APRA CPS 230: Implications for financial entities and their technology service providers

28 September 2023

On 17 July 2023, the Australian Prudential Standard Authority (APRA) confirmed the final parameters of the cross-industry prudential standard CPS 230 – Operational Risk Management (CPS 230). CPS 230 aims to strengthen operational risk management in the banking, insurance, and superannuation industries. It will consolidate and strengthen existing CPS/SPS 231 Outsourcing and CPS/SPS 232 Business Continuity Management and operate alongside the existing CPS 234 Information Security Prudential Standard. Together these two standards will form a stronger resilience framework, with implications for regulated entities such as banks, insurers, and superannuation funds, as well as their core and other material technology service providers.

Why the change?

APRA has identified weaknesses within regulated entities and CPS 230 is intended to rectify these key issues. These include:

  • Entities have ineffective internal controls – Failures within internal systems have left entities susceptible to poor operational performance and risks such as, improper recording of accounting transactions or in worse case scenarios fraud. These types of issues often may result in legal action.
  • Entities are vulnerable to business disruptions – Cyber threats will often halt business operation. It is crucial to create a system that is resilient. Across the financial services sector it is a client expectation that services are accessible 24/7.
  • Entities over rely on third party service providers – Within the industry there is a strong reliance on third party providers to support internal operations. This reliance has been found to impact the level of service being provided by these entities to their clients. As there is a complicated chain of reliance on third parties to help carry out material services and thus, impacts the service provided by regulated financial service providers to their clients.

What are the new requirements?

In response to the identified issues above, CPS 230 establishes a higher benchmark for regulated entities. Along with this APRA has highlighted the importance of having a robust and effective cyber security management system. These two considerations ensure entities are protecting themselves and their customers against the weaknesses identified above as well as cyber threats.

The new model requires regulated entities to adopt a risk-based approach. This should include:

  • Creating a strong internal operational risk management system – This needs to be at the forefront of entities’ decision making. Internal measures must be in place that can identify, assess and mitigate internal operational and cyber risks. APRA has specifically called out emerging technologies as requiring particular risk management focus. Enhanced risk management obligations on regulated entities may flow through to their expectations of material service providers, including in areas such as risk control testing and inspections.
  • The ability for an entity to maintain critical operations despite interruptions – Regulated entities must establish tolerance levels for disruption (by reference to time, data loss and service levels) for each critical operation. Critical operations constitute any processes undertaken by a regulated entity which, if disrupted beyond tolerance levels, would have a material adverse impact on customers or the regulated entity’s role in the financial system. Disruptions to critical operations outside tolerance must trigger the implementation of the regulated entity’s business continuity plan (BCP), which must satisfy certain requirements and address service provider processes. Material service providers are likely to find additional focus on their BCPs, which often underpin the plans of regulated entities.
  • Expressly extend risk management to material service providers – A comprehensive risk assessment should be undertaken before entering into arrangements with a material service provider. This will ensure that where entities are relying on outsourcing for critical operations they are protected from external risks.

What are the implications for a regulated entity and its material service providers?

A material service provider is a service provider (whether a third party, related party or connected entity) which a regulated entity relies on (through a single or multiple arrangements) to undertake critical operations or that may expose them to material operational risk. The shift in CPS 230 to regulating arrangements with material service providers means it has a broader reach than the current requirements, which focus on outsourcing of material business activities.

Core technology service providers are deemed to be material service providers for all APRA-regulated entities, and providers of certain specified types of services (together with any that APRA may classify as material in future) are deemed material service providers. Regulated entities have the onus of determining any other service providers that are ‘material’. Vendors of key software applications, core customer data hosting providers and consultants on high-risk technology projects may all constitute material service providers, depending on the circumstances. These providers may be indirectly affected by the enhanced requirements imposed on regulated entities under CPS 230.

Key enhancements include:

  • additional requirements for agreements between regulated entities and material service providers;
  • obligations to notify APRA about material service provider arrangements; and
  • reach-through visibility to ‘fourth parties‘ (ie services providers or subcontractors used by material service providers to provide services to regulated entities),

as further described in the table below.

Regulated EntityMaterial Service ProviderAPRA
A formal legally binding agreement must be in place between a regulated entity and each material service provider, which amongst other things:

  • sets out the specific services and associated service levels;

  • covers off ownership of assets, ownership and control of data, dispute resolution, audit access, APRA access and on-site visits, liability and indemnity;

  • includes a force majeure provision that indicates what part of the contract would continue in the case of a force majeure event; and

  • includes termination provisions including the right to terminate in whole or in part (and for superannuation entities, where inconsistent with their duty to act in the best interest of beneficiaries).

Regulated entities should consider identifying agreements with material service providers that are coming up for renewal well in advance in order to allow time to negotiate compliant provisions, including a right to require variations where directed by APRA.
Providers should be prepared to agree to force majeure, access, termination, and variation provisions that enable the regulated entity to comply with CPS 230 and APRA's rights to require the termination of or changes to agreements.

Providers should consider drafting template provisions that allow regulated entities to comply with CPS 230 while managing service provider risk.

Providers should review templates to ensure they cover all required items.
APRA has the right to require a regulated entity to review agreements with material service providers and to make changes where APRA identifies heightened prudential concerns.

Along with a formal contract the APRA regulated entity must identify and maintain a register of material service providers, and submit that register to APRA annually.

The regulated entity must also notify APRA:

  • within 20 business days after entering into or materially changing an agreement relied on to undertake a critical operation; and

  • before entering into, or when there is a significant change to, a material offshoring arrangement (ie where the service is undertaken outside Australia), including where data or personnel relevant to the service will be located offshore.

Regulated entities should put in place internal procedures to ensure notification is given in a timely fashion and undertake inquiries with existing material service providers as to any potentially material offshoring of services, data or personnel.
Providers should be aware that they may be subject to closer scrutiny from APRA, particularly in combination with the APRA access and on-site visit rights they will be required to agree to in their contracts with regulated entities.

Providers should identify aspects of their service provision or data hosting (including via subcontractors) which occur outside Australia, including individual personnel who may permanently or temporarily be located overseas (including for example working remotely while on holiday).
APRA can be expected to conduct industry wide monitoring and to take particular note where it identifies extensive reliance on a specific provider.
Regulated entities must maintain a material service provider management policy, which amongst other things must set out the regulated entity's approach to managing risks associated with 'fourth parties' that material service providers rely on to deliver any critical operations.

Regulated entities should start drafting (or improving) a service provider management policy and undertaking inquiries with existing material service providers as to their 'fourth party' providers.
Providers should be prepared to agree to (and comply with) contractual obligations to notify the regulated entity of its 'fourth party' (eg subcontracted) service providers that it materially relies on to provide the services.

Providers should be prepared to agree to take on liability for any failure on the part of its service providers, and may wish to consider preparing acceptable drafting.

Providers should consider proactively undertaking an audit of their service providers to identify those that may be considered material and ensuring that they are appropriately indemnified by those 'fourth parties' against exposure to regulated entities.
APRA will supervise overall supply chain risk for regulated entities.

What now?

The expected timeline calls for CPS 230 to come into effect for all APRA regulated entities from 1 July 2025. For entities that fall under the category of ‘material service providers’, the requirements in the standard will apply from either the next contract renewal date or by the latest 1 July 2026.

To allow for a smooth transition to CPS 230 compliance, APRA recommends that entities start developing a plan to implement the contractual changes necessary to meet the incoming requirements now. If you are concerned about how to comply with and implement CPS 230 requirements, please feel free to contact a member of our team.

This article was written by Luke Dale, Partner, Nikki Macor Heath, Special Counsel and Carmen Marino, Law Clerk.

Nikki Macor Heath

Special Counsel | Adelaide

Subscribe to HWL Ebsworth Publications and Events

HWL Ebsworth regularly publishes articles and newsletters to keep our clients up to date on the latest legal developments and what this means for your business.

To receive these updates via email, please complete the subscription form and indicate which areas of law you would like to receive information on.

Contact us