The Banking Regulation Review: Australia


The Australian banking industry is dominated by the big four banks – Commonwealth Bank of Australia Limited (CBA), Westpac Banking Corporation (Westpac), National Australia Bank Limited (NAB) and Australia and New Zealand Banking Group Limited (ANZ) – which are by far the largest banks in Australia by total assets, accounting for almost 80 per cent of total bank assets. The big four banks also make up four of the seven largest entities by market capitalisation listed on the Australian Stock Exchange. Other institutions, including mutual financial institutions, local operations of foreign banks (whether operating through a local subsidiary or not) and specialist financial services providers, also carry on banking business in Australia. The Australian banking industry is globally connected, with the big four banks (and Macquarie Group Limited) having operations overseas and most global banking groups having operations in Australia. In 2018, the conduct of banks towards their customers was the subject of intense public scrutiny through the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (Banking Royal Commission), which exposed considerable misconduct in the financial sector and recommended a number of law reforms in relation to consumer lending and non-banking financial services commonly provided by banks in Australia. The majority of these recommendations were given legislative effect with a host of reforms implemented in 2021.

The regulatory regime applicable to banks

The Australian Constitution grants the national (federal) legislature legislative power with respect to banking, other than state banking within the boundaries of the state concerned. Banking business has long been held to be the taking of deposits from customers on loan, to be repaid on demand or as otherwise agreed between the lender and the customer, and the utilisation of that money in the interim by the lending of it.2 Deposit-taking is the essential element of banking. This definition is substantially replicated in legislation.3 This limited concept of banking business is relevant when considering the Australian regulatory environment.

Australia has a twin peaks approach to financial sector regulation: the Australian Prudential Regulation Authority (APRA) is responsible for financial system stability and depositor protection, and the Australian Securities and Investments Commission (ASIC) is responsible for market conduct and consumer protection.

The Reserve Bank of Australia (RBA) is also involved as the central bank, lender of last resort and facilitator of interbank settlements, and in regulating payment systems.

A person may only carry on banking business in Australia if authorised by APRA to do so.4 Unless it otherwise determines, APRA may only authorise bodies corporate (and not other kinds of corporate structures) to engage in banking business.5 Bodies corporate authorised by APRA are called authorised deposit-taking institutions (ADIs).

Banking business is regulated separately from the provision of financial services. This includes insurance, securities dealing, fund management, underwriting, stockbroking, custodial and depositary services, and advisory services. Financial services are regulated separately by ASIC, and in most cases require an Australian financial services licence (AFSL). ADIs must obtain an AFSL to provide financial services, although the power to impose or revoke conditions on the AFSL that would affect the ADI's ability to carry on its banking business are removed from ASIC and vested in the Minister for Financial Services personally.6

For most purposes, the provision of credit is not a financial service and does not require an AFSL. Consumer credit activities are regulated separately by ASIC. Persons who wish to provide credit to consumers require a credit licence issued by ASIC. ADIs must hold a credit licence to lend to consumers, which ASIC is required to grant provided the ADI includes in its application a statement to the effect that it will comply with its obligations as a licensee.7

In considering whether to grant ADI authorisation to an applicant, APRA will consider the following factors:8

  1. capital: applicants must be able to comply with the capital adequacy requirements imposed by APRA;
  2. ownership: applicants (or their holding companies) must comply with the ownership restrictions in the Financial Sector (Shareholdings) Act 1998 (Cth) (discussed below), and all substantial shareholders must be fit and proper in the sense of being well-established and financially sound entities of standing and substance;
  3. governance: applicants must satisfy APRA prudential standards concerning corporate governance, and have policies in place to ensure that key office holders are fit and proper persons;
  4. risk management and internal controls: applicants must satisfy APRA that these are adequate and appropriate for limiting risk exposures from their operations;
  5. compliance: applicants must have compliance processes and systems in place that are adequate and appropriate for ensuring compliance with APRA prudential standards and other regulatory requirements;
  6. information and accounting systems: these must be adequate to maintain up-to-date records of all transactions, to keep management continuously and accurately informed of the ADI's condition and to comply with reporting obligations;
  7. audit: internal and external audit arrangements must satisfy APRA prudential standards; and
  8. for foreign bank applicants, the standard of supervision in their home jurisdiction and the consent of their home supervisor.

In an effort to increase competition in the banking industry, APRA allows applicants to apply to be authorised as a restricted ADI (RADI). RADIs are required to hold significantly less capital than full ADIs (the higher of 20 per cent of adjusted assets or A$3 million plus a winding-up reserve) and are subject to less stringent prudential standards. However, RADIs may only accept protected deposits (see Section III) up to A$250,000 per customer and up to A$2 million in aggregate. RADI authorisation is only valid for up to two years, after which the RADI must either obtain full ADI authorisation or exit the industry. The RADI licensing scheme was introduced to make it easier for new ventures to enter the Australian banking industry without prejudicing the depositor protection and financial stability achieved by current prudential standards. Unless otherwise stated, references in this chapter to ADIs are references to full ADIs.

The provision of a purchased payment facility (PPF) – a facility purchased from another person that is able to be used for making payments up to the amount standing to its credit from time to time, and under which payments are made by the provider of the facility rather than the purchaser9 – or being the holder of stored value for a PPF is deemed by legislation to be carrying on banking business.10 Consequently, providers of PPFs (e.g., digital wallet services) are required to obtain ADI authorisation from APRA. However, the authorisation granted to PPF providers is typically subject to a condition limiting them only to providing PPFs and preventing them from lending money (other than incidental advances to customers in the course of providing a PPF).

ADIs in Australia are structured as bodies corporate. Mutual (customer-owned) financial institutions existing under state laws were, from 1 July 1999 onwards, converted to companies limited by shares under the national corporations legislation.11 Notwithstanding their conversion to companies with share capital, mutual financial institutions are subject to additional disclosure requirements if their constitutions are to be amended to vary or cancel the rights of members or a class of members.12 On 6 April 2019, the Treasury Laws Amendment (Mutual Reforms) Act 2019 commenced, narrowing the scope of the definition of mutual entities and making it easier for them to raise capital from external sources.

Financial institutions may be corporate groups. It is only the entity carrying on banking business – that is, accepting deposits from customers – that must be an ADI. Other entities in the corporate group can provide other non-banking services that are typically provided by banks in Australia, such as securities dealing, wealth management, wholesale debt issuance and insurance. The ADI may be either the holding company or a subsidiary within the corporate group. If a holding company is not an ADI, APRA may authorise it to be a non-operating holding company (NOHC) of an ADI. If a prospective ADI is a subsidiary of another body corporate, APRA may refuse to grant it authority to carry on banking business unless the body corporate of which it is a subsidiary is authorised as an NOHC.13 NOHC authorisation subjects the holding company to the ownership restrictions in the Financial Sector (Shareholdings) Act 1998.

Foreign banks may enter the Australian banking industry either by obtaining ADI authorisation for a local subsidiary or by obtaining authorisation to carry on banking business through a branch in Australia (the latter is called a foreign ADI in the Banking Act; the former is in reality a local ADI but with a foreign owner). A local subsidiary ADI of a foreign bank is subject to the same capital requirements and other prudential standards as a locally owned ADIs. Local branches of foreign banks are not subject to any capital requirements, but APRA imposes a condition on their ADI authorisation prohibiting them from accepting initial deposits of less than A$250,000 from individuals (other than their employees) and unincorporated entities. If a foreign bank wishes to accept retail deposits, it must establish a local subsidiary.

APRA is a statutory body corporate14 established for the purposes of regulating bodies in the financial sector in accordance with laws providing for prudential standards or for retirement income standards, and administering the financial claims scheme (FCS) provided for in the Banking Act 1959 and Insurance Act 1973 (the FCS is discussed in Section III). In performing its functions, APRA is obliged to balance the objectives of financial safety, efficiency, competition, contestability and competitive neutrality; and promote financial system stability in Australia.15

In performing its functions and exercising its powers, APRA is also required to support New Zealand authorities in meeting their statutory responsibilities for prudential regulation and financial system stability and, to the extent reasonably practicable, to avoid any action that is likely to have a detrimental effect on financial system stability in New Zealand.16

APRA seeks to maintain a low incidence of failure among its regulated institutions, while not hindering competition and efficiency gains. Its stated strategic priorities for 2021 to 2025 are:

  1. preserving the resilience of banks, insurers and superannuation funds;
  2. targeting supervisory activities to those issues of greatest risk;
  3. modernising the prudential architecture; and
  4. enabling data-driven decision-making.17

As APRA continues to respond to the challenges of covid-19, it is committed to continue actively supporting covid-19 response activities where needed to promote a stable, efficient and competitive financial system.18

APRA, together with the RBA, ASIC and the Federal Treasury, is a member of the Council of Financial Regulators. The Council of Financial Regulators is a coordinating body for Australia's main financial regulators, facilitating the sharing of information between regulators and their cooperation on matters of common concern. The four members of the Council of Financial Regulators are also members of the Trans-Tasman Council on Banking Supervision, along with the New Zealand Treasury, the Reserve Bank of New Zealand and the New Zealand Financial Markets Authority. The Trans-Tasman Council on Banking Supervision aims to support the development of a single economic market in banking services between Australia and New Zealand, and to promote a joint approach to trans-Tasman banking supervision and crisis resolution.19

Internationally, APRA and the RBA represent Australia on the Basel Committee on Banking Supervision and the RBA and federal Treasury represent Australia on the Financial Stability Board.

ADIs with total liabilities of A$100 billion (in July 2017-equivalent values; the threshold is indexed quarterly20) in any quarter are subject to a quarterly tax – the Major Bank Levy – of 0.015 per cent of their total liabilities, adjusted to exclude Additional Tier 1 (AT1) capital, FCS-protected deposits, net derivatives liabilities and their exchange settlement account balance with the RBA. The high level of concentration in the Australian banking industry means that the Major Bank Levy is only payable by the big four banks plus Macquarie Group Limited (a NOHC, the ADI being Macquarie Bank Limited), with other ADIs at little risk of exceeding the A$100 billion liabilities threshold. The Major Bank Levy was imposed to reduce the competitive advantage that the major banks derive from their size and greater access to international capital markets, as well as to extract a contribution from them for the implicit subsidy they receive from perceptions of being too big to fail.21

Prudential regulation

i Relationship with the prudential regulator

APRA describes its supervisory approach as forward-looking, primarily risk-based and consultative. It also appears to view its role as being protective, with a number of APRA publications referring to depositors, insurance policyholders and superannuation fund members as its beneficiaries.22 Notwithstanding, APRA is obliged under its founding statute to balance the often competing objectives of financial stability and safety on the one hand, and competition, contestability and competitive neutrality on the other. APRA therefore aims to maintain a low incidence of failure among regulated institutions rather than to guarantee that a regulated institution will never fail. It recognises that primary responsibility for the financial soundness of regulated institutions lies with the management and directors of those institutions.23

APRA's supervision of ADIs consists of both data analysis and on-site interaction with the ADIs being supervised. The fact that ADIs are required to obtain APRA approval for certain transactions and arrangements also facilitates close cooperation between ADIs and APRA.

In addition to general financial reporting obligations, ADIs are subject to reporting requirements under the Financial Sector (Collection of Data) Act 2001 (Cth) (FSCODA), which facilitates the collection of statistical data by APRA. FSCODA applies not only to ADIs, but also to non-bank lenders who carry on a business of providing finance (although most reporting standards applying to non-bank lenders state that they apply only to named non-ADI entities or non-ADI entities if they have total assets of A$50 million or more). APRA has issued reporting standards under FSCODA that prescribe the data that ADIs must supply to APRA and the form in which it must be supplied.

The data required to be supplied to APRA under FSCODA includes both general financial information, such as a statement of financial position,24 and specific information about particular kinds of assets and liabilities associated with banking business.25 The reporting standards require monthly or quarterly reporting, ensuring that APRA has access to current data to assist its decision-making. APRA collects data under FSCODA both to assist it in performing its supervisory functions and for statistical purposes. Data collected by APRA is also shared with other regulators and the Australian Bureau of Statistics, and summary statistical data is made available to the public.

APRA regulates ADIs primarily through the imposition of prudential standards with which ADIs must comply. The prudential standards are, on the whole, concerned with risk management for an ADI. Prudential standards set by APRA address key areas of risk for ADIs, including capital adequacy, liquidity and governance, and aim to ensure that such risks are properly identified and managed. Capital adequacy (which is discussed in more detail later) is the cornerstone of risk management, ensuring that the ADI can absorb losses that arise when adverse risks materialise.

APRA's approach to dealing with regulated entities is consultative and collaborative, both in relation to the setting of standards and enforcement. Its preference has been to work with ADIs to address concerns that it has, as opposed to litigation. The Banking Royal Commission criticised APRA (and ASIC) for their approach to enforcement, suggesting that more litigation to obtain penalties is called for.26 Much of the misconduct considered by the Banking Royal Commission was within ASIC's field of operation rather than APRA's: it concerned unlawful and undesirable conduct towards consumers in the provision of services other than deposit accounts.

ii Management of banks

Corporate governance requirements

Prudential Standard CPS 510: Governance (CPS 510) sets out governance requirements that ADIs must comply with in addition to general corporations law obligations.

Locally incorporated ADIs must have a board of directors consisting of at least five directors, which is ultimately responsible for oversight of the management of the ADI. CPS 510 sets out the following requirements for a board of a locally incorporated ADI:

  1. it must be:
    • composed of a majority of independent directors (unless the ADI is a subsidiary of another APRA-regulated entity or an equivalent overseas regulated entity): a director is independent if he or she does not have any business or other associations with the ADI that could materially interfere with the exercise of his or her independent judgement, such as a substantial shareholding, recent employment as an executive or a professional consulting engagement; and
    • composed of a majority of non-executive directors; and
  2. it must have:
    • procedures for performance assessment and renewal;
    • a remuneration committee to oversee the ADI's remuneration policy composed of at least three directors, a majority of whom are non-executive directors;
    • an audit committee to oversee the internal audit function, accounting, statutory reporting and external audit composed of at least three directors, a majority of whom are independent; and
    • a risk committee to oversee and implement the ADI's risk management framework composed of at least three directors, a majority of whom are independent.

The board must comprise a majority of independent directors, and a majority of those eligible to vote at any meeting must be non-executive directors, unless the ADI is a subsidiary of another APRA-regulated entity (e.g., a NOHC) or an overseas-equivalent entity. The board must also have procedures for assessing its performance on an annual basis. The ADI must also have a policy, overseen by the board remuneration committee, setting out the structure and objectives of its remuneration arrangements, but CPS 510 does not mandate any particular division between fixed and variable remuneration. The board must also have an audit committee to oversee reporting and audit obligations, in addition to the ADI maintaining an appropriately resourced internal audit function. The board must also have a risk committee.

Foreign ADIs need only to have a senior officer outside Australia with delegated authority from the board to oversee the Australian branch operation, and a senior manager ordinarily resident in Australia to be responsible for the local operation and available to meet with APRA on request.

Prudential Standard CPS 520: Fit and Proper (CPS 520) requires responsible persons – directors, senior managers and auditors – to be fit and proper. A person is fit and proper if he or she:

  1. possesses the competence, character, diligence, honesty, integrity and judgement to perform his or her duties;
  2. is not disqualified from holding his or her position; and
  3. does not have a material conflict of interest that would affect the performance of his or her duties.27

An ADI is required to maintain a fit and proper policy setting out the processes for assessing whether a responsible person is fit and proper, and the consequences that will occur if a person is not fit and proper or ceases to be fit and proper. Information about each responsible person, and a statement of whether he or she has been assessed under the ADI's fit and proper policy, must be given to APRA each time that a person is appointed to a responsible person position or if any of the particulars in the statement changes.

An applicant for ADI authorisation must, at the time of application, satisfy APRA that it fulfils the governance requirements in CPS 510 and CPS 520.

Banking executive accountability regime

The banking executive accountability regime (BEAR) hold ADIs and their senior executives and directors accountable for heightened standards of behaviour. The regime came into force for large ADIs on 1 July 2018, and for small and medium ADIs on 1 July 2019.

In assessing the size of an ADI for the purposes of the regime, calculations are based on a three-year average of total resident assets, as follows: a small ADI has less than or equal to A$10 billion in total resident assets, a medium ADI has between A$10 billion and A$100 billion in total resident assets, and a large ADI has greater than or equal to A$100 billion in total resident assets.

The BEAR consists of four sets of obligations: accountability obligations, key personnel obligations, deferred remuneration obligations and notification obligations.

The accountability obligations under the BEAR apply to ADIs and their accountable persons: senior managers who must be registered with APRA. They require ADIs and their accountable persons to conduct their business and responsibilities with honesty, integrity, due care, skill and diligence; deal with APRA in an open, constructive and cooperative way; and prevent matters from arising that would adversely affect the ADI's prudential standing or prudential reputation. ADIs also have an obligation to ensure that their accountable persons and their non-ADI subsidiaries comply with the accountability obligations.

The key personnel obligations require an ADI to:

  1. ensure that the responsibilities of its and its subsidiaries' accountable persons cover all aspects of the corporate group's operations and all prescribed functions;
  2. ensure that all accountable persons are registered with APRA;
  3. ensure that none of their accountable persons are disqualified by APRA;
  4. comply with directions given by APRA in relation to the ADI's key persons; and
  5. ensure that its non-ADI subsidiaries comply with the key personnel obligations.

BEAR requires ADIs and their accountable persons to conduct their business and responsibilities with honesty, integrity and due care, skill and diligence, deal with APRA in an open, constructive and cooperative way and to prevent matters from arising that would adversely affect the ADI's prudential standing or prudential reputation. ADIs also have an obligation to ensure that their accountable persons and their non-ADI subsidiaries comply with the accountability obligations.

Directors may also be held personally liable for a bank's debts in the same way as for any other company. If the directors fail to fulfil their duties they could be found guilty of a criminal offence that has a penalty of up to 15 years' imprisonment and 4,500 penalty units (A$999,000 at the time of writing) or three times the amount of the benefit derived from the contravention. If found to have contravened a civil penalty provision they could be ordered to pay the government the greater of up to A$1 million or three times the benefit derived from the contravention. They could also be found personally liable to compensate the company or others for the loss or damage they suffered and could possibly be prohibited from managing a company.

The deferred remuneration obligations require ADIs to set remuneration policies that defer a specified proportion of the variable remuneration of accountable persons for at least four years (or a shorter period approved by APRA). The proportion of variable remuneration depends on the particular accountable person's role and the size of the ADI.28 This is intended to incentivise senior managers to make decisions for the long-term benefit of the ADI. This obligation also cannot be avoided simply by not paying variable remuneration or paying only token variable remuneration, as the thresholds are expressed in terms of both variable remuneration and total remuneration (e.g., for the CEO of a large ADI, the lesser of 60 per cent of variable remuneration or 40 per cent of total remuneration must be deferred). Deferred variable remuneration must also be withheld if the ADI considers it likely that an accountable person has failed to comply with his or her accountability obligations, pending determination of whether they have in fact failed to meet their accountability obligations.

The notification obligations require an ADI to:

  1. give to APRA an accountability statement in respect of each accountable person, setting out that person's responsibilities and the parts of the ADI's operations that they manage or control;
  2. give to APRA an accountability map identifying accountable persons, areas of responsibility and reporting lines for the ADI;
  3. notify APRA when a person ceases to be an accountable person;
  4. notify APRA when an accountable person is suspended, dismissed or has their variable remuneration reduced due to failure to comply with the accountability obligations; and
  5. notify APRA when the ADI itself or one of its subsidiaries has failed to comply with its accountability obligations.

iii Regulatory capital and liquidity


Regulatory capital requirements for ADIs (other than foreign ADIs and PPF providers, who are not subject to prudential capital requirements) in Australia are imposed by Prudential Standard APS 110: Capital Adequacy (APS 110), with the different classifications of capital instruments being set out in Prudential Standard APS 111: Capital Adequacy: Measurement of Capital (APS 111). The capital requirements largely mirror Basel III requirements, with amendments where appropriate for the Australian environment and a more conservative approach to the classification of capital instruments. Basel III requirements are fully implemented in Australia, and were in fact implemented ahead of the time frame required by the Basel Committee on Banking Supervision.

According to the RBA, the effect of APRA's adjustments to Basel III standards has the effect of increasing the Common Equity Tier 1 (CET1) capital positions of banks by between 1 and 1.5 per cent of risk-weighted assets.29 Concern has been raised about the impact of this on Australian banks' ability to obtain international funding – because they disclose lower capital ratios than equivalent banks overseas, and it may not be known by potential funders that this is due to more conservative capital standards. In August 2020, APRA published a second discussion paper on the ADI capital framework30 setting out the following options to improve the international comparability of Australian ADIs' capital disclosures:

  1. ADIs continue to use existing capital measurement standards, but APRA would specify a methodology to quantify certain aspects of relative conservatism in Australian capital standards to be used to estimate internationally comparable capital ratios for disclosure purposes only; or
  2. some conservatism in Australian capital measurement standards is relaxed to make them correspond more closely to international capital standards, with minimum capital ratios and capital buffers being increased to maintain ADIs' current capital positions.

On 8 December 2020, APRA published a further discussion paper called 'A more flexible and resilient capital framework for ADIs'.31 This paper specifies that APRA is seeking to reform the capital framework in a way that improves the following objectives and dimensions:

  1. delivering 'unquestionably strong' capital ratios;
  2. ensuring adherence to the internationally agreed Basel standards;
  3. improving the flexibility of the capital framework;
  4. implementing more risk-sensitive risk weights, particularly for residential mortgage lending;
  5. enhancing competition;
  6. improving transparency and comparability; and
  7. applying a proportionate approach for smaller ADIs.

APRA proposes that the new framework, incorporating the above objectives and dimensions, will come into effect from 1 January 2023.32

APS 110 requires ADIs to meet at least the following minimum prudential capital requirements (although APRA may determine a higher minimum prescribed capital ratio for a particular ADI at any time): CET1 ratio of 4.5 per cent of risk-weighted assets (RWA), Tier 1 capital ratio of 6 per cent of RWA and total capital ratio of 8 per cent of RWA.

RADIs, however, must hold their entire capital requirement as CET1 capital, unless they are a mutually owned RADI, in which case they may hold their capital as Tier 2 capital and agree with APRA on a time frame for building up Tier 1 capital.

APS 110 also requires ADIs to hold a capital conservation buffer of CET1 capital of 2.5 per cent of RWA.33 This means that an ADI's CET1 capital ratio must not fall below 7 per cent of RWA at any time. ADIs must also maintain a countercyclical capital buffer of between zero and 2.5 per cent of RWA, with the precise amount determined by APRA for each ADI. ADIs are required to report their countercyclical capital buffer position quarterly under Reporting Standard ARS 110.0. If an ADI's CET1 capital is not sufficient to satisfy the capital conservation buffer and countercyclical buffer requirements, it is constrained in its ability to make distributions (including discretionary bonus payments to staff).

ADIs and authorised NOHCs must obtain APRA's written approval prior to making any planned reduction in capital (including the repayment of any Tier 1 or Tier 2 capital instrument or trading in their own shares), and in seeking that approval give to APRA projections that show that they will meet capital adequacy requirements for at least the next two years.

APS 111 classifies capital instruments as follows.

  1. CET1: a permanent and unrestricted commitment of funds, freely available to absorb losses, not imposing any unavoidable servicing charge against earnings and ranking behind the claims of depositors and other creditors in the winding up of the ADI; it includes paid-up ordinary shares, retained earnings, undistributed current year earnings, accumulated other comprehensive income, land and building revaluation reserves, minority interests that are ordinary shares and regulatory adjustments.
  2. AT1: a permanent and unrestricted commitment of funds, freely available to absorb losses, providing for fully discretionary distributions and ranking behind the claims of depositors and other creditors in the winding up of the ADI; they are instruments that do not meet the requirements for CET1 capital but that rank behind everything except CET1 capital in the winding up of the ADI, are redeemable only by the ADI with the consent of APRA, and convert automatically into ordinary shares or mutual equity interests (MEIs), or are written off on the occurrence of a non-viability trigger event.
  3. Tier 2: irrevocably paid-up instruments with a minimum maturity of five years, amortised on a straight-line basis, redeemable only at the option of the issuing ADI no sooner than five years after receipt of the paid-up amount and only with APRA's approval, and ranking behind everything except CET1 and AT1 instruments in the winding up of the ADI; long-term preference shares or subordinated loans that convert automatically into ordinary shares, mutual equity interests or are written off on the occurrence of a non-viability trigger event.

Notably, APS 111 requires equity holdings and other capital support provided to overseas deposit-taking institutions, holdings of its own capital instruments, asset impairment not recognised in profit or loss, deferred tax assets and liabilities, equity holdings and other capital support provided to non-financial entities, guarantees and any surplus in a defined benefit superannuation scheme, to be deducted in full from CET1 capital. There is no threshold treatment for the deduction of such items. Equity holdings and other capital support provided to financial institutions and own instrument holdings must also be deducted in full from the same tier of capital that the instrument held would qualify for had it been issued by the ADI itself (so, for example, ordinary shares in another financial institution must be deducted from the ADI's CET1 capital). MEIs are instruments representing a claim on the issuing ADI that rank equally with CET1 instruments (but behind the subscription price paid for member shares), and on which distributions can only be made from retained earnings and for an amount no greater than 50 per cent of the issuing ADI's net profit for the period to which the distribution relates. MEIs were defined and allowed to be included in CET1 capital to enable mutual ADIs to raise capital from external sources (that is, from persons other than their members) to meet increasing minimum capital ratios without compromising their mutual status or triggering the demutualisation provisions in the Corporations Act.

For capital adequacy measurement purposes, ADIs must use the standardised approach based on prescribed risk weights for different asset types, with credit risk being dependent on ratings assigned by external credit assessment agencies.34 ADIs may obtain approval from APRA to use their internal risk rating models to rate the risk of their assets and then apply weights prescribed in Prudential Standard APS 113: Capital Adequacy: Internal Ratings-based Approach to Credit Risk.


Prudential Standard APS 210: Liquidity (APS 210) governs ADI liquidity requirements. In addition to requiring ADIs to identify their liquidity risk and develop strategies to manage liquidity and liquidity risk, APS 210 requires ADIs to either meet a liquidity coverage ratio (LCR) or minimum liquidity holdings (MLH), depending on which measure APRA determines applies to the ADI.

An ADI to which an LCR applies must maintain an adequate level of unencumbered high-quality liquid assets (HQLA) to meet its liquidity needs for 30 days under a severe stress scenario. The LCR is calculated as unencumbered HQLA held divided by total net cash outflows over the next 30 days (although APS 210 differentiates between grades of HQLA, mandates at least a 15 per cent haircut to relatively lower quality assets and limits the proportion of HQLA that can comprise relatively lower quality assets). A local ADI must maintain an LCR of at least 100 per cent on both an Australian dollar and all currencies basis. A foreign ADI must maintain an LCR of at least 40 per cent on an all currencies basis. APRA may require an ADI to maintain a higher minimum LCR if it has concerns about the ADI's liquidity risk profile or the quality of its liquidity risk management. An ADI to whom LCR applies must also maintain a net stable funding ratio (NSFR) of at least 100 per cent, unless APRA specifies a higher minimum NSFR for a particular ADI.

An ADI to which MLH applies must hold unencumbered prescribed liquid assets – physical currency, Australian government securities, foreign government securities eligible for repurchase agreements with the RBA, debt securities guaranteed by the Australian government or a foreign government and eligible for repurchase agreements with the RBA, bank bills certificates of deposit and debt securities issued by ADIs and net at-call deposits with other ADIs – equivalent to 9 per cent of its liabilities (both on-balance sheet and irrevocable off-balance sheet commitments). APRA may require an ADI to maintain higher MLH if it has concerns about the ADI's liquidity risk profile or the quality of its liquidity risk management.

Unlike capital requirements, liquidity requirements apply to both locally incorporated ADIs and ADIs that are local branches of foreign banks.

Group supervision

Prudential standards generally apply both to an ADI individually and to the consolidated group of which the ADI or an authorised NOHC is the parent entity (referred to in APRA's prudential standards as Level 1 and Level 2, respectively). Individual prudential standards either specify whether the requirements apply without any difference to the corporate group or prescribe different requirements on a Level 1 and Level 2 basis. For corporate group (Level 2) purposes, APS 110 also gives APRA power to determine which entities are to be included in the group for capital measurement purposes. This enables APRA to exercise supervision over entire banking groups in addition to individual banks.

iv Recovery and resolution

Planning for failure

Although the concept has been suggested, ADIs are currently not required to prepare or maintain recovery and resolution plans (commonly called living wills) to deal with their failure. However, for small to medium ADIs, extra loss-absorbing capacity is required as part of their resolution planning process.

To obtain RADI authorisation, applicants must have a credible exit plan that demonstrates to APRA that they will be able to exit their banking business and protect depositors without relying on the FCS or requiring the use of APRA's crisis management powers. This is because RADIs have a two-year time frame in which they must either transition to full ADI authorisation or cease carrying on banking business.

APRA's Prudential Standard CPS 232 Business Continuity Management requires each APRA-regulated institution and 'Head of a group' (entities that comprise a Level 2 or Level 3 APRA Head)35 to integrate a whole-of-business approach to business continuity management to ensure resilience to business disruption and reduce its impact on the institution's business.

In December 2021, APRA released Prudential Practice Guide CPG 229 Climate Change Financial Risks (CPG 229).36 CPG 229 does not create new obligations for APRA-regulated institutions, but rather provides guidance as to how they can manage climate-related risks within existing risk management frameworks. The release of CPG 229 reflects a growing sentiment among Australian regulators to address the issue of climate-related risks in the financial services and credit industries.37

Regulator's power to take control of distressed ADIs

Broadly speaking, APRA can intervene in an ADI if there is a risk of depositors suffering loss or if there is a threat to the financial system's stability. The Banking Act provides for APRA to take control of a locally incorporated ADI's business, or to appoint an administrator to take control of a locally incorporated ADI's business, if:

  1. the ADI informs APRA that it considers itself likely to be unable to meet its obligations or that it is about to suspend payment;
  2. APRA considers that, without external support, the ADI may become unable to meet its obligations, may suspend payment or is likely to be unable to carry on banking business in Australia consistently with the interests of its depositors or the stability of the financial system in Australia;
  3. the ADI becomes unable to meet its obligations or suspends payment;
  4. an external administrator has been appointed to a holding company of the ADI (whether in Australia or overseas) and APRA considers that it poses a significant threat to the soundness of the ADI, interests of depositors or financial stability in Australia; or
  5. for a foreign ADI, an external administrator or equivalent has been appointed to the ADI or an application has been made for such an appointment.38

Where necessary to facilitate the resolution of an ADI or its corporate group, APRA may also take control of or appoint an administrator to the authorised NOHC of the ADI, another subsidiary of the authorised NOHC or a subsidiary of the ADI.

APRA or the administrator in control of an ADI's business (as appropriate) is referred to as a statutory manager in the legislation. The statutory manager may exercise all of the powers of the ADI during its in control of the ADI, and can compel officers of the ADI to give information to it for the purpose of investigating the affairs of the ADI and resolving the ADI. It may also sell or otherwise dispose of all or part of the ADI's business on terms that it considers appropriate. Where necessary or convenient for facilitating the performance of the statutory manager's functions and duties, the statutory manager may also unilaterally vary the ADI's corporate constitution.

If an ADI is insolvent and APRA considers that it cannot be restored to solvency within a reasonable period (whether or not a statutory manager has attempted to resolve the ADI), APRA may apply to the Federal Court of Australia for an order to wind up the ADI.


In the circumstances described above giving rise to APRA's power to take control of or appoint an administrator to an ADI, as an alternative to appointing a statutory manager, APRA may direct an ADI or an authorised NOHC to increase its capital to a specified level.39 The direction may require the ADI to issue shares in itself, rights to acquire shares in itself or such other kinds of capital instruments as specified by APRA in the direction. However, as a safeguard for existing shareholders of the ADI, APRA must obtain an expert's report on the fair value of shares in the ADI prior to directing an ADI to issue such shares or rights to acquire shares. While APRA must consult with the competition regulator, the Australian Competition and Consumer Commission (ACCC), before giving a recapitalisation direction, the acquisition of shares, options or other capital instruments in an ADI that were issued in compliance with a recapitalisation direction is exempt from competition legislation prohibiting mergers and acquisitions that lessen competition.

Once an ADI is under the control of a statutory manager, the statutory manager may issue shares in the ADI or rights to acquire shares in the ADI, cancel shares or rights to acquire shares in the ADI, cancel paid-up share capital that is not represented by available assets or vary the rights attached to a class of shares in order to recapitalise the bank.40 The statutory manager can do this of its own motion without express direction from APRA, but its recapitalisation actions are subject to the same requirement to obtain and consider an independent report on the fair value of the ADI's shares prior to taking any recapitalisation action.

Deposit guarantee: the FCS

The Banking Act was amended in 2008 to implement the FCS, a federal government deposit guarantee scheme applicable to deposit accounts41 held with local ADIs (including Australian incorporated subsidiaries of foreign banks, but not mere branches of foreign banks). Under the FCS, the Treasurer may declare that the FCS applies to an ADI if a statutory manager is in control of an ADI or APRA has applied for an ADI to be wound up. Operation of the FCS is not automatic; it is activated at the discretion of the Treasurer (although, in relation to a large ADI, the political pressure to do so may well be hard to avoid). Once activated, the FCS is administered by APRA.

An account holder with an ADI subject to a declaration is entitled to payment of the balance of his or her account, plus uncredited interest up to the date of the declaration, up to a maximum amount of A$250,000. The A$250,000 limit applies across all protected accounts held with an ADI, including any seemingly separate brand under which the ADI may trade, but does not extend between ADIs, so a person with accounts with multiple declared ADIs may recover more than A$250,000 in aggregate. APRA may pay FCS amounts to account holders either directly or into an account established for them (with or without their consent) at another local ADI. Upon payment of an FCS amount to an account holder, APRA is subrogated to the account holder's claim against the ADI. If the FCS does not cover any part of the account holder's deposits with the bank (e.g., if the account balance exceeded A$250,000), it remains a debt of the ADI owing to the account holder and may be admitted in the winding up of the ADI without proof by the account holder. APRA's costs of administering the FCS are also a debt payable to APRA, provable in the winding up of the ADI.

Bail-in powers

Australia does not have any mandatory bail-in provisions for creditors of ADIs or their holding companies. The terms of particular debt instruments may provide for automatic writing-off or conversion to equity on the occurrence of certain events, providing for the same outcome in substance as a bail-in, but any such write-off or conversion occurs pursuant to the contract between the entity and the holder of the instrument, rather than a special bail-in provision. Under APS 111, instruments must provide for writing-off or conversion into ordinary shares (or mutual equity interests) on the occurrence of certain non-viability events if they are to qualify as AT1 or Tier 2 capital. The big four banks regularly issue preference shares and convertible notes on terms that provide for mandatory conversion to ordinary shares on the occurrence of certain non-viability events, so that those instruments qualify as AT1 or Tier 2 capital.

Other debts not containing write-off or conversion provisions are not subject to mandatory bail-in. However, if the statutory manager of a distressed ADI sells all or part of the ADI's business to a third party on terms that do not involve the third party assuming the liabilities associated with that business (which the statutory manager is empowered to do, and which will likely be necessary in many cases to protect depositors and maintain financial system stability), non-depositor creditors of the distressed ADI will have little prospect of recovery and will likely be in substantially the same position as if they had been bailed-in.

Conduct of business

The conduct of banks' business in Australia is governed by general law and statute law. In addition to ADI-specific rules discussed elsewhere in this chapter, the following legislation governs banks in the activities that they typically undertake:

  1. the National Consumer Credit Protection Act 2009 (Cth): regulates conduct in relation to credit provided to consumers, including pre-contractual disclosure, the terms on which credit is provided and enforcement against defaulting consumers;
  2. the Corporations Act 2001 (Cth): Chapter 7 regulates conduct in relation to financial products and services, including financial advice, deposit account provision, insurance and insurance claims handling, stockbroking, asset custody, wealth management, market-making and crowd-sourced funding;
  3. the Australian Securities and Investments Act 2001 (Cth): Division 2 of Part 2 contains consumer protection obligations in relation to financial services (which for this purpose include credit), most notably obligations to not engage in misleading or deceptive conduct or unconscionable conduct, and protections against unfair contract terms in standard form consumer and small business contracts for financial products or services;
  4. the Privacy Act 1988 (Cth): regulates entities' dealings with personal information about individuals, including credit reporting information;
  5. the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth): imposes obligations in relation to the prevention of money laundering and terrorism financing, including customer identification, transaction monitoring, and reporting and suspicious matter reporting. Most financial activities by banks, including the provision of deposit accounts and making of loans, are designated services that give rise to obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act;
  6. the Personal Property Securities Act 2009 (Cth): governs the creation, priority and enforcement of security interests in property other than land (subject to some exceptions); and
  7. state and territory real property legislation: in relation to dealings in land and the creation and enforcement of mortgages over land; and
  8. the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act): provides a framework to prevent threats of sabotage, espionage and coercion posed by foreign involvement in Australia's critical infrastructure. The SOCI Act has been expanded to the financial services and markets sector to include critical banking assets.

As a condition of their credit licences and AFSLs, banks must be members of the Australian Financial Complaints Authority (AFCA) external dispute resolution scheme. AFCA is a free and independent non-judicial dispute resolution service for consumers and small businesses to bring complaints against financial service providers. AFCA is not constrained by law and procedure in the same manner as a court, and is able to have regard to community standards and good industry practice when determining a dispute. If AFCA identifies systemic issues in the course of determining a dispute, it may refer these to ASIC to further action. ASIC has published the ePayments Code, which is currently a non-binding code that providers of electronic payment facilities may subscribe to. Although a voluntary code, the ePayments Code gains legal force by being incorporated into the contracts between the payment facility provider and the consumer. The ePayments Code sets out rules concerning the disclosure of terms and conditions and the allocation of liability in relation to fraudulent and mistaken electronic payments, more specifically:

  1. at least 20 days' advance written notice of changes to the terms and conditions of the facility that may be adverse to the consumer;
  2. no liability for the consumer as a result of an unauthorised transaction occurring after the consumer has informed the provider that a device used to make payments (e.g., a card) has been misused, lost or stolen, or that the security of a passcode has been breached; and
  3. requiring consumers' ADIs to investigate and take steps to recover internet payments made mistakenly by the consumer, and to cooperate with other ADIs in recovering mistaken payments for their customers.

The banking industry in Australia also self-regulates through voluntary codes of practice developed and regulated by industry associations. The major industry codes of practice are the Australian Banking Association's Banking Code of Practice and the Customer Owned Banking Association's Customer Owned Banking Code of Practice. Compliance with an industry association's code of practice is a condition of membership of industry associations, and the terms of the applicable code are incorporated into the banker–customer contract. Industry codes of practice include consumer protection obligations that go beyond what is required by law, and also operate for the benefit of small businesses. Membership of an industry association is not mandatory for an ADI.

Following the Banking Royal Commission, the Financial Sector Reform (Hayne Royal Commission Response) Act 2020 was enacted, and commenced on 1 January 2021. The Act implements the government's response to 20 recommendations in the Commission's Final Report, which took effect in various phases throughout 2021. Notably, the new Act amends the Corporations Act 2001 (Cth) to strengthen the existing voluntary code of conduct framework by enabling ASIC to designate enforceable code provisions in approved codes of conduct. This reform represents a diametric shift in the administration of Australian codes of practice, for example the ePayments Code and the Banking Code of Practice. This framework enables ASIC to approve codes of conduct via a legislative instrument that may contain enforceable code provisions. A breach of an enforceable code provision is subject to infringement notices and civil penalties.

Banks have a common law duty of confidentiality to their customers, arising from an implied term in their contracts with customers. This duty is separate to any obligation in the Privacy Act and is owed to both natural person and corporate customers. The duty extends beyond information obtained from the customer's account to any information obtained from the banking relationship with the customer. Australian courts have recognised the English decision in Tournier v. National Provincial & Union Bank of England,42 which identified four circumstances where a banker may disclose otherwise confidential information:

  1. where disclosure is under compulsion of law;
  2. where there is a duty to the public to disclose;
  3. where the interests of the bank require disclosure, and
  4. where the disclosure is made with the express or implied consent of the parties.


The majority of bank funding is sourced through deposits, wholesale debt and equity. Following the global financial crisis, there has been a broad shift in funding sources towards more stable sources such as retail deposits and Tier 1 capital instruments. The big four banks and Macquarie Group all have on issue a range of debt-equity hybrid instruments (preference shares, convertible notes, etc.) that provide an alternative source of stable long-term funding.

The RBA provides a committed liquidity facility (CLF) as a part of Australia's implementation of the Basel III liquidity standards. The facility is required due to the limited amount of government debt on issue in Australia and ensures that participating ADIs have enough access to liquidity to respond to an acute stress scenario. The CLF allows participating ADIs to access pre-specified amounts of liquidity by entering into repurchase agreements of eligible securities outside the RBA's normal market operations.43 ADIs are required to pay a fee of 15 basis points per annum, dependent on the size of the agreement, which is payable on both drawn and undrawn commitments. The cost of repurchase transactions to an ADI is either the target cash rate or the target cash rate plus a margin of 25 basis points (depending on the term of the repurchase transaction).

In addition to the FCS, during the global financial crisis the federal government implemented a temporary guarantee for ADIs' large deposit and wholesale funding liabilities. Initially, all wholesale funding instruments were guaranteed without charge, but from late November 2008 only pre-approved funding instruments would be guaranteed and a charge was imposed for the guarantee. The scheme closed to new liabilities on 31 March 2010, but existing liabilities from before that date remain covered to maturity.44

Control of banks and transfers of banking business

i Control regime

A 20 per cent ownership cap for financial sector companies exists in Australia to increase financial stability by limiting ties between an institution and the finances of any particular investors and their associates. Given the importance of ADIs to Australia's economic wellbeing, the ownership cap also prevents any person from accumulating large amounts of power in the financial system. An amendment to the Financial Sector (Shareholdings) Act 1998 (Cth) prohibits a person, or two or more persons under an agreement, from acquiring greater than 20 per cent of a financial sector company's voting shares without the consent of the Treasurer. A shareholding greater than 20 per cent is considered an unacceptable shareholding situation, and will constitute an offence punishable by a fine no greater than 400 penalty units (A$88,800 at the time of writing) if a person was reckless as to whether the acquisition would result in this situation.45 Financial sector companies include ADIs and holding companies of ADIs.

If an unacceptable shareholding situation exists, the Federal Court may make orders to ensure the situation ceases. This may include requiring the disposal of shares, restraining the exercise of rights attached to shares, or prohibiting or deferring payment of sums related to the shares, such as dividends.46

A person may apply to the Treasurer for approval to hold more than a 20 per cent share in a financial sector company. The application must specify the percentage stake the person currently holds in the company, the percentage he or she is seeking to hold, and set out the person's reasons for acquiring that interest, and the applicant must pay the prescribed fee.

In approving an application, the Treasurer may specify a period for which the approval remains in force, or may allow it to remain in force indefinitely. The Treasurer may revoke this approval by written notice if he or she is satisfied that it is in the national interest, that an unacceptable shareholding situation exists or that there has been a contravention of an approval condition.

Since 1 April 2019, new or recently established ADIs may also apply to the Treasurer for a higher shareholding cap if their assets are less than A$200 million and the proposed shareholder is a fit and proper person to hold a stake greater than 20 per cent.

The Financial Sector (Shareholdings) Act also enables the Treasurer to declare that a person has practical control of a financial sector company if, either alone or together with associates, he or she does not hold a greater than 20 per cent stake in the company, but he or she is in a position to exercise control over the company, or the directors are obliged or accustomed to act in accordance with, the person's wishes or instructions.47 The person is then required to take any steps necessary to relinquish his or her practical control of the company; this must be done within 90 days of being given a copy of the Treasurer's declaration, unless the Treasurer allows a longer period.

Since 1990, the federal government has maintained a four pillars policy under which it commits to preventing any acquisitions or mergers between the big four banks. This is a long-standing policy, being an indication of how discretionary powers under competition legislation will be exercised, rather than formal regulation itself. It has bipartisan support and has survived numerous changes in government. The policy has been criticised by the Australian Productivity Commission for enabling complacency among the big four banks, removing the threat of takeover as a means of encouraging efficiency, but it is unlikely to be relaxed in light of the overwhelming market share that the big four banks currently collectively have.

The Competition and Consumer Act 2010 (Cth) prohibits acquisitions of shares in companies (or the assets of a company) that would, or would be likely to, have the effect of substantially lessening competition in any market, unless the acquisition is authorised by the ACCC.48 While this would likely prevent the big four banks from acquiring other ADIs, it is unlikely to prevent consolidation among smaller ADIs to build a scale that enables them to better compete with the big four banks.

ADIs are subject to the provisions of the Corporations Act dealing with changes in corporate control generally. If an ADI or NOHC is publicly listed, or is unlisted but has more than 50 shareholders, a person cannot increase his or her voting power in the company to more than 20 per cent, or by more than 3 per cent every six months if he or she already holds more than 20 per cent, without making a takeover bid to shareholders generally.49 A scheme of arrangement under Part 5.1 of the Corporations Act provides an alternative mechanism for obtaining control of an ADI.

Acquisitions of local ADIs by foreign persons are also subject to the Foreign Acquisitions and Takeovers Act 1975, which requires acquisitions of a substantial interest in an Australian corporation by foreign persons that meet a monetary threshold to be notified to the Treasurer, and empowers the Treasurer to prohibit the acquisition or to require the acquired assets to be disposed of if the acquisition is not in the national interest. At the time of writing, the monetary threshold is A$1.154 billion (reduced to A$266 million for persons from countries with which Australia has a relevant agreement); this amount is indexed annually.

ii Transfers of banking business

Transfers of banking business in Australia are regulated by the Financial Sector (Transfer and Restructure) Act 1999.

An ADI's banking business is a regulated business for the purposes of the Financial Sector (Transfer and Restructure) Act, and an ADI is a regulated body. Prior to a transfer of banking business taking effect, it must be approved by APRA. Two ADIs may apply to APRA for approval of a voluntary transfer of business from one of the ADIs to the other. APRA must approve the transfer if the application has been properly made; the transfer has been adequately adopted by the transferor and transferee (that is, proper governance procedures have been followed to approve the transfer); the transfer should be approved having regard to the interests of depositors of the transferor and transferee and the financial sector as a whole; and the Treasurer consents to the transfer (unless the Treasurer has determined in writing that his or her consent is not required). While the interests of customers are considered, customer consent is not required for APRA to approve a voluntary transfer of banking business.

If APRA approves a voluntary transfer of banking business, it must issue a certificate of transfer setting out material particulars of the transfer. The transfer takes effect when the certificate of transfer comes into force (this is specified in the certificate of transfer). When the certificate of transfer comes into force, all relevant assets and liabilities of the transferor become assets and liabilities of the transferee without further action by either party. The transferee becomes the successor in law to the transferor to the extent of the transfer.

The Financial Sector (Transfer and Restructure) Act also enables APRA to determine that all or part of an ADI's banking business is to be compulsorily transferred to another body corporate. APRA may make such a determination if the Treasurer has made a determination that there should be a compulsory transfer of banking business or APRA is satisfied that the transferring body has contravened the Banking Act, the ADI has informed APRA that it is likely to become unable to meet its obligations or to suspend payment, or a statutory manager has been appointed to the ADI. APRA may also only make a determination for the compulsory transfer of banking business from an ADI if it is satisfied that the transferee consents to the transfer (it cannot compel another ADI to take on an ADI's banking business) and if the Treasurer has consented to the transfer (or has determined in writing that his or her consent is not required).

If APRA has determined that a compulsory transfer of banking business should occur, it must issue a certificate of transfer setting out particulars of the transfer. As discussed above in relation to voluntary transfers, a compulsory transfer takes effect when the certificate of transfer comes into force and thereafter the transferee becomes the successor in law to the transferor to the extent of the transfer. The Financial Sector (Transfer and Restructure) Act prevents contractual counterparties of the transferor and its related bodies corporate from denying contractual obligations, accelerating any debt, closing out any transaction under a contract or enforcing any security under a contract as a result of a compulsory transfer of banking business taking effect under the Act.

Under the Financial Sector (Transfer and Restructure) Act, APRA may also determine that all shares in an ADI are to be transferred to a particular transferee. When a certificate of transfer in relation to such a determination comes into force, all shares in the ADI become held by the transferee without any further action required by any person.

The year in review

The year 2021 brought a number of changes and challenges for the banking industry. Although delayed by the impact of covid-19, the federal government continued to legislate changes implementing the recommendations of the Banking Royal Commission. Public scrutiny of the big four banks continued as numerous class actions continue on behalf of consumers for breaches.

i Banking Royal Commission final report implementation

In response to the findings of the Banking Royal Commission, the federal government released the Financial Services Royal Commission Implementation Roadmap on 19 August 2019, outlining its plan to introduce legislation over the coming years. These include the aforementioned Hayne Royal Commission Response, which implemented key reforms impacting the banking sector, all of which have come into force in 2022. These include:

  1. enforceable code provisions: building on ASIC's existing power to implement codes of conduct, the regulatory body will be authorised to impose civil penalties or pursue administrative actions against signatories for breaches of enforceable industry code provisions;
  2. banning the hawking of financial products: designed to strengthen the existing hawking prohibitions, the Act introduces a general prohibition on 'offers to sell or issue financial products to a retail client in the course of, or because of, unsolicited contact';
  3. reference checking and information-sharing protocol: AFSL holders and credit licensees will be required to comply with new referencing checking, information-sharing and record-keeping protocols, the breach of which will result in a civil penalty;
  4. breach reporting and remediation: superseding the current breach reporting obligations under the Corporations Act, the Act introduces a new breach reporting and remediation regime intended to clarify reportable situations and extend notification requirements to affected clients; and
  5. a statutory obligation for ASIC and APRA to cooperate: APRA and ASIC are required to cooperate with one another in the performance of their functions through the sharing of information and the obligation to notify each other when they reasonably believe a material breach of the other's legislation has occurred. This reform still remains to be implemented.

In July 2021, the Treasury released the exposure draft of the Financial Accountability Regime (Consequential Amendments and Transitional Provisions) Bill 2021 (FAR Bill) which, if implemented, would expand the current obligations under the BEAR regime and extend the BEAR regime across the banking sector to ADIs and their authorised non-operating holding companies, and provide joint administration to ASIC as the conduct regulator. The proposed regime will amend variable remuneration, expand the types and obligations of accountable persons, grant APRA the power to veto accountable person appointments and introduce increased penalties. Some obligations under the BEAR will continue to apply to the banking sector (ADIs and their subsidiaries) after the application of the FAR Bill to enable the transition from the BEAR regime.

At the time of writing, the FAR Bill remains before the House of Representatives in Federal Parliament.

On 25 February, the Financial Sector Reform (Hayne Royal Commission Response No. 2) Act 2020 came into force. This implemented the Hayne Royal Commission recommendations in relation to ongoing advice fee arrangements. The Act took effect on 1 July 2021.

ii ASIC embedding supervision in banks

In 2018, ASIC's chairman, James Shipton, announced plans to embed teams of ASIC agents in the big four banks (NAB, ANZ, CBA and Westpac) and financial services company AMP to identify any misconduct before it occurs.50 This A$8 million project forms part of the A$70.1 million funding aimed at equipping and strengthening ASIC's enforcement capabilities. By 15 November 2019, up to 20 ASIC agents had been embedded in the banks and AMP for 205 days and had participated in 713 meetings with banking staff.51 However, the programme was suspended in March 2020 due to covid-19, which forced tens of thousands of bank staff to work remotely. While ASIC has engaged in virtual supervision, this programme has not resumed onsite, appearing to have been indefinitely shelved as an ASIC priority. As on-site supervisory work continues to be challenging, ASIC has committed to its monitoring programme through information-sharing arrangements.52

iii Neobanks

The RADI path to ADI authorisation introduced by APRA in May 2018 has proved popular, with a number of neobanks seeking RADI authorisation. At the time of writing, more than three banks have transitioned from RADI to full ADI status, one of which has since exited the market and returned its ADI licence. Despite a long line of applicants, only one additional bank has been granted RADI authorisation.

These neobanks seek to disrupt traditional banking models, aiming to compete on price and provide a more seamless customer experience through a digital-only model. A neobank, or 'smartbank', is accessed through a smartphone app and is not formally owned by the big four banks. At the time of writing, the neobanks operating in Australia include Up; 86400; Alex; Volt; BNK; Revolut; Hay; Judo; and Tyro.

On 29 January 2020, NAB announced its intention to acquire Australian neobank 86400 at a cost of approximately A$220 million.53 In May 2021, NAB combined the neobank with its digital-only subsidiary, UBank, to improve its technology platform and mobile banking systems.

Given the constraints of the covid-19 pandemic, APRA suspended the issuance of new banking licenses from March 2020 until March 2021. Since the suspension on issuance was lifted, ARPA granted Alex Bank Pty Ltd a restricted licence to operate as a RADI in July 2021, making it the first in more than one-and-a-half years. APRA released a revised approach to licensing and supervising new ADIs in August 2021.54 This provides expanded and updated guidance for new ADI applicants.

Despite the availability of this new path, two emerging banks have chosen to use the direct ADI route over the past two years. Prior to the regulatory changes introduced by the federal government in the 2017 budget, APRA had only granted one new banking licence to a new local player in the previous decade – payments disrupter Tyro.

A prominent banking failure, in the Australian banking context, is the demise of neobank Xinja Bank (Xinja). In December 2020, Xinja exited the banking industry and returned its ADI licence. Wayne Byres, the chair of APRA, described the demise of Xinja as a 'successful failure', as all deposits were returned to customers. Nonetheless, there have been queries in relation to Xinja's failure, specifically whether there was sufficient due diligence conducted on Xinja's funding profile and whether regulators understood the implications of Xinja's deposit-only business model.

iv Open banking

In November 2017, the federal government announced its intention to create a consumer data right (CDR): a right for consumers to direct a holder of certain data about them to supply that data to another person, or to provide a consumer with a copy of that data. Following this announcement, the ACCC released a timeline for the implementation of the CDR in the banking sector. Accordingly, the CDR is to be implemented in phases categorised by financial products and distinguished between general product and consumer-specific data. The four major banks were required to have made available all required data from 1 February 2021, whereas all other ADIs have until 1 February 2022, at which point open banking will become fully operational.

To receive consumer data, businesses and fintechs must obtain accreditation from the ACCC. Under the Accreditation Guidelines,55 all non-authorised deposit-taking institutions must complete the standard form, whereas ADIs are permitted to complete a streamlined variant. ADIs wishing to receive data will first need to provide data to become accredited recipients.

The CDR will be governed by overarching legislation in the Competition and Consumer Act 2010 and the Privacy Act 1988, with sector-specific rules and technical standards providing detailed requirements for implementing the right in particular sectors and with respect to particular data types (e.g., bank account transaction data). Although the CDR is presently overseen by the ACCC, the Senate Select Committee on Financial Technology and Regulatory Technology recommended in its interim report the establishment of a new national regulatory body responsible for the implementation of the CDR to ensure greater efficiency and accountability.

The CDR will increase competitive pressures on banks by removing the information advantage that they have with respect to their current customers. It will also reduce barriers to entry into businesses currently carried on largely by banks, including lending and insurance, by making it easier for new entrants to assess the risk profile of customers and set prices accordingly.

Furthermore, in 2021, the CDR was subsequently amended by both the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 1) 2021 and (No. 2) 2021. Generally, these amendments aim to give effect to the government's intention to:56

  1. facilitate greater participation in the CDR regime by participants and consumers;
  2. provide greater control of and choice to consumers in sharing their data;
  3. promote innovation of CDR offerings including intermediary services; and
  4. enable services to be more effectively and efficiently provided to customers.

These changes will continue to increase the agility of the CDR to reflect the changing demands of open banking systems in Australia in 2022.

v Critical infrastructure reforms

In November 2021, the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (Cth) (Critical Infrastructure Bill) was passed, amending The Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act). The SOCI Act was first passed to safeguard Australian critical infrastructure of national importance. The SOCI Act provides a framework to prevent threats of sabotage, espionage and coercion posed by foreign involvement in Australia's critical infrastructure.57 Accordingly, the Critical Infrastructure Bill was passed into law on 22 November 2021, substantially increasing the federal government's power to impose obligations in relation to critical infrastructure assets. Important reforms include:

  1. additional positive security obligations for critical infrastructure assets, including a risk management programme, to be delivered through sector-specific requirements, and mandatory cyber incident reporting;
  2. enhanced cybersecurity obligations for those assets most important to the nation, described as systems of national significance; and
  3. government assistance to relevant entities for critical infrastructure sector assets in response to significant cyberattacks that impact on Australia's critical infrastructure assets.

The Critical Infrastructure Bill expands the definition of critical infrastructure sectors to include the financial services and markets sector.58 Notably, a critical banking asset is taken to relate to the financial services and market sector. Section 12G has been inserted into the Act, defining a critical banking asset as an asset that is critical to the functioning, security and stability of financial services and markets. The stability and operational efficiency of the banking system is consequential to business confidence and, by extension, to the Australian economy. As such, the severe compromise of any of Australia's largest banks can have detrimental economic and security impacts given their high volume of retail customers.

vi Review of the payments system

In August 2021, the Australian Payments System Review Report (dated August 2021) was released and commissioned by the Morrison government to investigate the regulatory architecture of the Australian payments system, to assess whether this system was fit for purpose and responsive to advances in payments technology and changes in consumer demand.59 This included investigating whether the framework fostered innovative services, as well as generating productivity-enhancing innovation and competition to facilitating the implementation of government policy.60

On 8 December 2021, the government released its response to the Payment System 61

  1. modernising the payments system legislation to accommodate new and emerging payment systems;
  2. establishing a market licensing framework for digital currency exchanges; and
  3. mandating the ePayments Code for payments licensees.

These changes are likely to lead to an updated and refreshed financial regulatory and payments regime that is fit for the future.62 The Treasury has indicated that in early 2022, it will advise the government on its consultation regarding the recommendations in the Report, but has not provided a time frame for the conclusion.

vii Design and distribution obligations

From 5 October 2021, new product design and distribution obligations (DDO) came into force. The reforms require financial services to design products to meet the needs of consumers and distribute them in a more targeted manner. Financial products to which the DDO apply include, among others, credit facilities and basic banking products. Central to the new regime is the requirement for financial product issuers to prepare a Target Market Determination (TMD) describing who a financial product is appropriate for. It is likely that further guidance regarding the content of TMDs will emerge over the next 12 months as regulatory action is taken to address those that are not described with sufficient granularity.

Outlook and conclusions

Overall, the Australian banking sector is a mature, stable and well-regulated industry. While the Banking Royal Commission has exposed examples of wrongdoing among the major banks, this largely concerned their diversified financial services activities rather than core banking activities. However, banks will be subject to increased public scrutiny and political pressure in the short term, and can expect a more aggressive approach from regulators than they have been accustomed to in the past. Banks' organisational cultures and incentive structures will also be subject to greater scrutiny.

The reduction in trust in traditional banks will provide opportunities for new entrants into the banking industry, and the RADI licensing pathway will improve new players' ability to enter the industry. Open banking reforms (consumer data rights) will reduce established banks' information advantages over new entrants. Furthermore, it can be expected that ASIC and APRA will implement and promote new legislative and regulatory changes in the industry, given the release of their Corporate Plans for 2021–2025 on 26 August 2021. In particular, APRA's Corporate Plan sets out APRA's strategic priorities for protecting bank deposit-holders, insurance policyholders and superannuation members during the current covid-19 pandemic era of disruption and uncertainty. APRA claims that the Corporate Plan is two-fold: 'protect today, prepared for tomorrow'. Banks can expect to be required to hold larger amounts of regulatory capital to maintain their prudential standing. This will reduce the quantity of credit that banks can provide, and affect their ability to engage in riskier but socially beneficial lending. An area of likely impact is lending to small businesses. Falling capital city housing markets may also increase mortgage portfolio loss rates and place pressure on banks' regulatory capital positions.


1 Andrea Beatty is a partner, Chelsea Payne is an associate, Lucy McCoy is a lawyer, Shannon Hatheier is a law graduate and Tom Murdoch is a law clerk at Piper Alderman. The authors would like to thank Gabor Papdi and Chloe Kim for their contributions to previous editions.

2 Commissioners of the State Savings Bank of Victoria v. Permewan Wright & Co Ltd (1914) 19 CLR 457 at 471.

3 Banking Act 1959 (Cth) Section 5(1).

4 Banking Act 1959 (Cth) Section 8.

5 Banking Act 1959 (Cth) Section 7.

6 Corporations Act 2001 (Cth) Section 913B(5).

7 National Consumer Credit Protection Act 2009 (Cth) Section 38.

8 APRA, ADI Authorisation Guidelines (April 2008), [15]–[33].

9 A more precise definition is provided in Section 9 of the Payment Systems (Regulation) Act 1998 (Cth).

10 Banking Regulation 2016 (Cth) Regulation 6.

11 Financial Sector Reform (Amendments and Transitional Provisions) Act (No. 1) 1999 (Cth).

12 Corporations Act 2001 (Cth) Schedule 4, Clause 29.

13 Banking Act 1959 (Cth) Section 9(3A).

14 Australian Prudential Regulation Authority Act 1998 (Cth) Section 13.

15 Australian Prudential Regulation Authority Act 1998 (Cth) Section 8.

16 Australian Prudential Regulation Authority Act 1998 (Cth) Section 8A.

18 APRA, Corporate Plan 2020–2024 (August 2020), p. 15:

19 Terms of Reference for the Trans-Tasman Council on Banking Supervision,

20 The levy threshold is indexed quarterly by multiplying the amount (A$100 billion) by the indexation factor for the particular quarter and rounding the result down to the nearest A$1 million. The indexation factor for a particular quarter is calculated by dividing the GDP number for the preceding quarter by the GDP number for the base quarter.

21 While Australia does not have any formal bank bailout scheme other than the FCS in respect of deposits up to a certain amount, the size and market share of each major bank and their importance to the Australian economy means that they are likely to be bailed out by the government if they ever encountered financial distress. Parliament of Australia, 'The Major Bank Levy explained' (23 June 2016),

22 APRA, 2020–24 Corporate Plan, p. 2.

23 APRA, 2018–22 Corporate Plan, p. 3.

24 See reporting standards ARS 320.0, ARS 322.0 and ARS 323.0.

25 See, for example, reporting standards ARS 320.1 (debt securities held), ARS 320.4 (bill acceptances and endorsements) and ARS 320.8 (housing loans).

26 See, for example, Interim Report: Royal Commissions into Misconduct in the Banking, Superannuation and Financial Services Industry (28 September 2018), executive summary, p. 1.

27 Due to potential inconsistencies with the obligations of accountable persons under the banking executive accountability regime, APRA has committed to a policy timeline to update CPS 520 and CPS 510, with consultations beginning in 2023; APRA, APRA's Policy Priorities (February 2022), p. 19:

28 Banking Act 1959 (Cth) Section 37EB.

29 RBA, Financial Stability Review – September 2013: Box B: The Basel III Capital Reforms in Australia,

30 APRA, 'Discussion paper: Improving the transparency, comparability and flexibility of the ADI capital framework' (14 August 2018).

31 APRA, 'Discussion paper: A more flexible and resilient capital framework for ADIs' (8 December 2020).

32 APRA, 'Discussion paper: A more flexible and resilient capital framework for ADIs' (8 December 2020).

33 In December 2021, APRA released consultation draft guidance on a new framework, contained in Prudential Practice Guide APG 110 Capital Adequacy (draft APG 110). For the large banks, APRA retains the minimum PCR at 4.5 per cent for Common Equity Tier 1 Capital and sets a baseline level for the countercyclical capital buffer of 1 per cent of RWA but increases the capital conservation buffer from 2.5 to 4 per cent.

34 Prudential Standard APS 112: Capital Adequacy: Standardised Approach to Credit Risk.

35 APRA, Prudential Standard APS 001 Definitions,

36 APRA, Consultation on draft Prudential Practice Guide on Climate Change Financial Risks,

37 APRA, Consultation on draft Prudential Practice Guide on Climate Change Financial Risks,

38 Banking Act 1959 (Cth) Section 13A(1).

39 Banking Act 1959 (Cth) Section 13E.

40 Banking Act 1959 (Cth) Section 14AA.

41 Except credit balances on loan accounts or credit cards, purchased payment facilities, prepaid card and wallet facilities, and nostro and vostro accounts of foreign corporations carrying on banking or financial services business in a foreign country: Banking Regulation 2016 (Cth) Regulation 8.

42 Tournier v. National Provincial & Union Bank of England [1924] 1 KB 461.

45 Financial Sector (Shareholdings) Act 1998 Section 11.

46 Financial Sector (Shareholdings) Act 1998 Section 12.

47 Financial Sector (Regulation) Act 1998 (Cth) Section 23.

48 Competition and Consumer Act 2010 (Cth) Section 50.

49 See Chapter 6 of the Corporations Act 2001 (Cth).

50 'ASIC's approach to enforcement after the Royal Commission', speech by Sean Hughes at 'Banking in the Spotlight': the 36th Annual Conference of the Banking and Financial Services Law Association,

57 The Security of Critical Infrastructure Act 2018 (Cth) Section 3-4.

58 The Security of Critical Infrastructure Act 2018 (Cth) Part 2.

The Law Reviews content