28 July 2023
Following recent operational risk control failures and disruptions, including material cyber breaches, the Australian Prudential Regulation Authority (APRA) has released its Prudential Standard CPS 230.
After 12 months of consultation, APRA released the final CPS 230 on 17 July 2023 to address ineffective controls within APRA-regulated entities, low tolerance for disruptions and increasing reliance by regulated entities on service providers. It will replace five current APRA standards on outsourcing and business continuity management.[1]
APRA-regulated entities including banks, insurers and superannuation funds are required to (1) develop and maintain risk management frameworks, (2) enhance Board governance, accountability and oversight, (3) assess and control operational risks, (4) improve business continuity management and (5) uplift arrangements with service providers.
CPS 230 will come into force on 1 July 2025. Where there are pre-existing contractual arrangements between an APRA-regulated entity and its service providers, CPS 230 will apply from the earlier of the next renewal date or 1 July 2026. Flow-down obligations will also need to be placed on relevant service providers.
APRA has also released a Draft Prudential Practice Guide (Draft Guide) to assist entities with the implementation of CPS 230, which is open for public consultation until 13 October 2023.
CPS 230 requires an APRA-regulated entity to develop and maintain a risk management framework to manage and guard against operational risks and business disruptions. This will involve:
CPS 230 imposes specific roles and responsibilities on an APRA-regulated entity’s board. These include approving the entity’s business continuity plan and tolerance levels for disruptions to critical operations and reviewing risk and performance reporting on material service providers.
To meet its obligations, the board of directors of an APRA-regulated entity is expected to:
CPS 230 requires an APRA-regulated entity to manage its operational risks by assessing the impact of business and strategic decisions on the entity’s operational risk profile and resilience, implementing operational risk controls, and identifying and responding to operational risk incidents. The Draft Guide further emphasises the heightened fraud, cyber, conduct, financial crime and technology risks associated with crypto-assets.
It is expected that APRA-regulated entities will need to:
As part of business continuity management, CPS 230 requires an APRA-regulated entity to take reasonable steps to minimise the likelihood and impact of disruptions to its critical operations. It provides a non-exhaustive list of ‘critical operations’ which, if disrupted, could have a material adverse impact on an APRA-regulated entity’s depositors, policyholders, beneficiaries and customers, or its role in the financial system. These include payments, deposit-taking and management, investment management, claims processing and customer enquiries.
Flowing from this requirement, APRA-regulated entities should:
CPS 230 broadens APRA’s powers in overseeing contracts between an APRA-regulated entity and its downstream service providers.
CPS 231, which CPS 230 will replace, applies in respect of the ‘outsourcing’ of a ‘material business activity’. CPS 230 will expand APRA’s oversight by applying not only to outsourcing but to the entity’s agreements with all ‘material service providers’, i.e. those the entity relies upon to undertake a critical operation or those that expose the entity to a material operational risk.[2] CPS 230 seeks to uplift requirements on service providers through increased due diligence and requirements for supplier contracts.
Further, CPS 230 introduces additional requirements to manage parties along an APRA-regulated entity’s supply chain, including any organisation engaged by third party material service providers to render services to an APRA-regulated entity (i.e. a ‘fourth-party service provider’). These include seeking assurance from service providers that they have the capability to manage material fourth parties.
APRA-regulated entities should therefore proactively audit their register of direct and indirect service providers and assess which of these providers could be classified as ‘material service providers’. APRA-regulated entities should then revisit their agreements with ‘material service providers’ to ensure compliance with the heightened CPS 230 requirements (which go beyond agreements for outsourcing of material business activities under current CPS 231).
Amongst other matters, consideration should be given to include provisions that address, where appropriate:
Greater emphasis will also be placed on APRA-regulated entities to assess the financial and other risks of relying on a service provider, including risks arising from that provider’s reliance on fourth parties to deliver services, and to implement appropriate risk minimisation safeguards.
While CPS 230 will only come into force in two years’ time, APRA-regulated entities should now be proactive in preparing to implement CPS 230 and not leave compliance until the last minute.[3] Service providers that provide material services to APRA-regulated entities (or their service providers) should also expect such entities to require additional (and likely more stringent) terms in their service agreements.
We suggest that APRA-regulated entities refer to the Draft Guide which details APRA’s expectations in their implementation of CPS 230. Written submissions in response to the Draft Guide can be made up to 13 October 2023.
[1] CPS 230 will replace CPS 231, HPS 231 and SPS 231 on outsourcing, and CPS 232 and SPS 232 on business continuity management. CPS 234 on information security will be retained.
[2] Material service providers include providers of core technology services, services supporting critical operations and internal audit services and may be a third-party, related party or connected entity to the APRA-regulated entity.
[3] Per APRA’s chairman, Mr John Lonsdale.