APRA APS 222 Associations with Related Entities explained

What APS 222 is, in one line

**Prudential Standard APS 222 *Associations with Related Entities* is the Australian Prudential Regulation Authority (APRA) standard that governs how an authorised deposit-taking institution (ADI) manages and limits its exposures to related entities — other companies in its corporate group, including parents, subsidiaries and associates. Its core purpose is to ensure that an ADI is not weakened, contaminated or propped up by the rest of its group, and that depositors are protected if a related entity gets into trouble.

In short: if you run a bank, building society or credit union in Australia and it sits inside a wider corporate group, APS 222 sets the boundaries on how exposed you can be to your own relatives.

The standard sits within APRA's prudential framework for ADIs and should be read alongside the Banking Act 1959 and APRA's broader capital and governance standards. It is part of the wider financial services regulatory architecture.

Who APS 222 applies to

APS 222 applies to all ADIs authorised under the Banking Act, and — importantly — generally applies on both a Level 1 (the ADI itself) and Level 2 (the consolidated banking group) basis. That dual application is deliberate: APRA wants to see the standalone ADI's exposures and the group-wide picture.

It is relevant to:

• Banks, building societies and credit unions authorised as ADIs.
• Foreign ADIs operating in Australia (with modifications APRA may set for their circumstances).
• Authorised non-operating holding companies (NOHCs) of ADI groups.

The standard is built around the concept of a related entity. Broadly, this captures entities connected to the ADI through ownership, control or other close association — parent companies, subsidiaries, the NOHC, related parties, and certain associates. Boards and risk teams should not assume "related entity" maps neatly onto the accounting definition of a subsidiary; the prudential definition is wider and is set out in the standard itself. Always confirm the current scope against the APRA prudential standards register.

What the standard requires

APS 222 imposes both quantitative limits on exposures to related entities and qualitative governance expectations about how those exposures are identified, measured and managed. The combination matters: limits alone do not protect an ADI if it cannot reliably see its own group exposures.

The qualitative expectations broadly require an ADI to:

• Maintain a board-approved policy on associations with, and exposures to, related entities.
• Identify and measure all exposures to related entities on a consistent, group-wide basis.
• Ensure dealings with related entities are conducted on an arm's-length basis and on terms no more favourable than those available to unrelated third parties.
• Have the independence and capacity to "step out" of its group — to operate as a standalone entity under stress — without being dragged down by, or feeling compelled to support, the rest of the group.
• Manage and report contagion risk, including reputational and step-in risk, where the ADI might feel pressure to support a struggling related entity even absent any legal obligation.

These expectations are reinforced by APRA's risk-management and governance standards, so APS 222 should not be read in isolation.

Exposure limits and how they work

APS 222 sets caps on the size of an ADI's exposures to related entities, expressed as a proportion of the ADI's capital base (Tier 1 capital), with separate treatment for individual related entities and for aggregate exposures across all related entities. The standard also restricts the extent to which an ADI can hold exposures to its own NOHC or parent.

Rather than quote figures that may have changed, treat the limits this way:

• There is a per-entity limit on exposure to any single related entity.
• There is an aggregate limit across all related entities combined.
• Equity and subordinated exposures to related entities receive stricter treatment than ordinary senior exposures.
• Certain exposures may be excluded or subject to specific treatment (for example, particular intra-group arrangements that APRA recognises as low-risk).

The precise percentages, the capital measure used and any exclusions are the load-bearing detail here — verify the current limits directly against the standard on the APRA website before relying on them, as APRA has revised APS 222 over time and continues to consult on its framework.

A simple way to think about the structure:

Exposure type	Treated how
Single related entity	Capped as a share of Tier 1 capital
All related entities (aggregate)	Subject to a higher combined cap
Equity / subordinated to related entities	More restrictive treatment
Exposure to NOHC / parent	Tightly constrained

Step-out and contagion: the substance behind the rules

The numbers exist to serve a principle: an ADI must be able to survive on its own. APRA's experience — including lessons from past financial-system stress — is that group structures can transmit problems into the regulated bank. A failing fintech subsidiary, a stressed parent, or an associate with reputational problems can all create pressure on the ADI to provide funding, capital or implicit support.

APS 222 addresses this through two linked ideas:

• Step-out capability. The ADI must be structured and governed so it can operate independently of the group. That means independent risk management, the ability to access its own systems and people, and not being so financially entangled that separation is impossible in a crisis.
• Contagion and step-in risk. Even where there is no contractual obligation, an ADI may feel commercial or reputational pressure to "step in" and rescue a related entity. APRA expects this risk to be identified, limited and reported, not assumed away.

This is why governance and policy expectations carry as much weight as the quantitative caps.

What ADIs need to do in practice

For compliance, risk and finance teams, APS 222 translates into a recurring set of obligations:

• Maintain a current related-entity register that captures the full prudential definition, not just accounting subsidiaries.
• Measure exposures consistently across the group at both Level 1 and Level 2, including off-balance-sheet and contingent exposures.
• Apply and monitor the limits continuously, with clear escalation when exposures approach thresholds.
• Document arm's-length dealing for intra-group transactions, pricing and services.
• Test step-out arrangements — can the ADI genuinely operate alone if the group is removed?
• Report to APRA through the relevant reporting standards and notify APRA of breaches or material developments.
• Refresh the board-approved policy periodically and after any material change to group structure.

New group structures — particularly where an ADI sits alongside a fintech, payments or crypto venture, or an insurance or funds-management arm — deserve specific attention, because novel related entities can introduce exposures and contagion paths that legacy policies never contemplated.

Common pitfalls and supervisory focus

The recurring failure points APRA tends to probe include:

• Under-scoping "related entity." Relying on the accounting consolidation boundary and missing associates or controlled entities the prudential definition captures.
• Incomplete exposure measurement. Overlooking guarantees, undrawn facilities, derivatives and operational dependencies that are still exposures in substance.
• Non-arm's-length dealings. Intra-group pricing or funding on favourable terms that effectively subsidises the rest of the group at the ADI's expense.
• Weak step-out capability. Shared systems, staff or services so deeply integrated that the ADI could not realistically stand alone.
• Treating limits as a one-off check** rather than a live, continuously monitored control.

Because APRA periodically reviews and consults on this standard, the safest compliance posture is to treat the published version of APS 222 — and its accompanying reporting standards and guidance — as the single source of truth, and to confirm the current limits, definitions and effective dates directly with APRA rather than relying on summaries.