Governance Review - Discussion Paper
Executive summary
Effective governance of banks, insurers and RSE licensees is fundamental to prudential regulation and sound risk management. Well-governed institutions are likely to be more resilient in times of stress. Poor governance creates weakness, which can crystallise in misconduct, losses and failures. This is evident both in Australia and overseas. Most of APRA’s supervisory and enforcement activity has involved issues that can be traced back to governance shortcomings.
As well as promoting sound prudential outcomes, good corporate governance practices are a necessary pre-condition for relaxing prudential requirements in other domains. To reduce overall regulatory burden without increasing risk, APRA must be confident that entities are led by high calibre, high integrity teams that can manage risk and govern effectively.
Over the past 10 years, APRA has devoted increased attention to governance, culture, remuneration and accountability. This work intensified in response to the Hayne Royal Commission and has become a focal point of APRA’s supervision. International standard setters and overseas regulators have also focused on strengthening governance practices among prudentially regulated entities.
APRA’s overall assessment is that governance practices have improved in recent years. This has been most pronounced among listed entities, and where APRA has specifically intervened to drive governance reform. APRA has seen examples of good practice across the sector, as reflected in its risk culture survey results and risk assessments of individual entities.
However, there remain substandard practices in some areas and regulated entities. APRA is determined to address remaining poor practices and set firm governance expectations for all regulated entities. Some of the main areas of corporate governance where APRA sees weakness include the skills and capabilities of directors, narrow approaches to assessing and reviewing fitness and propriety, insufficient attention to board performance assessments, problems stemming from overly long tenure and inadequate management of conflicts of interest.
This paper contains eight proposals to strengthen APRA’s core prudential standards and guidance on governance (currently set out in CPS 510 and SPS 510 Governance, CPS 520 and SPS 520 Fit and Proper, and SPS 521 Conflicts of Interest). The proposals aim to remedy areas of current poor practice and update APRA requirements to reflect contemporary governance standards.
Some of the proposals involve APRA being more prescriptive in its requirements, for example in fitness and propriety, where entities have treated their obligations as a cursory ‘tick-a-box’ exercise that does not reflect the intent of the provisions. This is necessary to change the way these governance standards operate. As well as being clearer about APRA’s expectations, introduction of more ‘bright lines’ will assist APRA to use existing supervisory and enforcement powers where entities have not dealt with persistent issues. This could include a higher supervisory risk rating, requirements to undertake a risk transformation process, adjusting capital requirements, or ultimately, directing an entity to remove a director or applying to the court for a director’s disqualification.
At the same time, there are proposals to strip away unnecessary or duplicative rules and reduce burdens on regulated entities and their boards. Proposal 6 aims to help boards to delegate APRA requirements to board committees and senior management, freeing up time to focus on strategic issues that are more fundamental to enterprise governance.
APRA has considered the implications of the proposals for smaller regulated entities. Three of the eight proposals include exemptions for entities that are not significant financial institutions (non-SFIs). This reflects APRA’s view that governance arrangements need not look the same in every entity. Subject to meeting required minimum standards, governance practices should reflect an entity’s size, complexity and business model.
The proposals are not expected to materially increase costs for regulated entities with mature governance frameworks and practices. However, APRA recognises that the proposals on independence and tenure may temporarily increase turnover of existing directors. APRA seeks input from entities and directors on the costs and benefits of the package. This will inform more comprehensive analysis prior to finalising any updates to governance standards. APRA will also consult on transitional arrangements for different types of entities.
The proposals are based on current legislation and are consistent with APRA’s current powers. APRA has not made any proposals that would require legislative change. This means, for example, that one of the proposals only applies to banks and insurers, as the SIS Act does not empower APRA to make the corresponding change for RSE licensees.
As a package, the proposals are broadly consistent with relevant international standards and in line with or less interventionist than comparable overseas regimes.
Chapter 1 sets out the case for change, while Chapter 2 sets out the proposals on which feedback is sought. Chapter 3 provides more information about consultation and next steps.
APRA invites written submissions in response to this paper by 6 June 2025. APRA will also host industry and other stakeholder roundtables in April and May, to gather feedback and insights.
Proposals
1. Skills and capabilities
Require regulated entities to:
- identify and document the skills and capabilities necessary for the board overall, and for each individual director
- evaluate existing skills and capabilities of boards and individual directors
- take active steps to address gaps through professional development, succession planning and appointments.
2. Fitness and propriety
Require regulated entities to meet higher minimum requirements to ensure fitness and propriety of their responsible persons.
Require SFIs, and non-SFIs under heightened supervision, to engage proactively with APRA on potential appointments.
3. Conflicts management
Extend current RSE licensee conflict management requirements to banks and insurers so they are also required to:
- proactively identify actual and potential conflicts of interest and duty
- avoid or prudently manage conflicts
- take remedial action when conflicts are not disclosed or managed properly.
Require regulated entities to consider perceived conflicts, in addition to actual and potential conflicts.
4. Independence (banks and insurers only¹)
Strengthen independence on regulated entity boards by:
- requiring that at least two of their independent directors (including the chair) are not members of any other board within the entity’s group
- making minor amendments to the independence criteria, including extending the prohibition on directors who are substantial shareholders in a regulated entity or group from being considered independent, to include material holdings of any type of security
- extending the current requirement for bank and insurer boards to have a majority of independent directors to include boards of entities with a parent that is regulated by APRA or an overseas equivalent.
5. Board performance review
Require SFIs to commission a qualified independent third-party performance assessment at least every three years which covers the board, committees and individual directors.
6. Role clarity
Define APRA’s core expectations of the board, the chair and senior management.
Provide additional guidance on which APRA requirements may be delegated to board committees and senior management.
7. Board committees
Extend the current requirement for bank and insurer boards to have separate risk and audit committees, to apply to SFI RSE licensees as well. Repeal this requirement for non-SFI banks and insurers, allowing flexibility for smaller entities.
Mandate that only full board members can be voting members of APRA-required board committees.
8. Director tenure and board renewal
Impose a lifetime default tenure limit of 10 years for non-executive directors at a regulated entity.
Require regulated entities to establish a robust, forward-looking process for board renewal.
Governance insights
Regulated industries and governance expectations have changed since APRA’s cross-industry governance standard was introduced in 2012
- Assets held by APRA-regulated entities have grown from ~$4.2T to ~$9.1T.
- Assets held by APRA-regulated banks have grown 102%.
- Assets held by APRA-regulated superannuation entities have grown 224%.
- New legislative accountability regimes came into force: banking (BEAR, 2018) then banks, insurers and RSE licensees (FAR, 2025).
- APRA has introduced several new prudential standards that include strong governance components – including for remuneration, operational risk management and information security.
- International supervisory standards and domestic benchmarks, such as the ASX Corporate Governance Principles, have been updated several times.
When regulated entities are at heightened risk, there are often underlying governance issues
- Of entities subject to heightened risk-based supervision, 78% have underlying governance issues.
- Since 2018, APRA has accepted 7 Court-Enforceable Undertakings related to governance concerns.
- Since 2018, APRA has imposed 5 capital overlays for insurers, 7 capital overlays for banks, and 13 occasions of additional licence conditions for RSE licensees due to governance concerns.
APRA seeks to address areas of persistent concern, and to empower boards to focus on what is most important
- A recent cohort-based thematic review found almost 50% of boards of mutual banks had only one, or no directors with contemporary industry experience.
- APRA’s prudential framework imposes 150 requirements on the average entity board.²
- Tenure of directors on boards of regulated entities > 10 years: 12%
Glossary
Term | Definition |
---|---|
ADI | Authorised deposit-taking institution |
Accountable person | An accountable person as defined in s.10 of the FAR Act |
ASX | Australian Securities Exchange |
BCBS | Basel Committee on Banking Supervision |
BEAR | Banking Executive Accountability Regime |
Board | Board of directors of an institution or, for an RSE licensee, the Board of directors or group of individual trustees of an RSE licensee, as applicable |
CPS 220 | Prudential Standard CPS 220 Risk Management |
CPS 230 | Prudential Standard CPS 230 Operational Risk Management |
CPS 234 | Prudential Standard CPS 234 Information Security |
CPS 510 | Prudential Standard CPS 510 Governance |
CPS 511 | Prudential Standard CPS 511 Remuneration |
CPS 520 | Prudential Standard CPS 520 Fit and Proper |
FAR Act | Financial Accountability Regime Act 2023 |
IAIS | International Association of Insurance Supervisors |
Non-executive director (NED) | A non-executive director as defined in paragraph 25 of CPS 510, and footnote 13 of SPS 510 |
Responsible person | A responsible person as defined in paragraph 20 of CPS 520, and paragraph 12 of SPS 520 |
RSE | Registrable superannuation entity |
RSE licensee | Registrable superannuation entity licensee as defined in s.10(1) of the SIS Act |
SFI | Significant financial institution³ |
SIS Act | Superannuation Industry (Supervision) Act 1993 |
SPG 510 | Prudential Practice Guide SPG 510 Governance |
SPG 521 | Prudential Practice Guide SPG 521 Conflicts of Interest |
SPS 220 | Prudential Standard SPS 220 Risk Management |
SPS 510 | Prudential Standard SPS 510 Governance |
SPS 520 | Prudential Standard SPS 520 Fit and Proper |
SPS 521 | Prudential Standard SPS 521 Conflicts of Interest |
Chapter 1: Policy background
Governance comprises the principles, practices, processes and behaviours that determine how entities are directed and controlled. Boards have a central role to play in ensuring good governance as they are responsible for setting the strategic direction, culture and risk appetite of an institution, and for holding management to account.
APRA requires regulated entities to have effective governance arrangements to support boards in these roles. Such arrangements enable boards to make well-informed decisions, based on sound judgement and in the best interest of the entity and its key stakeholders or beneficiaries.
Good governance of financial services entities is essential
APRA-regulated entities play a central role in the economy and the lives of individual Australians. They protect savings, enable payments, provide access to credit, facilitate investment and help mitigate risk. The total assets of regulated entities have grown to around $9.1 trillion in 2024, up from $4.2 trillion in 2012 when CPS 510 was first consolidated from industry-specific standards. As well as having responsibility for this rapidly increasing pool of assets, entities face emerging risks including growing operational and cyber risks.
When regulated entities experience difficulties, the consequences can be dramatic for individual depositors, policyholders and superannuation beneficiaries, as well as for taxpayers and the broader economy. In APRA’s experience, well-governed entities are more resilient in times of stress, more agile in times of change, and demonstrate more sophisticated risk judgement. Instances of misconduct and poor performance are often ultimately found, in full or in part, to result from governance failures that allowed risky and inappropriate conduct to flourish.
Examples from Australia that highlight the importance of sound governance include the Hayne Royal Commission, the Commonwealth Bank of Australia (CBA) Prudential Inquiry and the Deloitte Independent Review into the trustee of Cbus, United Super Pty Limited. Some recent overseas examples include the reviews into the failures of Silicon Valley Bank (SVB) and Credit Suisse.
The central role of governance, as emphasised by reviews and inquiries
Domestic
- Hayne Royal Commission: ‘As often as possible, financial services entities should take proper steps to assess culture and governance, identify and deal with problems, and determine whether changes made have been effective.’ Royal Commission Final Report, February 2019. Commissioner Hayne emphasised the fundamental importance of leadership, governance, and culture in preventing misconduct.
- CBA Prudential Inquiry: ‘Community trust in banks has been badly eroded, globally and in Australia…Governance weaknesses, serious professional misbehaviour, ethical lapses and compliance failures have resulted in substantial financial losses and record fines and penalties.’ Final Report of the Prudential Inquiry into the CBA, April 2018. APRA’s Prudential Inquiry stressed the need for effective governance and strong risk management culture to maintain trust and stability.
International
- Silicon Valley Bank (SVB): ‘Silicon Valley Bank’s board of directors and management failed to manage their risks...’ Federal Reserve Report, April 2023. The collapse of SVB highlighted significant governance failures, including insufficient risk management and internal controls.
- Credit Suisse: ‘Owing to the inadequate implementation of its strategic focus areas, repeated scandals and management errors, Credit Suisse lost the confidence of its clients, investors and the markets. The resulting high level of withdrawals of client funds led to the risk of immediate insolvency in mid-March 2023.’ FINMA press release on its Report on the Credit Suisse Crisis, December 2023. FINMA analysed the bank's development from 2008 to 2023 and its own supervisory work. It identified key areas for improvement, including the need for stronger legal requirements, such as a Senior Managers Regime, and more stringent rules for corporate governance.
APRA’s own supervisory and enforcement work supports the premise that governance shortcomings can lead to significant future problems for entities. Seventy-eight per cent of the entities currently subject to heightened supervision by APRA have underlying governance issues. This is consistent with APRA’s longer term supervisory experience. Almost all of APRA’s enforcement actions since 2018 have had risk governance and culture failings identified as the main underlying driver. APRA has imposed capital overlays for seven banks and five insurers, imposed additional licence conditions on thirteen separate occasions for RSE licensees, and accepted seven Court Enforceable Undertakings primarily due to weaknesses in governance.
APRA sets minimum expectations in concert with other regulation
Promoting effective governance is a fundamental part of prudential regulation. It is important that regulated entities are managed soundly and prudently, and that they are run by people with the right skills, experience and character.
APRA maintains foundational prudential standards for the governance of regulated entities as well as the fitness and propriety⁴ of directors, senior managers and other key office holders (referred to collectively as ‘responsible persons’⁵). There are also separate prudential standards governing other aspects of corporate governance including audit, remuneration, disclosure and risk management. APRA’s standards are reinforced by supplementary guidance and risk-based oversight, including reviews of industry practices. Much of APRA’s work is achieved through working directly with regulated entities. Wherever possible, APRA encourages boards and senior executives to drive change themselves.
APRA’s prudential requirements and guidance are only one part of the regulatory and legislative framework that applies to regulated entities and their directors. Examples of other relevant obligations can be found in:
- the Corporations Act 2001, administered principally by ASIC, which establishes key directors’ duties, such as the duty to act with reasonable care and diligence, the duty to act in good faith and for a proper purpose, as well as other statutory obligations and requirements.
- the Financial Accountability Regime Act 2023, jointly administered by APRA and ASIC, which introduced a strengthened responsibility and accountability framework for regulated entities as well as their directors and senior executives. This has come into effect for banks and commences on 15 March 2025 for insurers and RSE licensees.
- for RSE licensees, the introduction of the best financial interests duty (BFID) in 2021 and the retirement income covenant in 2022.
- for listed entities, the ASX Listing Rules and the ASX Corporate Governance Council’s Corporate Governance Principles and Recommendations.
APRA has made governance an enduring focus of its work
Over the past 10 years, APRA has devoted increased attention to governance, culture, remuneration and accountability. This work intensified in the wake of the Hayne Royal Commission and the Prudential Inquiry into the CBA, which emphasised the fundamental importance of sound governance and risk culture.
In recent years, APRA has introduced new cross-sector prudential standards for remuneration (CPS 511), operational risk management (CPS 230) and information security (CPS 234). APRA and ASIC have worked closely to implement the FAR, which strengthens responsibility and accountability for APRA-regulated entities.
In parallel, APRA has undertaken extensive supervisory work to assess governance arrangements of its regulated entities, which has enabled identification of good practices as well as remaining shortcomings. Where necessary, APRA has intervened to address instances of poor governance in individual entities. APRA has drawn on a suite of formal tools, such as additional capital overlays or licence conditions to ensure the issues and their underlying root causes are addressed. Nevertheless, there have been instances where stronger prudential standards may have prevented issues, or better enabled APRA to respond to governance shortcomings in a more timely and robust manner. This is most evident in cases where entities have been unwilling to recognise problems or claim they are complying with the letter of the relevant standard.
Governance practices have improved but there is more work to do
APRA’s judgement is that the overall quality of governance in regulated entities has improved since the Hayne Royal Commission. However, poor practices remain in some areas and regulated entities. Some key areas where APRA has observed weakness are the skills and capabilities of directors, narrow approaches to fitness and propriety, insufficient attention to board performance assessments, inadequate management of conflicts of interest, and problems stemming from overly long tenure.
Under its Supervision Risk and Intensity (SRI) framework, APRA rates key risks for all banks, insurers and RSE licensees. The chart below shows the distribution of APRA’s ratings for governance risk for Tier 1 and 2 entities (typically larger, more complex entities).
APRA’s supervisory governance risk ratings – February 2025
The chart above indicates that governance risk for around 68 per cent of regulated entities is rated as being within APRA’s risk appetite (either rated as minimal or acceptable risk), supporting the view that the sector is, in the main, well-governed. However, there are still areas of poor practice, which cause entities to shift into higher risk categories resulting in more intense supervision by APRA. Reflecting these remaining shortcomings, 32 per cent of entities are assessed as having governance risks which fall outside APRA’s risk appetite: around 24 per cent have moderate or material risks, with 8 per cent of entities rated as having significant risks.⁶
A note about APRA’s existing supervisory and enforcement tools
If APRA is concerned about the governance of a regulated entity, it may use a range of tools and powers to ensure compliance. For example, APRA may:
- share thematic insights from a cohort or industry and issue recommendations
- increase the entity’s risk rating, supervisory intensity and/or adjust capital requirements or licence conditions to require the entity to address the issue and any underlying causes
- pursue remedies under the FAR
- direct the entity to remove a director or apply to the court for a director’s disqualification.
Updating and clarifying APRA’s governance standards will provide a firmer basis for use of some of these tools.
Governance is an increasing focus for regulators and standard setters internationally
In developing the proposals in this paper, APRA engaged with overseas prudential regulators and considered developments in relevant international standards.
APRA found that overseas regulators are also placing greater emphasis on governance as a keystone of prudential regulation. Where governance practices are sound, prudential risks are more likely to be well managed. Some international regulators are taking a more interventionist approach to governance issues. Several have explicitly argued that the twin ‘cornerstones’ of an effective supervisory regime are the ability to take an active role in appointments, and a strong accountability regime (like Australia’s FAR) which holds those individuals responsible for risks and obligations.
Peer regulators also highlighted the importance of two other issues. The first is the value of independent verification and assessment of board and director performance. The second is the need for non-executive directors to be free from material conflicts, such as those arising from group associations.
Since APRA released its own prudential standards on governance, the Basel Committee on Banking Supervision (BCBS) and the International Association of Insurance Supervisors (IAIS) have updated their own guidance for supervisors. Some of the key governance changes include a stronger emphasis on the skills and capabilities of directors, the need for directors to devote sufficient time to their roles, the importance of robust processes for selection of directors and senior managers, and risk governance in financial institutions.
In general, APRA considers that the proposals in this paper would help to bring Australia’s prudential framework for governance more closely into line with relevant international standards and overseas practice. Reflecting the importance that they attach to effective governance, some overseas jurisdictions have gone further than Australia by giving their regulators a statutory power to approve or veto appointments to regulated entities. Pursuing a similar approach in Australia would require legislative change, which is beyond the scope of this review. However, APRA proposes in this paper that some entities (SFIs and non-SFIs subject to heightened supervision) should engage more closely with APRA in the appointment process and that entities should improve their succession planning and appointment processes.
Proposal 8 is the only proposal that is significantly more prescriptive than overseas frameworks and standards. This would introduce a 10-year limit on director tenure at an individual regulated entity for non-executive directors. The issue of long-tenured directors has persisted at a number of regulated entities, and this has prompted APRA to propose a hard limit. APRA is not aware of other jurisdictions with a similar hard limit, other than as criteria for the independence of directors. Overseas regulators have advised that excessive director tenure is uncommon, which they attribute to their powers to intervene in reappointments.
The governance review
It is time to update APRA’s core governance standards. Boards and senior managers of regulated entities are the primary guardians of financial services governance, but strengthening prudential requirements will set clearer expectations and better enable APRA to address unresolved governance shortcomings and to measure entity and sectoral progress over time. Chapter 2 sets out the rationale for each of the eight proposals in this paper.
Scope | Objectives | Desired outcome |
---|---|---|
SPS 510 Governance; CPS 520 Fit and Proper; SPS 520 Fit and Proper; SPS 521 Conflicts of Interest; associated prudential practice guides | Update minimum governance standards. Apply proportionality and reduce compliance burden where possible. Strengthen APRA’s capacity to address remaining areas of poor governance practice. | Stronger governance practices improve risk management and reduce potential for misconduct, loss and failure. |
Chapter 3 provides more information about consultation and timeline for the review.
Compliance costs and proportionality considerations
APRA acknowledges the challenges associated with regulatory change in a fast-changing environment. There will be some compliance costs associated with these proposals. For instance, some regulated entities will have to establish more robust requirements for assessing the skills and capabilities as well as the fitness and propriety of their directors. Others will have to undertake more intensive reviews of board and director performance. Some large RSE licensees have yet to establish a dedicated risk committee.
Compliance costs associated with these proposals are expected to fall on regulated entities that have the weakest governance practices. They should not be material for entities with mature governance frameworks that already meet APRA’s standards, guidance and supervisory expectations. APRA considers the benefits of stronger governance processes for prudential soundness outweigh the relatively small and concentrated costs involved in implementing more robust governance processes.
At the same time, this paper also proposes some measures that have the potential to reduce compliance costs and regulatory burden for regulated entities. These include proposals that seek to: reduce overlap between APRA’s fit and proper requirements and the FAR (Proposal 2); clarify the role of boards and which matters can be delegated to board committees and senior management (Proposal 6); and provide increased flexibility on board committees for non-SFI banks and insurers (Proposal 7).
APRA also recognises that regulated entities may have to change the composition of their boards to meet proposed requirements on independence (Proposal 4) and tenure (Proposal 8). APRA is aware there are a range of views about the supply of capable directors. Some argue that it can be difficult to recruit directors for regulated entities given the potential liability and compliance obligations. For smaller entities, there can sometimes be additional challenges in recruiting directors with the necessary skills and capabilities. However, APRA has also heard contrary arguments that there are well-qualified directors available and willing to serve on boards.
APRA seeks feedback on the compliance implications of these proposals, including entities’ capacity to recruit appropriately skilled and qualified directors. APRA recognises that transitional arrangements will be necessary for some entities to comply with new requirements. APRA welcomes feedback on specific areas where non-SFIs may require more time than SFIs to facilitate smooth implementation.
In recent years, APRA has incorporated proportionality more explicitly into its prudential framework. While APRA has some minimum expectations in relation to governance, regulated entities are still able to comply with these proposals in a manner that is commensurate with, and appropriate to, the size and complexity of their business. For instance, APRA expects all regulated entities to have a risk management framework. Compliance with this requirement will naturally be more onerous and resource-intensive for a large, listed entity than for a small mutually owned entity. In some cases, APRA has gone further, by setting simpler requirements for smaller and less complex entities that are not SFIs. For example, APRA incorporated simpler requirements for non-SFIs in standards on remuneration and bank capital and has stated that it will use the SFI distinction to embed proportionality more broadly as it reviews and updates other standards.
Five of the proposals in this paper apply to both SFIs and non-SFIs. This is because they are focused on ensuring good governance standards for all, although their implications will depend on the size and complexity of an entity’s business model. Three of the proposals (Proposals 2, 5 and 7) involve lesser requirements for non-SFIs. While APRA has observed that some shortcomings in governance practices may be more prevalent among smaller entities, it considers that these can be addressed without imposing all the requirements that would apply to SFIs.
Chapter 2: Proposals
This chapter sets out APRA’s proposals to update its governance requirements. These are informed by APRA’s supervisory experience and international and domestic standard setters.
Proposal 1 – Skills and capabilities
Require regulated entities to:
- identify and document the skills and capabilities necessary for the board overall, and for each individual director
- evaluate existing skills and capabilities of boards and individual directors
- take active steps to address gaps through professional development, succession planning and appointments.
Current requirements
Prudential standards CPS 510 and SPS 510 require boards collectively to have the necessary skills, knowledge and experience to manage regulated entities appropriately. Each director must have ‘skills that allow them to make an effective contribution to board deliberations and processes.’ Boards are required to evaluate their collective performance on an annual basis. There is no explicit requirement to set minimum requirements for individual directors or to respond to any shortcomings.
Problem statement
Regulated entities have substantial discretion as to how they define their skill and capability needs, and how to assess the extent to which their boards and directors satisfy these requirements. As a result, APRA has observed wide variation in the effectiveness of these processes. While many entities adopt a robust forward-looking approach and take care to ensure their boards have the necessary skills and capabilities to support their strategy, others adopt more cursory processes and fail to address gaps. Shortcomings APRA observes include:
- adopting a vague or a narrow view of necessary skills and capabilities, including a failure to specify expected experience, qualifications or behavioural capabilities – and failing to consider how these can be measured
- failure to specify minimum skills and capabilities that individual directors need to fulfil their role
- not verifying skills or capabilities, often relying heavily on self-assessments
- failure to take steps to address gaps and weaknesses through professional development and succession planning.
These kinds of deficiencies tend to be most prevalent among small banks and in parts of the superannuation sector. For example, a 2021 cohort-based thematic review of mutual banks found that almost 50 per cent of boards had no directors or only one director with contemporary industry experience. Some RSE licensees have boards that are deficient against their own skills matrices, for example not having directors adequately skilled in key areas such as investment and risk management. However, APRA notes such issues are present in all industry cohorts.
Ongoing failure to address skill and capability needs will result in boards that are inadequately prepared to deliver on their organisational strategy or to anticipate and address challenges that arise.
Addressing the problem
APRA proposes to require all regulated entities to, on an ongoing basis, identify and document the skills, capabilities and behavioural attributes that the board needs to deliver its organisational strategy and perform its role. These attributes should be clearly defined and documented in a skills matrix. They should include specific expectations for the chair, chairs of board committees and other individual directors. Skills should be measurable and verifiable, and behavioural attributes should be observable. The targeted skills, capabilities and minimum criteria should be proportionate to an entity’s business needs, size and complexity.
Second, APRA proposes to require regulated entities to evaluate the skills and capabilities their boards already have and be able to demonstrate to APRA that they are taking active steps to remedy gaps through professional development, succession planning and new appointments. In considering nominees to the board, APRA expects entities to consider existing skills gaps so that each new appointment makes progress towards addressing them.
This proposal is intended to raise minimum standards for directors and boards across the financial system, irrespective of the nominations process or board structure. Requisite skills should be considered by those making the nomination. It should not impact entities that already adopt proactive and forward-looking approaches to board capability. Listed entities are already subject to similar expectations under the ASX Corporate Governance Principles and Recommendations.
These changes would also better allow APRA to hold regulated entities to account for the calibre and development of their boards.
To be clear, this proposal, as well as Proposal 2 below, would not involve any changes to the equal representation model under which employer and employee groups have the right to nominate directors to some RSE licensee boards. The focus of the proposals is on ensuring that directors of these entities have the necessary skills, capabilities and character – regardless of how they are nominated, the ownership model or board composition requirements in legislation.
Links with other proposals
Proposals 1 and 2 overlap and reinforce one another. A regulated entity’s fit and proper regime (Proposal 2) should set and assess a baseline of acceptable behaviour, character and qualifications to be on a financial services board or in other responsible person roles (effectively, being fit and proper is the ‘ticket to play’ as an industry leader). Proposal 1 should inform regulated entities’ assessment of whether a fit and proper individual is the right fit for their board. Specifically, entities would need to identify for their own board the specific skills and capabilities mix needed to deliver their organisational strategy – and act to achieve it. Lack of skill and capability should inform ongoing fit and proper assessments and therefore a director's prospects for reappointment. It should also flow through into board renewal and succession planning (Proposal 8). Triennial reviews of SFI board and director performance (Proposal 5) will verify progress on skills and capabilities, and make recommendations as needed.
Proposal 2 – Fitness and propriety
Require regulated entities to meet higher minimum requirements to ensure fitness and propriety of their responsible persons.
Require SFIs, and non-SFIs under heightened supervision, to engage proactively with APRA on potential appointments.
Current requirements
Fit and proper policies are a key part of a regulated entity’s risk management framework.
Regulated entities must prudently manage the risks that responsible persons who are not fit and proper pose to their business and financial standing. Entities must have policies and procedures for determining the fitness and propriety of responsible persons, including directors, senior managers and certain other individuals prescribed by industry legislation, including auditors and actuaries.
The definition of fitness and propriety encompasses a person’s core skills, experience and knowledge as well as their honesty and integrity. Conflicts are to be considered as part of the assessment, although there is no reference to potential or perceived conflicts. While APRA guidance lists matters that should be considered by a regulated entity in considering the fitness and propriety of a responsible person, it is generally left up to the entity to decide.
Fitness and propriety must, except in very limited circumstances, be assessed prior to initial appointment and reassessed at least annually. Regulated entities are obliged to conduct a full reassessment of a responsible person’s fitness and propriety if concerns emerge, but are not obliged to notify APRA unless they determine that person is not fit and proper. Where an individual is assessed as not fit and proper, the entity must take all reasonable steps to ensure that they are not appointed to, or do not continue to hold, a responsible person position. Entity policies must specify actions to be taken in those instances.
There is no requirement in the relevant prudential standards for regulated entities to consider important matters such as time capacity to fulfil the role, all criminal offences⁷ or reputational risk.
Problem statement
APRA has observed substantial variation in how regulated entities conduct fitness and propriety assessments. Poor practice is typically characterised by a narrowly defined process that fails to generate meaningful outcomes. For instance, APRA observes weaknesses such as:
- entities being focused on process compliance rather than outcomes
- taking a narrow view of what constitutes fitness and propriety⁸
- inadequate consideration of a person’s fitness (skills, capabilities, experience and knowledge)
- little consideration of the capacity of directors to balance multiple roles and professional obligations
- limited verification, with excessive reliance on self-assessments and other ‘light touch’ checks
- treating annual reviews of incumbent responsible persons as cursory exercises, rather than part of an enduring obligation to ensure the ongoing fitness and propriety of responsible persons.
On occasion, regulated entities have been unwilling to initiate a reassessment of a responsible person’s fitness and propriety where concerns emerge, even where they created reputational or prudential risk to the entity. There have also been instances where entities have been reluctant to engage with APRA where APRA has held concerns about the fitness and propriety of potential appointees.
Addressing the problem
APRA proposes to strengthen baseline expectations for fitness and propriety by:
- reinforcing entities’ responsibility for outcomes, as well as following a robust process set out in their fit and proper policy
- being more specific about what fit and proper means, and the need to verify conclusions. APRA proposes to incorporate existing guidance and additional matters into the standard for consideration, such as:
  - actual, potential and perceived conflicts of interest and duties
  - criminal and conduct records, for example contraventions arising out of civil, criminal or regulatory matters that may give rise to concerns
  - character or regulatory references to evaluate performance in other roles, including the financial and reputational performance of previous organisations
  - the ability to commit sufficient time to their role, including consideration of specific roles on other boards, for example chair or committee chair
  - reputational risk.
- clarifying triggers for a fit and proper reassessment, for example:
  - there are grounds to believe that an individual is not meeting their obligations under FAR, or otherwise not meeting minimum fitness or performance expectations
  - material misconduct or behaviour inconsistent with an entity’s code of conduct
  - adverse findings in criminal, civil or professional proceedings
  - changes in personal circumstances posing potential reputational risk.
- requiring regulated entities to notify APRA when concerns arise that may reasonably impact a person’s fitness and propriety, even before a determination has been reached.
As set out in Chapter 1, several overseas jurisdictions can approve or veto appointments to prudentially regulated entities.⁹ While APRA does not have formal approval or veto powers, APRA seeks to heighten its oversight of, and entity focus on, the suitability of individuals in responsible person roles.
The FAR requires regulated entities to take reasonable steps to deal with APRA in an ‘open, constructive and cooperative way’. Consistent with this obligation, and to enable APRA to form a view of potential and incumbent responsible persons, APRA proposes to:
- enable APRA to require an entity-led reassessment if concerns about a responsible person or candidate are not addressed by the entity in a timely manner. For example, a reassessment may be prompted in response to material regulatory findings (e.g. via prudential review) or performance assessment (e.g. via board performance review)
- require that SFIs, and non-SFIs subject to heightened supervision, keep APRA informed of succession plans and nominations prior to appointment or public announcement
- in prudential practice guidance, note that APRA may request an interview with any candidates for responsible person roles, prior to appointment or reappointment. This is on an exceptions basis, where further information is needed to allay any concerns it may have.
Where APRA is not satisfied with a regulated entity's proposed or incumbent responsible person(s) or board performance, APRA will share its views with the regulated entity. If the entity does not act to address concerns, this will inform the intensity of APRA supervision. APRA may also trigger a reassessment of an individual’s fitness and propriety if they are already in a responsible person role (Proposal 2) or use its other supervisory or enforcement powers to address outstanding risk to the regulated entity.
In strengthening their fitness and propriety regimes, APRA also expects regulated entities’ written agreements with their accountable persons will adhere to both fit and proper criteria and the FAR.
Links with other proposals
This proposal complements Proposal 1 (skills and capabilities) as minimum director skills will overlap with broader fit and proper criteria. This proposal also relates to Proposal 3 (conflicts management). APRA seeks to ensure that all entities integrate forward-looking skills assessments with their fit and proper processes. APRA’s approach to conflicts aims to minimise structural conflicts by ensuring that they are routinely identified and addressed.
Links with FAR
There is some overlap between the reporting obligations that apply to regulated entities under APRA’s fitness and propriety requirements and statutory requirements under the FAR. The FAR has commenced for banks and commences on 15 March 2025 for insurers and RSE licensees. To reduce reporting obligations, APRA will examine whether it can align role definitions and rely on reports it receives under the FAR rather than requiring two sets of reports (although this will not apply to categories of responsible persons who are not accountable persons under the FAR).
Proposal 3 – Conflicts management
Extend current RSE licensee conflict management requirements to banks and insurers so they are also required to:
- proactively identify actual and potential conflicts of interest and duty
- avoid or prudently manage conflicts
- take remedial action when conflicts are not disclosed or managed properly.
Require regulated entities to consider perceived conflicts, in addition to actual and potential conflicts.
Current requirements
To be considered fit and proper, responsible persons of banks, insurers and RSE licensees must either have no conflict of interest in performing their duties or, if the person has a conflict, it would be prudent for a regulated entity to conclude that the conflict will not create a material risk that the person will fail to perform their duties properly.
More broadly, banks and insurers have different conflict management prudential obligations to RSE licensees. The risk management standard CPS 220 requires bank and insurer risk management policies and procedures to include a process for identifying, monitoring and managing potential and actual conflicts of interest.
RSE licensees are subject to a separate standard on conflicts of interest (SPS 521), which is more detailed and applies for the purposes of section 52(2)(d)(iv) of the SIS Act. The standard requires RSE licensees to:
- have a conflicts management framework to identify, assess, mitigate, manage and monitor all conflicts
- develop, implement and review a conflicts management policy that is approved by the board
- identify all relevant duties and relevant interests
- develop registers of relevant duties and relevant interests and make them public.
The associated guidance (SPG 521) provides more insights about avoiding and managing conflicts.
Across all three industries, there are no requirements in the standards covering perceived conflicts, nor is there any explicit obligation to have regard to reputational risk.
Problem statement
APRA’s current requirements are inconsistent across its regulated industries. APRA has observed some weakness in entities’ identification and treatment of conflicts across the regulated population. The most common challenges relate to personal financial dealings of responsible persons, directors performing multiple roles within a group, relationships with suppliers, and personal affiliations.
Across regulated industries, there have been instances of inadequate identification of conflicts with service providers and responsible persons’ group affiliations. Some entities do not have adequate processes for identifying and managing director conflicts on a continuous basis, other than through declarations at board meetings. There have also been instances where directors and senior managers have held roles or had relationships, either directly or through family relationships, with service providers, and these conflicts were not appropriately addressed.
Contemporary good practice generally involves officers and directors identifying actual, potential and perceived conflicts of interest; disclosing these conflicts to the board and other stakeholders; actively managing conflicts including through recusal from decisions and structural changes where necessary; and documenting and sharing information as appropriate.
Addressing the problem
To address the issue of differing conflict management requirements across sectors, APRA proposes to create a single cross-industry set of requirements. This would include requirements that currently apply only to RSE licensees (e.g. having a conflicts management policy, and the public disclosure of registers of duties and interests). It is proposed that all regulated entities would be subject to these requirements. However, APRA seeks feedback on whether banks and insurers should be required to maintain and disclose registers of duties and interests and what the effect of this would be.
APRA also proposes to strengthen the requirements that are currently in SPS 521 by incorporating some material that is currently in the guidance into obligations, which would apply to all regulated industries. This includes the guidance that, as well as actual conflicts, potential or perceived conflicts and conflicts that affect the reputation of the business should be actively managed. This will ensure entities, and if necessary, APRA, can respond more effectively to instances of poor conflict management.
APRA will also use this as an opportunity to streamline certain requirements which currently apply to RSE licensees under SPS 521. For example, the standard requires an annual and triennial review of a fund’s conflicts management framework. For SFIs, the annual conflicts framework review may be integrated into the triennial board review outlined in Proposal 5.
Links with other proposals
This proposal is connected to Proposal 2 (fitness and propriety) where APRA expects that consideration of an actual, potential or perceived conflict will be a component of the fit and proper assessment. APRA is also proposing that review of the conflicts management framework should be incorporated into the triennial board review (Proposal 5). Finally, Proposal 4 seeks to reinforce the expectation that independent directors can exercise truly independent judgement.
Proposal 4 – Independence
Note: This proposal relates to banking and insurance entities only. The definition of independence for RSE licensees is prescribed by legislation and would not be affected by this proposal.
Strengthen independence on regulated entity boards by:
- requiring that at least two of their independent directors (including the chair) are not members of any other board within the entity’s group
- making minor amendments to the independence criteria, including extending the prohibition on directors who are substantial shareholders in a regulated entity or group from being considered independent, to include material holdings of any type of security
- extending the current requirement for bank and insurer boards to have a majority of independent directors to include boards of entities with a parent that is regulated by APRA or an overseas equivalent.
Current requirements
APRA prudential standard CPS 510 requires boards of banks and insurers to have an independent chair and a majority of independent directors. An independent director is currently defined as:
‘a non-executive director who is free from any business or other association — including those arising out of a substantial shareholding, involvement in past management or as a supplier, customer or adviser — that could materially interfere with the exercise of their independent judgement.’
CPS 510 allows the independent directors on the board of the parent company or its other subsidiaries to sit as independent directors on the board of the regulated entity.
The standard also prohibits directors who are substantial shareholders in a regulated entity or group from being considered independent.
While APRA-regulated boards in banking and insurance must generally have a majority of independent directors, locally incorporated entities that are subsidiaries of a prudentially regulated parent have slightly different requirements. The boards of these subsidiaries must have a majority of non-executive directors, but they do not all need to be independent. CPS 510 requires three independent directors (including the chair) on a board of up to seven directors, and four (including the chair) on larger boards.
Problem statement
Intra-group conflicts
As noted in relation to Proposal 3 (conflicts management), APRA has observed instances of poor conflict management where entities do not fully consider potential or actual intra-group conflicts, particularly in the context of board members. APRA has seen instances where directors considered to be independent under the current prudential standard have shown a lack of independent judgment by failing to prioritise the best interests of an APRA-regulated entity over other group entities.
APRA’s observation is that the current prudential standard does not take sufficient account of the potential for conflict between the interests of different group entities. The extent of these conflicts varies across groups. At one end of the spectrum, there are groups where interests are well aligned. In these cases, independent directors can serve on multiple boards and not encounter significant conflicts. At the other end, there are groups where interests are not well aligned. In these groups there is much higher potential for conflict between the interests of the regulated entity and other group entities. Particularly where conflicts of interest between parent and subsidiary exist, APRA has intervened to require entities to address these conflicts by restructuring boards, taking specific actions to address conflicts, and appointing additional independent directors. In some instances, APRA has imposed capital overlays to encourage these governance concerns to be addressed.
Other conflicts
While CPS 510 prohibits directors who are substantial shareholders in a regulated entity or group from being considered independent, it does not acknowledge that holding other types of securities may create similar conflicts which may interfere with a director’s judgement.
Inconsistent requirements for board composition
CPS 510 sets inconsistent requirements for bank and insurer entity boards. While there were concerns about available directors for subsidiaries with APRA-regulated parents or overseas equivalents more than a decade ago, there is limited evidence to support different treatment now.
Addressing the problem
A proposed revised definition of independence is provided below. APRA welcomes feedback on this definition:
‘a non-executive director who is not an employee of the entity, or the group to which it belongs, and who is free from any business or personal relationship that interferes, or could reasonably be perceived to interfere, with their exercise of objective judgement or acting in the interests of the regulated entity.’
Intra-group conflicts
There are several ways APRA could address this issue in its prudential standards. All options involve trade-offs between supervisory efficiency, entities’ ease of application, risk mitigation and industry disruption. They range from removing the current clause which allows directors to sit on multiple boards and retain their independent status, through to mandating that independent directors on the board of a regulated entity cannot sit on other boards within the group.¹⁰ The former would involve considerable review and judgement by entities, in consultation with APRA, to determine which directors are independent. The latter would cause considerable disruption and director turnover, even where entity and group interests are highly aligned.
To strike a pragmatic balance between these objectives, APRA proposes to mandate that on each regulated entity board, at least two of the independent directors (including the chair) must not be directors on any other board within the relevant group.
Irrespective of which option is ultimately chosen, APRA expects regulated entities to effectively manage intra-group conflicts for every member of their board.
Other conflicts
APRA also proposes to update the criteria currently in Attachment A of CPS 510 to ensure that substantial holders of any security issued by the regulated entity or the group to which it belongs cannot be considered independent. The original intent remains the same - to prevent material financial conflicts. The amendment would simply acknowledge that substantial debt holders, for example, may be subject to the same influence as substantial equity holders.
Consistent requirements for board composition
APRA proposes to extend the requirement for bank and insurer boards to have a majority of independent directors, to also apply to subsidiaries of parents regulated by APRA or overseas equivalent. APRA is conscious that the proposed changes may require recruitment of additional independent directors, and a reasonable transition period. Any final requirements that would require changes to board composition would embed suitable transitional arrangements for affected banks and insurers.
Proposal 5 – Board performance review
Require SFIs to commission a qualified independent third-party performance assessment at least every three years which covers the board, committees and individual directors.
Current requirements
APRA standards require boards of all regulated entities to have procedures for assessing board and individual director performance at least annually. APRA’s guidance for the boards of health insurers and RSE licensees (HPG 510 and SPG 510) sets the expectation that the assessment of board performance should be undertaken by an external party at least every three years.
Problem statement
APRA’s supervisory experience is that board performance assessments vary substantially in scope and depth. Some reviews are thorough and forward-looking, while others lack rigour and credibility. Some entities commission external board reviews, although these can still fall short of expectations. APRA reviews of performance assessments have identified three key areas where reviews have scope to improve:
- they focus on the collective board and do not capture committee and individual director performance
- they are not informed by robust evidence, instead relying solely on self-assessments or peer input
- chairs fail to take a leadership role, either in the assessment process or in ensuring that emerging recommendations are addressed.
The ASX Corporate Governance Principles and Recommendations for listed entities support the principle that performance assessments should cover individual directors and committees, stating that listed entities should ‘have and disclose a process for periodically evaluating the performance of the board, its committees, and individual directors.’ The principles also encourage considering periodic use of external facilitators. The Australian Institute of Company Directors (AICD) has similarly recognised the value of internal and external board evaluations.
Addressing the problem
To address these problems, and to take a proportionate response, APRA proposes to require SFIs to:
- commission external independent performance assessments of boards, committees and individual directors by credible and appropriately qualified experts every three years
- have their chair take a leading and accountable role for the satisfactory completion of performance assessments and for ensuring that recommendations are addressed appropriately
- submit the independent triennial report to APRA.
Given the anticipated rigour of the triennial review, APRA expects to narrow the scope of annual performance assessments for SFIs (to focus on progress on recommendations from the independent assessment).
APRA recognises that commissioning an external board assessment may be disproportionately costly for smaller entities and has stopped short of mandating this exercise for non-SFIs. However, APRA still expects non-SFIs to improve the overall quality and rigour of their annual performance reviews. Non-SFI chairs are also expected to take active leadership of the process and resulting programme. This will be reflected in guidance.
APRA proposes SFI triennial external reviews would cover, at minimum:
- board, committees and individual director performance
- engagement between directors and senior management
- the chair’s effectiveness
- board and committee workloads and meeting cadence
- quality of reporting to enable risk-based decision-making and oversight
- conflicts management
- strategic alignment of the skills matrix and gap analysis against current state
- effectiveness of overall decision-making.
The independent assessment should recommend tangible actions that will assist the board and its committees to be more effective. Findings should feed into renewal and succession planning, skills matrices and, where relevant, fit and proper assessments. Boards of SFIs must be able to demonstrate to supervisors how they are acting upon the recommendations of external reviews.
Proposal 6 – Role clarity
Define APRA’s core expectations of the board, the chair and senior management.
Provide additional guidance on which APRA requirements may be delegated to board committees and senior management.
Current requirements
APRA standards include a short, high-level definition of the role of the board of a regulated entity (‘the board is ultimately responsible for the sound and prudent management of the institution’). They include even less on expectations concerning the role of the chair. Detailed guidance on what boards should do is limited to the roles and responsibilities of board audit, risk and remuneration committees. This contrasts with other relevant standard setters, including the BCBS, the IAIS and the ASX Corporate Governance Council, which each provide guidance in their principles on the role of the board.
CPS 510 gives authority to the board of a regulated entity to delegate responsibilities to senior management. Delegations must be in writing and boards must have systems in place to monitor the exercise of delegated authority. Boards remain ultimately responsible for matters delegated to management.
Problem statement
APRA has observed a tendency for some board agendas to be overweight on operational matters, sometimes at the expense of strategic issues. An APRA governance thematic review found that many boards were spending less than 30 per cent of their time on forward-looking strategy and risk oversight.
APRA’s current prudential requirements and guidance relating to boards have emerged over many years. The prudential standards currently set around 150 requirements for a typical entity board. Of these requirements, about 25 per cent relate to reports to the board. A further 25 per cent require the board to review or approve specific matters. The remainder assign responsibility to boards for oversight or management of specific prudential obligations. APRA has received feedback that it would help entities if prudential standards and guidance were clearer about the core responsibilities of the board, and what can be delegated to board committees or senior management.
The final report of the prudential inquiry into the CBA emphasised the importance of boards holding management to account, and management providing the board and committees with sufficient and succinct information to make effective decisions.
The prudential inquiry into the CBA also emphasised the crucial contribution of board chairs to effective governance. APRA has observed poor outcomes at some regulated entities where chairs have failed to provide adequate leadership and oversight of board functions. These include lack of challenge to management, groupthink, a failure to include relevant stakeholders in deliberations and insufficient attention to board performance and renewal.
Addressing the problem
To address these problems, APRA proposes to amend its prudential standards to include a clear articulation of the primary roles of the board, the chair and senior management. While APRA appreciates that most APRA-regulated boards understand their responsibilities, the purpose of the proposal is to be clear on APRA’s expectations, and to facilitate better delegation to board committees and management. This should empower boards to spend more time on forward-looking strategy, risk and oversight.
Responsibilities APRA considers to be central to the board include:
- articulating the purpose and values of the entity, and desired culture
- overseeing development, approval and execution of the entity’s strategy, objectives and risk appetite
- overseeing the effectiveness of governance and risk management frameworks
- providing leadership and constructive challenge to senior management.
APRA also proposes to identify the core responsibilities of the chair in prudential standards. APRA expects that this would include responsibility for culture, board performance and fit and proper assessments.
In relation to the role of senior management, APRA proposes an outcomes-focused definition that supports the execution of the regulated entity’s activities in line with the board-approved strategy, risk appetite, culture and values, and ensures senior management deals with the board in a clear, timely and transparent manner. Senior management should be responsible for briefing the board effectively, with succinct and relevant information to support decision making, rather than briefing with a view to satisfying compliance requirements.
While CPS 510 and SPS 510 already allow boards to delegate certain functions to senior management and board committees, APRA is seeking feedback on more specific examples of processes and policies APRA has assigned to the board that would be appropriate for delegation to committees or senior management.
APRA will also commit, as it revises other prudential standards, to review existing requirements placed on boards to ensure that they remain appropriate.
Links with other proposals
As the board is responsible for overall governance, oversight and strategic direction, this proposal overlaps with all the other proposals. The proposal to clarify the key role of board chairs in prudential standards overlaps with Proposal 2 (fitness and propriety) and Proposal 5 (board performance review), under which chairs would have explicit responsibility for the assessment process and for ensuring that recommendations are addressed and fed into succession planning.
Proposal 7 – Board committees
Extend the current requirement for bank and insurer boards to have separate risk and audit committees, to apply to SFI RSE licensees as well. Repeal this requirement for non-SFI banks and insurers, allowing flexibility for smaller entities.
Mandate that only full board members can be voting members of APRA-required board committees.
Current requirements
APRA currently requires banking and insurance boards to maintain separate risk and audit committees. RSE licensee boards are only required to have an audit committee, whose responsibilities include risk. There is no requirement for a separate risk committee.
For all industries, there are no provisions that prevent non-board members of board committees, such as external advisers, from voting on committee matters.
Problem statement
APRA requires banks and insurers to establish separate audit and risk committees to help ensure that adequate time, focus, skill and experience are allocated to matters in line with three lines of defence principles. Consistent with contemporary good practice, most large RSE licensees have already established separate risk committees. In some instances where there is no separate risk committee, APRA has observed weaker risk oversight and risk capability.
APRA has observed the practice of external experts joining board committees of RSE licensees. These individuals can have specialist skills that are lacking among board members. APRA is not opposed to external advisers attending and advising committees. However, APRA considers that external advisers should not be full voting members, and they should not be relied upon to resolve critical board skills gaps.11
Addressing the problem
While having separate risk and audit committees is better practice, APRA recognises that this may create additional cost and complexity for smaller entities (non-SFIs). APRA therefore proposes to remove the current requirement for all banks and insurers to separate these committees.
For SFIs, APRA proposes to extend the requirement for separate committees to RSE licensees that are classified as SFIs. The aim is to sharpen the focus of large and systemically important RSE licensees on risk governance and underpin the effectiveness of the three lines of defence.
APRA also proposes to specify that only full board members can be voting members of APRA-mandated committees. This reflects APRA’s view that boards should address gaps in skills and capabilities through appropriate director appointments, succession planning and training. Advisers may continue to attend committee meetings to provide expert advice and complement director experience. Restricting voting to full board members is intended to ensure clear board accountability.
Links with other proposals
This proposal links to Proposal 1 (skills and capabilities) and Proposal 5 (board performance review).
Proposal 8 – Director tenure and board renewal
Impose a lifetime default tenure limit of 10 years for non-executive directors at a regulated entity.
Require regulated entities to establish a robust, forward-looking process for board renewal.
Current requirements
APRA standards require boards to have a formal policy on board renewal. These policies must consider whether directors have served for a period that could, or be perceived to, materially interfere with their ability to act in the best interests of the regulated entity. Requirements for RSE licensees are more prescriptive, with SPS 510 mandating that policies must state maximum tenure limits. The associated guidance states that APRA expects there are limited circumstances in which tenure limits beyond 12 years would be appropriate.
Problem statement
Appropriate limits on director tenure are an important part of good governance. Well managed turnover of directors facilitates stability, continuity and expertise – while also promoting fresh ideas and renewal. Overly long tenure is likely to erode a director’s capacity to exercise impartial judgement and to challenge management effectively. It can limit openness to new ideas and different approaches and be a barrier to an unvarnished assessment of an entity’s culture.
An APRA governance thematic review of ADI mutuals found that while many directors agree that long tenure can erode their ability to challenge management, some boards find it difficult to address these concerns effectively. Entities continue to convey to APRA that it can be difficult for chairs and directors to challenge colleagues on this issue.
Over the years APRA has invested considerable effort to address instances of overly long tenure in certain cohorts where this has been a widespread issue. While some progress has been made, APRA assesses that there remain almost 200 directors with tenure greater than 10 years, including almost 150 directors with tenure greater than 12 years. This does not account for instances in which a merger has effectively ‘reset the clock’ for director tenure. Around 30 directors have tenures over 20 years. To put this data in context, APRA estimates there are around 1,500 non-executive directors across all APRA-regulated entities.
Approaches to board renewal are varied. While entities generally comply with the requirement to have a formal renewal policy, APRA has observed several weaknesses. These include lack of specificity about appointment processes, limited connection to board skills matrices, and a lack of early and effective succession planning.
Addressing the problem
APRA proposes to introduce a 10-year lifetime tenure limit on a regulated entity board for non-executive directors, with the possibility of an extension at APRA’s discretion. This includes where an entity has undergone a merger. The purpose of this proposal is to establish a consistent and appropriate baseline in the prudential framework to which all regulated entities will be held.
APRA acknowledges there are genuine trade-offs associated with this proposal. Many directors of long tenure are highly experienced and make a strong contribution throughout their directorships. For this reason, APRA proposes to reserve the right to make case-by-case exceptions upon entity application. This would allow APRA to grant a two-year extension in limited and exceptional circumstances. This approach seeks to strike a balance, recognising both the benefits and risks associated with long tenure.
Introduction of a 10-year tenure limit is consistent with contemporary governance benchmarks and the relevant literature, which suggest that independent non-executive directors should ideally serve for a maximum period of between nine and 12 years. Overseas prudential regulators have not set hard limits on non-executive director tenure, although several have issued guidance to indicate that director independence may be affected after 10 years on a board. APRA recognises that introducing a firm time limit would make Australia’s framework more prescriptive. However, APRA considers this is justified because, unlike some regulators, it lacks formal power to address tenure through the reappointment process, and excessive tenure remains an issue despite considerable supervisory suasion.
In implementing this proposal, APRA will be mindful of the need to provide regulated entities with sufficient time to implement the new requirements. APRA would welcome feedback from industry on the type of transitional arrangements that may be necessary.
With respect to board renewal, APRA proposes to extend the current prudential requirements to explicitly require:
- consideration of the full cycle from nomination and appointments through to succession planning
- detail on director nominations, appointment process, length of term and maximum number of terms
- how results of board and director performance assessments will feed into succession planning and renewal.
These changes are intended to drive renewal of regulated entity boards, and ensure those processes are integrated with other relevant considerations such as skills and tenure. In supervising these new requirements, it is anticipated that APRA will focus on outcomes. As such, an entity can either maintain a separate renewal policy, integrate renewal into its fit and proper policy or adopt another process that the entity deems appropriate.
Chapter 3: Consultation
In the three months following release of this discussion paper, APRA is seeking feedback from banks, insurers and RSE licensees, experienced company directors, industry, consumer and other associations, and other interested stakeholders. APRA is particularly interested in feedback on the potential costs and benefits of its proposals, opportunities to simplify and streamline the proposals without compromising their objectives, considerations for implementation, and proportionality.
Governance review timeline
Request for submissions
APRA invites written submissions in response to this discussion paper. Submissions are welcome to address any aspect of the discussion paper. Stakeholders are also invited to provide views on the proposals and accompanying questions. They should be sent to PolicyDevelopment@apra.gov.au by 6 June 2025 and addressed to:
General Manager
Policy Development
Policy and Advice Division
Australian Prudential Regulation Authority
During the consultation period, APRA expects to hold roundtable discussions with industry and other stakeholders to explore the issues and options identified by this paper and their anticipated impacts. This engagement will inform draft revisions to governance requirements, consultation on which is expected to occur in H1 2026.
Important disclosure information
All information in submissions will be made available to the public on the APRA website unless a respondent expressly requests that all or part of the submission is to remain in confidence. Automatically generated confidentiality statements in emails do not suffice for this purpose.
Respondents who would like part of their submission to remain in confidence should provide this information marked as confidential in a separate attachment.
Submissions may be the subject of a request for access made under the Freedom of Information Act 1982 (FOIA). APRA will determine such requests, if any, in accordance with the provisions of the FOIA. Information in the submission about any APRA-regulated entity that is not in the public domain and that is identified as confidential will be protected by section 56 of the Australian Prudential Regulation Authority Act 1998 and will therefore be exempt from production under the FOIA.
Discussion paper questions
Impact | Will the proposed changes achieve their goal of strengthening governance? What is the anticipated impact of the proposed changes (costs and benefits)? |
---|---|
Regulatory burden | Are there specific opportunities to simplify, reduce or optimise requirements without diluting policy intent? |
Transition | What would assist a smooth transition to meet updated requirements? |
Proportionality | Some proposals are at the heart of good governance and should apply to all regulated entities. Others may be able to be explicitly modified to make it simpler for smaller and less complex entities. In all instances, APRA expects entities to comply in a way that is appropriate for their business size or complexity. APRA sees merit in differentiating requirements in the following areas and welcomes views on where this is appropriate. |
Board delegation | What responsibilities created by APRA standards do entity boards currently delegate to senior management or board committees? Which responsibilities might entity boards consider appropriate to delegate, with APRA’s explicit support? |
Reducing overlap | How might fit and proper reporting for responsible persons be streamlined, given the introduction of accountable persons reporting under the FAR? |
Footnotes
1 For the superannuation industry, independence is defined in the SIS Act. APRA’s review does not contemplate changes to primary legislation. Its focus is on amendments to APRA’s own prudential standards.
2 Figure based on average regulated bank board, APRA, Information Paper – Authorised Deposit-taking Institutions: guide for directors (November 2022).
3 As defined in Prudential Standard CPS 001 Defined terms for banks and insurers. For RSE licensees, SFIs are defined in each prudential standard that uses the SFI concept. In this paper, for superannuation, an SFI is an RSE licensee that has total assets > $30 billion, or which APRA has otherwise determined to be an SFI, having regard to matters such as complexity in operations or group membership.
4 APRA’s standards for fitness and propriety (CPS 520 and SPS 520) require that individuals responsible for the oversight and management of these entities have the right skills, experience and knowledge, and act with honesty and integrity. The conflicts of interest standard for superannuation (SPS 521) also requires RSE licensees to identify, avoid and manage conflicts of interest or duty.
5 Responsible person is defined under relevant prudential standards for each industry. It applies to a similar but broader cohort under APRA’s fit and proper regime. Accountable person is a defined term under s. 8 of the FAR Act.
6 APRA’s approach to supervisory risk rating is detailed in APRA’s Supervision Risk and Intensity Model Guide. Note that for Tier 1 and Tier 2 entities, APRA undertakes a specific assessment of Governance. For Tier 3 entities, APRA undertakes an aggregate assessment of Governance, Risk Culture, Remuneration and Accountability (GCRA), and for Tier 4 entities, it is incorporated into a broader assessment of governance and risk management. The above chart highlights the assessment for Tiers 1 and 2.
7 Under the relevant industry legislation, individuals who have committed offences of dishonesty are not eligible to be responsible persons. This represents a subset of all criminal offences.
8 For example, an entity may only consider criminal matters but not give due consideration to civil or regulatory proceedings.
9 In the Republic of Ireland, Singapore, and the United Kingdom, regulated entities must obtain prior approval from the prudential regulator before making key appointments. Similar arrangements are being consulted on in New Zealand.
10 Page 39 of CPS 510: ‘For the purposes of meeting the requirements in paragraph 38, the independent directors on the Board of the parent company or its other subsidiaries may also sit as independent directors on the Board of the institution.’
11 Boards should also have enough expertise to scrutinise an external adviser’s advice, including the consideration of any conflicts of interest the adviser may have.
Disclaimer and Copyright
While APRA endeavours to ensure the quality of this publication, it does not accept any responsibility for the accuracy, completeness or currency of the material included in this publication and will not be liable for any loss or damage arising out of any use of, or reliance on, this publication.
© Australian Prudential Regulation Authority (APRA) 2024
This work is licensed under the Creative Commons Attribution 4.0 Licence (CC BY 4.0). This licence allows you to copy, redistribute and adapt this work, provided you attribute the work and do not suggest that APRA endorses you or your work. To view a full copy of the terms of this licence, visit: https://creativecommons.org/licenses/by/4.0/