Tell me in 1 minute

On 17 July 2023, the Australian Prudential Regulation Authority (APRA) released the long-awaited final Prudential Standard CPS 230 Operational Risk Management (CPS 230) following extensive industry consultation. CPS 230 will replace the current APRA Prudential Standards for Outsourcing (CPS 231 / SPS 231 / HPS 231) and Business Continuity Planning (CPS 232 / SPS 232), so that CPS 230 will become the core standard for APRA-regulated entities when outsourcing services and managing other operational risk (including business continuity).

CPS 230 introduces enhanced requirements in operational risk management, resilience and tolerance levels for disruption and service provider management. This will have impacts on APRA-regulated entities, their group members (in some cases) and certain service providers to APRA-regulated entities.


Key updates to the consultation draft

The final form of CPS 230 includes the following key updates to the consultation draft:

  • Clarity around deemed material service providers – Clarification that providers of certain activities and services are designated as a minimum as being material (unless the APRA-regulated entity can justify otherwise). This includes (amongst other activities): underwriting and claims management for insurers; credit assessment and mortgage brokerage for ADIs; fund administration and custodian services for RSE licensees; and for all APRA entities, risk management, core technology services and internal audit.
  • CPS 234 no longer deemed to automatically characterise service providers as material - Service providers that manage information assets classified as critical or sensitive under CPS 234 are no longer deemed to be material service providers – APRA-regulated entities will need to consider this on a case-by-case basis taking into account the services that are designated as being material.
  • Changes to mandatory contract requirements - Some of the requirements (including for mandatory contract terms) have been limited to a narrower scope of supplier arrangements through the introduction of a new concept of “material arrangements” that was not referred to in the draft CPS 230.
  • Interrelation with business continuity planning - There is now an express reference to business continuity planning being consistent with and not conflicting or undermining an APRA-entity’s resolution and exit planning, highlighting the importance of entities aligning their approach to CPS 230 and to complying with their requirements under CPS 190 and CPS 900.

CPS 230 comes into effect on 1 July 2025 (with a transition period for pre-existing contractual arrangements). While APRA-regulated entities and their suppliers have some time to get ready for the implementation of CPS 230, planning for implementation will take time, and impacted entities should be identifying gaps and planning to implement CPS 230 now.

A new Draft Prudential Practice Guide Operational Risk Management (CPG 230) has also been released by APRA for consultation (submissions close 13 October 2023).

Who will be affected?

CPS 230 applies to:

  • APRA-regulated entities
    • Authorised deposit-taking institutions (ADIs)
    • General insurers
    • Life companies/insurers
    • Private health insurers
    • Registerable superannuation entity licensees
  • Group members of APRA-regulated entities
    • Where an APRA-regulated entity is the head of the group, it must comply with CPS 230 on a group basis and by ensuring the requirements are applied appropriately throughout the group.

Service providers to APRA-regulated entities should also expect APRA-regulated entities to flow through CPS 230 obligations in their contracts.

Prudential standard framework for operational risk management after CPS 230 is implemented

The CPS 230 requirements are subject to a transition period, but APRA expects that implementation is not delayed

APRA-regulated entities should take steps to assess compliance against the new and uplifted requirements under CPS 230

Key changes compared with CPS 231 and CPS 232 (and equivalent standards)

Enhanced operational risk management

CPS 230 uplifts operational risk management requirements compared with existing APRA Prudential Standards. Notably, an APRA-regulated entity must maintain a comprehensive assessment of its operational risk profile taking into account the following factors:

Further new or uplifted requirements include requirements to:

  • develop and maintain clear internal controls for managing risk and monitor, review and test these controls
  • maintain and monitor IT capability
  • remediate material weaknesses in operational risk management, including control gaps, weaknesses and failures
  • notify APRA within 72 hours after becoming aware of an operational risk incident that it determines to be likely to have a material financial impact or a material impact on the ability of the entity to maintain its critical operations
  • identify, escalate, record and address operational risk incidents and near misses

Managing operational risk will be an involved process and will need to be ingrained into an APRA-regulated entity’s business and strategic planning processes. The impact to the operational risk profile will need to be assessed on an ongoing basis for new products, services, geographies and technologies. In draft CPG 230, APRA expressly recognises that, while CPS 230 requirements will apply to all entities, APRA’s expectation is that an entity’s approach to operational risk is proportionate to the entity’s size, business mix and complexity (e.g. if the entity has a narrower product mix or a domestic focus).

A broader range of service provider arrangements are potentially covered

For service provider arrangements, CPS 230 shifts the focus from the materiality of the service being provided to the materiality of the services provided by the service provider based on the operational risk arising for the APRA-regulated entity from those services.

Material Service Provider is defined in CPS 230 as a service provider on which the APRA-regulated entity relies to undertake a critical operation or that exposes the entity to material operational risk. Providers of the following services to an APRA-regulated entity are prescribed (at a minimum) to be material service providers unless the entity can justify otherwise to APRA:

  • for an ADI: credit assessment, funding and liquidity management and mortgage brokerage
  • for an insurer: underwriting, claims management, insurance brokerage and reinsurance
  • for an RSE licensee: fund administration, custodial services, investment management and arrangements with promoters and financial planners
  • for all APRA-regulated entities: risk management, core technology services and internal audit

In draft CPG 230, APRA has noted its expectation that all service providers are assessed by APRA-regulated entities against clear materiality criteria and that the prescribed categories do not limit that assessment. In addition, APRA has proposed that any justification not to classify a prescribed service provider as material would be documented, approved by an accountable person or senior management and reviewed annually.

Materiality would be assessed against criteria including all of the services provided by the service provider, the nature of the services, the operational risks to which the APRA-regulated entity is exposed in using the services provided by the service provider and ease of transitioning to a replacement provider.

Whether services provided by the service provider involve sensitive or critical information assets (as classified under CPS 234) is no longer prescribed in CPS 230 as a default criterion for the provider to be considered a material service provider (but is noted in draft CPG 230 as one materiality criterion).

A service provider may be identified as material as a result of an individual arrangement or multiple arrangements with an APRA-regulated entity. Material service providers can be related entities (e.g. under an intra-group agreement) or third parties.

The ‘material service provider’ concept is likely to capture a wider range of suppliers than under CPS 231 and the equivalent standards. It requires an assessment at a service provider level rather than on an individual service outsourcing basis. This means that:

  • contracts that do not currently meet the requirements of CPS 231 and the equivalent standards may need to be uplifted for compliance with CPS 230
  • contracts which currently meet CPS 231 and the equivalent standards requirements may nonetheless require review to assess compliance against the specific changes to the mandatory contract terms for material arrangements under CPS 230 and to validate that other uplifted obligations under CPS 230 are flowed through to suppliers where necessary

For example, amongst others, the following uplifted requirements for affected service provider arrangements apply compared with existing requirements under CPS 231 and the equivalent standards:

As compared to the consultation draft of CPS 230, the final form of CPS 230 also clarifies that not all arrangements with material service providers are subject to the mandatory term or notification requirements by introducing a concept of “material arrangements”. “Material arrangements” are those on which an APRA-regulated entity relies to undertake a critical operation or that expose it to material operational risk. For example, requirements to undertake diligence (including selection processes) and to assess financial and non-financial risks in relying on a material service provider must be undertaken before entering or materially modifying a material arrangement.

Enhanced oversight of and accountability for operational risk

The Board will be held to a higher standard under CPS 230 by being ultimately accountable for oversight of an APRA-regulated entity’s operational risk management (as compared with CPS 231 and the equivalent standards). This includes business continuity and the management of service provider arrangements. The Board is also required to perform specific tasks, such as approving the BCP, tolerance levels and service provider management policy.

CPS 230 sets out clearer expectations of the role of senior management across an APRA-regulated entity in managing operational risk. This includes requirements for senior management to provide clear and comprehensive information to the Board on the expected impacts of the Board’s decisions on the resilience of critical operations and to set and manage tolerance levels across critical operations. Senior management must take action to address any areas of concern arising from the entity’s operational risk profile. They are responsible for operational risk management across the end-to-end process for all business operations.

Draft CPG 230 sets out certain expectations of APRA as to how the Board exercises its oversight. These emphasise the Board’s role to challenge the effectiveness of the operational risk profile (including internal risk controls and the strength of internal audit processes), and to actively focus on and be informed of any significant weaknesses, major remediation programs and significant new ventures that may give rise to new or material operational risks (expressly noting crypto assets).

This will require APRA-regulated entities to review and validate that their existing reporting and management processes are consistent with this structure and approach.

Directors should also have an eye to the interplay between the Board’s accountability under CPS 230 with directors’ duties and the obligations of directors under BEAR and FAR.

Uplifted business continuity requirements

While the requirement to maintain, test, review and (in the event of a disruption) implement a business continuity plan (BCP) is by no means new, CPS 230 introduces uplifted business continuity requirements based on the new concepts of ‘critical operations’ and ‘tolerance levels’.

APRA-regulated entities must define, identify and maintain a register of their critical operations

Critical operations are processes undertaken by an APRA-regulated entity or its service providers which, if disrupted beyond tolerance levels, would have a material adverse impact on depositors, policyholders, beneficiaries or other customers, or on the APRA-regulated entity’s role in the financial system. This concept focuses on processes, rather than the previous considerations of business functions, resources and infrastructure. As with the scope of material service providers, certain operations are prescribed by APRA as minimum categories of critical operations unless the APRA-regulated entity can justify otherwise, including:

  • for an ADI: payments, deposit-taking and management, custody, settlements and clearing
  • for an insurer: claims processing
  • for an RSE licensee: investment management and fund administration
  • for all APRA-regulated entities: customer enquiries and the systems and infrastructure needed to support critical operations

APRA-regulated entities must establish tolerance levels for each critical operation

Tolerance levels must be defined for:

  • the maximum period of time that a disruption to the critical operation would be tolerated
  • the maximum extent of data loss that would be accepted as a result of a disruption
  • minimum service levels that would be maintained while operating under alternative arrangements during a disruption

Practically, APRA-regulated entities will need to take into account their historic service performance and existing capabilities when setting their tolerance levels, though this needs to be balanced with customer trends relating to decreased tolerance for disruption.

APRA-regulated entities must update their triggers and processes for notifying APRA

Under CPS 230, the following matters will need to be notified or reported to APRA:

Key practical implications

For APRA-regulated entities and their group members

  • Uplift governance arrangements for oversight of operational risk, including to ensure appropriate reporting flows on operational risk between the business, senior management and the Board
  • Review policies and procedures to assess required uplifts to address enhanced operational risk management requirements, including regular monitoring, testing and remediation of gaps
  • Identify operational risks and define tolerance levels and update BCPs accordingly
  • Assess which service providers are captured by the expanded concept of ‘material service providers’, which have implications of greater APRA oversight
  • Uplift contracts with material service providers to meet CPS 230 requirements
  • Ensure material arrangements with related body corporates are captured in a formal contract (the exception in CPS 231 no longer applies)
  • Build APRA notification requirements into regulatory reporting practices

Where an APRA-regulated entity is the head of the group, group members will need to ensure CPS 230 requirements are applied appropriately to their operations.

For suppliers to APRA-regulated entities

  • APRA-regulated customers will require uplifts to existing arrangements to include provisions that reflect CPS 230 obligations - this could include arrangements which were not previously captured by CPS 231 / SPS 231 / HPS 231 or CPS 232 / SPS 232
  • Certain APRA-regulated customers may flow down aspects of their operational risk management procedures to material service providers – e.g. changes to service levels, notification obligations, reporting and audit rights
  • The requirement for APRA-regulated customers to manage risks associated with fourth party suppliers could result in the need for suppliers to incorporate certain terms into their sub-contracts - e.g. additional diligence / information rights, audit rights, monitoring and management obligations
  • Expect tighter controls over subcontracting and downstream supply arrangements from APRA-regulated customers – e.g. rights to cease use of a particular downstream supplier, if that supplier will adversely impact the APRA-regulated customer’s operational risk profile
  • Where applicable, uplifted diligence requirements for CPS 230 will likely result in more involved and complex vendor procurement processes from potential customers that are APRA-regulated