March 27, 2013

The characteristics of quality corporate governance of financial institutions

I recently spoke to a group of mutuals on the topic of director liability.

I discussed the James Hardie and Centro cases but instead of focussing on penalties for breaches I looked at risk management and linked it to the business judgement rule: can a director be held liable for every unforeseen business risk? What do directors need to do personally and as a Board?

In the end it is a question of what directors of financial institutions do to manage other people's money and how they control the risks. Are your customers the focus of everything you do?

In a recent speech APRA Chair John Laker identified the following factors in the boards of successful financial institutions:

  • professionalism of the board: does the board have the financial industry experience and understanding of market complexities to ensure they can perform their fundamental role of independent and objective oversight?
  • risk governance: does the board have the ability to accurately identify and understand the risks inherent in their business and ensure there are robust structures for managing and reporting on these risks?
  • risk appetite: has the board clearly defined the degree of risks they are prepared to assume in pursuing their strategic and business objectives? Does the risk management function have the authority and independence to challenge the business areas; are there clear risk management lines of reporting to the board?
  • the flow of information to the board: does the board receive timely, relevant and comprehensive risk information? Is there too much information or too little? Do the reports provide an enterprise-wide perspective? Does information reach the board late and/or distorted? Is the information sufficient to give the board a holistic view of the risk exposures of their institution? Are there defined warning triggers?
  • a values and risk culture: is there a culture which drives people to do the right thing even when no one is looking? Is it consistent with the risk appetite of the board or with the personal values they expect of their staff?



Posted 27th March 2013 by David Jacobson in Legal, Risk management

December 7, 2012

ASIC’s financial institution audit priorities

ASIC's Audit inspection program report for 2011–12 specifically comments on financial institution audits.

ASIC's review highlighted findings common to all industries, such as not obtaining sufficient appropriate evidence to support audit procedures conducted in relation to assessing impairment, the application of professional scepticism, the performance of substantive analytical reviews, and relying on the work of others.

Key findings specific to the audit of banks and credit unions include:
(a) insufficient and inappropriate audit evidence obtained to support the valuation of significant financial assets, such as trading derivatives, trading securities and available-for-sale securities. In particular, ASIC found instances where the auditor’s substantive procedures were inadequate and the auditor placed inappropriate reliance on controls and external confirmations to validate the valuation assertion;
(b) insufficient testing to assess the adequacy of provisions for loan losses. In designing a disaggregated substantive analytical procedure, one auditor used an aggregated threshold for testing, and did not clearly identify a threshold for investigating differences or sufficiently corroborate variations identified; and
(c) insufficient testing of the reported net interest margin, including the inappropriate application of substantive analytical procedures or reliance on the audited entity’s controls without detailed substantive testing where the balance was material.

ASIC says these findings do not necessarily mean that there were deficiencies in the systems of any of the regulated entities concerned.

ASIC says its reviews of audits of banks, credit unions and insurance companies found that sampling procedures were often inappropriate. For example, there was often insufficient evidence that the auditor considered whether the sample selected was representative of the whole population or whether sampling was undertaken in accordance with the firm’s policy.

ASIC also commented on the adequacy and timeliness of auditors reporting suspected contraventions under s311 and 601HG of the Corporations Act, reporting under s990K, and reporting under the national credit legislation.


Posted 7th December 2012 by David Jacobson in Legal, Mutuals, Risk management

November 16, 2012

Financial Claims Scheme preparation

APRA has published a discussion paper and draft changes to APS 910 Financial Claims Scheme setting out proposals that ADIs be required to implement the systems needed to ensure that they can:
• generate and transmit payment instructions to a paying agent appointed by APRA;
• generate and disseminate APRA reports to account-holders and other parties in respect of FCS payments;
• facilitate communications with stakeholders; and
• comply with testing, audit and CEO attestation requirements.

Under transition arrangements in APS 910, ADIs are required to comply with the Single Customer View (SCV) requirements by 1 January 2014. ADIs with difficulties in meeting the requirements by that date may seek APRA approval for an extended transition period of up to a further two years.

Under the amended APS 910, it is proposed that ADIs will be required to implement the prepositioning requirements for payment instructions, reporting and communications by 1 July 2014. This proposed timing is based on an assumption, at this stage, that the finalised version of the amended standard will be issued by 1 July 2013. An extended transition period to meet these requirements, up to 1 January 2016, may be approved by APRA on a case-by-case basis.


Posted 16th November 2012 by David Jacobson in Risk management

October 22, 2012

Breach and complaint registers

In its October 2012 newsletter the Code Compliance Committee for the Mutual Banking Code of Practice commented on the diversity and quality of breach and complaint registers used across Code subscribers. The Committee commented that there appears to be no common industry practice or guidance in place about the importance of accurate and meaningful capture of breach and compliance data.

Recording and monitoring complaints and breaches is a critical part of any compliance framework.

The complaints handling process of Code subscribers must comply with clause 28 of the Code of Practice. The Australian Standard on Compliance Programs (AS 3806-2006) is a useful benchmark.

Recognising a complaint is an important training issue. Complaints may be received at branches, by letter, by email, by feedback from your website or in call centres. However they are received, they must be recorded to ensure the required response time deadlines are met.

Whether complaints and breaches are recorded in hard copy registers, in Excel spreadsheets or in databases does not matter as long as the system is able to track when complaints are lodged, the nature of the complaint, when they are responded to and when they are resolved. The records must be accessible, be maintained and be monitored.

It’s what you do with the complaints you receive that is important. You have to tell your customers how their complaint will be dealt with (and when) as well as the ultimate resolution and keep them informed along the way. And complaints should be analysed internally to assess whether they are an indicator of a widespread problem, poor customer service or a potential breach of a law or Code.

Unresolved complaints become disputes which must be separately recorded and monitored, particularly if they are referred to External Dispute Resolution.

If complaints or disputes involve compliance issues there must be a process to assess them and what has been done to fix them.

You need to establish the appropriate links between your IDR procedures and your EDR Scheme (see ASIC RG 165).

If they are substantial breaches of an AFS Licence they need to be reported to ASIC within 10 business days.

Accordingly your compliance system needs to include reporting regularly to your Risk and Audit Committee on whether there have been any complaints, breaches or disputes and whether previous matters have been resolved or not.

This must be positive reporting: even if there has been no complaint, breach or dispute, you must report that fact.

Langes can help review your complaints process.


Posted 22nd October 2012 by David Jacobson in Mutuals, Risk management

September 28, 2012

APRA Internal Capital Adequacy Assessment Process review for ADIs

APRA has released for consultation draft Prudential Practice Guide CPG 110 Internal Capital Adequacy Assessment Process and supervisory review (CPG 110).

The Guide is part of APRA's increasing emphasis on capital risk management as Basel III approaches commencement on 1 January 2013.

UPDATE 1 October: APRA has released a final set of prudential standards and reporting standards that give effect to major elements of the Basel III capital reforms in Australia.

The Guide supports compliance with Prudential Standard APS 110 Capital Adequacy (APS 110) which sets out requirements in relation to the capital adequacy of a regulated institution, including the need for a regulated institution to have an Internal Capital Adequacy Assessment Process (ICAAP), and establish a framework for supervisory review and adjustment of a regulated institution’s capital requirements.

Under the capital standards, the Board of a regulated institution has primary responsibility for the capital management of that institution. This obligation goes beyond the need to ensure compliance with regulatory capital requirements and requires the Board to ensure that each regulated institution holds capital resources commensurate with its risk profile.

Consistent with that overarching responsibility, the capital standards require each regulated institution to have an ICAAP that has been approved by its Board.

The Board is responsible for the risk appetite of a regulated institution and for ensuring that the institution has an appropriate risk management framework. Risk appetite is a fundamental part of both risk management and capital management.

APRA has not yet decided on the form of capital instruments that mutual ADIs can issue to comply with Basel III Common Equity Tier 1.


Posted 28th September 2012 by David Jacobson in Mutuals, Risk management

March 22, 2012

APRA report on progress of remuneration requirements implementation

APRA has published the results of its review of APRA-regulated institutions' progress on implementation of its prudential requirements in relation to remuneration.

APRA's comments include:

  • all of the Boards it met with "had well-established Remuneration Committees, with reasonably clear and robust governance arrangements. In most cases, the Chair of the Board attended meetings (either as a full or ex-officio member). [It] was also pleasing to see a strong linkage between the Remuneration Committee and the Board Risk Committee: the most common model observed was for there to be at least two directors who sat on both committees (and often the Chair of the Risk Committee was a member of the Remuneration Committee)....
    We were pleased to see considerable evidence that, as appropriate, Remuneration Committees sought advice from external sources, independent of that obtained by management."
  • there was a "strong focus on the remuneration outcomes of the most senior executives. In a limited number of cases, there still seemed to be a degree of tension between the role of the CEO in determining the remuneration arrangements and awards for his/her senior executive team, and the requirement in the Prudential Standard that these arrangements be determined by the Board. While the CEO will rightly be a source of advice and input on these matters, ultimately it is the Board’s responsibility to determine both the structure of, and actual outcomes from, the remuneration arrangements of senior executives."
  • there were "some inconsistencies across the institutions in the extent of Board approval of the remuneration of material risk-takers below the senior executive level...Further, the remuneration arrangements of relevant staff of a related body corporate which provides material services to the regulated institution may also be subject to the requirements of the Prudential Standards."
  • "Most of the Remuneration Committees we met with have established performance assessment arrangements based on a scorecard approach, in which various quantifiable objectives and benchmarks are used to assess performance. However, the application of these scorecard-based approaches varied widely. Some scorecards contained fairly high level metrics only, with a high degree of judgement applied by the Remuneration Committee to convert key performance indicators (KPIs) into actual rewards....APRA does not advocate either of these approaches in their entirety, believing instead that good performance assessment requires both clarity of objectives to provide a sound basis for performance measurement, and the application of experienced judgement to reflect those aspects of performance which cannot be measured using readily quantifiable KPIs...We are wary of totally ‘mechanical’ or formulaic approaches to performance-based remuneration, which rely completely on the use of quantitative risk measures as a means of meeting the requirements within the Prudential Standard...Equally, we are wary of highly subjective approaches – they lack a sound basis on which to establish performance expectations or measure the adequacy of results, and rely too heavily on the judgement of the Remuneration Committee to ensure remuneration outcomes are appropriate."



Posted 22nd March 2012 by admin in Risk management

February 21, 2012

Retail banking operational risks

In our recent Responsible Manager seminars we discussed operational risks including system "glitches" resulting from hybrid and patched computer platforms.

The Reserve Bank has now called for industry views on:

  • sources of vulnerability in ADIs' retail operational processes;
  • existing controls, safeguards and contingencies in ADIs' retail operations; and
  • ADIs' existing plans for upgrade and enhancement of the technology supporting retail operations and the objectives of these plans.

Following a number of operational incidents involving disruption to electronic retail payments systems, the Reserve Bank intends to formalise its requirements for the reporting of major retail payments system incidents. Authorised Deposit-taking Institutions (ADIs) that provide retail payments services and operate Exchange Settlement Accounts with the Reserve Bank will be required to report significant incidents in their retail payments operations to the Reserve Bank, according to specified criteria.


Posted 21st February 2012 by David Jacobson in Risk management

December 21, 2011

Payments fraud in Australia

The Australian Payments Clearing Association (APCA) has released statistics for cheque and payment card fraud in Australia for all financial institutions for the 12 months to the end of June 2011.

Whilst cheque fraud dropped, scheme credit, debit and charge card fraud (signature-permitted debit, credit and charge cards and card-not-present (CNP) transactions) increased from 58.9 cents to 74.3 cents in every $1,000 transacted. The incidence of fraud on these cards increased from 34.6 to 41.9 in every 100,000 transactions.

CNP fraud is increasing. CNP is where the consumer is not face-to-face with the retailer – shopping online, by mail or by phone.

The figures show that CNP now accounts for 71% of fraud value on Australian-issued scheme credit, debit and charge cards, of which more than half occurs overseas.


Posted 21st December 2011 by David Jacobson in Risk management

October 26, 2011

Mutuals: the quiet achievers

In APRA Chair John Laker's speech at the Abacus Convention he described the ‘quiet achievement’ on the part of mutual ADIs as an important source of their strength, notwithstanding "unsettled times".

He confirmed that APRA will maintain its focus on three main supervisory issues: credit standards, liquidity and funding, and governance.

In respect of funding he made the following comment on securitisation:

self-securitisation ... is an arrangement under which an ADI ‘packages’ mortgage loans on its books into an instrument that can be used in repurchase transactions with the Reserve Bank of Australia. Self-securitised instruments are not intended for day-to-day funding purposes but they have proven their worth at times of acute market pressures earlier in the crisis. I mentioned at the 2009 Conference that APRA expected all large credit unions and building societies to establish self-securitisation facilities with the Reserve Bank of Australia as part of their contingency planning. Many have now done so but, to be frank, we have also had some pushback. Some have argued that existing securitisation warehouse arrangements and/or other committed facilities are an acceptable alternative. We disagree. Experience in 2008 was that such arrangements can be unreliable at the very time they are needed. Prudence dictates another instrument in the crisis management armoury.

John Laker also commented on the impact of Basel III on mutual ADIs:

Your one challenging area in Basel III, where we would like your thinking caps on, is the design of capital instruments that might be issued by mutual ADIs. Basel III requires that, to be eligible as regulatory capital, all classes of capital instruments must be capable of absorbing losses at the point of non-viability. At that point, without going into the details, capital instruments must either be converted into equity or written-off. Only the latter appears an option for mutual ADIs.

Langes can advise mutual ADIs on funding and capital arrangements as well as issues relating to becoming a mutual bank and other regulatory requirements.


Posted 26th October 2011 by David Jacobson in Legal, Mutuals, Risk management

September 11, 2011

Regulatory capital for mutuals under Basel III

APRA has set out its proposals for regulatory capital for ADIs under Basel III in a discussion paper.

APRA proposes to adopt the Basel III definition of regulatory capital, under which common equity (ordinary shares) is the predominant form of Tier 1 capital.

APRA proposes that, from 1 January 2013, all ADIs will be required to meet the following minimum requirements:
• a 4.5 per cent Common Equity Tier 1 ratio (increased from 2%);
• a 6.0 per cent Tier 1 capital ratio (increased from 4%); and
• an 8.0 per cent Total Capital ratio (no change).

A capital buffer of an additional 2.5% of Common Equity Tier 1 will also be required resulting in a minimum of 7% Common Equity Tier 1.

In respect of mutual ADIs APRA says:

The criteria for classification as common shares in Common Equity Tier 1 is intended to apply to all ADIs, including mutually owned ADIs, taking into account their specific constitutional and legal structure. Basel III provides some scope for instruments other than ‘common shares’ to be recognised as part of Common Equity Tier 1. The Basel III rules text states that ‘the application of the criteria should preserve the quality of the instruments by requiring that they are deemed fully equivalent to common shares in terms of their capital quality as regards loss absorption and do not possess features which could cause the condition of the bank to be weakened as a going concern during periods of market stress.’

There are a number of mutually owned ADIs that have issued instruments currently qualifying as Tier 1 capital. APRA invites submissions from these ADIs as to whether the features of the instruments will comply with the criteria for Common Equity Tier 1 (or Additional Tier 1 criteria, set out in section 2.1.2 ...). APRA also invites submissions more generally on how new capital instruments issued by mutually owned ADIs could be deemed to be the equivalent of common shares (or Additional Tier 1 capital) in terms of their capital quality and loss absorption.

Langes+ can advise mutuals on constitutional and legal issues affecting capital raising.


Posted 11th September 2011 by David Jacobson in Legal, Risk management