commentary
Eric Johnston

How APRA repeatedly missed the bank scandal of the decade

Chairman of APRA Wayne Byres delivers his speech at Finsia on Wednesday. Picture: John Feder

In a bull market everyone who buys rising shares looks like a genius. So too, one of the nation’s most powerful regulators has overseen the banking system through a decade of near-perfect conditions, and declared it too has done a good job.

But for the real banking scandals – the ones where culture was found to be on the nose, which had threatened to cascade into a financial stability problem – the Australian Prudential Regulation Authority always turned up late and after the damage was done.

It’s the regulatory equivalent of the fire crew always arriving once the building has burnt down.

APRA’s history over the past decade has been as a defensive regulator which is repeatedly responding to its operating environment. With little capacity for anticipation, it has often been forced into a reaction.

Rarely does it attack or anticipate when a pattern of interruption is needed on the entities it oversees. As a regulator, it has felt little urgency as banks continued to report bumper profits and low lending losses while super returns were always climbing.

Regulatory miss

But the catalyst for some of the biggest structural changes across not just one but the two biggest banks in the past decade came not from APRA but from a regulator that didn’t wait to be asked.

The legal actions against Commonwealth Bank – in 2017 – and Westpac – 2019 – by Canberra’s financial crimes agency Austrac rocked both institutions to the core and forced widespread cultural change.

The money laundering misses were symptoms of bigger problems inside the banks. Both cases generated the biggest corporate fines issued in Australia.

Like the late fire truck, APRA certainly followed Austrac with a damning assessment of CBA’s cultural missteps. But the main protagonists had left the bank and a rebuild was well underway. APRA also arrived with its own post-Austrac probe into Westpac which ultimately amounted to nothing.

Austrac’s legal action forced significant cultural change inside CBA. Picture: NCA NewsWire/Sarah Marshall

Even by its own admission APRA never challenged CBA over paying executive bonuses even as cultural issues were arising in wealth management because it didn’t have sufficient expertise around the powers it had on remuneration.

Today it has one of the most powerful regulatory instruments in its toolkit – the banking executive accountability regime. This has never been used.

The focus on banks being safe and unquestionably strong was a recommendation that came out of the independent Murray review of the financial system. Then it was APRA’s job to follow this through by asking lenders to bolster their balance sheets in expectation of tougher times.

So too, international rules coming out of the financial crisis forced banks to bulk up. In a speech to the Financial Services Institute of Australasia on Wednesday, outgoing APRA boss Wayne Byres declared Australia had one of the best financial regulatory systems in the world. He also said we often focus too much on the 5 per cent that could be improved rather than the 95 per cent we get right.

While the context was around superannuation, the regulator should know there is zero room for error. A path of continuous improvement should be its dominant belief.

Each of the big four lenders has a lending book of more than $425bn. The five biggest super funds collectively have half a trillion dollars under management. Even a small margin of error represents a financial hole in the tens of billions.

During the 2018 royal commission, a number of red flags were raised that APRA didn’t regard cultural issues as something it was concerned with.

‘Careless mistakes’

At the time Byres dismissed the idea that banks and others that charged customers fees for no service were all just a series of careless mistakes capable of being swept aside as “processing errors”, the Hayne final report found.

The same narrative was also advanced by NAB boss Andrew Thorburn and it was these points that cost him his job.

Under APRA’s watch AMP failed to protect members’ interests – this is one of the regulator’s core functions. There APRA failed to look between the lines of the governance frameworks to what was really going on. Likewise, it was following evidence given in the royal commission that APRA took legal action against IOOF’s former CEO Chris Kelaher.

The regulator was unsuccessful in its Federal Court case.

Culture in banks and other big financial institutions counts.

Misconduct always comes back to effective management, good governance and appropriate culture. As the royal commission called out, regulators have an important role to play in supervision of these matters. “Supervision must extend beyond financial risk to non-financial risk and that requires attention to culture, governance and remuneration,” the Hayne report said.

A market downturn will test banks and super funds.

Byres on Wednesday said APRA is set up to primarily work behind the scenes – identifying and addressing issues before they become problems. He also argues there are limits to what can be achieved and consumers should also take some responsibility for bad culture in banks.

“Consumers of financial services still need to take a degree of responsibility for their decisions. Indeed, there are benefits to stability, competition and efficiency when they do,” said Byres who retires at the end of this month after eight years as chairman.

Make no mistake, Australia is heading into an environment where banks and other financial organisations will be sorely tested.

Byres said the banking system is in good shape to weather the downturn thanks in part to the build-up of prudential strength. “Careful stewardship will see the system resilient through the next few (years) as well,” he said.

The era of ultra-low interest rates is over and lending stress is set to rise. Super funds will feel losses from asset writedowns and should be keeping cash holdings high. In short, the equivalent of a financial sector bear market has arrived and the community should be asking whether its regulator is ready for it.

Held to ransom

In a twist to Medibank’s statement earlier this week that it was closer to the exit ramp over its cyber attack, the health insurer has since received messages from an unnamed group seeking payment – ransom – regarding the alleged removal of customer data.

It comes after the insurer’s boss David Koczkar said a forensic review turned up no evidence that customer data had been taken. But like the initial attack, Medibank is taking the latest threat seriously and has placed its shares in a trading halt as it works through the demands. The stakes are always much higher at a health insurer given the level of personal medical data held on customers.

Koczkar has again apologised to customers and said the insurer was working around the clock on investigating the attack. “We will continue to take decisive action to protect Medibank customers, our people and other stakeholders.”

Medibank has received a ransom demand following a cyber attack. Picture: NCA NewsWire / Paul Jeffers

Medibank’s disclosure marks one of the first times a listed company has come clean in saying it has received a demand for payment. And this moves us closer to the point where a company will one day disclose if it has had to pay for the return of customer data.

Medibank took its systems offline entirely when it initially detected “unusual activity” on one of its IT systems last week. It had seen that activity as a precursor to a ransomware event. Medibank pulled apart and rebuilt the IT system which was used to support its AHM brand and international student insurance business.

Optus hit the headlines following its massive cyber attack and its parent company Singapore-listed SingTel has been hit again in Australia. SingTel-owned tech services company The Dialog Group last week revealed 20 clients and 1000 employees had potentially had their data compromised.

Some of this data has been published online. From the point when the unauthorised access was detected at the Dialog Group to the data making its way to the dark web, it took SingTel nearly a full month to disclose the issue.

Original URL: https://www.theaustralian.com.au/business/financial-services/how-apra-repeatedly-missed-the-bank-scandal-of-the-decade/news-story/23803939525ab0b7b91df724ada202f5