rulesmate.com.au — Compliance reference
https://rulesmate.com.au/insights/apra-aps-220-credit-risk-management
Printed 13 June 2026
APRA APS 220 Credit Risk Management: what ADIs must have in place
APS 220 is APRA's prudential standard requiring ADIs to maintain a sound credit risk management framework. What it covers, who it applies to and what to have in place.
What APS 220 is
APS 220 Credit Risk Management is the prudential standard made by the Australian Prudential Regulation Authority (APRA) that sets out how authorised deposit-taking institutions (ADIs) must identify, measure, monitor and control credit risk. In short: if you lend, APS 220 requires you to run a documented credit risk management framework that is appropriate to your size, business mix and complexity, with clear board oversight, sound credit assessment standards, and prudent classification and provisioning for problem exposures.
It is one of APRA's core banking prudential standards. The standard is principles-based, so a major bank and a small mutual ADI are both subject to it, but the depth of framework expected scales with the institution. APRA supports the standard with non-binding guidance in Prudential Practice Guide APG 220, which explains APRA's expectations and sound practice.
This page explains the substance of the standard at an obligations level. It is not a substitute for reading the standard itself, which is the authoritative text.
Who APS 220 applies to
APS 220 applies to all ADIs other than purchased payment facility (PPF) providers. That captures banks, building societies, credit unions and other mutual ADIs, as well as foreign ADIs operating in Australia (with the standard applying to the Australian operations as set out in the standard).
Where an ADI is part of a group, APRA expects credit risk to be managed both at the individual ADI level and across the relevant group, consistent with the broader prudential framework. The obligation sits with the regulated entity; you cannot fully outsource accountability for it, even where parts of the credit process are performed by a service provider or parent.
If you are uncertain whether a particular entity or activity is in scope, confirm the application provisions in the standard with APRA rather than assuming a carve-out applies.
What the credit risk management framework must include
The heart of APS 220 is the requirement to maintain a credit risk management framework that is sound, well-documented and embedded in practice. At a minimum, APRA expects the framework to address:
- A credit risk appetite statement and a credit risk management strategy that are consistent with the ADI's overall risk appetite and business plan.
- Clearly defined roles, responsibilities and reporting lines, including a designated credit risk management function with appropriate independence.
- Policies and processes across the full credit lifecycle — origination, assessment, approval, administration, monitoring and remediation.
- Sound credit assessment standards that emphasise the borrower's capacity to repay, rather than relying primarily on collateral.
- Management information systems capable of measuring, aggregating and reporting credit risk and concentrations on a timely basis.
- Early identification and management of problem exposures, including processes for restructured and non-performing loans.
- Provisioning practices aligned with the Australian Accounting Standards.
- Independent review to test whether the framework is operating effectively.
The framework is not a static document. APRA expects it to be reviewed regularly and updated as the ADI's risk profile, products or external conditions change.
Board and senior management responsibilities
APS 220 places direct accountability on the board. The board is responsible for:
- Reviewing and approving the credit risk appetite statement and credit risk management strategy, with approval expected at least annually.
- Satisfying itself that the credit risk profile is consistent with that appetite and strategy.
- Constructively challenging senior management on the design and operation of credit risk policies.
- Ensuring management has the capability, resources and systems to manage credit risk effectively.
Senior management is responsible for implementing the framework — developing policies, maintaining the credit risk management function, and reporting to the board on the credit risk profile, emerging risks, concentrations and the status of problem exposures.
This board-and-management structure is deliberately aligned with APRA's overarching risk-management standard. APS 220 should be read alongside the entity-wide risk framework set out in CPS 220 Risk Management, which establishes the broader governance, accountability and review expectations that credit risk management fits within. For directors more generally, the duties context is covered under the directors topic.
Credit standards, classification and provisioning
A central theme of APS 220 is rigorous, repayment-focused credit assessment. ADIs must establish sound criteria for granting credit that genuinely assess the borrower's ability to service and repay the facility, rather than leaning on the value of security. APRA has been particularly focused on serviceability assessment for residential mortgage lending.
The standard also requires disciplined treatment of exposures after origination:
- Classification of credit exposures, including identifying exposures as performing or non-performing using consistent definitions.
- Restructuring policies that prevent problem loans from being masked through renegotiation.
- Provisioning that reflects realistic expectations of recovery and is consistent with the Australian Accounting Standards (which use an expected-credit-loss model).
- Large exposures and concentrations monitoring, recognising that credit risk is often driven by correlation and concentration as much as by individual defaults.
The objective is that an ADI's reported asset quality and capital position reflect the true condition of its loan book, so that losses are recognised on a timely and prudent basis.
When it took effect and how it links to other standards
The current APS 220 commenced on 1 January 2023. APRA had revised the standard following an earlier consultation and a response-to-submissions process, deferring the original implementation date to give ADIs time to make systems and process changes. Earlier versions of the standard used different terminology (including a previous "credit quality" framing); the current version reframes the obligation around end-to-end credit risk management.
APS 220 does not operate in isolation. It interacts with capital adequacy standards (such as APS 112 and APS 113 for credit risk capital), the large exposures standard (APS 221), and the entity-wide risk-management standard CPS 220. The non-binding APG 220 practice guide sits beneath the standard and describes APRA's view of sound practice. Always check the APRA standards library for the version currently in force, as APRA periodically updates the banking framework.
What to have in place and common pitfalls
Practical steps for an ADI to demonstrate compliance:
- Maintain a current, board-approved credit risk appetite statement and strategy, with evidence of at least annual review.
- Document credit policies that cover the full lifecycle, with serviceability and repayment-capacity standards front and centre.
- Operate an independent credit risk management function with clear authority and reporting to the board.
- Run management information that surfaces concentrations, arrears trends and problem exposures in near real time.
- Apply consistent classification and expected-credit-loss provisioning, supported by independent review.
Common pitfalls APRA tends to focus on:
- Collateral-led lending — approving facilities on the strength of security while under-testing the borrower's capacity to repay.
- Weak serviceability assumptions in mortgage lending, including buffers and treatment of living expenses.
- Stale frameworks — a polished policy document that is not reflected in actual approval behaviour or system controls.
- Delayed loss recognition — slow or inconsistent classification of non-performing and restructured exposures.
- Outsourcing accountability — relying on a parent or service provider for credit processes without retaining genuine oversight.
For broader prudential and licensing context, see the financial services topic. The authoritative requirements remain those in the APS 220 standard itself as published by APRA.
Frequently asked
What is APS 220?
APS 220 Credit Risk Management is an APRA prudential standard that requires authorised deposit-taking institutions (ADIs) to maintain a sound, documented framework for identifying, measuring, monitoring and controlling credit risk across the full credit lifecycle, with board oversight and prudent classification and provisioning.
Who does APS 220 apply to?
It applies to all ADIs other than purchased payment facility (PPF) providers — including banks, building societies, credit unions and other mutual ADIs, and foreign ADIs in respect of their Australian operations. The framework is expected to scale with the institution's size and complexity.
When did the current APS 220 take effect?
The current version of APS 220 commenced on 1 January 2023, after APRA revised the standard and deferred the original implementation date. Check APRA's standards library for the version currently in force.
What is the difference between APS 220 and CPS 220?
APS 220 is specific to credit risk management for ADIs, while CPS 220 is APRA's entity-wide risk management standard covering governance, risk appetite and the overall risk framework. APS 220 should be read as fitting within the broader expectations set by CPS 220.
What is the board's role under APS 220?
The board must review and approve the credit risk appetite statement and strategy (at least annually), satisfy itself the credit risk profile aligns with that appetite, challenge senior management on credit policies, and ensure management has the capability and systems to manage credit risk effectively.
© Rules Mate · Source citations at the end · Information current as at 16 May 2026