- Relevant for APRA-regulated banks, life and general insurers, superannuation trustees, and health insurers, APRA has released a proposed operational risk prudential standard, CPS 230 Operational Risk Management (CPS 230), for consultation. CPS 230 will replace current outsourcing and business continuity management prudential standards.
- CPS 230 is designed to modernise requirements in relation to risk management frameworks, business continuity and ‘material service providers’ of APRA-regulated entities, and to do this in a way which is easy to understand and navigate.
- APRA considers fraud, cyber, conduct, AML/CTF and technology to be important areas of operational risk.
- Under CPS 230, an entity would be required to maintain and give a register of its ‘material service providers’ to APRA annually.
On 28 July 2022, APRA released a consultation package on a new prudential standard for the management of operational risk in the banking, insurance and superannuation sectors: CPS 230. CPS 230 is intended to replace the existing prudential standards relating to Outsourcing (CPS 231, SPS 231 and HPS 231) and Business Continuity Management (CPS 232 and SPS 232).
These changes to the prudential regulatory framework arose from APRA’s observation of what it considered to be examples of operational risk failures. They are part of APRA’s initiative to modernise the prudential architecture, a program seeking to ensure that APRA’s prudential rules are easy to understand and navigate. Those familiar with, for example, the current CPS 231 Outsourcing (CPS 231), will notice a ‘Key principles’ section in CPS 230 which is not found in CPS 231.
APRA is intending to issue guidance on CPS 230 during 2023 and for CPS 230 to apply from 1 January 2024.
The new prudential standard: CPS 230
In its consultation, APRA states that it has observed the following three key themes with operational risk issues:
- Control failures – a number of operational risk events have occurred due to ineffective controls.
- Low tolerance for disruptions – disruptions to business operations have the potential to impact real-time transactions. However, there is an expectation that services will always be available.
- Increasing reliance on service providers – entities are increasingly reliant on the use of service providers to support business operations. Issues with service providers can impact on availability and level of service with implications to the broader financial system.
CPS 230 is designed to address these issues. APRA says CPS 230 is aimed to ensure that APRA-regulated entities ‘[i]mprove operational risk practices through enhanced focus of Boards and senior management’ and ‘[minimise] the impact of disruptions to customers and the financial system’. The key features of CPS 230 are noted to be requiring entities to:
- manage operational risk with effective internal controls, monitoring and remediation;
- respond to disruptions and maintain continuity of critical operations; and
- understand and manage risks from use of service providers.
Risk management framework
CPS 230 retains the requirement for entities to develop and maintain a risk management framework as in current CPS 220 and SPS 220. As part of the risk management framework review currently required in CPS 220 and SPS 220, CPS 230 also provides that that these reviews must cover aspects of operational risk management and that operational risk management is integrated within the overall risk management framework and processes.
If APRA considers that an entity’s operational risk management has material weaknesses, CPS 230 foreshadows that APRA may require the entity to conduct an independent review, develop a remediation program, and other actions required in the supervision of the prudential standard.
Role of the Board
CPS 230 reinforces the responsibility that the Board has over the entity’s risk management framework. The new prudential standard focuses on the Board’s responsibility to oversee operational risk, ensuring that Board members are involved with the business continuity plan through overseeing results of testing and execution of any findings, as well as having oversight of material service provider arrangements.
Operational risk management
The proposed prudential standard includes a requirement for entities to assess the impact of new products on its operational risk profile. APRA has noted in its discussion paper that new products or changes that may materially alter the nature of the product offering will typically impact the entity’s operational risk profile and subsequently may require changes to the entity’s controls and risk management processes.
In particular, APRA has identified crypto-assets as an operational risk where entities will need to have prudent processes and controls. APRA has also noted it is currently considering the appropriate prudential framework for crypto-assets in Australia and plans to consult on draft requirements for ADIs following the conclusion of the Basel Committee’s current consultation.
Under CPS 230, entities must maintain appropriate internal controls to detect and manage operational risks. This includes regular monitoring, reviewing and testing of the effectiveness of these controls and that any material findings must be remediated.
Unsurprisingly, the new prudential standard also requires entities to ensure that operational risk incidents are identified, escalated, recorded and addressed in a timely manner. There is a requirement for the entity to notify APRA within 72 hours after becoming aware of an operational risk incident that an entity deems to be likely to be material.
Similar to the existing framework, CPS 230 requires all entities to have an appropriate business continuity plan (BCP).
The concept of ‘critical operations’ is key to CPS 230. This is similar to the ‘critical business operations’ referred to in CPS 232. However, ‘critical operations’ includes not just the activities and process undertaken by an entity that will have a material impact on the entity itself, but also on the depositors, policyholders, fund members, other customers and its role in the financial system.
The table below provides the steps required by entities under CPS 230.
| Business Continuity Steps – Draft CPS 230|
Step 1: Identify ‘critical operations’
Critical operations are proposed to be defined as activities and processes undertaken that have a material impact on stakeholders including its role in the financial system.
Proposed CPS 230.35 says that ‘critical operations’ include:
- deposit-taking and management;
- claims processing;
- investment management;
- fund administration;
- customer enquiries; and
- systems and infrastructure needed to support the above operations.
Step 2: Set tolerance levels for ‘critical operations’
The proposed prudential standard requires entities to set tolerance levels for each of their identified critical operations. These tolerance levels are required to be approved by the Board.
CPS 230 requires that, for each critical operation, the Board must approve tolerance levels to be set for the maximum period of time the entity would tolerate a disruption, maximum amount of data loss that the entity would accept, and the minimum service levels the entity would maintain while operating under alternative arrangements during a disruption.
Step 3: Testing and review
The testing and review requirements are similar to the existing framework. However, CPS 230 includes a requirement for the testing to be tailored to the material risks of the entity and include a range of severe but plausible scenarios where the contingency arrangement may be required. APRA may also require the entity to conduct a ‘business continuity exercise’ where they APRA are able to include an ‘APRA-determined’ scenario.
Material service providers
CPS 230 contains similar requirements to the current framework in relation to outsourcing. However, CPS 230 applies in relation to ‘material service provider’ and ‘service provider agreements’ instead. APRA is proposing to define a ‘material service provider’ as any service provider that an entity relies on to undertake a critical operation or that it could expose it to material operational risk. Particular service providers are proposed to deemed as a ‘material service provider’ similar to the current framework which deems specific functions to be ‘material business activities’. Examples of deemed service providers include risk management, core technology services, internal audit, fund administration, custodial services and mortgage brokerage.
APRA has also identified the risk of ‘fourth party’ service providers. These are ‘[a] party that a service provider relies on in delivering services to an APRA-regulated entity’. With the proposed framework, an entity will be required to set out its approach in managing risks associated with the material services that it relies on the fourth party to undertake.
Under the proposed framework, an entity would be required to maintain and provide APRA with a register of its material service providers annually.
The proposed CPS 230 also includes similar requirements to these that are under the current outsourcing framework including:
- Notifying APRA when entering into or materially changing a material service provider agreement as soon as possible and within 20 business day,
- Notifying APRA before entering or materially changing any offshoring agreement with a material service provide including in circumstances where data or personnel relevant to the service being provided will be located offshore.
What happens next?
APRA is seeking feedback and accepting submissions on CPS 230 until 21 October 2022. Following this feedback, APRA is aiming to finalise the standard in early 2023 with guidance for consultation. CPS 230 is anticipated to come into effect on 1 January 2024.
This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.