On 17 July 2023, the Australian Prudential Regulation Authority (APRA) confirmed the final parameters of the cross-industry prudential standard CPS 230 – Operational Risk Management (CPS 230). CPS 230 aims to strengthen operational risk management in the banking, insurance, and superannuation industries. It will consolidate and strengthen the existing CPS/SPS 231 Outsourcing and CPS/SPS 232 Business Continuity Management standards and operate alongside the existing CPS 234 Information Security prudential standard. Together, CPS 230 and CPS 234 will form a stronger resilience framework, with implications for regulated entities such as banks, insurers, and superannuation funds, as well as for their core and other material technology service providers.
Why the change?
APRA has identified weaknesses within regulated entities and CPS 230 is intended to rectify these key issues. These include:
- Entities have ineffective internal controls – Failures within internal systems have left entities susceptible to poor operational performance and to risks such as improper recording of accounting transactions or, in worst-case scenarios, fraud. These types of issues may result in legal action.
- Entities are vulnerable to business disruptions – Cyber threats will often halt business operations. It is crucial to create a system that is resilient. Across the financial services sector, clients expect services to be accessible 24/7.
- Entities over-rely on third-party service providers – Within the industry there is a strong reliance on third-party providers to support internal operations. This reliance has been found to affect the level of service that entities provide to their clients: there is a complicated chain of reliance on third parties to help carry out material services, and a failure anywhere in that chain affects the service that regulated financial service providers deliver to their clients.
What are the new requirements?
In response to the issues identified above, CPS 230 establishes a higher benchmark for regulated entities. Along with this, APRA has highlighted the importance of having a robust and effective cyber security management system. Together, these two considerations ensure that entities protect themselves and their customers against the weaknesses identified above as well as against cyber threats.
The new model requires regulated entities to adopt a risk-based approach. This should include:
- Creating a strong internal operational risk management system – This needs to be at the forefront of entities’ decision making. Internal measures must be in place that can identify, assess and mitigate internal operational and cyber risks. APRA has specifically called out emerging technologies as requiring particular risk management focus. Enhanced risk management obligations on regulated entities may flow through to their expectations of material service providers, including in areas such as risk control testing and inspections.
- The ability for an entity to maintain critical operations despite interruptions – Regulated entities must establish tolerance levels for disruption (by reference to time, data loss and service levels) for each critical operation. Critical operations constitute any processes undertaken by a regulated entity which, if disrupted beyond tolerance levels, would have a material adverse impact on customers or the regulated entity’s role in the financial system. Disruptions to critical operations outside tolerance must trigger the implementation of the regulated entity’s business continuity plan (BCP), which must satisfy certain requirements and address service provider processes. Material service providers are likely to find additional focus on their BCPs, which often underpin the plans of regulated entities.
- Expressly extending risk management to material service providers – A comprehensive risk assessment should be undertaken before entering into arrangements with a material service provider. This ensures that where entities rely on outsourcing for critical operations, they are protected from external risks.
What are the implications for a regulated entity and its material service providers?
A material service provider is a service provider (whether a third party, related party or connected entity) which a regulated entity relies on (through a single or multiple arrangements) to undertake critical operations or that may expose them to material operational risk. The shift in CPS 230 to regulating arrangements with material service providers means it has a broader reach than the current requirements, which focus on outsourcing of material business activities.
Core technology service providers are deemed to be material service providers for all APRA-regulated entities, and providers of certain specified types of services (together with any that APRA may classify as material in future) are deemed material service providers. Regulated entities have the onus of determining any other service providers that are ‘material’. Vendors of key software applications, core customer data hosting providers and consultants on high-risk technology projects may all constitute material service providers, depending on the circumstances. These providers may be indirectly affected by the enhanced requirements imposed on regulated entities under CPS 230.
Key enhancements include:
- additional requirements for agreements between regulated entities and material service providers;
- obligations to notify APRA about material service provider arrangements; and
- reach-through visibility to ‘fourth parties’ (i.e. service providers or subcontractors used by material service providers to provide services to regulated entities),
as further described in the table below.
The table is organised by obligation, with the position of each of the three parties (regulated entity, material service provider and APRA) set out in turn.

MATERIAL SERVICE PROVIDER AGREEMENTS
Regulated entity: A formal legally binding agreement must be in place between a regulated entity and each material service provider, which amongst other things:
Regulated entities should consider identifying agreements with material service providers that are coming up for renewal well in advance, in order to allow time to negotiate compliant provisions, including a right to require variations where directed by APRA.
Material service provider: Providers should consider drafting template provisions that allow regulated entities to comply with CPS 230 while managing service provider risk. Providers should review templates to ensure they cover all required items.
APRA: APRA has the right to require a regulated entity to review agreements with material service providers and to make changes where APRA identifies heightened prudential concerns.

NOTIFICATION OF USE OF MATERIAL SERVICE PROVIDER
Regulated entity: Along with a formal contract, the APRA-regulated entity must identify and maintain a register of material service providers, and submit that register to APRA annually. The regulated entity must also notify APRA:
Regulated entities should put in place internal procedures to ensure notification is given in a timely fashion, and undertake inquiries with existing material service providers as to any potentially material offshoring of services, data or personnel.
Material service provider: Providers should be aware that they may be subject to closer scrutiny from APRA, particularly in combination with the APRA access and on-site visit rights they will be required to agree to in their contracts with regulated entities. Providers should identify aspects of their service provision or data hosting (including via subcontractors) which occur outside Australia, including individual personnel who may permanently or temporarily be located overseas (for example, working remotely while on holiday).
APRA: APRA can be expected to conduct industry-wide monitoring and to take particular note where it identifies extensive reliance on a specific provider.

'FOURTH PARTY' MANAGEMENT
Regulated entity: Regulated entities must maintain a material service provider management policy, which amongst other things must set out the regulated entity's approach to managing risks associated with 'fourth parties' that material service providers rely on to deliver any critical operations.
Regulated entities should start drafting (or improving) a service provider management policy and undertaking inquiries with existing material service providers as to their 'fourth party' providers.
Material service provider: Providers should be prepared to agree to (and comply with) contractual obligations to notify the regulated entity of the 'fourth party' (e.g. subcontracted) service providers that they materially rely on to provide the services. Providers should be prepared to agree to take on liability for any failure on the part of their own service providers, and may wish to consider preparing acceptable drafting. Providers should also consider proactively undertaking an audit of their service providers to identify those that may be considered material, and ensuring that they are appropriately indemnified by those 'fourth parties' against exposure to regulated entities.
APRA: APRA will supervise overall supply chain risk for regulated entities.
The expected timeline calls for CPS 230 to come into effect for all APRA-regulated entities from 1 July 2025. For entities that fall under the category of ‘material service providers’, the requirements in the standard will apply from either the next contract renewal date or 1 July 2026, whichever is earlier.
To allow for a smooth transition to CPS 230 compliance, APRA recommends that entities start developing a plan to implement the contractual changes necessary to meet the incoming requirements now. If you are concerned about how to comply with and implement CPS 230 requirements, please feel free to contact a member of our team.
This article was written by Luke Dale, Partner, Nikki Macor Heath, Special Counsel and Carmen Marino, Law Clerk.