And 2015
Making Sense of the
Prudential Standards
A guide to best practice for
customer-owned deposit-taking institutions
January 2015
© Customer Owned Banking
Making Sense of the Prudential Standards
STATEMENT AS TO THE CURRENCY OF LAW
This Guide refers to the APRA Prudential Standards and Guides as at 1 January
2015.
IMPORTANT DISCLAIMER
All care was taken in the preparation of this Guide. However, this Guide is not to
be used or relied upon as a substitute for professional legal, accounting or risk
management advice on a particular matter.
Customer Owned Banking Association, its directors and officers, and the authors,
expressly disclaim all liability to any person in respect of this Guide, and any
consequence arising from its use by any person in reliance on the whole or any
part of this Guide.
This disclaimer does not exclude any warranties implied by law that may not be
lawfully excluded.
VERSIONS
First published February 2010
Updated December 2010
Updated March 2011
Updated November 2012
Updated May 2013
Updated October 2013
Updated February 2014
Updated January 2015
© COPYRIGHT Customer Owned Banking Association 2015
All rights reserved. No part of this work covered by copyright may be reproduced
or copied in any form or by any means (graphic, electronic or mechanical,
including photocopying, recording, recording taping, or information retrieval
systems) without the written permission of Customer Owned Banking Association.
© Customer Owned Banking Association – January 2015
2
Making Sense of the Prudential Standards
Contents
PART A: Introduction ...................................................................... 4
1.
Introduction to the Guide ...................................................................... 5
2.
APRA’s role and the APRA Prudential Standards regime – an overview ...... 10
3.
The New Risk Landscape ..................................................................... 16
4.
Managing the APRA Relationship .......................................................... 20
5.
Preparing for an APRA Visit ................................................................. 23
PART B: Applying the Prudential Standards .................................. 27
6.
Capital Adequacy ............................................................................... 28
7.
Liquidity ........................................................................................... 47
8.
Credit Risk ........................................................................................ 54
9.
Audit and Disclosure ........................................................................... 61
10.
Operational Risk ................................................................................ 65
11.
Risk and Governance .......................................................................... 70
12.
Miscellaneous .................................................................................... 76
© Customer Owned Banking Association – January 2015
3
Making Sense of the Prudential Standards
PART A: Introduction
© Customer Owned Banking Association – January 2015
4
Making Sense of the Prudential Standards
1.
Introduction to the Guide
Who is this Guide for?
This Guide to the Prudential Standards for Authorised Deposit-taking Institutions
[ADIs] regulated by the Australian Prudential Regulatory Authority [APRA] has
been written primarily for directors of mutual ADIs. We hope it will also be useful
for senior management of mutual institutions. In addition, much of the content
will be applicable to directors and management of other, particularly smaller,
ADIs.
Background to development
The board of directors of an ADI is required to play a central role in its sound and
prudent management. This has long been recognised, and the requirement is
reflected in APRA’s Prudential Standard CPS 510 – Governance.
In our view, to meaningfully discharge your obligations as a director you must
have a good understanding of the APRA Prudential Standards regime, and be able
to apply the regime when considering and reviewing your institution’s prudential
policies (capital, liquidity, credit risk, market risk etc). This is also APRA’s
expectation. As a director, you should be able to show an appreciation of the
impact of the Prudential Standards in contexts such as prudential review
meetings with APRA (see Chapter 5).
That said the scope and complexity of the APRA Prudential Standards regime can
be daunting. This can be true even for experienced directors, including those
from professional backgrounds (e.g. accounting, law or management).
The complexity of the APRA Prudential Standards regime is due in part to the fact
that the Standards do not mandate prescriptive targets over and above the
various minimums and rules in each standard. Rather, the Standards adopt a
largely principles-based approach, requiring the board and management to apply
general principles in setting capital allocation ratios, determining liquidity
management policies, setting credit risk controls, and so on. How to interpret
the language of the Standards, and the regulator’s approach to specific issues in
practice, can be a challenge for boards and management alike. This can be
compounded by a general lack of information about the experience of other
comparable institutions (due in part to the fact that the relationship between
regulator and regulated entity is conducted, for the most part, “behind closed
doors”).
Apart from this, the Standards are not static. They continue to be modified and
extended by APRA, particularly as the standards of the international body
coordinating banking supervision, the Basel Committee of the Bank for
International Settlements, can, and do, change. We look at the implications of
some of these changes, especially the revised approach to capital adequacy
management implemented under the Basel Framework, in subsequent chapters.
Directors and management obviously need to keep abreast of changes to the
© Customer Owned Banking Association – January 2015
5
Making Sense of the Prudential Standards
Standards. At the same time, you must not lose your focus on other core
requirements that need to be monitored and reviewed on an ongoing basis.
Objectives of Guide
Against this background, COBA has collaborated with consultant and legal adviser
to the mutual industry, Mark Swivel, to develop a compact, practical Guide to
understanding and implementing the APRA Prudential Standards.
Our aim is to assist busy directors and senior managers to gain, retain and
refresh the knowledge of the Prudential Standards they need to make a
worthwhile contribution to corporate governance and the prudent management of
their institution.
Structure of Guide
The structure of the Guide will be apparent from the Table of Contents. In brief,
the remaining chapters of Part A provide an overview of the Prudential Standards
framework, and APRA’s role. They also consider the regulator’s expectations of
directors, and provide some tips and suggestions on managing your institution’s
relationship with, and meeting with, this key stakeholder.
The chapters of Part B then deal with the requirements of the Standards in detail
grouped around 6 thematic headings that largely follow the way the Standards
are organised by APRA.
A brief “snapshot” of each Standard is followed by commentary and examples
focussed on how the Standards operate, and strategies for achieving and
maintaining best practice compliance. The central role of the Internal Capital
Adequacy Assessment Process [ICAAP] in structuring a regime of effective
compliance with the Standards is highlighted throughout these Chapters.
Changes to APS 110 and the introduction of updated CPG 110 reinforce the
centrality of the ICAAP to prudential risk management and emphasise the active
role directors are now expected by APRA to play in capital management.
Most chapters end with a set of questions for directors and managers to
consider—emphasising the need for active involvement in decision making by
both boards and management.
Ways Guide might be used
We envisage that the Guide will be used in a variety of ways including – as an
introductory resource for new directors, as a ‘refresher’ for directors and
management (including in the context of upcoming APRA reviews etc), and
generally as a source of sector experience, best practice tips and benchmarking
information.
Development of Guide
The primary author of the Guide is Mark Swivel. Mark is a legal practitioner and
director of Swivel Pty Ltd and was a director of SCU (Sydney Credit Union) Ltd
(from 2008-11). The Guide is largely based on the author’s experience working
with mutual ADIs over many years, advising on compliance issues and writing
© Customer Owned Banking Association – January 2015
6
Making Sense of the Prudential Standards
policies, and particularly in helping mutual institutions frame responses to APRA
Prudential Review Reports. COBA staff have also contributed to, and provided
comments on, drafts of the Guide.
In addition, we have benefited greatly from discussions with senior managers of
COBA member institutions about both their approaches to Prudential Standards
compliance, and the kind of resource that they, and their boards, would find
useful in helping their institutions maintain compliant prudential controls. Our
thanks go to all who have provided their input.
A living document
COBA updates this Guide periodically in light of changes to the Prudential
Standards, APRA’s regulatory approaches, your feedback on the current Guide,
and member institutions’ ongoing experience working with, and seeking to
implement, the Standards. The Guide was first published in February 2010 and
was updated in December 2010, March 2011, November 2012, May 2013,
October 2013 and February 2014 before this edition.
Guide is not a substitute for risk assessment of board and management
The Guide includes a range of worked examples, survey data, good practice tips
and other similar information. This information is intended to assist readers to
gain an understanding of how common issues are or might be approached across
the mutual ADI sector, to establish benchmarks, and to challenge current
practices of your institution where appropriate.
Of course, each ADI must develop its own risk management framework, with its
own assessment of risk profile, its own risk appetite and its own policy settings to
manage the range of risks that its unique business faces. The information
contained in this Guide is not intended, and should not in any way be seen, as a
substitute for the risk management work that each institution must itself
undertake on an ongoing basis.
Exclusions and limitations
Consistent with our target audience and objectives, the Guide does not address:
APS 222 - Related Entities; APS 240 - Credit Cards; and APS 610 - Payment
Facilities.
Note also that, while APRA permits certain large ADIs to measure capital
requirements with respect to credit risk using what is called an Internal Ratings
Based approach as an alternative to the more generally used Standardised
approach, this Guide considers the Standardised approach only. This reflects the
fact that no mutual institution is permitted to use an Internal Ratings Based
approach.
© Customer Owned Banking Association – January 2015
7
Making Sense of the Prudential Standards
Inclusions for 2014 and 2015 editions - confirmed and proposed changes
The February 2014 edition reflected a range of changes to the prudential
standards regime including recent changes to APS 210 (Liquidity), CPS 220 (Risk
Management) and CPS 510 (Governance) with start dates in parentheses:
•
APS 110 – confirmed changes to rules on capital composition and quality
and regulatory minima and buffers for capital adequacy (January 2013)
•
APS 111 – proposed changes to the definition of regulatory capital to
enable the mutual sector’s issuance of Basel III compliant additional Tier 1
and Tier 2 instruments (October 2013)
•
CPG 110 – changes to the enhanced ICAAP framework (March 2013)
•
APS 120 – confirmed changes to securitisation (January 2013)
•
APS 121 – new prudential regulation for secured bonds (August 2012)
•
APS 210 –standard on liquidity management (1 January 2014)
•
CPS 220 –standard on risk management frameworks (1 January 2015)
•
APS 330 – provisions for public disclosure of remuneration (June 2013)
•
CPG 234 – Management of Security Risk in Information and Information
Technology (May 2013)
•
CPG 235 – Managing Data Risk (September 2013)
•
CPS 510 –changes to include the requirement to have a Board Risk
Committee (1 January 2015)
•
APS 910 – revised standard on the Financial Claims Scheme (1 July 2013).
The January 2015 edition includes commentary which reflects APRA’s 1 increased
supervisory intensity in specific areas of prudential concern including:
•
residential mortgage lending
•
capital risk weighting
•
liquidity coverage
•
securitisation.
Although proposed regulations remain in draft standards or discussion papers,
the direction of APRA’s approach is clear.
1
See for example the finalised APG 223 Residential Mortgage Lending Prudential Practice Guide released
in early November2014. In a letter dated 9 December 2014 to all ADIs, APRA discussed the regulatory
and supervisory tools it may apply to address emerging risks in residential mortgage lending practices.
See also the statement to the House Economics Committee by APRA Chair Wayne Byers on the proposed
use of so-called ‘macro-prudential’ measures such as LVR caps and loan-to-income limits together with
the possibility of increased Pillar 2 capital requirements.
© Customer Owned Banking Association – January 2015
8
Making Sense of the Prudential Standards
Other resources
•
APRA web site – The details of the prudential standards framework can be
found here:
Prudential Standards and Guidance Notes:
http://www.apra.gov.au/ADI/ADI-Prudential-Standards-and-GuidanceNotes.cfm.
Prudential Practice Guides:
http://www.apra.gov.au/adi/PrudentialFramework/Pages/authoriseddeposit-taking-institutions-ppgs.aspx
•
The APRA site also includes general information about APRA’s role, as well
as the full text of APRA speeches, media releases and other information
referred to in this Guide.
•
COBA offers two detailed compliance manuals dealing with the APRA
governance-related Prudential Standards. They are the COBA CPS 510
Governance Compliance Manual and the COBA Fit & Proper Compliance
Manual. Your institution may already subscribe to these products. If not,
email complianceinfo@coba.asn.au for more information.
© Customer Owned Banking Association – January 2015
9
Making Sense of the Prudential Standards
2. APRA’s role and the APRA Prudential
Standards regime – an overview
What is APRA’s role?
APRA, which is an Australian Government statutory authority, is the prudential
regulator of the Australian financial services industry. Its responsibilities include
monitoring the financial soundness and stability of ADIs (including all credit
unions, building societies, mutual banks and banks generally) so that depositors’
interests are not compromised by the actions of the board or management of the
regulated institutions. APRA is also the prudential regulator of the insurance and
superannuation sectors.
In brief, APRA does everything it can, within its statutory mandate, to make sure
depositors’ money is safe.
How does APRA supervise ADIs in practice?
APRA’s day-to-day supervision of a mutual ADI is primarily based on these
activities:
•
Offsite analysis – ADIs must submit various reports and information in
accordance with the prudential standards and other requirements imposed by
APRA. Such submissions must include regular financial information (i.e. D2A
reports), business plans, forecasts, etc. This information is analysed and
assessed for compliance with the prudential standards regime and specific
prudential ratios as well as an input to the PAIRS risk assessment process
undertaken by APRA (see next point). APRA also receives applications for
transfers, takeovers, licensing, etc and undertakes review, oversight and
assessment of these key activities.
•
PAIRS Assessments - APRA conducts assessments for all ADIs of the
probability and potential impact of business failure, which covers the board,
management, risk governance, strategy and planning, liquidity risk,
operational risk, credit risk, market and investment risk, insurance risk,
capital coverage/surplus, earnings, and access to additional capital. This
assessment considers inherent risk, management and control, net risk and
capital support and is used by APRA in its ADI supervision action plans.
•
Prudential Reviews – APRA conducts periodic ‘reviews’ of ADIs, typically on a
bi-annual basis, or more frequently if APRA requires this (these reviews are
often referred to in the industry as ‘inspections’). The frequency of reviews is
based on APRA’s risk assessment of the entity, and the supervision action
plan in place to address the entity’s risks.
APRA also plays a major role in policy setting; and periodically, in consultation
with industry, in updating and extending the APRA Prudential Standards regime
with new standards and practice guides.
© Customer Owned Banking Association – January 2015
10
Making Sense of the Prudential Standards
APRA also has powers to issue directions in the event of significant noncompliance with the Prudential Standards. It can also appoint an administrator in
extreme circumstances where an ADI may no longer be a going concern.
The Prudential Standards
In simple terms, the Prudential Standards are best understood as a set of
principles designed to promote banking practices that ensure depositor’s money
is safe. From a business perspective, they can also be seen as a set of good
practice risk management principles.
There are now 24 Standards which, together with associated Guidance Notes and
Practice Guides, constitute the regulatory framework for ADIs enforced by APRA.
The main areas covered are – capital adequacy, liquidity, credit quality, large
exposures, associations with related entities, outsourcing, business continuity
management, accounting and prudential reporting, corporate governance and fit
and proper requirements (see:
http://www.apra.gov.au/adi/prudentialframework/pages/adi-prudentialstandards-and-guidance-notes.aspx.
A Snapshot of the Prudential Standards
We will consider the content of the Standards in detail in Part B of this Guide. But
here is a quick “snapshot” of what APRA requires of ADIs:
•
Capital: Minimum capital must be held as a buffer against potential losses.
Capital must be held against all the risks to which the institution is exposed.
Only certain things can count as capital - primarily profits, past and present.
Capital requirements vary depending on credit and other risk exposures. New
rules are designed to enhance the quality of capital and capital management.
•
Liquidity: Liquidity must be maintained in order to meet liabilities as and
when they fall due. Only certain things count as High Quality Liquid Assets
[HQLAs] – primarily investments held with other ADIs. Plans and funding
lines to deal with irregular events and emergencies are also required to
manage liquidity risk.
•
Business Risks: Credit risk is to be managed through good lending
practices, to minimise delinquencies and write-offs, and by appropriate
provisioning for bad debt. Market risk (interest rate risk) exposures for loans
and deposits must also be managed to protect portfolios and interest
margins. Strategic risk created by key business decisions, concentration risks
in large exposures (for credit and investments) and contagion risk from
related entities (e.g. subsidiaries), all need to be identified and minimised.
•
Operational Risk: Operational risk must be identified and managed across
the whole business of an ADI including: data risk; insurable risks (e.g.
physical assets and workers compensation); the outsourcing of key functions
to third parties; and potential business disruptions (threats to business
© Customer Owned Banking Association – January 2015
11
Making Sense of the Prudential Standards
continuity). These risks require close monitoring, clear processes and
planning to avoid losses.
•
Audit and Disclosure: ADIs must implement an independent and
transparent external audit process, supported by robust internal audit and
effective board oversight. Compliance with Prudential Standards must be
reviewed by external auditors, attested to by the chief executive and
endorsed by the board. Accountability and competition is also encouraged by
mandatory public disclosure of ‘prudential information’ on capital position,
capital adequacy and credit risk, including bad debt statistics.
•
Risk and Governance: An ADI must have a risk management framework
consistent with its strategic objectives and business plan incorporating
structures, policies, processes, people and systems for identifying, measuring,
evaluating, monitoring, reporting and controlling or mitigating material risks
that may affect its ability to meet its obligations to depositors. Sound and
prudent governance is required to maintain public confidence and deliver
benefits to stakeholders. Clear strategic direction by boards, together with
professional management from executives, incorporating contemporary risk
management practices, is demanded. Directors and senior managers must
meet high standards of competence and integrity (‘fitness and propriety’).
Board oversight of risk management and financial performance is central to
good governance. Remuneration policies and oversight arrangements that
promote the long-term financial soundness of the institution must be in place.
The new standard on Risk Management (CPS 220) dovetails with the
Governance and Capital standards to reinforce the overall risk management
framework for the ADI.
The Basel II Framework
In January 2008, a new suite of Prudential Standards developed by APRA came
into operation. The new Standards give effect to the Basel II capital adequacy
standards, called the Basel II Framework, developed by the Basel Committee on
Banking Supervision 2. In general terms, the Basel II Framework, as adopted in
the Standards, aims to bring best practice in risk management into the formal
regulatory framework for managing capital adequacy.
The focus is on promoting stronger and more accurate management and pricing
of risk, including ensuring that adequate capital is allocated to support the full
range of risks assumed by the ADI. The new regime also introduced measures to
enhance transparency by requiring public disclosure of certain capital adequacy
and risk management practices information (see Chapter 9).
2
The Basel Framework is developed by the Basel Committee on Banking Supervision (BCBS), a
Committee of the Bank for International Settlements (BIS) which fosters international monetary and
financial cooperation and acts as a bank for central banks. The BIS is the leading policy and research
forum in the international financial community.
© Customer Owned Banking Association – January 2015
12
Making Sense of the Prudential Standards
Basel III Framework
In late 2009, the Basel Committee on Banking Supervision finalised a new capital
and liquidity framework, developed in response to the Global Financial Crisis.
Known as “Basel III”, the framework aims to improve the banking sector's ability
to absorb shocks arising from financial and economic stress, improve risk
management and governance, and strengthen banks' transparency and
disclosures. As a result, new rules have been introduced that aim to improve the
quality of capital held by ADIs and their capital management by:
•
specifying new ‘common equity’ requirements;
•
introducing capital adequacy buffers including a conservation buffer and a
counter-cyclical buffer; and
•
an enhanced ICAAP framework that provides more guidance and
prescription on how ADIs must prepare and develop their ICAAP to
support capital management (see APS 110 and CPG 110).
APRA has also proposed changes to APS 210 on Liquidity:
•
a tighter definition of HQLA (discussed in Chapter 7); and,
•
enhanced liquidity risk management requirements, including in relation to
funding plans, cash flow projections, stress testing and scenario/crisis
analysis.
Following extended consultation with COBA, in April 2014 APRA released an
updated APS 111 – Capital Adequacy: Measurement of Capital with amendments
facilitating additional capital-raising options for customer-owned ADIs. APRA
wrote to all affected ADIs outlining the changes to the prudential standard 3.
The revised prudential standard represents a key step in accommodating the
customer-owned model in the Basel III capital framework. The amendments were
notable because they represent the first time that APRA has explicitly
accommodated the customer-owned model in any of the prudential standards.
APRA’s implementation of the Basel III framework in January 2013 had the
unintended effect of reducing capital options for customer-owned ADIs. The
amendments restored flexibility for the sector in raising capital from other than
retained earnings. Chapter 6 of this Guide contains further discussion on this.
On 4 November 2014 APRA released a package of reforms to funding and
liquidity reporting arrangements. Reporting Standard APS 210.0 now requires all
ADIs to be able to produce daily liquidity reports on demand. COBA argued
against this for Minimum Liquidity Holdings (MLH) ADIs, a category which
includes most mutual financial institutions,but APRA believes that “the MLH
3
See letter of 15 April 2014 to all mutually-owned ADIs from Charles Littrell, APRA Executive General
Manager, Policy Statistics and International Division,
© Customer Owned Banking Association – January 2015
13
Making Sense of the Prudential Standards
requirement … falls short of providing the information needed during a crisis to
build a view of an ADI’s daily liquidity position.” APRA therefore decided that “the
daily liquidity report should apply to all ADIs,” and noted that a “prudent ADI
would … generate and monitor this data as part of its existing liquidity risk
management process.”. APRA does not anticipate that daily reporting will be a
significant burden for MLH ADIs as the data is likely to be readily available.
Other changes to the Standards
There have been other changes to the Standards and their application in recent
years as well.
For instance, since 1 April 2010, all ADIs have been required to have
arrangements including a Board Remuneration Committee (or comparable
structure) and remuneration policy that ensures the remuneration of executives
and other key staff is aligned with the long-term financial soundness of the
institution and its risk management framework.
APRA has also started to apply Prescribed Capital Ratios to mutual ADIs. In its
2010 prudential reviews it generally focussed on credit risk, reminding ADIs to
preserve credit quality despite the return to better trading conditions following
the 2009 Global Financial Crisis.
APRA has also released an updated version of Prudential Standard APS 210
Liquidity, which introduces interim measures which alter the way the Committed
Liquidity Facility (CLF) applies to foreign bank branches. Several prudential
standards have been consolidated so that they are now identical for the different
entities regulated by APRA i.e. ADIs and non-ADIs.
APRA has introduced new cross-industry standards for risk management
generally which will require ADIs to formalise their risk management framework,
appoint a Chief Risk Officer and establish a Risk Management Committee. These
new requirements are set out in CPS 220 Risk Management and an updated
version of CPS 510 Governance. They were not fully effective until 1 January
2015. However, ADIs were expected to develop implementation plans to ensure
that regulated entities are able to meet all requirements by 1 January 2015.
These are significant (but long-anticipated) changes to the substance of ADI
prudential risk management obligations. Note also there are consequential
amendments to the following standards to reflect the changes introduced by the
new cross-industry standards for risk management:
•
•
•
•
•
•
•
APS
APS
APS
APS
APS
APS
APS
001
116
120
210
220
221
222
Definitions
Capital Adequacy: Market Risk
Securitisation
Liquidity
Credit Quality
Large Exposures
Associations with Related Entities
© Customer Owned Banking Association – January 2015
14
Making Sense of the Prudential Standards
•
•
•
•
•
•
•
•
•
•
•
•
APS 310 Audit and Related Matters
APS 330 Public Disclosure
APS 610 Prudential Requirements for Providers of Purchased Payment
Facilities
CPS 231 Outsourcing;
CPS 232 Business Continuity Management;
GPS 001 Definitions;
GPS 110 Capital Adequacy;
GPS 113 Capital Adequacy: Internal Model-based Method;
GPS 310 Audit and Related Matters
GPS 320 Actuarial and Related Matters;
LPS 001 Definitions; and
LPS 320 Actuarial and Related Matters
Chapter 12 was also added in 2013 to the Guide to cover new prudential
standards APRA has introduced to address specific issues facing industry:
•
•
APS 121 – Covered Bonds
APS 910 – Financial Claims Scheme
On the Horizon
On 18 September 2014 APRA released for consultation a discussion paper and
draft amendments to APS 110 Capital Adequacy and APS 330 Public Disclosure
which outlined APRA’s proposed implementation of new disclosure requirements
for ADIs. The proposed disclosures are in relation to the leverage ratio, the
liquidity coverage ratio and the identification of globally systemically important
banks. The consultation package also proposes minor amendments to rectify
minor deviations from the Basel III framework.
© Customer Owned Banking Association – January 2015
15
Making Sense of the Prudential Standards
3.
The New Risk Landscape
The role of boards in risk management is increasingly demanding. We are now a
long way from the days of volunteer directors who relied on management to ‘run
the business’. Contemporary business culture places the boards of ADIs and
other businesses at the centre of risk management. In the case of ADIs, the
Prudential Standards strongly reinforce this trend, the more so since the
Standards were revised in 2008 to implement the Basel II Framework (see
Chapter 2).
For mutual ADI managers, risk management also requires new skills that reach
beyond the competencies of bread and butter banking.
Risk Management Framework – CPS 220
CPS 220 articulates long-standing informal expectations for ADI risk
management. From January 2015, an ADI Board must have in place a risk
management framework (RMF) appropriate to its size, business mix and
complexity that is consistent with the ADI’s strategic objectives and business
plan.
The RMF will overlay the specific risk systems e.g. policies for capital, liquidity,
market and other risks and must include a board approved:
•
risk appetite;
•
risk management strategy that describes the key elements of the RMF that
give effect to its approach to managing risk;
business plan that sets out its approach for the implementation of its strategic
objectives;
In practice, an RMF should be closely aligned with the ICAAP and APS 310
declaration for the ADI.
•
The ADI must also maintain adequate resources to ensure compliance with CPS
220 and notify APRA of significant gaps in, breaches of or material deviations
from the RMF.
Impact of ICAAP
As part of your institution’s compliance with the Prudential Standards post-Basel
II, it must develop, document and maintain a comprehensive Internal Capital
Adequacy Assessment Process [ICAAP], proportional to its operations and
consistent with APRA’s requirements. In brief, the ICAAP is the APRA-mandated
process for ensuring ADIs take an integrated whole-of-enterprise approach to
allocating capital as a buffer against potential losses. The ICAAP is discussed
further in Chapter 6 on Capital Adequacy, and referred to throughout Part B of
the Guide.
© Customer Owned Banking Association – January 2015
16
Making Sense of the Prudential Standards
Until ICAAP, the Prudential Standards regime could be interpreted as a diverse
range of rules and requirements dealing with separate topics. ICAAP changes
that by bringing each risk type under the one umbrella and allocating prudential
capital for each risk. For example, liquidity risk is no longer just a matter of
meeting minimum standards for HQLA. It now also requires the allocation of an
amount of capital, considering potential threats to liquidity and the costs incurred
by your ADI if those costs materialise.
Your ICAAP can now be used as the centrepiece of your institution’s Prudential
Standards risk management framework. As part of this, all the directors of your
institution should be familiar with the details of your ICAAP. Under the Basel III
changes, directors are now expressly required to understand and be actively
engaged in the development and monitoring of your ICAAP (see CPG 110 and
CPS 220).
Risk and Strategy
Strategy drives risk. APRA will expect all directors and managers to see and
understand the linkage. Your risk management framework must acknowledge
the strategy of the organisation. At the same time, risk should be incorporated in
your strategic planning.
Risk is present whether your strategy is ‘adventurous’ or ‘cautious’. If an ADI
commits to an aggressive growth strategy, risk increases. For example, a
growing loan book can put pressure on capital adequacy; stretching targets may
threaten loan quality and undermine sales processes; and liquidity may be
challenged by spikes in loan funding. On the other hand, risk does not go away if
an ADI adopts a more ‘conservative’ strategy and commits to consolidating its
position. For example, the ADI may lose its relevance; it may stagnate as it tries
to ‘fly under the radar’; it may lose members, loans and deposits, and as a
consequence costs may increase while income and profits can fall.
Be honest about risk
Risk is everywhere. Even in the best-run businesses and ADIs, risks are inherent
to all activity. The question is whether the risks are identified and managed by
the board and management team. So, if there’s a golden rule about risk, it might
be ‘be honest and up front’ and acknowledge the importance of risk. For
example, even if delinquency is currently low and write-offs have been
historically negligible, the risk of default remains a key business risk for any ADI.
Risk Appetite Statement
There is no formula for describing the risk appetite of an ADI; however, the
prudential standards now require a formal risk appetite statement for all ADIs
(see APS 110, CPG 110 and CPS 220). Each ADI must articulate its own risk
appetite as part of its risk management. You should already have the ‘spirit’ of
your risk appetite expressed in your existing policies.
The key requirements for the Risk Appetite Statement (RAS) of an ADI are set
out in CPS 220:28-30. The RAS must address material risks including: credit
© Customer Owned Banking Association – January 2015
17
Making Sense of the Prudential Standards
risk; market and investment risk; liquidity risk; insurance risk; operational risk;
risks arising from strategic objectives and business plans; and other risks that
may have a material impact on the ADI.
The RAS must outline:
•
the degree of risk the ADI is prepared to accept in pursuit of its strategic
objectives and business plan, giving consideration to the interests of
depositors and/or policyholders (risk appetite);
•
for each material risk, the maximum level of risk that the ADI is willing to
operate within, expressed as a risk limit and based on its risk appetite, risk
profile and capital strength (risk tolerance);
•
the process for ensuring risk tolerances are set at appropriate levels, based
on estimated impacts and likelihood of breaches;
•
the process for monitoring compliance with risk tolerances and for taking
action in the event of breach; and
•
the timing and process for reviewing risk appetite and tolerances (CPS
220:28-29).
Each ADI must articulate its own risk appetite as part of its risk management.
You already have the ‘spirit’ of your risk appetite expressed in your existing
policies.
Although all mutual ADIs are different, the core business model tends to produce
similar risk appetites as shown in these typical elements or business
characteristics:
•
Product range – ‘vanilla’ savings, loan and payment products
•
Non standard products – limited use of non-core products (e.g. insurance)
•
Loan portfolio composition – high ratio of mortgages to personal loans, low
average loan-to-value ratios (LVRs)
•
Deposit portfolio composition – ratio of savings to term deposits
•
Credit quality – concentration of assets in secured lending, conservative debt
servicing ratios, limited commercial lending
•
Pricing strategy – competitive but not market leading interest rates
•
Property holdings – limited exposure; generally small scale commercial
properties
•
Staff culture and incentives – emphasis on service and strong control culture
•
Cost to income ratios – generally high ratios across the sector (relative to
banks), primarily due to staffing and branch costs
•
Capital and other prudential ratios – operating well above statutory
minimums.
© Customer Owned Banking Association – January 2015
18
Making Sense of the Prudential Standards
Alternatives to these norms can be found in organisations that pursue aggressive
growth targets, subsidiary businesses, non-core businesses, high concentrations
of commercial lending, and atypical strategic alliances.
Other tips on risk management
Don’t make risk a chore. Risk management is good management.
The Prudential Standards should be approached as statements of good practice.
Each standard establishes minimum levels of requirements and behaviour only.
Every ADI must set its own policy rules based on its risk appetite, culture and
risk management systems.
Your prudential standard compliance system should also be aligned with other
compliance systems e.g. for consumer credit, AML, privacy and AFS licensing.
Good practice in compliance involves creating a compliance ‘culture’ in the
organisation, sponsored by the board and driven through the organisation by
management. For more on Compliance Programs see AS 3806-2006.
See also “The importance of a risk management strategy” in Kiel et al Directors
At Work: A Practical Guide for Boards (Thomson Reuters 2012 p 352); and COBA
publication The Decisive Board “The Board Risk Committee” (July 2014 issue).
© Customer Owned Banking Association – January 2015
19
Making Sense of the Prudential Standards
4. Managing the APRA Relationship
Mutual ADIs should approach the relationship with confidence
In an address to the COBA and AM Institute Convention held in Melbourne in
October 2013, Dr John Laker, outgoing APRA Chairman, acknowledged the strong
performance of mutual ADIs despite the 2009 Global Financial Crisis. Dr Laker
observed :
” Mutual ADIs have emerged from this period and what was no doubt a very
unsettling experience during the worst of the crisis, in solid shape. As a sector
mutual ADIs have continued to grow balance sheets sensibly, earn good profits
(around $450 million in 2012/13) and maintain healthy capital positions. No
mutual ADI failed during the crisis and no mutual ADI breached any of APRA’s
key prudential requirements. A record to be proud of and one that mutual
movements in other countries must envy” 4
Dr Laker’s remarks suggest that mutual ADIs have effective risk management
systems in place. Although there is no cause or room for complacency, mutual
ADIs can approach the relationship with APRA with confidence.
APRA’s expectations of the board of directors
APRA has long seen the role of the board as central to the governance of mutual
ADIs. The position is now clearly stated in CPS 510:
The Board of directors [of an ADI] is ultimately responsible for the sound and
prudent management [of the ADI].
APRA expects the board of a mutual ADI to:
•
understand their business;
•
be capable of identifying, monitoring and managing the risks associated with
that business;
•
anticipate and respond to emerging risks; and
•
approve and oversee implementation of risk-based policies.
Given these expectations, a modern mutual ADI board should:
•
invest in risk management (internally and externally);
•
implement and oversee a comprehensive risk management framework;
•
conduct regular policy reviews; and
•
pro-actively engage APRA and other regulators.
What should a director be doing about Prudential Standards compliance?
Directors must actively participate in the governance of ADI. To do this
meaningfully, as a contemporary director you must be able to:
4
Mutuals : a look back and ahead – John Laker, COBA Convention, Melbourne , 29 October 2013 p 1
© Customer Owned Banking Association – January 2015
20
Making Sense of the Prudential Standards
•
understand the APRA Prudential Standards regime 5;
•
understand your own policies especially capital, liquidity, market risk and
credit risk; and
•
contribute to the strategic risk management process.
What should Risk Committee members (and the chair) be doing?
Although the board as a whole is ultimately responsible for the risk management
function, the Risk Committee members should probably be doing a little more
work than other directors in this area. They should have a good working
knowledge of the details of all Prudential Standards and Guides. The chairs of
the board, Audit Committee and Risk Committee should seek to develop good
working relationships with their contacts at APRA 6.
Communication with APRA – some tips and ideas
Many mutual ADIs maintain effective relationships with APRA. ADIs reporting
‘good experiences’ with APRA emphasise the importance of proactive
communication with their APRA contacts.
Communication and openness can build rapport and an effective relationship with
your regulator.
Here are some ‘common sense’ ideas and tips for better communication with
APRA:
•
Pick up the phone: There’s no need to wait for the phone to ring. ADIs are
free to call APRA and discuss their business and any concerns. For example,
your institution might contact its APRA supervisor on a quarterly or even
monthly basis to discuss your D2A report and current issues in the business,
as well as your institution’s responses to issues raised in the most recent
APRA inspection report.
•
Visit your regulator: There’s no need to wait for an inspection. Some ADIs
already meet with APRA on a regular basis whether at APRA’s offices or yours.
You might prepare a presentation once or twice a year to make sure APRA
knows where your business is going, the state of your prudential ratios and
your appetite for risk.
•
Policy reviews: There’s no harm in telling APRA about policy reviews as they
happen. As you work through your annual policy review schedule, why not
send APRA an email to remind them that your policy review has been
completed, with a summary of the changes made.
5
APRA wrote to all ADI directors on 7 October 2014 clarifying the requirements it imposes on boards by
the prudential standards: http://www.apra.gov.au/CrossIndustry/Documents/Letter-to-industryimproving-APRA-board-engagement-October-2014.pdf
6
For a detailed discussion of the functions of the Board Risk Committee see the COBA publication The
Decisive Board. July 2014.
© Customer Owned Banking Association – January 2015
21
Making Sense of the Prudential Standards
•
Keep APRA in the loop: The regular D2A report provides a lot of information
to APRA. However, some ADIs provide a more frequent report. In one case, a
credit union sends APRA a weekly ‘dashboard’. That’s a good example of
keeping your regulator in the loop.
Developing a “dashboard” update for APRA
Your institution might consider a monthly email to APRA that includes the
following prudential and financial metrics:
Mutual ADI
Prudential
Internal
Current
APRA Update – Dashboard
Limit
Strategic Target
Position
/ Policy Limit
Capital Adequacy Ratio
8%
12.5-15%
14.5%
PCR / ICAAP
12% (PCR)
9% (ICAAP)
14.5%
Common Equity Tier 1 Minimum
4.5%
8%
14.5%
Liquidity – HQLA
9%
11-25%
20.25%
Interest rate risk (NPVBP)
NA
5%
2.75%
Delinquency > 30 days
NA
<1%
0.75%
General Reserve for Credit Losses
NA
0.50%
0.75%
Return on Assets
NA
1%
0.75%
Asset Growth
NA
5% p.a
8.25% p.a.
Cost to Income Ratio
NA
75%
77.5%
Commercial Lending (% of
NA
5%
2.5%
NA
2.5-3.5%
3.55%
portfolio)
Interest Margin
[The sample provided is for illustrative purposes only]
Note: the sample policy limits included in the table above provide an example of
how to approach compliance with the new requirements to articulate risk
tolerances: CPS 220:30.
Questions for directors and senior managers to consider
How could you improve your communications with APRA?
Could you use a dashboard to report to APRA more regularly?
What could you do to enhance your understanding of risk management?
© Customer Owned Banking Association – January 2015
22
Making Sense of the Prudential Standards
5. Preparing for an APRA Visit
Planning Meeting – before the prudential review
The board and management should meet to discuss their approach to the
meeting with APRA. APRA will send a letter outlining the agenda for the
inspection and a list of information required by them before and during the visit.
Management will largely attend to the response but the board should be engaged
with the process. Here is a recommended approach for organising your response
to a prudential review or ‘inspection’:
•
Review the APRA ‘Prudential Review’ letter including agenda and information
required by APRA – discuss the board and management response to each
item clarifying current practices, identifying potential discussion points, and
the documentation that will assist your response.
•
Review the ‘Board and Governance’ section and agree an approach e.g.
dividing topics among directors. Consider developing a presentation to
address the matters raised (see further below).
•
Review the APS 310 declaration – the annual statement on key risks made by
the CEO and endorsed by the board, which should ideally be a summary of
the work conducted by the board or risk management committee throughout
the year.
•
Ensure all policy reviews are complete, particularly the ICAAP – and ensure all
directors understand the elements of the ICAAP and allocation of capital for
specific risks (strategic, credit, interest rate, liquidity, operational etc).
•
Ensure all outstanding items from previous reviews, and issues raised in
subsequent correspondence, have been acted on and implemented including
changes to policies and procedures.
Your approach might well be guided by APRA’s comments on the process. For
instance, the following comments were made by Stephen Glenfield at the COBA
Convention 2009:
•
Treat the review as an opportunity—show you know what you are doing,
and where you are going
•
Be transparent—don’t just hope APRA won’t find it
•
Consider outstanding matters from past/reviews/ audit reports—what has
your institution done about these?
•
What are your institution’s current issues or problems—and, most
importantly, what are you doing about these?
•
What is “Plan B” if your current strategy encounters problems—be
sensible!
Director Preparation - What should directors know?
© Customer Owned Banking Association – January 2015
23
Making Sense of the Prudential Standards
To prepare for an APRA visit, a director of a mutual ADI should revise:
•
The basics of each Prudential Standard—this Guide can assist you here;
•
Your policy guidelines and risk management framework; and
•
The current position of the ADI for each key prudential ratio (especially
capital, liquidity, interest rate risk, delinquency, provisioning).
Most mutual ADIs now have an intranet holding all policies and the organisation’s
risk management framework. The data on key prudential ratios – for the last 12
to 24 months - should be found in your most recent board papers.
Champions: Many mutual ADIs appoint “champions” for particular risk areas.
While everyone must have a general knowledge of the standards and policies, the
appointed ‘experts’ can delve deeper into the detail of the separate topics.
Directors Prudential Review Meeting With APRA
APRA will usually ask directors to attend a meeting with APRA representatives as
part of a prudential review. The agenda will be provided in advance. This will set
out APRA’s expectations for the session, which will usually last for 2 or 3 hours.
The meeting will usually be conducted without management present.
To assist the process, the board may wish to develop a presentation, with
different directors talking to different topics, including:
•
Governance structure – board charter, committees, strategic planning and
budgeting processes
•
Overview of strategic plan, risk profile and risk appetite
•
Key performance metrics (from strategic plan and business plan/budgets)
•
Major initiatives (e.g. new business areas, mergers, strategic alliances)
•
Approach to capital, liquidity, credit risk, market risk, operational risk
APRA wants to see a proactive and engaged board that understands its strategy
and the associated risks. Directors should be able to show an appreciation of the
impact of the Prudential Standards, the performance of the organisation and the
risk management outlook for the foreseeable future.
In particular, APRA expects to see a “joined up” and consistent approach to risk
across the institution’s strategy, policy and implementation. It is probably not
good practice, for example, to say that your institution has a low risk appetite if
you are about to launch a new commercial lending arm.
From 2013, directors can reasonably expect APRA to emphasise the content,
development and understanding of the ICAAP in their reviews. Although not all
directors will need to be involved in the technical formulation of the ICAAP,
everyone must have a solid understanding of what it means for capital
management and strategy, both for the current operating environment and the
future as seen by the organisation.
© Customer Owned Banking Association – January 2015
24
Making Sense of the Prudential Standards
The post-Prudential Review letter from APRA
After the visit, APRA will issue a letter setting out a range of issues for action
designed to enhance your institution’s risk management framework. The actions
will usually be described as one of the following:
•
Requirements—these are effectively mandatory;
•
Recommendations—what APRA sees as best practice, and wants to
encourage your institution to adopt. These need to be seen, inter alia, in
the context of your institution’s broader relationship with the regulator;
and
•
Suggestions—optional actions that may improve your institution’s
approach to risk management.
Each action raised by the APRA letter must be addressed. The board and
management must respond in writing outlining the actions taken in response to
each item. You may not agree with every item, or the reasons behind it. But
where you want to tell APRA you do not agree, make sure your response is a very
clear and reasoned one.
Again, transparency and effective communication is paramount when responding
to the APRA letter.
APRA terms explained in detail
Requirement - If an action is classified as a “Requirement”, the entity must
undertake specific action to address the associated matter. Typically, matters
resulting in a “Requirement” will relate to either the entity’s failure to comply
with legislation or prudential standards, or a fundamental deficiency in the
entity’s risk management and/or governance practices. A general failure by the
entity to act on a “Requirement” may result in APRA exercising legislative or
prudential remedies.
Recommendation: If an action is classified as a “Recommendation”, the entity is
expected to consider formally the implementation of what is being put forward.
Typically, matters resulting in a “Recommendation” will relate to areas of risk
management and/or governance that whilst not fundamentally deficient, could be
improved. A general failure by the entity to implement “Recommendations” may
result in a higher risk rating being assigned and, potentially, in APRA exercising
legislative or prudential remedies.
Request for Additional Information: If an action is classified as a “Request for
Additional Information”, the entity is required to provide that information within
the specified timeframe. Typically, matters resulting in a “Request for Additional
Information” will relate to areas where information was either absent, incomplete
or inconclusive. A general failure to respond to a “Request for Additional
Information” may result in APRA, without further warning, issuing formal
legislative notices requiring the production of information or documents.
Subsequent follow-up action may be necessary depending on APRA’s assessment
of the information supplied.
© Customer Owned Banking Association – January 2015
25
Making Sense of the Prudential Standards
Suggestion: If an action is classified as a “Suggestion”, this represents the
opportunity for the entity to move towards better practice. Subsequent follow-up
action in relation to suggestions is usually performed in the context of better
practice considerations and does not involve timeframes for implementation.
© Customer Owned Banking Association – January 2015
26
Making Sense of the Prudential Standards
PART B: Applying the
Prudential Standards
© Customer Owned Banking Association – January 2015
27
Making Sense of the Prudential Standards
6. Capital Adequacy
Active capital management - evolving approaches to ICAAP and capital allocation
for risks
Capital is the cornerstone of an ADI’s financial strength. It supports an ADI’s
operations by providing a buffer to absorb unanticipated losses from its
activities and, in the event of problems, enables the ADI to continue to
operate in a sound and viable manner while the problems are addressed or
resolved: APS 110:7. The board of directors of an ADI has a duty to ensure
that the ADI maintains a level and quality of capital commensurate with the
type, amount and concentration of risks to which the ADI is exposed from its
activities. In doing so, the board must have regard to any prospective
changes in the ADI’s risk profile and capital holdings: APS110:9.
Capital Adequacy - Objectives and key requirements
APS 110: An ADI must maintain adequate capital to act as a buffer against the
risks associated with its activities. APS 110 outlines the overall framework for
APRA’s assessment of the capital adequacy of an ADI. The updated key
requirements of APS 110 are that an ADI must:
•
have an ICAAP;
•
maintain minimum levels of capital;
•
operate a capital conservation buffer and, if required, a countercyclical capital
buffer;
•
inform APRA of any adverse change in actual or anticipated capital adequacy;
and
•
seek APRA’s approval for any planned capital reductions.
Basel III also changes the details of capital adequacy rules. From 1 January
2013, an ADI must hold a prescribed capital ratio based on risk weighted assets
of:
•
a Common Equity Tier 1 Capital ratio of 4.5 per cent;
•
a Tier 1 Capital ratio of 6.0 per cent; and
•
a Total Capital ratio of 8.0 per cent.
APS 110 also introduces capital buffers that operate over and above these
minima. When managing capital, ADIs will be required – from 1 January 2016 to factor in:
© Customer Owned Banking Association – January 2015
28
Making Sense of the Prudential Standards
•
A capital conservation buffer (to ensure prudential capital management and
avoid breaching the PCR or ICAAP); and
•
A counter-cyclical buffer (if and when required by APRA).
The revised APS 110 also now explicitly mentions ‘risk appetite’ and notes
‘Capital management must be an integral part of an ADI’s risk management, by
aligning its risk appetite and risk profile with its capacity to absorb losses (APS
110:8).
“The mutual ADI sector has a substantial buffer of high-quality capital above
APRA’s prudential requirements to cope with financial stress…On current
holdings mutual ADIs will also easily pass the second milestone on 1 January
2016, when the new capital conservation buffer comes into effect” Mutuals : a
look back and ahead – John Laker, address to COBA Convention, Melbourne ,
29 October 2013 p 6
APS 111: APS 111 sets out the essential characteristics that an instrument must
have to qualify as either Common Equity Tier 1, Additional Tier 1 or Tier 2 capital
for inclusion in the capital base. The new concept of Common Equity essentially
means ordinary shares or retained earnings. Remember that mutual ADI capital
is almost entirely made up of profits – retained and current. Additional Tier 1
capital supplements Common Equity but the capital instruments must comply
with strict conditions to qualify.
Tier 2 capital falls short of the quality of Tier 1 capital but contributes to the
overall strength of the ADI as a going concern. The capital base is the sum of
Tier 1 and Tier 2 capital after deductions. The key requirements of APS 111 are
that an ADI must:
•
only include eligible capital as a component of capital for regulatory capital
purposes; and
•
make certain deductions from capital (e.g. for shares in other ADIs and
companies, investments in CUFSS and intangible assets).
Prior to April 2014 the ‘viability’ provisions of the APS 110/111 made it difficult
for mutual ADIs to create Additional Tier 1 instruments because of the general
requirement for capital instruments to be able to convert into common equity
(which for mutual or customer owned ADIs is limited to member share capital)
e.g. in the event of winding-up. In April 2014 APRA released the final amended
Prudential Standard APS 111 Capital Adequacy: Measurement of Capital (APS
111), which allows mutually owned ADIs to issue Additional Tier 1 (AT1) and Tier
2 (T2) Capital instruments that will qualify to be included in Common Equity Tier
1 (CET1) Capital provided they meet the requirements in Attachments B, F, J and
K of APS 111.
© Customer Owned Banking Association – January 2015
29
Making Sense of the Prudential Standards
To qualify, the capital instruments must provide for conversion into mutual equity
interests (MEI) in the event that the loss absorption or non-viability provisions in
these instruments are triggered.
Conversion into ordinary shares is not possible for mutual ADIs due to their
mutual corporate structure.
The conditions for the qualifying instrument include the requirement for mutual
equity interests to provide no voting rights (other than as required under the
Corporations Act) and to limit both the claim of mutual equity interest holders on
any surplus of a failed mutual ADI and the amounts that can be paid by way of
dividends to these holders.
Prior to the issue of any eligible Additional Tier 1 or Tier 2 Capital instrument
whose terms provide for conversion to mutual equity interests, the issuer must:
(a) have a constitution that permits the issue of mutual equity interests and the
terms of the issue must be consistent with the issuer’s constitution;
(b) have obtained approval from its members, if required by the issuer’s
constitution, to the issue of mutual equity interests if the prescribed events
occur;
(c) have obtained approval from members, if required by the issuer’s
constitution, for the terms of issue of mutual equity interest; and
(d) have obtained any relief considered by the ADI to be necessary under Part 5
of Schedule 4 of the Corporations Act for the issuance of mutual equity interests.
For further details refer to APS 111 available at
http://www.apra.gov.au/adi/Documents/20140408-APS-111-(April-2014)revised-mutual-equity-interests.pdf.
Note: the impact of the Basel III changes on Additional Tier 1 and Tier 2 capital
instruments needs to be considered by each ADI; and APRA should be consulted
to determine the treatment of all existing instruments.
APS 112: An ADI must hold sufficient regulatory capital against credit risk
exposures (i.e. loans and investments). The key requirements of APS 112 are
that an ADI:
•
must apply risk-weights to on-balance and off-balance sheet exposures based
on credit rating grades or fixed weights broadly aligned with the likelihood of
counterparty default; and
•
may reduce the credit risk capital requirement where the asset or exposure is
secured against eligible collateral or supported by mortgage insurance from
an acceptable lenders mortgage insurer.
Risk weighting varies depending on the risk of an exposure. As a result:
•
Mortgages are weighted at 35% to 100% depending on the LVR and whether
lenders mortgage insurance (LMI) applies (see table below);
© Customer Owned Banking Association – January 2015
30
Making Sense of the Prudential Standards
•
Personal loans and commercial loans are always 100% risk weighted;
•
Loans 90 days past due are weighted at 100% for mortgage secured loans
and other loans where specific provision is more than 20% of the outstanding
balance; and up to 150% for other loans where specific provision is less than
20%; and
•
Investments in ADIs are risk weighted at 20% (where the term is no more
than 3 months and the ADI has a credit rating grade of 1, 2 or 3).
Off balance sheet exposures are weighted at 100% for commitments with certain
drawdown, and 50% for other undrawn commitments with a residual maturity of
more than 1 year.
Deductions are made from capital for investments in other ADIs (e.g. shares in
Cuscal, Indue or ASL) and advances made to CUFSS, the credit union industry
liquidity support scheme.
In a speech on * September 2014 APRA chair Wayne Byres observed there was
an increasing lack of faith in internal models used for calculating risk weights,
noting that: “Unless investors have faith in the resulting risk-based capital ratios
they do not serve their full regulatory purpose. And if that is the case simpler
metrics will inevitably become more important and potentially even binding”.
In January 2015 the Basel Committee on Banking Supervision (BCBS) released
consultation papers 7 on credit risk and capital floors, which propose changes to
the risk weights for residential mortgages and bank exposures.
Currently, a flat 35% risk weight is applied to residential mortgages. The BCBS
paper expressed concern that this approach “lacks risk sensitivity” and has
proposed introducing incremental weights ranging from 25% to 100%. The risk
weight of a loan would be determined by its LVR and debt service coverage
(DSC) ratio (see table below) based on the borrower’s after-tax income.
The BCBS has also proposed moving away from credit ratings in determining risk
weights for “bank” exposures. Instead, risk weights would use a sliding scale
based on the capital adequacy and asset quality of the bank to which the
institution was exposed.
Key points from the proposal include:
•
The lowest risk weight would be 30% compared to the current 20%
•
Risk weights for customer owned ADIs could be lower than major banks,
because a CET1 ratio of 12% or more is required for the lowest risk weight.
The BCBS reforms are ultimately likely to be implemented in Australia, however it
is expected to be at least two years before any possible changes flowing from
these proposals are adopted by APRA.
7
See http://www.bis.org/bcbs/publ/d307.pdf and http://www.bis.org/bcbs/publ/d306.pdf
© Customer Owned Banking Association – January 2015
31
Making Sense of the Prudential Standards
Mortgage Risk Weighting for Capital Adequacy Calculations
Loan to Value ratio
No Lenders Mortgage
Lenders Mortgage
Insurance %
Insurance %
0-60%
35
35
60-80%
35
35
80-90%
50
35
90-100%
75
50
100%+
100
75
Please note: APRA has foreshadowed potential changes to asset risk weighting for
capital adequacy purposes but at the time of writing the detail remains to be
finalised.
APS 114: An ADI must also hold sufficient regulatory capital against operational
risk exposures. The key requirements of APS 114 are:
•
an ADI must divide its activities into three areas of business: retail banking,
commercial banking, and all other activity;
•
the total capital requirement for operational risk is the sum of the capital
requirements calculated for each of the three areas of business.
The capital requirement is based on assets and income and is calculated using a
standard formula. For retail/commercial banking, the formula is based on gross
outstanding loans and advances over the previous 6 half-yearly periods. For all
other activities, it is based on net income earned. The capital charge is the
average of those 6 observations: APS 114:18.
Note: APS 113 - Internal Ratings based Approach to Credit Risk, APS 115 Advanced Measurement Approaches to Operational Risk, APS 116 - Market Risk
and APS 117 - Interest Rate Risk in the Banking Book do not generally apply to
mutual ADIs because either: these Standards apply to ADIs using an Internal
Ratings based approach (rather than the Standardised approach); or mutual ADIs
do not have a “trading book”. However, market risk and interest rate risk must
be incorporated in an ADI’s risk management framework and the ICAAP. Market
risk is separately considered at the end of this chapter.
© Customer Owned Banking Association – January 2015
32
Making Sense of the Prudential Standards
Capital Adequacy Ratios
To calculate the capital adequacy ratio for an ADI, you divide capital by riskweighted assets.
Capital
Risk Weighted Assets
Capital – is your accumulated reserves, mainly profits, generated over the years,
plus additional sources of capital (e.g. subordinated debt and the general reserve
for credit losses), less deductions (e.g. investments in Cuscal or Indue or ASL
and loans to CUFSS).
Risk Weighted Assets – are mainly mortgages and other loans and investments
‘weighted for risk’. Risk weighted assets are calculated using the formulae set
out in APS 111 (see table on previous page) – which reduces the assets against
which you must hold capital. Risk weighted assets tend to be around half of total
assets.
The statutory minimum for total capital adequacy is 8% of risk-weighted assets.
Most banks operate around 8%. Most mutual ADIs operate well above that level:
APRA may prescribe a ‘Prudential Capital Ratio’ – and it is increasingly doing so
for mutual ADIs. From 1 January 2013, ADIs will also have to track the minimum
levels of Common Equity Tier 1, Additional Tier 1 and Tier 2 Capital.
From 1 January 2016, the introduction of capital conservation of 2.5% of riskweighted assets and counter cyclical buffers of ‘up to’ 2.5% of risk-weighted
assets will need to be factored into capital adequacy calculations.
In practice each ADI must apply the capital conservation buffer; while the
‘counter-cyclical’ buffer would only be applied at the discretion of APRA, with the
level of the buffer determined by APRA for each ADI based on deteriorating
economic conditions and prospects.
ICAAPs in Practice
An ICAAP requires a plan and policy for the calculation of appropriate levels of
capital given particular risks facing the business. Operational risk has a specific
charge but otherwise there is NO prescribed capital amount to be held for any
particular risk (e.g. credit, liquidity, interest rate). An ICAAP will itemise a capital
allocation for each risk identified (usually expressed as a percentage of capital)
as shown in Examples 1 and 2 below.
Remember: when your institution is setting an ICAAP ratio it is saying in effect:
“This is the amount of capital we believe is necessary for the business to hold to
cover us in the event of future losses, based on our strategy, our past
performance and our expectations for the market and the business.”
© Customer Owned Banking Association – January 2015
33
Making Sense of the Prudential Standards
With the advent of CPS 220, an ICAAP must be aligned with the Risk Appetite
Statement for the ADI. An ICAAP should already address the key risks itemised
in CPS 220:28 and the requirements for risk appetite and tolerances in CPS
220:30.
The New ICAAP: APS 110 and CPG 110
APRA has updated its ICAAP requirements to reflect good practice internationally
and ensure that:
•
an ICAAP includes stress testing and scenario analysis;
•
appropriate processes are implemented for reporting to the board on the
ICAAP and its outcomes;
•
an ICAAP includes a summary statement and policies to address material
risks not covered by explicit regulatory capital requirements; and
•
an ICAAP report is submitted by all ADIs to APRA annually.
Despite the breadth and minutiae of the changes, actual capital risk management
should not be materially changed by the new ICAAP. The emphasis here is on
refining the ICAAP process. Moreover, the changes generally either reflect
existing practice that mutual ADIs should already be following or formalise the
approach taken by APRA in supervising capital management in practice in recent
years.
Revised ICAAP Requirements
An ICAAP must now include or address:
•
Stress testing and scenario analysis – these must be incorporated in the
methodology
•
Reporting - to the board of the ADI and ensuring the ICAAP is incorporated in
business decisions
•
Material risks – not covered by explicit capital requirements
•
A summary statement - summarising the complete ICAAP.
Additional obligations under APS 110 include:
•
An independent ICAAP review must be conducted every 3 years by
appropriately qualified persons
•
Annual ICAAP reporting to APRA by the ADI including 3 years of capital
projections
•
Annual declaration by board and management on the ICAAP.
Boards must oversee the updating of ICAAPs, the creation of new processes and
reports and the implementation of the new ICAAP.
© Customer Owned Banking Association – January 2015
34
Making Sense of the Prudential Standards
Compliance with the new ICAAP generally and in particular the obligations
regarding stress testing and scenario analysis may stretch the technical
knowledge of some directors. Consequently enhanced training on ICAAPs may be
required.
CPG 110 Content
The ICAAP methodology is not prescribed but CPG 110 provides substantial
guidance on the approach that APRA expects ADIs to take. CPG 110 also
underlines the expectation that directors need to be more ‘hands on’ with the
ICAAP, e.g.:
•
‘the capital standards require the board to be actively engaged in the
development and finalisation of the ICAAP and the oversight of its
implementation on an on-going basis’; and
•
‘APRA expects the board to robustly challenge the assumptions and
methodologies behind the ICAAP and associated documentation’.
CPG 110 articulates that the risks covered by the ICAAP should include (as
relevant to the ADI):
•
credit risk, liquidity risk, market risk, interest rate risk in the banking book
and risks associated with securitisation; and
•
operational risk, strategic and reputational risks and contagion risks. Other
risks may be relevant for individual regulated institutions and, if so, will
ordinarily be considered in the ICAAP.
An ICAAP should set capital adequacy ‘target levels’ by taking into account (as
relevant to the ADI):
•
the risk appetite of the regulated institution;
•
regulatory capital requirements;
•
internal assessments of capital needs, including those arising from the
institution’s business plans and strategy;
•
the likely volatility of profit and the capital surplus;
•
dividend policy;
•
where relevant, ratings agency assessments; and
•
access to additional capital.
An ICAAP must also include capital management strategies to protect your capital
that should address (as relevant to the ADI):
•
raising additional external capital or capital from group sources;
•
adjustments to dividend policy and dividend reinvestments plans;
•
slowing or ceasing new business;
© Customer Owned Banking Association – January 2015
35
Making Sense of the Prudential Standards
•
in the case of insurers, entering into reinsurance arrangements;
•
sales of parts of the business;
•
asset sales;
•
changes to investment strategy;
•
changes to product pricing and/or
•
changes to business mix.
An ICAAP must also incorporate stress testing and scenario analysis tailored to
the individual regulated institution and its particular risk exposures. Scenarios will
typically cover the full range of material risks to which the institution is exposed.
A range of approaches may be useful, for example:
•
scenario analysis including: historical scenarios (such as the global financial
crisis experience, early 1990’s Australian recession, 1987 stock market event,
Japan’s 1990’s ‘lost decade’); statistically generated scenarios; and
hypothetical scenarios developed by the institution;
•
sensitivity testing;
•
stress testing based on statistical factors or historical experience;
•
reverse stress testing designed to identify a stress scenario that would cause
failure of the regulated institution;
•
longer-term scenarios (such as the impact of a prolonged low interest rate or
low investment earnings environment) and short- term scenarios (such as
market shocks and insurance events); and
•
a combination of scenarios (e.g. a series of less severe but more frequent
events): CPG 110:35.
ICAAP Risk Itemisation
A sample ICAAP methodology - for illustrative purposes only – might look like
this:
•
Credit Risk – based on an assessment of past and future bad debt using a
multiple of current specific and general provisions for bad debt (e.g. 4 times
current ratios to anticipate ‘outlier’ scenarios)
•
Operational Risk - based on the statutory formula in APS 114
•
Concentration Risk – based on a 20% reduction in property prices across the
loan portfolio
•
Large Exposures – based on a 20% reduction in property prices for large
exposures (loans)
•
Interest Rate risk – based on a 2% rate drop across the loan portfolio and the
resulting reduction in profits
© Customer Owned Banking Association – January 2015
36
Making Sense of the Prudential Standards
•
Liquidity Risk - based on losing 50% of deposits and the cost of funding new
deposits
•
Strategic Risk – a lump sum covering the estimated loss arising from failure
of strategy e.g. rebranding, investment in technology, and introduction of
new products
•
Reputation Risk – based on the estimated loss arising from failure of another
mutual ADI.
Credit Risk and the Statutory Minimum
The statutory minimum for capital is based on credit risk weighted assets.
However, it is NOT a capital charge for credit risk in itself. The capital charge
relates to all risks facing the ADI. When conducting an ICAAP, credit risk is just
one of a range of risks that must be addressed. It should be calculated on its
merits based on past delinquency performance, approvals policy (risk appetite),
membership, trading conditions and current provisioning. Concentration risk
(e.g. geographic or work place) is another element that should be taken into
account in calculating credit risk. For most mutual ADIs, delinquency remains
very low and historically write-offs are a small fraction of the general reserve for
credit losses. For instance, to provide 8% for credit risk in an ICAAP—as
institutions often do—is almost certainly a significant over-statement of the
potential for credit risk to cause losses. Consider the following examples:
© Customer Owned Banking Association – January 2015
37
Making Sense of the Prudential Standards
Example 1 – Allocating Risks on their Merits
Risk
Capital
Requirement
Pillar 1
Credit risk
4.00%
Operational Risk – APS 114 statutory formula
0.80%
Pillar 2
Large Exposures
0.20%
Concentration Risk
0.50%
Interest Rate Risk
4.00%
Liquidity Risk
1.50%
Strategic Risk
0.50%
Reputation Risk
0.50%
Capital Buffer
1.00%
Total
13.00%
Important: this example provided is for illustrative purposes only.
In Example 1, there is a specific allocation of 4% for credit risk, well below
the statutory minimum for all risks of 8%. The 4% for credit risk remains
also well above, the historical experience of bad debt for mutual ADIs. In
reality the General Reserve for Credit Losses is invariably lower than this and
set at around 0.5% to 1.0% of assets. This approach opens up greater
flexibility for the allocation of capital and a more realistic assessment of each
risk. So, in Example 1, interest rate risk is set at 4% of capital.
© Customer Owned Banking Association – January 2015
38
Making Sense of the Prudential Standards
Example 2 – The Statutory Minimum Approach
Risk
Capital
Requirement
Pillar 1
Credit Risk and Operational Risk (0.80%)
8.00%
Pillar 2
Large Exposures
0.25%
Concentration Risk
0.75%
Interest Rate in the Banking Book Risk
0.50%
Liquidity Risk
1.50%
Strategic Risk
0.50%
Contagion and Reputation Risk
0.25%
Regulatory Risk
0.25%
Capital Buffer
1.00%
Total
13.00%
Important: this example provided is for illustrative purposes only.
By contrast, the emphasis on credit risk in Example 2 can distort the
approach to other risks. As one CEO said: ‘I provide 0.50% (of capital) for
interest rate risk (around $50,000), when $500,000 has been more like it
over 2008-9’. The argument underlying this comment is shown in the impact
of interest rate movements on mutual ADI profitability when compared with
the impact of delinquency. For instance, during the 2009 Global Financial
Crisis period, it was the erosion of margins by the rapid fall of interest rates,
rather than bad debt, which impacted profits in the mutual ADI sector.
To be clear, there is no breach of APS 110 in allocating 8% of capital for
credit risk. However, if your institution allocates 8% because it believes it is
taking a conservative approach then, at the very least, that policy position
should be stated in your ICAAP. Yet allocating 8% for credit risk arguably
implies a misunderstanding of the nature of credit risk and an understatement
of the importance of other risks. This is an issue you may wish to discuss
with APRA.
Clarifying Other Risk Categories
Regulatory risk is often included as a separate line item in an ICAAP (see
Example 2). Although this is permitted by APS 110, regulatory risk, strictly
© Customer Owned Banking Association – January 2015
39
Making Sense of the Prudential Standards
speaking, it is part of operational risk as defined in APS 114 (which includes
legal risks).
Large exposures and concentration risks should also be understood, not as
types of risk in themselves, but sub-categories of Credit Risk or Liquidity Risk.
Further, it is also arguable that large exposures are simply a form of
concentration risk and could be included in an ICAAP under Concentration
Risk.
Rationalising ICAAPs - an institution might start with a pre-determined
ICAAP ratio (e.g. 12% or 13%) that is perceived to satisfy the expectations of
APRA. In calculating capital requirements, the institution might then “work
backwards” from the pre-determined ratio. But is this the right way to do an
ICAAP? While a pragmatic approach can be useful, over time it may be more
effective in managing capital to drill down into assessing individual risk types
to make your ICAAP a more sophisticated and responsive risk management
tool. In the long run, that approach may deliver better business results –
and meet APRA’s expectations.
Capital Adequacy Numbers - Percentages or Amounts?
Percentages can be misleading when measuring capital – for all mutual ADIs,
and particularly smaller ones, the total amount can be modest even if the
percentage is high. The amount of capital on hand is the key rather than the
percentage: how much money do you have to meet potential losses? It can
be useful to calculate the dollar value of capital allocations including the value
of 1% of ‘risk weighted capital’ to help inform decision making.
Have you calculated what 1% of capital is worth? Compare your
organisation’s position with the sample below.
ICAAP Sample Data
Assets
$126m
Risk Weighted Assets
$60m
Capital
$15m
Capital Adequacy Ratio [CAR]
25%
$ Value of each 1% of Prudential Capital (based on 25% CAR)
c.$600k
Important: this example provided is for illustrative purposes only.
In the example above, a capital adequacy ratio of 25% sounds high but
amounts in dollar terms to only $15m. Moreover, understanding that 1% of
capital is $600,000 makes the ICAAP more meaningful – dollar figures are
more useful than percentages when allocating risk capital.
© Customer Owned Banking Association – January 2015
40
Making Sense of the Prudential Standards
In the table below, the dollar value of capital is provided for each risk listed in
the ICAAP based on a value of $600,000 for each 1% of capital.
ICAAP Capital Allocations
Capital
Dollar Value ($)
Requirement
Credit risk
4.00%
2,400,000
Operational Risk – APS 114 statutory
0.80%
480,000
Large Exposures
0.20%
120,000
Concentration Risk
0.50%
300,000
Interest Rate Risk
4.00%
2,400,000
Liquidity Risk
1.50%
900,000
Strategic Risk
0.50%
300,000
Reputation Risk
0.50%
300,000
Capital Buffer
1.00%
600,000
Total
13.00%
7,800,000
formula
Important: this example provided is for illustrative purposes only.
Capital Management - Policy Trigger Points
Mutual ADIs typically use trigger points to warn the board and management of
potential pressures on capital. This is a kind of early warning system. Although
the standard says 8% and the ICAAP might say 12%, the policy will say that
there is a ‘trigger point’ or series of trigger points. Trigger points will vary
depending on strategy, risk profile and risk appetite. Note that these trigger
points will help you address your new obligation to set a capital conservation
buffer which is reality will operate just like a trigger point. By contrast, a
counter-cyclical buffer will only be introduced if circumstances require and you
are directed by APRA to introduce an additional buffer to capital management.
Trigger points are designed to inform action. Capital management plans will
identify a range of actions including sale of loans to a securitisation program, or
the issuing of subordinated debt, to raise capital in the event of pressure on
capital.
The test is whether the mutual ADI has the time to implement these actions. In
short, the stated policy of an ADI is only as good as its ability to be implemented.
© Customer Owned Banking Association – January 2015
41
Making Sense of the Prudential Standards
An example is provided in the following table.
Trigger
Range
Policy Rule
Strategic Target
17% - 20%
The board aims to maintain capital in this range
in the short, medium and longer term. Capital
expenditure plans will operate within this range.
Early Warning
15% - 17%
Trigger
The board will consider capital raising and
budget adjustments options once capital goes
below 18%.
Crisis Trigger/
Below 15%
The board will implement appropriate capital
Capital
raising or budget adjustments options once
Conservation
capital goes below 15%.
Buffer
Prescribed Capital
12%
Ratio
APRA have mandated that this amount of capital
must be held by the mutual institution to absorb
potential losses.
ICAAP Ratio
10%
The board and management estimate that this
amount of capital should be sufficient to absorb
potential losses.
Statutory Minimum
8%
The board and management acknowledge this
statutory minimum but note that the ICAAP ratio
is the real policy ‘floor’ for practical purposes.
Discussion of Policy Trigger points
Directors and managers should “reality test” their policies to ensure that all
courses of action are practical.
For example, if your policy says that your institution will sell loans to a
securitisation program to reduce the loan portfolio and pressure on capital, is
there an arrangement in place with a securitisation program to do this? If so,
what is the turnaround time to make it happen? Can you respond quickly enough
to satisfy the business need for capital?
To take another example, if the capital management policy says that
subordinated debt will be issued to raise extra capital and support continued loan
growth, are the documentation and investors in place to do this? Again, what is
the turnaround time to make it happen? Can you respond quickly enough to
satisfy the business need for capital?
© Customer Owned Banking Association – January 2015
42
Making Sense of the Prudential Standards
Positive Capital Management and Planning
Capital is not just about covering potential losses but also developing the
business. By focusing on capital adequacy, the efficient and effective use of
capital can be overlooked. In addition to the ‘negative’ trigger points, an ICAAP
can be enhanced by adding a strategic target which provides both additional
comfort to directors, management and members but also contemplates longer
term capital expenditure including e.g. in computer system development or
branch network expansion. Some ADIs place an upper limit on capital to
acknowledge that profitability is vital but should be subordinated to meeting
member needs. Balancing capital adequacy, profitability and efficient use of
capital is a critical dimension of running a contemporary mutual ADI.
Remember: rapid growth can quickly erode limited capital. Before committing to
growth strategies, directors must be aware of the impact on capital adequacy.
Alternative sources of capital include preference shares, subordinated debt and
member investment shares, all of which have been issued in recent years by
Australian credit unions. In future, eligible ‘common equity’ capital will also
include certain new instruments approved by APRA (see amended APS 110/111).
All forms of additional capital attract a cost, because a return must be paid to the
investor. Directors should be aware that capital-servicing costs can be
significant. By contrast, no returns are paid on member’s equity in a mutual ADI.
Other Capital Issues - Market Risk
Market risk is the exposure to fluctuations in the prices of assets (primarily loans
but also investments and fixed assets) and liabilities (mainly deposits). APS 113
only applies to trading book activity (e.g. investments in bonds, securities,
currency or commodities) – and generally, mutuals do not have a trading book.
That said, many ADIs will be required by APRA to have a formal policy
incorporating interest rate risk as part of their overall risk management
framework. At the very least, your ICAAP must address interest rate risk in its
allocation of capital (and the CPG 110 recognises interest rate risk as separate
from market risk).
That market risk remains relevant to prudent management is shown by recent
experience of interest rate volatility. Many ADIs experienced significant impacts
to profitability as a result of the rapid decline in interest rates in 2009. More
commonly, interest rate risk arises from the day to day positioning of products in
a competitive marketplace.
The main indicator of interest rate risk is the interest margin: that is, the
difference between the average interest rate on income generating assets (loans
and investments) and the average interest rate on liabilities (i.e., deposits).
Protecting the interest margin of an ADI is a key task – and duty – for any
contemporary board or management team.
© Customer Owned Banking Association – January 2015
43
Making Sense of the Prudential Standards
A rising interest rate market tends to increase the interest margin, while a falling
rate market tends to reduce the interest margin. This is because nearly all loans
are variable rate and most deposits are fixed rate. As a result, changes to loan
rates can almost immediately be passed on to borrowers, but the change in
deposit rates must be delayed until the deposits mature. The impact on interest
margin is then primarily caused by the time lag between changes to loan and
deposit rates.
Competitive risk is a separate type of market risk, and it applies in either rising
or falling rate markets. All ADIs are exposed to the risk that competitors may
offer better rates on either loans or deposits. Positioning your products against
competitors is another key task for managers and directors.
Your market risk policy should address strategies for managing interest rate risk
including gap analysis, pricing strategies, product mix and derivatives hedging:
•
Gap analysis – this management tool helps you understand the maturity
mismatches within a savings and loans portfolio. Deposits ‘mature’ more
quickly than loans and the longer it takes for them to ‘reprice’, the more
exposed you are to interest rate risk (positive and negative). In a falling
market, you can get stuck paying interest on deposits at higher than market
rates. Gap analysis can then be used to inform your policy and pricing
response to market risk. Value at Risk and Net Present Value of a Base Point
are other metrics that can be used to measure anticipated losses arising from
interest rate fluctuations.
•
Pricing - if you are not pricing products in a way that is relevant to your
market, your interest margin will suffer either way. Interest margins are
generally constrained for mutual ADIs across the sector by a high
concentration of mortgage loans (i.e. 80%+ of all loans). Managing
competitive risk is about balancing interest margin and loan volume.
•
Product Mix – products can be modified to manage interest rate risk. For
example, adjusting your deposit offerings can reduce market risk by
minimising longer term deposits at the top of the interest rate cycle. Fixed
rate loans can be used to manage interest rate risk by locking in borrowers at
higher rates in a falling market, or as a customer retention strategy in a rising
market. The high proportion of savings accounts exposes mutual ADIs to
market risk. On the other hand, a combination of loyalty and inertia has
allowed most mutual institutions to retain a large proportion of liabilities.
Term deposits also have an average term much shorter than the average
(real) term of mortgage loans.
•
Hedging – at its simplest, a derivative can involve a ‘swap’ contract where an
ADI swaps a variable interest rate stream for a fixed interest rate stream, for
a premium or fee. Derivatives have received negative press in recent times
but basic derivatives should be understood by contemporary directors and
managers. Derivatives are used by some mutual institutions – as their
balance sheets disclose. However, derivatives involve market risk exposures;
© Customer Owned Banking Association – January 2015
44
Making Sense of the Prudential Standards
and need careful attention in accounting treatment. Expert advice should be
obtained before using derivatives to manage market risk.
Link to ICAAP
Your ICAAP must address market risk by allocating capital for interest rate risk
(this has been discussed above). As an example, market risk impacts can be
quantified based on a decrease in interest rates to determine whether the ADI
can sustain such an impact (for example, a 2% decline in interest rate).
Other Capital Issues - Securitisation – APS 120
An ADI must provide additional capital for a securitisation unless it can
demonstrate that credit risk is transferred to a third party within the
securitisation program.
APS 120 requires all ADIs to conduct a self-assessment on each securitisation
and to develop a risk based policy for securitisation generally. An ADI must not
provide implicit support to a securitisation and can only provide services to a
securitisation on an “arms length” basis. Loans can be securitised either by bulk
sale or on a drip feed (piecemeal) basis. In short, if a securitisation involves a
mutual ADI providing loans off-balance sheet effectively as an introducer to the
securitisation program, then no capital needs to be provided.
Questions for directors and managers to consider
What are the capital needs of the business strategy of your organisation?
Is your organisation’s profitability sufficient to meet the need for capital created
by the business strategy?
Do you understand your organisation’s ICAAP?
Do you understand the impact of the new Conservation and Counter Cyclical
capital adequacy buffers?
Is capital properly allocated for each risk (e.g. credit, interest rate, liquidity,
operational etc)?
Are your organisation’s policy triggers clear and achievable in practice?
Does your organisation have timely access to alternative sources of capital
(including ‘common equity’ in future)? What are they?
Does your organisation have an active capital management plan?
Does your organisation use its capital efficiently in the interests of members?
© Customer Owned Banking Association – January 2015
45
Making Sense of the Prudential Standards
Do you understand the risks to capital of growing too quickly?
Is your ICAAP report aligned with / consolidated with your APS 310 report?
© Customer Owned Banking Association – January 2015
46
Making Sense of the Prudential Standards
7. Liquidity
Understanding and managing liquidity risk, the strategic funding requirements of the
business, meeting liquidity and cashflow needs.
The risk of a liquidity problem is intertwined with all of the other risks faced by [an
ADI]. For this reason, liquidity risk is often referred to as a consequential risk. In
many cases, it is not poor liquidity management per se that causes an ADI to
experience difficulties in meeting its cash flow obligations. Instead, it may be
problems in some other area, such as in its credit or trading portfolio, or simply its
reputation as a counterparty, which generates liquidity stress. The potential for such
stress is, of course, inherent in the maturity transformation function that ADIs
perform − the process of transforming short dated or at call borrowings into longer
dated assets or loans.4
APS 210 - Objective and Key Requirements
APS 210 requires an ADI to manage liquidity risk by maintaining:
•
•
•
a robust liquidity risk management framework to measure, monitor and manage
liquidity risk commensurate with the nature, scale and complexity of the
institution;
a portfolio of high-quality liquid assets (HQLA) sufficient to enable the ADI to deal
with severe liquidity stress; and
a robust funding structure appropriate for its size, business mix and complexity:
APS 210:8-11.
The updated APS 210 places new emphasis on an overall risk management
framework for liquidity and reinforces the oversight role of the board and outlines
good practice requirements for senior management. In practice, an ADI will continue
to agree its liquidity risk management framework and strategy with APRA.
Agreement is usually reached during the inspection process or other consultation.
The risk management framework must include:
•
a statement of liquidity risk tolerance, as approved by the board
•
liquidity management strategy and policy approved by the board
•
operating standards for managing liquidity risk;
•
the funding strategy, approved by the board; and
•
a contingency funding plan: APS 210:13.
APRA provides guidance on risk appetite and tolerance in APG 210:
•
Risk appetite is an articulation of the nature and level of risk that is acceptable
in the context of achieving an ADI’s strategic objectives. Not all aspects of risk
appetite are quantifiable. Risk tolerance is a quantitative articulation of the
© Customer Owned Banking Association – January 2015
47
Making Sense of the Prudential Standards
maximum level of acceptable risk after taking into account appropriate mitigants
and controls to reduce the risk (APG 210:4).
•
Liquidity risk tolerance would generally be expressed using measurable limits
that will enable a clear and transparent monitoring process to ensure that the
ADI remains within these risk tolerances. Good practice is that risk tolerances are
set for risks including:
a) quality and diversification of liquid asset portfolios, e.g. by instrument and
counterparty;
b) liability diversification, e.g. by market, product, counterparty and
maturity;
c) reliance on funding sourced from offshore markets;
d) the overall level of maturity mismatch;
e) the management of liquidity risk across borders and legal entities;
f) currency mismatch, including cashflow mismatches arising from the use of
derivatives associated with funding sourced from offshore markets; and
g) contingent liquidity exposures ((APG 210:7-8).
The ADI board must also ensure that senior managers and other staff have
necessary experience to manage liquidity risk; ensure that liquidity risk management
practices are documented and reviewed annually; and review regular reports on
liquidity including new or emerging risks: APS 210:14-15.
Senior management is responsible for:
•
developing liquidity risk management strategy, policies and processes in line
with the board approved liquidity risk tolerance;
•
ensuring sufficient liquidity is maintained at all times;
•
determining the structure, responsibilities and controls for managing and
monitoring liquidity risk;
•
ensuring adequate controls are in place to ensure the integrity of liquidity
management processes;
•
ensuring stress tests, contingency funding and HQLA holdings are effective and
appropriate;
•
establishing reporting criteria and processes including exception reports and
escalations;
•
monitoring current trends, market developments and internal information on
liquidity risk: APS 210:16.
APRA’s guidance for appropriate operating standards for liquidity risk management
are set out in APG 210 which replaces the old AGN 210 series (see APG 210:9-24).
© Customer Owned Banking Association – January 2015
48
Making Sense of the Prudential Standards
ADIs now have a formal obligation to maintain an annual funding strategy,
consistent with the overall liquidity risk management strategy, as approved by the
board, which must be provided to APRA on request and regularly reviewed. An ADI
must maintain a presence in its chosen fund markets and strong relationships with
funds providers, and regularly gauge its capacity to practically and effectively raise
funds quickly in the event of a funding crisis: APS 210:41-43.
APRA expects an ADI to have in place a range of customised liquidity measurement
tools which cover vulnerabilities across normal and stressed conditions over a range
of time-horizons. (APG 210:35-39).
APRA provides an indicative list of early-warning indicators of emerging liquidity risk
which an ADI’s measurement tools would use to assess any negative trends including
rising delinquencies, credit rating downgrades, rising wholesale or retail funding
costs and negative publicity (APG 210:39).
Currently, all COBA members remain Minimum Liquidity Holding (‘MLH’) entities that
are required to maintain a minimum holding of 9% of its liabilities in specified HQLA
at all times: APS 210: Attachment C:1. Some (larger) ADIs have been classified as
Liquidity Coverage Ratio (LCR ADIs) who will need to maintain sufficient HQLA to
cover 30 calendar days under a severe stress scenario and to conduct scenario
analysis alongside a robust stress-testing regime.
For all ADIs HQLA includes:
•
notes and coin and settlement funds;
•
Commonwealth Government and semi-government securities;
•
debt securities guaranteed by the Australian Government, or foreign sovereign
governments;
•
debt securities issued by supranationals and foreign governments;
•
bank bills, certificates of deposits (CDs) and debt securities issued by ADIs;
•
deposits (at call and any other deposits readily convertible into cash within two
business days) held with other ADIs net of placements by other ADIs; and any
other securities approved by APRA (APS 210:Attachment C:3. For an MLH ADI keeping deposits with another ADI to qualify those deposits as MLH
assets, the ADI depositor must have an unequivocal and documented contractual
right to break that deposit on demand. Any deposit placements included by an ADI
as an MLH asset must be calculated net of deposits received from other ADIs (APG
210:136).
Under APS 210, MLH ADIs need to conduct ‘going concern’ scenario testing: APS
210:54. As early as March 2011 APRA staff informed COBA that stress testing
would be the ‘way of the future’ and increasingly will be expected to be
demonstrated by all entities, large and small (although the degree of sophistication
required will depend on the size and complexity of the entity). Liquidity crisis
management was specifically identified in this context.
© Customer Owned Banking Association – January 2015
49
Making Sense of the Prudential Standards
An MLH ADI must inform APRA immediately of any concerns it has about its current
or future liquidity, as well as its remedial plans: APS 210: Attachment C:8.
APS 221 also applies to liquidity to minimise concentration risk in HQLA investments.
APRA approval is required for any aggregate exposure to:
•
An unrelated ADI in excess of 50% of the capital base; or
•
Any external party in excess of 25% of the capital base: APS 221:15/19.
In practice, smaller mutual institutions have long benefited from exemptions for
large exposures to affiliated ADIs. However from 1 April 2015 all ADIs will be
required to demonstrate capacity to produce daily liquidity reports on demand. APRA
has taken the view that all prudent ADIs would generate and monitor this dta as part
of their existing liquidity risk management process 8
Liquidity in Practice
Liquidity is primarily held by ADIs in non-loan interest bearing assets (e.g. ADI
deposits, certificates of deposit and cash). The HQLA ratio is calculated by dividing
HQLA assets by total on balance sheet liabilities. (NB: Liabilities are mainly deposits
– not assets. Assets are mainly loans).
HQLA Assets
Total Liabilities
Liquidity averages in the mutual banking sector tend to be high, particularly for
smaller institutions (20 - 25% or more of total assets for some smaller mutual ADIs.
Liquidity risk tends to arise because deposits and other liabilities are more readily
liquidated than assets (mainly loans). Cash flow analysis is used to track anticipated
inflows and outflows of cash. Gap analysis – as used in estimating interest rate risk
(see Chapter 6) – is also employed in liquidity management.
An ADIs liquidity funding plan, including clear management responsibilities, controls
and reporting obligations, must include:
•
maturity mismatch limits to avoid excessive imbalances between shorter term
deposits and longer term loans;
•
liquid holding parameters including trigger points to ensure the ADI can handle
liquidity fluctuations in normal and adverse trading conditions;
•
diversification parameters to avoid concentration risk (dependence or overexposure) to individual counterparties (e.g. Cuscal or Indue or ASL or any one
ADI)
•
assessment of rollover risks including changes to market conditions and
creditworthiness of counterparties;
8
See letter from APRA to all ADIs dated 7 November, 2104 :
http://www.apra.gov.au/adi/Documents/141104-letter-to-ADIs-Liquidity-risk-recent-consultations-2.pdf
© Customer Owned Banking Association – January 2015
50
Making Sense of the Prudential Standards
•
wholesale funding plans including normal corporate lending policies and standby
facilities for both normal and adverse trading conditions;
•
asset use policies to address the potential sale or securitisation of assets to
boost liquidity; and
•
industry support arrangements to deal with a liquidity crisis.
Liquidity is managed on a daily basis to ensure funds are within policy ratios.
Liquidity is typically held in a CUSCAL, Indue or ASL S1 account and 11AM account
up to policy limits. The balance is then held in fixed term deposits or negotiated
certificates of deposit with ADIs. Investment policy should prescribe limits for
individual exposures, including APRA approvals for large exposures.
Cashflow is typically forecast monthly using a 3 month forecast period analysing all
anticipated cash inflows and outflows. The analysis should take into account
historical experience and knowledge of member behaviour (in relation to both
deposits and loans), product features (e.g. fixed rate loans and competitively priced
term deposits) and market conditions (e.g. loan demand).
Scenario analysis must be conducted as required on an “on-going concern” basis and
as agreed with APRA on a “name crisis” basis – to ensure the capacity of the ADI to
withstand a liquidity crisis (APS 210:54).
Liquidity policy should outline clear procedures for reporting and managing low
liquidity and high liquidity. Targets and triggers will be set to inform liquidity
management as set out in the sample below.
Note: APRA’s request to ADIs in November 2010 to conduct a self-assessment
against the Basel Committee ‘Sound Principles’ does not apply to ‘locally
incorporated ADIs that are subject to MLH requirements under APS 210’.
Nonetheless, APRA encourages ADIs to apply the Sound Principles to liquidity risk
management ‘as appropriate’.
Liquidity Policy
Range
Policy Rule
15 - 20%
The board aims to maintain liquidity in this range in
Triggers
Strategic Target
the short, medium and longer term.
(preferred risk
tolerance)
Liquidity
provides a buffer to meet short term calls on funds
but should not be wasteful.
Early Warning
15%
Trigger
The board will consider liquidity raising options at or
under this level beginning with adjustments to
interest rates on deposits (and loans).
Crisis Trigger
Below 11%
The board will access additional or emergency
liquidity to keep HQLA above 11%.
APRA must be consulted if there is a risk that HQLA
will fall below 9% [Note: this assumes APRA has not
© Customer Owned Banking Association – January 2015
51
Making Sense of the Prudential Standards
imposed a higher standard for HQLA]
Statutory
9%
HQLA must be at least 9% of total liabilities.
Minimum
[The sample provided is for illustrative purposes only]
Best Practices in Liquidity Management
High levels of liquidity can be maintained as hedge against market volatility.
The threats to liquidity posed by the 2009 Global Financial Crisis were largely
managed by the introduction of the Government Guarantee of Large Deposits and
Wholesale Funding Liabilities. While the Government Guarantee of Large Deposits
has now been withdrawn (effective 24 March 2010), the associated Financial Claims
Scheme for deposits—which gives deposit holders certainty in respect of their
deposits up to, currently, $1 million—remains in place. This latter support is to be
made permanent. However, it is expected that the ceiling up to which deposits will
attract government support in the future will be greatly reduced, with an
announcement on a new ceiling expected shortly.
Whatever the final outcome of that process, however, having and regularly reviewing
your retention strategies, particularly for large depositors, remains a critical task for
boards and management.
Investments in other ADIs including inter-credit union and inter-building society
investments must not be double counted, with only the net position used when
calculating liquidity ratios.
Sources of additional or emergency liquidity should be clearly identified by board and
management and supported by enforceable agreements where possible, including
standby facilities e.g. from Cuscal, Indue or ASL, Bridges, CUFSS.
Maintaining liquidity can be expensive - attracting short term funds to respond to
liquidity shortfalls can dent profits. Longer term, many mutual ADIs are looking for
sources of wholesale funding to minimise this exposure.
Link to ICAAP
There is no prescribed method for allocating capital for liquidity risk. A common
approach is to base the calculation on the cost of replacing liquidity. For example, if
a given percentage e.g. 25% or 50% of deposits were withdrawn or redeemed, the
loss would be the additional cost of ‘buying in’ wholesale funds. The calculation can
be made using the rate quoted by the provider of your stand-by facility or line of
credit.
© Customer Owned Banking Association – January 2015
52
Making Sense of the Prudential Standards
Questions for directors and managers to consider
Do you understand your organisation’s liquidity risk management framework
including risk appetite and risk tolerance, strategy, policy and operating
standards?
Do you have plans in place to address the impacts of the updated APS 210 and
APG 210?
Is reporting of liquidity (including cashflow analysis) in your organization
disciplined and effective and conducted by appropriately qualified and
experienced staff?
Are standby facilities available for short term liquidity crises?
Is cashflow and scenario analysis properly and regularly conducted to stress
test the portfolio?
Do you have a long-range strategic funding plan that includes trend analysis
and early-warning indicators of changes to liquidity risk?
© Customer Owned Banking Association – January 2015
53
Making Sense of the Prudential Standards
8. Credit Risk
Responsible lending – writing good loans and managing bad debt
Next, let me turn to the asset quality of credit unions and building societies,
another source of strength. That strength has derived from sticking to the
principles of Credit Assessment 101 — knowing well your customer and their
capacity to service debt, maintaining conservative lending standards and
concentrating on lending markets in which you have honed your skills. Housing
lending now comprises around 85 per cent of your lending activities and it has
proven a good place to be. 9
APS 220 Credit Quality
ADIs are required to control credit risk by adopting prudent credit risk
management policies and procedures. These policies and procedures must
address the recognition, measurement and reporting of, and provisioning for,
impaired facilities. The key requirements of APS 220 are that an ADI must:
•
have an effective credit risk management system that is appropriate to its
needs;
•
regularly review its credit risk management systems, taking account of
changing operating circumstances, activities and risks;
•
have a robust system for the prompt identification, monitoring, and accurate
and complete measurement of its credit risk. This includes recognition and
reporting of impaired facilities and estimated future losses on the credit
portfolio; and
•
maintain provisions and reserves adequate to absorb existing and estimated
future credit losses in its business, given the facts and circumstances
applicable at the time. This includes maintaining a prudent level of a General
Reserve for Credit Losses.
The credit risk reporting system must include timely and accurate information on:
9
•
past due facilities (i.e. 90 days past due)
•
facilities that are impaired
•
fair value of security held against impaired assets
•
status of other sources or cash flows
•
estimated future losses reflecting inherent credit risk
Mutuals after turbulent times – John Laker, COBA Convention, Gold Coast, 9 November 2009
© Customer Owned Banking Association – January 2015
54
Making Sense of the Prudential Standards
•
value of specific provisions and General Reserve for Credit Losses for capital
purposes: APS 220:18.
APS 220 requires “regular reviews” of credit risk policy elements. Your board and
management must ensure the frequency of reviews is adequate given the risks
associated with your institution’s operations.
An ADI must maintain specific provisions and a General Reserve for Credit Losses
that, together, are adequate at all times to absorb credit losses given the facts
and circumstances applicable at the time of assessment: APS 220:37.
Specific provisions and the General Reserve for Credit Losses must account for all
significant factors as at the evaluation date that affect, as relevant, the
collectability of the credit portfolio and estimated future credit losses. The levels
of specific provisions and the General Reserve for Credit Losses must be reviewed
regularly to ensure they are consistent with identified and estimated losses: APS
220:40.
APS 221 Large Exposures
Good practice requires a comprehensive risk assessment of counterparty default
before committing to any large exposure including both loans and investments 10.
ADIs must implement proper measures and prudent limits to monitor and control
their large exposures. APS 221 deals with a form of concentration risk. ‘A large
exposure is an exposure to a counterparty or a group of related counterparties
which is greater than or equal to 10% of an ADI’s capital base’: APS 221:12.
Safeguarding against risk concentrations to particular counterparties, industries,
countries and asset classes must form an essential component of ADIs risk
management strategies. An ADI must consult with APRA before committing to a
large exposure in excess of 10% (unless a government or ADI). APRA approval
is required for any aggregate exposure to:
•
An unrelated ADI in excess of 50% of the capital base; or
•
Any external party in excess of 25% of the capital base: APS 221:15/19.
An ADI must inform APRA immediately if there are any concerns that the large
exposures or your risk concentrations have the potential to materially impact on
your capital adequacy. An ADI must also immediately report to APRA any breach
of the limits set by the standard: APS 221:20/21.
Credit Risk in Practice
Credit is the core business of a mutual ADI. The overwhelming majority of
mutual ADI assets are held in credit provided to members - primarily mortgages,
which account for over 80% of mutual sector credit, and other loans (87% for
credit unions and 90% for building societies: APRA Statistics June 2012). Credit
risk is therefore probably the most important risk facing any mutual ADI.
10
APRA staff have expressed the view (March 2011) that large exposures are often entered into by ADIs
for commercial reasons, with associated risks being an “afterthought”. A “stress testing mindset” needs to
be brought to bear when approving and managing large exposures.
© Customer Owned Banking Association – January 2015
55
Making Sense of the Prudential Standards
Lending is also now a highly regulated and technical area. Contracts and lending
processes need legal advice and sign-off, supported by extensive staff training.
Credit risk is best managed by ensuring good loan quality through clear, effective
and appropriate credit policies, collections and provisioning. Delinquency and
bad debt are historically very low for mutual ADIs. Although this is a great
achievement, it suggests that the ratios can only go one way – up! As a result,
this area receives constant attention from APRA and auditors to ensure that high
standards are maintained for credit quality, collections and provisioning.
Credit policies can be heavy on detail but all good lending follows these basic
principles:
•
Repayment capacity – can the applicant demonstrate sufficient income to
repay the loan (and other commitments) even if rates rise—and still have
more than enough to live on?
•
Adequate security – if the loan requires security, what is it really worth if it
needs to be sold?
•
Exceptions – are the processes and policy rules for delegations and approving
exceptions crystal clear and followed in practice?
•
Collections – are repayments pursued proactively, respectfully and
systematically?
•
Bad Debts – are adequate provisions and prompt writes-off made to reflect
the true state of the loan book?
Best Practices in Credit Risk
It is often said that lending used to be based on the “3 Cs” of character, collateral
and capacity. Collateral in the form of security and character in the shape of
credit history remain central to credit risk management. However, new laws on
responsible lending and prudential regulation, have reinforced the importance of
capacity – the repayment capacity of the borrower.
Credit risk management can be enhanced by clear policies and procedures for
debt servicing ratios, hurdle rates and disposable income rules. Benchmarking of
these limits and ratios could be useful for mutual ADIs.
•
DSR - Debt servicing ratios
Debt Servicing Ratios [DSRs] compare an applicant’s income and expenses. The
DSR equals total expenses divided by total income. The exact calculation
depends on what is counted as an expense and what is counted as income.
There are no formal rules as to what gets counted and excluded, but the
underlying principle should be that all income must be consistent and provable
(i.e. supported by evidence). The calculation can be based on net or gross
income. Net income is probably the preferred measure because that reflects the
amount of money the applicant has ‘in the hand’ after tax.
•
Hurdle rates – what premium do you add for loan assessment?
© Customer Owned Banking Association – January 2015
56
Making Sense of the Prudential Standards
A hurdle rate is a premium added to the actual rate applicable to a loan to make
sure that the applicant can absorb future rate rises. So, if a loan is written at
7.5%, say, the repayment capacity of the applicant is tested at a higher rate e.g.
9.5%. The height of the hurdle is for the lender to decide. For example, it might
be 1, 2 or 3% depending on the risk appetite and view of the market (likelihood
of interest rate rises) taken by the lender. Practices appear to vary among
mutual ADIs with examples reported of1%, 2%, 2.5% and 3%. One mutual ADI
over the past year reported that it assessed most loans at 10%, when rates were
around 6%. Whatever “number” is used, the objective of using hurdle rates is to
maintain credit quality by testing repayment capacity. This objective needs to be
front-of-mind when setting the appropriate hurdle rate.
•
Disposable incomes
After applying the Debt Servicing Rate and a hurdle rate, you need to be sure an
applicant (and their family if applicable) has sufficient funds to live on. Many
mutual ADIs use benchmark data from the Henderson poverty index or a lenders
mortgage insurer’s tables. The objective here is to ensure that the member’s
interests are looked after – obviously a mutual ADI should be seeking to alleviate
rather than cause financial distress.
•
New guidelines for residential mortgages
APG 223 now sets out APRA’s expectations for prudent lending practices in
residential mortgage lending, including the need to address credit risk within the
ADI’s risk management framework, sound loan origination criteria, appropriate
security valuation practices, the management of hardship loans and a robust
stress-testing framework. The guidelines encouragement alignment of mortgage
lending with overall business strategy and risk management and broadly reflect
long established good practice in lending processes and underwriting.
Process consistency
Lending always generates exceptions. Clear rules can promote consistent and
transparent decision-making and ensure that lending decisions are understood –
by board, management, staff and members.
All lending decisions should clearly indicate why a loan has been approved or
declined and refer to the board approved credit policies and procedures.
Exceptions to policies and procedures need to be clear identified and referred to
the appropriate decision making body – whether a senior manager or the board
or committee.
Internal audit must closely monitor credit quality, conducting regular random
checks of lending decisions and all exceptions to policy or procedure. The audit
committee should review credit quality at each meeting, and the board should
receive a report for each meeting, on lending approvals, decline rates, all
exceptions, large exposures, trends in lending and any other irregular issues.
© Customer Owned Banking Association – January 2015
57
Making Sense of the Prudential Standards
Fair value of securities
Mutual ADIs should not be complacent about securities – property values can go
down as well as up. Credit risk management should include regular stress testing
of the loan portfolio to take account of movements in the property market (see
also ICAAP stress testing for concentration risk, Chapter 6). Also, LVRs are often
not as high as we assume them to be when the loan is written. If a security has
to be sold to cover a debt, then enforcement costs will also usually erode the
value of the security.
Collections
Good collection is about good communication. Maintaining contact and
communicating regularly and effectively – but respectfully are the keys to
success. Collections is also a heavily regulated area with prescriptive laws
applicable to customer contact, enforcement of debts generally and the
repossession of securities including properties. Clear policies and procedures
with effective reporting on performance and exceptions are critical to success.
Delinquency
Delinquency is measured by tracking loans that are 30 days in arrears – i.e. 30
days past the last due date for repayment. The delinquency ratio equals the total
outstanding balances of loans in arrears divided by the total loan portfolio. The
ratio is used to monitor trends in credit risk and provide ‘early warning signals’
for bad debt.
Provisioning – allowing for Bad Debt
Even if delinquency and write offs are low, bad debt still occurs and needs to be
provided for.
The General Reserve for Credit Losses must be determined to provide for
potential future losses (bad debt/write offs) based on:
•
historical experience;
•
current impaired assets;
•
market conditions (e.g. employment levels, interest rates, property values);
•
changes in the portfolio (e.g. concentration of mortgages, personal lending;
•
commercial lending);
•
changes to lending policies; and
•
changes to valuation of securities.
There is no formula for the General Reserve for Credit Losses and each ADI must
arrive at its own calculation. Current practices suggest that bad debt
provisioning reserves tend to range from 0.5% to 1% of risk weighted assets.
This reserve provision should be taken into account when calculating the
appropriate ICAAP allocation for credit risk.
© Customer Owned Banking Association – January 2015
58
Making Sense of the Prudential Standards
Benchmarking the reserve provisioning against the provisioning of other
comparable mutual ADIs is also a prudent step. Useful measures of the
adequacy of the Reserve can be based on risk weight assets or capital. The
Reserve must not be used as a substitute for good credit policies, adequate
provisioning or appropriate bad debt write-offs. The General Reserve for Credit
Losses can now be found for each ADI in its APS 330 - Public Disclosure of
Prudential Information.
A Specific Provision must also be made for loans that are delinquent or impaired,
according to APS 220. Provisions must be higher for riskier loans. Another
common good practice is to make additional provision where it is known that a
loan is impaired (i.e. that repayments are doubtful) even though the loan is not
currently in arrears. 11
Delinquent loans should be written off once they reach 100% provision or earlier
if you are almost certain that a loan will not be recovered. Loans can be written
off against the provision, and if no provision is recognised they can be treated as
expenses in the income statement and will reduce taxable income.
The actual provisions for impairment and bad debts written off for all ADIs can
now be found for each ADI in its APS 330 public disclosure.
Commercial Loans
Commercial lending requires a specific skills set to assess repayment capacity on
the basis of business performance and prospects. Staff and managers skilled in
retail lending may not have – and usually do not have – the skills necessary for
analysing business plans, balance sheets and profit and loss statements.
Mutual ADIs should not engage in commercial lending without those skills; and
commercial lending should not be a significant part of a business without an
appropriate investment in skilled lending staff to handle the associated business
volumes. Your institution’s credit risk policy should set a ceiling on commercial
lending as a proportion of total lending.
Large Exposures
An ADI must ‘consult with’ APRA on large exposures of 10% of capital or more.
Strictly speaking, APRA approval is only required for large exposures of 25% of
capital or more.
Consultations and approvals could be improved by the use of a standard form
including an explanation of the proposed loan and applicant details.
Service standards could be agreed with APRA to clarify expectations for all parties
concerned. For lenders the key issue is managing member expectations. APRA
may not always be aware of this pressing commercial issue. Equally, ADIs need
to understand and meet APRA’s requirement for sufficient information to conduct
their assessments of large exposures.
11
APRA staff have commented (March 2011) that they consider this practice prudent and often request
‘watch list’ or pre-watch list’ information when undertaking prudential reviews.
© Customer Owned Banking Association – January 2015
59
Making Sense of the Prudential Standards
Link to ICAAP
Credit risk is fundamental to an ICAAP. As discussed in Chapter 6, capital is
often provided using the ‘default’ allocation of the statutory minimum. However,
credit risk should be provided on the basis of an assessment of the actual credit
risk based on the loan portfolio, risk appetite, past performance and market
conditions. The General Reserve for Credit Losses (‘GRCL’) should also be taken
into account; in this context the GRCL can be seen as a ‘business as usual’
calculation while the ICAAP approach to credit risk will factor in a range of
potential scenarios including significant adverse changes e.g. to market
conditions and property values.
An ICAAP should also take into account concentration risks including by
geographical area, workplaces or industries, as well as large exposures. Property
market fluctuations are also relevant to the extent that they change the
underlying value of securities.
Questions for directors and managers to consider
Does your organisation’s credit risk policy reflect responsible lending criteria?
Is your organisation’s credit risk policy regularly reviewed?
What are your organisation’s debt servicing ratios, buffer rate and disposable
income allowances?
Is delinquency effectively reported and managed?
Does your organisation make adequate provision for bad debt?
Are loans written off appropriately?
© Customer Owned Banking Association – January 2015
60
Making Sense of the Prudential Standards
9. Audit and Disclosure
Accounting to regulators, members and the public
Auditors provide an important independent mechanism for reviewing compliance
with APRA’s prudential and reporting requirements. We want to clarify the role of
auditors to account for industry developments and the new Basel II Capital
Framework. 12
The disciplining effects of markets can reinforce prudential supervision by
rewarding those institutions that assess and manage risk effectively and
penalising those where risk assessment and risk management are inadequate. 13
APS 310 Audit and Related Matters
APS 310 sets out requirements for an ADI to ensure that APRA has access to
independent advice from an auditor relating to the operations, internal controls
and information provided to APRA in respect of the institution. Key requirements
of APS 310 include:
•
the appointment of an auditor to undertake the functions set out in APS 310;
•
specifying the roles and responsibilities of the appointed auditor; and
•
that an ADI must ensure that, as appropriate, the appointed auditor is able to
fulfil its responsibilities in accordance with APS 310.
The CEO of an ADI must provide an annual ‘declaration’ to APRA endorsed by the
board attesting for the financial year past. The declaration must state that:
12
13
•
board and management have identified key risks
•
board and management have established systems to monitor and manage
same (including a series of prudent limits, and adequate and timely reporting
processes)
•
risk management systems are operating effectively and are adequate for
relevant risks; and
•
the risk management systems descriptions provided to APRA are accurate and
current
•
the prudential disclosures required under APS 330 are reliable: APS
310:26/27.
APRA proposes revised audit requirements for ADIs – MR 08.28, 7 November 2008.
APRA releases Basel II market disclosure proposals – MR 07.18, 6 June 2007.
© Customer Owned Banking Association – January 2015
61
Making Sense of the Prudential Standards
APS 330 Public Disclosure of Prudential Information
APS 330 aims to enhance transparency in Australian financial markets by setting
minimum requirements for the public disclosure of information on the risk
management practices and capital adequacy of locally incorporated ADIs. Locally
incorporated ADIs that are Australian owned and use the standardised
approaches are required to disclose some basic prudential information, along with
information on remuneration for directors, senior managers and material risktakers (generally quarterly for prudential information and annually for
remuneration).
APS 310 and 330 in Practice
APS 310 and APS 330 now combine to impose significant reporting obligations on
ADI boards. The APS 310 declaration is made by the CEO/GM but must be
endorsed by the board. As a result, the board must understand how the
declaration is made, and the operation of the ADIs risk management framework.
The APS 310 declaration must also address business continuity (see CPS 232:15)
and the APS 330 public declaration. Note also the overlap between the APS 220
declaration required from an ADI that must be signed by the chairs of the board
and risk committee from January 2015.
The APS 310 is effectively a self-assessment of the risk management framework
for the organisation which covers the whole business of the ADI and the
prudential standards regime. The extent of detail is for each ADI to determine.
APRA provides no guidance. Approaches vary from minimalist to exhaustive. At
the very least, the board should satisfy itself that it can endorse the declaration
with confidence – based on a real understanding of risk and the operation of the
risk management system.
The board or risk committee needs to outline the extent of documentation
required of management to support the statements made in the attestation. The
risk management committee will play a key role in preparing the endorsement
and ‘auditing’ the attestation of the CEO.
The external auditor is now required to report to APRA on compliance with the
prudential standards – effectively an external assessment of the same issues
covered by the APS 310 attestation. The standard now requires the board to
appoint an auditor for this purpose.
Boards must work closely with both external and internal auditors. Auditing
functions are an intrinsic part of your institution’s risk management system,
within the APRA Prudential Standards framework. The board and its Audit
Committee must develop a clear, comprehensive and appropriate audit plan to
frame the activities of external and internal auditors. Directors and managers
alike must be aware of the key role of auditors in providing assurance of the
veracity of information provided both to APRA and your institution’s members.
The APS 330 statement
The APS 330 statement must be posted on your website with information
updated quarterly (annually for capital data). The disclosure includes an annual
© Customer Owned Banking Association – January 2015
62
Making Sense of the Prudential Standards
statement of the capital position of the mutual, along with quarterly updates of
capital adequacy and credit risk information. The detail provided varies as can be
seen from the website disclosures of ADIs. The CEO attests to the reliability of
the Prudential Disclosures in the annual APS 310 declaration.
The board should ensure that internal audit is tasked to maintain the integrity
and transparency of the process that produces both the APS 310 declaration and
the APS 330 statements.
The audit and/or risk committee will ordinarily be responsible for overseeing the
work of the internal auditor and external auditors in support of these reports.
However, the full board remains fundamentally responsible for oversight of these
processes.
From 30 June 2013, a common disclosure template applies along with new
remuneration disclosure rules.
Proposed amendments
In late 2014 APRA released for consultation a discussion paper and draft
amendments to APS 110 and 330, which outlined APRA”s proposed
implementation of new disclosure requirements in relation to:
•
the leverage ratio
•
the liquidity coverage ratio
•
the identification of potential globally systemically important banks
APRA’s intention was that the amendments would come into effect from 1
January 2015; however in November 2014 APRA advised affected ADIs that the
amendments any new requirement would not take effect until 1 April 2015 at the
earliest 14.
Link to the ICAAP
The APS 310 declaration and ICAAP cover the same territory: the key risks facing
the organisation. In practice, the development and review of the ICAAP should
be aligned with the annual declaration. The new ICAAP report (CPG 110:44)
could be provided to APRA with the APS 310 attestation.
APS 330 is about reporting on capital (and credit risk) rather than the calculation
or allocation of capital. The quarterly update of APS 330 data can be aligned with
the ICAAP review.
14
The new requirements once finalised will be discussed in more detail in a forthcoming update of this
Guide.
© Customer Owned Banking Association – January 2015
63
Making Sense of the Prudential Standards
Questions for directors and managers to consider
Is your organisation’s external audit process independent, transparent and
robust?
Is your organisation’s internal audit process empowered, transparent and
robust?
Is your organisation’s APS 310 attestation process clear and robust?
Can the board confidently endorse the APS 310 attestation made by the CEO?
Is your organisation’s APS 330 statement properly expressed, updated and
posted to your website?
Do your organisation’s processes link the ICAAP, APS 310 attestation and the
APS 330 disclosures?
© Customer Owned Banking Association – January 2015
64
Making Sense of the Prudential Standards
10. Operational Risk
Practical tools and challenges – operational risks, outsourcing and business
continuity
We expect the board to be aware of the institution’s major operational risks and
how they are controlled. The board should set the institution’s tolerance for risk
or “risk appetite”, through its approval of policies for managing operational risk.
These policies should outline the institution’s approach to the identification,
assessment, monitoring, control and mitigation of this risk. The board is also
responsible for regular review of the institution’s operational risk management
framework and for ensuring that senior management is actively monitoring the
effectiveness of risk controls. Accordingly, the board should establish a
management structure for operational risk based on clear lines of responsibility,
accountability and reporting. 15
Operational Risk – New CPG 234 and 235
Operational risk is the risk of loss resulting from inadequate or failed internal
processes, people and systems or from external events. This definition includes
legal risk but excludes strategic and reputational risks: APS 001:4. CPG 234 and
235 require mutual ADIs to have a policy on managing data risk including
procedures for transaction record keeping and data backup and storage, as well
as procedures for other operational risks including:
•
legal or compliance risk;
•
key person and other human resources risks; and
•
insurable risks including - workers compensation, damage to physical assets,
fidelity guarantee (covering internal fraud), directors and officer liability,
public liability, professional indemnity and business interruption.
Managing data risk is crucial because it can affect an ADI’s ability to meet
financial and other obligations to depositors and customers. APRA believes that
the risks associated with the use of data, including data application, retention,
storage and security, have become more significant with increasing automation
and the criticality of data to decision-making.
15
The evolution of risk and risk management – a prudential regulator’s perspective – John Laker, 21
August 2007, Reserve Bank of Australia Conference.
© Customer Owned Banking Association – January 2015
65
Making Sense of the Prudential Standards
CPS 231 Outsourcing
CPS 231 aims to ensure that all outsourcing arrangements involving material
business activities entered into by an ADI are subject to appropriate due
diligence, approval and on-going monitoring. All risks arising from outsourcing
material business activities must be appropriately managed to ensure that the
ADI is able to meet both its financial and service obligations to its depositors.
The key requirements of CPS 231 include that an ADI must:
•
have a policy relating to outsourcing of material business activities;
•
have sufficient monitoring processes in place to manage the outsourcing of
material business activities;
•
for all outsourcing of material business activities with third parties, have a
legally binding agreement in place, unless otherwise agreed by APRA;
•
consult with APRA prior to entering into agreements to outsource material
business activities to service providers who conduct their activities outside
Australia; and
•
notify APRA after entering into agreements to outsource material business
activities.
A material business activity is one that has the potential, if disrupted, to have a
significant impact on business operations or ability to manage risks effectively.
The internal audit function must be treated as a material business activity: CPS
231:14/15.
An ADI must notify APRA no later than 20 business days after execution of the
agreement. The notice must include a summary of:
•
the key risks involved in the arrangement; and
•
the risk mitigation strategies put in place to manage the key risks: CPS
231:34/35.
An ADI must devote sufficient and appropriate resources to manage and monitor
the relationship:
•
maintaining regular contact with the provider; and
•
implementing a process for regular performance monitoring (including
adherence to SLAs): CPS 231:38.
An ADI must advise APRA of any problems which may materially affect the
outsourcing arrangement: CPS 231:39.
An ADI must advise APRA of transitional arrangements in place when it
terminates an outsourcing arrangement: CPS 231:40.
© Customer Owned Banking Association – January 2015
66
Making Sense of the Prudential Standards
CPS 232 Business Continuity Management
CPS 232 aims to ensure that an ADI implements a whole of business approach to
business continuity management [BCM]) appropriate to the nature and scale of
its operations. BCM increases an ADI’s resilience to business disruption arising
from internal and external events and reduces the impact on the ADI’s business
operations, reputation, profitability, depositors and other stakeholders.
The prime responsibility for the business continuity of the ADI rests with the
board of directors of the ADI. The key requirements of CPS 232 are:
•
an ADI must identify, assess and manage potential business continuity risks
to ensure that it is able to meet its financial and service obligations to its
depositors and other creditors;
•
the board of the ADI must consider the ADI’s business continuity risks and
controls as part of its overall risk management systems and approve a BCM
policy;
•
an ADI must develop and maintain a business continuity plan [BCP] that
documents procedures and information which enable the ADI to manage
business disruptions.
•
an ADI must review the BCP annually and periodically arrange for its review
by the ADI’s internal audit function or an external expert; and
•
an ADI must notify APRA as soon as possible and no later than 24 hours after
experiencing a major disruption that has the potential to materially impact on
the ADI’s risk profile, or affect its financial soundness.
The BCP must be reviewed by responsible senior management at least annually
or more frequently if there are ‘material changes’ to the operating environment.
Internal audit, or an external expert, must periodically review the BCP and report
to the board or management.
An ADI must review and test its BCP at least annually, or more frequently if there
are material changes to business operations. This is to ensure that the BCP can
meet the BCM objectives. Results of the testing must be formally reported to
management and the board. The BCP must be amended to reflect reviews and
tests: CPS 232:29/30.
An ADI must include in its BCM programs for training and ensuring awareness of
staff in relation to BCM: CPS 232:18. In implementing the training program,
staff with specific responsibility for the BCM program are to undertake the
necessary training to ensure they can competently fulfil their duties. The training
requirements should be in the performance objectives of responsible individuals.
All staff must at least be familiar with the BCP for their unit.
An ADI must notify APRA “as soon as possible” and no later than 24 hours after a
major disruption event. The ADI must explain to APRA the nature of the
disruption, the action being taken, the likely effect and the timeframe for
© Customer Owned Banking Association – January 2015
67
Making Sense of the Prudential Standards
returning to normal operations. APRA must be notified when normal operations
are resumed: CPS 232:31.
In the view of APRA staff 16, BCM is an area of ADI activity generally requiring
improvement, including greater emphasis as part of an institution’s risk
management framework.
Operational Risk in Practice
Operational risk is an inherent feature of doing business. An operational risk
policy should cover data risk and insurable risks. It should also extend to
outsourcing and business continuity recognizing these risks as operational risks.
An operational risk register should be in place with risks identified, evaluated and
treated in line with the process set out in AS/NZS 4360, now 2009 - AS/NZS ISO
31000:2009. Data risk should be covered by your BCP.
Processes and checklists should be developed and used to support due diligence
of outsourcing arrangements, checking the content of outsourcing agreements
and monitoring the performance of third parties. Outsourcing arrangements
should include (at least): providers of treasury services; data bureau (IDPCs)
services; payment processing systems; internal audit; and internet banking
service providers. Professional service providers, e.g. lawyers and external
auditors, are excluded.
BCPs, once established, must be reviewed annually and tests should be
conducted at least annually. Third parties again – especially IDPCs – need to
assist you in testing your BCPs. The annual review should address the business
functions and scenarios included in the plan along with the currency or relevance
of the business impact analysis.
Insurances should be checked for coverage and renewed annually including:
•
fidelity guarantee;
•
asset protection, including fire and malicious damage;
•
directors' and officers' liability;
•
public liability;
•
professional indemnity; and
•
business interruption.
Link to ICAAP
APS 114 mandates a formula for calculating the proportion of capital that must
be provided to cover for potential losses arising from operational risks. An ADI
can always provide more for operational risk (including outsourcing and business
continuity risks) depending on its assessment of actual operational risks. Where
this is done, your ICAAP should have an additional line item setting out the
“extra” allocation of capital for operational risk.
16
Comments to COBA (March 2011)
© Customer Owned Banking Association – January 2015
68
Making Sense of the Prudential Standards
Questions for directors and managers to consider
Does your organisation have an operational risk register?
Are outsourcing arrangements monitored effectively?
Is due diligence observed when entering new relationships?
Are new agreements signed off against the requirements of CPS 231?
Is annual BCP testing conducted?
Are staff adequately trained on BCP?
Is your BCP reviewed annually?
© Customer Owned Banking Association – January 2015
69
Making Sense of the Prudential Standards
11. Risk and Governance
Board that develop an effective risk management framework, add value and
work well with management
An ADI must have a risk management framework consistent with its strategic
objectives and business plan incorporating structures, policies, processes,
people and systems for identifying, measuring, evaluating, monitoring,
reporting and controlling or mitigating material risks that may affect its ability
to meet its obligations to depositors: CPS 220
The ultimate responsibility for the sound and prudent management of ADIs
rests with their board of directors. It is essential that ADIs have a sound
governance framework and conduct their affairs with a high degree of
integrity. A culture that promotes good governance is of benefit to all
stakeholders of an ADI and helps to maintain public confidence in the ADI:
CPS 510
CPS 220 – Risk Management
An ADI must have a risk management framework consistent with its strategic
objectives and business plan incorporating structures, policies, processes,
people and systems for identifying, measuring, evaluating, monitoring,
reporting and controlling or mitigating material risks that may affect its ability
to meet its obligations to depositors.
An ADI must also have in place a Risk Appetite Statement (RAS): CPS
220:28-30. The RAS must address material risks including: credit risk;
market and investment risk; liquidity risk; insurance risk; operational risk;
risks arising from strategic objectives and business plans; and other risks that
may have a material impact on the ADI. The RAS must outline:
•
the degree of risk the ADI is prepared to accept in pursuit of its strategic
objectives and business plan, giving consideration to the interests of
depositors and/or policyholders (risk appetite);
•
for each material risk, the maximum level of risk that the ADI is willing to
operate within, expressed as a risk limit and based on its risk appetite, risk
profile and capital strength (risk tolerance);
•
the process for ensuring risk tolerances are set at appropriate levels, based
on estimated impacts and likelihood of breaches;
•
the process for monitoring compliance with risk tolerances and for taking
action in the event of breach; and
© Customer Owned Banking Association – January 2015
70
Making Sense of the Prudential Standards
•
the timing and process for reviewing risk appetite and tolerances (CPS
220:28-29).
In addition, CPS 220 requires an ADI to appoint a Chief Risk Officer who typically
must be independent from business lines, revenue generation and finance
functions, and report direct to the CEO. However, smaller ADIs can apply to
APRA to have this requirement relaxed.
CPS 510 Governance – Objectives and Key Requirements
CPS 510 sets out minimum foundations for good governance for ADIs. It aims to
ensure that regulated institutions are managed in a sound and prudent manner
by a competent Board of directors, which is capable of making reasonable and
impartial business judgements in the best interests of the ADI and which gives
due consideration to the impact of its decisions on depositors. The governance
arrangements of ADIs build on these foundations in ways that take account of the
size, complexity and risk profile of the ADI.
APRA’s principles-based approach to good governance has emphasised the
following principles since the introduction of CPS 510: responsibility;
independence; renewal; expertise; diligence; prudence; transparency; oversight.
The key requirements of CPS 510 include:
•
specific requirements with respect to board size and composition;
•
the chairperson of the board must be an independent director;
•
a Board Audit Committee and Board Risk Committee must be established
each with its own written charter;
•
ADIs must have a dedicated internal audit function;
•
certain provisions dealing with independence requirements for auditors
consistent with those in the Corporations Act 2001;
•
a compliant remuneration policy and Board Remuneration Committee, or
comparable arrangements, covering responsible managers, risk personnel and
certain other categories of staff; and
•
a policy on board renewal and procedures for assessing Board performance.
The requirements of proposed CPS 220 for a risk management framework and
risk committee should also be considered here. For a more detailed commentary
on CPS 510 requirements, see COBA CPS 510 Governance Compliance Manual.
For more information email complianceinfo@COBA.org.au.
© Customer Owned Banking Association – January 2015
71
Making Sense of the Prudential Standards
CPS 520 Fit and Proper
Persons who are responsible for the management and oversight of an ADI need
to have appropriate skills, experience and knowledge and act with honesty and
integrity. This strengthens the protection afforded to depositors and other
stakeholders. To this end, ADIs need to prudently manage the risk that persons
in positions of responsibility may not be fit and proper. The prime responsibility
for ensuring that an ADIs responsible persons are fit and proper remains with the
board of directors.
CPS 520 sets out minimum requirements for determining the fitness and
propriety of individuals to hold positions of responsibility. The key requirements
of CPS 520 are that:
•
an ADI must have and implement a written Fit and Proper Policy that meets
the requirements of CPS 520;
•
the fitness and propriety of a responsible person must generally be assessed
prior to initial appointment and then re-assessed annually (or as close to
annually as practicable);
•
an ADI must take all prudent steps to ensure that a person is not appointed
to, or does not continue to hold, a responsible person position for which they
are not fit and proper;
•
additional requirements must be met for external and internal auditors; and
•
certain information must be provided to APRA regarding responsible persons
and the ADIs assessment of their fitness and propriety.
For a detailed commentary on CPS 520 requirements, see COBA Fit & Proper
Compliance Manual, available from COBA Compliance Services.
Governance – Practical Implications
Recent changes to prudential standards have raised expectations of board
involvement and performance. Directors and boards of ADIs are now expected to
lead strategy, oversee performance and remuneration and ensure accountability.
Many Prudential Standards now explicitly remind us of the role that APRA expects
the board to play. The basics of CPS 510 are clear:
•
There must be at least 5 directors on its board;
•
A majority of directors must be independent;
•
The chair must be independent and cannot also be the chair of the audit
committee;
•
An audit committee must be established with terms of reference;
•
A board charter must be developed, along with a policy on board renewal;
and
•
Performance reviews must be conducted at least annually for the board as a
whole, and for individual directors.
© Customer Owned Banking Association – January 2015
72
Making Sense of the Prudential Standards
However, good governance is less about procedural compliance than
organisational performance and dynamics, which is where the challenge begins.
Debate continues on a range of issues including board renewal, independence
and performance reviews.
•
Board Renewal
Board renewal is designed to maintain and improve standards of good
governance by keeping the board open to new and fresh ideas. At the 2013
COBA and AM Institute convention outgoing APRA Chairman Dr Laker noted “ In
our experience , Boards that do not renew themselves become too entrenched
and comfortable with the status quo, unable to adapt to changing
circumstances” 17 Many mutual ADIs use the ‘associate’ system to engage
interested people who then sit in on board meetings for a period to ‘learn the
ropes’ and consider whether they wish to stand for election to the board. Debate
often focuses on tenure, and rules can be developed to review the position of
long standing directors. However, many argue that the emphasis should be on
performance – whether a person is adding value to the organisation – rather than
the time served by a director.
•
Independence
A majority of directors of an ADI must be independent (as defined in CPS 510)
but this does not mean that all directors need to be independent. Therefore, if a
director is found to be ‘not independent’ due to business interests or any other
reason, that person can remain a director. A problem for an ADI only arises
where a majority of directors are found to be ‘not independent’.
•
Performance review
Directors – and the board as a whole - should add value to the organisation.
There are many ways of measuring board performance; internal self-assessment
is common as is the use of external consultants. Reticence among directors, and
reluctance to criticise colleagues, can be obstacles to effective reviews. Creating
a positive environment directed towards continuous improvement is the key to
effective reviews. Reviews must cover individual directors, as well as the board
as a whole.
•
Committees
CPS 510 requires an ADI to have an Audit Committee. CPS 220 proposes to
introduce a mandatory Risk Committee, although small institutions may be able
to roll this into another committee. Beyond that, ADIs can design their own
committee structure which may include committees for Governance, Assets and
Liabilities, Marketing and other issues as deemed appropriate by the board. In
relation to remuneration, institutions can either establish a separate
Remuneration Committee, or (with APRA approval) seek to use an existing
17
Mutuals : a look back and ahead – John Laker, COBA Convention, Melbourne , 29 October 2013 p 2
© Customer Owned Banking Association – January 2015
73
Making Sense of the Prudential Standards
committee to address remuneration requirements, in which case that committee’s
terms of reference or charter must reflect CPS 510 requirements.
Skills
Greater investment in training is now required as ADIs must ensure that directors
and senior management, collectively, have the full range of skills for the effective
and prudent operation of the ADI, and that each director has the skills to make
an effective contribution to board deliberations and processes: CPS 510:11.
•
Remuneration
Remuneration policies and practices must reflect and support the risk appetite of
the ADI. Performance related remuneration must be adjustable to zero to protect
the financial soundness of the ADI: CPS 510:47.
Fit and Proper – Practical Implications
Typically mutual ADIs conduct an extensive fit and proper test when directors are
elected or re-elected, supported by an annual declaration during their tenure.
Propriety is usually tested for each responsible person by obtaining police and
bankruptcy checks, personal references and assurances as to character. Each
responsible person will then be asked to make a declaration of any interests that
may conflict with the interests of the company.
Competence is usually based on the formal qualifications and business or work
experience of the director (or applicant). Courses are provided – both in house
and external – to build skills for directors.
Skills are developed through a combination of experience, attendance at industry
conferences and formal training sessions e.g. through the AM Institute.
The formal evaluation of knowledge of directors of financial performance metrics,
prudential standards and legal compliance remains an evolving area. Most
mutual ADIs set a minimum number of training hours e.g. 10 hours or even 20
hours per annum. A key challenge is how to ensure that the knowledge adds
value to promote the engagement of all directors in the governance of the ADI.
Link to ICAAP
Risks related to governance are operational risks and are covered by your APS
114 calculation of the prudential charge of operational risk. Your institution can
always provide more capital as an extra buffer for operational risk. It can also
categorise governance risks as strategic risk, depending on its assessment of the
actual risks in the context of the organisation. If an additional allocation of
capital is made for governance risk, your ICAAP should have an additional line
item setting this out.
© Customer Owned Banking Association – January 2015
74
Making Sense of the Prudential Standards
Questions for directors to consider
Does your organisation conduct annual performance reviews for the board and
individual directors?
Do you have board renewal processes in place?
How do you ensure all responsible persons are fit and proper?
Do you have documented competencies for directors?
How do you assess the impact of training and development activities?
Do you have separate board audit and risk committees in place?
© Customer Owned Banking Association – January 2015
75
Making Sense of the Prudential Standards
12. Miscellaneous
Two new prudential standards deal with specific issues or circumstances, namely
Covered bonds and the Financial Claims Scheme.
APS 121 - Covered Bonds
APS 121 sets out requirements for the issuing of covered bonds by ADIs. Covered
bonds are a new type of potential funding source for ADIs that could operate as an
alternative to retail deposits and other wholesale funding instruments.
Under APS 121, the board is responsible for ensuring that the ADI adopts prudent
practices in the event that it issues covered bonds. The key requirements are that
an ADI must:
•
adopt policies and procedures to manage risks relating to its issuance of covered
bonds; and
•
apply an appropriate capital treatment to exposures associated with covered
bond issuance.
Any mutual ADI looking to issue covered bonds should obtain expert advice including
legal advice before considering the introduction of these fund raising instruments.
APS 910 Financial Claims Scheme
APS 910 (July 2013) sets out the minimum requirements for complying with the
Financial Claims Scheme [FCS].
The key requirements include that an ADI must be able to:
•
identify each unique account-holder, to the extent practicable;
•
develop and implement a Single Customer View (including detailed information
on relevant account balances and account holders);
•
generate and transmit payment instructions by EFT and cheque for each
account-holder;
•
facilitate collection of account-holders’ alternative ADI account details for
reporting to APRA, ATO, and account-holders;
•
facilitate communications with account-holders and stakeholders if an FCS event
is declared;
•
test Single Customer View data, payment and reporting information;
•
ensure systems and data are subject to external audit; and
•
provide a compliance attestation by CEO.
Under the FCS, the new cap of $250,000 per claim will apply; and the
© Customer Owned Banking Association – January 2015
76
Making Sense of the Prudential Standards
‘grandfathering’ provisions that kept allowed claims on term deposits up to $1m
ceased from 31 December 2012. Directors should be aware that computer systems are critical in meeting the FCS
requirements including the Single Customer View (i.e. showing all amounts owed by
the ADI to the customer); and associated payment, reporting and communications
requirements.
The most significant change concerns the creation of alternative ADI account
facilities to enable FCS payments. A practical solution to this complex and potentially
costly obligation is yet to be established.
ADIs must comply with the SCV requirements of APS 910 from 1 January 2014,
unless an extension of the transition period is granted. They must comply with all
elements of APS 910 from 1 July 2014.
© Customer Owned Banking Association – January 2015
77