As part of the three-year plan for the implementation of prudential policies following the completion of the transition from PHIAC to APRA, APRA announced in February 2018 a package of proposed measures designed to improve resilience and governance in the private health insurance sector.

It is important for Private Health Insurers to be resilient, agile and have appropriate structures in place to navigate the changing environment and make informed decisions.

Based on our reading of the consultation package and discussions with our clients and APRA over the past few weeks, and looking at the broader regulatory picture, it’s obvious that governance and accountability are gaining more and more focus – not just in the Private Health Insurance space but across all sectors. APRA has clearly indicated its focus on ensuring a level playing field with consistent principles and standards for all regulated sectors including ADIs, general insurers, life insurers and superannuation funds.

The key messaging to be taken away from this is the link between governance, risk and culture and ensuring sound business practices that are fit for purpose. APRA is very clear in their view that the governance principles of any private health insurer must allow the community to have a high degree of trust and confidence that the organisations they choose to do business with are well governed and prudently managed. Moving forward, a key focus will be the ability to demonstrate resilience to emerging risks.


Governance, risk and culture

With the implementation of CPS220 in April, risk culture is continuing to be an area of focus. APRA will be looking closely at how Boards and management teams embrace risk culture and commit to, implement, direct and engage with the organisation. Open communication and transparency is an area of priority for management teams and is important for culture to be driven from the top down, defined and measured.

It is important for organisations to consider if their risk framework is fit for what they do, and understand how it is defined. Organisations should not fall back into just ticking a box, but rather look at how they can provide proper insights into risk for the broader organisation and how their risk framework can be embedded, so they can ensure individuals in the organisation are working within it. 

From a compliance perspective, management should look at how they can make risk conversations more inclusive – bringing in people from other teams such as marketing to gain different perspectives. In order to drive change, risk culture should be managed by everyone in the organisation.  It’s not so much about the terminology but how it’s built into conversations and everyday culture as well as carried forward through onboarding policies, and continues to evolve with the organisation.

APRA’s Aid for Directors (2014) is a useful source of reference for APRA’s expectations of Boards and Senior Management. 


Refer to our GTI Corporate Governance Report for what Boards can do to embed a sound Risk Culture in their organisation. 

Specific requirements under the proposed CPS510 include:

  • Board to be composed of five directors minimum, with an independent chair.
  • Annual performance assessment of Board and of individual directors as a minimum.
  • Board renewal policy is required – need to demonstrate how your Board remains open to new ideas and fresh thinking.
  • A written Remuneration Policy is required – including a wide range of matters and covering a wide range of categories of persons, setting out remuneration objectives, the structure of remuneration, how performance-based components of remuneration are determined.
  • Performance-based remuneration must be designed to encourage behaviour that supports long-term financial soundness and the risk management framework of the institution, and must allow for adjustments downward, potentially to zero.
  • A Board Remuneration Committee is required (unless APRA grants an exemption) as well as a Board Audit Committee and a Board Risk Committee. At least three members of each committee is required, all of whom are non-executive with a majority of independent directors and an independent Committee Chair.
  • Written Committee Charters are required and must include various functions and powers as set out in CPS510.


  • Many Private Health Insurers have already started addressing their Committee structures by separating their Audit and Risk Committees. Many organisations find good governance involves additional Board Committees such as Member Committee, Governance Committee or Nominations Committee.
  • To provide the desire level of confidence and trust in the communities which PHI service (which is a strong theme coming out from APRA) we would recommend that PHIs look to implement a Board Remuneration Committee and organisations should pay particular attention to the extensive guidance contained in PPG511. 
  • While no maximum Board size nor Board tenure limit is prescribed, APRA’s HPG510 Prudential Practice Guide indicates 12 years is a desirable maximum tenure. APRA has expressed a view for other regulated institutions, that Board size should not exceed 12 persons.


Fit and Proper

APRA’s focus is to strengthen existing practices to reduce risk of failure by ensuring the responsible people have the technical competence and integrity to perform their role – i.e. are “Fit and Proper”.   

The formal written policy, which forms part of the Board Risk Management Framework (RMF), needs to be robust and address the situation where someone is deemed not to be Fit and Proper, and outline what steps would be taken to ensure they are not retained or appointed. This includes anyone who has the potential to impact significantly on the financial soundness and stability of the insurer, including the Board, C-Suite, senior management, the Actuary and the Auditor. The policy must also consider the importance of the ability to provide a safe mechanism for Whistleblowing.

The institution must assess whether a responsible person possesses the competence, character, diligence, honesty, integrity and judgement to properly perform the duties of the responsible person position, and is either free from conflicts of interest or conflicts can be managed.


Fit and Proper assessments are made in practice by the Board and include evidence of qualifications, check of disqualified persons registers, bankruptcy/credit checks and civil/criminal proceedings, and disciplinary actions by professional bodies. For persons with overseas work history and qualifications, overseas checks are normally considered desirable. The design of processes and checklists for assessments is one aspect of the application of CPS520 but importantly it’s the processes in place to ensure Fit and Proper status is monitored and assessed and actioned on an ongoing basis to ensure Private Health Insurers maintain the trust of the communities they serve.


Auditor independence and rotation

Appointed auditors will have to satisfy additional fitness and propriety requirements including five years’ experience in the audit of Private Health Insurers, and independence requirements requiring audit partner rotation after five successive years’ involvement in the audit of a particular Private Health Insurer.


This raises a potential issue on application of the standards, in that, an audit partner with, for example six years involvement in the audit of a Private Health Insurer for 30 June 2019 would not be able to continue in that role for the 2020 financial year. In our conversations, APRA has alluded to the need for a 12 month transition plan with applications for alternative arrangements to be considered once the standards are finalized.

Notwithstanding these comments, it is clear APRA is looking for a collaborative approach for how best to implement these additional requirements and we are working with APRA to assist with ensuring a practical solution to minimise disruption to the industry, whilst enforcing the need to reduce the familiarity threat that may arise as a result of the tenure of some auditors.


Our specialist Private Health Insurance team of Partners satisfies the fitness and propriety requirements and provide a depth of talent for effective succession planning if required  Our specialist team will draw on our extensive experience from working with other APRA regulated entities (such as those in banking  and superannuation) to manage any future rotation requirements seamlessly.


Audit Scope

The key change that has come about as a result of the introduction of HPS310 is the additional reporting requirement on Private Health Insurance systems, procedures and internal controls to ensure Private Health Insurers have complied with all applicable prudential requirements, provided reliable data to APRA and the controls have operated effectively throughout the period of review.

The role of external auditors will also be changing along with these policies and the changes will be an extension of current reporting requirements – auditors will have more engagement throughout the organisation and across the C-Suite. This expands the focus from the more traditional audit of financial data to a much broader review of the governance, risk and compliance aspects of the organisations.


APRA is elevating the role of auditors to ensure a more robust assessment of the prudential soundness of Private Health Insurers. The audit scope will expand to include a review of internal controls in place to comply with the Prudential Standards. We recommend that insurers consider undergoing internal control review health checks to help prepare the wider organisation and identify any potential issues or weakness in the controls in order to ensure alignment with the prudential standards and associated guidance.


Next steps

Moving forward, a key focus will be the ability to demonstrate resilience to emerging risks. It would be prudent for insurers to watch closely what is happening in the banking space and other APRA regulated sectors.

We would encourage insurers to submit information to APRA as part of the consultation package to ensure their voice is heard by 2 May 2018.


We expect the proposed reforms to largely be adopted in their present form. The new standards will be effective 1 July 2019 and while we expect APRA to take a facilitated approach for the first 12 months, we recommend Private Health Insurers are in a position to fully comply. We suggest that organisations continue to assess the impact on their organisation and develop an action plan to address any issues as they emerge prior to that period and make necessary changes to ensure they’re complying with the standards. Our Private Health Insurance team can assist you with this.


For further information on APRA’s Prudential Policies and the Private Health Insurance sector, please contact:

list item with text on the right

Alison Sheridan

Partner & Private Health Insurance Leader
Contact Alison

list item with text on the right

Andrew Rigele

Partner & Head of Audit & Assurance, Sydney
Contact Andrew

list item with text on the right

Matt Adam-Smith

National Managing Partner - Audit & Assurance
Contact Matt

list item with text on the right

Madeleine Mattera

Partner & National Head of Financial Services
Contact Madeleine