Legal development

APRA releases its 2024-25 Corporate Plan, notes improving cyber risk management and climate risk practices as key priorities


    What you need to know

    • The Australian Prudential Regulation Authority (APRA) has published its 2024-25 Corporate Plan which outlines its key strategic priorities and, for the first time, its supervision, data collection and publication priorities for the banking, insurance and superannuation industries.
    • In the Corporate Plan, APRA notes that it will develop and conduct a system stress test to better understand 'interconnections' across the financial system, lift standards for regulated entities to better manage climate risk and cyber risk, and partner with ASIC to implement the Financial Accountability Regime (FAR) for the insurance and superannuation industries.
    • APRA notes its regulatory responsibilities may extend to payments under the government's proposed licensing regime for payments service providers.
    • APRA notes that, where appropriate, it may increase the intensity of supervision to address inadequate risk management practices and take formal enforcement action against entities (e.g. for breaches of the law).

    What you need to do

    • Review APRA's Corporate Plan, in particular the strategic priorities which will drive APRA's policy, supervision and data priorities over the next 12 to 24 months for the banking, insurance and superannuation industries.
    • Plan for expected engagements with APRA in relation to reviews of Prudential Standard APS 210 Liquidity (APS 210) and implementation of Prudential Standard CPS 230 Operational Risk Management (CPS 230).
    • Ensure you continue to meet the standards expected by APRA in relation to cyber risk management as set out in CPS 234 Information Security (CPS 234). Where entities are found to have significant vulnerabilities APRA may intensify supervision, require root cause analysis, request remediation plans and consider enforcement action.
    • For the superannuation and insurance industry, prepare for the implementation of FAR which will come into effect from March 2025 for these industries.

    APRA has identified nine focus areas across three key strategic objectives where it will heighten its regulatory focus:

    Maintain financial and operational resilience

    1. Financial resilience

    APRA notes technological advances and greater market connectivity have increased the speed with which a financial crisis can spread. Given this, APRA needs to ensure that regulated entities can withstand a severe but plausible stress event and operate effectively in a crisis. APRA's strategic response and key regulatory activities will include:

    a) Adjusting capital and liquidity standards to ensure the prudential framework remains fit for purpose, which includes conducting a review of APS 210 and consulting on proposals relating to Additional Tier 1 (AT1) capital instruments.

    b) Developing APRA’s first system risk stress test to understand interconnections across the financial system.

    2. Operational resilience

    APRA notes there is greater dependency by both APRA-regulated entities and their customers on technology which has produced a commensurate rise in operational risks. APRA's strategic response and key regulatory activities will include:

    a) Increasing minimum standards for operational resilience through implementation of the new CPS 230, which will include engaging with industry groups, professional service firms, peer regulators, and industry led working groups.

    b) Designing, developing, and deploying a process for breach notifications for material operational risk events and a consistent approach for the Material Service Provider register.

    3. Cyber resilience

    APRA notes that APRA regulated entities, industries and service providers are exposed to increased risk of cyber-attacks whilst legal and community expectations around data privacy, security, and continuity of services are rising. APRA's strategic response and key regulatory activities will include:

    a) Engaging with government initiatives on cyber regulation, generative AI, preparedness and incident response.

    b) Embedding CPS 234 and ensuring entities act on findings from CPS 234 independent reviews to lift minimum standards of cyber risk management.

    c) Releasing industry letters on high-risk cyber topics (e.g. securing and testing backups, maintaining security configurations, and maintaining privileged access management) and expecting regulated entities to strengthen practices as appropriate.

    d) Conducting a cyber operational resilience stress exercise to test industry preparedness in responding to cyber incidents.

    4. Crisis preparedness

    APRA notes that whilst Australia's financial system is strong and stable, regulated entities need to be prepared to respond to severe but plausible events such as entity failure and systemic risks. APRA's strategic response and key regulatory activities will include:

    a) Implementing Prudential Standard CPS 900 Resolution Planning (CPS 900) across Significant Financial Institutions (SFIs) and, where prioritised, developing and having prepositioned entity resolution plans; and

    b) Embedding Prudential Standard CPS 190 Recovery and Exit Planning (CPS 190) in the risk management practices of regulated entities.

    5. Governance, Culture, Remuneration, Accountability (GCRA)

    APRA notes it is committed to making targeted adjustments to the prudential framework to ensure GCRA-related standards are fit for purpose and stronger minimum standards are used to hold individuals and entities accountable for poor practices. APRA's strategic response and key regulatory activities will include:

    a) Partnering with ASIC to implement the FAR for insurance and superannuation entities.

    b) Consulting on amendments to Prudential Standard CPS 510 Governance (CPS 510), Prudential Standard SPS 510 Governance (SPS 510), Prudential Standard CPS 520 Fit and Proper (CPS 520) and Prudential Standard SPS 520 Fit and Proper (SPS 520) to align with FAR and international best practice.

    c) Conducting a comprehensive survey across Tier 1 and Tier 2 insurance entities to benchmark and assess staff perceptions of risk culture.

    Respond to significant and emerging risks

    6. Climate and nature risk

    APRA notes that APRA-regulated entities are exposed to risks associated with the increased frequency and severity of climate-related events. These events potentially impact the value of certain assets, income streams and underwriting risks. APRA's strategic response and key regulatory activities will include:

    a) Gradually expecting regulated entities to consider the financial impacts of climate risk in their financial decision making (e.g. when considering lending, underwriting and investing).

    b) Consulting on amendments to Prudential Standard CPS 220 Risk Management (CPS 220) to include climate risk in the prudential framework.

    c) Providing insights on better practices from the data collected through the voluntary climate risk self-assessment survey of entity practices against CPG 229 Climate Change Financial Risks (CPG 229).

    7. New and changing business models

    APRA notes the government is proposing to extend APRA's regulatory responsibilities to include payments. Increasingly, entities with non-traditional business models are approaching APRA to be prudentially regulated. APRA's strategic response and key regulatory activities will include:

    a) Preparing for the introduction of the Government’s proposed licensing regime for payments service providers, as it may fall within APRA’s regulatory responsibilities. Consulting on new prudential standards, including for major Stored Value Facilities (i.e. those with more than $100 million in stored value), to set appropriate minimum requirements for such entities.

    b) Modernising the licensing framework including by introducing legally enforceable criteria to improve the efficiency of the licensing process.

    Address industry specific challenges

    8. Protection gap for household insurance

    APRA will partner with stakeholders across government to identify actions that could be taken to support the access and affordability of household insurance. APRA's strategic response and key regulatory activities will include:

    a) Partnering with stakeholders across the public and private sectors to identify initiatives that could reduce the protection gap for household insurance.

    b) Working with insurers, communities and Government to better understand insurance coverage and gaps, risk mitigation measures, and to foster greater transparency on the drivers of premium changes, to put downward pressure on premiums.

    9. Retirement incomes

    APRA will continue to work with ASIC to ensure trustees are taking action to meet requirements set by the Retirement Income Covenant. APRA's strategic response and key regulatory activities will include:

    a) Maintaining supervisory focus on trustees' implementation of the retirement income covenant.

    b) Engaging with individual trustees where APRA holds concern about lack of progress being made to effectively implement the retirement income covenant.

    Industry specific priorities

    APRA has specifically set out how the above focus areas translate into specific regulatory initiatives for the banking, superannuation and insurance industries.

    Banking specific initiatives

    • Liquidity – Engagement with industry as APRA conducts a review of APS 210 and Reporting Standard ARS 210 Liquidity. APRA will continue focusing on some Liquidity Coverage Ratio ADIs to uplift their liquidity stress testing capabilities following 2023 reviews.
    • AT1 Capital – APRA will issue a discussion paper responding to stakeholder feedback and will consult on specific changes to prudential standards (including Reporting Standard ARS 110.0 Capital Adequacy).
    • System wide stress test – APRA will conduct a system stress test that includes Tier 1 banks (specific entities to be determined).
    • Market risk – Ongoing engagement with Internal Ratings-Based banks that have submitted models for approval whilst APRA reviews those models.
    • Crisis preparedness – Following implementation of CPS 190 and CPS 900, APRA will continue to embed recovery and exit planning for all relevant entities and continue to progress staged implementation of resolution planning (entity by entity basis) across all SFI and any non-SFIs that provide critical functions.
    • Operational resilience – Engagement with regulated entities for the implementation of CPS 230 (which comes into effect from 1 July 2025). Banks will be required to submit a register of material service providers on an annual basis and APRA will use this information to assess risks associated with these arrangements.
    • Cyber resilience – APRA will monitor banks to ensure they meet the standards under CPS 234. Where appropriate, APRA may intensify supervision, require root cause analysis, request remediation plans and consider enforcement action.
    • Climate and nature risk – APRA will consult on amendments to CPS 220 with the intention of more clearly embedding climate-related financial risk considerations. APRA will release an information paper with insights from the voluntary Climate Risk Self-Assessment survey so entities and other stakeholders can consider best practice climate risk management.
    • New and changing business models – After the Government has finalised its reforms for payments regulation, APRA will consult on a proposed new prudential framework for stored value facility providers.
    • ADI Licensing Framework – APRA will review its licensing framework for banks and plans to consult on new licensing criteria.

    Superannuation specific initiatives

    • System wide stress test – APRA will conduct a system stress test that includes a small number of large superannuation funds (specific entities to be determined).
    • Crisis preparedness – Following implementation of CPS 900 and CPS 190, APRA will continue to embed recovery and exit planning for all registrable superannuation entity (RSE) licensees and continue to progress staged implementation of resolution planning (entity by entity basis) across all SFIs and any non-SFIs that provide critical functions.
    • Operational resilience – APRA will finalise revisions to Prudential Standard SPS 114 Operational Risk Financial Requirement (SPS 114) and associated guidance. APRA will engage with regulated entities for implementation of CPS 230. Trustees will be required to submit a register of material service providers on an annual basis and APRA will use this information to assess risks associated with these arrangements.
    • Cyber resilience – APRA will monitor superannuation funds to ensure they meet the standards under CPS 234. Where appropriate, APRA may intensify supervision, require root cause analysis, request remediation plans and consider enforcement action.
    • Accountability – With the FAR coming into effect from March 2025 for the superannuation industry, APRA and ASIC will be releasing information packages and hosting webinars to support superannuation entities prepare for the FAR commencement.
    • Climate and nature risk – APRA will consult on amendments to CPS 220 with the intention of more clearly embedding climate-related financial risk considerations. APRA will release an information paper with insights from the voluntary Climate Risk Self-Assessment survey so entities and other stakeholders can consider best practice climate risk management.
    • Retirement outcomes and superannuation transparency – APRA will monitor adherence to the enhanced Prudential Standard SPS 515 Strategic Planning and Member Outcomes (SPS 515) to promote strong member outcomes. APRA will monitor trustees responsible for underperforming choice products to ensure they are taking steps to improve or exit them.

    Insurance specific initiatives

    • Crisis preparedness – Following the implementation of CPS 190 and CPS 900, APRA will continue to embed recovery and exit planning for all regulated entities and continue to progress staged implementation of resolution planning (entity by entity basis) across all SFIs and any non-SFIs that provide critical functions.
    • Operational resilience – Engagement with insurers for the implementation of CPS 230. Insurers will be required to submit a register of material service providers on an annual basis and APRA will use this information to assess risks associated with these arrangements.
    • Cyber resilience – APRA will monitor insurers to ensure they are meeting requirements under CPS 234. Where appropriate, APRA may intensify supervision, require root cause analysis, request remediation plans, and consider enforcement action.
    • Accountability – With the FAR coming into effect from March 2025 for the insurance industry, APRA and ASIC will be releasing information packages and hosting webinars to support superannuation entities' preparations for the FAR commencement.
    • Climate and nature risk – APRA will consult on amendments to CPS 220. APRA will release an information paper with insights from the voluntary Climate Risk Self-Assessment survey so entities and other stakeholders can consider best practice climate risk management. For general insurance, APRA will continue its work on the insurance CVA (which will assess the potential impacts of climate change on home insurance affordability out to 2050).
    • Protection gap for household insurance – APRA will consult on reinsurance settings for general insurance to consider scope to promote access to alternative reinsurance.
    • Life insurance sustainability – APRA will monitor leading indicators of unsustainable products or practices. Entities can expect APRA to continue its system-wide initiative to assess life insurers’ progress in meeting product sustainability expectations across both individual and group insurance business.

    Authors: Hong-Viet Nguyen, Partner; Justin Ho, Senior Associate and Mansi Gupta, Associate.

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.
