Skip to main content

Information paper - APRA’s Supervision Priorities

Executive summary

 

APRA’s prudential policies and supervision activities support its purpose to ensure the financial interests of Australians are protected and the financial system is stable, competitive, and efficient. Through supervision, APRA seeks to identify and respond to significant risks to financial institutions and the financial system in a forward-looking manner. Reviews and assessments are targeted to the most significant risks identified and with a preference for preventative action. 

This information paper outlines APRA’s supervision priorities for 2023, anchored to the three outcomes in the Corporate Plan, aiming to ensure the Australian financial system is “protected today and prepared for tomorrow”1. Together with the Policy Priorities Information Paper, it will assist APRA-regulated entities to engage with APRA and allocate appropriate resourcing to address key priority areas. 

Supervision priorities for 2023-Resilient and prudently managed financial institutions: strengthened operational resilience, improved cyber resilience and strengthened board capabilities and renewal practices. A safe and stable Australian financial system: enhanced maturity of recovery and exit planning, embedded capital framework, deeper understanding of climate-related financial risks and disciplined management of problem assets. Good financial outcomes: addressing challenges in insurance availability

The reducing impacts of COVID and the emergence of new products and practices including those on the edge of the regulatory perimeter continue to be part of normal supervision activities. 

Rising inflation and interest rates along with ongoing global geopolitical risks continue to present uncertainties. Transmission of these risks can increase the potential for household and business financial stress and could also add to insurance affordability challenges. Financial markets volatility is a further potential outcome which could impact availability of funding and investment returns across all industries. Supervision activities will be targeted to respond to these risks.   

The heightened risk of operational disruptions including cyber-attacks, even if temporary, can have a significant detrimental impact on the community. APRA will intensify scrutiny of operational and cyber risk-management practices and has heightened expectations of entities’ ability to rapidly detect weaknesses and to implement remediation plans.

At an industry level key priorities are:

  • In banking the embedding of capital reforms for banks to ensure Australia’s financial system remains safe and stable will be a priority, alongside the fundamentals of credit quality and liquidity.
  • Across the general, life and private health insurance sectors, APRA has strategic workstreams to help address challenges in availability, affordability and sustainability of insurance in order to improve financial outcomes for policyholders. 
  • For superannuation, APRA will continue to hold trustees to account to improve member outcomes by: rectifying substandard practices; reducing unacceptable underperformance through the annual performance test and transparency on performance via heatmaps; and examining trustees’ implementation of the retirement income covenant.

Given the uncertain outlook, these priorities will be adjusted as needed throughout the year and resources redirected to respond to new and emerging risks. 

 

Footnotes

 

1 More information on the strategic themes of ‘protected today and prepared for tomorrow’ can be found in APRA’s Corporate Plan 2022-2023 (August 2023), https://www.apra.gov.au/sites/default/files/2022-08/APRA%20Corporate%20Plan%202022-23.pdf.

 


Chapter 1 - Cross-Industry

Shield icon representing important cross-industry risks that APRA will be focusing on during 2023, with a particular focus on heightened cyber risk

 

APRA will continue its work on several important cross-industry risks in 2023 with a particular focus on heightened cyber risk. Other areas of focus are operational resilience, climate risk and governance, remuneration, risk culture and accountability.  

1.1    Preserving the resilience of regulated entities 

1.1.1    Improving cyber resilience

 

Large cyber breaches impacted millions of Australians in 2022, exposing the public to a heightened risk of identity theft or financial fraud by allowing sensitive personal information to be made public. This ongoing risk threatens public trust, confidence in institutions and overall financial system stability. Therefore, improving cyber resilience remains a key cross-industry supervision priority for APRA. As the threat posed by domestic and international cyber adversaries escalates, along with the potential impact of a successful attack, entities must remain on guard and continue to build their cyber defences. 

As part of APRA’s Cyber Strategy to uplift cyber resilience across the financial sector, APRA has embarked on a major exercise involving independent cyber reviews. 2023 will see the receipt of the vast majority of CPS 234 assessments of entities’ compliance with Prudential Standard CPS 234 Information Security (CPS 234). This will provide APRA both detailed individual gaps and holistic insights into the state of cyber resilience. As a result, APRA will exercise heightened supervision and

  • rigorously pursue breaches of the standard;
  • require and review comprehensive remediation plans to ensure timely rectification and follow up of all gaps identified;
  • conduct targeted deep-dive reviews on areas of weakness that fail to meet expectations; and 
  • share insights and industry-wide guidance to direct cyber resilience uplift.

Strong board oversight of organisational capability and preparedness is essential in improving cyber resilience. APRA will assess board effectiveness regarding cyber resilience, via information requests and meetings with board members to understand practices and areas of challenge. This will be targeted to select entities and will be conducted in conjunction with the APRA Governance, Culture, Remuneration and Accountability team (GCRA). 

Individual entities’ Supervision Risk and Intensity (SRI) assessments will be updated commensurate with the severity of cyber resilience weaknesses identified.

APRA's cyber supervision plans will continue to evolve in response to the dynamic nature of cyber, industry behaviour and whole of government response. 

1.1.2    Operational resilience 

 

Sound operational risk management is fundamental to financial safety and system stability. Recent events, including the pandemic, natural disasters and cyber-attacks, have demonstrated the importance of financial institutions being able to identify and effectively respond to business disruptions and operational risks and to ensure the data they hold is secure. 

APRA will continue to focus on strengthening operational resilience through the oversight of third-party service provision, technology resilience, operational risk and compliance. This supports preparedness for the implementation of Prudential Standard CPS 230 Operational Risk Management (CPS 230), expected to be 1 January 2024. 

 

The changing climate presents financial risks to all sectors of the economy, and efforts continue to build understanding of how these may manifest. 

APRA’s Climate Vulnerability Assessment (CVA)2 of Australia’s five largest banks, published on behalf of the Council of Financial Regulators, provides an opportunity for participating banks and all entities to consider the value of quantifying climate risk in their business plus the pathway they might take to access appropriate data, skills and advice. APRA is expanding on the CVA work by progressing quantitative climate risk analyses across other industries. In 2023, APRA intends to conduct a General Insurance related CVA and will engage with the industry over its planning and design.

APRA also recently published a climate risk self-assessment survey3 that gauged entity alignment to APRA’s climate risk guidance. Although it was voluntary, there was a high participation rate from across the industries and APRA has since provided feedback to entities on their results and will continue to engage where improvements can be made. 

APRA expects entities to be abreast of new and ongoing climate change initiatives and to consider the governance and risk management implications to their businesses. Such initiatives include the government’s Annual Climate Change Statement4  and accompanying Climate Change Authority report, and the Treasurer’s announcement of a government consultation on climate-related financial disclosure in December 20225. Other considerations include alignment with relevant international processes such as the International Sustainability Standards Board, and with the wider decarbonisation of the Australian economy. These initiatives represent material changes to the climate governance landscape.  

APRA will continue to participate in the Council of Financial Regulators’ Climate Working Group (which APRA currently chairs), and relevant industry and international processes, to support engagement with these initiatives by all industries.

1.2    Transforming governance, culture, remuneration and accountability

 

APRA is continuing its work to lift GCRA practices across all industries as a foundation for resilient entities, to preserve confidence in the financial system and improve outcomes for the Australian community. 

Ongoing work to strengthen governance through board capability and renewal practices in each industry will continue, with analysis on board capability, composition and tenure informing targeted supervisory responses where outliers are identified. 

To support assessment of the impact of behaviours on risk management, APRA will continue to engage with entities that participated in risk culture surveys to address findings. The lowest scoring dimensions for ADIs were risk governance and controls, decision-making and challenge, and performance management and incentives6. APRA will also share insights from the risk culture survey for superannuation and insurance, so all entities might elevate their own practices. APRA will consider the timing and coverage of further surveys. 

Effective implementation of Prudential Standard CPS 511 Remuneration (CPS 511) across industries will be supported by publishing the areas for improvement identified in the recently completed implementation review for Significant Financial Institutions (SFI), which included in-depth reviews for 15 entities. We expect entities to reflect on their own practices and make changes where necessary. In prudential reviews APRA will seek to understand how individuals are appropriately incentivised to manage risks they are responsible for and that there are appropriate consequences for poor risk outcomes. For select entities a supporting information request will require details on incentives frameworks. 

Preparations to transition from the Banking Executive Accountability Regime to the Financial Accountability Regime within the banking industry will continue, pending the passage of legislation. Preparation will also commence for implementation of the FAR within the insurance and superannuation industries in 2023, ahead of expected commencement of the regime in 2024. 

1.3    Resolution and Recovery and Exit Planning

 

Prudential Standard CPS 190 Recovery and Exit Planning and Prudential Standard CPS 900 Resolution Planning (effective 1 January 2024) are designed to enhance preparedness for crisis management and to ensure the system is well placed to navigate financial stress. This should reduce the risk of disorderly failure and any negative impacts which undermine a safe and stable financial system. For recovery and exit planning, supervisory activity in banking and insurance will continue to build maturity. For resolution, APRA will engage with selected entities which will inform broader industry guidance. 

1.4    Direction for Data Collections  

 

APRA has embarked upon a major data change program that will ultimately streamline requirements of industry with respect to data submission and enrich insights for APRA, government, peer regulators, its regulated population and other stakeholders. This supports public trust and confidence in the financial system and strong market disciplines. 

Roadmaps have been published for each industry, considering policy development needs, gaps in existing data collections and areas of current focus. These include: 

  • improving superannuation member outcomes by enhancing the comparability and consistency of data reported and providing greater transparency to stakeholders;
  • developing granularity in insurance data collections to identify and respond to insurance availability, affordability and sustainability concerns, as well as reflecting the impacts of the AASB 17 Insurance Contracts and private health insurance capital reforms; and
  • reflecting recent capital reforms in the banking industry in data collections, as well as collaborating with industry to develop new collections that will provide greater and more timely insight into current and emerging areas of risk in banking.

At a cross industry level, APRA plans to formalise collection of non-financial risk data in areas such as remuneration, FAR and climate change.  

APRA acknowledges that changes to reporting requirements will require system and process changes in entities. To support planning for the required investment, APRA will publish detailed plans for the design and implementation of new collections for each industry7. This includes timeframes for strategic and technical working group engagement to support the planning, design and implementation of the collection roadmaps.  

As with all significant programs of change, timeframes may need to adjust, and APRA will advise industry with sufficient lead time.   

APRA intends to co-design the data quality framework with each industry, with the objective of ensuring high quality standards for the most critical data elements while minimising associated burden.

 

Footnotes

 

2APRA, APRA releases results of inaugural Climate Vulnerability Assessment (November 2022), https://www.apra.gov.au/news-and-publications/apra-releases-results-of-inaugural-climate-vulnerability-assessment.

3 APRA, APRA publishes findings of latest climate risk self-assessment survey (August 2022), https://www.apra.gov.au/news-and-publications/apra-publishes-findings-of-latest-climate-risk-self-assessment-surve.y

4 Department of Climate Change, Energy, the Environment and Water, Annual Climate Change Statement (2022), https://www.dcceew.gov.au/climate-change/strategies/annual-climate-change-statement.

5 Treasury, Climate-related financial disclosure (December 2022), https://treasury.gov.au/consultation/c2022-314397.

6 APRA, No room for complacency on bank risk culture (November 2022), https://www.apra.gov.au/news-and-publications/no-room-for-complacency-on-bank-risk-culture.

7APRA, APRA releases response to consultation on direction for data collections (December 2022), https://www.apra.gov.au/news-and-publications/apra-releases-response-to-consultation-on-direction-for-data-collections.  


Chapter 2 - Banking

 

Icon showing a magnifying glass hovering over a building.

 

APRA will closely supervise the fundamentals of credit, capital and liquidity, in response to the macroeconomic environment.

2.1    Prudent management including through key reforms 

 

Preserving trust in banks’ financial and operational resilience is critical to a stable financial system. As part of maintaining supervisory rigour on the fundamentals of credit quality, liquidity and funding and capital, APRA will review problem asset management and credit portfolio management. Internal Ratings Based (IRB) model performance will be assessed and provisioning subject to heightened scrutiny. As the industry approaches the refinance of the Term Funding Facility (TFF), APRA will review the banks’ issuance planning and liquidity stress testing. 

Embedding the new capital framework will be a major focus in 2023. The capital framework has introduced additional regulatory buffers and adjusted risk weights. These will be reflected in new reporting from 31 March 2023. APRA will review the new capital returns, ensure Prudential Capital Ratios are appropriately aligned, accredit the remaining IRB models, and follow through on any consequential amendments. 

For SFIs, APRA will conduct capital stress testing against its set scenarios mid-year. This is designed to be an annual, repeatable process and we expect entities to invest in the appropriate capabilities and capacity to meet these requirements. 

2.2 Upgrading the industry and system 

 

APRA expects to assess progress in entities with GCRA remediation plans yet to complete or transitioning to BAU throughout 2023. 

APRA, together with peer regulators, has continued working with large authorised deposit-taking institutions (ADIs) to develop enhanced crisis response plans for cyber risk to the payments system. This crisis-response work will continue in 2023. 

2.3 Responding to innovations in financial products and services 

 

The financial services sector continues to rapidly evolve with new innovations in services, delivery mechanisms, products and participants (both regulated and unregulated). Examples include crypto-currencies, alternative stores of value and non-bank payment providers. This evolution will impact the business models and strategic priorities of ADIs, potentially creating new or increased prudential risks. Similarly, new participants may challenge established regulatory boundaries and frameworks, including mechanisms for consumer protection. 

APRA will continue to engage with entities to ensure any business models and practice changes, such as banking-as-a-service, new product development, strategic partnerships and structural changes to accommodate non-banking business, are subject to robust risk management and appropriately capitalised. Activities in relation to crypto assets should follow the APRA letter to industry of April 20228 which included an expectation to proactively engage with their APRA supervisor as they develop plans.  

APRA will continue to actively monitor developments and work with our domestic and international peer agencies, and the Commonwealth Government, including in relation to the RBA’s CBDC pilot9 and Australia’s payment system10.

 

Footnotes

 

8 APRA, Crypto-assets: Risk management expectations and policy roadmap (April 2022), https://www.apra.gov.au/crypto-assets-risk-management-expectations-and-policy-roadmap.

9 RBA, Australian CBDC Pilot for Digital Finance Innovation (September 2022), https://www.rba.gov.au/payments-and-infrastructure/central-bank-digital-currency/pdf/australian-cbdc-pilot-for-digital-finance-innovation-white-paper.pdf.

10 Treasury, Transforming Australia’s Payments System (December 2021), https://treasury.gov.au/publication/p2021-231824.

 


Chapter 3 - Insurance

 

Icon showing 3 images: three people under an umbrella, an emergency kit and a car in front of a house.

APRA regulates three insurance industries: general insurance, life insurance and private health insurance, which face both unique and shared challenges. APRA’s supervisory efforts are designed to respond with particular focus on availability, affordability and sustainability challenges. 

3.1    Addressing availability, affordability, and sustainability

 

APRA will maintain its strategic focus on addressing challenges in affordability, availability and sustainability of insurance across the general, life and private health insurance sectors in 2023.  

For general insurance, ongoing natural disasters have compounded the difficulty of access to affordable general insurance for homeowners and businesses in areas more vulnerable to severe weather events. Pressure on some commercial lines, such as public liability, also continues. For life insurance, the emphasis on working with the industry to ensure the sustainability of certain products, particularly Individual Disability Income Insurance (IDII), will continue. The affordability of private health insurance, driven largely by increased claims and medical costs, also remains a concern.  

The problems are complex and potential solutions are multi-faceted, requiring a collaborative approach across industry, regulators, government and consumers. Accordingly, APRA has increased its engagement with stakeholders, and this will continue over the next 12 months. However, insurers have an important role, individually and collectively, in supporting the availability, affordability and sustainability of insurance for the Australian community.

To progress the insurance stream of APRA’s data collections work, APRA’s Insurance Data Transformation project will commence consultation on the first phase of broader and more granular data collections for general insurance and life insurance during 2023. APRA will closely coordinate data collection plans with other government agencies and will contribute to developing evidence-based insights into areas of concern such as insurance availability and affordability. 

3.2    General Insurance

 

The general insurance industry remains well capitalised at a system level, despite the challenges posed by more frequent natural disasters, rising reinsurance costs and an adverse economic environment.  

APRA will continue to build industry resilience to such challenges, notably through improved risk management requirements across the sector. APRA is also encouraging industry leadership and innovation to help address availability and affordability concerns, while shoring up contingency planning in the event of a crisis. APRA will contribute to the Hazards Insurance Partnership introduced by the Federal Government in its October budget, bringing industry, government and key stakeholders together to address the challenges arising from extreme weather risks.  

3.2.1    Strengthening insurance risk management 

 

APRA will continue to focus on insurance risk management capabilities across the industry. The issues with business interruption insurance at the height of COVID-19 resulted in a series of legal disputes and created significant uncertainty for policyholders. APRA’s insurance risk management thematic review11, which involved 10 general insurers, considered the root causes of these issues, with the intention of avoiding similar problems in other product lines, particularly cyber-related products. 

In 2023, APRA will supervise the progress and completion of the remediation plans for those insurers who participated in the thematic review. APRA has also encouraged insurers who were not part of the review to conduct similar assessments and incorporate learnings into their own operations and will engage with insurers on this as part of its supervisory activities.

3.3    Life insurance and friendly societies

 

Given the historic and ongoing challenges experienced with life insurance products, APRA remains focused on the establishment of a sound basis for long term product sustainability. This is important to ensure good prudential outcomes for life insurers, and good long-term consumer outcomes.

3.3.1    Sustainable insurance products 

 

APRA remains committed to its program to support the long-term sustainability of IDII. While new IDII products which reflected APRA’s expectations were introduced in October 2021, irresponsible market behaviour remains a risk requiring strong vigilance by both APRA and insurers. In 2023, APRA will maintain its IDII market monitoring activities and take action to ensure the gains of the past few years are not eroded. In addition, APRA plans to review the progress of several individual life insurers in meeting APRA’s product sustainability expectations to assess whether a change in their IDII capital charge is warranted. In undertaking these reviews, APRA will consider the quality of insurer decision-making and will look for evidence of challenge from the boards and risk function.

APRA expects life insurers to apply the recent learnings and sustainability practices introduced for IDII to other products in their portfolios. In 2023, APRA will engage with insurers to understand the progress they have made in doing so, including their assessment of the sustainability of their other insurance products, and their plans and actions to address any potential concerns. As for IDII, APRA will be particularly interested in the level of challenge brought by the board and risk management function on assessment of product sustainability.

In relation to insurance in superannuation, APRA is undertaking a survey of 12 direct insurers and reinsurers active in the group insurance market. This will assess progress in implementing the expectations communicated in APRA’s March 2021 letter12  to registrable superannuation entity licensees and group insurance CEOs. APRA will use the outcomes of that survey to undertake targeted engagements with selected entities.

3.4    Private Health Insurance

 

The private health insurance (PHI) industry remains challenged by affordability issues and increasing claims costs, the underlying drivers of which are expected to persist notwithstanding the distortive impacts of COVID-19. APRA will continue to engage with industry to assess insurer strategies to respond to these challenges, as well as providing insights and advice to Government to assist with development and implementation of longer-term solutions.

3.4.1    Capital management 

 

APRA will continue to engage with industry on implementation of the new capital framework effective in July 2023, with a particular focus on Internal Capital Adequacy Assessment Process commencing with the top five entities in 2023 and the rest of the industry in 2024. 

3.4.2    Strengthening operational resilience 

 

The ability to continue operations in the face of disruptions is critical to maintaining community confidence. Given the industry relies extensively on service providers to fulfil policyholder obligations and the collection of both financial and health data, the importance of outsourcing controls and information security is elevated. Continuity planning for outsourcing arrangements, considering high concentration risk amongst critical service providers, will continue to be an area of focus. 

 

Footnotes

 

11 APRA, APRA releases findings from insurance risk management review (October 2022), 

https://www.apra.gov.au/news-and-publications/apra-releases-findings-from-insurance-risk-management-revie.

12 APRA, APRA urges life insurers and superannuation funds to address sustainability of insurance in superannuation (March 2021), https://www.apra.gov.au/news-and-publications/apra-urges-life-insurers-and-superannuation-funds-to-address-sustainabilit.y

 


Chapter 4 - Superannuation

 

Icon of a hand holding a plant with a coin at the top.

 

To ensure all Australians are well served by the superannuation system, APRA is maintaining its focus on holding trustees to account to improve the member outcomes they are delivering and actively address deficiencies in their practices. 

4.1    Rectifying sub-standard industry practices

 

Strong governance practices along with business planning and performance monitoring disciplines are essential to provide durable superannuation product offerings that benefit members over the long-term. 

APRA will focus on board capabilities, tenure, management of conflicts of interest and strength of internal control systems, including through targeted supervisory actions where sub-standard practices are identified. APRA expects all trustees to have undertaken self-assessments on the themes identified in APRA’s reviews13 on strategic and business planning, fund expenditure and unlisted asset valuation practices and to have well-progressed plans to address deficiencies. Assessment of trustees’ progress will be a focus of APRA’s entity supervision in 2023. 

The duty to act in the best financial interest of members in relation to expenditure decisions continues to be an important determinant of member outcomes. Business models that are challenged in delivering long-term sustainable, competitive outcomes for members will continue to receive scrutiny from APRA, including consideration of where consolidation will be beneficial.14

The investment markets are changing in response to inflation, higher interest rates and geopolitical factors. APRA will assess how trustees are preparing for the changing environment and the adequacy of their practices to respond to market stresses, including possible liquidity stress. APRA will take a targeted approach in this work, driven by risk insights from the information it collects and supervisory activities. 

4.2    Eradicating unacceptable product performance

 

A key driver of member financial outcomes is product performance, which is heavily driven by investment performance and fees charged to members. APRA will continue to use the annual performance test to drive a focus on remediating unacceptable product performance or exit for the benefit of members. 

Alongside the annual performance test, APRA will continue to hold trustees to account in addressing drivers of poor product performance via the transparency provided on performance metrics in its MySuper and Choice Heatmaps. APRA will publish the Choice Heatmap, which is being updated using data submitted through the new APRA Connect system for the first time in early 2023.  

4.3    Influencing improved retirement outcomes

 

The new retirement income covenant demands that trustees innovate and evolve their offerings to better serve the needs of their members as they reach retirement.

Working alongside ASIC, APRA will review how trustees have implemented the retirement income covenant within their business strategies and operations, for the benefit of members, and ensure trustees take steps to address deficiencies where they are identified.

 

Footnotes

 

13 APRA, Findings from APRA’s superannuation thematic reviews (October 2021), https://www.apra.gov.au/findings-from-apra’s-superannuation-thematic-reviews.

14APRA, Small and medium super funds face sustainability challenges (March 2022), https://www.apra.gov.au/news-and-publications/small-and-medium-super-funds-face-sustainability-challenges-0.