Raising the bar: APRA’s enhanced governance proposals

APRA’s judgement is that the overall quality of governance in regulated entities has improved since the Hayne Royal Commission. However, poor practices remain in some areas:

• Seventy-eight per cent of entities are currently subject to heightened supervision by APRA and have underlying governance issues.

• Almost all APRA’s enforcement actions since 2018, identify risk governance and cultural failings as the main underlying driver.

In APRA’s experience, well-governed entities are more resilient in times of stress, more agile in times of change and demonstrate more sophisticated risk judgement. Boards play a central role in ensuring good governance by setting the strategic direction, culture and risk appetite of an institution, and holding management to account.

There are real regulatory consequences for failings in governance. APRA has imposed capital overlays on seven banks and five insurers, imposed additional licence conditions on 13 separate occasions for Registrable Superannuation Entities (RSE) licensees and accepted seven court enforceable undertakings primary due to weakness in governance.

APRA proposes eight changes to strengthen APRA’s core prudential standards and guidance on governance (currently set out in CPS 510 and SPS 510 Governance, CPS 520 and SPS 520 Fit and Proper, and SPS 521 Conflicts of Interest).

The existing cross-industry standards were first introduced in 2012. Much has changed for Australian banks, insurers and superannuation entities since then. Assets held by APRA-regulated entities have grown from $4.2 trillion to $9.1 trillion. Assets held by APRA-regulate superannuation entities have grown 224%. As well as having responsibility for an increased asset base, boards of APRA-regulated entities are also facing emerging risks including growing operational and cyber risks.

The proposals are expected to involve greater cost implications for small to medium-sized APRA regulated entities, which normally have weaker governance practices relative to larger, more well-capitalised and sophisticated entities which will typically have uplifted their governance practices over time. APRA has sought to apply a proportionate approach with three of the proposals involving fewer requirements for non- significant financial institutions (non-SFIs).

Require regulated entities to: 

a.     identify and document the skills and capabilities necessary for the board overall, and for each individual director

b.     evaluate existing skills and capabilities of boards and individual directors 

c.     take active steps to address gaps through professional development, succession planning and appointments. 

Current requirements

Prudential standards CPS 510 and SPS 510 currently require boards collectively to have the necessary skills, knowledge and experience to manage regulated entities appropriately. While boards must evaluate collective performance on an annual basis, there is no requirement to set minimum standards for individual directors or respond to any shortcomings.

At present, regulated entities have substantial discretion in terms of how they define skills and capability needs and the extent to which they assess whether boards and directors meet these requirements. APRA has observed, for example, that entities may adopt a vague or narrow view of the necessary skills and capabilities and may not verify them or rely too heavily on director self-assessments. These types of deficiencies are more common in smaller banks and part of the superannuation sector. For example, a 2021 cohort-based thematic review of mutual banks found that almost 50% of boards had no directors or only one director with contemporary industry experience.

Rationale for the proposal

Proposal one will require regulated entities to clearly identify and document a skills matrix which will contain specific expectations for the chair, chair of board committees and individual directors. Skills should be measurable and verifiable and behavioural attributes observable. APRA is also seeking, via updates to associated prudential guidance, to require firms to demonstrate to APRA that they are taking active steps to remedy gaps including via professional development, succession planning and new appointments.

Neither proposal one nor proposal two would involve changes to the equal representation model under which employer and employee groups have the right to nominate directors to some RSE licensee boards. The equal representation rule is enshrined in section 89 of the Superannuation Industry (Supervision) Act 1993 (Cth) (SIS Act). It requires that employer-sponsored superannuation funds have an equal number of employer and member representatives on the board. Section 89(2) allows for an independent director to be appointed, at the request of either employer or member representatives.

Insights

Many of the largest banks, insurers and superannuation trustees have been uplifting their governance arrangements as part of their program of work to implement the Financial Accountability Regime (FAR). FAR commenced for banks on 15 March 2024 and commenced for insurers and superannuation trustees on 15 March 2025.

Many APRA-regulated institutions already have a skills matrix for directors, though often requiring enhancement for sufficient coverage of skills and experience across all core parts of the operations of an entity, including material risk classes. This has been particularly important as many institutions have modernised their risk management frameworks, including risk classes, to better articulate their non-financial risks.

Some entities have also made enhancements to their arrangements for assessing board, board committee and individual chair and director performance. For example, self-assessment questionnaires have been uplifted to better reflect regulatory expectations of board performance as these are articulated in a variety of publications.

One of the most difficult areas to navigate is the equal representation rule applicable to industry superannuation funds. Often employer and member representatives will wish to have complete discretion in relation to who they nominate to represent them on the trustee board. A sample of industry super funds shows in more than 50% of cases, the full board did not have overriding discretion to refuse to appoint an individual as a director, on the basis that the appointment would not enable the Board to have the full range of skills and capabilities required to manage the regulated entity effectively. Well-developed board renewal processes will resolve these types of issues.

Require regulated entities to meet higher minimum requirements to ensure fitness and propriety of their responsible persons. 

Require SFIs, and non-SFIs under heightened supervision, to engage proactively with APRA on potential appointments.

Current requirements

Fit and proper requirements are contained in CPS 520 Fit and Proper and SPS 520 Fit and Proper.

Entities must have policies and procedures for determining the fitness and propriety of so-called ‘responsible persons’, including directors, senior managers and certain other individuals prescribed by industry legislation, including auditors and actuaries. There is currently no requirement in the relevant prudential standards for regulated entities to consider important matters such as time capacity to fulfill the role, all criminal offences or reputational risk.

Rationale for the proposal

APRA has observed weaknesses in certain entities approaches to assessing fitness and propriety, including a focus on process compliance rather than outcomes, little consideration of the capacity of directors to balance multiple roles, and limited verification including excessive reliance on self-assessment and other ‘light touch’ checks.

Proposal two will strengthen baseline expectations for fitness and propriety by:

• Reinforcing entities’ responsibility for outcomes, as well as following a robust process set out in their fit and proper policy

• Being more specific about what fit and proper means and the need to verify conclusions. APRA will update guidance including on criminal and civil findings against individuals as well as character or regulatory references

• Clarifying triggers for fit and proper reassessment, for example, there are grounds to believe that an individual is not meeting their obligations under FAR

• Requiring regulated entities to notify APRA when concerns arise that may reasonably impact a person’s fitness and propriety, even before a determination has been reached.

The proposed reference to regulatory references would bring Australia into line with other jurisdictions. For example, under the UK’s Senior Managers Regime, regulated entities seeking to appoint an individual to a controlled function (conceptually similar to the role of a responsible person) must take reasonable steps to acquire a regulatory reference from the prior employer (if a regulated firm) in the prescribed format and within a set time.

More involvement by APRA in appointment process

APRA does not have the legislative power to approve or veto appointments but is seeking to heighten its oversight of the suitability of individuals in responsible person roles. In the discussion paper, APRA notes that it will use the broad and general obligation under FAR for regulated entities to take reasonable steps to deal with APRA in an ‘open, constructive and cooperative way’ to:

• Enable APRA to require an entity-led reassessment if concerns about a candidate for a responsible person role are not addressed in a timely manner.

• Require SFIs, and non-SFIs subject to heightened supervision, to keep APRA informed of succession plans and nominations prior to appointment or public announcement.

• In prudential practice guide, note that APRA may request an interview (on an exceptions basis) with any candidates for responsible persons roles, prior to appointment or reappointment.

The use of this general obligation would allow APRA to have closer supervision of all responsible persons at a regulated entity, not just accountable persons (who are a sub-set of responsible persons).

Reflecting a much more active and interventionist approach, APRA will share its views on the fitness and propriety of candidates for responsible person roles with regulated entities. If the entity does not act to address APRA’s concerns, this will ‘inform the intensity of APRA supervision’. For example, APRA may trigger a reassessment of the individual’s fitness and propriety if they are already in a responsible person role or may otherwise use its supervisory or enforcement powers.

While APRA will continue not to have the statutory power to veto appointments, in practice it would be unlikely that many regulated entities would face up to a combative regulator that forms the view that a candidate is not appropriate for the role.

Insights

The obligation under FAR on entities, and individually on directors and senior executives (referred to as accountable persons under FAR) to deal with APRA and ASIC in an ‘open, constructive and cooperative way’ has never been tested in the Australian courts. It is derived from the equivalent obligation in the Senior Managers and Certification Regime and its predecessor, the Approved Persons Regime, in the United Kingdom. In that context it has been interpreted to require an individual to, among other things:

• Tell a regulator information of which the relevant person was aware in response to questions from a regulator.

• Respond accurately to questions put by the regulator as to a borrower’s income during a mortgage fraud investigation when the borrower was the approved person concerned.

• Inform a regulator of a breach of the capital adequacy rules.

• Give a regulator appropriate documents or information when requested within the stipulated time-limits.

The obligation has not been interpreted to require an individual to whistle blow to the UK regulator. There are other obligations on entities and senior managers in the UK, which requires an entity and senior manager to disclose appropriately any information of which the regulator would reasonably expect notice. At the time of introducing the Banking Executive Accountability Regime (BEAR), being the predecessor to FAR for the banking industry, a conscious decision was made not to introduce corresponding accountability obligations in BEAR and FAR.

APRA’s proposed reliance on the obligation as, in effect, a regulatory directions power to require an entity to conduct a re-assessment of the fitness and propriety of proposed candidate for a responsible person role where concerns about the candidate are not addressed in a timely manner would be a novel interpretation of the obligation. It seems likely that entities will disagree with the regulator on the proper scope of the obligation.

As the concept of a ‘responsible person’ is enshrined in legislation, APRA does not propose in the Discussion Paper to remove the concept and replace it with solely ‘accountable persons’ under FAR. Unfortunately, industry will need to continue to comply with relevant obligations for both types of regulated persons. Albeit, this burden should be minimised given the degree of crossover between responsible persons and accountable persons.

Extend current RSE licensee conflict management requirements to banks and insurers so they are also required to:

a.     proactively identify actual and potential conflicts of interest and duty

b.     avoid or prudently manage conflicts

c.     take remedial action when conflicts are not disclosed or managed properly.

Require regulated entities to consider perceived conflicts, in addition to actual and potential conflicts. 

Current requirements

Banks and insurers have different conflict management prudential obligations to RSE licensees. The risk management standard CPS 220 requires bank and insurer risk management policies and procedures to include a process for identifying, monitoring and managing potential and actual conflicts of interest. RSE licensees are subject to a separate standard on conflicts of interest (APRA Prudential Standard SPS 521 Conflicts of Interest (SPS 521)) which incorporates additional requirements, including to identify ‘relevant duties’ and ‘relevant interests’, which may not always amount to a conflict of interest.

Banks, insurers and super trustees that have an Australian Financial Services Licence are separately required to comply with the obligation in section 912A(1)(aa) of the Corporations Act to have adequate arrangements for the management of conflicts of interest that may arise in the provision of financial services. ASIC Regulatory Guide 181 Licensing: Management conflicts of interest (RG 181) outlines ASIC’s expectations relating to conflicts. Among other things, RG 181 emphasises the importance of monitoring compliance with conflicts management arrangements and taking appropriate action in response to breaches.

Across all three industries, there are no requirements in the prudential standards or the Corporations Act covering perceived conflicts. Nor is there any explicit obligation to have regard to reputational risk. For example, RG 181 refers only to actual, apparent and potential conflicts of interest.

Rationale for the proposal

APRA has observed weaknesses in entities identification and treatment of conflicts. Common weaknesses relate to personal financial dealings of responsible persons, directors performing multiple roles within a group, relationships with suppliers and personal affiliations. 

To address these weaknesses, proposal three will apply one single cross-industry set of requirements that incorporate the higher requirements in SPS 521. APRA also proposes to strengthen these requirements by incorporating some material that is currently in guidance into obligations. This includes guidance that as well as actual conflicts, potential or perceived conflicts and conflicts that affect the reputation of the business should be actively managed.

Insights

As noted by  Partner Luke Barrett in the Financial Standard, a “perceived conflict of interest isn’t necessarily a real one. If there were an actual conflict there's already an obligation to manage it. So, when a regulator talks about factoring in perceived conflicts, care needs to be taken that we're not opening the door to far-fetched, fanciful considerations”.

In the superannuation context, we have observed that there is scope for entities to better identify and distinguish between relevant duties and relevant interests, and conflicts of interest.

While SPS 521 requires superannuation entities to publicly disclose their registers of duties and interests, there are compelling reasons why this compliance burden should not be extended to banks and insurers, including the following:

• The nature of business operations in banks and insurers differs significantly from that of RSE licensees. The fiduciary responsibilities and the types of conflicts that arise in superannuation funds are distinct, and the same level of public disclosure may not be as relevant or beneficial in the context of banking and insurance.

• Banks and insurers often engage in highlight competitive markets where strategic information, including the duties and interests of key personnel, could be commercially sensitive.

• There is a risk that public disclosure without adequate context might lead to misinterpretation by the public, investors or media, potentially causing unwarranted reputation damage. The public may lack the expertise to accurately interpret the disclosed information, leading to misunderstandings and potentially causing unnecessary concern.

• The requirement for public disclosure might deter qualified individuals from serving on the boards of banks and insurers due to concerns about privacy and the potential for public scrutiny of their personal and professional interests. Board members might become overly cautious in their decision-making to avoid any potential conflicts.

Strengthen independence on regulated entity boards of banks and insurers by:

a.     Requiring that at least two of their independent directors (including the chair) are not members of any other board within the entity’s group.

b.     Making minor amendments to the independence criteria, including extending the prohibition on directors who are substantial shareholders in a regulated entity or group from being considered independent, to include material holdings of any type of security.

c.     Extending the current requirement for bank and insurer boards to have a majority of independent directors to include boards of entities with a parent that is regulated by APRA or an overseas equivalent.

Note: this proposal relates only to banking and insurance entities. The definition of independence for RSE licensees is prescribed by legislation.

Current requirements

APRA prudential standard CPS 510 requires boards of banks and insurers to have an independent chair and a majority of independent directors. CPS 510 also allows the independent directors on the board of the parent company or its other subsidiaries to sit as independent directors on the board of the regulated entity. 

Rationale for the proposal

APRA considers CPS 510 does not currently take into account the potential for conflict between the interests of different group entities. Where group interests are not well aligned, there is a much higher risk of conflict between the regulated entity and other group entities. In addition, while CPS 510 prohibits directors who are substantial shareholders in a regulated entity or group from being considered independent, it does not acknowledge that holding other types of securities may create similar conflicts which may interfere with a director’s judgement. 

To address the potential for group conflicts, APRA proposes to mandate that on each regulated entity board, at least two of the independent directors (including the chair) must not be directors on any other board within the relevant group. APRA is also proposing to update the criteria in Attachment A of CPS 510 to acknowledge that substantial debt holders, for example, may be subject to the same influence as substantial equity holders.

Insights

For some time now, APRA Supervisors have expressed concern regarding conflicts of interest that may have an adverse impact on an APRA-regulated entity’s ability to be well governed. This is reflected in APRA’s supervisory enquiries of entities relating to their management of conflicts of interests where they are part of a broader group. APRA has requested that some parent companies of banks and insurers register with APRA as non-operating holding companies, that would have the effect of expanding APRA’s regulatory remit over such entities. Such requests are often prompted by concerns of unregulated parent companies influencing boards and executives of regulated subsidiaries in a manner that is not fully consistent with APRA administered laws. Where parents are not non-operating holding companies, we have observed APRA making enquiries on regulated entities’ conflicts of interest management arrangements.

While not explicitly stated in the Discussion Paper, we expect (and APRA has confirmed verbally)  APRA’s proposal that all subsidiaries of APRA regulated entities have a majority of independent directors is intended to refer to solely APRA-regulated subsidiaries, rather than all subsidiaries. If not, the proposal would not be workable for some large corporate groups with numerous subsidiaries.

Require SFIs to commission a qualified independent third-party performance assessment at least every three years which covers the board, committees and individual directors.

Current requirements

APRA standards require boards of all regulated entities to have procedures for assessing board and individual director performance at least annually. 

Rationale for the proposal

APRA’s supervisory experience is that board performance assessments vary substantially in scope and depth. Some reviews are thorough and forward-looking, while others lack rigour and credibility.

While this proposal is limited to SFIs, APRA still expects non-SFIs to improve the overall quality and rigour of their annual performance review.

APRA proposes SFI triennial external reviews would cover, at minimum:

• board, committees and individual director performance

• engagement between directors and senior management

• the chair’s effectiveness

• board and committee workloads and meeting cadence

• quality of reporting to enable risk-based decision-making and oversight

• conflicts management

• strategic alignment of the skills matrix and gap analysis against current state

• effectiveness of overall decision-making.

Insights

APRA’s proposals reinforce existing regulatory publications on better governance practices. The report on APRA’s Prudential Inquiry into the Commonwealth Bank of Australia already outlines many of the better practices that APRA is now seeking to enshrine in its Prudential Standards. Entities who conducted a thorough self-assessment against the findings in the report, will have established arrangements to meet these practices. With that said, many institutions are likely to have further work to do.

Define APRA’s core expectations of the board, the chair and senior management.

Provide additional guidance on which APRA requirements may be delegated to board committees and senior management.

Current requirements

The high-level definition of the role of the board of a regulated entity (‘the board is ultimately responsible for the sound and prudent management of the institution’) is in stark contrast to other relevant standard setters such as the Basel Committee on Banking Supervision, International Association of Insurance Supervisors and the ASX Corporate Governance Council which provide detailed guidance on the roles of the board.

Rationale for the proposal

APRA is concerned that board agendas are overweight in terms of operational matters. APRA’s governance thematic review found that many boards were spending less than 30% of their time on forward-looking strategy and risk oversight. To address these problems, APRA will articulate via associated guidance the responsibilities of the board to expressly include:

• articulating the purpose and values of the entity, and desired culture

• overseeing development, approval and execution of the entity’s strategy, objectives and risk appetite

• overseeing the effectiveness of governance and risk management frameworks

• providing leadership and constructive challenge to senior management.

APRA also proposes to identify the core responsibilities of the chair in prudential standards to include culture, board performance and fit and proper assessments.

In a welcome statement, APRA also stated in the discussion paper that the regulator is open to specific examples of processes and policies APRA has assigned to the board, which would be appropriate for delegation to board committees or senior management. This should shave pages off the typical board pack.

Insights

Having implemented FAR for more than 30 institutions (ranging from Big 4 banks, major insurers and superannuation entities, and mid-sized customer owned and foreign institutions), there can be no doubt that the vast majority of institutions are clear on the role of the board. This is often reflected in the accountability statements of directors and in board and board committee charters.

With that said, we observe many board and board committee charters require uplift or modernising for the current regulatory environment. Entities did the deeper work to improve governance, risk management and compliance arrangements as part of their implementation of FAR (in order to minimise potential exposures under the regime), have already enhanced their board and board committee charters (in addition to making a range of other governance enhancements).

Many boards struggle with the operational burden of approving the myriad of policies an organisation is required to have. By the time policies reach the board for approval, there is often little time for more than a relatively superficial review of the documents.

Allowing boards to delegate approval to board committees and/or senior management, with appropriate oversight, will lighten the load and enable board time to be more focused on the key strategic and risk issues facing APRA-regulated institutions. See below for more on APRA’s views on the role of board committees.

Extend the current requirement for bank and insurer boards to have separate risk and audit committees, to apply to SFI RSE licensees as well. Repeal this requirement for non-SFI banks and insurers, allowing flexibility for smaller entities.

Mandate that only full board members can be voting members of APRA-required board committees.

Current requirements  

APRA currently requires banking and insurance boards to maintain separate risk and audit committees. RSE licensee boards are only required to have an audit committee, whose responsibilities include risk. There is no requirement for a separate risk committee. 

For all industries, there are no provisions that prevent non-board members of board committees, such as external advisers, from voting on committee matters.

Rationale for the proposal

APRA notes that, despite not being required to, most RSE licensees have already established separate risk committee. In some instances where there is no separate risk committee, APRA has observed weaker risk oversight and risk capability.

APRA has also observed the practice of external experts joining board committees of RSE licensees. APRA is not opposed to external advisers attending and advising committees but considers it important these advisers will not be full voting members and not be relied upon to resolve board skill gaps.

Recognising the cost of having a separate audit and risk committee for smaller entities (non-SFIs), APRA propose to remove the current requirement for all bank and insurers to separate these committees. APRA also proposes to create a level playing field by also extending the requirement for separate committees to RSE licensees that are SFIs.

Further, APRA proposes to specify that only full board members can be voting members of APRA-mandated committees. 

Impose a lifetime default tenure limit of 10 years for non-executive directors at a regulated entity. 

Require regulated entities to establish a robust, forward-looking process for board renewal.

Current requirements  

APRA standards require boards to have a formal policy on board renewal. Requirements for RSE licensees are more prescriptive, with SPS 510 mandating that policies must state maximum tenure limits. The associated guidance states that APRA expects there are limited circumstances in which tenure limits beyond 12 years would be appropriate.

Rationale for the proposal

In APRA’s view, limits of director tenure are an important part of good governance. Well managed turnover of directors facilitates stability, continuity and expertise – while also promoting fresh ideas and renewal. Across the approximately 1,500 non-executive directors at APRA regulated entities, 200 directors have a tenure of greater than 10 years, including almost 150 directors with tenure greater than 12 years. This does not account for instances in which a merger has effectively ‘reset the clock’ for director tenure. 

In its most controversial proposal, APRA proposes to introduce a 10-year lifetime tenure limit. APRA acknowledges the trade-offs associated with this proposal given that many director of long tenure are highly experienced and make a strong contribution. APRA will, on a case-by-case basis, grant a two-year extension in limited and exceptional circumstances.

Without mentioning any superannuation funds by name as the catalyst for APRA’s stance on tenure, last year the regulator imposed additional licence conditions on the $94 billion Cbus Super and the Queensland-based BUSSQ Super (both affiliated with the CFMEU) over concerns including propriety of board appointments and director skills assessments.

Without citing which literature, APRA states that a 10-year tenure limit is consistent with ‘contemporary governance benchmarks and relevant literature’. APRA acknowledges this proposal would take Australia out-of-step with other jurisdictions, but APRA considers this limit necessary as it does not have the formal power to address tenure through the reappointment process (for example, UK, Singapore and the Republic of Ireland regulators must approve appointments).

With respect to board renewal, APRA proposes to extend the current prudential requirements to explicitly require:

• Consideration of the full cycle from nomination and appointments through to succession planning.

• Detail on director nominations, appointment process, length of term and maximum number of terms.

• How results of board and director performance assessments will feed into succession planning and renewal. 

According to the AFR, APRA’s proposal would result in a quarter of directors being in breach of the 10 year limit.

Insights

An alternative approach would be for APRA to adopt a similar requirement as found in the ASX corporate governance guidelines where directors would need to explain if (and how) they remain independent after certain periods on the same board, for example, every three years. This approach, when combined with the higher levels of accountability applicable across all APRA-regulated entities because of FAR and the other proposals put forward by APRA, represents a better way forward for board effectiveness and renewal.

Foreign APRA-regulated entities with branches in Australia

There is no meaningful discussion in APRA’s paper on how the proposed reforms relating to boards and directors would apply to APRA-regulated branches of foreign entities. In place of a board, such entities identify a Senior Manager Outside Australia (SOOA) with delegated authority from the Board for overseeing the Australian branch operation. Such individuals typically occupy an executive management role in the global or Asia-Pacific division of the group, often with responsibilities related to multiple entities in the group. It is not clear, for example, whether such individuals would be subject to the proposal relating to board tenure.

The consultation presents an opportunity for such branches to make submissions on the sensible application of the proposed reforms to their operations.