CPS 230 | Consultation on strengthening operational risk management begins

15.08.2022 Martin Wright, Richard Batten, Amanda Khoo, Mikaela Wan

APRA has proposed a new prudential standard CPS 230, which aims to strengthen operational risk controls and monitoring, business continuity planning and the management of third-party service providers. We explore the new framework and what it means for service providers.


Key takeouts


  • APRA has released a new prudential standard for operational risk management for public comment.
  • The proposed CPS 230 will replace existing outsourcing and business continuity standards.
  • The proposed new framework will be implemented from 1 January 2024, with Prudential Standard CPS 234 Information Security (CPS 234) continuing to operate alongside CPS 230.

As part of APRA’s multi-year project to modernise the prudential architecture, APRA is consulting on a new prudential standard for operational risk management that will apply to all APRA-regulated entities. The proposed new Prudential Standard CPS 230 Operational Risk Management (CPS 230) aims to strengthen operational risk controls and monitoring, business continuity planning and the management of third-party service providers while minimising the impact of disruptions to customers and the financial system. In developing draft CPS 230, APRA has adopted a principles-based approach with a focus on outcomes rather than process, allowing entities to adopt their own approach in complying with the standard.

The proposed CPS 230 is set to replace the following five existing standards:

  1. Prudential Standard CPS 231 Outsourcing (CPS 231);
  2. Prudential Standard CPS 232 Business Continuity Management (CPS 232);
  3. Prudential Standard SPS 231 Outsourcing (SPS 231);
  4. Prudential Standard SPS 232 Business Continuity Management (SPS 232); and
  5. Prudential Standard HPS 231 Outsourcing (HPS 231).

The proposed new framework will see the above five standards replaced from 31 December 2023. CPS 230 will be implemented from 1 January 2024, with Prudential Standard CPS 234 Information Security (CPS 234) continuing to apply alongside CPS 230.

Rationale for the new framework

Following the increase in operational risk events and failures in recent years, APRA has observed the following three key challenges in managing operational risks:

  • Control failures – ineffective controls have resulted in operational risk events.
  • Low tolerance for disruptions – the importance of core financial services in everyday life means customers have a low tolerance for disruptions to these services, and expect them to always be available.
  • Increasing reliance on service providers – APRA-regulated entities are increasingly relying on external providers for both in-house services and new services and capabilities to expand their product offerings.

In light of these trends, the proposed CPS 230 seeks to introduce enhanced requirements that are intended to improve operational resilience, i.e. the ability to effectively manage and control operational risks and maintain critical operations through disruptions.

Differences between the proposed CPS 230 and CPS 231

In general, the proposed CPS 230 is less prescriptive than CPS 231, reflecting a shift towards a more outcome-focussed approach.

Key changes proposed in CPS 230 include:

  • needing to have a register of material service providers;
  • notifying APRA within 24 hours if the business continuity plan is activated;
  • notifying APRA within 72 hours after becoming aware of an operational incident; and
  • changes to the mandatory requirements for outsourcing agreements.

Below we set out the differences between key elements of the proposed CPS 230 and the current CPS 231 obligations in more detail.

Policies

CPS 231

A group outsourcing policy must be maintained that includes a strategy for outsourcing of material business activities that applies to all members of the group.

Draft CPS 230

A service provider management policy must be maintained that sets out how the APRA-regulated entity identifies material service providers and manages arrangements with each provider.


Notifications to APRA

CPS 231

  • APRA-regulated entities must notify APRA as soon as possible and no later than 20 business days after entering into an outsourcing agreement
  • APRA-regulated entities must consult with APRA prior to entering into any offshore arrangements involving a material business activity
  • Where an outsourcing agreement is terminated, an APRA-regulated entity must notify APRA as soon as practicable and provide a statement about transition arrangements and future strategies for carrying out the outsourced material business activity
  • APRA-regulated entities must notify APRA as soon as possible of any new outsourcing agreement that it enters into as a result of invoking its business continuity plan (BCP) or a sudden financial or operational failure of an existing service provider

Draft CPS 230

  • A register of material service providers must be provided to APRA on an annual basis
  • APRA-regulated entities must notify APRA as soon as possible, no later than 20 business days after entering into or materially changing an agreement for the provision of a service on which the entity relies to undertake a critical operation
  • APRA-regulated entities must notify APRA as soon as possible, within 72 hours after becoming aware of an operational incident that it determines likely to have a material financial impact or a material impact on the ability of the entity to maintain its critical operations
  • APRA-regulated entities must notify APRA as soon as possible, within 24 hours, if it has activated its BCP
  • APRA-regulated entities must notify APRA prior to entering into any offshoring agreement with a material service provider, or when there is a significant change proposed to the agreement. This includes in circumstances where data or personnel relevant to the service being provided will be located offshore

Assessment of service providers

CPS 231

The APRA-regulated entity must be able to demonstrate to APRA that the third party service provider has:

  • a business case for outsourcing
  • undertaken a tender or selection process to select that particular service provider
  • undertaken a due diligence review of the selected service provider (including assessing the service provider's ability to provide the business activity on an ongoing basis)
  • involved the Board, Committee or senior management in approving the agreement
  • established procedures to continually monitor performance
  • addressed the renewal process for outsourcing agreements and how it will be implemented
  • developed contingency plans

The APRA-regulated entity must demonstrate to APRA that it has taken into account:

  • changes in its risk profile arising from outsourcing, and how these are addressed in its risk management framework
  • a related body corporate's ability to conduct the business activity
  • required monitoring procedures to ensure performance and how inadequacies can be addressed
  • contingency issues

Draft CPS 230

No specific requirement to demonstrate anything to APRA.

The APRA-regulated entity must:

  • undertake due diligence of the service provider
  • have an appropriate tender and selection process, including an assessment of the ability of the service provider to provide the service on an ongoing basis
  • assess financial and non-financial risk from reliance on a particular provider. This includes risk associated with the geographic location or concentration of the service providers, or of the parties the service provider relies upon in providing the service
  • take reasonable steps to assess whether the provider is systemically important in Australia

Outsourcing agreements

CPS 231

A formal, legally binding agreement must be signed for all outsourcing arrangements and must include clauses regarding:

  • scope
  • commencement and dates
  • review provisions
  • pricing and fee structures
  • service levels and performance requirements
  • the form in which data is to be kept and clear provisions identifying ownership and control of data
  • reporting requirements
  • audit and monitoring procedures
  • business continuity management
  • confidentiality, privacy and security of information
  • default arrangements and termination provisions
  • dispute resolution arrangements
  • liability and indemnity
  • sub-contracting
  • insurance
  • offshoring arrangements (to the extent applicable)

Draft CPS 230

A formal, legally binding agreement must be signed for material service provider arrangements and must, at a minimum:

  • specify services covered and associated service levels
  • set out rights, responsibilities and expectations of each party – including in relation to the ownership of assets, ownership and control of data, dispute resolution, audit access, liability and indemnity
  • include provisions to ensure the ability of the entity to meet its legal and compliance obligations
  • require notification by the service provider of its use of other material service providers, through sub-contracting or other arrangements
  • require the liability of any failure on the part of any sub-contractor to be the responsibility of the service provider
  • include a force majeure provision indicating that those parts of the contracts will continue in the case of a force majeure event
  • include termination provisions, including the right to terminate the agreement in its entirety or in parts

APRA access to service providers

CPS 231

APRA must be able to access outsourcing documents and information as required. APRA must be able to conduct on-site visits.

Draft CPS 230

APRA must be able to access outsourcing documents and information as required. APRA must be able to conduct on-site visits.

Service providers

The proposed CPS 230 largely focuses on operational risks associated with material service providers. A material service provider is one that an entity relies on to undertake a critical operation, or that exposes the entity to material operational risk. The discussion paper for the proposed CPS 230 includes a list of the types of services that would be classified as material for the banking, insurance and superannuation sectors. Services supporting critical operations, risk management, core technology services and internal audit have been flagged as material across all of these sectors.

New products and activities

The proposed CPS 230 requires an APRA-regulated entity to assess the impact of new products, services, geographies and technologies on its operational risk profile as part of operational risk management.

The discussion paper for the proposed standard uses crypto-assets as an example of an emerging area where regulated entities will need to have prudent processes and controls. It emphasises the importance of operational risk management around fraud, cyber, conduct, AML/CTF and technology risks when dealing with crypto-assets. In particular, APRA has outlined its expectation that all regulated entities will conduct appropriate due diligence and a comprehensive risk assessment before engaging in activities associated with crypto-assets, and apply robust risk management controls.

APRA's focus on crypto-assets reflects broader regulatory trends, including recent reform proposals in relation to crypto assets. (For more information, view our submission in response to the Treasury's consultation on a licensing and custody regime for crypto asset secondary service providers.) APRA is separately considering the appropriate prudential framework for crypto-assets in Australia in conjunction with this reform.

Business Continuity Management

The proposed new standard incorporates and updates requirements for business continuity management that are currently set out in CPS 232 and SPS 232.

The proposed CPS 230 requires APRA-regulated entities to clearly identify their critical operations, set tolerances to define levels of disruption that would be unacceptable, and maintain credible plans to respond to and recover from incidents and events.

The concept of critical operations in draft CPS 230 is similar to the existing concept of ‘critical business operations’ in the current CPS 232, but with a definition now more focused on outcomes and the key stakeholders of the entity, rather than the entity itself. The proposed CPS 230 defines critical operations as "processes undertaken by an APRA-regulated entity or its service provider which, if disrupted beyond tolerance levels, would have a material adverse impact on its depositors, policyholders, beneficiaries or other customers, or its role in the financial system". The draft standard specifies that critical operations include, but are not limited to, payments, deposit-taking and management, custody, settlements, clearing, claims processing, investment management, fund administration, customer enquiries and the systems and infrastructure needed to support these operations.

Under the proposed standard, APRA-regulated entities are required to set Board-approved tolerance levels for each of their critical operations, being:

  • the maximum period of time the entity would tolerate a disruption to the operation;
  • the maximum extent of data loss the entity would accept as a result of a disruption; and
  • minimum service levels the entity would maintain while operating under alternative arrangements during a disruption.

The proposed CPS 230 is consistent with requirements to maintain a business continuity plan (BCP) under the existing CPS 232 and SPS 232. The draft standard sets out matters that an entity's BCP must include, being:

  • the register of critical operations and associated tolerance levels;
  • triggers to identify a disruption and prompt activation of the plan, and arrangements to direct resources in the event of activation;
  • actions it would take to maintain its critical operations within tolerance levels through disruptions;
  • an assessment of the execution risks, required resources, preparatory measures, including key internal and external dependencies needed to support the effective implementation of the BCP actions; and
  • a communications strategy to support execution of the plan.

Importantly, under the proposed CPS 230 an APRA-regulated entity is required to submit its BCP to APRA on an annual basis and to notify APRA as soon as possible, and no later than 24 hours after it has activated its BCP.

Next steps

Submissions on APRA's CPS 230 Discussion Paper close on 21 October 2022.

Importantly, once the standard becomes operational, it will apply immediately in relation to the renewal of an arrangement with a material service provider (including related entities).

In preparation for these changes, organisations should consider what uplifts may be required to their existing policies, procedures and processes, as well as to their contracts with entities in their supply chain. Unlike some other regulatory change programs, organisations will need to approach this with a strategic and systems lens that enables them to navigate an ever more complex and disruptive environment. Existing policies, procedures and processes will need to speak to each other under a consistent framework which, for many organisations, will require design and uplift. It is important for organisations to clearly define and articulate the desired outcomes before commencing any uplift initiatives. Implementation of the proposed CPS 230 is likely to be a significant project for affected organisations and will require a significant investment of time and resources.


Links to key material

Discussion Paper - Strengthening operational risk management (apra.gov.au)


MinterEllison provides full service IT legal and consultancy services with extensive experience in cyber security, privacy, data protection and software and IT service procurement. Please contact us if you would like assistance in understanding and implementing your obligations under the new security of critical infrastructure laws.

https://www.minterellison.com/articles/cps-230-consultation-on-strengthening-operational-risk-management