
New insights for ensuring compliance with APRA’s CPS 230

The Australian Prudential Regulation Authority (APRA) has recently released Prudential Practice Guide CPG 230, a comprehensive guide to Prudential Standard CPS 230, on operational risk management. This guide clarifies compliance requirements for APRA-regulated banks, life and general insurers and superannuation trustees. Further, it will assist technology vendors and service providers serving APRA-regulated entities in navigating potential enhanced risk management obligations in their interactions with these entities.

In July 2023, APRA introduced Prudential Standard CPS 230 to address key vulnerabilities in operational risk management within APRA-regulated entities, including ineffective controls, low disruption tolerance, and the increasing reliance on service providers. In essence, CPS 230 requires that APRA-regulated entities establish and maintain robust risk management frameworks, enhance board governance, accountability, and oversight, assess and mitigate operational risks, develop effective business continuity management strategies, and strengthen arrangements with service providers.

CPS 230 will come into effect on 1 July 2025. Existing contracts between APRA-regulated entities and service providers will need to be compliant with CPS 230 from the earlier of the date on which the contract is next renewed and 1 July 2026.[1] In anticipation of the commencement of CPS 230, the Prudential Practice Guide and APRA’s response to public submissions (APRA’s Response) provide essential guidance for entities to prepare for and comply with CPS 230.

Below, we outline the key actions that APRA-regulated entities and their service providers should take based on the Prudential Practice Guide and APRA’s Response.

Key actions for CPS 230 compliance

1. Kickstart with CPS 230 implementation checklist

APRA has released a ‘Day One Checklist’ which summarises CPS 230 requirements, providing a helpful starting point for APRA-regulated entities to understand and implement compliance measures. The checklist outlines a step-by-step approach, beginning with:

  • identifying critical operations;

  • defining tolerance levels for those operations; and

  • identifying material service providers.

2. Identify critical operations and their tolerance levels

Many of the obligations in CPS 230 focus on maintaining an APRA-regulated entity’s critical operations and preventing disruptions to them that exceed their tolerance levels. The Prudential Practice Guide provides considerations to help entities identify their critical operations, in addition to the non-exhaustive list of operations in CPS 230 that are deemed critical.[2] Critical operations are those that, if disrupted beyond their tolerance level, would have a direct or indirect material adverse impact on depositors, policyholders, beneficiaries or other customers.

According to the Prudential Practice Guide, an indirect material impact includes an occurrence that would significantly impact the entity's profitability, financial soundness, reputation, or ability to comply with legal or regulatory requirements.

In addition, APRA outlines the factors that entities should consider when setting tolerance levels for their critical operations, including:

  • the maximum amount of time a business service can be unavailable before the impact is deemed unacceptable;

  • the maximum amount of time allowed for the recovery of information assets that relate to a business service;

  • the maximum amount of data loss a business can tolerate, dependent on how far back the business can reconstruct affected data, which is used to determine the frequency of backups; and

  • the minimum resources (people, information assets and resources) required to maintain normal business operations.

3. Address material weaknesses

CPS 230 requires APRA-regulated entities to establish and maintain a risk management framework to mitigate operational risks and business disruptions. Entities must notify APRA as soon as possible, and not later than 72 hours, after becoming aware of an operational risk incident that they determine to be likely to have a material financial impact or a material impact on the ability of the entity to maintain its critical operations.

Additionally, if an entity identifies material weaknesses in its operational risk management, APRA expects the entity to:

  • keep APRA informed of the remediation progress; and

  • hold additional capital (for authorised deposit-taking institutions or insurers) until remediation is complete.

4. Ensure boards have visibility and oversight of all risk management areas

A key focus of CPS 230 is to ensure that APRA-regulated entities' boards are accountable for risk management. The Prudential Practice Guide outlines three key actions for boards to comply with their CPS 230 obligations and effectively oversee operational risk management. These actions include:

  • allocating responsibility for each aspect of an entity's operational risk management within the entity, ensuring no gaps in responsibility;

  • overseeing the entity's risk profile, including prompt addressing of risks outside the entity's risk appetite; and

  • challenging and approving the entity's business continuity plan and tolerances for disruption and critical operations.

5. Identify material service providers

CPS 230 requires that APRA-regulated entities identify and submit a register of their material service providers to APRA, with the initial submission due by 1 October 2025. APRA-regulated entities are also required to maintain a comprehensive service provider management policy describing (among other things) how the entity will identify material service providers, and manage its arrangements with service providers.

The Prudential Practice Guide clarifies that a service provider is considered 'material' only if the entity relies on the service provider for a critical operation, or if the arrangement poses material operational risk to the entity.

Additionally, the Prudential Practice Guide recommends that entities maintain records of non-material service providers and review this classification annually.

6. Assess and select material service providers

When selecting and assessing potential providers of material services, the Prudential Practice Guide recommends that APRA-regulated entities evaluate the following risks against their risk appetite:

  • capabilities or services that must be retained in-house;

  • country or region risk;

  • supplier risk;

  • concentration risk; and

  • reputational risk.

Additionally, entities should consider further factors when engaging a service provider in another jurisdiction, including the provider's ability to comply with legal and prudential requirements, their ability to meet core obligations in the event of a service disruption, and APRA's ability to obtain necessary information from the provider.

Service providers offering services to APRA-regulated entities can expect to face rigorous scrutiny and questioning before being engaged, arising from the duty of APRA-regulated entities to assess the risks involved before contracting with a material service provider.

7. Manage the risks associated with fourth parties along supply chains

As part of managing material service providers, APRA requires APRA-regulated entities to be aware of 'fourth parties' (vendors engaged by their suppliers) that provide services to the entities.

The Prudential Practice Guide and APRA’s Response outline APRA’s expectations that APRA-regulated entities should:

  • include their approach to managing risks associated with fourth parties involved in critical operations in the service provider management policy; and

  • take reasonable steps to identify and list fourth parties relied upon by material service providers in their material service provider register.

APRA notes that APRA-regulated entities that are unaware of fourth parties may have an incomplete understanding of the risks associated with their service providers' reliance on these fourth parties. As a result, service providers should anticipate that APRA-regulated entities will require them to disclose their subcontractors and service providers on an ongoing basis, through contractual obligations.

8. Keeping up-to-date with APRA’s regulatory agenda

APRA's Response outlines its supervision program, providing transparency on its approach to monitoring CPS 230 compliance during the first three years of implementation. Significant Financial Institutions should note the following milestones:

  • 2025-2026: APRA will conduct a prudential review of a small subset of entities;

  • 2026-2027: APRA will review another subset of entities; and

  • 2027-2028: APRA will engage in business-as-usual (BAU) ongoing supervision.

Regarding the reporting obligations under CPS 230, which include submitting a Material Service Provider register and event-based notifications (such as notifications of material events or tolerance breaches), APRA's Response states that between 2025 and 2027, APRA will engage in 'heightened supervision' of an APRA-regulated entity if either a material event occurs or the entity is deemed a material service provider 'outlier'. Although there is no guidance on what constitutes an 'outlier', we recommend that entities comply with submitting their Material Service Provider register to avoid heightened scrutiny by APRA.

Next steps

The publication of the Prudential Practice Guide and APRA's Response provides clarity on APRA's expectations, and sets out a framework for preparing for compliance. With a year-long lead time, APRA-regulated entities can now prepare for CPS 230 compliance by reviewing and enhancing their internal policies and practices, considering any accountability implications under the Financial Accountability Regime, updating assessment frameworks and internal training programs, conducting thorough risk assessments and gap analyses, and strengthening incident response and reporting procedures. Externally, this lead time enables entities to review and negotiate contracts with third-party service providers, identify and assess potential fourth-party risks, and develop strategies for managing third-party relationships.

At the same time, service providers to APRA-regulated entities should utilise this period to assess how they will meet increased obligations from their APRA-regulated customers and develop strategies for cascading compliance downstream to their own providers.


[1] APRA has granted non-Significant Financial Institutions (not listed here) a one-year extension to comply with requirements around business continuity and undertaking scenario analysis.

[2] Clause 36 of CPS 230 sets out business operations for APRA-regulated entities which are deemed to be critical operations, unless an entity can justify otherwise. These are as follows: (a) for an Authorised Deposit-taking Institution: payments, deposit-taking and management, custody, settlements and clearing; (b) for an insurer (general, life, private health): claims processing; (c) for an RSE licensee: investment management and fund administration; and (d) for all APRA-regulated entities: customer enquiries and the systems and infrastructure needed to support critical operations.


Authors

Matthew Lee

Senior Associate

Kate Mani

Associate


This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.