APRA’s CBA Prudential Inquiry Final Report: Conduct Risks

The Australian Prudential Regulation Authority (APRA) has released the Final Report of the Prudential Inquiry into the Commonwealth Bank of Australia (CBA)Background.

The Report identifies a number of shortcomings in CBA’s governance, culture and accountability frameworks, particularly in dealing with non-financial risks. It says that regaining community trust will require, time, hard work and an undistracted risk and customer focus.

APRA announced the Prudential Inquiry on 28 August 2017 to examine the frameworks and practices in relation to the governance, culture and accountability within the CBA group, following a number of incidents that damaged the reputation and public standing of the bank.

Its overarching conclusion is that “CBA’s continued financial success dulled the institution’s senses to signals that might have otherwise alerted the Board and senior executives to a deterioration in CBA’s risk profile. This dulling was particularly apparent in CBA’s management of non-financial risks, i.e. its operational, compliance and conduct risks.”

The Report raises a number of matters of prudential concern. In response, CBA has acknowledged APRA’s concerns and has offered an Enforceable Undertaking (EU) under which CBA’s remedial action in response to the report will be monitored. APRA has also applied a $1 billion add-on to CBA’s minimum capital requirement.

Nevertheless the Panel “acknowledges the undoubted financial strength and acumen of the CBA, its global standing, and the avowed commitment of staff to servicing customers. CBA needs to translate this financial strength and good intent into better meeting the community’s needs and the standards expected of a systemically important bank in Australia.”

Lessons for other APRA regulated financial institutions

APRA observes that given the nature of the issues identified in the Report, all regulated financial institutions will benefit from conducting a self-assessment to gauge whether similar issues might exist in their institutions. APRA supervisors will also be using the Report to aid their supervision activities, and will expect institutions to be able to demonstrate how they have considered the issues within the Report.

For the largest financial institutions, APRA will be seeking written assessments that have been reviewed and endorsed by their Boards.

CBA Findings

The Panel has made a series of specific recommendations designed to strengthen governance, accountability and culture within CBA. They focus on some key levers of change:
• more rigorous Board and Executive Committee governance of non-financial risks;
• exacting accountability standards reinforced by remuneration practices;
• a substantial upgrading of the authority and capability of the operational risk management and compliance functions;
• injection into CBA’s DNA of the ‘should we?’ question in relation to all dealings with and decisions on customers; and
• cultural change that moves the dial from reactive and complacent to empowered, challenging and striving for best practice in risk identification and remediation.

As some of the recommendations deal with the way in which CBA interacts with customers, APRA will work closely with the Australian Securities and Investments Commission (ASIC) to ensure that the recommendations are addressed in full.

The Panel identified:

  • inadequate oversight and challenge by the Board and its committees of emerging non-financial risks;
  • unclear accountabilities, starting with a lack of ownership of key risks at the Executive Committee level;
  • weaknesses in how issues, incidents and risks were identified and escalated through the institution and a lack of urgency in their subsequent management and resolution;
  • overly complex and bureaucratic decision-making processes that favoured collaboration over timely and effective outcomes and slowed the detection of risk failings;
  • an operational risk management framework that worked better on paper than in practice, supported by an immature and under-resourced compliance function; and
  • a remuneration framework that, at least until the AUSTRAC action, had little sting for senior managers and above when poor risk or customer outcomes materialised (and, until recently, provided incentives to staff that did not necessarily produce good customer outcomes).

With respect to compliance the Report states:

“CBA has acknowledged to the Inquiry a focus on process rather than on mitigating risk. Interviewees noted that the risk function ‘couldn’t see the forest from the trees’ and was ‘consumed by process’. This finding is also consistent with the finding in the Culture and Leadership chapter regarding a lack of ownership of outcomes in favour of following process.

CBA’s approach to operational and compliance risk has also been focused on reacting to losses and incidents that had already occurred, rather than proactively identifying, measuring and managing risks.”

 

Your Compliance Support Plan

We understand you need a cost-effective way to keep up to date with regulatory changes. Talk to us about our fixed price plans.