APRA addresses remuneration disclosure and operational risk management across industries
APRA has already begun to deliver on the strategic priorities it shared in August 2021 to preserve the resilience of banks, insurers and superannuation funds, focusing on several areas, including remuneration and accountability.
The regulator recently released new prudential requirements to:
improve transparency on remuneration and
strengthen the management of operational risk in the banking, insurance and superannuation industries.
In July 2022, an amended CPS 511 Remuneration (with supporting reporting requirements) and draft Prudential Standard CPS 230 Operational Risk Management were released for consultation.
This blog provides a summary of the new and amended prudential requirements and what they mean for participants across the relevant industries.
Greater transparency for remuneration
On remuneration transparency, APRA launched a consultation (open until 7 October 2022) on the proposed new remuneration disclosure and reporting requirements for all banks, insurers and superannuation funds regulated by APRA.
As covered in the blog The 511 on Remuneration, APRA released its initial draft cross-industry remuneration standard in 2020, with subsequent revisions made in 2021 after industry consultation.
The key revisions in 2021 concerned the cap on financial measures and the minimum deferral periods for variable remuneration for Significant Financial Institutions (SFIs). In the final standard, the definition of SFIs was also updated to capture entities with more than $20 billion in assets for authorised deposit-taking institutions (ADIs), $30 billion in collective total assets for RSE licensees, $10 billion for general and life insurers, and $3 billion for private health insurers. You can read more about the revisions that landed in the final standard in our Governance and Risk Culture blog.
The requirements set out in the standard and supporting Prudential Practice Guide CPG 511 Remuneration were intended to operate in conjunction with the proposed draft Financial Accountability Regime Bill, which has now lapsed due to the change in government this year.
APRA is now consulting on its disclosure and reporting proposals, which support the implementation of CPS 511 by reinforcing accountability and enabling data-driven supervision. The proposed disclosure requirements seek to improve the transparency of remuneration arrangements beyond what is required under the Corporations Act and SIS Act, and to allow for more consistent comparisons across all APRA-regulated entities.
What this means for entities
Under the requirements, all APRA-regulated entities are obligated to publicly disclose information on:
How remuneration is aligned with performance and risk,
Consequence management for poor outcomes, and
For variable remuneration, how non-financial measures are incorporated in remuneration outcomes.
These requirements also take into account each entity's size and the complexity of its remuneration arrangements. For larger entities, this means setting out how they have given material weight to non-financial measures (e.g. risk management and conduct) in setting remuneration outcomes and disclosing quantitative information on variable remuneration and deferrals for key executives and other specified roles. For smaller entities, only simplified qualitative disclosures on remuneration frameworks and governance are required.
APRA plans to use this information to regularly publish key quantitative information on variable remuneration across all APRA-regulated entities to enable easier comparison and analysis of such information.
The requirements are expected to be finalised by the end of 2022, with a staggered implementation as follows:
ADI SFIs from January 2023
Insurance and RSE licensee SFIs from July 2023
All other APRA-regulated entities from January 2024
Strengthening operational risk management
APRA has introduced a new cross-industry prudential standard designed to strengthen the management of operational risk for banks, insurers and superannuation funds. Prudential Standard CPS 230 Operational Risk Management (CPS 230) sets out the minimum standards for managing operational risk.
CPS 230 also includes updated requirements for business continuity and service provider management and will replace the following existing industry-specific prudential standards:
CPS 231 Outsourcing
CPS 232 Business Continuity Management
SPS 231 Outsourcing
SPS 232 Business Continuity
HPS 231 Outsourcing (for private health insurers)
APRA states that the key objectives of the new CPS 230 are to improve operational risk practices through enhanced focus of boards and senior management and to minimise the impact of disruptions to customers and the financial system.
What this means for entities
APRA has adopted a principles-based approach in developing the requirements and intends to achieve its objectives through the following outcomes:
Strengthen operational risk management – with new requirements to address weaknesses that have been identified in existing practices of entities by maintaining effective internal controls for operational risk. Entities must regularly monitor, review and test controls for design and operating effectiveness, report results to senior management and rectify any gaps or deficiencies in a timely manner. This increases the level of accountability for senior management compared to the existing risk management standards.
Improve business continuity planning – to ensure entities are prepared and ready to respond to disruptions and continue critical operations by adapting processes and systems and setting clear Board-approved tolerances for the maximum level of disruption they are willing to accept. Tolerance levels include the maximum period of disruption time, the maximum extent of data loss and minimum service levels during a disruption.
Enhance third-party risk management – the requirements now go beyond outsourced providers to cover all material service providers that entities rely upon for critical operations or that expose them to material operational risk. It is proposed that an entity must address its approach to managing risks associated with “fourth parties” (any party that an APRA-regulated entity’s service provider relies on to provide services to the entity) and include a notification requirement in its contracts with material service providers.
Though CPS 230 introduces new requirements, it is also essentially a consolidation of five prudential standards, which means the standard contains less detail than the previous industry-specific standards.
To comply with these requirements, APRA-regulated entities will need to review their existing policies and processes and develop new processes, including drafting additional clauses in material service provider contracts.
APRA plans to finalise the standard in early 2023 and release draft guidance for consultation, aiming for it to take effect from 1 January 2024.
How we can help
Hall Advisory’s core services include the development and implementation, or independent review, of:
Regulatory disclosure frameworks and artefacts.
Accountability frameworks, including drafting of accountability maps, reviewing and editing role statements.
Remuneration policies for alignment with CPS 511 and FAR.
Operational risk management frameworks and modelling tools.
Three lines of defence and accountability.
Risk culture assessments.
Outsourcing policies and frameworks, due diligence assessments and tender design and facilitation for material service providers.
Business continuity and data management frameworks, including business continuity plan and crisis management scenario testing.
For more information about how we can help you comply with and implement the new prudential requirements, contact us today for a confidential, no-obligation consultation.