• Thomas Verlaet

Webinar Recording: APRA update for Finance and Risk

Updated: Apr 28

RegCentric Webinar 18th of March 2020:

Topics covered in this webinar:

  • COVID (Risk)

  • APRA regulatory change timetable (with observations)

  • Reporting and audit

  • BASEL and data Transparency


APRA update in Finance and Risk

1) Thank you for joining

2) Format Change due to dynamic and fast-changing environment related to COVID19.

3) We hope to organize an in-person session in the near future.

4) To keep the session interactive we will share a few polls.


- We are experiencing a global pandemic. And we are seeing history develop in front of our very eyes. After the bush fire crisis, Australia and the rest of the world now faces a health crisis. Our thoughts are with the front line health care workers.

- The impact on our economy and the financial services sector is likely to be significant. While the government has announced a stimulus package to try to avoid a recession, various economists have indicated that a recession may not be avoidable.

- APRA has guidelines on Pandemic Planning – which it has released off the back off Pandemic stress tests it conducted in 2006 and 2007 in the insurance sector. It is our understanding that APRA in recent weeks has been working directly with regulated entities to take stock of their operational preparedness in anticipation of a wider outbreak of the virus. We luckily live in a time where physical social distancing is supported by technology which enables us to work from home. And while there will be a range of measures that impact the operations of banks, especially in the branch network, and some people will be incapacitated due to infection, the sector is not expected to come to a grinding halt, and in fact many organisations we work with have already moved to increased working from home arrangements, for both internal and external staff, in line with their Business Continuity Planning.

- From a direct impact perspective, the immediate APRA regulated sector that comes to mind is the insurance sector. direct impact is likely to be biggest in Health + Life will be expecting claims to increase. Especially for the PHI industry – which is already plagued with decreasing margins and intensifying scrutiny from the regulator surrounding questions of sustainability of their business models, this is not great news.

- Other industries that are regulated: the super industry will be mostly concerned about the global market turmoil will have substantial impacts on their portfolio’s.

- We already touched on the operational impact on ADI’s, and from a financial side, the impact will be a flow on impact coming from the impact the containment measures: short-term: stock markets ; money market drying up; and fx and interest rates falling. Overall resulting in some significant Market and Liquidity risk events. From a market risk perspective, we can start talking about a black swan event.

- Longer term: GDP impact, potential unemployment, housing market likely to be impacted as well. This may result in credit risk events occurring.

- Most economists agree that banks are much better prepared for an economic shock. APRA definitely supports this view and recently confirmed at the senate economic hearing committee that “the financial system is positioned to handle short-term volatility in financial markets, but navigating any period of extended stress is inevitably something that will warrant considerable vigilance.

- We do want to touch on a specific area of regulation which we think will be more prominently present on the agenda of Finance and Risk departments; which is on the impact of IFRS 9 provisions. Under IFRS 9: Expected Credit Losses will increase:

1) PD and LGD are modeled on economic variables. Changes to these variables will likely lead to increased ECL’s.

2) Significant Increase in Credit Risk triggers such as rating downgrades lead to transitioning from stage 1 to stage 2. This in triggers the lifetime ECL to be recorded rather than the 1 year ECL.

We expect that Banks will need to adjust their economic variables or at least that a high probability weighting will be given to scenario’s that reflect the economic downturn conditions. Secondly we expect to start seeing increased transition to Stage 2. Specific sectors will be very hit very hard. Think transportation, tourism, … Concentration risk in various sectors. Property Development(?) – many unknowns -

Forward looking variables will be subject to Management judgement – and will be very hard to judge.

IFRS 9 Expected Credit Loss were designed to start recognizing higher provision levels, earlier in the economic cycle. With the economic outlook worsening, it would be logical and in line with the intent of the standards, to increase credit loss provisions levels.

- Second area we want to highlight is that APRA’s recent Stress Testing results revealed some weaknesses, especially in the smaller ADI segment. This segment may also be more exposed to the operational risks that come with a pandemic. Smaller ADI’s have to rely on smaller scale operations teams and often have less advanced technology set-ups and lower levels of financial flex. Risk and Finance functions also often rely on key personnel to prepare reports on risks and performance metrics to internal and external regulators. So smaller ADI’s might find it particularly challenging to keep the Business as Usual operations going. In a stressed environment, regulators are likely to require ADI’s to report on a heightened frequency. LCR return 210.5 Daily liquidity report for example was created post-GFC to monitor liquidity positions on a daily basis. Additional ad-hoc requests from regulators should be expected if the current volatility sustains for an extended period of time.

POLL 1: We want to understand from this mixed audience what they think will be the risk category that will be impacted the most by COVID-19 for their organisation in a 6 month time frame?

The options are: Market, Liquidity, Credit or Operational Risk. You can select more than 1 answer. In the interest of time we will only keep the poll open for about a minute and we will share the result as soon you have submitted your responses.

Share results:

We’ll conclude here on the Corona Virus update. The financial environment is definitely heavily impacted by this health crisis – but the true impact on the system will only be known once the health crisis subsides. Let’s hope that the regulatory reforms implemented over the last decade have indeed made our industry “Unquestionably Strong.”

We would like to now move on to the original topic of the event and provide an update on APRA’s road map that impacts Risk and Finance departments in 2020 and beyond.

Needless to say that even before the COVID-19, we are operating, the Australian regulatory environment has been one of heightened regulatory pressures. APRA has increased its expectations around Governance, Culture, Remuneration and Accountability; has updated its Enforcement Strategy and is in the middle of rolling out an updated supervisory framework which will see it move away from its SOARS (Supervisory Oversight and Response System)/PAIRS (Probability and Impact Rating System) model to a SRI model (Supervision and Risk Intensity) and has flagged a more active supervision approach, which may see more a more pro-active/on-site engagement model being more widely rolled out.

APRA is still working through the recommendations that came out of the Royal Commission, the industry’s Self-Assessments and the high-visibility failures at some of our largest banks, especially in the context of AML/KYC shortcomings. Cyber security is another area of significant interest. Plenty of interesting topics for future events.

APRA’s strategic was published recently as part of APRA corporate plan 2019-2023 which provides very useful insights in the areas of focus of the regulator. And while a degree of change is likely in certain areas, and especially on the timelines of implementation, it is still worthwhile to have a close look at what APRA’s priorities are from a prudential regulation perspective that will impact Finance and Risk departments in 2020 and beyond.

We’ll start off with the topic of APRA reporting and EFS in particular. The EFS implementation is nearly over, with the last returns on Fees and Charges (730.1) being rolled out for ADI’s with a Balance Sheet > 10 Billion for the financial year ending 30 June 2020 and ARF722 Derivatives being required for entities with gross derivatives positions > 1 billion AUD for quarter ending 30 September 2020. But auditors are really just getting started.

Some of the entities have already gone through APS 310 or RRS710 audits for their Phase 1 returns and those entities know that the goal post for auditors has changed compared to previous APS310 audits. We see an increased number of qualifications in audit opinions and a significant amount of remediation work can be required to solve the observed weaknesses. APRA, the RBA and ABS issued heightened expectations around data quality in the EFS reform; and have given audit firms more clear guidelines on their expectations. Auditors in turn therefore have significantly higher expectations around the governance and risk and controls surrounding the end-to-end data and EFS process.

Especially for entities which use spreadsheet solutions, the auditors expectations with regards to controls, data lineage and governance; forms which fall under the “reasonably assurance requirements” are hard to satisfy. Auditors are also expecting controls in place on the remainder of the Phase 1/2/3 forms (730’s and 740’s). Auditors expect entities to be able to articulate how the entity complies with all of APRA’s standards and guidelines and how management ensures that high quality data is submitted to the regulator.

We have shared a whitepaper in which we have summarized the 5 key areas reporting entities can review in preparation of their EFS audits.

These are:

1) Governance

2) Data Quality

3) Controls and Validation

4) Data and Systems Management

5) Key artefacts

POLL 2: How confident are you that your organisation will receive a clean APS 310 (RRS 710) audit opinion for the current financial year?

The answers

Very Confident - our EFS program was successful

Somewhat confident - there may be areas for improvement

Uncertain - we don't know if we have everything in place for the audit

Not confident - we have known deficiencies which need to be remediated.

Share Results

APRA’s and auditors expectations around data risk management (CPG-235) and data quality (RPG-702) requires entities to think holistically about how they manage their data. Industry best practice includes identifying Critical Data Elements, and ensuring fit for purpose governance, risks and controls environment for those across the end to end lifecycle (data capture) and reporting process. Clear identification of roles and responsibilities, including ultimate accountability for the data quality and the data lifecycle controls.

APRA has flagged that it intends to release a cross-industry data management standard for consultation in the second half of 2020 with the view of implementation in 2021 and 2022. We observe that larger entities have for some time now already worked towards enterprise wide improvements to their data governance and have data strategies. Often under a specific data office, with executive level buy-in to data strategy. We have observed that the CDO offices are tasked with executing on data strategies to enables digital strategy, improve customer insights and analytics and also to improve the “back of the house” functions such as the finance and risk. So while there are regulatory drivers to improve the management of data – there are definitely other compelling reasons for organisations to improve how it captures, and analysis its data.

So in 2020, data governance and data quality should be high on the agenda for Finance and Risk departments.

On a related note, APRA has also announced recently its intention to start publishing much more granular data sets across various industries. For ADI’s in particular, APRA has consulted on the release of quarterly statistics on performance (QADIP) and property exposures (QPEX). This consultation concluded about 3 weeks ago. The data would be disclosed at an entity level, in the same way that data is currently published in the Monthly ADI Statistics. For those who are interested we invite you to take a look at the MADIS dashboard on our website where you can compare some key metrics on individual ADI’s assets and liabilities.

To summarise APRA’s proposal – key risk and performance metrics of individual entities would be disclosed on a quarterly basis. And the property exposure side, APRA would publish all related APRA forms in its entirety. APRA also has also proposed to publish the bank’s commentaries around significant movements between periods. And they would publish remaining data with a 3 year lag.

While we have a number of reservations around the feasibility of their proposal as it currently stands, APRA is quite clear on its intent to improve transparency in the banking industry. And we anticipate that there will be a very significant uplift required surrounding the governance and controls related to the forms that go public. We know that in the current regime, ADI’s have more stringent controls around the 720/1/2 because of the fact data goes public. One can anticipate a similar level of internal scrutiny will be required across the 20 forms that APRA has flagged which are typically prepared across Finance, Treasury and Risk departments.

Topic 2: Strengthen the Capital Prudential Standards that apply to ADI’s.

The Basel reform – which is driven internationally and has been subject to various changes over time, is now due for another major change – often referred to as Basel IV. The finalized Basel framework includes changes to the way ADI’s capital requirements are measured across various types of risk: credit risk, operational risk, market risk and interest rate risk in the banking book, and defines minimum thresholds such as capital floors and leverage ratio. Combined, these reforms are aimed at ensuring ADI’s maintain an unquestionably strong capital position, and to some degree, that there is a more even playing field between smaller ADI’s which apply a standardized approach to measuring risk and capital versus the banks who are accredited to use internal risk models under the advanced IRB approach.

The reform has been highly anticipated and has been subject to many delays. And who knows – potential further delays may be in the cards in the current environment. APRA has consulted on various pieces of the reforms, and process of consultations, with additional standards being subject to consultation in 2020. We have put a couple of key dates on screen.

For all ADI’s, the volume of change is significant, and the impact on the capital ratio’s expected to be substantial. From an implementation perspective, all ADI’s should be funding the project teams to analyse the requirements, the impact on the data provisioning, and start building capability to support the quantitative impact assessments APRA is intended to perform.

Key challenges we anticipate

People: when the entire industry is faced with a significant reform – all organisations are looking to onboard the same skillsets at the same time. Especially in Australia this can be quite challenging. Uplifting internal capability and partnering with specialists early can be required to ensure the right level of knowledge is embedded in the project team and ongoing BAU team.

From a process perspective, changes to capital allocations will require a rethink across the portfolio. Which types of businesses are the most profitable from a capital allocation perspective is important. Therefor credit decision processes may be impacted and these will take time and also require significant amount of executive level review and endorsement. We would also like to link this to APS 220 reform on credit risk – which will be in effect starting 1st of January 2021.

From a systems perspective

Many organization are using legacy technology in this space; and in the smaller ADI space that is often a spreadsheet. We would recommend ADI’s to look out for the new sets of technology which allow institutions to move on from batch-process type systems to those solutions which are designed to perform intra-day calculations through the use of the latest advances in technology such as micro services architectures.

Lastly from a Data perspective, the new Basel rules will require additional data points to be collected. We all know that changes to front office type systems in a legacy environment are very challenging, take a lot of time and are costly. Identifying data gaps early, and building a feasible roadmap for remediation will be critical to the success of any program.

That brings us to the summary of our event.

Focus on Data

Focus on Governance

Focus on audit readiness

Start the Basel project

We will now open the floor to questions.

Level 24, Three International Towers
300 Barangaroo Ave 
Sydney, NSW 2000

One One One Eagle Street

Level 54

Brisbane, QLD 4000

02 8091 7187