Response to APRA Discussion Paper


Response to APRA Discussion Paper Harmonising cross-industry risk management requirements

8 July 2013

The Customer Owned Banking Association welcomes the opportunity to comment on APRA’s 9 May discussion paper ‘Harmonising cross-industry risk management requirements’. Collectively, the customer owned banking sector has around $84 billion in assets and serves more than 4.5 million customers. The customer owned model is the proven alternative to the listed model, delivering competition, choice, and consistently market leading levels of customer satisfaction. Our Association recognises the importance of sound risk management standards for Authorised Deposit-Taking Institutions (ADIs) and notes APRA’s view “that ADIs largely meet [the proposed new] requirements in substance as part of their existing risk management practices.”1 Customer-owned banking institutions are generally smaller and less complex than listed banks, have strong risk-management cultures and are not motivated to maximise returns to shareholders. While the discussion paper is titled ‘harmonising cross-industry risk management requirements,’ the proposed ‘enhancements’ included in the discussion paper go well beyond harmonisation and represent new prudential requirements. We are concerned that several of these new obligations are overly prescriptive and would be counterproductive for smaller, less complex ADIs. The proposals pose a clear risk of imposing unnecessary costs without leading to improved risk management outcomes. The costs of additional regulation inevitably fall disproportionately on smaller ADIs. As currently proposed, aspects of APRA’s new risk management obligations will not improve the financial stability of smaller ADIs. In addition, the cost burden imposed by these additional regulations will undermine the competitive position of these institutions. While we recognise APRA’s broader policy approach of having a single set of prudential standards for all ADIs, the standards need to be practical and to accommodate diversity. The Customer Owned Banking Association recommends: 

The requirement to designate a “Chief Risk Officer” should not apply to smaller, less complex ADIs. A simple way to delineate application of the requirement is the existing distinction between scenario analysis ADIs and Minimum Liquidity Holdings (MLH) ADIs as set out in APS 210.

That APRA remove the prescriptive requirement for the establishment of a separate Board Risk Committee and instead provide flexibility for ADIs to meet the broader policy objective within their existing Board Committee frameworks where appropriate.

The prescriptive nature of these obligations is inconsistent with the key requirement set out in the standard that “…an APRA-regulated institution must have a risk management framework that is appropriate to its size, business mix and complexity,”2 (emphasis added). We note APRA takes a pragmatic approach in applying prudential standards to smaller ADIs in other areas. For example, the MLH approach to liquidity management recognises that in some cases, “the nature and scale of [an ADI’s] operations do not warrant employing sophisticated liquidity management strategies,” 3 and provides these ADIs with 1 2 3

APRA, Harmonising cross-industry risk management requirements, May 2013, p. 9. APRA, Draft Prudential Standard CPS 220 – Risk Management, May 2013, p. 1. APRA, Prudential Standard APS 210 – Liquidity, para 9. LEVEL 11, 35 CLARENCE STREET,SYDNEY NSW 2000



a simple quantitative metric that can be used instead of the more complicated scenario analysis approach. APRA has never suggested that an appropriately tailored differential approach to prudential regulation is ineffective, so it is unclear why APRA has not taken a similar approach to the issue of risk management. As currently drafted, the prudential standard presupposes that there is one business model which would be best practice for all ADIs, and is strongly contrasted with the “principles-based approach” which is evident in most parts of the current prudential regime. We would recommend that APRA clearly articulate the policy outcomes that these obligations are seeking to deliver, and focus on providing ADIs with the flexibility to put risk management frameworks in place which achieve these outcomes in a manner tailored to their size, business mix and complexity. As it currently stands, the draft standard does not give APRA any latitude to consider alternative structures which might meet the objectives of the standard. In discussing risk management frameworks earlier this year, APRA’s Chair noted that: “What counts is how that strategy is put into effect. What marks out a good board is its activism in embedding a strong risk culture throughout the institution. Behaviours, not structure.”4 We agree that the focus should not be on rigid risk management structures but rather outcomes. The rationale for the additional risk management obligations proposed by APRA is unclear. The discussion paper simply states that the new requirements reflect APRA’s heightened expectations and “in some respects … underpin the improvements that have been made … in response to lessons learned in the global financial crisis.” The discussion paper goes on to state that prudential supervisors are working to address the “serious shortcomings in the governance and risk management of major global financial institutions…” (emphasis added). In supporting the need for enhancements in this area, APRA’s Chair has also cited5 the Financial Stability Board’s (FSB) observation that “… weak risk controls at financial institutions are still being witnessed and there remains room for improvement in supervision to ensure that it is effective, proactive and outcomes-focussed.”6 However, we note that the FSB made this observation in relation to systemically important financial institutions (SIFIs). None of this explains why these additional obligations are appropriate in an Australian context, nor does it provide any detail of the types of problems these new obligations would address. Certainly, there has been no context provided on why blanket application of these requirements to the entire ADI sector is appropriate. We note that in other areas the global regulator has explicitly acknowledged the additional risks which the largest and systemically important ADIs create, and the G-SIB and D-SIB frameworks recognise the appropriateness of tailoring regulatory approaches to address the unique risks these entities present. Given the focus of these reforms appears to be on addressing shortcomings in the largest ADIs, limiting their application to these same ADIs would appear to be a sensible approach. While we note that the prudential standard currently provides some supervisory discretion in the application of the new requirements, an explicit carve-out within the standard which recognises the existing differentiation within the sector would provide industry with greater transparency and certainty. 4 5 6

Laker, The importance of good governance, 27 Feb 2013, p. 10. ibid.

Financial Stability Board, Increasing the Intensity and Effectiveness of SIFI Supervision, Progress Report to the G-20 Ministers and Governors, p. 1. LEVEL 11, 35 CLARENCE STREET,SYDNEY NSW 2000



The Chief Risk Officer Paragraph 38 of the draft standard states that, “an APRA-regulated institution’s risk management function must be headed by a designated Chief Risk Officer (CRO).” The costs of this proposal will fall disproportionately on smaller ADIs. For large ADIs which already employ a CRO, the inclusion of this new requirement in the prudential standard will impose no additional cost. In contrast, for smaller ADIs which do not currently engage a CRO, meeting this obligation will be prohibitively expensive. APRA’s current standard states that the CRO cannot be the Chief Executive Officer (CEO), Chief Financial Officer (CFO) or the Head of Internal Audit.7 For many of our smaller members, this restriction will force them to engage an additional employee or outsource the role. Having to employ an additional staff member to meet this prudential requirement would be a significant cost burden. We note that the CROs employed by the largest ADIs attract remuneration packages of more than $2 million. While the costs to our members of filling a similar role would be lower, filling this position would nonetheless represent a sizable financial impost. In addition to the direct costs of engaging an additional employee, complying with this obligation will impose other related costs on our members, such as restructuring internal reporting lines and putting new procedures and processes in place to integrate with the new position. For some of our members, absorbing additional costs of this magnitude would have a significant impact on their profitability (which would in turn impact on their financial stability). In addition to the direct cost concerns around the proposal, there are other aspects around its implementation which we believe warrant further consideration:

7 8

We question the degree to which the appointment of a CRO would assist with “instilling an appropriate risk culture across the institution.”8 Creating a dedicated position with responsibility for risk management creates a risk that the rest of the organisation will see risk issues as “someone else’s problem.” Particularly in smaller ADIs, the engagement of a dedicated CRO may compartmentalise risk management, and potentially compromise outcomes, which is completely contrary to the broader policy objective of the draft standard.

There is a risk that the existence of a CRO could encourage Boards to give less focus to risk issues, by creating a perception that these matters are already being adequately taken care of elsewhere.

The current system of risk management is based on the primacy of the Board of Directors in setting and monitoring the ADI’s attitude to risk, with input from both internal and external audit. The requirement to engage an independent CRO introduces a “policeman” to sit between the Board and Senior Management. Taking this approach to its logical conclusion, should we also expect ADIs to engage someone to monitor the CRO and ensure that they’re doing their job properly?

APRA, Harmonising cross-industry risk management requirements, May 2013, p. 11. APRA, Draft Prudential Standard CPS 220 – Risk Management, May 2013, para 31(e). LEVEL 11, 35 CLARENCE STREET,SYDNEY NSW 2000



There is a risk that the prescriptive nature of the proposal leads to box-ticking to achieve compliance with the standard rather than leading to improved risk management outcomes.

COBA is concerned about APRA imposing such a significant burden on small ADIs when the risk management benefits such a position would provide are questionable. Given the existing risk management frameworks these ADIs already have in place (including CEO, CFO, Board and internal and external auditors), mandating the appointment of a CRO on top of this would be an unnecessary imposition. For the smaller ADIs, the benefits of such an appointment are questionable. Our members are highly aware of the risks that their businesses currently face, and they have highly experienced Boards and Board Committees who already devote significant time to these issues. As previously noted, we agree with the draft standard’s statement that the risk management framework should be appropriate to an ADI’s size, business mix and complexity. When compared to ADIs in general, the customer owned banking sector is smaller, more conservative and depositor focussed. The sector’s business models are generally less complex and risks are relatively static over time. Given these differences, we believe some explicit tailoring within the standard to the characteristics of the sector is appropriate. While paragraph 54 of the standard currently provides supervisory flexibility in the practical application of this requirement, this does not provide sufficient assurance to smaller ADIs. There is no certainty around when and how APRA may or may not choose to grant an exemption, or the factors they make take into consideration in reaching their decision. There is also a risk that APRA’s supervisory application of the exemption could change over time. As a minimum, APRA should provide greater details in the prudential standard around how this flexibility will be applied. The discussion paper states that “APRA will … consider exemptions for smaller institutions that can demonstrate they meet, in substance, the principles underlying the requirements.” Language of this nature should be included in the prudential standard, along with detail around factors that APRA would take into consideration in making their decision. While this would be a step in the right direction, a better solution would be to provide an explicit exemption for smaller, less complex ADIs. This would be a more transparent way of achieving the same outcome while also providing the sector with greater certainty around their prudential obligations. COBA notes that APRA already draws a supervisory “line in the sand” between scenario analysis ADIs and MLH ADIs. APRA should consider using the same benchmark in determining the need for the appointment of a CRO. Such an approach would recognise that scenario analysis ADIs are by their nature more complicated than MLH ADIs. In the same way that the nature and scale of MLH ADIs do not warrant sophisticated liquidity risk management strategies, it is also arguable that their operations do not warrant the appointment of a separate CRO. While we do not believe that small ADIs should be obliged to engage a CRO, we note that a number of our larger members have already taken this step where they have determined that an appointment of this kind would strengthen their business. In this regard, we believe that the current prudential framework is working well, and provides appropriate flexibility for ADIs to engage a CRO when it makes sense to do so. LEVEL 11, 35 CLARENCE STREET,SYDNEY NSW 2000



However, for these ADIs, the draft prudential standard has created uncertainty, and clarification is required around exactly who can fill the CRO role. The discussion paper, APRA’s letter of 9 May, and the APRA Chair’s speech on good governance all included statements setting out the ways in which the CRO must be ”independent.” However, each of these descriptions could be interpreted differently. It would be valuable if APRA could elaborate on the independence requirements and specify exactly what it would see as compromising a CRO’s independence. For example: 

Can the CRO be a member of the Executive Management (EM) team? Does APRA see a CRO participating in executive decisions as compromising their independence? Allowing the CRO to be part of the EM team serves a number of useful purposes, such as ensuring that the risk perspective is always brought to executive discussions and enabling effective performance of the challenger role. Being part of the EM team also ensures that the position carries the necessary stature and authority, and is seen that way by the business.

Would oversight of the Credit Management / Collections function compromise independence? While this is not a revenue generating function it is closely aligned to credit policy.

Where does the operational management of risk blur the lines of independence and potentially provide a conflict of interest? Does APRA see oversight of AML transaction monitoring as a risk management function or a business function? Could the compliance function form a part of the CRO’s role or is it intended to be a separate independent unit?

What does “distinct” and “dual hatting” actually mean to APRA? In many smaller ADIs, when a senior executive takes leave, their role will be covered by another senior executive. For many of our members, this type of arrangement is common and necessary (particularly at the C suite level). By putting in place appropriate controls, our members are already able to ensure that any potential conflicts are able to be managed effectively. However, is it APRA’s intention that the CRO not be able to act in the role of CFO or CEO in this manner?

Does an ADI need to explicitly call the position “Chief Risk Officer” to meet the requirements of the prudential standard? Where an ADI has an employee that meets the other requirements of the prudential standard, but calls this employee their “Head of Risk,” or something similar, would this be sufficient to meet the CRO obligation?

While the standards prevent the CRO from being the CFO, CEO or Head of Internal Audit, how does this apply to an ADI which does not use these labels to name the executives who hold these of positions? Could the CRO also be the Head of Finance for instance?

The Board Risk Committee The discussion paper proposes requiring all ADIs to establish an independent Board Risk Committee, and states that this is “essential in providing the Board with greater oversight of and advice on the risk management framework.” 9 While, “the proposed composition requirements … do not preclude this Committee having the same


APRA, Harmonising cross-industry risk management requirements, May 2013, p. 12. LEVEL 11, 35 CLARENCE STREET,SYDNEY NSW 2000



composition as the Board Audit Committee,”10 the Risk Committee would be required to operate under a separate charter. COBA recognises the importance of ADI Boards devoting time to risk matters. However, where ADIs already have joint Audit and Risk Committees in place, APRA needs to question what additional prudential benefit is derived from splitting the Committee in two. If the same Board members are able to sit on both Committees, a strong argument can be made that the existing arrangements would be able to achieve the prudential outcomes sought by APRA in an equally effective fashion. If the same people are meeting at the same time to talk about the same things, changing the name of the Committee will not improve prudential outcomes. Requiring the Committee to meet under two separate “hats” and two separate charters appears to simply be adding red tape to the operation of the ADI for no benefit. In reality, the name of a Board Committee is irrelevant, it is the substance of their agenda and activities that matters in practice. Once again, the prescriptive nature of this obligation leads to greater focus on the process, rather than on the outcomes. Given that most larger ADIs already have separate Board Audit and Board Risk Committees in place, this is another obligation where the bulk of the regulatory burden is borne by smaller ADIs.

Transition The discussion paper proposes that the new prudential standard take effect from 1 January 2014. Six months is not a realistic timeframe in which to achieve full compliance with the enhanced requirements of the standard, particularly as consultation will also be occurring during this period. For example, fully detailing the risk appetite statement and enhancing management information systems where needed will require more than six months, with members suggesting that an implementation timeframe of 12 to 24 months would be more appropriate. In the past, short implementation timeframes for new prudential standards have led to some ADIs purchasing “off the shelf” plans to meet APRA’s requirements. Providing a longer lead time will allow ADIs to take a more considered approach to understanding, applying and effectively integrating the new requirements.

Other matters In addition to the concerns with the CRO and Board Risk Committee proposals, COBA makes the following comments: 


Management information systems: Paragraphs 25 and 26 of the draft standard require ADIs to have management information systems capable of providing “regular, accurate and timely” information and supported by a “robust data framework.” In applying this requirement, COBA emphasises the importance of APRA taking the size, business mix and complexity of the ADI into consideration. Implementing comprehensive management information systems can be a very expensive, complicated and time consuming process, and the need for such systems in smaller ADIs with less complex business models is questionable.

APRA, Harmonising cross-industry risk management requirements, May 2013, p. 12. LEVEL 11, 35 CLARENCE STREET,SYDNEY NSW 2000



The risk management strategy (RMS): Under paragraphs 31 and 35, an ADI’s RMS must “list the policies and procedures dealing with risk management matters.” Many of these policies and procedures must already be provided elsewhere under the existing prudential standards, and it would be sensible to integrate this new requirement with existing obligations to ensure that inefficient doubling up of reporting is avoided.

The business plan: Paragraph 32 of the draft standard requires ADIs to have a business plan, which must be a “rolling plan of at least three years’ duration that is reviewed at least annually.” The term “business plan” can have different meanings to different institutions, with many organisations running strategic plans, operational plans and business plans, and the timeframes and focus of each plan can differ between organisations. Many ADIs have strategic plans (of 3 or 5 years duration), supported by an annual business plan with a 12 month focus. To address potential ambiguities in this area, it would be useful if APRA could clarify their exact expectations in this area.

Risk management declarations: The draft standard requires Boards to make an annual declaration to APRA on risk management. How does this declaration integrate with the existing CEO declaration required under APS 310? Given that the CEO declaration covers risk management issues and must be endorsed by the Board, it is questionable what additional value is derived from a separate Board declaration regarding risk management matters.

To discuss any aspect of this submission please contact: Luke Lawler Senior Manager, Public Affairs 02 8035 8448 [email protected]

Micah Green Senior Adviser, Policy & Public Affairs 02 8035 8447 [email protected]





Response to APRA Discussion Paper

Response to APRA Discussion Paper Harmonising cross-industry risk management requirements 8 July 2013 The Customer Owned Banking Association welcom...

359KB Sizes 2 Downloads 3 Views

Recommend Documents

... 2017-11-18 2017-11-18

discussion response | yova yuvitasari
May 21, 2013 - LAPORAN KONDUKTIVITAS. May 21st. discussion response. discussion response. May 21st. discussion response.

mais relevantes foram: i) a identificação de diferenças qualitativas nos ciclos eleitorais de cada ente federado, ... a

de Preços ao Consumidor (INPC). Ao longo desse período, o aumento no preço das tarifas foi absorvido com diferentes inte

Submission to the Treasury in response to the Discussion Paper - OAIC
Jul 18, 2014 - unclaimed money, continue to be made publicly available. In particular, whether an amendment to the Banki

Discussion Paper - UNDP
Abstract. The purpose of this essay is to investigate the mutual role of markets and state actions in the evolution of g

Affinity:2 Discussion Paper
Affinity:2 Discussion Paper, for Regional Conversations 2017 ..... seek clearly defined outcomes that are aligned with C

Submissions in response to Online Copyright Infringement Discussion
Sep 1, 2014 - Society (AMCOS) and the Australian Performing Rights Association (APRA),1 .... download services, includin

WIDER Discussion Paper 2001 047
Abstract. Angola's difficulties in achieving macro-economic stability and economic liberalization have serious implicati

IZA Discussion Paper No. 806
IZA Discussion Paper No. 806. June 2003. ABSTRACT. Multiple Equilibria and Minimum Wages in Labor Markets with Informati