APRA's licensing process - frequently asked questions

It is likely that you will need to be licenced by ASIC. You may also need to seek authorisation or to register with other regulators, such as the RBA and AUSTRAC. You should allow time for their assessment processes.

Once you have lodged your application with APRA you should advise APRA in writing of the specific company name that you want to register and request APRA’s consent if the name includes an APRA regulated restricted term. APRA regulated restricted terms include the words ‘bank’, ‘banker’, ‘banking’, ‘building society’, ‘credit union’, ‘credit society’ and ‘friendly society’. If you want to register a company name that uses the restricted words in section 66 of the Banking Act 1959 (such as the words ‘bank’, ‘banker’ and ‘banking’), please also refer to the APRA’s Restricted Words under the Banking Act 1959 Guidelines:

If consent is granted by APRA, it will usually be subject to conditions, such as not using the company name publicly prior to licensing. It is an offence for a person to use a restricted word or expression under section 66 in relation to a financial business, except where APRA has granted a consent or exemption, or where a statutory exception applies.

If you want to register a company name that uses the restricted term ‘friendly society’ you will need to apply for consent from APRA under section 16E of the Life Insurance Act 1995.  It is an offence for a person to use the restricted expression 'friendly society' in relation to a financial business, except where APRA has granted a consent or determined that section 16E does not apply to that person. 

APRA expects each policy, procedure or other document is submitted as a separate file, with a clear index which includes a numbering system and document title to facilitate navigation of the documents. 

APRA prefers that you submit documents in one to three batches. APRA expects the first batch to at least include details of your business plan, financials, governance and all of the documents for the major risk area(s) of your business, e.g. credit risk for an ADI or insurance risk for an insurer. Submitting all documents relevant to a particular risk category together will enable a more efficient review. 

If submitting in batches, APRA expects the first batch to also include an index of all the documents to be submitted, what each document covers and which batch each document will be included in. Documents need to be consistent and coherent with documents submitted in prior batches.

No, the checklist is a guide. It is possible that one Board approved document will cover multiple areas as relevant to your business.  However, your application should make it clear what each document is covering. 

As part of the pre-application phase, APRA will review a business plan which may be a draft in order to provide high level feedback that will assist in the finalisation of the application.  During the assessment phase documents should be the Board-approved final versions.

Your entity will need to have a range of skills and experience to successfully manage a regulated entity, appropriate to your size, business model and business plan. This will include staff with the appropriate level of skill and experience working in the relevant industry sector. Having experience from multiple organisations of different sizes is also useful, including from organisations of a similar size to your proposed business. APRA takes into consideration the level of relevant skills and depth of experience of the entity and in particular that of the proposed Responsible/Accountable People in assessing the licence application.

Yes you can; however, APRA expects that the policies are tailored for your organisation and that they will be implemented and used. The Board also needs to be able to understand and articulate   why particular approaches and policies have been chosen. Management need to be able to explain how the policies would operate in practice.

It is important that your policies and procedures work in practice. As such the policy and procedures designed for a large and complex organisation will differ from those for a small start-up entity. Your entity should create documents suitable for use by your business.

An appendix is used for supplementary material that is not a core component of your document. Content that is required to meet a Prudential Standard is unlikely to fit in this category.

The Superannuation Industry (Supervision) Act 1993 provides APRA must decide an application for a Registered Superannuation Entity (RSE) licence within 90 days after receiving it. APRA may extend the period for up to 30 days under subsection 29CC(2).

Under the Private Health Insurance (Prudential Supervision) Act 2015, unless APRA provides written notice of its decision on the application, APRA is taken to have refused an application for registration as a private health insurer (PHI) within 90 days after the application was made, or 90 days after the day the applicant gives APRA further information as required by APRA.

There is no legislated time frame for licence applications under the Banking Act 1959, Insurance Act 1973 or the Life Insurance Act 1995.

To ensure that RSE and PHI applicants receive the same level of guidance as other industries there will likely be multiple rounds of feedback as part of the pre-licensing assessment process ahead of submitting a formal application.

What is a RAS?

The RAS is a document that provides boundaries within which both management and staff know it is acceptable to operate. It provides ground rules which should be very clear for management in terms of what they are, and are not, allowed to do in pursuit of the institution’s business strategy and objectives. Without such boundaries and ground rules, management (and ultimately all staff) may be unaware that they are operating outside of the risk appetite of the Board. 

How should the RAS be structured?

APRA does not prescribe the structure or form of your RAS and you are generally free to adopt a risk appetite that suits the particular circumstances of your business, within the requirements of the Prudential Standards.

A RAS should be a concise document and should not include all management reporting. It is unlikely that a RAS would need to have an appendix as it would not be expected that there would be ancillary information in a RAS.

What content should be covered in the RAS?

The RAS should cover both high-level qualitative statements and, where appropriate, quantitative measures, which combined clearly capture your attitude towards, and level of acceptance of, its different risks. The RAS should consider the material risks to your company as well as to your reputation with policyholders/depositors, investors and customers. The RAS should also closely align with your strategic direction. 

Qualitative statements should set the overall tone for your approach to risk taking and should also clearly articulate the Board’s motivation for taking on or avoiding certain types of risks or exposures. In this way, qualitative statements advise stakeholders of your attitude toward risk taking by placing high-level boundaries around the types of activities you are prepared to undertake.

How do we demonstrate that the RAS has/will be applied?

Your business strategy and policies should operate in line with your RAS. Once the Board has approved your RAS, you should be able to evidence decisions being made in line with it.

Additionally, as the RAS needs to be used by a number of stakeholders consistently across all of your business operations it must be easy to communicate and written in plain English. A RAS which is not easily understood will be difficult to embed throughout your organisation, as staff will not know how they are expected to behave and what they are permitted to do in order to operate within the risk appetite. 

Footnote

¹Information contained in this section is a summary of all information available from APRA including Information Papers, letters to industry and speeches. The questions and answers are designed to clarify CPS 220 Risk Management but do not form part of the law or create enforceable requirements. If there is a conflict between the guidance contained in this FAQ and CPS 220 Risk Management, then the requirements of CPS 220 Risk Management prevail.

APRA requires the applicant to provide written verification from its appointed external auditor that it meets the minimum regulatory capital level required prior to licensing. This must include meeting the applicable minimum level of capital and capital ratios. The written verification should set out the steps taken by the external auditor in making the verification, including the calculation of minimum capital requirements where applicable. For life insurers, the verification should address the solvency of each statutory fund, as well as the minimum capital requirements and capital ratios for each of its statutory funds and the life company as a whole.

RSE applicants are required to attach an audited copy of the applicant’s statement of financial position for the last two years to their applications, but do not need a separate verification of solvency.

FAR has applied to the banking industry since 15 March 2024 (replacing the earlier Banking Executive Accountability Regime) and to the insurance and superannuation industries since 15 March 2025. 

FAR sets out accountability, key personnel, deferred remuneration and notification obligations for all APRA-regulated entities. It also requires accountable entities to take reasonable steps to ensure their significant related entities comply with FAR obligations. 

Applicants are expected to embed elements of the FAR into their internal accountability framework from the outset. You can find more information about the FAR here.

APRA Connect is used for the FAR data collection—for example, registrations, notifications and if relevant, lodgements of accountability maps and statements. FAR entity profile information is to be submitted in APRA Connect before an entity can apply to register an individual as an accountable person.

The level of detail and need for difference from the underlying ADI or insurer will depend on whether there are other entities under the NOHC and the type of operations in those entities. It is possible that one set of policies can cover both the NOHC and ADI/insurer, with differences for the NOHC and ADI/insurer detailed in the document.  You should discuss the requirements that will suit your circumstances with APRA.