The Australian Prudential Regulation Authority (APRA) Capability Review released on 17 July confirmed speculation that the regulator would be criticised for its poor enforcement record and its penchant for resolving issues 'behind closed doors'.

This Review came in response to the perfect storm of the Hayne Royal Commission, the CBA Prudential Inquiry, the introduction of the Banking Executive Accountability Regime and the release of the APRA 2018-2022 corporate plan last year.

The Review identified extensive turnover at senior staff levels over the past few years and issues around culture, leadership capability and capacity to implement change, which were acting as constraints on APRA's role as regulator.

As Hayne commented in his Royal Commission about the way ASIC conducted itself sometimes, APRA also tends to do things behind the scenes with the entities it regulates. There are often good reasons for a prudential regulator to be discreet, particularly in cases of acute financial stress. However, the Review is clear that APRA must move towards a more strategic and forceful use of communication.

In this article, partner Langton Clarke focuses on the recommendations about APRA's failures to effectively regulate, investigate and enforce "governance, culture and accountability" (GCA) risks in the financial sector.

Governance, culture and accountability

The Review was scathing in its assessment of APRA's failure to accept that GCA risks have a major bearing on financial risk (which APRA has been very good at regulating). The Review is clear that weaknesses in governance frameworks feed directly into financial safety and stability. GCA is as much of a prudential regulator's remit as capital and liquidity ratios.

In particular, the Review provides that—

APRA appears to have developed a culture that is unwilling to challenge itself, slow to respond and tentative in addressing issues that do not entail traditional financial risks.

APRA has three key prudential standards relating to GCA risks:

• Governance.
• Risk Management.
• Fit and Proper.

The Review found these prudential standards are not effectively used by APRA to investigate GCA risks and need to be amended. Part of the reasons APRA has failed to adequately assess the GCA risk of an organisation is its lack of internal capability to assess risks of a GCA nature.

Examples of supervision activities utilised by prudential regulators internationally include full-board effectiveness reviews, succession planning reviews, cross-industry reviews of board effectiveness, formal fit and proper assessments, and meeting observations. Several of APRA's peer regulators have explicit powers in relation to board and senior management appointments. APRA only has a 'non objections power' to consider the appointment of board members and the Review concludes this is a light touch way of pre-empting the risks of poor board appointments.

The Review concludes that limits on internal resourcing, limits on scalability of activities, and the high level of judgment inherent in supervising GCA risks mean APRA is unlikely to have sufficient internal skills and resources to supervise these risks.

Self-assessments recommended

The panel recommends APRA-regulated institutions complete regular self-assessments of GCA risks, an example of which is outlined in appendix 2 of the report . We recommend anyone who is interested read appendix 2 for an idea about the types of GCA risks and the way boards might be able to monitor and manage them. They include such things as an assessment of how well the board promotes guidance to management on its expectations of good and poor GCA risk behaviours, the actions taken by the board to adjust remuneration of the CEO and senior management for breaches of GCA arrangements, and an assessment of the quality of analytics and reporting used by management to monitor GCA risks.

Conclusion

The Review reiterated the comments from the Hayne Royal Commission that APRA and ASIC must ensure close collaboration to agree their respective roles and to deliver the desired outcomes.

We are hopeful that as ASIC continues its close and continual monitoring program, increased levels of reporting and its "why not litigate" stance, together with APRA taking a more public role in setting standards for governance, culture and accountability risks, our clients will gain some clarity about what the regulators expect and how they will respond should your GCA frameworks fall short of those expectations.