Following recent operational risk control failures and disruptions, including material cyber breaches, the Australian Prudential Regulation Authority (APRA) has released its Prudential Standard CPS 230.
After 12 months of consultation, APRA released the final CPS 230 on 17 July 2023 to address ineffective controls within APRA-regulated entities, low tolerance for disruptions and increasing reliance by regulated entities on service providers. It will replace five current APRA standards on outsourcing and business continuity management.
APRA-regulated entities including banks, insurers and superannuation funds are required to (1) develop and maintain risk management frameworks, (2) enhance Board governance, accountability and oversight, (3) assess and control operational risks, (4) improve business continuity management and (5) uplift arrangements with service providers.
CPS 230 will come into force on 1 July 2025. Where there are pre-existing contractual arrangements between an APRA-regulated entity and its service providers, CPS 230 will apply from the earlier of the next renewal date or 1 July 2026. Flow-down obligations will also need to be placed on relevant service providers.
APRA has also released a Draft Prudential Practice Guide (Draft Guide) to assist entities with the implementation of CPS 230, which is open for public consultation until 13 October 2023.
Key CPS 230 requirements
1. Develop and maintain risk management frameworks
CPS 230 requires an APRA-regulated entity to develop and maintain a risk management framework to manage and protect against operational risks and business disruptions. This will involve:
- integrating operational risk management into the overall risk management framework and processes;
- developing a remediation program and obtaining an independent review where APRA finds a material weakness in the risk management framework; and
- reviewing the risk management framework, which should include:
  - governance arrangements for operational risk oversight;
  - assessment of the operational risk profile;
  - effective internal controls for managing operational risks;
  - appropriate monitoring, analysis and reporting of operational risks;
  - escalation processes for operational incidents and events;
  - business continuity plans; and
  - processes for the management of service provider arrangements.
2. Enhance board governance, accountability and oversight
CPS 230 imposes specific roles and responsibilities on an APRA-regulated entity’s board. These include approving the entity’s business continuity plan and tolerance levels for disruptions to critical operations and reviewing risk and performance reporting on material service providers.
To meet its obligations, the board of directors of an APRA-regulated entity is expected to:
- consider legal, regulatory, technology, data and change management risks, including those relating to cyberattacks and data breaches;
- review and challenge regular updates to the entity’s operational risk profile provided by senior management;
- conduct deep dives into areas of significant weakness; and
- review information on operational risk to understand the entity’s operational resilience before making strategic decisions (particularly when entering into a merger or acquisition or implementing a new core technology platform).
3. Assess and control operational risks
CPS 230 requires an APRA-regulated entity to manage its operational risks by assessing the impact of business and strategic decisions on the entity’s operational risk profile and resilience, implementing operational risk controls, and identifying and responding to operational risk incidents. The Draft Guide further emphasises the heightened fraud, cyber, conduct, financial crime and technology risks associated with crypto-assets.
It is expected that APRA-regulated entities will need to:
- maintain information technology capabilities to meet business requirements and support critical operations;
- conduct a comprehensive assessment of the entity’s operational risk profile (including undertaking scenario analyses to test operational resilience);
- regularly monitor, review and test the effectiveness of operational risk controls; and
- notify APRA as soon as possible (and in any event no later than 72 hours) after becoming aware of a risk incident which is likely to have a material financial impact or a material impact on the entity’s ability to maintain its critical operations. This reporting obligation will not apply in respect of what APRA describes as ‘near misses’ (i.e. events that did not result in financial loss, but had the potential to do so).
4. Improve business continuity management
As part of business continuity management, CPS 230 requires an APRA-regulated entity to take reasonable steps to minimise the likelihood and impact of disruptions to its critical operations. It provides a non-exhaustive list of ‘critical operations’ which, if disrupted, could have a material adverse impact on an APRA-regulated entity’s depositors, policyholders, beneficiaries and customers, or its role in the financial system. These include payments, deposit-taking and management, investment management, claims processing and customer enquiries.
Flowing from this requirement, APRA-regulated entities will need to:
- identify the entity’s critical operations;
- for each critical operation, develop ‘tolerance levels’ covering the maximum time and data loss and the minimum service levels that the entity can tolerate during an operational disruption;
- consider the financial or reputational impact on the entity and on the broader financial system when setting tolerance levels;
- include in the business continuity plan a register of critical operations and their respective tolerance levels, together with descriptions of how to maintain operations through disruptions;
- ensure business continuity planning is consistent with, and does not conflict with or undermine, the entity’s financial contingency planning; and
- notify APRA as soon as possible (and in any event no later than 24 hours) after the entity has suffered a disruption to a critical operation outside tolerance.
5. Uplift arrangements with service providers
CPS 230 broadens APRA’s powers in overseeing contracts between an APRA-regulated entity and its downstream service providers.
CPS 231, which CPS 230 will replace, applies in respect of the ‘outsourcing’ of a ‘material business activity’. CPS 230 will expand APRA’s oversight by applying not only to outsourcing but to the entity’s agreements with all ‘material service providers’, i.e. those the entity relies upon to undertake a critical operation or those that expose the entity to a material operational risk. CPS 230 seeks to uplift requirements on service providers through increased due diligence and requirements for supplier contracts.
Further, CPS 230 introduces additional requirements to manage parties along an APRA-regulated entity’s supply chain, including any organisation engaged by third party material service providers to render services to an APRA-regulated entity (i.e. a ‘fourth-party service provider’). These include seeking assurance from service providers that they have the capability to manage material fourth parties.
APRA-regulated entities should therefore proactively audit their register of direct and indirect service providers and assess which of these providers could be classified as ‘material service providers’. APRA-regulated entities should then revisit their agreements with ‘material service providers’ to ensure compliance with the heightened CPS 230 requirements (which go beyond agreements for outsourcing of material business activities under current CPS 231).
Amongst other matters, consideration should be given to including provisions that address, where appropriate:
- the scope of services and associated service levels;
- the ability of an APRA-regulated entity to meet its legal and compliance obligations;
- notification by the service provider of its use of other service providers that it materially relies upon to provide service to an APRA-regulated entity; and
- a service provider not impeding APRA in fulfilling APRA’s duties.
Greater emphasis will also be placed on APRA-regulated entities to assess the financial and other risks of relying on a service provider, including risks arising from that provider’s reliance on fourth parties to provide services, and to implement appropriate risk minimisation safeguards.
While CPS 230 will only come into force in two years’ time, APRA-regulated entities should now be proactive in preparing to implement CPS 230 and not leave compliance until the last minute. Service providers that provide material services to APRA-regulated entities (or their service providers) should also expect such entities to require additional (and likely more stringent) terms in their service agreements.
We suggest that APRA-regulated entities refer to the Draft Guide which details APRA’s expectations in their implementation of CPS 230. Written submissions in response to the Draft Guide can be made up to 13 October 2023.
Notes:
- CPS 230 will replace CPS 231, HPS 231 and SPS 231 on outsourcing, and CPS 232 and SPS 232 on business continuity management. CPS 234 on information security will be retained.
- Material service providers include providers of core technology services, services supporting critical operations and internal audit services, and may be a third party, related party or connected entity of the APRA-regulated entity.
- Per APRA’s chairman, Mr John Lonsdale.