Making Sense of the Prudential Standards



Making Sense of the Prudential Standards A guide to best practice for customer-owned deposit-taking institutions

May 2016 © Customer Owned Banking


STATEMENT AS TO THE CURRENCY OF LAW
This Guide refers to the APRA Prudential Standards and Guides as at 1 May 2016.

IMPORTANT DISCLAIMER
All care was taken in the preparation of this Guide. However, this Guide is not to be used or relied upon as a substitute for professional legal, accounting or risk management advice on a particular matter. Customer Owned Banking Association, its directors and officers, and the authors, expressly disclaim all liability to any person in respect of this Guide, and any consequence arising from its use by any person in reliance on the whole or any part of this Guide. This disclaimer does not exclude any warranties implied by law that may not be lawfully excluded.

VERSIONS
First published February 2010
Updated December 2010
Updated March 2011
Updated November 2012
Updated May 2013
Updated October 2013
Updated February 2014
Updated January 2015
Updated September 2015
Updated May 2016

© COPYRIGHT Customer Owned Banking Association 2016
All rights reserved. No part of this work covered by copyright may be reproduced or copied in any form or by any means (graphic, electronic or mechanical, including photocopying, recording, recording taping, or information retrieval systems) without the written permission of Customer Owned Banking Association.

© Customer Owned Banking Association – May 2016


Contents

PART A: Introduction

1. Introduction to the Guide
1.1. Who is this Guide for?
1.2. Background to development
1.3. Objectives of Guide
1.4. Structure of Guide
1.5. Ways Guide might be used
1.6. Development of Guide
1.7. A living document
1.8. Guide is not a substitute for risk assessment of board and management
1.9. Exclusions and limitations
1.10. Log of recent changes
1.11. Other resources

2. APRA’s role and the APRA Prudential Standards regime – an overview
2.1. What is APRA’s role?
2.2. How does APRA supervise ADIs in practice?
2.3. The Prudential Standards
2.4. A Snapshot of the Prudential Standards
2.5. Basel II Framework
2.6. Basel III Framework
2.7. Impact of recent cross-industry risk standards
2.8. Other changes to the Standards

3. The New Risk Landscape
3.1. Risk Management Framework – CPS 220
3.2. New definition of Risk – ISO 31000
3.3. Impact of ICAAP
3.4. Risk and Strategy
3.5. Be honest about risk
3.6. Risk Appetite Statement
3.7. Pro Tip: risk management is good management

4. Managing the APRA Relationship
4.1. Mutual ADIs should approach the relationship with confidence
4.2. APRA’s expectations of the board of directors
4.3. CPS 220 – Greater Expectations
4.4. What should a director be doing about Prudential Standards compliance?
4.5. What should Risk Committee members (and the chair) be doing?
4.6. Communication with APRA – some tips and ideas
4.7. Developing a “dashboard” update for APRA

5. Preparing for an APRA Visit
5.1. Planning Meeting – before the prudential review
5.2. Directors Prudential Review Meeting With APRA
5.3. The post-Prudential Review letter from APRA
5.4. APRA terms explained in detail

PART B: Applying the Prudential Standards

6. Risk and Governance
6.1. CPS 220 – Risk Management
6.2. CPS 510 Governance – Objectives and Key Requirements
6.3. CPS 520 Fit and Proper
6.4. Governance – Practical Implications
6.5. Fit and Proper – Practical Implications
6.6. Link to ICAAP

7. Capital Adequacy
7.1. Capital Adequacy - Objectives and key requirements
7.2. First Tier 2 Capital Issue by Mutual ADI
7.3. Risk weighting varies depending on the risk of an exposure. As a result:
7.4. Capital Adequacy Ratios
7.5. ICAAPs in Practice
7.6. ICAAP Risk Itemisation
7.7. The New ICAAP: APS 110 and CPG 110
7.8. Revised ICAAP Requirements
7.9. CPG 110 Content
7.10. ICAAPs in Practice
7.11. Capital Management - Policy Trigger Points
7.12. Positive Capital Management and Planning
7.13. Other Capital Issues - Market Risk
7.14. Link to ICAAP
7.15. Other Capital Issues - Securitisation – APS 120

8. Liquidity
8.1. APS 210 - Objective and Key Requirements
8.2. Liquidity in Practice
8.3. Best Practices in Liquidity Management
8.4. Link to ICAAP

9. Credit Risk
9.1. Credit Risk – Your Core Business
9.2. APS 220 Credit Quality
9.3. APS 221 Large Exposures
9.4. Credit Risk in Practice
9.5. Best Practices in Credit Risk
9.6. Process consistency
9.7. Fair value of securities
9.8. Collections
9.9. Delinquency
9.10. Provisioning – allowing for Bad Debt
9.11. Commercial Loans
9.12. Large Exposures
9.13. Link to ICAAP

10. Audit and Disclosure
10.1. APS 310 Audit and Related Matters
10.2. APS 330 Public Disclosure of Prudential Information
10.3. APS 310 and 330 in Practice
10.4. The APS 330 statement
10.5. Link to the ICAAP

11. Operational Risk
11.1. Operational Risk – New CPG 234 and 235
11.2. CPS 231 Outsourcing
11.3. CPS 232 Business Continuity Management
11.4. Operational Risk in Practice

12. Miscellaneous
12.1. APS 121 - Covered Bonds
12.2. APS 910 Financial Claims Scheme


PART A: Introduction


1. Introduction to the Guide

1.1. Who is this Guide for?

This Guide to the Prudential Standards for Authorised Deposit-taking Institutions [ADIs] regulated by the Australian Prudential Regulatory Authority [APRA] has been written primarily for directors of mutual ADIs. We hope it will also be useful for senior management of mutual institutions. In addition, much of the content will be applicable to directors and management of other, particularly smaller, ADIs.

1.2. Background to development

The board of directors of an ADI is required to play a central role in its sound and prudent management. This has long been recognised, and the requirement is reflected in APRA’s Prudential Standard CPS 510 – Governance.

In our view, to meaningfully discharge your obligations as a director you must have a good understanding of the APRA Prudential Standards regime, and be able to apply the regime when considering and reviewing your institution’s prudential policies (capital, liquidity, credit risk, market risk etc). This is also APRA’s expectation. As a director, you should be able to show an appreciation of the impact of the Prudential Standards in contexts such as prudential review meetings with APRA (see Chapter 5).

That said, the scope and complexity of the APRA Prudential Standards regime can be daunting. This can be true even for experienced directors, including those from professional backgrounds (e.g. accounting, law or management).

The complexity of the APRA Prudential Standards regime is due in part to the fact that the Standards do not mandate prescriptive targets over and above the various minimums and rules in each standard. Rather, the Standards adopt a largely principles-based approach, requiring the board and management to apply general principles in setting capital allocation ratios, determining liquidity management policies, setting credit risk controls, and so on.

How to interpret the language of the Standards, and the regulator’s approach to specific issues in practice, can be a challenge for boards and management alike. This can be compounded by a general lack of information about the experience of other comparable institutions (due in part to the fact that the relationship between regulator and regulated entity is conducted, for the most part, “behind closed doors”).

Apart from this, the Standards are not static. They continue to be modified and extended by APRA, particularly as the standards of the international body coordinating banking supervision, the Basel Committee of the Bank for International Settlements, can, and do, change. We look at the implications of some of these changes, especially the revised approach to capital adequacy management implemented under the Basel Framework, in subsequent chapters.

Directors and management obviously need to keep abreast of changes to the Standards. At the same time, you must not lose your focus on other core requirements that need to be monitored and reviewed on an ongoing basis.

1.3. Objectives of Guide

Against this background, COBA has collaborated with consultant and legal adviser to the mutual industry, Mark Swivel, to develop a compact, practical Guide to understanding and implementing the APRA Prudential Standards. Our aim is to assist busy directors and senior managers to gain, retain and refresh the knowledge of the Prudential Standards they need to make a worthwhile contribution to corporate governance and the prudent management of their institution.

1.4. Structure of Guide

The structure of the Guide will be apparent from the Table of Contents. In brief, the remaining chapters of Part A provide an overview of the Prudential Standards framework, and APRA’s role. They also consider the regulator’s expectations of directors, and provide some tips and suggestions on managing your institution’s relationship with, and meeting with, this key stakeholder. The chapters of Part B then deal with the requirements of the Standards in detail grouped around 6 thematic headings that largely follow the way the Standards are organised by APRA. A brief “snapshot” of each Standard is followed by commentary and examples focussed on how the Standards operate, and strategies for achieving and maintaining best practice compliance. The central role of the Risk Management Framework [RMF] and Internal Capital Adequacy Assessment Process [ICAAP] in structuring a regime of effective compliance with the Standards is highlighted throughout these Chapters. Introduced in January 2015, CPS 220 now formalises the established concepts of risk management framework and risk appetite along with the role of the Chief Risk Officer [CRO]. APS 110 and CPG 110 reinforce the centrality of the ICAAP to prudential risk management and emphasise the active role directors are now expected by APRA to play in capital management – by identifying risks and allocating capital to them. Most chapters end with a set of questions for directors and managers to consider—emphasising the need for active involvement in decision making by both boards and management.

1.5. Ways Guide might be used

We envisage that the Guide will be used in a variety of ways including – as an introductory resource for new directors, as a ‘refresher’ for directors and management (including in the context of upcoming APRA reviews etc), and generally as a source of sector experience, best practice tips and benchmarking information.


1.6. Development of Guide

The primary author of the Guide is Mark Swivel. Mark is a legal practitioner and director of Swivel Pty Ltd and was a director of SCU (Sydney Credit Union) Ltd (from 2008-11). The Guide is largely based on the author’s experience working with mutual ADIs since 1995, advising on compliance issues and writing policies, and particularly in helping mutual institutions frame responses to APRA Prudential Review Reports. COBA staff have also contributed to, and provided comments on, drafts of the Guide over the years. In addition, we have benefited greatly from discussions with senior managers of COBA member institutions about both their approaches to Prudential Standards compliance, and the kind of resource that they, and their boards, would find useful in helping their institutions maintain compliant prudential controls. Our thanks go to all who have provided their input.

1.7. A living document

COBA updates this Guide periodically in light of changes to the Prudential Standards, APRA’s regulatory approaches, your feedback on the current Guide, and member institutions’ ongoing experience working with, and seeking to implement, the Standards. Editions of this Guide have been published in February 2010, December 2010, March 2011, November 2012, May 2013, October 2013, February 2014, January 2015 and September 2015.

1.8. Guide is not a substitute for risk assessment of board and management

The Guide includes a range of worked examples, survey data, good practice tips and other similar information. This information is intended to assist readers to gain an understanding of how common issues are or might be approached across the mutual ADI sector, to establish benchmarks, and to challenge current practices of your institution where appropriate. Of course, each ADI must develop its own risk management framework, with its own assessment of risk profile, its own risk appetite and its own policy settings to manage the range of risks that its unique business faces. The information contained in this Guide is not intended, and should not in any way be seen, as a substitute for the risk management work that each institution must itself undertake on an ongoing basis.

1.9. Exclusions and limitations

Consistent with our target audience and objectives, the Guide does not address: APS 222 - Related Entities; and APS 610 - Payment Facilities. Note also that, while APRA permits certain large ADIs to measure capital requirements with respect to credit risk using what is called an Internal Ratings Based approach as an alternative to the more generally used Standardised approach, this Guide considers the Standardised approach only. This reflects the fact that no mutual institution is permitted to use an Internal Ratings Based approach.

1.10. Log of recent changes

The January 2015 edition included commentary which reflects APRA’s¹ increased supervisory intensity in specific areas of prudential concern including:

• residential mortgage lending
• capital risk weighting
• liquidity coverage
• securitisation.

The September 2015 edition included new content on:

• APS 110 – Capital (effective July 2015).
• APS 330 – Public Disclosures (effective August 2015).

1.11. Other resources

• APRA web site – The details of the prudential standards framework can be found here: Prudential Standards and Guidance Notes: http://www.apra.gov.au/ADI/ADIPrudential-Standards-and-Guidance-Notes.cfm. Prudential Practice Guides: http://www.apra.gov.au/adi/PrudentialFramework/Pages/authorised-deposittaking-institutions-ppgs.aspx

• The APRA site also includes general information about APRA’s role, as well as the full text of APRA speeches, media releases and other information referred to in this Guide.

• COBA offers two detailed compliance manuals dealing with the APRA governance-related Prudential Standards. They are the COBA CPS 510 Governance Compliance Manual and the COBA Fit & Proper Compliance Manual. COBA also offers a resource Capital and Risk Management for Customer-Owned ADIs which takes an integrated approach to the subject of capital and risk management. Its aim is to be a practical overview of how you can link your formal risk management framework with your ICAAP. Your institution may already subscribe to these products. If not, email [email protected] for more information.

¹ See for example the finalised APG 223 Residential Mortgage Lending Prudential Practice Guide released in early November 2014. In a letter dated 9 December 2014 to all ADIs, APRA discussed the regulatory and supervisory tools it may apply to address emerging risks in residential mortgage lending practices. See also the statement to the House Economics Committee by APRA Chair Wayne Byres on the proposed use of so-called ‘macro-prudential’ measures such as LVR caps and loan-to-income limits together with the possibility of increased Pillar 2 capital requirements.


2. APRA’s role and the APRA Prudential Standards regime – an overview

2.1. What is APRA’s role?

APRA, which is an Australian Government statutory authority, is the prudential regulator of the Australian financial services industry. Its responsibilities include monitoring the financial soundness and stability of ADIs (including all credit unions, building societies, mutual banks and banks generally) so that depositors’ interests are not compromised by the actions of the board or management of the regulated institutions. APRA is also the prudential regulator of the insurance and superannuation sectors.

In brief, APRA does everything it can, within its statutory mandate, to make sure depositors’ money is safe and the banking sector is sound and stable.

Over time, APRA has moved from a policy-by-policy approach to an organisational or cultural approach to governance and risk management. As the new Chair of APRA Wayne Byres noted recently:

“Both the industry, and the community of supervisors, is still grappling with how best to make assessments of organisational culture, and how to respond when a culture is shown to be in need of improvement. Much has to do with the incentives that individuals face and how they signal what an organisation truly values (and what it does not). It is clear that, in many cases, aspirational statements of organisational culture have been no match for the personal incentives that are created for individuals. Much of the post-crisis reform agenda has been aimed at getting the organisational interests of financial firms more aligned with those of the wider community. Getting personal incentives correspondingly aligned with organisational interests needs to be seen as equally important”.²

2.2. How does APRA supervise ADIs in practice?

APRA’s day-to-day supervision of a mutual ADI is primarily based on these activities:

• Offsite analysis – ADIs must submit various reports and information in accordance with the prudential standards and other requirements imposed by APRA. Such submissions must include regular financial information (i.e. D2A reports), business plans, forecasts, etc. This information is analysed and assessed for compliance with the prudential standards regime and specific prudential ratios as well as an input to the PAIRS risk assessment process undertaken by APRA (see next point). APRA also receives applications for transfers, takeovers, licensing, etc and undertakes review, oversight and assessment of these key activities.

• PAIRS and SOARS Assessments - APRA conducts assessments for all ADIs of the probability and potential impact of business failure, which covers the board, management, risk governance, strategy and planning, liquidity risk, operational risk, credit risk, market and investment risk, insurance risk, capital coverage/surplus, earnings, and access to additional capital. SOARS is used to determine how supervisory concerns based on PAIRS risk assessments should be acted upon. SOARS has four supervision stances: Normal, Oversight, Mandated Improvement and Restructure. This assessment considers inherent risk, management and control, net risk and capital support and is used by APRA in its ADI supervision action plans.

• Prudential Reviews – APRA conducts periodic ‘reviews’ of ADIs, typically on a bi-annual basis, or more frequently if APRA requires this (these reviews are often referred to in the industry as ‘inspections’). The frequency of reviews is based on APRA’s risk assessment of the entity, and the supervision action plan in place to address the entity’s risks.

APRA also plays a major role in policy setting; and periodically, in consultation with industry, in updating and extending the APRA Prudential Standards regime with new standards and practice guides. APRA also has powers to issue directions in the event of significant noncompliance with the Prudential Standards. It can also appoint an administrator in extreme circumstances where an ADI may no longer be a going concern.

² Byres’ speech “The post-crisis reform agenda – a stocktake 28-29 May 2015”

2.3. The Prudential Standards

In simple terms, the Prudential Standards are best understood as a set of principles designed to promote banking practices that ensure depositors’ money is safe. From a business perspective, they can also be seen as a set of good practice risk management principles. There are now 24 Standards (excluding the standard on Definitions) which, together with associated Guidance Notes and Practice Guides, constitute the regulatory framework for ADIs enforced by APRA. The main areas covered are – capital adequacy, liquidity, credit quality, large exposures, associations with related entities, outsourcing, business continuity management, accounting and prudential reporting, corporate governance and fit and proper requirements (see: http://www.apra.gov.au/adi/prudentialframework/pages/adi-prudential-standards-andguidance-notes.aspx).

APRA introduced new cross-industry standards for risk management from January 2015 requiring ADIs to formalise their risk management framework, articulate a formal risk appetite and appoint a Chief Risk Officer and establish a Risk Management Committee. These new requirements are set out in CPS 220 Risk Management and an updated version of CPS 510 Governance. The changes formalised long-standing supervisory principles and expectations of mutual ADIs’ governance, operational structure and culture.

2.4. A Snapshot of the Prudential Standards

We will consider the content of the Standards in detail in Part B of this Guide. But here is a quick “snapshot” of what APRA requires of ADIs:

• Risk and Governance: An ADI must have a risk management framework consistent with its strategic objectives and business plan incorporating structures, policies, processes, people and systems for identifying, measuring, evaluating, monitoring, reporting and controlling or mitigating material risks that may affect its ability to meet its obligations to depositors. Sound and prudent governance is required to maintain public confidence and deliver benefits to stakeholders. Clear strategic direction by boards, together with professional management from executives, incorporating contemporary risk management practices, including an articulated risk appetite, is demanded. Directors and senior managers must meet high standards of competence and integrity (‘fitness and propriety’). Board oversight of risk management and financial performance is central to good governance. Remuneration policies and oversight arrangements that promote the long-term financial soundness of the institution must be in place. The new standard on Risk Management (CPS 220) dovetails with the Governance and Capital standards to reinforce the overall risk management framework for the ADI.

• Capital: Minimum capital levels must be held as a buffer against potential losses. Capital must be held against all the risks to which the institution is exposed. Only certain things can count as capital - primarily profits, past and present. The importance of maintaining profitability as a prudential measure cannot be overstated. Capital requirements vary depending on credit and other risk exposures. New rules are designed to enhance the quality of capital and capital management. Future supervisory policy promises to reinforce this trend.

• Liquidity: Liquidity must be maintained in order to meet liabilities as and when they fall due. Only certain deposits or holdings count as High Quality Liquid Assets [HQLAs] – primarily investments held with other ADIs. Plans and funding lines to deal with irregular events and emergencies are also required to manage liquidity risk.

• Business Risks: Credit risk is to be managed through good lending practices, to minimise delinquencies and write-offs, and by appropriate provisioning for bad debt. Lending is of course the core business of a mutual ADI and the key risk to be managed in the business. Market risk (interest rate risk) exposures for loans and deposits must also be managed to protect portfolios and interest margins. Strategic risk created by key business decisions, concentration risks in large exposures (for credit and investments) and contagion risk from related entities (e.g. subsidiaries), all need to be identified and minimised.

• Operational Risk: Operational risk must be identified and managed across the whole business of an ADI including: data risk; insurable risks (e.g. physical assets and workers compensation); the outsourcing of key functions to third parties; and potential business disruptions (threats to business continuity). These risks require close monitoring, clear processes and planning to avoid losses.

• Audit and Disclosure: ADIs must implement an independent and transparent external audit process, supported by robust internal audit and effective board oversight. Compliance with Prudential Standards must be reviewed by external auditors, attested to by the chief executive and endorsed by the board. Accountability and competition are also encouraged by mandatory public disclosure of ‘prudential information’ on capital position, capital adequacy and credit risk, including bad debt statistics.

2.5. Basel II Framework

In January 2008, a new suite of Prudential Standards gave effect to the Basel II capital adequacy standards developed by the Basel Committee on Banking Supervision 3. In general terms, the Basel II Framework, as adopted in the Standards, aims to bring best practice in risk management into the formal regulatory framework for managing capital adequacy. The focus is on promoting stronger and more accurate management and pricing of risk, including ensuring that adequate capital is allocated to support the full range of risks assumed by the ADI. The new regime also introduced measures to enhance transparency by requiring public disclosure of certain capital adequacy and risk management practices information (see Chapter 10).

2.6. Basel III Framework

In late 2009, the Basel Committee released a new capital and liquidity framework, in response to the Global Financial Crisis. Known as “Basel III”, the framework aims to improve the banking sector's ability to absorb shocks arising from financial and economic stress, improve risk management and governance, and strengthen banks' transparency and disclosures. As a result, new rules have been introduced that aim to improve the quality of capital held by ADIs and their capital management by:

• specifying new ‘common equity’ requirements;
• introducing capital adequacy buffers including a conservation buffer and a counter-cyclical buffer; and
• an enhanced ICAAP framework that provides more guidance and prescription on how ADIs must prepare and develop their ICAAP to support capital management (see APS 110 and CPG 110).

3 The Basel Framework is developed by the Basel Committee on Banking Supervision (BCBS), a Committee of the Bank for International Settlements (BIS) which fosters international monetary and financial cooperation and acts as a bank for central banks. The BIS is the leading policy and research forum in the international financial community.

APRA has also proposed changes to APS 210 on Liquidity:

• a tighter definition of HQLA (discussed in Chapter 8); and,
• enhanced liquidity risk management requirements, including in relation to funding plans, cash flow projections, stress testing and scenario/crisis analysis.

In April 2014 APRA released an updated APS 111 – Capital Adequacy: Measurement of Capital with amendments facilitating additional capital-raising options for customer-owned ADIs. The revised prudential standard represents a key step in accommodating the customer-owned model in the Basel III capital framework. The amendments were notable because they represent the first time that APRA has explicitly accommodated the customer-owned model in any of the prudential standards. APRA’s implementation of the Basel III framework in January 2013 had the unintended effect of reducing capital options for customer-owned ADIs. The amendments restored flexibility for the sector in raising capital from other than retained earnings. Chapter 6 of this Guide contains further discussion on this.

In November 2014 APRA released a package of reforms to funding and liquidity reporting arrangements. Reporting Standard APS 210.0 now requires all ADIs to be able to produce daily liquidity reports on demand. COBA argued against this for Minimum Liquidity Holdings (MLH) ADIs, a category which includes most mutual financial institutions, but APRA believes that “the MLH requirement … falls short of providing the information needed during a crisis to build a view of an ADI’s daily liquidity position.” APRA therefore decided that “the daily liquidity report should apply to all ADIs,” and noted that a “prudent ADI would … generate and monitor this data as part of its existing liquidity risk management process.” APRA does not anticipate that daily reporting will be a significant burden for MLH ADIs as the data is likely to be readily available.
In April 2016 APRA Chairman Wayne Byres outlined a timetable to implement the revised Basel III framework in a “Broadly speaking, 2016 is the year for finalising the international framework, 2017 will be the year for consultation on its domestic application having regard to the [Financial System Inquiry], and 2018 will be the year for implementation” Mr Byres said. APRA is waiting on finalisation of the Basel Committee’s work on the credit risk and operational risk frameworks before finalising what constitutes ‘unquestionably strong’ capital requirements in an Australian context” 4.

4 See “From Strength to Resilience”, speech by APRA Chairman Wayne Byres, AFR Banking and Wealth Summit, Sydney 6 April 2016


2.7. Impact of recent cross-industry risk standards

APRA has introduced cross-industry standards for risk management generally which require ADIs to formalise their risk management framework, appoint a Chief Risk Officer and establish a Risk Management Committee. These new requirements are set out in CPS 220 Risk Management and an updated version of CPS 510 Governance. They were effective from 1 January 2015. These are significant (but long-anticipated) changes to the substance of ADI prudential risk management obligations.

2.8. Other changes to the Standards

There have been other changes to the Standards and their application in recent years as well. For instance, since 1 April 2010, all ADIs have been required to have arrangements including a Board Remuneration Committee (or comparable structure) and remuneration policy that ensures the remuneration of executives and other key staff is aligned with the long-term financial soundness of the institution and its risk management framework. APRA now generally applies Prescribed Capital Ratios to mutual ADIs. In its 2010 prudential reviews it generally focussed on credit risk, reminding ADIs to preserve credit quality despite the return to better trading conditions following the 2009 Global Financial Crisis. These are significant (but long-anticipated) changes to the substance of ADI prudential risk management obligations. There were consequential amendments to the following standards to reflect the changes introduced by the new cross-industry standards for risk management 5:

• APS 001 Definitions;
• APS 116 Capital Adequacy: Market Risk;
• APS 120 Securitisation;
• APS 210 Liquidity;
• APS 220 Credit Quality;
• APS 221 Large Exposures;
• APS 222 Associations with Related Entities;
• APS 310 Audit and Related Matters;
• APS 330 Public Disclosure;
• APS 610 Prudential Requirements for Providers of Purchased Payment Facilities;
• CPS 231 Outsourcing;
• CPS 232 Business Continuity Management;
• GPS 001 Definitions;
• GPS 110 Capital Adequacy;
• GPS 113 Capital Adequacy: Internal Model-based Method;
• GPS 310 Audit and Related Matters;
• GPS 320 Actuarial and Related Matters;
• LPS 001 Definitions; and
• LPS 320 Actuarial and Related Matters.

5 See under sub-heading above “Impact of recent cross-industry risk standards”

Chapter 12 was also added to the Guide in 2013 to cover new APRA prudential standards, namely APS 121 – Covered Bonds and APS 910 – Financial Claims Scheme.


3. The New Risk Landscape

The role of boards in risk management is increasingly demanding. We are now a long way from the days of volunteer directors who relied on management to ‘run the business’. Contemporary business culture places the boards of ADIs and other businesses at the centre of risk management. In the case of ADIs, the Prudential Standards strongly reinforce this trend, the more so since the Standards were revised in 2008 to implement the Basel II Framework (see Chapter 2). For mutual ADI managers, risk management also requires new skills that reach beyond the competencies of bread and butter banking.

3.1. Risk Management Framework – CPS 220

CPS 220 articulates long-standing informal expectations for ADI risk management. From January 2015, an ADI Board must have in place a risk management framework (RMF) appropriate to its size, business mix and complexity that is consistent with the ADI’s strategic objectives and business plan. The RMF will overlay the specific risk systems e.g. policies for capital, liquidity, market and other risks and must include a board approved:

• risk appetite;
• risk management strategy that describes the key elements of the RMF that give effect to its approach to managing risk;
• business plan that sets out its approach for the implementation of its strategic objectives;

In practice, an RMF may be closely aligned with the ICAAP and APS 310 declaration for the ADI. The ADI must also maintain adequate resources to ensure compliance with CPS 220 and notify APRA of significant gaps in, breaches of or material deviations from the RMF.

3.2. New definition of Risk – ISO 31000

ISO 31000 defines risk as the “effect of uncertainty on objectives” and a positive or negative deviation from what is expected. The definition recognises the obvious: that when we pursue an objective, things may not go to plan. Every outcome is inherently uncertain and our actions carry risk that needs to be managed. Relative to expectations, we may get positive results or negative results or both. Risk management is about reducing uncertainty to the extent that we can. This is done through systems and information to help detect and understand the risk associated with events, including their likelihood and consequences.

3.3. Impact of ICAAP

All ADIs must develop, document and maintain a comprehensive Internal Capital Adequacy Assessment Process [ICAAP], proportional to its operations and consistent with APRA’s requirements. The ICAAP is the APRA-mandated process for ensuring ADIs take an integrated whole-of-enterprise approach to allocating capital as a buffer against potential losses. The ICAAP is discussed further in Chapter 6 on Capital Adequacy, and referred to throughout Part B of the Guide.

Until ICAAP, the Prudential Standards regime could be interpreted as a diverse range of rules and requirements dealing with separate topics. ICAAP changes that by bringing each risk type under the one umbrella and allocating prudential capital for each risk. For example, liquidity risk is no longer just a matter of meeting minimum standards for HQLA. It now also requires the allocation of an amount of capital, considering potential threats to liquidity and the costs incurred by your ADI if those threats materialise.

Your ICAAP must align with your institution’s risk management framework. As part of this, all the directors of your institution should be familiar with the details of your ICAAP. Under the Basel III changes, directors are now expressly required to understand and be actively engaged in the development and monitoring of your ICAAP (see CPG 110 and CPS 220).

3.4. Risk and Strategy

Strategy drives risk. APRA will expect all directors and managers to see and understand the linkage. Your risk management framework must acknowledge the strategy of the organisation. At the same time, risk should be incorporated in your strategic planning. Risk is present whether your strategy is ‘adventurous’ or ‘cautious’.

If an ADI commits to an aggressive growth strategy, risk increases. For example, a growing loan book can put pressure on capital adequacy; stretching targets may threaten loan quality and undermine sales processes; and liquidity may be challenged by spikes in loan funding.

On the other hand, risk does not go away if an ADI adopts a more ‘conservative’ strategy and commits to consolidating its position. For example, the ADI may lose its relevance; it may stagnate as it tries to ‘fly under the radar’; it may lose members, loans and deposits, and as a consequence costs may increase while income and profits can fall.

3.5. Be honest about risk

Risk is everywhere. Even in the best-run businesses and ADIs, risks are inherent to all activity. The question is whether the risks are identified and managed by the board and management team. So, if there’s a golden rule about risk, it might be ‘be honest and up front’ and acknowledge the importance of risk. For example, even if delinquency is currently low and write-offs have been historically negligible, the risk of default remains a key business risk for any ADI.

3.6. Risk Appetite Statement

There is no formula for describing the risk appetite of an ADI; however, the prudential standards now require a formal risk appetite statement for all ADIs (see APS 110, CPG 110 and CPS 220). Each ADI must articulate its own risk appetite as part of its risk management. You should already have the ‘spirit’ of your risk appetite expressed in your existing policies.

The key requirements for the Risk Appetite Statement (RAS) of an ADI are set out in CPS 220:28-30. The RAS must address material risks including: credit risk; market and investment risk; liquidity risk; insurance risk; operational risk; risks arising from strategic objectives and business plans; and other risks that may have a material impact on the ADI.

The RAS must outline:

• the degree of risk the ADI is prepared to accept in pursuit of its strategic objectives and business plan, giving consideration to the interests of depositors and/or policyholders (risk appetite);
• for each material risk, the maximum level of risk that the ADI is willing to operate within, expressed as a risk limit and based on its risk appetite, risk profile and capital strength (risk tolerance);
• the process for ensuring risk tolerances are set at appropriate levels, based on estimated impacts and likelihood of breaches;
• the process for monitoring compliance with risk tolerances and for taking action in the event of breach; and
• the timing and process for reviewing risk appetite and tolerances (CPS 220:28-29).

Each ADI must articulate its own risk appetite as part of its risk management. The ‘spirit’ of your risk appetite was always implied in your established policies. Although all mutual ADIs are different, the core business model tends to produce similar risk appetites as shown in these typical elements or business characteristics:

• Product range – ‘vanilla’ savings, loan and payment products with limited opportunity for financial losses to members or the organisation
• Non-standard products – limited use of non-core products (e.g. insurance) underlining the low risk core product range
• Loan portfolio composition – high ratio of mortgages to personal loans, low average loan-to-value ratios (LVRs) creating a relatively low risk loan book
• Deposit portfolio composition – ratio of savings to term deposits – high proportion of low interest (and low cost) savings accounts in funding mix
• Credit quality – concentration of assets in secured lending, conservative debt servicing ratios, limited commercial lending effectively cherry-picking high quality housing loan assets
• Pricing strategy – competitive but not market leading interest rates protecting narrow interest margins and avoiding dependence on price-led new business
• Property holdings – limited exposure; generally small scale commercial properties avoiding higher-risk lending opportunities
• Staff culture and incentives – emphasis on service and strong control culture with limited use of performance-based remuneration, suppressing loan generation but minimising bad loans
• Cost to income ratios – generally high ratios across the sector (relative to banks), primarily due to staffing and branch costs maintaining staff satisfaction and loyalty (but exposing business to viability risks)
• Capital and other prudential ratios – operating well above statutory minimums to provide regulatory buffer.

Exceptions to these norms can be found in organisations that pursue aggressive growth targets, subsidiary businesses, non-core businesses, high concentrations of commercial lending, and atypical strategic alliances.

3.7. Pro Tip: risk management is good management

Don’t make risk a chore. Risk management is no more than good management. The Prudential Standards should be approached as statements of good practice. Each standard establishes minimum requirements and behaviour. Every ADI must set its own policy rules based on its strategy, risk appetite and culture. Your prudential standard compliance system should also be aligned with other compliance systems e.g. for consumer credit, AML, privacy and AFS licensing. Good practice in compliance involves creating a compliance ‘culture’ in the organisation, sponsored by the board and driven through the organisation by management. For more on Compliance Management Systems see AS ISO 19600-2015. See also “The importance of a risk management strategy” in Kiel et al Directors At Work: A Practical Guide for Boards (Thomson Reuters 2012 p 352); and COBA publication The Decisive Board “The Board Risk Committee” (July 2014 issue).


4. Managing the APRA Relationship

4.1. Mutual ADIs should approach the relationship with confidence

In an address to the COBA and AM Institute Convention held in Melbourne in October 2013, Dr John Laker, then APRA Chairman, acknowledged the strong performance of mutual ADIs since the Global Financial Crisis:

“Mutual ADIs have emerged from this period and what was no doubt a very unsettling experience during the worst of the crisis, in solid shape. As a sector mutual ADIs have continued to grow balance sheets sensibly, earn good profits (around $450 million in 2012/13) and maintain healthy capital positions. No mutual ADI failed during the crisis and no mutual ADI breached any of APRA’s key prudential requirements. A record to be proud of and one that mutual movements in other countries must envy” 6

Dr Laker’s 2013 remark suggested that mutual ADIs had effective risk management systems in place. Although there is no room for complacency, mutual ADIs should approach the relationship with APRA with confidence.

4.2. APRA’s expectations of the board of directors

APRA has long seen the role of the board as central to the governance of mutual ADIs. The position is now clearly stated in CPS 510: The Board of directors [of an ADI] is ultimately responsible for the sound and prudent management [of the ADI]. APRA expects the board of a mutual ADI to:

• understand their business;
• be capable of identifying, monitoring and managing the risks associated with that business;
• anticipate and respond to emerging risks; and
• approve and oversee implementation of risk-based policies.

Given these expectations, a modern mutual ADI board should:

• invest in risk management (internally and externally);
• implement and oversee a comprehensive risk management framework;
• conduct regular policy reviews; and
• pro-actively engage APRA and other regulators.

6 Mutuals: a look back and ahead – John Laker, COBA Convention, Melbourne, 29 October 2013 p 1


4.3. CPS 220 – Greater Expectations

CPS 220 articulates the particular expectations APRA has of directors of an ADI:

The Board is ultimately responsible for the institution’s risk management framework. In particular, the Board must ensure that:

(a) it defines the risk appetite and establishes a risk management strategy;
(b) a sound risk management culture is established and maintained throughout the institution;
(c) senior management take the steps necessary to monitor and manage all material risks consistent with the strategic objectives, risk appetite statement and policies approved by the Board;
(d) the operational structure of the institution facilitates effective risk management;
(e) policies and processes are developed for risk-taking that are consistent with the risk management strategy and the established risk appetite;
(f) sufficient resources are dedicated to risk management;
(g) uncertainties attached to risk measurement are recognised, and the limitations and assumptions relating to any models used to measure components of risk are well understood; and
(h) appropriate controls are established that are consistent with the institution’s risk appetite, risk profile and capital strength, and are understood by, and regularly communicated to, relevant staff.

4.4. What should a director be doing about Prudential Standards compliance?

Directors must actively participate in the governance of an ADI. To do this meaningfully, as a contemporary director you must be able to:

• understand the APRA Prudential Standards regime 7;
• understand your own policies especially capital, liquidity, market risk and credit risk; and
• contribute to the strategic risk management process.

7 APRA wrote to all ADI directors on 7 October 2014 clarifying the requirements it imposes on boards by the prudential standards: http://www.apra.gov.au/CrossIndustry/Documents/Letter-to-industryimproving-APRA-board-engagement-October-2014.pdf


4.5. What should Risk Committee members (and the chair) be doing?

Although the board as a whole is ultimately responsible for the risk management function, the Risk Committee members should probably be doing a little more work than other directors in this area. They should have a good working knowledge of the details of all Prudential Standards and Guides. The chairs of the board, Audit Committee and Risk Committee should seek to develop good working relationships with their contacts at APRA 8.

4.6. Communication with APRA – some tips and ideas

Many mutual ADIs maintain effective relationships with APRA. ADIs reporting ‘good experiences’ with APRA emphasise the importance of proactive communication with their APRA contacts. Communication and openness can build rapport and an effective relationship with your regulator. Here are some ‘common sense’ ideas and tips for better communication with APRA:

• Pick up the phone: There’s no need to wait for the phone to ring. ADIs are free to call APRA and discuss their business and any concerns. For example, your institution might contact its APRA supervisor on a quarterly or even monthly basis to discuss your D2A report and current issues in the business, as well as your institution’s responses to issues raised in the most recent APRA inspection report.
• Visit your regulator: There’s no need to wait for an inspection. Some ADIs already meet with APRA on a regular basis whether at APRA’s offices or yours. You might prepare a presentation once or twice a year to make sure APRA knows where your business is going, the state of your prudential ratios and your appetite for risk.
• Policy reviews: There’s no harm in telling APRA about policy reviews as they happen. As you work through your annual policy review schedule, why not send APRA an email to remind them that your policy review has been completed, with a summary of the changes made.
• Keep APRA in the loop: The regular D2A report provides a lot of information to APRA. However, some ADIs provide a more frequent report. In one case, a credit union sends APRA a weekly ‘dashboard’. That’s a good example of keeping your regulator in the loop.

8 For a detailed discussion of the functions of the Board Risk Committee see the COBA publication The Decisive Board. July 2014.


4.7. Developing a “dashboard” update for APRA

Your institution might develop a dashboard that provides a snapshot of key prudential ratios. You could consider sending a monthly email to APRA that includes the following prudential and financial metrics:

| Mutual ADI APRA Update – Dashboard | Prudential Limit | Internal Strategic Target / Policy Limit | Current Position |
|---|---|---|---|
| Capital Adequacy Ratio | 8% | 12.5-15% | 14.5% |
| PCR / ICAAP | 12% (PCR) | 9% (ICAAP) | 14.5% |
| Common Equity Tier 1 Minimum | 4.5% | 8% | 14.0% |
| Liquidity – HQLA | 9% | 11-20% | 17.25% |
| Interest rate risk (NPVBP) | NA | 5% | 2.75% |
| Delinquency > 30 days | NA | <1% | 0.75% |
| General Reserve for Credit Losses | NA | 0.50% | 0.75% |
| Return on Assets | NA | 1% | 0.75% |
| Asset Growth | NA | 5% p.a. | 8.25% p.a. |
| Cost to Income Ratio | NA | 75% | 77.5% |
| Commercial Lending (% of portfolio) | NA | 5% | 2.5% |
| Interest Margin | NA | 2.0-3.5% | 2.55% |

[The sample provided is for illustrative purposes only]

Note: the sample policy limits included in the table above provide an example of how to approach compliance with the new requirements to articulate risk tolerances: CPS 220:30.

Questions for directors and senior managers to consider

How could you improve your communications with APRA?

Could you use a dashboard to explore risks and report to APRA more regularly?

What could you do to enhance your understanding of risk management?


5. Preparing for an APRA Visit

5.1. Planning Meeting – before the prudential review

The board and management should meet to discuss their approach to the meeting with APRA. APRA will send a letter outlining the agenda for the inspection and a list of information required by them before and during the visit. Management will largely attend to the response but the board should be engaged with the process. Here is a recommended approach for organising your response to a prudential review or ‘inspection’:

• Review the APRA ‘Prudential Review’ letter including agenda and information required by APRA – discuss the board and management response to each item clarifying current practices, identifying potential discussion points, and the documentation that will assist your response.
• Review the ‘Board and Governance’ section and agree an approach e.g. dividing topics among directors. Consider developing a presentation to address the matters raised (see further below).
• Ensure all policy reviews are complete, particularly the Risk Appetite and ICAAP – and ensure all directors understand the elements of the Risk Appetite and ICAAP and allocation of capital for specific risks (strategic, credit, interest rate, liquidity, operational etc).
• Review the CPS 220 declaration – the annual statement on risk management made by board (signed by the chair and the risk committee chair), which should ideally be a summary of the work conducted by the board or risk management committee throughout the year.
• Ensure all outstanding items from previous reviews, and issues raised in subsequent correspondence, have been acted on and implemented including changes to policies and procedures.

Your approach might well be guided by APRA’s comments on the process. For instance, the following comments were made by Stephen Glenfield at the COBA Convention 2009:

• Treat the review as an opportunity—show you know what you are doing, and where you are going
• Be transparent—don’t just hope APRA won’t find it
• Consider outstanding matters from past reviews/audit reports—what has your institution done about these?
• What are your institution’s current issues or problems—and, most importantly, what are you doing about these?
• What is “Plan B” if your current strategy encounters problems—be sensible!


Director Preparation - What should directors know?

To prepare for an APRA visit, a director of a mutual ADI should review:

• The basics of each Prudential Standard—this Guide can assist you here;
• Your policy guidelines and risk management framework; and
• The current position of the ADI for each key prudential ratio (especially capital, liquidity, interest rate risk, delinquency, provisioning).

Most mutual ADIs now have an intranet holding all policies and the organisation’s risk management framework. The data on key prudential ratios – for the last 12 to 24 months - should be found in your most recent board papers.

Champions: Many mutual ADIs appoint “champions” for particular risk areas. While everyone must have a general knowledge of the standards and policies, the appointed ‘experts’ can delve deeper into the detail of the separate topics.

5.2. Directors Prudential Review Meeting With APRA

APRA will usually ask directors to attend a meeting with APRA representatives as part of a prudential review. The meeting will usually be conducted without management present. To assist the process, the board may wish to develop a presentation, with different directors talking to different topics, including:

• Governance structure – board charter, committees, strategic planning and budgeting processes
• Overview of strategic plan, risk profile and risk appetite
• Key performance metrics (from strategic plan and business plan/budgets)
• Major initiatives (e.g. new business areas, mergers, strategic alliances)
• Approach to capital, liquidity, credit risk, market risk, operational risk

APRA wants to see a proactive and engaged board that understands its business strategy and the associated risks (for example the impact of a lending growth strategy on liquidity). Directors should be able to show an appreciation of the impact of the Prudential Standards, the performance of the organisation and the risk management outlook for the foreseeable future.

In particular, APRA expects to see a “joined up” and consistent approach to risk across the institution’s strategy, policy and implementation. It is probably not good practice, for example, to say that your institution has a low risk appetite if you are about to launch a new commercial lending arm.

Directors can reasonably expect APRA to emphasise the content, development and understanding of the ICAAP in their reviews. Although not all directors will need to be involved in the technical formulation of the ICAAP, everyone must have a solid understanding of what it means for capital management and strategy, both for the current operating environment and the future as seen by the organisation.

5.3. The post-Prudential Review letter from APRA

After the visit, APRA will issue a letter setting out a range of issues for action designed to enhance your institution’s risk management framework. The actions will usually be described as one of the following:

• Requirements—these are effectively mandatory;
• Recommendations—what APRA sees as best practice, and wants to encourage your institution to adopt. These need to be seen, inter alia, in the context of your institution’s broader relationship with the regulator; and
• Suggestions—optional actions that may improve your institution’s approach to risk management.

Each action raised by the APRA letter must be addressed. The board and management must respond in writing outlining the actions taken in response to each item. You may not agree with every item, or the reasons behind it. But where you want to tell APRA you do not agree, make sure your response is a very clear and reasoned one. Again, transparency and effective communication are paramount when responding to the APRA letter.

5.4. APRA terms explained in detail

Requirement: If an action is classified as a “Requirement”, the entity must undertake specific action to address the associated matter. Typically, matters resulting in a “Requirement” will relate to either the entity’s failure to comply with legislation or prudential standards, or a fundamental deficiency in the entity’s risk management and/or governance practices. A general failure by the entity to act on a “Requirement” may result in APRA exercising legislative or prudential remedies.

Recommendation: If an action is classified as a “Recommendation”, the entity is expected to consider formally the implementation of what is being put forward. Typically, matters resulting in a “Recommendation” will relate to areas of risk management and/or governance that whilst not fundamentally deficient, could be improved. A general failure by the entity to implement “Recommendations” may result in a higher risk rating being assigned and, potentially, in APRA exercising legislative or prudential remedies.

Request for Additional Information: If an action is classified as a “Request for Additional Information”, the entity is required to provide that information within the specified timeframe. Typically, matters resulting in a “Request for Additional Information” will relate to areas where information was either absent, incomplete or inconclusive. A general failure to respond to a “Request for Additional Information” may result in APRA, without further warning, issuing formal legislative notices requiring the production of information or documents. Subsequent follow-up action may be necessary depending on APRA’s assessment of the information supplied.

Suggestion: If an action is classified as a “Suggestion”, this represents the opportunity for the entity to move towards better practice. Subsequent follow-up action in relation to suggestions is usually performed in the context of better practice considerations and does not involve timeframes for implementation.


PART B: Applying the Prudential Standards


6. Risk and Governance

Boards that develop an effective risk management framework, add value and work well with management

An ADI must have a risk management framework consistent with its strategic objectives and business plan incorporating structures, policies, processes, people and systems for identifying, measuring, evaluating, monitoring, reporting and controlling or mitigating material risks that may affect its ability to meet its obligations to depositors: CPS 220

The ultimate responsibility for the sound and prudent management of ADIs rests with their board of directors. It is essential that ADIs have a sound governance framework and conduct their affairs with a high degree of integrity. A culture that promotes good governance is of benefit to all stakeholders of an ADI and helps to maintain public confidence in the ADI: CPS 510

6.1. CPS 220 – Risk Management

An ADI must have a risk management framework consistent with its strategic objectives and business plan incorporating structures, policies, processes, people and systems for identifying, measuring, evaluating, monitoring, reporting and controlling or mitigating material risks that may affect its ability to meet its obligations to depositors. An ADI must also have in place a Risk Appetite Statement (RAS): CPS 220:28-30.

The RAS must address material risks including:
• credit risk;
• market and investment risk;
• liquidity risk;
• insurance risk;
• operational risk;
• risks arising from strategic objectives and business plans; and
• other risks that may have a material impact on the ADI.

The RAS must outline:
• the degree of risk the ADI is prepared to accept in pursuit of its strategic objectives and business plan, giving consideration to the interests of depositors and/or policyholders (risk appetite);
• for each material risk, the maximum level of risk that the ADI is willing to operate within, expressed as a risk limit and based on its risk appetite, risk profile and capital strength (risk tolerance);
• the process for ensuring risk tolerances are set at appropriate levels, based on estimated impacts and likelihood of breaches;
• the process for monitoring compliance with risk tolerances and for taking action in the event of breach; and
• the timing and process for reviewing risk appetite and tolerances (CPS 220:28-29).

In addition, CPS 220 requires an ADI to appoint a Chief Risk Officer who typically must be independent from business lines, revenue generation and finance functions, and report direct to the CEO. However, smaller ADIs can apply to APRA to have this requirement relaxed. CPS 220 also requires an annual statement on risk management to be made by the board – signed by the chair and the chair of the risk committee – effectively replacing the old APS 310 declaration made by the CEO.

6.1.1. CRO Case Studies

Mutual ADIs can approach the role of Chief Risk Officer in a variety of ways, depending on the nature of their business and operating model. Here are some examples of different approaches:

1. Risk Manager – in a large organisation, there are sufficient resources and the organisation is complex enough to justify a dedicated role. In larger mutual ADIs the role of risk manager will probably already exist, and the existing role takes on the duties and title of CRO. In an organisation of this scale there will also usually be a separate role for the Compliance Manager and the Audit Manager or Internal Auditor.

2. Deputy GM – in a smaller organisation with a limited management team the responsibilities of risk, compliance and audit have traditionally been shared by two or three key managers – often there is a General Manager and their Deputy discharging these functions. As a result of this (lack of) scale, the role of CRO can be allocated to the Deputy GM who incorporates the role in their duties alongside their line management role.

3. Outsourcing – a third party organisation (e.g. an accounting or consulting firm) can be retained to perform the risk functions of a CRO. Outsourcing the CRO role is an option for small to medium organisations.


6.2. CPS 510 Governance – Objectives and Key Requirements

CPS 510 sets out minimum foundations and professional standards for good governance among ADIs. It aims to ensure that regulated institutions are managed in a sound and prudent manner by a competent Board of directors, which is capable of making reasonable and impartial business judgements in the best interests of the ADI and which gives due consideration to the impact of its decisions on depositors. The governance arrangements of ADIs build on these foundations in ways that take account of the size, complexity and risk profile of the ADI.

APRA’s principles-based approach to good governance has emphasised the following principles since the introduction of CPS 510: responsibility; independence; renewal; expertise; diligence; prudence; transparency; oversight (see details on the following page).

The key requirements of CPS 510 include:
• specific requirements with respect to board size and composition;
• the chairperson of the board must be an independent director;
• a Board Audit Committee and Board Risk Committee must be established each with its own written charter;
• ADIs must have a dedicated internal audit function;
• certain provisions dealing with independence requirements for auditors consistent with those in the Corporations Act 2001;
• a compliant remuneration policy and Board Remuneration Committee, or comparable arrangements, covering responsible managers, risk personnel and certain other categories of staff; and
• a policy on board renewal and procedures for assessing Board performance.

The requirements of proposed CPS 220 for a risk management framework and risk committee should also be considered here. For a more detailed commentary on CPS 510 requirements, see COBA CPS 510 Governance Compliance Manual. For more information email [email protected].


6.3. CPS 520 Fit and Proper

Persons who are responsible for the management and oversight of an ADI need to have appropriate skills, experience and knowledge and act with honesty and integrity. This strengthens the protection afforded to depositors and other stakeholders. To this end, ADIs need to prudently manage the risk that persons in positions of responsibility may not be fit and proper. The prime responsibility for ensuring that an ADI’s responsible persons are fit and proper remains with the board of directors.

CPS 520 sets out minimum requirements for determining the fitness and propriety of individuals to hold positions of responsibility. The key requirements of CPS 520 are that:
• an ADI must have and implement a written Fit and Proper Policy that meets the requirements of CPS 520;
• the fitness and propriety of a responsible person must generally be assessed prior to initial appointment and then re-assessed annually (or as close to annually as practicable);
• an ADI must take all prudent steps to ensure that a person is not appointed to, or does not continue to hold, a responsible person position for which they are not fit and proper;
• additional requirements must be met for external and internal auditors; and
• certain information must be provided to APRA regarding responsible persons and the ADI’s assessment of their fitness and propriety.

For a detailed commentary on CPS 520 requirements, see COBA Fit & Proper Compliance Manual, available from COBA Compliance Services.

6.4. Governance – Practical Implications

Recent changes to prudential standards have raised expectations of board involvement and performance. Directors and boards of ADIs are now expected to lead strategy, oversee performance and remuneration and ensure accountability. Many Prudential Standards now explicitly remind us of the role that APRA expects the board to play.

The basics of CPS 510 are clear:
• There must be at least 5 directors on its board;
• A majority of directors must be independent;
• The chair must be independent and cannot also be the chair of the audit committee;
• An audit committee must be established with terms of reference;
• A board charter must be developed, along with a policy on board renewal; and
• Performance reviews must be conducted at least annually for the board as a whole, and for individual directors.

However, good governance is less about procedural compliance than organisational performance and dynamics, which is where the challenge begins. Debate continues on a range of issues including board renewal, independence and performance reviews.

• Board Renewal

Board renewal is designed to maintain and improve standards of good governance by keeping the board open to new and fresh ideas. At the 2013 COBA and AM Institute convention outgoing APRA Chairman Dr Laker noted “In our experience, Boards that do not renew themselves become too entrenched and comfortable with the status quo, unable to adapt to changing circumstances”.⁹

Many mutual ADIs use the ‘associate’ system to engage interested people who then sit in on board meetings for a period to ‘learn the ropes’ and consider whether they wish to stand for election to the board.

Debate often focuses on tenure, and rules can be developed to review the position of long standing directors. However, many argue that the emphasis should be on performance – whether a person is adding value to the organisation – rather than the time served by a director.

• Independence

A majority of directors of an ADI must be independent (as defined in CPS 510) but this does not mean that all directors need to be independent. Therefore, if a director is found to be ‘not independent’ due to personal business interests or any other reason, that person can remain a director. A problem for an ADI only arises where a majority of directors are found to be ‘not independent’.

• Performance review

Directors – and the board as a whole – should add value to the organisation and performance reviews can support this process. There are many ways of measuring board performance; internal self-assessment is common as is the use of external consultants. Reticence among directors, and reluctance to criticise colleagues, can be obstacles to effective reviews. Creating a positive environment directed towards continuous improvement is the key to effective reviews. Reviews must cover individual directors, as well as the board as a whole.

• Board evaluation

A board evaluation is not strictly required by CPS 510. It is not a personal performance review of directors; however, it is a very useful tool to assess the performance of the board as a whole. Some alternative ways a board evaluation may be undertaken are:
• Self-evaluation, conducted wholly internally,
• By a committee of the board or by senior management, or
• By an external party such as a consultant.

9 Mutuals: a look back and ahead – John Laker, COBA Convention, Melbourne, 29 October 2013, p 2

For reasons of independence and objectivity it will be appropriate to delegate the evaluation to a non-executive, independent director or to a board committee, rather than to senior management.

A consultant engaged to carry out the evaluation will usually be perceived as more independent than a reviewer with an existing relationship with the organisation, such as senior management, a lawyer or auditor.

The methods employed for a board evaluation may be:
• Qualitative e.g. interviews of directors individually or as a group, observation, document analysis
• Quantitative e.g. survey by phone, person to person, email
• A combination of qualitative and quantitative methods e.g. combining a questionnaire with interviews. This will seek to avoid a ‘tick-the-box’ approach that an over-reliance on quantitative assessment may encourage.

• Committees

CPS 510 requires an ADI to have an Audit Committee. CPS 220 introduces a mandatory Risk Committee. Beyond that, ADIs can design their own committee structure which may include committees for Governance, Assets and Liabilities, Marketing and other issues as deemed appropriate by the board. In relation to remuneration, institutions can either establish a separate Remuneration Committee, or (with APRA approval) seek to use an existing committee to address remuneration requirements, in which case that committee’s terms of reference or charter must reflect CPS 510 requirements.

• Skills

Greater investment in training may now be required as ADIs must ensure that directors and senior management, collectively, have the full range of skills for the effective and prudent operation of the ADI, and that each director has the skills to make an effective contribution to board deliberations and processes: CPS 510:11.

• Remuneration

Remuneration policies and practices must reflect and support the risk appetite of the ADI. Performance related remuneration must be adjustable to zero if required to protect the financial soundness of the ADI: CPS 510:47.

6.5. Fit and Proper – Practical Implications

Typically mutual ADIs conduct an extensive fit and proper test when directors are elected or re-elected, supported by an annual declaration during their tenure. Propriety is usually tested for each responsible person by obtaining police and bankruptcy checks, personal references and assurances as to character. Each responsible person will then be asked to make a declaration of any interests that may conflict with the interests of the company.

Competence is usually based on the formal qualifications and business or work experience of the director (or applicant). Courses are provided – both in house and external – to build skills for directors. Skills are developed through a combination of experience, attendance at industry conferences and formal training sessions e.g. through the AM Institute.

The formal evaluation of directors’ knowledge of financial performance metrics, prudential standards and legal compliance remains an evolving area. Most mutual ADIs set a minimum number of training hours e.g. 10 hours or even 20 hours per annum. A key challenge is how to ensure that the knowledge adds value to promote the engagement of all directors in the governance of the ADI.

6.6. Link to ICAAP

Risks related to governance are operational risks and are covered by your APS 114 calculation of the prudential charge of operational risk. Your institution can always provide more capital as an extra buffer for operational risk. It can also categorise governance risks as strategic risk, depending on its assessment of the actual risks in the context of the organisation. If an additional allocation of capital is made for governance risk, your ICAAP should have an additional line item setting this out.

Questions for directors to consider
• Does your organisation conduct annual performance reviews for both the board as a whole and individual directors separately?
• Do you have board renewal processes in place?
• How do you ensure all responsible persons are fit and proper?
• Do you have documented competencies for directors?
• How do you assess the impact of training and development activities?
• Do you have separate board audit and risk committees in place?


7. Capital Adequacy

Active capital management - evolving approaches to ICAAP and capital allocation for risks

Capital is the cornerstone of an ADI’s financial strength. It supports an ADI’s operations by providing a buffer to absorb unanticipated losses from its activities and, in the event of problems, enables the ADI to continue to operate in a sound and viable manner while the problems are addressed or resolved: APS 110:7.

The board of directors of an ADI has a duty to ensure that the ADI maintains a level and quality of capital commensurate with the type, amount and concentration of risks to which the ADI is exposed from its activities. In doing so, the board must have regard to any prospective changes in the ADI’s risk profile and capital holdings: APS 110:9.

7.1. Capital Adequacy - Objectives and key requirements

APS 110: An ADI must maintain adequate capital to act as a buffer against the risks associated with its activities. APS 110 outlines the overall framework for APRA’s assessment of the capital adequacy of an ADI. The updated key requirements of APS 110 are that an ADI must:
• have an ICAAP;
• maintain minimum levels of capital;
• operate a capital conservation buffer and, if required, a countercyclical capital buffer;
• inform APRA of any adverse change in actual or anticipated capital adequacy; and
• seek APRA’s approval for any planned capital reductions.

Basel III also changes the details of capital adequacy rules. From 1 January 2013, an ADI must hold a prescribed capital ratio based on risk weighted assets of:
• a Common Equity Tier 1 Capital ratio of 4.5 per cent;
• a Tier 1 Capital ratio of 6.0 per cent; and
• a Total Capital ratio of 8.0 per cent.

APS 110 also introduces capital buffers that operate over and above these minima. When managing capital, ADIs will be required – from 1 January 2016 – to factor in:
• A capital conservation buffer (to ensure prudential capital management and avoid breaching the PCR or ICAAP); and
• A counter-cyclical buffer (if and when required by APRA – note that APRA advised ADIs in December 2015 that the current buffer will be set at ‘ZERO’).

The revised APS 110 also now explicitly mentions ‘risk appetite’ and notes ‘Capital management must be an integral part of an ADI’s risk management, by aligning its risk appetite and risk profile with its capacity to absorb losses’ (APS 110:8).

“The mutual ADI sector has a substantial buffer of high-quality capital above APRA’s prudential requirements to cope with financial stress…On current holdings mutual ADIs will also easily pass the second milestone on 1 January 2016, when the new capital conservation buffer comes into effect”
Mutuals: a look back and ahead – John Laker, address to COBA Convention, Melbourne, 29 October 2013, p 6

Note that supervisory policy will reinforce this trend (e.g. as APRA increases the amount of capital that internal ratings-based (IRB) ADIs are required to hold against residential mortgage exposures, with effect from 1 July 2016).

APS 111: APS 111 sets out the essential characteristics that an instrument must have to qualify as either Common Equity Tier 1, Additional Tier 1 or Tier 2 capital. The new concept of Common Equity essentially means ordinary shares or retained earnings. Remember that mutual ADI capital is almost entirely made up of profits – retained and current. Additional Tier 1 capital supplements Common Equity but the capital instruments must comply with strict conditions to qualify. Tier 2 capital falls short of the quality of Tier 1 capital but contributes to the overall strength of the ADI as a going concern. The capital base is the sum of Tier 1 and Tier 2 capital after deductions.

The key requirements of APS 111 are that an ADI must:
• only include eligible capital as a component of capital for regulatory capital purposes; and
• make certain deductions from capital (e.g. for shares in other ADIs and companies, investments in CUFSS and intangible assets).

Prior to April 2014 the ‘viability’ provisions of the APS 110/111 made it difficult for mutual ADIs to create Additional Tier 1 instruments because of the general requirement for capital instruments to be able to convert into common equity (which for mutual or customer owned ADIs is limited to member share capital) e.g. in the event of winding-up.

In April 2014 APRA released the final amended Prudential Standard APS 111 Capital Adequacy: Measurement of Capital (APS 111), which allows mutually owned ADIs to issue Additional Tier 1 (AT1) and Tier 2 (T2) Capital instruments that will qualify to be included in Common Equity Tier 1 (CET1) Capital provided they meet the requirements in Attachments B, F, J and K of APS 111. To qualify, the capital instruments must provide for conversion into mutual equity interests (MEI) in the event that the loss absorption or non-viability provisions in these instruments are triggered. Conversion into ordinary shares is not possible for mutual ADIs due to their mutual corporate structure (which among other things limits the value of a member share to a common, nominal value e.g. $10).

The conditions for the qualifying instrument include the requirement for mutual equity interests to provide no voting rights (other than as required under the Corporations Act) and to limit both the claim of mutual equity interest holders on any surplus of a failed mutual ADI and the amounts that can be paid by way of dividends to these holders.

Prior to the issue of any eligible Additional Tier 1 or Tier 2 Capital instrument whose terms provide for conversion to mutual equity interests, the issuer must:
(a) have a constitution that permits the issue of mutual equity interests and the terms of the issue must be consistent with the issuer’s constitution;
(b) have obtained approval from its members, if required by the issuer’s constitution, to the issue of mutual equity interests if the prescribed events occur;
(c) have obtained approval from members, if required by the issuer’s constitution, for the terms of issue of mutual equity interest; and
(d) have obtained any relief considered by the ADI to be necessary under Part 5 of Schedule 4 of the Corporations Act for the issuance of mutual equity interests.

For further details refer to APS 111 available at http://www.apra.gov.au/adi/Documents/20140408-APS-111-(April-2014)-revised-mutualequity-interests.pdf.

Note: the impact of the Basel III changes on Additional Tier 1 and Tier 2 capital instruments needs to be considered by each ADI; and APRA should be consulted to determine the treatment of all existing instruments.

7.2. First Tier 2 Capital Issue by Mutual ADI

In June 2015, a mutual ADI issued $50 million in subordinated debt that qualified as Tier 2 regulatory capital. This is the first Basel III compliant Tier 2 issue in Australia with “write-off”, rather than “conversion”, as the primary mechanism for loss absorption if a Non-Viability Trigger Event occurs. Issuance of Tier 2 capital with “write-off” as the loss absorption mechanism had been hampered by uncertainty about tax matters. This successful transaction signals a wider range of capital options for mutual ADIs under the Basel III capital regime.

Using “write-off” rather than “conversion” as the loss absorption mechanism may suit customer-owned ADIs that do not wish to change their constitutions to enable a “conversion” option. The conversion option for customer-owned ADIs is the Mutual Equity Interest (MEI) instrument, set out in Attachment K to APS 111.

APS 112: An ADI must hold sufficient regulatory capital against credit risk exposures (i.e. loans and investments). The key requirements of APS 112 are that an ADI:
• must apply risk-weights to on-balance and off-balance sheet exposures based on credit rating grades or fixed weights broadly aligned with the likelihood of counterparty default; and
• may reduce the credit risk capital requirement where the asset or exposure is secured against eligible collateral or supported by mortgage insurance from an acceptable lenders mortgage insurer.

7.3. Risk weighting varies depending on the risk of an exposure. As a result:
• Mortgages are weighted at 35% to 100% depending on the LVR and whether lenders mortgage insurance (LMI) applies (see table below);
• Personal loans and commercial loans are always 100% risk weighted;
• Loans 90 days past due are weighted at 100% for mortgage secured loans and other loans where specific provision is more than 20% of the outstanding balance; and up to 150% for other loans where specific provision is less than 20%; and
• Investments in ADIs are risk weighted at 20% (where the term is no more than 3 months and the ADI has a credit rating grade of 1, 2 or 3).

Off balance sheet exposures are weighted at 100% for commitments with certain drawdown, and 50% for other undrawn commitments with a residual maturity of more than 1 year.

Deductions are made from capital for investments in other ADIs (e.g. shares in Cuscal, Indue or ASL) and advances made to CUFSS, the credit union industry liquidity support scheme.

In a speech in September 2014 APRA chair Wayne Byres observed that there was an increasing lack of faith in internal models used for calculating risk weights, noting that: “Unless investors have faith in the resulting risk-based capital ratios they do not serve their full regulatory purpose. And if that is the case simpler metrics will inevitably become more important and potentially even binding”.


In January 2015 the Basel Committee on Banking Supervision (BCBS) released consultation papers¹⁰ on credit risk and capital floors, which propose changes to the risk weights for residential mortgages and bank exposures.

Currently, a flat 35% risk weight is applied to residential mortgages. The BCBS paper expressed concern that this approach “lacks risk sensitivity” and has proposed introducing incremental weights ranging from 25% to 100%. The risk weight of a loan would be determined by its LVR and debt service coverage (DSC) ratio (see table below) based on the borrower’s after-tax income.

The BCBS has also proposed moving away from credit ratings in determining risk weights for “bank” exposures. Instead, risk weights would use a sliding scale based on the capital adequacy and asset quality of the bank to which the institution was exposed. Key points from the proposal include:
• The lowest risk weight would be 30% compared to the current 20%
• Risk weights for customer owned ADIs could be lower than major banks, because a CET1 ratio of 12% or more is required for the lowest risk weight.

The BCBS reforms are ultimately likely to be implemented in Australia. Further discussion continues on changes to risk weightings but the proposals remain well short of being settled with rules on LVRs and LMI not yet finalised.

Mortgage Risk Weighting for Capital Adequacy Calculations

Loan to Value ratio | No Lenders Mortgage Insurance % | Lenders Mortgage Insurance %
0-60% | 35 | 35
60-80% | 35 | 35
80-90% | 50 | 35
90-100% | 75 | 50
100%+ | 100 | 75

Please note: APRA has foreshadowed potential changes to asset risk weighting for capital adequacy purposes but at the time of writing the detail remains to be finalised.

10 See http://www.bis.org/bcbs/publ/d307.pdf and http://www.bis.org/bcbs/publ/d306.pdf


APS 114: An ADI must also hold sufficient regulatory capital against operational risk exposures. The key requirements of APS 114 are:
• an ADI must divide its activities into three areas of business: retail banking, commercial banking, and all other activity;
• the total capital requirement for operational risk is the sum of the capital requirements calculated for each of the three areas of business.

The capital requirement is based on assets and income and is calculated using a standard formula. For retail/commercial banking, the formula is based on gross outstanding loans and advances over the previous 6 half-yearly periods. For all other activities, it is based on net income earned. The capital charge is the average of those 6 observations: APS 114:18.

Note: APS 113 - Internal Ratings based Approach to Credit Risk, APS 115 - Advanced Measurement Approaches to Operational Risk, APS 116 - Market Risk and APS 117 - Interest Rate Risk in the Banking Book do not generally apply to mutual ADIs because either: these Standards apply to ADIs using an Internal Ratings based approach (rather than the Standardised approach); or mutual ADIs do not have a “trading book”. However, market risk and interest rate risk must be incorporated in an ADI’s risk management framework and the ICAAP. Market risk is separately considered at the end of this chapter.

7.4. Capital Adequacy Ratios

To calculate the capital adequacy ratio for an ADI, you divide capital by risk-weighted assets.

$$\text{Capital adequacy ratio} = \frac{\text{Capital}}{\text{Risk Weighted Assets}}$$

Capital – is your accumulated reserves, mainly profits, generated over the years, plus additional sources of capital (e.g. subordinated debt and the general reserve for credit losses), less deductions (e.g. investments in Cuscal or Indue or ASL and loans to CUFSS).

Risk Weighted Assets – are mainly mortgages and other loans and investments ‘weighted for risk’. Risk weighted assets are calculated using the formulae set out in APS 111 (see table on previous page) – which reduces the assets against which you must hold capital. Risk weighted assets tend to be around half of total assets.

The statutory minimum for total capital adequacy is 8% of risk-weighted assets. Most banks operate around 8%. Most mutual ADIs operate well above that level: APRA may prescribe a ‘Prudential Capital Ratio’ – and it is increasingly doing so for mutual ADIs. From 1 January 2013, ADIs will also have to track the minimum levels of Common Equity Tier 1, Additional Tier 1 and Tier 2 Capital.

From 1 January 2016, the introduction of capital conservation of 2.5% of risk-weighted assets and counter cyclical buffers of ‘up to’ 2.5% of risk-weighted assets will need to be factored into capital adequacy calculations. In practice each ADI must apply the capital conservation buffer; while the ‘counter-cyclical’ buffer would only be applied at the discretion of APRA, with the level of the buffer determined by APRA for each ADI based on deteriorating economic conditions and prospects (the current counter-cyclical buffer is zero).
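The risk weights from section 7.3 and the ratio defined in this section can be combined in a short calculation. The following is an added example, not part of the COBA guide or of any APRA standard: it risk-weights a constructed portfolio using the guide's mortgage table and fixed weights, then tests the resulting ratios against the minima and capital conservation buffer quoted in the guide. The function names, the sample balances, the inclusive upper band boundaries and the treatment of the buffer as an add-on to the Common Equity Tier 1 minimum are assumptions.

```python
from dataclasses import dataclass

# Mortgage risk weights (%) from the guide's table, one row per LVR band:
# (upper LVR bound %, weight without LMI, weight with LMI).
# Assumption: a band includes its upper bound, so an LVR of 60% is "0-60%".
MORTGAGE_BANDS = [
    (60.0, 35, 35),
    (80.0, 35, 35),
    (90.0, 50, 35),
    (100.0, 75, 50),
    (float("inf"), 100, 75),
]

# Fixed weights quoted in the guide. The 20% ADI weight applies only where the
# term is no more than 3 months and the ADI has credit rating grade 1, 2 or 3;
# the caller is assumed to have checked that before using "adi_short_term".
FIXED_WEIGHTS = {"personal": 100, "commercial": 100, "adi_short_term": 20}

# Minimum ratios (% of risk-weighted assets) applying from 1 January 2013.
MINIMA = {"cet1": 4.5, "tier1": 6.0, "total": 8.0}
# Capital conservation buffer (% of risk-weighted assets) from 1 January 2016.
CONSERVATION_BUFFER = 2.5


@dataclass
class Exposure:
    kind: str            # "mortgage" or a key of FIXED_WEIGHTS
    balance: float       # outstanding balance, any consistent currency unit
    lvr_pct: float = 0.0
    has_lmi: bool = False


def mortgage_risk_weight(lvr_pct, has_lmi):
    """Look up the mortgage risk weight (%) for a loan-to-value ratio."""
    if lvr_pct < 0:
        raise ValueError("LVR cannot be negative")
    for upper, no_lmi, with_lmi in MORTGAGE_BANDS:
        if lvr_pct <= upper:
            return with_lmi if has_lmi else no_lmi


def risk_weight(exposure):
    """Risk weight (%) for one exposure; unknown kinds are rejected, not guessed."""
    if exposure.kind == "mortgage":
        return mortgage_risk_weight(exposure.lvr_pct, exposure.has_lmi)
    if exposure.kind not in FIXED_WEIGHTS:
        raise ValueError(f"no risk weight defined for {exposure.kind!r}")
    return FIXED_WEIGHTS[exposure.kind]


def risk_weighted_assets(exposures):
    """Sum of balance x risk weight over the portfolio."""
    return sum(e.balance * risk_weight(e) / 100 for e in exposures)


def capital_ratios(cet1, additional_tier1, tier2, rwa):
    """Ratios as % of RWA. Capital amounts are assumed to be after deductions."""
    if rwa <= 0:
        raise ValueError("risk-weighted assets must be positive")
    tier1 = cet1 + additional_tier1
    return {
        "cet1": 100 * cet1 / rwa,
        "tier1": 100 * tier1 / rwa,
        "total": 100 * (tier1 + tier2) / rwa,
    }


def shortfalls(ratios):
    """Names of the tests a set of ratios fails, in a fixed order."""
    failed = [name for name, minimum in MINIMA.items() if ratios[name] < minimum]
    # Assumption: the conservation buffer sits on top of the CET1 minimum.
    if ratios["cet1"] < MINIMA["cet1"] + CONSERVATION_BUFFER:
        failed.append("cet1_plus_buffer")
    return failed


# Constructed sample portfolio, balances in $ millions (total assets 1,000).
SAMPLE_PORTFOLIO = [
    Exposure("mortgage", 400, lvr_pct=55),
    Exposure("mortgage", 300, lvr_pct=85, has_lmi=True),
    Exposure("mortgage", 100, lvr_pct=85),
    Exposure("mortgage", 50, lvr_pct=95),
    Exposure("personal", 100),
    Exposure("adi_short_term", 50),
]

if __name__ == "__main__":
    rwa = risk_weighted_assets(SAMPLE_PORTFOLIO)
    for label, capital in (("strong", (60, 0, 5)), ("thin CET1", (18, 0, 20))):
        ratios = capital_ratios(*capital, rwa)
        print(label, round(rwa, 1), {k: round(v, 2) for k, v in ratios.items()},
              shortfalls(ratios))
```

The second case in the sample run meets the 8% total capital minimum while failing the Common Equity Tier 1 and Tier 1 tests, which is why the guide notes that each tier has to be tracked separately.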

7.5. ICAAPs in Practice

An ICAAP requires a plan and policy for the calculation of appropriate levels of capital given particular risks facing the business. Operational risk has a specific charge but otherwise there is NO prescribed capital amount to be held for any particular risk (e.g. credit, liquidity, interest rate). An ICAAP will itemise a capital allocation for each risk identified (usually expressed as a percentage of capital) as shown in Examples 1 and 2 below.

Remember: when your institution is setting an ICAAP ratio it is saying in effect: “This is the amount of capital we believe is necessary for the business to hold to cover us in the event of future losses, based on our strategy, our past performance and our expectations for the market and the business.”

With the advent of CPS 220, an ICAAP must be aligned with the Risk Appetite Statement for the ADI. An ICAAP should already address the key risks itemised in CPS 220:28 and the requirements for risk appetite and tolerances in CPS 220:30.

7.6. ICAAP Risk Itemisation

A sample ICAAP methodology might look like this:

• Credit Risk – based on an assessment of past and future bad debt using a multiple of current specific and general provisions for bad debt (e.g. 4 times current ratios to anticipate ‘outlier’ scenarios)
• Operational Risk – based on the statutory formula in APS 114
• Concentration Risk – based on a 20% reduction in property prices across the loan portfolio
• Large Exposures – based on a 20% reduction in property prices for large exposures (loans)
• Interest Rate Risk – based on a 2% rate drop across the loan portfolio and the resulting reduction in profits
• Liquidity Risk – based on losing 50% of deposits and the cost of funding new deposits
• Strategic Risk – a lump sum covering the estimated loss arising from failure of strategy e.g. rebranding, investment in technology, and introduction of new products
• Reputation Risk – based on the estimated loss arising from failure of another customer-owned ADI.

Worked Example

| Risk | Capital Requirement |
|---|---|
| Pillar 1 | |
| Credit risk | 2.00% |
| Operational Risk – APS 114 statutory formula | 0.80% |
| Pillar 2 | |
| Large Exposures | 0.20% |
| Concentration Risk | 0.50% |
| Interest Rate Risk | 1.50% |
| Liquidity Risk | 1.50% |
| Strategic Risk | 0.50% |
| Reputation Risk | 0.50% |
| Capital Buffer | 1.00% |
| Total | 8.50% |

[The sample provided is for illustrative purposes only]

In Example 1, there is a specific allocation of 2% for credit risk, well below the statutory minimum for all risks of 8%. The 2% for credit risk remains well above the historical experience of bad debt for mutual ADIs. In reality the General Reserve for Credit Losses is invariably lower than this at around 0.5% to 1.0% of assets. This approach entails realistic assessment of each risk. So, in Example 1, interest rate risk is set at 1.5% of capital based, e.g., on the experience of loss of margin due to falling interest rates in 2009, following the GFC.


7.7. The New ICAAP: APS 110 and CPG 110

APRA has updated its ICAAP requirements to reflect good practice internationally and ensure that:

• an ICAAP includes stress testing and scenario analysis;
• appropriate processes are implemented for reporting to the board on the ICAAP and its outcomes;
• an ICAAP includes a summary statement and policies to address material risks not covered by explicit regulatory capital requirements; and
• an ICAAP report is submitted by all ADIs to APRA annually.

Despite the breadth and minutiae of the changes, actual capital risk management should not be materially changed by the new ICAAP. The emphasis here is on refining the ICAAP process. Moreover, the changes generally either reflect existing practice that mutual ADIs should already be following or formalise the approach taken by APRA in supervising capital management in practice in recent years.

7.8. Revised ICAAP Requirements

An ICAAP must now include or address:

• Stress testing and scenario analysis – these must be incorporated in the methodology
• Reporting – to the board of the ADI and ensuring the ICAAP is incorporated in business decisions
• Material risks – not covered by explicit capital requirements
• A summary statement – summarising the complete ICAAP.

Additional obligations under APS 110 include:

• An independent ICAAP review must be conducted every 3 years by appropriately qualified persons
• Annual ICAAP reporting to APRA by the ADI including 3 years of capital projections
• Annual declaration by board and management on the ICAAP.

Boards must oversee the updating of ICAAPs, the creation of new processes and reports and the implementation of the new ICAAP. Compliance with the new ICAAP generally and in particular the obligations regarding stress testing and scenario analysis may stretch the technical knowledge of some directors. Consequently enhanced training on ICAAPs may be required.


7.9. CPG 110 Content

The ICAAP methodology is not prescribed but CPG 110 provides substantial guidance on the approach that APRA expects ADIs to take. CPG 110 also underlines the expectation that directors need to be more ‘hands on’ with the ICAAP, e.g.:

• ‘the capital standards require the board to be actively engaged in the development and finalisation of the ICAAP and the oversight of its implementation on an on-going basis’; and
• ‘APRA expects the board to robustly challenge the assumptions and methodologies behind the ICAAP and associated documentation’.

CPG 110 articulates that the risks covered by the ICAAP should include (as relevant to the ADI):

• credit risk, liquidity risk, market risk, interest rate risk in the banking book and risks associated with securitisation; and
• operational risk, strategic and reputational risks and contagion risks.

Other risks may be relevant for individual regulated institutions and, if so, will ordinarily be considered in the ICAAP.

An ICAAP should set capital adequacy ‘target levels’ by taking into account (as relevant to the ADI):

• the risk appetite of the regulated institution;
• regulatory capital requirements;
• internal assessments of capital needs, including those arising from the institution’s business plans and strategy;
• the likely volatility of profit and the capital surplus;
• dividend policy;
• where relevant, ratings agency assessments; and
• access to additional capital.

An ICAAP must also include capital management strategies to protect your capital that should address (as relevant to the ADI):

• raising additional external capital or capital from group sources;
• adjustments to dividend policy and dividend reinvestment plans;
• slowing or ceasing new business;
• in the case of insurers, entering into reinsurance arrangements;
• sales of parts of the business;
• asset sales;
• changes to investment strategy;
• changes to product pricing; and/or
• changes to business mix.

An ICAAP must also incorporate stress testing and scenario analysis tailored to the individual regulated institution and its particular risk exposures. Scenarios will typically cover the full range of material risks to which the institution is exposed. A range of approaches may be useful, for example:

• scenario analysis including: historical scenarios (such as the global financial crisis experience, early 1990’s Australian recession, 1987 stock market event, Japan’s 1990’s ‘lost decade’); statistically generated scenarios; and hypothetical scenarios developed by the institution;
• sensitivity testing;
• stress testing based on statistical factors or historical experience;
• reverse stress testing designed to identify a stress scenario that would cause failure of the regulated institution;
• longer-term scenarios (such as the impact of a prolonged low interest rate or low investment earnings environment) and short-term scenarios (such as market shocks and insurance events); and
• a combination of scenarios (e.g. a series of less severe but more frequent events): CPG 110:35.

7.10. ICAAPs in Practice

7.10.1. Credit Risk and the Statutory Minimum

The statutory minimum for capital is based on credit risk weighted assets. However, it is NOT a capital charge for credit risk in itself. When conducting an ICAAP, credit risk is just one of a range of risks that must be addressed. Charges should be calculated based on past delinquency performance, approvals policy (risk appetite), membership, trading conditions and current provisioning. Concentration risk (e.g. geographic or work place) is another element to be taken into account in calculating credit risk.

For most mutual ADIs, delinquency remains very low and historically write-offs are a small fraction of the general reserve for credit losses. So, to provide 8% for credit risk in an ICAAP – as institutions used to often do – is generally a significant over-statement of the potential for credit risk to cause losses. Consider the following examples:


Rationalising ICAAPs - an institution might start with a pre-determined ICAAP ratio (e.g. 12% or 13%) that is perceived to satisfy the expectations of APRA. In calculating capital requirements, the institution might then “work backwards” from the pre-determined ratio. But is this the right way to do an ICAAP? While a pragmatic approach can be useful, over time it may be more effective in managing capital to drill down into assessing individual risk types to make your ICAAP a more sophisticated and responsive risk management tool. In the long run, that approach may deliver better business results – and meet APRA’s expectations.

7.10.2. Clarifying Other Risk Categories

Regulatory risk is often included as a separate line item in an ICAAP. Although permitted by APS 110, it is part of operational risk as defined in APS 114 (which includes legal risks). Large exposures and concentration risks should also be understood, not as types of risk in themselves, but subcategories of Credit Risk or Liquidity Risk. Further, it is also arguable that large exposures are simply a form of concentration risk and could be included in an ICAAP under Concentration Risk.

7.10.3. Capital Adequacy Numbers - Percentages or Amounts?

Percentages can be misleading when measuring capital – for all mutual ADIs, and particularly smaller ones, the total amount can be modest even if the percentage is high. The amount of capital on hand is the key rather than the percentage: how much money do you have to meet potential losses? It can be useful to calculate the dollar value of capital allocations including the value of 1% of ‘risk weighted capital’ to help inform decision making. Have you calculated what 1% of capital is worth? Compare your organisation’s position with the sample below.

ICAAP Sample Data

| Item | Value |
|---|---|
| Assets | $126m |
| Risk Weighted Assets | $60m |
| Capital | $15m |
| Capital Adequacy Ratio [CAR] | 25% |
| $ Value of each 1% of Prudential Capital (based on 25% CAR) | c.$600k |

[The sample provided is for illustrative purposes only]


In the example above, a capital adequacy ratio of 25% sounds high but amounts in dollar terms to only $15m. Moreover, understanding that 1% of capital is $600,000 makes the ICAAP more meaningful – dollar figures are more useful than percentages when allocating risk capital.

In the table below, the dollar value of capital is provided for each risk listed in the ICAAP based on a value of $600,000 for each 1% of capital.

| ICAAP Capital Allocations | Capital Requirement | Dollar Value ($) |
|---|---|---|
| Credit risk | 2.00% | 1,200,000 |
| Operational Risk – APS 114 statutory formula | 0.80% | 480,000 |
| Large Exposures | 0.20% | 120,000 |
| Concentration Risk | 0.50% | 300,000 |
| Interest Rate Risk | 1.50% | 900,000 |
| Liquidity Risk | 1.50% | 900,000 |
| Strategic Risk | 0.50% | 300,000 |
| Reputation Risk | 0.50% | 300,000 |
| Capital Buffer | 1.00% | 600,000 |
| Total | 8.50% | 5,100,000 |

[The sample provided is for illustrative purposes only]

7.11. Capital Management - Policy Trigger Points

Mutual ADIs typically use trigger points to warn the board and management of potential pressures on capital. This is a kind of early warning system. Although the standard says 8% and the ICAAP might say 12%, the policy will say that there is a ‘trigger point’ or series of trigger points. Trigger points will vary depending on strategy, risk profile and risk appetite. Note that these trigger points will help you address your new obligation to set a capital conservation buffer, which in reality will operate just like a trigger point. By contrast, a counter-cyclical buffer will only be introduced if circumstances require and you are directed by APRA to introduce an additional buffer to capital management.

Trigger points are designed to inform action. Capital management plans will identify a range of actions including sale of loans to a securitisation program, or the issuing of subordinated debt, to raise capital in the event of pressure on capital. The test is whether the mutual ADI has the time to implement these actions. In short, the stated policy of an ADI is only as good as its ability to be implemented.

An example is provided in the following table.

| Trigger | Range | Policy Rule |
|---|---|---|
| Strategic Target | 17% - 20% | The board aims to maintain capital in this range in the short, medium and longer term. Capital expenditure plans will operate within this range. |
| Early Warning Trigger | 15% - 17% | The board will consider capital raising and budget adjustments options once capital goes below 18%. |
| Crisis Trigger / Capital Conservation Buffer | Below 15% | The board will implement appropriate capital raising or budget adjustments options once capital goes below 15%. |
| Prescribed Capital Ratio | 12% | APRA have mandated that this amount of capital must be held by the mutual institution to absorb potential losses. |
| ICAAP Ratio | 8.5% | The board and management estimate that this amount of capital should be sufficient to absorb potential losses. |
| Statutory Minimum | 8% | The board and management acknowledge this statutory minimum but note that the ICAAP ratio is the real policy ‘floor’ for practical purposes. |

7.11.1. Discussion of Policy Trigger Points

Directors and managers should “reality test” their policies to ensure that all courses of action are practical. For example, if your policy says that your institution will sell loans to a securitisation program to reduce the loan portfolio and pressure on capital, is there an arrangement in place with a securitisation program to actually do this? If so, what is the turnaround time to make it happen? Can you respond quickly enough to satisfy the business need for capital?


To take another example, if the capital management policy says that subordinated debt will be issued to raise extra capital and support continued loan growth, are the documentation and investors in place to do this? Again, what is the turnaround time to make it happen? Can you respond quickly enough to satisfy the business need for capital?

7.12. Positive Capital Management and Planning

Capital is not just about covering potential losses but also developing the business. By focusing on capital adequacy, the efficient and effective use of capital can be overlooked. In addition to the ‘negative’ trigger points, an ICAAP can be enhanced by adding a strategic target which both provides additional comfort to directors, management and members and contemplates longer term capital expenditure, e.g. in computer system development or branch network expansion. Some ADIs place an upper limit on capital to acknowledge that profitability is vital but should be subordinated to meeting member needs. Balancing capital adequacy, profitability and efficient use of capital is a critical dimension of running a contemporary mutual ADI.

Remember: rapid growth can quickly erode limited capital. Before committing to growth strategies, directors must be aware of the impact on capital adequacy.

Alternative sources of capital include preference shares, subordinated debt and member investment shares, all of which have been issued in recent years by Australian credit unions. Eligible ‘common equity’ capital can also include certain new instruments approved by APRA (see amended APS 110/111). All forms of additional capital attract a cost, because a return must be paid to the investor. Directors should be aware that capital-servicing costs can be significant. By contrast, no returns are paid on members’ equity in a mutual ADI.

7.13. Other Capital Issues - Market Risk

Market risk is the exposure to fluctuations in the prices of assets (primarily loans but also investments and fixed assets) and liabilities (mainly deposits). APS 113 only applies to trading book activity (e.g. investments in bonds, securities, currency or commodities) – and generally, mutuals do not have a trading book. That said, many ADIs will be required by APRA to have a formal policy incorporating interest rate risk as part of their overall risk management framework. At the very least, your ICAAP must address interest rate risk in its allocation of capital (and CPG 110 recognises interest rate risk as separate from market risk).

That market risk remains relevant to prudent management is shown by recent experience of interest rate volatility. Many ADIs experienced significant impacts to profitability as a result of the rapid decline in interest rates in 2009. More commonly, interest rate risk arises from the day to day positioning of products in a competitive marketplace.

The main indicator of interest rate risk is the interest margin: that is, the difference between the average interest rate on income generating assets (loans and investments) and the average interest rate on liabilities (i.e., deposits). Protecting the interest margin of an ADI is a key task – and duty – for any contemporary board or management team. A rising interest rate market tends to increase the interest margin, while a falling rate market tends to reduce the interest margin. This is because nearly all loans are variable rate and most deposits are fixed rate. As a result, changes to loan rates can almost immediately be passed on to borrowers, but the change in deposit rates must be delayed until the deposits mature. The impact on interest margin is then primarily caused by the time lag between changes to loan and deposit rates.

Competitive risk is a separate type of market risk, and it applies in either rising or falling rate markets. All ADIs are exposed to the risk that competitors may offer better rates on either loans or deposits. Positioning your products against competitors is another key task for managers and directors.

Your market risk policy should address strategies for managing interest rate risk including gap analysis, pricing strategies, product mix and derivatives hedging:

• Gap analysis – this management tool helps you understand the maturity mismatches within a savings and loans portfolio. Deposits ‘mature’ more quickly than loans and the longer it takes for them to ‘reprice’, the more exposed you are to interest rate risk (positive and negative). In a falling market, you can get stuck paying interest on deposits at higher than market rates. Gap analysis can then be used to inform your policy and pricing response to market risk. Value at Risk and Net Present Value of a Basis Point are other metrics that can be used to measure anticipated losses arising from interest rate fluctuations.
• Pricing – if you are not pricing products in a way that is relevant to your market, your interest margin will suffer either way. Interest margins are generally constrained for mutual ADIs across the sector by a high concentration of mortgage loans (i.e. 80%+ of all loans). Managing competitive risk is about balancing interest margin and loan volume.
• Product Mix – products can be modified to manage interest rate risk. For example, adjusting your deposit offerings can reduce market risk by minimising longer term deposits at the top of the interest rate cycle. Fixed rate loans can be used to manage interest rate risk by locking in borrowers at higher rates in a falling market, or as a customer retention strategy in a rising market. The high proportion of savings accounts exposes mutual ADIs to market risk. On the other hand, a combination of loyalty and inertia has allowed most mutual institutions to retain a large proportion of liabilities. Term deposits also have an average term much shorter than the average (real) term of mortgage loans.
• Hedging – at its simplest, a derivative can involve a ‘swap’ contract where an ADI swaps a variable interest rate stream for a fixed interest rate stream, for a premium or fee. Derivatives have received negative press in recent times but basic derivatives should be understood by contemporary directors and managers. Derivatives are used by some mutual institutions – as their balance sheets disclose. However, derivatives involve market risk exposures and need careful attention in accounting treatment. Expert advice should be obtained before using derivatives to manage market risk.

7.14. Link to ICAAP

Your ICAAP must address market risk by allocating capital for interest rate risk (this has been discussed above). As an example, market risk impacts can be quantified based on a decrease in interest rates (for example, a 2% decline in interest rates) to determine whether the ADI can sustain such an impact.

7.15. Other Capital Issues - Securitisation – APS 120

An ADI must provide additional capital for a securitisation unless it can demonstrate that credit risk is transferred to a third party within the securitisation program. APS 120 requires all ADIs to conduct a self-assessment on each securitisation and to develop a risk based policy for securitisation generally. An ADI must not provide implicit support to a securitisation and can only provide services to a securitisation on an “arm’s length” basis. Loans can be securitised either by bulk sale or on a drip feed (piecemeal) basis. In short, if a securitisation involves a mutual ADI providing loans off-balance sheet effectively as an introducer to the securitisation program, then no capital needs to be provided. Further revisions to the prudential standards will be made in 2016.

Questions for directors and managers to consider

• What are the capital needs arising from the strategy of your organisation?
• Is your organisation’s profitability sufficient to meet the need for capital created by the business strategy?
• Do you understand your organisation’s ICAAP including the risks identified and the capital allocated to them?
• Do you understand the impact of the new Conservation and Counter Cyclical capital adequacy buffers?
• Is capital properly allocated for each risk (e.g. credit, interest rate, liquidity, operational etc)?
• Are your organisation’s policy triggers clear and achievable in practice?
• Does your organisation have timely access to alternative sources of capital (including ‘common equity’ in future)? What are they?
• Does your organisation have an active capital management plan?
• Does your organisation use its capital efficiently in the interests of members?
• Do you understand the risks to capital of growing too quickly?
• Is your ICAAP report aligned with / consolidated with your APS 310 report?


8. Liquidity

Understanding and managing liquidity risk, the strategic funding requirements of the business, meeting liquidity and cashflow needs.

The risk of a liquidity problem is intertwined with all of the other risks faced by [an ADI]. For this reason, liquidity risk is often referred to as a consequential risk. In many cases, it is not poor liquidity management per se that causes an ADI to experience difficulties in meeting its cash flow obligations. Instead, it may be problems in some other area, such as in its credit or trading portfolio, or simply its reputation as a counterparty, which generates liquidity stress. The potential for such stress is, of course, inherent in the maturity transformation function that ADIs perform − the process of transforming short dated or at call borrowings into longer dated assets or loans.

8.1. APS 210 - Objective and Key Requirements

APS 210 requires an ADI to manage liquidity risk by maintaining:

• a robust liquidity risk management framework to measure, monitor and manage liquidity risk commensurate with the nature, scale and complexity of the institution;
• a portfolio of high-quality liquid assets (HQLA) sufficient to enable the ADI to deal with severe liquidity stress; and
• a robust funding structure appropriate for its size, business mix and complexity: APS 210:8-11.

The updated APS 210 places new emphasis on an overall risk management framework for liquidity and reinforces the oversight role of the board and outlines good practice requirements for senior management. In practice, an ADI will continue to agree its liquidity risk management framework and strategy with APRA. Agreement is usually reached during the inspection process or other consultation.

The risk management framework must include:

• a statement of liquidity risk tolerance, as approved by the board;
• liquidity management strategy and policy approved by the board;
• operating standards for managing liquidity risk;
• the funding strategy, approved by the board; and
• a contingency funding plan: APS 210:13.

APRA provides guidance on risk appetite and tolerance in APG 210:

• Risk appetite is an articulation of the nature and level of risk that is acceptable in the context of achieving an ADI’s strategic objectives. Not all aspects of risk appetite are quantifiable. Risk tolerance is a quantitative articulation of the maximum level of acceptable risk after taking into account appropriate mitigants and controls to reduce the risk (APG 210:4).
• Liquidity risk tolerance would generally be expressed using measurable limits that will enable a clear and transparent monitoring process to ensure that the ADI remains within these risk tolerances. Good practice is that risk tolerances are set for risks including:
  a) quality and diversification of liquid asset portfolios, e.g. by instrument and counterparty;
  b) liability diversification, e.g. by market, product, counterparty and maturity;
  c) reliance on funding sourced from offshore markets;
  d) the overall level of maturity mismatch;
  e) the management of liquidity risk across borders and legal entities;
  f) currency mismatch, including cashflow mismatches arising from the use of derivatives associated with funding sourced from offshore markets; and
  g) contingent liquidity exposures (APG 210:7-8).

The ADI board must also ensure that senior managers and other staff have necessary experience to manage liquidity risk; ensure that liquidity risk management practices are documented and reviewed annually; and review regular reports on liquidity including new or emerging risks: APS 210:14-15.

Senior management is responsible for:

• developing liquidity risk management strategy, policies and processes in line with the board approved liquidity risk tolerance;
• ensuring sufficient liquidity is maintained at all times;
• determining the structure, responsibilities and controls for managing and monitoring liquidity risk;
• ensuring adequate controls are in place to ensure the integrity of liquidity management processes;
• ensuring stress tests, contingency funding and HQLA holdings are effective and appropriate;
• establishing reporting criteria and processes including exception reports and escalations;
• monitoring current trends, market developments and internal information on liquidity risk: APS 210:16.

APRA’s guidance on appropriate operating standards for liquidity risk management is set out in APG 210, which replaces the old AGN 210 series (see APG 210:9-24).


ADIs now have a formal obligation to maintain an annual funding strategy, consistent with the overall liquidity risk management strategy, as approved by the board, which must be provided to APRA on request and regularly reviewed. An ADI must maintain a presence in its chosen funding markets and strong relationships with funds providers, and regularly gauge its capacity to practically and effectively raise funds quickly in the event of a funding crisis: APS 210:41-43.

APRA expects an ADI to have in place a range of customised liquidity measurement tools which cover vulnerabilities across normal and stressed conditions over a range of time-horizons (APG 210:35-39). APRA provides an indicative list of early-warning indicators of emerging liquidity risk which an ADI’s measurement tools would use to assess any negative trends including rising delinquencies, credit rating downgrades, rising wholesale or retail funding costs and negative publicity (APG 210:39).

All COBA members remain Minimum Liquidity Holding (‘MLH’) entities that are required to maintain a minimum holding of 9% of their liabilities in specified HQLA at all times: APS 210: Attachment C:1. Some (larger) ADIs have been classified as Liquidity Coverage Ratio ADIs (LCR ADIs), which will need to maintain sufficient HQLA to cover 30 calendar days under a severe stress scenario and to conduct scenario analysis alongside a robust stress-testing regime.

For all ADIs HQLA includes:

• notes and coin and settlement funds;
• Commonwealth Government and semi-government securities;
• debt securities guaranteed by the Australian Government, or foreign sovereign governments;
• debt securities issued by supranationals and foreign governments;
• bank bills, certificates of deposits (CDs) and debt securities issued by ADIs;
• deposits (at call and any other deposits readily convertible into cash within two business days) held with other ADIs net of placements by other ADIs; and
• any other securities approved by APRA (APS 210:Attachment C:3).


For an MLH ADI keeping deposits with another ADI to qualify those deposits as MLH assets, the ADI depositor must have an unequivocal and documented contractual right to break that deposit on demand. Any deposit placements included by an ADI as an MLH asset must be calculated net of deposits received from other ADIs (APG 210:136). Under APS 210, MLH ADIs need to conduct ‘going concern’ scenario testing: APS 210:54. 
As early as March 2011 APRA staff informed COBA that stress testing would be the ‘way of the future’ and increasingly will be expected to be demonstrated by all entities, large and small (although the degree of sophistication required will depend on the size and complexity of the entity). Liquidity crisis management was specifically identified in this context. An MLH ADI must inform APRA immediately of any concerns it has about its current or future liquidity, as well as its remedial plans: APS 210: Attachment C:8.


APS 221 also applies to liquidity to minimise concentration risk in HQLA investments. APRA approval is required for any aggregate exposure to:

• An unrelated ADI in excess of 50% of the capital base; or
• Any external party in excess of 25% of the capital base: APS 221:15/19.

In practice, smaller mutual institutions have long benefited from exemptions for large exposures to affiliated ADIs. However from 1 April 2015 all ADIs will be required to demonstrate capacity to produce daily liquidity reports on demand. APRA has taken the view that all prudent ADIs would generate and monitor this data as part of their existing liquidity risk management process. [11]


8.2. Liquidity in Practice

Liquidity is primarily held by ADIs in non-loan interest bearing assets (e.g. ADI deposits, certificates of deposit and cash). The HQLA ratio is calculated by dividing HQLA assets by total on balance sheet liabilities. (NB: Liabilities are mainly deposits – not assets. Assets are mainly loans).

$$\text{HQLA ratio} = \frac{\text{HQLA Assets}}{\text{Total Liabilities}}$$

Liquidity averages in the mutual banking sector tend to be high, particularly for smaller institutions (20 - 25% or more of total assets for some smaller mutual ADIs). Liquidity risk tends to arise because deposits and other liabilities are more readily liquidated than assets (mainly loans).

Cash flow analysis is used to track anticipated inflows and outflows of cash. Gap analysis – as used in estimating interest rate risk (see Chapter 6) – is also employed in liquidity management.

An ADI’s liquidity funding plan, including clear management responsibilities, controls and reporting obligations, must include:

• maturity mismatch limits to avoid excessive imbalances between shorter term deposits and longer term loans;

• liquid holding parameters including trigger points to ensure the ADI can handle liquidity fluctuations in normal and adverse trading conditions;

• diversification parameters to avoid concentration risk (dependence or overexposure) to individual counterparties (e.g. Cuscal or Indue or ASL or any one ADI);

• assessment of rollover risks including changes to market conditions and creditworthiness of counterparties;

• wholesale funding plans including normal corporate lending policies and standby facilities for both normal and adverse trading conditions;

• asset use policies to address the potential sale or securitisation of assets to boost liquidity; and

• industry support arrangements to deal with a liquidity crisis.

11 See letter from APRA to all ADIs dated 7 November 2014: http://www.apra.gov.au/adi/Documents/141104-letter-to-ADIs-Liquidity-risk-recent-consultations-2.pdf

Liquidity is managed on a daily basis to ensure funding is within policy ratios. Liquidity is typically held in a CUSCAL, Indue or ASL S1 account and 11AM account up to policy limits. The balance is then held in fixed term deposits or negotiated certificates of deposit with ADIs. Investment policy should prescribe limits for individual exposures, including APRA approvals for large exposures.

Cashflow is typically forecast monthly using a 3 month forecast period analysing all anticipated cash inflows and outflows. The analysis should take into account historical experience and knowledge of member behaviour (in relation to both deposits and loans), product features (e.g. fixed rate loans and competitively priced term deposits) and market conditions (e.g. loan demand).

Scenario analysis must be conducted as required on an “on-going concern” basis and as agreed with APRA on a “name crisis” basis – to ensure the capacity of the ADI to withstand a liquidity crisis (APS 210:54).

Liquidity policy should outline clear procedures for reporting and managing low liquidity and high liquidity. Targets and triggers will be set to inform liquidity management as set out in the sample below.

Liquidity Policy

| Triggers | Range | Policy Rule |
| --- | --- | --- |
| Strategic Target (preferred risk tolerance) | 15 - 20% | The board aims to maintain liquidity in this range in the short, medium and longer term. Liquidity provides a buffer to meet short term calls on funds but should not be wasteful. |
| Early Warning Trigger | 15% | The board will consider liquidity raising options at or under this level beginning with adjustments to interest rates on deposits (and loans). |
| Crisis Trigger | Below 11% | The board will access additional or emergency liquidity to keep HQLA above 11%. APRA must be consulted if there is a risk that HQLA will fall below 9% [Note: this assumes APRA has not imposed a higher standard for HQLA] |
| Statutory Minimum | 9% | HQLA must be at least 9% of total liabilities. |

[The sample provided is for illustrative purposes only]


8.3. Best Practices in Liquidity Management

High levels of liquidity can be maintained as a hedge against market volatility (provided you are prepared to accept the impact on profitability).

The threats to liquidity posed by the Global Financial Crisis were largely managed by the introduction of the Government Guarantee of Large Deposits and Wholesale Funding Liabilities. While the Government Guarantee of Large Deposits was withdrawn (24 March 2010), the associated Financial Claims Scheme for deposits (which gives deposit holders certainty in respect of their deposits up to, currently, $1 million) remains in place. This latter support is to be made permanent.

Regularly reviewing your retention strategies, particularly for large depositors, remains a critical task for boards and management.

Investments in other ADIs including inter-credit union and inter-building society investments must not be double counted, with only the net position used when calculating liquidity ratios.

Sources of additional or emergency liquidity should be clearly identified by board and management and supported by enforceable agreements where possible, including standby facilities e.g. from Cuscal, Indue or ASL, Bridges, CUFSS.

Maintaining liquidity can be expensive - attracting short term funds to respond to liquidity shortfalls can dent profits. Longer term, many mutual ADIs are looking for sources of wholesale funding to minimise this exposure.

Boards should be careful not to take ‘sticky’ deposits for granted. Loss of payroll groups and membership attrition can undermine this cheap source of funds. Competition from internet savings and other higher interest accounts can also threaten the volume and quality of savings and deposit accounts that dominate liquidity for mutual ADIs.
Directors also need to be alive to market changes such as the current trend towards ‘locked-in’ term deposits offered by the major banks as part of their response to meeting Liquidity Coverage Ratio obligations, with the effect that the term deposit market is dominated by products that do not allow early withdrawal.

8.4. Link to ICAAP

There is no prescribed method for allocating capital for liquidity risk. A common approach is to base the calculation on the cost of replacing liquidity. For example, if a given percentage e.g. 25% or 50% of deposits were withdrawn or redeemed, the loss would be the additional cost of ‘buying in’ wholesale funds. The calculation can be made using the rate quoted by the provider of your stand-by facility or line of credit.


Questions for directors and managers to consider

• Do you understand your organisation’s liquidity risk management framework including risk appetite and risk tolerance, strategy, policy and operating standards?

• Do you have plans in place to address the impacts of APS 210 and APG 210?

• Is reporting of liquidity (including cashflow analysis) in your organisation disciplined and effective and conducted by appropriately qualified and experienced staff?

• Are standby liquidity / funding facilities available for short term liquidity crises?

• Is cashflow and scenario analysis properly and regularly conducted to stress test the portfolio?

• Do you have a long-range strategic funding plan that includes trend analysis and early-warning indicators of changes to liquidity risk?


9. Credit Risk

Responsible lending – writing good loans and managing bad debt

We certainly want to see competition between lenders and fully accept that different ADIs can have different risk appetites. And we are not seeking to interfere in ADIs’ ability to compete on price, service standards or other aspects of the customer experience. However, making overly optimistic assessments of a borrower’s capacity to repay does not seem a sensible or sustainable basis on which to attract new customers or retain existing ones. 12

9.1. Credit Risk – Your Core Business

Credit is the core business of a mutual ADI. The overwhelming majority of mutual ADI assets are held in credit provided to members - primarily mortgages, which account for over 80% of mutual sector credit and other loans (87% for credit unions and 90% for building societies: APRA Statistics June 2012). Credit risk is therefore probably the most important risk facing any mutual ADI.

9.2. APS 220 Credit Quality

ADIs are required to control credit risk by adopting prudent credit risk management policies and procedures. These policies and procedures must address the recognition, measurement and reporting of, and provisioning for, impaired facilities. The key requirements of APS 220 are that an ADI must:

• have an effective credit risk management system that is appropriate to its needs;

• regularly review its credit risk management systems, taking account of changing operating circumstances, activities and risks;

• have a robust system for the prompt identification, monitoring, and accurate and complete measurement of its credit risk. This includes recognition and reporting of impaired facilities and estimated future losses on the credit portfolio; and

• maintain provisions and reserves adequate to absorb existing and estimated future credit losses in its business, given the facts and circumstances applicable at the time. This includes maintaining a prudent level of a General Reserve for Credit Losses.

12 Byres, Wayne, Chairman, APRA, “Sound lending standards and adequate capital: preconditions for long-term success”, COBA CEO & Director Forum, Sydney, 13 May 2015

The credit risk reporting system must include timely and accurate information on:

• past due facilities (i.e. 90 days past due)

• facilities that are impaired

• fair value of security held against impaired assets

• status of other sources or cash flows

• estimated future losses reflecting inherent credit risk

• value of specific provisions and General Reserve for Credit Losses for capital purposes: APS 220:18.

APS 220 requires “regular reviews” of credit risk policy elements. Your board and management must ensure the frequency of reviews is adequate given the risks associated with your institution’s operations.

An ADI must maintain specific provisions and a General Reserve for Credit Losses that, together, are adequate at all times to absorb credit losses given the facts and circumstances applicable at the time of assessment: APS 220:37. Specific provisions and the General Reserve for Credit Losses must account for all significant factors as at the evaluation date that affect, as relevant, the collectability of the credit portfolio and estimated future credit losses. The levels of specific provisions and the General Reserve for Credit Losses must be reviewed regularly to ensure they are consistent with identified and estimated losses: APS 220:40.

9.3. APS 221 Large Exposures

Good practice requires a comprehensive risk assessment of counterparty default before committing to any large exposure including both loans and investments 13. ADIs must implement proper measures and prudent limits to monitor and control their large exposures.

APS 221 deals with a form of concentration risk. ‘A large exposure is an exposure to a counterparty or a group of related counterparties which is greater than or equal to 10% of an ADI’s capital base’: APS 221:12. Safeguarding against risk concentrations to particular counterparties, industries, countries and asset classes must form an essential component of ADIs’ risk management strategies.

An ADI must consult with APRA before committing to a large exposure in excess of 10% (unless a government or ADI). APRA approval is required for any aggregate exposure to:

• An unrelated ADI in excess of 50% of the capital base; or

• Any external party in excess of 25% of the capital base: APS 221:15/19.

13 APRA staff have expressed the view (March 2011) that large exposures are often entered into by ADIs for commercial reasons, with associated risks being an “afterthought”. A “stress testing mindset” needs to be brought to bear when approving and managing large exposures.

An ADI must inform APRA immediately if there are any concerns that the large exposures or your risk concentrations have the potential to materially impact on your capital adequacy. An ADI must also immediately report to APRA any breach of the limits set by the standard: APS 221:20/21.

9.4. Credit Risk in Practice

Credit risk is best managed by ensuring good loan quality through clear, effective and appropriate credit policies, collections and provisioning. Delinquency and bad debt are historically very low for mutual ADIs. Although this is a great achievement, it suggests that the ratios can only go one way – up! As a result, this area receives constant attention from APRA and auditors to ensure that high standards are maintained for credit quality, collections and provisioning.

Lending is also now a highly regulated and technical area. Contracts and lending processes need legal advice and sign-off, supported by extensive staff training. Credit policies can be heavy on detail but all good lending follows these basic principles:

• Repayment capacity – can the applicant demonstrate sufficient income to repay the loan (and other commitments) even if rates rise – and still have more than enough to live on?

• Adequate security – if the loan requires security, what is it really worth if it needs to be sold?

• Exceptions – are the processes and policy rules for delegations and approving exceptions crystal clear and followed in practice?

• Collections – are repayments pursued proactively, respectfully and systematically?

• Bad Debts – are adequate provisions and prompt write-offs made to reflect the true state of the loan book?

9.5. Best Practices in Credit Risk

It is often said that lending used to be based on the “3 Cs” of character, collateral and capacity. Collateral in the form of security and character in the shape of credit history remain central to credit risk management. However, new laws on responsible lending and prudential regulation have reinforced the importance of capacity – the repayment capacity of the borrower. Credit risk management can be enhanced by clear policies and procedures for debt servicing ratios, hurdle rates and disposable income rules. Benchmarking of these limits and ratios could be useful for mutual ADIs.




• DSR - Debt servicing ratios

Debt Servicing Ratios [DSRs] compare an applicant’s income and expenses. The DSR equals total expenses divided by total income. The exact calculation depends on what is counted as an expense and what is counted as income. There are no formal rules as to what gets counted and excluded, but the underlying principle should be that all income must be consistent and provable (i.e. supported by evidence). The calculation can be based on net or gross income. Net income is probably the preferred measure because that reflects the amount of money the applicant has ‘in the hand’ after tax.

• Hurdle rates – what premium do you add for loan assessment?

A hurdle rate is a premium added to the actual rate applicable to a loan to make sure that the applicant can absorb future rate rises. So, if a loan is written at 7.5%, say, the repayment capacity of the applicant is tested at a higher rate e.g. 9.5%. The height of the hurdle is for the lender to decide. For example, it might be 1, 2 or 3% depending on the risk appetite and view of the market (likelihood of interest rate rises) taken by the lender. Practices appear to vary among mutual ADIs with examples reported of 1%, 2%, 2.5% and 3%. One mutual ADI over the past year reported that it assessed most loans at 10%, when rates were around 6%. Whatever “number” is used, the objective of using hurdle rates is to maintain credit quality by testing repayment capacity. This objective needs to be front-of-mind when setting the appropriate hurdle rate.

• Disposable incomes

After applying the Debt Servicing Ratio and a hurdle rate, you need to be sure an applicant (and their family if applicable) has sufficient funds to live on. Many mutual ADIs use benchmark data from the Henderson poverty index or a lenders mortgage insurer’s tables. The objective here is to ensure that the member’s interests are looked after – obviously a mutual ADI should be seeking to alleviate rather than cause financial distress.

• New guidelines for residential mortgages

APG 223 now sets out APRA’s expectations for prudent lending practices in residential mortgage lending, including the need to address credit risk within the ADI’s risk management framework, sound loan origination criteria, appropriate security valuation practices, the management of hardship loans and a robust stress-testing framework. The guidelines encourage alignment of mortgage lending with overall business strategy and risk management and broadly reflect long established good practice in lending processes and underwriting. APRA has indicated that its expectations of lending quality will be further enhanced given the sustained housing loan boom, with close attention paid to underwriting standards, ensuring that borrowers can truly demonstrate affordability and the capacity to withstand interest rate rises.

• New guidelines for investor loans

APRA introduced a 10% growth cap on investor loan portfolio growth in 2015 but only as a short term measure applicable to major banks and other large institutions. Mutual ADIs can expect APRA to closely scrutinise growth in this type of lending even in the absence of formal changes to prudential standards 14.

9.6. Process consistency

Lending always generates exceptions. Clear rules can promote consistent and transparent decision-making and ensure that lending decisions are understood – by board, management, staff and members.

All lending decisions should clearly indicate the reasons why a loan has been approved or declined and refer to the board approved credit policies and procedures. Exceptions to policies and procedures need to be clearly identified and referred to the appropriate decision making body – whether a senior manager or the board or committee.

Internal audit must closely monitor credit quality, conducting regular random checks of lending decisions and all exceptions to policy or procedure. The audit committee should review credit quality at each meeting, and the board should receive a report for each meeting, on lending approvals, decline rates, all exceptions, large exposures, trends in lending and any other irregular issues.

9.7. Fair value of securities

Mutual ADIs should not be complacent about securities – property values can go down as well as up. Credit risk management should include regular stress testing of the loan portfolio to take account of movements in the property market (see also ICAAP stress testing for concentration risk, Chapter 6). Also, LVRs are often not as high as we assume them to be when the loan is written. If a security has to be sold to cover a debt, then enforcement costs will also usually erode the value of the security.

9.8. Collections

Good collection is about maintaining relationships and good communication. Maintaining contact and communicating regularly and effectively – but respectfully – are the keys to success. Collections is also a heavily regulated area with prescriptive laws applicable to customer contact, enforcement of debts generally and the repossession of securities including properties. Clear policies and procedures with effective reporting on performance and exceptions are critical to success.

14 While APRA’s original intent had been to apply the cap to only the largest ADIs and most significant outliers, at the time of going to press (May 2016) APRA had been applying a hard 10% cap to all ADIs, irrespective of their size or current levels of investor lending. However, the regulator has indicated that it would consider removal of the 10% cap on investor lending once ADIs can demonstrate they (i) have maintained a position below the 10% benchmark and stayed there for a period of time and (ii) have addressed serviceability assessment concerns to APRA’s satisfaction.


9.9. Delinquency

Delinquency is measured by tracking loans that are 30 days in arrears – i.e. 30 days past the last due date for repayment. The delinquency ratio equals the total outstanding balances of loans in arrears divided by the total loan portfolio. The ratio is used to monitor trends in credit risk and provide ‘early warning signals’ for bad debt.

9.10. Provisioning – allowing for Bad Debt

Even if delinquency and write offs are low, bad debt still occurs and needs to be provided for. The General Reserve for Credit Losses must be determined to provide for potential future losses (bad debt/write offs) based on:

• historical experience;

• current impaired assets;

• market conditions (e.g. employment levels, interest rates, property values);

• changes in the portfolio (e.g. concentration of mortgages, personal lending, commercial lending);

• changes to lending policies; and

• changes to valuation of securities.

There is no formula for the General Reserve for Credit Losses and each ADI must arrive at its own calculation. Current practices indicate that bad debt provisioning reserves tend to range from 0.5% to 1% of risk weighted assets. This reserve provision should be taken into account when calculating the appropriate ICAAP allocation for credit risk. Benchmarking the reserve provisioning against the provisioning of other comparable mutual ADIs is also a prudent step. Useful measures of the adequacy of the Reserve can be based on risk weighted assets or capital. The Reserve must not be used as a substitute for good credit policies, adequate provisioning or appropriate bad debt write-offs. The General Reserve for Credit Losses can now be found for each ADI in its APS 330 - Public Disclosure of Prudential Information.

A Specific Provision must also be made for loans that are delinquent or impaired, according to APS 220. Provisions must be higher for riskier loans. Another common good practice is to make additional provision where it is known that a loan is impaired (i.e. that repayments are doubtful) even though the loan is not currently in arrears. 15

15 APRA staff have commented (March 2011) that they consider this practice prudent and often request ‘watch list’ or ‘pre-watch list’ information when undertaking prudential reviews.


Delinquent loans should be written off once they reach 100% provision or earlier if you are almost certain that a loan will not be recovered. Loans can be written off against the provision, and if no provision is recognised they can be treated as expenses in the income statement and will reduce taxable income. The actual provisions for impairment and bad debts written off for all ADIs can now be found for each ADI in its APS 330 public disclosure.

9.11. Commercial Loans

Commercial lending requires a specific skills set to assess repayment capacity on the basis of business performance and prospects. Staff and managers skilled in retail lending may not have – and usually do not have – the skills necessary for analysing business plans, balance sheets and profit and loss statements. Mutual ADIs should not engage in commercial lending without those skills; and commercial lending should not be a significant part of a business without an appropriate investment in skilled lending staff to handle the associated business volumes. Your institution’s credit risk policy should set a ceiling on commercial lending as a proportion of total lending.

9.12. Large Exposures

An ADI must ‘consult with’ APRA on large exposures of 10% of capital or more. Strictly speaking, APRA approval is only required for large exposures of 25% of capital or more. Consultations and approvals could be improved by the use of a standard form including an explanation of the proposed loan and applicant details. Service standards could be agreed with APRA to clarify expectations for all parties concerned. For lenders the key issue is managing member expectations. APRA may not always be aware of this pressing commercial issue. Equally, ADIs need to understand and meet APRA’s requirement for sufficient information to conduct their assessments of large exposures.

9.13. Link to ICAAP

Credit risk is fundamental to an ICAAP. As discussed in Chapter 6, capital is often provided using the ‘default’ allocation of the statutory minimum. However, credit risk should be provided on the basis of an assessment of the actual credit risk based on the loan portfolio, risk appetite, past performance and market conditions. The General Reserve for Credit Losses (‘GRCL’) should also be taken into account; in this context the GRCL can be seen as a ‘business as usual’ calculation while the ICAAP approach to credit risk will factor in a range of potential scenarios including significant adverse changes e.g. to market conditions and property values. An ICAAP should also take into account concentration risks including by geographical area, workplaces or industries, as well as large exposures. Property market fluctuations are also relevant to the extent that they change the underlying value of securities.

Questions for directors and managers to consider

• Does your organisation’s credit risk policy reflect responsible lending criteria?

• Is your organisation’s credit risk policy regularly reviewed?

• What are your organisation’s debt servicing ratios, buffer rate and disposable income allowances?

• Is delinquency effectively reported and managed?

• Does your organisation make adequate provision for bad debt?

• Are loans written off appropriately and in line with policy?


10. Audit and Disclosure

Accounting to regulators, members and the public

Auditors provide an important independent mechanism for reviewing compliance with APRA’s prudential and reporting requirements. We want to clarify the role of auditors to account for industry developments and the new Basel II Capital Framework. 16

The disciplining effects of markets can reinforce prudential supervision by rewarding those institutions that assess and manage risk effectively and penalising those where risk assessment and risk management are inadequate. 17

10.1. APS 310 Audit and Related Matters

APS 310 sets out requirements for an ADI to ensure that APRA has access to independent advice from an auditor relating to the operations, internal controls and information provided to APRA in respect of the institution. Key requirements of APS 310 include:

• the appointment of an auditor to undertake the functions set out in APS 310;

• specifying the roles and responsibilities of the appointed auditor; and that an ADI must ensure that, as appropriate, the appointed auditor is able to fulfil its responsibilities in accordance with APS 310.

Note that the old APS 310 annual declaration on key risks has been superseded by the annual statement on risk management made by the board itself, signed off by the chair of the board and the chair of the risk committee under CPS 220.

10.2. APS 330 Public Disclosure of Prudential Information

APS 330 aims to enhance transparency in Australian financial markets by setting minimum requirements for the public disclosure of information on the risk management practices and capital adequacy of locally incorporated ADIs. Locally incorporated ADIs that are Australian owned and use the standardised approaches are required to disclose some basic prudential information, along with information on remuneration for directors, senior managers and material risk-takers (generally quarterly for prudential information and annually for remuneration).

16 APRA proposes revised audit requirements for ADIs – MR 08.28, 7 November 2008.

17 APRA releases Basel II market disclosure proposals – MR 07.18, 6 June 2007.


10.3. APS 310 and 330 in Practice

The external auditor is now required to report to APRA on compliance with the prudential standards – effectively an external assessment of the same issues covered by the APS 310 attestation. The standard now requires the board to appoint an auditor for this purpose. Boards must work closely with both external and internal auditors. Auditing functions are an intrinsic part of your institution’s risk management system, within the APRA Prudential Standards framework. The board and its Audit Committee must develop a clear, comprehensive and appropriate audit plan to frame the activities of external and internal auditors. Directors and managers alike must be aware of the key role of auditors in providing assurance of the veracity of information provided both to APRA and your institution’s members.

10.4. The APS 330 statement

The APS 330 statement must be posted on your website with information updated quarterly (annually for capital data). The disclosure includes an annual statement of the capital position of the mutual, along with quarterly updates of capital adequacy and credit risk information. The detail provided varies as can be seen from the website disclosures of ADIs. The CEO attests to the reliability of the Prudential Disclosures in the annual APS 310 declaration. The board should ensure that internal audit is tasked to maintain the integrity and transparency of the process that produces both the APS 310 declaration and the APS 330 statements. The audit and/or risk committee will ordinarily be responsible for overseeing the work of the internal auditor and external auditors in support of these reports. However, the full board remains fundamentally responsible for oversight of these processes. From 30 June 2013, a common disclosure template applies along with new remuneration disclosure rules. The Capital Disclosure Template is found in Attachment A of APS 330.

10.5. Link to the ICAAP

APS 330 is about reporting on capital (and credit risk) rather than the calculation or allocation of capital. The quarterly update of APS 330 data can be aligned with the ICAAP review.


Questions for directors and managers to consider

• Is your organisation’s audit process independent, transparent and robust?

• Is your organisation’s internal audit process empowered, transparent and robust?

• Is your organisation’s APS 310 attestation process clear and robust?

• Can the board confidently endorse the APS 310 attestation made by the CEO?

• Is your organisation’s APS 330 statement properly expressed, updated and posted to your website?

• Do your organisation’s processes co-ordinate the ICAAP calculation, APS 310 attestation and the APS 330 disclosures?


11. Operational Risk

Practical tools and challenges – operational risks, outsourcing and business continuity

We expect the board to be aware of the institution’s major operational risks and how they are controlled. The board should set the institution’s tolerance for risk or “risk appetite”, through its approval of policies for managing operational risk. These policies should outline the institution’s approach to the identification, assessment, monitoring, control and mitigation of this risk. The board is also responsible for regular review of the institution’s operational risk management framework and for ensuring that senior management is actively monitoring the effectiveness of risk controls. Accordingly, the board should establish a management structure for operational risk based on clear lines of responsibility, accountability and reporting. 18

11.1. Operational Risk – New CPG 234 and 235

Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk but excludes strategic and reputational risks: APS 001:4.

CPG 234 and 235 require mutual ADIs to have a policy on managing data risk including procedures for transaction record keeping and data backup and storage, as well as procedures for other operational risks including:

• legal or compliance risk;
• key person and other human resources risks; and
• insurable risks including workers compensation, damage to physical assets, fidelity guarantee (covering internal fraud), directors' and officers' liability, public liability, professional indemnity and business interruption.

Managing data risk is crucial because it can affect an ADI’s ability to meet financial and other obligations to depositors and customers. APRA believes that the risks associated with the use of data, including data application, retention, storage and security, have become more significant with increasing automation and the criticality of data to decision-making.

18 The evolution of risk and risk management – a prudential regulator’s perspective – John Laker, 21 August 2007, Reserve Bank of Australia Conference.


11.2. CPS 231 Outsourcing

CPS 231 aims to ensure that all outsourcing arrangements involving material business activities entered into by an ADI are subject to appropriate due diligence, approval and on-going monitoring. All risks arising from outsourcing material business activities must be appropriately managed to ensure that the ADI is able to meet both its financial and service obligations to its depositors.

The key requirements of CPS 231 include that an ADI must:

• have a policy relating to outsourcing of material business activities;
• have sufficient monitoring processes in place to manage the outsourcing of material business activities;
• for all outsourcing of material business activities with third parties, have a legally binding agreement in place, unless otherwise agreed by APRA;
• consult with APRA prior to entering into agreements to outsource material business activities to service providers who conduct their activities outside Australia; and
• notify APRA after entering into agreements to outsource material business activities.

A material business activity is one that has the potential, if disrupted, to have a significant impact on business operations or ability to manage risks effectively. The internal audit function must be treated as a material business activity: CPS 231:14/15.

An ADI must notify APRA no later than 20 business days after execution of the agreement. The notice must include a summary of:

• the key risks involved in the arrangement; and
• the risk mitigation strategies put in place to manage the key risks: CPS 231:34/35.

An ADI must devote sufficient and appropriate resources to manage and monitor the relationship:

• maintaining regular contact with the provider; and
• implementing a process for regular performance monitoring (including adherence to SLAs): CPS 231:38.

An ADI must advise APRA of any problems which may materially affect the outsourcing arrangement: CPS 231:39. An ADI must advise APRA of transitional arrangements in place when it terminates an outsourcing arrangement: CPS 231:40.


11.3. CPS 232 Business Continuity Management

CPS 232 aims to ensure that an ADI implements a whole of business approach to business continuity management [BCM] appropriate to the nature and scale of its operations. BCM increases an ADI’s resilience to business disruption arising from internal and external events and reduces the impact on the ADI’s business operations, reputation, profitability, depositors and other stakeholders. The prime responsibility for the business continuity of the ADI rests with the board of directors of the ADI.

The key requirements of CPS 232 are:

• an ADI must identify, assess and manage potential business continuity risks to ensure that it is able to meet its financial and service obligations to its depositors and other creditors;
• the board of the ADI must consider the ADI’s business continuity risks and controls as part of its overall risk management systems and approve a BCM policy;
• an ADI must develop and maintain a business continuity plan [BCP] that documents procedures and information which enable the ADI to manage business disruptions;
• an ADI must review the BCP annually and periodically arrange for its review by the ADI’s internal audit function or an external expert; and
• an ADI must notify APRA as soon as possible and no later than 24 hours after experiencing a major disruption that has the potential to materially impact on the ADI’s risk profile, or affect its financial soundness.

The BCP must be reviewed by responsible senior management at least annually or more frequently if there are ‘material changes’ to the operating environment. Internal audit, or an external expert, must periodically review the BCP and report to the board or management.

An ADI must review and test its BCP at least annually, or more frequently if there are material changes to business operations. This is to ensure that the BCP can meet the BCM objectives. Results of the testing must be formally reported to management and the board. The BCP must be amended to reflect reviews and tests: CPS 232:29/30.

An ADI must include in its BCM programs for training staff and ensuring staff awareness in relation to BCM: CPS 232:18. In implementing the training program, staff with specific responsibility for the BCM program are to undertake the necessary training to ensure they can competently fulfil their duties. The training requirements should be in the performance objectives of responsible individuals. All staff must at least be familiar with the BCP for their unit.

An ADI must notify APRA “as soon as possible” and no later than 24 hours after a major disruption event. The ADI must explain to APRA the nature of the disruption, the action being taken, the likely effect and the timeframe for returning to normal operations. APRA must be notified when normal operations are resumed: CPS 232:31.

In the view of APRA staff 19, BCM is an area of ADI activity generally requiring improvement, including greater emphasis as part of an institution’s risk management framework.

11.4. Operational Risk in Practice

Operational risk is an inherent feature of doing business. An operational risk policy should cover data risk and insurable risks. It should also extend to outsourcing and business continuity, recognising these risks as operational risks.

An operational risk register should be in place with risks identified, evaluated and treated in line with the process set out in AS/NZS 4360, now (since 2009) AS/NZS ISO 31000:2009. Data risk should be covered by your BCP.

Processes and checklists should be developed and used to support due diligence of outsourcing arrangements, checking the content of outsourcing agreements and monitoring the performance of third parties. Outsourcing arrangements should include (at least): providers of treasury services; data bureau (IDPCs) services; payment processing systems; internal audit; and internet banking service providers. Professional service providers, e.g. lawyers and external auditors, are excluded.

BCPs, once established, must be reviewed annually and tests should be conducted at least annually. Third parties again – especially IDPCs – need to assist you in testing your BCPs. The annual review should address the business functions and scenarios included in the plan along with the currency or relevance of the business impact analysis.

Insurances should be checked for coverage and renewed annually including:

• fidelity guarantee;
• asset protection, including fire and malicious damage;
• directors' and officers' liability;
• public liability;
• professional indemnity; and
• business interruption.

Link to ICAAP

APS 114 mandates a formula for calculating the proportion of capital that must be provided to cover for potential losses arising from operational risks. An ADI can always provide more for operational risk (including outsourcing and business continuity risks) depending on its assessment of actual operational risks. Where this is done, your ICAAP should have an additional line item setting out the “extra” allocation of capital for operational risk.

19 Comments to COBA (March 2011)


Questions for directors and managers to consider

• Does your organisation have an operational risk register?
• Are outsourcing arrangements monitored effectively?
• Is due diligence observed when entering new relationships?
• Are new agreements signed off against the requirements of CPS 231?
• Is annual BCP testing conducted?
• Are staff adequately trained on BCP?
• Is your BCP reviewed annually?


12. Miscellaneous

Two prudential standards deal with specific issues or circumstances, namely covered bonds and the Financial Claims Scheme.

12.1. APS 121 - Covered Bonds

APS 121 sets out requirements for the issuing of covered bonds by ADIs. Covered bonds are a new type of potential funding source for ADIs that could operate as an alternative to retail deposits and other wholesale funding instruments. The board is responsible for ensuring that the ADI adopts prudent practices in the event that it issues covered bonds.

The key requirements are that an ADI must:

• adopt policies and procedures to manage risks relating to its issuance of covered bonds; and
• apply an appropriate capital treatment to exposures associated with covered bond issuance.

Any mutual ADI looking to issue covered bonds should obtain expert advice including legal advice before considering the introduction of these fund raising instruments.

12.2. APS 910 Financial Claims Scheme

APS 910 sets out the minimum requirements for complying with the Financial Claims Scheme [FCS]. The key requirements include that an ADI must be able to:

• identify each unique account-holder, to the extent practicable;
• develop and implement a Single Customer View (including detailed information on relevant account balances and account holders);
• generate and transmit payment instructions by EFT and cheque for each account-holder;
• facilitate collection of account-holders’ alternative ADI account details for reporting to APRA, ATO, and account-holders;
• facilitate communications with account-holders and stakeholders if an FCS event is declared;
• test Single Customer View data, payment and reporting information;
• ensure systems and data are subject to external audit; and
• provide a compliance attestation by the CEO.
