New standards for Operational Risk Management for APRA’s regulated businesses

The Australian Prudential Regulation Authority (APRA) is introducing some changes with far-reaching consequences. More stringent requirements, a broader definition of regulated businesses and heightened board responsibilities are on the agenda.

Under the new APRA prudential standard (CPS 230):

  1. Businesses that supply services to APRA regulated industries will have increased obligations that they need to comply with;
  2. More service providers will now be caught (and required to comply); and
  3. Regulated entities’ boards will now be ultimately accountable to APRA for compliance.

For roughly 5 years the Prudential Regulator (APRA) has had in place standards that applied to both APRA regulated entities and their service providers (CPS 231, 232 and 234). 

Recently APRA has done a deep dive on the existing framework, in particular looking at the supply chain of APRA regulated entities (banks, insurers etc).

The upshot of this review is that APRA have released a new standard, CPS 230 which will (over the next 2 years) replace and consolidate CPS 231 and 232 and their associated standards.

Material arrangements expanded

CPS 230 will expand the scope of CPS 231 to apply to all material service providers and material arrangements on which the entity relies to undertake a critical operation (being an operation that, if disrupted, would cause a material adverse impact) or that expose it to material operational risk (previously, CPS 231 applied only to a material business activity).

APRA have also flagged a number of critical business operations which include (but are not limited to):

  • for an ADI: payments, deposit-taking and management, custody, settlements and clearing;
  • for an insurer (general, life, private health): claims processing;
  • for an RSE licensee: investment management and fund administration; and
  • for all APRA-regulated entities: customer enquiries and the systems and infrastructure needed to support critical operations.

In addition to these expanded definitions, APRA has powers under CPS 230 to require that an entity classify an arrangement or service provider as material and bring it under the scope of the standard.

These amendments will bring a far broader range of service providers and arrangements, and in certain circumstances fourth party providers, within the scope of CPS 230.

New and adjusted obligations

As with CPS 231, the new standard will require that material arrangements address certain matters. While these have generally been consolidated in CPS 230, APRA regulated entities will be required to pass on many of the existing CPS 231 obligations to their providers, including two new requirements:

  • obligations on the service provider to notify the APRA regulated entity of any material fourth party providers; and
  • expansive termination provisions in favour of the regulated entity which must include partial and whole agreement termination rights.

Regulated entities must now also maintain comprehensive management policies and undertake specified due diligence to address and manage risks in their provider supply chains including reviewing the risks posed by any material reliance on fourth party providers.

What do businesses need to do?

Every regulated entity will need to implement these changes proactively, including by identifying their critical operations and material service providers by mid-2024. Businesses impacted by these changes should take full advantage of the transition period to keep their offerings ahead of the market.

Newly regulated businesses should begin work early to adapt to the new CPS 230 requirements including by:

  • Ensuring that current offerings enable regulated entities to meet their new compliance obligations, or can be adapted to do so, and provide sufficient risk management options relevant to the services;
  • Preparing to see the CPS 230 contractual requirements appear in the standard contracting of regulated entities; businesses will need to accommodate, among other obligations:
      ◦ enhanced and severable termination provisions;
      ◦ obligations to allow APRA to exercise its information gathering powers;
      ◦ extensive monitoring and audit rights; and
      ◦ obligations to pass on CPS 230 compliance obligations to certain fourth party or other downstream providers;
  • Taking stock of downstream providers to determine their materiality and ability to support CPS 230 obligations, and being ready to provide this information to regulated customers; and
  • Being prepared for enhanced scrutiny from regulated customers during the procurement process; the additional due diligence obligations in CPS 230 will require regulated entities to assess the business’s ability to provide services on an ongoing basis.

Businesses already captured by CPS 231 and 232 will be largely compliant with the new standard; however, they should still take note of the above steps and prepare for the upcoming changes to contracting with regulated customers. Regulated customers will expect that existing service providers will be ready and able to accept any flow down compliance requirements from CPS 230.

CPG 230, while still in draft, will provide valuable guidance in these preparations; consultation on the draft closes on 13 October 2023.

If you have any concerns about compliance with CPS 230, please contact Hamish Fraser at Bird & Bird.
