It’s hard to make a billion-dollar slap on the wrist seem subtle. But that’s exactly the kind of quiet discipline APRA is known for.
In early April, the Australian Prudential Regulation Authority (APRA) imposed a $1 billion capital charge on ANZ. For any major bank, that’s a hefty hit. But APRA delivered it with its usual blend of stern reserve and regulatory precision: no flashy headlines, no stunts, just the methodical work of a regulator doing what regulators are meant to do.
APRA’s reasoning? ANZ, it found, had deficiencies in how it manages risk – specifically, non-financial risks such as compliance, operational controls, and internal governance. ANZ will now undergo an independent review, under APRA’s watchful eye, to fix its risk management framework.
The story, reported by The Age, was soon echoed across major outlets. According to The Australian Financial Review, APRA found ANZ’s risk culture lacked the maturity and consistency expected of a systemically important bank. ANZ acknowledged the findings and has said it is committed to addressing the issues raised by the regulator.
A pattern of intervention
The regulator has made similar moves before.
In 2019 it imposed a $1 billion capital overlay on Westpac, in response to serious lapses in anti-money laundering controls and other risk governance concerns. Commonwealth Bank received a $1 billion capital add-on in 2018 after a damning prudential inquiry into its governance and risk culture. Macquarie Bank, too, was required to hold an additional $500 million in operational risk capital from 2021, owing to deficiencies in its management of risk and compliance obligations.
Each of these actions signalled a widening aperture through which APRA is scrutinising Australia’s banking giants.
But what makes the ANZ case particularly notable is that the penalty isn’t tied to a high-profile scandal. There are no headlines about money laundering, no shocking misconduct revelations. Instead, this is APRA doing its job proactively – an assertion of quiet but firm oversight meant to deter future weaknesses, not merely punish past wrongdoing.
For regulators, it’s a case study in evolving oversight. As APRA itself noted in its 2024-25 Corporate Plan, the financial services environment is growing increasingly volatile, with emerging risks spanning cyber threats, climate change, and demographic shifts. It is no longer enough for regulators to focus solely on capital adequacy and compliance checklists. Today’s supervision must reach into the culture, resilience, and adaptability of the organisations they oversee.
That perspective has informed APRA’s more assertive posture since the 2018 Banking Royal Commission. The commission’s findings painted a damning picture of misconduct, enabled in part by weak governance and insufficient regulatory intervention. Since then, APRA has adopted a more forward-leaning stance – sometimes criticised as too conservative, but often credited with insulating Australia from the worst of global banking turmoil.
A maturing model of supervision
The Financial Regulator Assessment Authority (FRAA), in its July 2023 review, broadly endorsed APRA’s effectiveness but recommended that it further enhance its resolution planning and sector-specific risk monitoring. The regulator has since made visible efforts to step up its scrutiny, especially around governance and culture.
This latest ANZ action fits squarely within that trajectory. It sends a message not only to banks but also to regulators in other sectors: proactive, preventative enforcement is not only possible but necessary. And it underscores APRA’s growing emphasis on non-financial risks – the kinds of vulnerabilities that rarely make headlines until it’s too late.
Comparing regulatory approaches abroad
Across the Tasman, the Reserve Bank of New Zealand (RBNZ) has pursued similar goals with a slightly different flavour. RBNZ supervises banks and insurers, but its approach has historically focused more on macroprudential tools like loan-to-value ratios and capital buffers. Still, it shares APRA’s increasing interest in governance and risk culture.
In the UK, the Prudential Regulation Authority (PRA) under the Bank of England has long embraced a forward-looking, judgement-based approach. Following its own post-crisis reforms, it has also emphasised firm-wide stress testing and culture reviews. Meanwhile, across the European Union, the European Central Bank (ECB) and the European Banking Authority (EBA) have pushed hard on risk governance in their supervisory priorities.
Globally, outliers like the United States often lean toward enforcement action and litigation after things go wrong. Australia’s model, in contrast, has been to require stronger buffers, even in the absence of scandal. It’s a different regulatory philosophy – one that assumes financial harm can be prevented with enough foresight and discipline.
Why culture is worth regulating
Why regulate risk culture at all? Because as the Royal Commission made plain, poor culture can produce catastrophic outcomes even in well-capitalised institutions. Weak governance enables misconduct. Lax oversight fosters compliance failures. And when banks stumble, it is not executives who pay the price, but consumers and the broader economy.
So while ANZ’s $1 billion penalty may appear uneventful compared to previous crises, its significance is profound. It is a symbol of a maturing regulatory approach – one that doesn’t wait for disaster to intervene.
What happens next
Looking ahead, ANZ will conduct its independent review over the coming months, with APRA closely monitoring its progress. This may not be the end of regulatory scrutiny for the bank, especially if the review uncovers deeper issues. For APRA, the case reinforces its role as a guardian not just of financial solvency, but of trust and resilience in the system.
And for regulators more broadly, it’s a reminder: culture is not soft. It is a critical asset. And when left unchecked, it becomes a liability worth a billion dollars.
