APRA APS 221 Large Exposures: the limits that cap concentration risk

APS 221 is the Australian Prudential Regulation Authority (APRA) prudential standard that caps how much credit risk an authorised deposit-taking institution (ADI) — a bank, building society or credit union — can run to any single counterparty or group of connected counterparties. Its purpose is to stop a bank from being brought down by the failure of one large borrower. The headline rule is that an ADI's aggregate large exposure to a counterparty or group of connected counterparties is generally limited to 25 per cent of its Tier 1 Capital, with a tighter regime for exposures between domestically systemically important banks.

The standard is Prudential Standard APS 221 Large Exposures, made by APRA under the *Banking Act 1959*. It sits alongside APRA's broader risk-management framework and is closely linked to the capital standards, particularly APS 111 (which defines Tier 1 Capital) and APS 112 (which governs risk weights).

What APS 221 requires in one paragraph

APS 221 requires every covered ADI to set prudent limits on, and actively manage, its large exposures and risk concentrations. In practice this means three things: a Board-approved policy governing large exposures; systems and controls that identify, measure, monitor and report those exposures; and hard quantitative limits — chiefly the 25 per cent of Tier 1 Capital cap per counterparty or group of connected counterparties — that the ADI must stay within and report breaches of to APRA. The aim is concentration discipline, not just capital adequacy: an ADI can be well-capitalised in aggregate yet dangerously exposed to one name.

Who APS 221 applies to

APS 221 applies to all ADIs other than foreign ADIs (the Australian branches of overseas banks) and providers of purchased payment facilities. That captures the locally incorporated banks, building societies and credit unions that take retail deposits in Australia.

Application is generally on both a Level 1 (the ADI alone) and Level 2 (the consolidated banking group) basis, consistent with the rest of APRA's prudential framework. The obligations scale with the institution: a major bank and a small mutual ADI are both caught, though APRA's expectations on the sophistication of systems and controls are proportionate to size and complexity.

If you operate a foreign bank branch in Australia, APS 221's large-exposure limits do not apply to the branch in the same way — but you should confirm the treatment that applies to your entity directly with APRA, because the carve-out is specific.

The core large exposure limits

A "large exposure" is broadly an exposure to a counterparty or group of connected counterparties that equals or exceeds a defined proportion of the ADI's Tier 1 Capital (verify the current reporting trigger with APRA, as definitional thresholds are set in the standard). The binding limits are what matter most:

• 25 per cent of Tier 1 Capital — the general cap on aggregate large exposures to a single counterparty or a group of connected counterparties.
• A tighter limit for exposures between systemically important banks — APRA applies a lower cap (below 25 per cent) to exposures between Australian D-SIBs, reflecting the systemic risk of large banks being interconnected.
• A higher 50 per cent of Tier 1 Capital limit can apply to certain exposures connected to a government that receives a zero per cent risk-weight under APS 112; where the relevant government does not receive a zero per cent risk-weight, the 25 per cent limit applies instead.

The "group of connected counterparties" concept is central. Two or more counterparties are treated as one exposure where they are linked by control or by economic interdependence — so that the financial distress of one would likely cause distress for the others. This prevents an ADI from sidestepping the cap by lending to multiple related entities.

How exposures are measured and aggregated

APS 221 requires a broad, conservative measure of exposure. An ADI must include:

• All on-balance sheet exposures and off-balance sheet exposures.
• Exposures in both the banking book and the trading book.
• Instruments that give rise to counterparty credit risk (for example, derivatives and securities financing transactions).

Exposures are measured against the counterparty and then aggregated across the group of connected counterparties. The standard also sets out how credit risk mitigation and the recognition of guarantees or collateral may be reflected, and contains specific treatments for exposures to other banks, to central counterparties, and through structures such as funds and securitisations (where look-through requirements can apply to the underlying assets).

Because the denominator is Tier 1 Capital, a fall in capital can push a previously compliant exposure over the limit even if the exposure itself has not changed — a point worth monitoring through the capital cycle.

Governance, monitoring and reporting obligations

APS 221 is as much about process as about numbers. A covered ADI must:

• Maintain a Board-approved policy governing large exposures and risk concentrations, including its own internal limits (which may be tighter than APRA's).
• Operate systems and controls adequate to identify, measure, monitor and report large exposures and risk concentrations on a timely basis.
• Monitor concentrations across counterparties, industries, geographies and instrument types — not just single-name limits.
• Report large exposures to APRA through the relevant reporting standard, and notify APRA of limit breaches.

These obligations dovetail with CPS 220 Risk Management, the over-arching standard requiring a sound risk-management framework. Large-exposure controls are one component of the broader framework CPS 220 expects, and APRA will look at them together. For institutions navigating the wider prudential and financial services landscape, treating APS 221 in isolation is a mistake.

What ADIs should do to comply

• Define connected counterparties rigorously. Build and maintain a process for grouping counterparties by control and economic interdependence; this is where most measurement error originates.
• Capture the full exposure set. Ensure systems pull on- and off-balance-sheet, banking- and trading-book, and counterparty-credit-risk exposures into a single aggregated view per counterparty group.
• Calibrate internal limits below the regulatory cap. Give yourself headroom so that ordinary fluctuations — or a fall in Tier 1 Capital — do not trigger a breach.
• Tie limits to live capital figures. Re-test exposures against current Tier 1 Capital, not stale figures, so concentration is measured against the right denominator.
• Document Board oversight. Keep evidence that the Board has approved the policy and receives regular large-exposure reporting.
• Have a breach protocol. Know in advance how a breach will be identified, escalated, remediated and reported to APRA.

Common pitfalls

• Under-grouping connected counterparties. Treating related borrowers as separate names understates true concentration and is a frequent source of inadvertent breaches.
• Missing off-balance-sheet and derivative exposures. Limiting the measure to drawn loans ignores undrawn commitments, guarantees and counterparty credit risk.
• Ignoring the denominator. A reduction in Tier 1 Capital can breach a limit without any new lending.
• Confusing capital adequacy with concentration. A strong total capital ratio does not cure a single-name concentration problem — APS 221 exists precisely because aggregate capital can mask it.
• Stale policies. A Board-approved policy that is not updated for new products, structures or the current standard will not satisfy APRA on review.
• Assuming exact figures from secondary sources. Always confirm the current limits, definitional thresholds and reporting triggers against the live APRA standard, as the framework is periodically revised.