agencies to make real-time, data-rich payments between accounts at participating financial institutions. It supports real-time clearing and settlement for simple or complex payment solutions and has the potential to deliver both significant consumer benefits (through faster and more efficient payments) and material back-office efficiencies for financial institutions. NPPA is owned by 13 organisations: 12 ADIs and the RBA. APRA directly supervises the 12 ADIs and has also engaged with the RBA to understand the nuances of the NPP and ensure both organisations have aligned supervisory methodologies which cover all regulatory considerations arising from the NPP.
Speaking and participating at industry conferences and events e.g. a meet-up alongside other regulators at the Australian FinTech Festival.
APRA engages with international stakeholders including foreign regulators and central banks on FinTech and RegTech related matters.
In the past year APRA has had a number of related international engagements:
engaged with the PRA on its New Bank and New Insurer start-up Units, including attending an industry workshop for potential applicants;
participated at the Singapore FinTech Festival, including speaking on a panel;
participated in the Basel Committee’s Task Force on Financial Technology, including engagement on Facebook’s Libra/Calibra proposal; and
contributed to multiple international surveys on FinTech related matters for international standard-setting bodies.
APRA recognises the important contribution FinTech and RegTech developments have to the financial system. APRA seeks to understand and support these developments, in a sustainable and open fashion. It aims to allow for the opportunities and innovations without undue policy or supervisory barriers, while ensuring risks are appropriately managed in keeping with its mandate. APRA also seeks to implement RegTech within its own data collection systems and processes helping improve efficiency and accessibility.
APRA supports the work of the committee towards these aims.
The Australian Prudential Regulation Authority (APRA) is the prudential regulator of the financial services industry. It oversees banks, mutuals, general insurance and reinsurance companies, life insurance, private health insurers, friendly societies, and most members of the superannuation industry. APRA currently supervises institutions holding around $9 trillion in assets for Australian depositors, policyholders and superannuation fund members.