Governance

CPS 510 sets out the minimum requirements that any APRA-regulated institution and the head^[26] of a group must meet in order to promote strong and effective governance.

Under CPS 510, ultimate responsibility for oversight of the sound and prudent management of an APRA-regulated institution lies with its board of directors (Board), or equivalent.^[27] For an ADI group, this responsibility will rest with the Board (or equivalent) of the head of the group.

Risk Management

Under APRA’s Prudential Standard CPS 220 Risk Management, it is the responsibility of the Board and management of an ADI and the head of an ADI group to ensure that, respectively, the ADI and ADI group has prudent risk management practices.

CPS 220 requires an ADI and/or the head of an ADI group to maintain a Risk Management Framework (RMF) appropriate to the size, business mix and complexity of the ADI and/or ADI group, as applicable, to ensure the ADI and the ADI group manage risks arising from its business and continue to meet its obligations to depositors. The Board of an ADI is ultimately responsible for the ADI’s RMF and for oversight of its operation by management, in accordance with the requirements of CPS 220.

Refer to CPS 220 for further information on the key elements to be included in an ADI’s and/or ADI group’s RMF, including requirements regarding the use of group risk management where an ADI is part of an ADI group.

An ADI or head of an ADI group is required to submit to APRA an annual Risk Management Declaration in accordance with requirements set out in CPS 220 and Attachment A to CPS 220.

CPS 220 requires an ADI and/or head of an ADI group to notify APRA when it becomes aware of a significant breach of, or material deviation from its RMF, or that the RMF does not adequately address a material risk, as well as any material or prospective material changes to the size, business mix and complexity of its operations.

Responsibility to Appoint Independent Auditor

Under APS 310 and 3PS 310, an ADI and/or head of an ADI group is required to appoint, as appropriate, an auditor(s) and/or group auditor(s) to meet the prudential reporting requirements under APS 310, 3PS 310 and APS 910, as applicable. APS 310 sets out the eligibility criteria for the appointment of a Level 1 (the ADI) and Level 2 (the ADI group) auditor as well as the permitted use of group auditors where an ADI is a member of a Level 2 ADI group. 3PS 310 sets out the requirements in relation to the appointment of auditors for a Level 3 group.

APS 310 and 3PS 310 require an ADI and/or head of an ADI group to:

1. ensure its auditor satisfies the requirements of APS 310 and/or 3PS 310;^[28]
2. set out the terms of the engagement, including matters identified in APS 310 and/or 3PS 310, in a legally binding contract with its appointed auditor and to ensure the auditor complies with these terms; and
3. ensure its auditor undertakes the roles and responsibilities as specified in APS 310 and 3PS 310, as relevant.

Financial Claims Scheme

APRA issued APS 910 to assist ADIs to comply with the requirements of the FCS. It applies to all ADIs except for foreign ADIs and providers of purchased payment facilities.

Under APS 910, ADIs subject to APS 910 are required to implement systems and processes that allow it, to the extent practicable, to identify protected accounts for each account-holder, generate an aggregated view (“single customer view”) of each account-holder identified, and meet reporting, communications, testing and assurance requirements, which will enable APRA to pay out account-holders of the ADI in a timely and effective manner in the event of an ADI being declared subject to the FCS.^[29]

Under APS 910, the Board and senior management of an ADI are responsible for ensuring that appropriate policies and procedures are in place to ensure the integrity of the operations, internal controls and information required under APS 910. This includes, but is not limited to:

1. ensuring that the systems and data required by APS 910 are subjected to an independent limited assurance engagement, in accordance with the requirements stipulated in APS 910, and that this assurance be provided at the same time as the assurance required by APS 310, unless otherwise agreed by APRA; and
2. providing an attestation from the Chief Executive Officer in accordance with the requirements stipulated in APS 910.

Responsibility to keep Auditor Informed

Under APS 310 and 3PS 310, the ADI and/or head of the ADI group is required to ensure that its appointed auditor(s) is kept fully informed, including ensuring that the auditor:

1. has access to all data, information, reports and staff of the ADI and/or ADI group, which the appointed auditor reasonably believes is necessary to fulfil its role and responsibilities under APS 310 and/or 3PS 310. This includes, access to the Board and Board Committees of the ADI and head of the ADI group, internal auditors of the ADI and/or the ADI group, and auditors of entities in the group, as required;
2. is kept fully informed of all Prudential Requirements applicable to the ADI and/or head of the ADI group; and
3. is provided with any other information that APRA has provided to the ADI and/or head of the ADI group that may assist the appointed auditor in fulfilling its role and responsibilities under APS 310 and/or 3PS 310.

In relation to the ADI’s and/or ADI group’s responsibility to keep the auditor informed, the auditor includes these responsibilities clearly in the engagement letter and also requests management of the ADI and/or ADI group to sign an appropriate representation letter(s).^[30]