After months of consultation on the previous draft (released in July 2022), APRA has released the final version of its new prudential standard on operational risk management, CPS 230. Below we look at what this means for banks, insurance companies, superannuation trustees and other APRA-regulated entities.
The Australian Prudential Regulation Authority (APRA) has released the final version of its cross-industry Prudential Standard CPS 230 Operational Risk Management (CPS 230). The purpose of the new standard is to enable APRA-regulated entities to effectively manage their operational risks, especially those associated with critical operations and material service providers. The release follows extensive industry consultation on the draft version of CPS 230, which was released in July 2022, and a period in which APRA reviewed the submissions it received. APRA has also released a draft Prudential Practice Guide CPG 230 Operational Risk Management (CPG 230) for consultation, with submissions due October 13, 2023.
CPS 230 supersedes and replaces five existing prudential standards and five existing prudential practice guides related to outsourcing and business continuity management. streamline the standards that support
The final CPS 230, commencing 1 July 2025, places responsibilities on regulated entities to proactively meet their obligations under the new standard. The board is ultimately responsible for overseeing the operational risk framework of an APRA-regulated entity. This includes ensuring the entity remains resilient in the face of operational risk and business disruption, and overseeing the management of service provider arrangements. Boards must also ensure that senior management of the APRA-regulated entity has clear roles and responsibilities for operational risk management, including the management of business continuity and service provider arrangements. These changes represent an important step towards sustaining and strengthening a stable and resilient financial services industry.
New changes in final CPS 230
The major changes between the draft and final versions of CPS 230 are:
- The new standard commences on July 1, 2025 instead of January 1, 2024. Where an APRA-regulated entity has an existing contractual arrangement with a service provider, the requirements of CPS 230 apply to that arrangement from the earlier of the next contract renewal date and July 1, 2026.
- In assessing the operational risk profile of an APRA-regulated entity, the defined risk appetite must be supported by metrics and limits as well as tolerance levels.
- The business continuity plan must be consistent with, and must not conflict with or undermine, the APRA-regulated entity's recovery and exit plan (the draft referred instead to the entity's financial contingency plan).
- APRA-regulated entities must still manage the full range of operational risks, but reputational risk is no longer included in the standard's non-exhaustive list of operational risks.
- Appropriate and sound information and information technology (IT) capability must be maintained (the draft referred only to IT infrastructure).
- APRA-regulated entities must monitor the age and health of their information assets (the draft referred only to IT infrastructure).
- APRA has clarified which functions it considers to be critical operations for particular types of APRA-regulated entity. In addition, APRA-regulated entities must classify at least the following operations as critical operations unless they can justify otherwise:
  - For ADIs: payments, deposit-taking and management, custody, settlement and clearing.
  - For insurers (general, life and private health): claims processing.
  - For RSE licensees: investment management and fund management; and
  - For all APRA-regulated entities: customer enquiries, and the systems and infrastructure needed to support critical operations.
- Board approval is no longer required for each critical operation of an APRA regulated entity.
- In the event of an unacceptable disruption to a critical operation, an APRA-regulated entity must notify APRA as soon as possible and no later than 24 hours after the disruption.
- The comprehensive service provider management policy:
  - no longer needs to include a register of the entity's material service providers; and
  - must include the entity's approach to managing the risks associated with third parties on which its material service providers rely to deliver critical services to the APRA-regulated entity.
- Material arrangements are now defined as those on which the entity relies to undertake its critical operations or which expose the entity to material operational risk.
- Providers of the following services are now classified as material service providers (unless an APRA-regulated entity can justify otherwise):
  - For ADIs: credit assessment, funding and liquidity management, and mortgage brokerage.
  - For insurers (general, life and private health): underwriting, claims management, insurance brokerage and reinsurance.
  - For RSE licensees: fund administration, custody services, investment management, and arrangements with promoters and financial planners; and
  - For all APRA-regulated entities: risk management, core technology services and internal audit.
- APRA can now declare any service provider arrangement to be material (in addition to its existing ability to declare a service provider to be material). The requirement to conduct a tender process for material arrangements has been removed, but an appropriate selection process and an assessment of the service provider's ability to provide the service on an ongoing basis are still required.
- APRA regulated entities are no longer required to take reasonable steps to assess whether a service provider is systemically important in Australia when entering into or amending a material arrangement.
- In addition to the enhanced contractual content requirements that appeared in the draft version of CPS 230, contracts for all material arrangements must now require the service provider to notify the APRA-regulated entity of its use of other material service providers, whether through subcontracting or other arrangements.
- The internal audit function of an APRA-regulated entity must review any proposed material arrangement involving the outsourcing of a critical operation. The internal audit function must also report regularly to the board on compliance with the key obligations under the entity's service provider management policy.
Key Takeaways for APRA Regulated Entities
Boards and senior management of APRA-regulated entities must clearly understand, and be willing to reassess, review and improve, the entity's operational risk framework. Although APRA has extended the compliance deadline, given the number of new requirements and their impact across organizations, APRA-regulated entities should take the following steps now:
- Identify the APRA-regulated entity's critical operations, material service providers (both external and internal) and material arrangements.
- Review external and internal service provider arrangements to ensure compliance with the enhanced contractual content requirements of CPS 230, and document any undocumented internal service provider arrangements by the relevant commencement date.
- Conduct a review of all existing operational risk and business continuity policies and procedures to ensure compliance with CPS 230.
- Identify weaknesses in existing operational risk frameworks and implement more comprehensive compliance efforts where necessary.
- Train board members, the risk management team and other stakeholders so that each party fully understands its roles and responsibilities in adopting and implementing the new standard.
- Document and implement new policies, procedures, charters and protocols to ensure compliance with CPS 230, including those relating to the required service provider management policy and the required board and senior management roles and reporting.
- Review the draft CPG 230 guidance and consider providing feedback to APRA by the October 13, 2023 consultation deadline.