APRA Chair John Lonsdale - Speech to Australian Banking Association Conference 2025
Key points
- “Whether it’s the prospect of a trade war sparking a global recession or a major cyber-attack on the payments system, Australians expect their banks, insurers and superannuation funds to be resilient and prepared for these risks. APRA’s prudential framework and supervision of these financial institutions seek to ensure they are. But Australians face other risks to their financial security: weak productivity growth; a lack of dynamism and innovation in the economy; declining GDP per capita; steep cost of living pressures combined with high household debt and increasingly unaffordable housing.”
- “As part of the Council of Financial Regulators’ review of small and medium banks, APRA has identified a range of areas where we believe we can adjust some regulatory requirements and provide more scope for sensible risk-taking. But given the level of volatility and uncertainty in the operating environment, there are other areas where we believe increased vigilance is critical; in particular cyber risk, operational risk and geopolitical risk.”
- “Our commitment to getting the balance right therefore can’t be about reducing the resilience of the system or holding back when risks are building. But we do need to be mindful about the impact of our work on competition and efficiency, and resist the urge to introduce requirements that are “nice to have” but not essential for financial stability.”
- “On cyber risk, one of the most pressing issues is weaknesses in authentication controls, an issue that was highlighted by the credential stuffing attacks on several superannuation funds that emerged in April. This issue prompted a heightened focus by APRA on how trustees are managing cyber security, however banks can’t afford to be complacent or assume they don’t have similar vulnerabilities.”
Good morning and thank you for the invitation to be here today.
In 2016, a group of American economists published their first Economic Policy Uncertainty Index for Australia. Similar to other national indices the group developed, the Australian index measured the number of times in a month that articles in major newspapers mentioned terms such as “uncertainty” and “economy”, plus a range of other policy-relevant terms; for example regulation, taxation or legislation.
Using this method retrospectively, they measured economic policy uncertainty in Australia in October 2001 – the month after the 9/11 terrorist attacks – at 271. It reached 291 in October 2008 at the height of the global financial crisis. Until recently, the record high – 329 – was recorded in July 2016, coinciding with Brexit and the Nice terrorist attacks. Then in March this year, the index reached 382 before rocketing to 625 in April as financial markets roiled in the aftermath of the Liberation Day tariffs.
Australians are far from alone in feeling uncertain. The Vix Index, which primarily reflects US stock prices, is currently recording some of the highest levels of volatility since the start of the pandemic. Meanwhile, the World Uncertainty Index, developed by economists from the IMF and Stanford University, is registering the highest global levels of uneasiness for 60 years.
As a mid-sized economy dependent on overseas markets for capital and investment, Australia and its financial system are deeply interconnected with the international economy. Whether it’s the prospect of a trade war sparking a global recession or a major cyber-attack on the payments system, Australians expect their banks, insurers and superannuation funds to be resilient and prepared for these risks. APRA’s prudential framework and supervision of these financial institutions seek to ensure they are.
But Australians face other risks to their financial security: weak productivity growth; a lack of dynamism and innovation in the economy; declining GDP per capita; steep cost of living pressures combined with high household debt and increasingly unaffordable housing.
A well-regulated financial system may be a prerequisite for long-term economic growth, but regulation isn’t cost-free. Compliance costs money, consumes time and resources and puts limits – for good reason – on the risks businesses can take.
Earlier this month, APRA and many other regulators received a letter from the Australian Treasurer asking us to identify specific, measurable actions to reduce these compliance costs. Importantly, he’s asked us to do so without compromising standards. While we are still drafting our response, this morning I’d like to outline how we are thinking about striking this balance, with a particular focus on banking. As part of the Council of Financial Regulators’ review of small and medium banks, APRA has identified a range of areas where we believe we can adjust some regulatory requirements and provide more scope for sensible risk-taking. But given the level of volatility and uncertainty in the operating environment, there are other areas where we believe increased vigilance is critical; in particular cyber risk, operational risk and geopolitical risk.
A resilient financial system
Having begun this speech with a focus on uncertainty, let me pivot to something APRA is very certain about, and that’s the resilience of the Australian banking system. That view was reinforced by the results of APRA’s most recent annual authorised deposit-taking institution stress test.
For the 2024 stress test, the hypothetical scenario we presented featured a deep and prolonged global economic downturn triggered by a significant shock in the Asia-Pacific region. The downturn was transmitted to Australia through sharp falls in trade and commodity prices, leading to gross domestic product falling by 4 per cent, unemployment rising to 10 per cent and house prices falling by 40 per cent over three years. Australian bank funding costs blew out to levels seen by US banks during the Global Financial Crisis. Reflecting the evolution in third-party risk, each bank was required to select a service provider that falls victim to a cyber-attack, causing a critical system failure.
The results of the stress test found that banks, even before mitigating actions, had sufficient capital to withstand the impacts of the severe downturn and continue to lend to support an economic recovery. The industry aggregate common equity tier 1 capital ratio declined sharply to a minimum of 9.3 per cent and into regulatory capital buffers. That was driven by falling net interest income, significant market and operational risk losses, and sharply rising credit losses as economic conditions deteriorated. Banks ceased dividend payments as the stress emerged, which were gradually restored as profits returned.
Banks’ liquidity resilience was a key focus area for this stress test. The systemic stress triggered a rapid closure of banks’ access to global funding markets, intense competition for deposits, a three-notch credit rating downgrade and early redemptions of banks’ existing negotiable certificates of deposit, a key funding source. The results of the stress test indicate that banks, before mitigating actions, were able to continue to meet their liquidity obligations as they fell due during the severe downturn.
Scaling back
These results should give the community confidence that our banking system, armed with “unquestionably strong” levels of capital, has the capacity to withstand a significant, sudden deterioration in economic conditions. And if all banks were required to do was keep deposits safe, that might be enough.
Banks obviously play a much broader and more important role in society. They lend money to enable households to buy cars and homes, and for businesses to fund investments that generate jobs and economic growth. They facilitate access to funds, through digital channels, branches and ATMs, that allow goods and services to be bought and sold.
Many in the community question whether an industry dominated by only four major banks provides sufficient competition to optimise standards of service, keep branches open and put downward pressure on interest rates and fees.
These concerns lie behind the Council of Financial Regulators (CFR) and the Australian Competition and Consumer Commission (ACCC) examining the level of competition provided by small and medium banks. As part of that review, we looked at how regulation and other barriers impact the ability of small and medium banks to compete.
Earlier this month, we handed our report to the Treasurer. While the Treasurer will release the findings of the report in due course, I can confirm that APRA identified a number of areas where we believe we can make our framework simpler and more proportional without creating unacceptable risks – and I would like to outline those today.
Our first commitment is to formalise a three-tiered approach to proportionality in the framework for banking. At the moment, we essentially have two tiers: significant financial institutions (SFIs) and non-significant financial institutions with SFIs subject to stricter requirements and more intense supervision. APRA will soon move towards having three tiers in banking, roughly corresponding to large banks (the majors), medium banks (other banks that are SFIs) and small banks (non-SFIs). This change will allow us to introduce more nuance into our policy and supervision approach to banks, with greater differentiation between requirements for different bank business models.
Commitment two is to streamline, simplify and clarify our accreditation process that allows banks to use the internal-ratings based approach to calculating risk-weighted assets. Getting approval to use this approach requires significant investments of time and money by banks, but the benefit can be a slight reduction in capital requirements. While APRA has long argued that this benefit is not as large as some critics maintain, we want to make our processes simpler and more transparent for banks to navigate.
Our third commitment is to better communicate to banks our decisions on minimum capital requirements under Pillar 2 of the Basel framework. Feedback to the CFR Review indicated that a lack of understanding by banks around the reasons for Pillar 2 adjustments can make it difficult for them to address APRA’s concerns. As a result, we have committed to more clearly explaining the basis for these decisions and what risks need to be addressed for certain capital adjustments to be removed or lowered.
The final action APRA committed to is to amend our bank licensing framework, with the aim of making our expectations more transparent and the process more efficient. While we can’t control the flow of new applicants, we can make our processes as efficient as possible to give high-quality new entrants the best possible chance of success.
Cumulatively, we believe these measures strike a sensible balance between lowering the regulatory burden for banks while ensuring banks of all sizes have the financial and operational resilience to protect their depositors. There are many other actions we were urged through submissions to take that we have not agreed to. In essence, that’s because we believed these measures – for example, lowering minimum capital requirements – would undermine safety and stability and therefore create unacceptable risks.
Weighing up the costs
Finding this sweet spot between adequately protecting the community and not unduly burdening industry requires us to make constant trade-offs between risk and reward.
As the prudential regulator, our primary consideration must be financial safety and stability, which lies at the core of our mandate from parliament. Our commitment to getting the balance right therefore can’t be about reducing the resilience of the system or holding back when risks are building. But we do need to be mindful about the impact of our work on competition and efficiency and resist the urge to introduce requirements that are “nice to have” but not essential for financial stability.
This mindset has contributed to a range of actions APRA has taken over recent years to simplify and streamline regulatory requirements and increase the proportionality of our framework. These include our program to modernise the prudential framework, and ongoing work to remove or pare back duplicative or lower value data reporting requirements. Our upcoming Corporate Plan will outline further initiatives aimed at reducing regulatory burden in areas where it’s safe to do so.
Perhaps the most scrutinised area where we try to strike the right balance is with our macroprudential policy tools, especially in relation to home loans.
As a society, we want aspiring homeowners to be able to access the credit they need on fair terms. And while recent data shows first home buyers remain well-represented in new lending, the relentless rise of property prices over recent decades has made it difficult for many borrowers – especially young adults – to buy a house.
But we also recognise that it’s not in anyone’s interest for borrowers to be unable to meet their repayments. That’s bad for them, bad for their lender and potentially very bad for everyone. The Australian banking system has more exposure to residential mortgages on variable interest rates than any other comparable economy. Residential mortgages make up two-thirds of all bank loans in Australia, compared to 30 per cent in Europe and only 10 per cent in the United States. Australians also have one of the highest levels of household debt relative to income in the world. As a result, we are uniquely exposed to a shock impacting households’ ability to repay their home loans.
Using the macroprudential policy tools available to us, including the serviceability buffer, we try to strike a balance to ensure this risk is being adequately managed through sound lending standards, but that credit continues flowing to support the economy. Yesterday we announced that we are keeping our macroprudential settings on hold, after considering factors including household debt levels, credit growth, labour market conditions, as well as instability in the geopolitical environment. Lower interest rates have helped to ease cost-of-living pressures on borrowers and increased borrowing capacity for new borrowers, and we have seen credit continuing to flow to different borrower segments, including to first-home buyers. Lending standards are currently sound, but looking ahead, one concern is that in the event of lower interest rates we could begin to see a rise in riskier forms of residential lending, which is historically what often occurs when the financial risk cycle picks up. It’s important to be forward-looking and prepared for potential risks at future points in the financial cycle. With that in mind, we will soon begin discussions with entities around implementation aspects of our various macroprudential tools to manage lending risks, including limits on some riskier forms of lending. We want to ensure such tools can be activated in a timely manner if needed.
Another area where we have weighed up competing objectives relates to the eight proposals we announced in March as part of our governance review. We’ve tried to strike a balance between prescription and flexibility; between larger and smaller entities; and between setting minimum requirements and leaving boards the autonomy to make their own decisions.
Since releasing that discussion paper, we’ve spent a great deal of time listening to industry views on whether we have got that balance right. During the three-month consultation period, APRA received nearly 80 submissions – which is a lot for us. We’ve also held more than 50 meetings and roundtables involving more than 150 stakeholder organisations. So, we’ve done a lot of listening and a lot of reading!
We have been pleased with the broad, constructive and iterative engagement on the review to date. We have heard broad support for the package overall, which is generally consistent with global best practice. While there has been enthusiasm for proposals such as enhancing clarity around board roles, we’ve also heard caution around the potential impacts of other proposals, including independence within corporate groups and the proposed 10-year tenure limit.
My message to you today is to confirm that this is a genuine consultation. While we are not prepared to keep the status quo, we recognise that there is enormous variation in size, complexity and business models among our regulated flock, and we are mindful of not being unduly prescriptive. We want outcomes but we don’t want to prevent entities from achieving these outcomes in different ways. With that in mind, we continue to reflect on the feedback we’ve received and are looking to provide an interim update on the consultation in the next few months.
Scaling up
Sticking to the theme of listening to feedback, APRA last month published our biennial stakeholder survey. Among the questions we asked was which business risks most concerned banks, insurers and super trustees. The number one concern was cyber risk. Number two was geopolitical risk. Third was operational risk, which relates to managing general business risks such as network outages or technology failures.
In fact, it could be said that there is a “perfect storm” of factors converging to amplify those three risks:
- the growing operational dependence of the financial system on digital technologies;
- increased interconnectivity and reliance on third parties to provide critical operations; and
- shifts in the geopolitical environment that increase risks to the financial system.
This brings me to my final point. There are areas of the prudential framework where APRA can increase proportionality or ease requirements in a way that doesn’t pose unacceptable risks to financial safety. And there are areas where the risks are growing and regulated entities need to do more.
In all three of these areas – cyber risk, operational risk and geopolitical risk – APRA continues to observe vulnerabilities that boards and management teams must get ahead of.
On cyber risk, one of the most pressing issues is weaknesses in authentication controls, an issue that was highlighted by the credential stuffing attacks on several superannuation funds that emerged in April. This issue prompted a heightened focus by APRA on how trustees are managing cyber security, however banks can’t afford to be complacent or assume they don’t have similar vulnerabilities. APRA’s prudential standard on information security, CPS 234, requires entities to have controls commensurate with the threat environment, and this is something all entities must continue to review as the cyber threat environment worsens.
On operational risk more broadly, the increasing reliance on third party service providers continues to be a growing vulnerability that entities must manage. Events such as the Crowdstrike outage last year and the more recent targeting of Qantas customer data through a third-party servicing platform show how third-party weaknesses can lead to significant operational risks. APRA’s new prudential standard on operational risk management, CPS 230, emphasises the need for entities to have an end-to-end understanding of their reliance on material third party service providers, set appropriate tolerances for those services and be proactive in scenario planning for potential operational risk events.
Amplifying both cyber risk and operational risk is the current elevated geopolitical turmoil. APRA and our CFR colleagues have been working on a geopolitical work program for a while now, supporting member agencies and industry to strengthen the resilience of the financial system. Heightened international tensions could lead to risk transmission through traditional financial and operational risk channels, as well as through non-traditional channels such as personnel risks related to foreign interference and preparedness to rapidly implement sanctions of the kind we saw after Russia’s invasion of Ukraine.
Back in 2019, APRA warned that a significant cyber incident impacting banks, insurers or super funds was a matter of “when”, not “if”. With the recent hacking of multiple major superannuation funds, that has indeed come to pass. To date the impact on customers has been relatively limited at an entity and system-level but, amid the “perfect storm” of factors I referred to earlier, entities must continue to be vigilant.
With so much at stake, our tolerance for gaps or weaknesses in how these risks are being managed has never been lower. With CPS 230 now in effect, we will be carrying out a series of prudential reviews into how entities are complying with the new standard, starting with significant financial institutions before extending reviews to non-SFIs. On cyber, we see a need for continued focus on baseline resilience across all APRA-regulated industries and will be conducting further reviews to understand how entities are meeting the requirements of CPS 234.
Seeking balance
It’s sometimes said that the greatest risk in life is not taking any, and for the economy to grow and living standards to rise, we need people to take financial risks: to buy a house, to open a new factory, to hire more workers. Australia’s banking system is integral to the ability of households and businesses to finance those risks, and in any competitive industry, not all risks will pay off.
But a restaurant or tech start-up that fails doesn’t have the same potential consequences as the failure of a bank, given the threat to depositors’ savings and community confidence in the financial system. The privileged place in our economy that banks hold therefore comes with heightened responsibilities, frequently codified in regulation. Not to stop banks taking risks, but to ensure those risks are properly understood and well managed.
As prudential regulator of the banking sector, APRA likewise has a privileged position that brings significant responsibility. It’s a responsibility we wear with the gravity it deserves as we try to balance the need for a safe and stable financial system, with the need for a competitive banking sector and a dynamic and innovative economy.
The measures I have outlined today strike the right balance between protecting the community while easing the regulatory burden on banks, including small and medium banks that bring important competitive pressure. APRA will continue to look for more ways to enhance proportionality and cut red tape where it’s safe to do so across all the industries we supervise. But in a deeply uncertain world, we will also lean into areas of escalating risk so Australians can be confident our financial system remains protected today and prepared for the challenges of tomorrow.
