Federal Register of Legislation - Australian Government

CPS 232 Standards/Prudential (Banking & Insurance) as made
This instrument determines Prudential Standard CPS 232 Business Continuity Management.
Administered by: Treasury
Registered 14 Sep 2016
Tabling History
Tabled HR: 10-Oct-2016
Tabled Senate: 10-Oct-2016

Banking, Insurance and Life Insurance (prudential standards) determination No. 1 to 9 of 2016

EXPLANATORY STATEMENT

Prepared by the Australian Prudential Regulation Authority (APRA)

Banking Act 1959, section 11AF

Insurance Act 1973, section 32

Life Insurance Act 1995, section 230A

APRA may, in writing, determine, vary or revoke a prudential standard that applies to an institution regulated by APRA under:

(1) subsection 11AF(1) of the Banking Act 1959 (Banking Act), in relation to authorised deposit-taking institutions (ADIs) and authorised non-operating holding companies (authorised banking NOHCs);

(2) subsection 32(1) of the Insurance Act 1973 (Insurance Act), in relation to general insurers, authorised non-operating holding companies (authorised insurance NOHCs), and subsidiaries of general insurers and authorised insurance NOHCs; and

(3) subsection 230A(1) of the Life Insurance Act 1995 (Life Insurance Act), in relation to life companies, friendly societies, registered non-operating holding companies (registered life NOHCs), and subsidiaries of life companies and registered life NOHCs.

On 8 September 2016, APRA made the following determinations (the instruments):

(1) Banking, Insurance and Life Insurance (prudential standards) determination No. 1 of 2016, which determines Prudential Standard 3PS 001 Definitions (3PS 001);

(2) Banking, Insurance and Life Insurance (prudential standards) determination No. 2 of 2016, which determines Prudential Standard 3PS 221 Aggregate Risk Exposures (3PS 221);

(3) Banking, Insurance and Life Insurance (prudential standards) determination No. 3 of 2016, which determines Prudential Standard 3PS 222 Intra-group Transactions and Exposures (3PS 222);

(4) Banking, Insurance and Life Insurance (prudential standards) determination No. 4 of 2016, which determines Prudential Standard 3PS 310 Audit and Related Matters (3PS 310);

(5) Banking, Insurance and Life Insurance (prudential standard) determination No. 5 of 2016, which revokes Prudential Standard CPS 220 Risk Management (CPS 220) made under Banking, Insurance and Life Insurance (prudential standard) determination No. 3 of 2014, and determines a new Prudential Standard CPS 220 Risk Management (CPS 220);

(6) Banking, Insurance and Life Insurance (prudential standard) determination No. 6 of 2016, which revokes Prudential Standard CPS 231 Outsourcing (CPS 231) made under Banking, Insurance and Life Insurance (prudential standard) determination No. 1 of 2014, and determines a new Prudential Standard CPS 231 Outsourcing (CPS 231);

(7) Banking, Insurance and Life Insurance (prudential standard) determination No. 7 of 2016, which revokes Prudential Standard CPS 232 Business Continuity Management (CPS 232) made under Banking, Insurance and Life Insurance (prudential standard) determination No. 2 of 2014, and determines a new Prudential Standard CPS 232 Business Continuity Management (CPS 232);

(8) Banking, Insurance and Life Insurance (prudential standard) determination No. 8 of 2016, which revokes Prudential Standard CPS 510 Governance (CPS 510) made under Banking, Insurance and Life Insurance (prudential standard) determination No. 4 of 2014, and determines a new Prudential Standard CPS 510 Governance (CPS 510); and

(9) Banking, Insurance and Life Insurance (prudential standard) determination No. 9 of 2016, which revokes Prudential Standard CPS 520 Fit and Proper (CPS 520) made under Banking, Insurance and Life Insurance (prudential standard) determination No. 4 of 2012, and determines a new Prudential Standard CPS 520 Fit and Proper (CPS 520).

The instruments commence on 1 July 2017.  

1. Background

In keeping with its mandate of financial stability, APRA is developing a conglomerate framework (Level 3 framework) that would seek to capture the contagion, reputation, moral hazard and other related risks that could have significant impacts on Australia’s financial stability.

Since 2010, APRA has released several consultation packages[1] outlining the Level 3 framework for the supervision of conglomerate groups (Level 3 groups), covering four components: group governance, risk exposures, risk management and capital adequacy. In August 2014,[2] APRA released the Level 3 framework, but deferred implementation of the new requirements until the conclusion of the Financial System Inquiry (FSI)[3].

In early 2016, APRA decided to implement the non-capital aspects of the Level 3 framework, and defer the implementation of capital components of the Level 3 framework until a number of other domestic and international policy initiatives had progressed. These policy initiatives include:

- APRA’s implementation of the FSI recommendation on unquestionably strong capital ratios for ADIs (FSI recommendation 1);

- consideration of proposals in relation to loss absorption and recapitalisation capacity (FSI recommendation 3); and

- proposed legislative changes to strengthen APRA’s crisis management powers (FSI recommendation 5).

Taken together, these initiatives will influence APRA’s final views on the appropriate requirements with respect to the strength, resilience, recovery and resolution capacity of Level 3 groups.

Accordingly, APRA announced in March 2016[4] that consultation on the capital components of the Level 3 framework would take place no earlier than mid-2017, with implementation no earlier than 2019.

APRA has made consequential amendments to the non-capital aspects of the Level 3 framework, as well as several amendments to improve the drafting of the standards. Although these clarifications did not change the underlying policy positions, given the number of clarifications/amendments, in March 2016 APRA released for public consultation the non-capital components (nine prudential standards and two prudential practice guides) of the Level 3 framework.

Four submissions were received in the March 2016 consultation period. APRA has carefully considered the submissions and made minor amendments to the framework published in March 2016. The final form of the non-capital components of the Level 3 framework was released on 8 August 2016. These will be effective from 1 July 2017.

2. Purpose and operation of the instruments

The purpose of these instruments is to promote sound practices regarding governance, risk management and management of risk exposures for Level 3 groups. While group membership may offer benefits to prudentially regulated institutions[5], it may also expose institutions to risks that emerge from other group members that may or may not be regulated by APRA. There are also risks that may emerge from the size, scope, and operations of the group itself, rather than any particular institution in the group.

To promote sound practices across the group, these instruments establish a prudential framework for group governance, risk management and management of risk exposures that APRA can apply to protect the interests of depositors, policyholders, and superannuation beneficiaries of prudentially regulated institutions that are members of these groups.

The instruments allow APRA to determine Level 3 groups where it considers that material activities are performed within the group across more than one industry regulated by APRA and/or in one or more industries not regulated by APRA, to ensure that the ability of the group’s prudentially regulated institutions to meet their obligations to depositors, policyholders, and superannuation beneficiaries is not adversely impacted by risks emanating from the group, including institutions in the group not regulated by APRA.

The instruments provide for APRA to enforce the Level 3 framework through supervision of the Head of the Level 3 group (Level 3 Head), rather than directly applying prudential supervision to institutions that are not regulated by APRA. Consequently, the instruments allow APRA to determine the Level 3 Head.

To achieve this objective, the instruments determine the following new prudential standards (collectively, the ‘Level 3 prudential standards’): 3PS 001, 3PS 221, 3PS 222 and 3PS 310.

The instruments also determine new versions of the following existing prudential standards (collectively, the ‘cross-industry prudential standards’): CPS 220, CPS 231, CPS 232, CPS 510 and CPS 520.

The instruments will also apply the requirements in the cross-industry prudential standards to a Level 2 group through the Head or Parent of the Level 2 group (Level 2 Head), as defined in Prudential Standard APS 001 Definitions (APS 001) and Prudential Standard GPS 001 Definitions (GPS 001).

Where these prudential standards incorporate by reference the requirements of another prudential standard, this is a reference to the prudential standard as it exists from time to time.

I. Level 3 prudential standards

i. Prudential Standard 3PS 001 Definitions

3PS 001 defines key terms that are used in the Level 3 prudential standards and cross-industry prudential standards. It applies to Level 3 Heads.

Paragraphs 1 to 3 state APRA’s authority to make the prudential standard, the date on which the standard commences and that the definitions in 3PS 001 apply to all prudential standards that are applicable to Level 3 Heads.

Paragraph 4 states the definitions of key terms that are used in the Level 3 prudential standards, as well as elsewhere in APRA’s prudential framework. Some of the key terms defined in 3PS 001 include:

Ensure: This term is used in APRA’s prudential framework in relation to a responsibility of the board.

Level 3 institution: This term defines an institution that is a member of the Level 3 group.

Prudentially regulated institution: This term is defined to cover the set of institutions that are referred to in the Level 3 prudential standards. Note that this term differs from the term ‘APRA-regulated institution’ which is used as the collective term in the cross-industry standards, as ‘prudentially regulated institution’ includes RSE licensees.

Paragraph 4 also describes the institutions that APRA may determine to be a Level 3 Head or part of a Level 3 group.

ii. Prudential Standard 3PS 221 Aggregate Risk Exposures

3PS 221 requires a Level 3 Head to ensure that a concentration of risk in one part of, or across, the Level 3 group does not pose a threat to the prudentially regulated institutions in the group. These are qualitative, principles-based requirements that complement the quantitative limits and thresholds required for individual institutions or Level 2 groups in other prudential standards.

Paragraphs 1 to 5 are introductory paragraphs that:

- state APRA’s authority to make the prudential standard, the date on which the standard commences, and that the standard applies to Level 3 Heads;

- link key terms used in 3PS 221 to their definitions in 3PS 001; and

- provide for APRA to exercise a power or discretion in writing.

Paragraph 6 defines the key term ‘aggregate risk exposures’ and prohibits unlimited exposures to any individual counterparty unless agreed with APRA. The definition of aggregate risk exposure is based on APRA’s definition for large exposures to unrelated counterparties used in other areas of APRA’s prudential framework in relation to Level 1 or Level 2 requirements, extended to the context of a Level 3 group and aggregated across the Level 3 group. An important element of the definition is that the exposures have the potential to result in material losses for the group or an individual prudentially regulated institution in the group.

The scope of risk exposures is broad as it is intended to ensure that the Level 3 Head has a clear understanding of the aggregate of all relevant exposures to external counterparties, regardless of where they are within the Level 3 group and can effectively identify, monitor, report on, and manage those exposures.

Paragraphs 7 to 11 establish high-level requirements for the Level 3 Head with respect to aggregate risk exposures. These requirements include that it must have an aggregate risk exposures policy, and that the Level 3 Head must conduct forward-looking scenario analysis and stress testing of the Level 3 group’s material aggregate risk exposures. The management of aggregate risk exposures must also be a part of the Level 3 group’s risk management framework required by CPS 220.

Paragraph 12 states requirements that apply to the Board of the Level 3 Head in order to provide for sound oversight and governance of aggregate risk exposures via providing oversight of appropriate policies, systems and controls to manage the risks associated with aggregate risk exposures. These requirements are intended to align with the Board’s responsibility for oversight, rather than placing operational responsibilities on the Board.

Paragraphs 13 to 16 provide more specific requirements on the content of the aggregate risk exposures policy, including that the Level 3 Head sets limits on aggregate risk exposures that are commensurate with the group’s risk appetite, and describe the systems for monitoring and reporting on aggregate risk exposures to support the Level 3 Head’s oversight of material risks across the group.

Paragraph 17 sets out the circumstances where APRA may require a Level 3 Head to limit or reduce the Level 3 group’s level of aggregate risk exposure, or determine how a Level 3 Head must calculate an aggregate risk exposure. The paragraph also sets out criteria for APRA to consider when exercising its capacity to impose these requirements on Level 3 Heads.

Paragraphs 18 and 19 set out requirements for a Level 3 Head to communicate with APRA within certain timeframes on any breaches of, changes to, or inadequacies with the aggregate risk exposures policy.

Paragraph 20 is a standard paragraph that appears in all APRA’s prudential standards.

Versions of this standard that were previously circulated for consultation included a paragraph that provided for APRA to impose a supervisory adjustment to the prudential capital requirement for the Level 3 group. However, as APRA has deferred the capital components of the Level 3 prudential framework at this stage, that paragraph has been removed.

iii. Prudential Standard 3PS 222 Intra-Group Transactions and Exposures

3PS 222 requires a Level 3 Head to ensure that associations and dealings within the Level 3 group do not expose prudentially regulated institutions within the group to excessive risk. It adopts the same qualitative, principles-based approach used in 3PS 221, with the policy intent of managing the risk that one institution in the group may compromise the financial or operational position of another institution in the group because of links through intra-group transactions and exposures (ITEs).

Paragraphs 1 to 5 are introductory paragraphs that:

- state APRA’s authority to make the prudential standard, the date on which the standard commences, and that the standard applies to Level 3 Heads;

- link key terms used in 3PS 222 to their definitions in 3PS 001; and

- provide for APRA to exercise a power or discretion in writing.

Paragraph 6 defines the key term ‘intra-group transaction or exposure’ (ITE). The scope of the definition is broad, as it is intended that the Level 3 Head has a clear understanding of all exposures within the group in order to be able to effectively identify, monitor, and report on contagion risks emerging from within the Level 3 group – including from Level 3 institutions that are not regulated by APRA.

Paragraphs 7 to 9 establish high-level requirements for the Level 3 Head with respect to ITEs. These requirements include that it must have an ITE policy, and that the Level 3 Head must conduct forward-looking scenario analysis and stress testing of the Level 3 group’s material ITEs. The management of ITEs must also be a part of the Level 3 group’s risk management framework required by CPS 220.

Paragraph 10 states requirements that apply to the Board of the Level 3 Head in order to provide for sound oversight and governance of ITEs via providing oversight of appropriate policies, systems and controls to manage the risks associated with ITEs. These requirements are intended to align with the Board’s responsibility for oversight, rather than placing operational responsibilities on the Board.

Particular risks may arise when dealing with a related, rather than unrelated, counterparty. To ensure that contractual terms and conditions that are not consistent with arms-length transactions have had adequate oversight, in paragraph 11 APRA requires the Board of the Level 3 Head to approve terms and conditions where a prudentially regulated institution in the group proposes to accept terms and conditions, in dealing with other Level 3 institutions in the group, that are not consistent with terms and conditions that would be negotiated on an arms-length basis.

Paragraphs 12 to 17 provide more specific requirements on the content of the ITE policy, including that the Level 3 Head sets limits on ITEs and describe the systems for monitoring and reporting on ITEs to support the Level 3 Head’s oversight of material risks across the group. The limits on ITEs must be set having regard to limits on exposures to unrelated counterparties under 3PS 221 and APRA expects that the ITE limits are set commensurate with the group’s risk appetite.

APRA recognises that Level 3 groups derive efficiency, consistency and other business benefits from having group-wide operations. However, APRA is concerned that groups may focus on the benefits of such arrangements without adequate regard to understanding or managing the risks of prudentially regulated institutions participating in group-wide operations. Paragraphs 13 and 14 specify requirements for a Level 3 Head to ensure that these risks are identified, understood and managed.

Paragraph 17 sets out the circumstances where APRA may require a Level 3 Head to limit or reduce the Level 3 group’s level of ITEs, or determine how a Level 3 Head must calculate ITEs. The paragraph also sets out criteria for APRA to consider when exercising its capacity to impose these requirements on Level 3 Heads.

Paragraphs 18 and 19 set out requirements for a Level 3 Head to communicate with APRA within certain timeframes on any breaches of, changes to, or inadequacies with the ITE policy.

Paragraph 20 is a standard paragraph that appears in all APRA’s prudential standards.

Versions of this standard that were previously published for consultation included a paragraph that provided for APRA to impose a supervisory adjustment to the prudential capital requirement for the Level 3 group. However, as APRA has deferred the capital components of the Level 3 prudential framework at this stage, that paragraph has been removed.

iv. Prudential Standard 3PS 310 Audit and Related Matters

3PS 310 requires that a Level 3 Head obtains and makes available to APRA independent advice from an auditor relating to the operations, internal controls and information provided to APRA in respect of the Level 3 Head and the Level 3 group. The requirements in 3PS 310 are based on audit requirements that APRA sets for Level 1 and Level 2 institutions in the individual industry prudential standards.

Paragraphs 1 to 6 are introductory paragraphs that:

- state APRA’s authority to make the prudential standard, the date on which the standard commences, and that the standard applies to Level 3 Heads;

- link key terms used in 3PS 310 to their definitions in 3PS 001; and

- provide for APRA to exercise a power or discretion in writing.

Paragraphs 7 to 13 are general requirements relating to the appointment of a group auditor, the terms of engagement of that auditor and the fitness and propriety of that auditor.

Paragraphs 14 to 19 establish responsibilities for the Level 3 Head in relation to the Appointed Auditor and internal audit. These are practical requirements to facilitate the Appointed Auditor or internal auditor in performing their role, and to ensure transparent communication with the Board Audit Committee to facilitate the performance of the Board Audit Committee’s role in governing the audit arrangements of the Level 3 group.

APRA expects an open and productive relationship with the Appointed Auditor and the Level 3 Head in relation to matters covered by 3PS 310. Paragraphs 20 and 21 state APRA’s requirements regarding meetings with, and information provision by, the Appointed Auditor with APRA. For the avoidance of doubt, APRA outlines that meetings may not always include the Level 3 Head, and APRA may choose who attends the meetings related to 3PS 310.

Paragraphs 22 to 23 clarify the material that must be provided to APRA by the Appointed Auditor and that there are circumstances where an Appointed Auditor must not provide material to the Level 3 Head. Paragraph 24 also clarifies that APRA recognises that an Appointed Auditor is likely to consider material produced by APRA in its supervision of the Level 3 group. However, it is not acceptable for the Appointed Auditor to place sole reliance on APRA’s work.

In paragraph 25, APRA recognises that material produced by the Appointed Auditor for the purposes of 3PS 310 may have a dual scope as some requirements relate to the group as a whole, whereas others relate to the Level 3 Head itself. For the avoidance of doubt and to facilitate clarity in communication, APRA requires that the Appointed Auditor must clearly distinguish these differing scopes where relevant in the material it produces.

Paragraphs 26 to 31 set out specific requirements in relation to the reports that an Appointed Auditor prepares on a routine basis or through a special purpose engagement. These requirements cover the content, timeframes and to whom the reports are to be provided.

In the individual industry prudential standards, it is APRA’s practice to specify the particular reporting forms that are to be covered in an Appointed Auditor’s report via an attachment to the prudential standard. A previous version of 3PS 310 that was published for consultation included an attachment. This attachment sets out the proposed specific data collections for Level 3 Heads referred to in paragraphs 27(a) to 27(c), including two proposed reporting forms in relation to capital. However, at this stage there are no specific reporting forms applying to a Level 3 Head and as such, no attachment is provided with 3PS 310. APRA expects to include an attachment to 3PS 310 in the future when reporting requirements for the Level 3 Head relating to capital are implemented.

Paragraph 32 is a standard paragraph that appears in all APRA’s prudential standards.

II. Cross-industry prudential standards

The changes to implement conglomerate supervision for risk management and governance that were published by APRA in August 2014 were implemented for CPS 220 and CPS 510,[6] but have not yet been implemented for CPS 231, CPS 232, or CPS 520. The instruments described in this explanatory statement adopt the policy intent that was published in August 2014[7], with minor amendments to the drafting of the cross-industry prudential standards to provide clarity and ensure the effectiveness of the Level 3 framework.

The cross-industry prudential standards are currently in force, and these instruments make no material changes to these standards except to facilitate their application at Level 2 and Level 3. This explanatory statement is therefore limited in scope to those changes. Further information in relation to each of these prudential standards is available in the explanatory statements attached to the determinations that established each of the above legislative instruments.

Unless specified otherwise, all the paragraph references in this explanatory statement refer to the paragraph numbering in the new cross-industry prudential standards that are to commence on 1 July 2017.

i. Complying with the standards on a group basis

Each of the cross-industry prudential standards has been amended to facilitate the application of the standard to Heads of groups, and clarify how a Head of a group (Level 2 Head or Level 3 Head) must apply the prudential standards to the group. This amendment is located in paragraph 4 of each cross-industry prudential standard.

As the Head of a group is itself an APRA-regulated institution, for avoidance of doubt, paragraph 4(a) requires the Head of a group to comply with the prudential standard in its own capacity as an individual APRA-regulated institution.

Paragraph 4(b) focuses on application of the prudential standard at the level of individual institutions within the group, including institutions that are not APRA-regulated. It requires the Head of a group to determine an appropriate application of the prudential standard for each institution in the group and ensure that the requirements are effected by those institutions. In particular, for institutions in the group that are not APRA-regulated, the Head of the group must determine whether and how to apply each standard appropriately to those institutions.

Paragraph 4(c) focuses on group-wide application of the prudential standard, rather than individual institution-level application. It requires the Head of a group to ensure that the group arrangements required under the prudential standard meet the requirements of the standard.

Paragraph 4 also establishes the paragraphs that, when applied on a group basis, must be interpreted differently in relation to group arrangements. APRA provides specific instructions on how to read certain terms in those circumstances. For only these paragraphs, and only when applying the standard on a group basis (i.e. when complying with 4(c)), the term ‘APRA-regulated institution’ refers to ‘Head of a group’, and the term ‘institution’ refers to ‘group’. This drafting aligns the requirements for group arrangements with arrangements for individual APRA-regulated institutions, but allows the scope of those requirements to be read in two distinct ways (the individual basis and the group-wide basis).

Consequently, throughout the cross-industry prudential standards the term ‘APRA-regulated institution’ has replaced the term ‘institution’, and vice versa, or the term ‘APRA-regulated institution’ or ‘institution’ has been added or removed, in paragraphs where it is necessary that the requirement be read at both the individual level and group-wide level.

ii. Definitions

Minor amendments have been made to the ‘interpretations’ section of each cross-industry prudential standard. These amendments have been made to facilitate application to Level 2 groups and Level 3 groups.

The instruments amend each cross-industry standard to include a reference to 3PS 001, so that key terms that are defined in 3PS 001 can be used without ambiguity throughout all the cross-industry prudential standards. Further, the instruments for CPS 231, CPS 232 and CPS 520 amend the interpretations section of each prudential standard to include the following definitions: group, Head of a group, Level 2 group, and Level 2 Head. For CPS 220 and CPS 510, these definitions have been updated to ensure consistency in language and presentation of the requirements across the cross-industry prudential standards, but there have not been changes to the substance of these definitions.

iii. Additional requirements of the Head of the group

APRA has amended the existing ‘Requirements of the Head of a group’ section in CPS 220 and CPS 510 to more clearly indicate which requirements are applicable to Heads of groups on a group basis, and to implement specific requirements that only apply to the Head of a group. For CPS 231, CPS 232 and CPS 520 APRA is introducing these provisions (under the heading ‘Additional Requirements of the Head of a group’) for the first time.

The instruments achieve this objective by aggregating the key requirements of the Head of a group into one section in each cross-industry prudential standard. The title of this section in each standard is ‘Additional requirements of the Head of a group’.

Where the instruments implement a requirement that is applicable to a Head of a group on a group basis, the paragraph will typically state the nature of the requirement (e.g. a group policy or group committee) required by the standard, as well as the paragraphs in the prudential standard that apply on a group basis in relation to that requirement. For example, see paragraph 14 of CPS 220:

As part of the group risk management framework (see paragraphs 19 to 25), the Head of a group must maintain processes to coordinate the identification, measurement, evaluation, monitoring, reporting, and controlling or mitigation of all material risks across the group, in normal times and periods of stress. The Head of a group must ensure its Board has a comprehensive group-wide view of all material risks, including an understanding of the roles and relationships of subsidiaries to one another and to the Head of a group.

iv. Requirements for the board

APRA consulted with industry on Improving APRA’s board engagement in October 2014 and has stated in its August 2015 response to industry[8] that it will make amendments to improve the clarity of board requirements in response to issues raised in submissions to that consultation. These amendments clarify that the role of the board is to provide oversight of matters in relation to the APRA-regulated institution and/or the group, rather than assume responsibilities that would normally be assigned to management.

Consequently, changes have been made to the following:

- paragraphs 22 and 35 of CPS 231 have been amended;

- paragraphs 12 and 18 of CPS 232 have been amended;

- paragraph 9 of the previous version of CPS 232 has been amended and merged into paragraph 10;

- the new paragraph 13 of CPS 510 includes clarifications of the role of the Board;

- paragraphs 14, 16, 18, and 106(b) of CPS 510 have been amended; and

- for CPS 232 and CPS 510, the explanatory material at the front of the prudential standard (the ‘grey box’) has also been amended.

v. Minor amendments

These instruments also implement minor changes across the cross-industry prudential standards. These changes include:

- removing all remaining references to the Level 3 capital standards;

   - removed paragraphs 10 and 12 from the previous CPS 220 and CPS 510; and

   - removed a reference to Prudential Standard 3PS 110 Capital Adequacy in footnote 7 to paragraph 23(f) of CPS 220;

- simplifying expressions such as ‘develop and maintain’ or ‘have and maintain’ to ‘maintain’;

   - in CPS 220: Paragraphs 14, 17, 19, 27, 37(a), and the grey box;

   - in CPS 231: Paragraph 16 and the grey box;

   - in CPS 232: Paragraph 11 and the grey box;

   - in CPS 510: Paragraphs 11, 51, and 85; and

   - in CPS 520: Paragraphs 12 and 17;

- changes to the ‘Authority’ section (paragraphs 1(a) to 1(c)) to remove unnecessary detail;

- changes to the ‘Application’ section (paragraphs 2(a) to 2(c)) to clarify the kinds of institutions that are covered by the term ‘APRA-regulated institution’;

- inserting a footnote (footnote 1 to paragraph 2) to clarify that the cross-industry prudential standards do not apply to RSE licensees;

- simplifying the ‘determinations made under previous prudential standards’ paragraph at the end of each cross-industry prudential standard; and

- changing the grey box for each cross-industry prudential standard to include information about the standard’s application to Heads of groups.

vi.                CPS 220

The instrument implements a number of minor changes to CPS 220:

-          the heading ‘Group risk management’ has been changed to ‘Use of group risk management by an APRA-regulated institution’ to indicate that the requirements in that section apply to individual APRA-regulated institutions that use the group risk management arrangements provided for by CPS 220;

-          amended footnote 6 of paragraph 23(f) to clarify that a Level 3 Head is not required to have a group ICAAP;

-          replaced the word ‘identified’ with ‘required’ in paragraph 35;

-          amended footnote 7 of paragraph 35(f) to include the Banking Regulations 1966 in the definition of ‘prudential requirements’;

-          amended the existing requirement in paragraph 51 to submit the risk management declaration to APRA so that ADIs, authorised banking NOHCs that are not a disclosing entity within the meaning of the Corporations Act 2001, and Level 3 Heads submit the risk management declaration within four months, and all other APRA-regulated institutions within 3 months of its annual balance date; and

-          moved the requirement to submit the group liquidity management policy to APRA from paragraph 52 to paragraph 17.

vii.              CPS 231

The instrument implements a number of other minor changes to CPS 231:

-          amended paragraph 12 to clarify that offshoring only occurs when a Level 2 or 3 institution engages with a service provider that is overseas to that Level 2 or 3 institution;

-          amended paragraph 15 to include the risk management function as a material business activity;

-          amended paragraph 26 to clarify APRA’s policy intent regarding the process for selecting service providers and the due diligence review of the chosen service provider;

-          amended footnote 8 to paragraph 26 that defines the term ‘third party’ for the purposes of CPS 231;

-          amended paragraph 29 to include two new requirements with respect to the outsourcing agreement that relate to the form, ownership and control of data, and reporting requirements;

-          amended paragraph 33 to clarify APRA’s policy intent where an APRA-regulated institution invokes the institution’s Business Continuity Plan (BCP) and enters into a new outsourcing agreement following the sudden failure of an existing service provider;

-          amended a reference to CPS 510 in paragraph 44; and

-          made a consequential amendment to paragraph 46 to avoid duplication with paragraph 8.

viii.            CPS 232

The instrument implements several new requirements:

-          a new paragraph 15 in CPS 232 to clarify the responsibility of the group internal audit function or an appropriate external expert to review the group BCP and provide an assurance to the Board of the Head of the group (or delegated management) on specified matters on a group basis.

-          a new paragraph 23 that requires the Board to approve the Business Continuity Management (BCM) policy. In the case of the group BCM policy, the approval must come from the Board of the Head of the group.

-          a new paragraph 33 that requires APRA-regulated institutions to satisfy themselves of the adequacy of an outsourced service provider’s BCP, and to consider any dependencies between the service provider’s and their own BCP where material business activities are outsourced. This requirement also applies on a group basis, requiring the Head of the group to be satisfied with respect to the group BCP and outsourcing arrangements that are material to the group.

The instrument also implements a number of other minor changes to CPS 232:

-          removed references to ‘crisis management and recovery’ in paragraph 22, to avoid any ambiguity regarding the scope of CPS 232;

-          clarified footnote 6 to paragraph 30 regarding the use of multiple BCPs to meet the requirements of the standard;

-          amended paragraph 38 to clarify that external experts that are used to review the BCP and provide assurance to the board must have the appropriate expertise; and

-          amended footnote 8 to paragraph 39 to include a reference to 3PS 310 and to state the full title of Prudential Standard APS 310 Audit and Related Matters in place of its abbreviated form.

ix.                CPS 510

The instrument implements a number of minor changes to CPS 510:

-          corrected paragraph 9 with minor changes to improve the clarity of the paragraph;

-          corrected paragraphs 42 and 43 and their respective headings to more accurately reflect the definitions of key terms such as ‘group’, and the scope of application (i.e. to locally-incorporated APRA-regulated institutions);

-          amended paragraph 57(a)(ii) to make a clearer and more accurate reference to paragraphs 9(a) to 9(e) of CPS 510;

-          amended a reference to the Corporations Act 2001 in paragraph 92;

-          corrected references to CPS 220 and Financial Sector (Collection of Data) Act 2001 (FSCODA) in footnotes 14 and 16;

-          minor corrections to footnotes 19, 20, and 23; and

-          corrected a reference to FSCODA in paragraph 25(g) of Attachment B.

x.                  CPS 520

The instrument implements several new requirements and material amendments to existing requirements:

-          a new paragraph 19, which clarifies the circumstances in which the Head of a group must notify APRA with respect to its responsible persons. The paragraph provides that these notifications must only be made if another APRA-regulated institution in the group has not already notified APRA, so as to avoid duplicate reporting.

-          a new paragraph 20(g), which establishes that the scope of ‘responsible persons’ includes those that are responsible persons in relation to a group. The criterion for whether a person is a responsible person in relation to a group is whether the person’s activities may materially affect, either directly or indirectly, the whole, or a substantial part, of the business or financial status of the group.

-          an amendment to an existing requirement in paragraph 43 to require a fit and proper assessment of individuals that APRA has determined under paragraph 22 to be responsible persons.

-          a number of amendments to paragraphs 50 to 55 in relation to whistleblowing to clarify APRA’s requirements. This includes an updated requirement that the Heads of groups and APRA-regulated institutions must ‘explain’ the whistleblower provisions of their Fit and Proper Policy and the associated procedures to directors and employees, where the existing requirement only requires those details to be ‘communicated’. These changes do not reflect a change in APRA’s policy position on whistleblowing. Instead, they reflect APRA’s expectation that Heads of groups and APRA-regulated institutions take reasonable steps to inform directors and employees of the whistleblower provisions of the Heads of groups’ and APRA-regulated institutions’ Fit and Proper Policy and the associated procedures.

The instrument also implements a number of other minor changes to CPS 520:

-          amended paragraph 21 to facilitate the application of the standard to Level 3 Heads;

-          amended paragraph 32(c) to restrict individuals from being considered fit and proper to be an auditor if they are the Chief Executive Officer or a director of the APRA-regulated institution or a related body corporate;[9]

-          amended paragraphs 39 and 40(b) to improve the clarity of the policy intent;

-          amended paragraph 57 to align the responsible person reporting requirements in CPS 520 with those in Prudential Standard SPS 520 Fit and Proper; and

-          amended paragraph 2 of each attachment to clarify the intention that the attachments do not apply to RSE licensees.

3.      Consultation

APRA undertook extensive consultation on its proposed supervisory framework for conglomerate groups from 2010 to 2016. Submissions were received from, and discussions held with, the eight conglomerates that APRA had initially signalled as being the likely Level 3 groups, other institutions regulated by APRA (including groups regulated at Level 2), and industry bodies.

The consultation process was aimed at ensuring that the adoption of the proposed non-capital components of the Level 3 framework would maintain the integrity of the prudential regime whilst remaining relevant to industry.  The consultation also ensured clear communication with industry on the main changes proposed and took into account practical implementation issues.

The consultation process raised a number of issues across the group governance, risk management, risk exposures, and capital adequacy elements of the Level 3 framework.  

A number of public discussion and response papers (with draft standards) were released during the consultation period:

-          March 2010: Discussion paper – Supervision of conglomerate groups;

-          December 2012: Supervision of conglomerate groups (Level 3) - Group governance and risk exposures;

-          May 2013: Supervision of conglomerate groups (Level 3) - Risk management and capital adequacy;

-          September 2013: Supervision of conglomerate groups (Level 3) - Draft reporting requirements;

-          August 2014: Supervision of conglomerate groups (Level 3) - Prudential standards and draft guidance; and

-          March 2016: Supervision of conglomerate groups (Level 3) - Non-capital requirements.

Further information concerning consultation on the making of these instruments is contained in the attached Regulation Impact Statement, and in APRA’s response letter to industry on the implementation of the non-capital components of the conglomerate supervision framework.[10]

4.   Regulation Impact Statement

APRA prepared a Regulation Impact Statement which has been lodged as supporting material.

5.   Statement of compatibility prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011

A Statement of compatibility prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011 is provided at Attachment A to this Explanatory Statement.



[5] See definition under the heading “i. Prudential Standard 3PS 001 Definitions” below.

[6] These changes were implemented through Banking, Insurance and Life Insurance (prudential standard) determinations Nos. 3 and 4 of 2014.

[9] N.B. this restriction only applies to assessments of fitness and propriety of auditors required under the prudential acts – see paragraphs 17(2)(b) and 21(3)(b) of the Banking Act; paragraphs 39(3)(a), 43(2)(b) and 44(3)(b), and subparagraph 44(1)(a)(ii) of the Insurance Act; and paragraph 245A(3)(b) of the Life Insurance Act.