The Australian Prudential Regulation Authority (APRA) has released the final version of its new cross-industry Prudential Standard CPS 230 Operational Risk Management (CPS 230), which is set to take effect on 1 July 2025 following industry consultation that commenced in July 2022.
Disruptions in the financial sector can have a significant impact on supply chains, and vice versa. Several recent operational risk control failures and well-publicised bank failures outside Australia have cemented the need for better regulation. The Australian Financial Services (FS) market has so far been largely insulated from the fallout of the failure of Silicon Valley Bank (SVB) and the woes of Credit Suisse, but a number of high-profile cyber incidents continue to keep resilience front of mind. CPS 230 aims to ensure regulated financial entities can better withstand disruption, whether from cyber or non-cyber risks.
Wayne Scott, our Regulatory Compliance Solutions lead, takes us through the key points of the new standard.
What is APRA’s plan?
The new standard is designed to strengthen the management of operational risk. It requires each regulated entity in the banking, insurance and superannuation industries to maintain critical operations through severe disruptions, and to manage the risks associated with the use of all service providers.
Who is included in the regulations?
APRA’s CPS 230 has an expansive reach that brings fourth-party providers (the vendor’s own vendors) into scope. The new standard applies to material suppliers and services and does not differentiate between on-premise software and cloud services. This gives the standard an all-encompassing range, making it applicable to a wide array of entities and, more importantly, future-proofing it against innovation in how services are delivered.
The end of July brings the final standard, and organisations must work to complete a list of their material service providers and critical operations. By the end of 2024, each regulated entity should be positioned to set its tolerance levels, and in July 2025 CPS 230 will commence. The transition period for existing service contracts ends in July 2026. APRA also retains the right to add to an entity’s list of material services and suppliers, presumably once overall concentration risk to the market has been considered.
What should organisations be aware of?
Under the new standard, APRA-regulated entities must:
- Effectively manage operational risks and set and maintain appropriate standards for conduct and compliance.
- Maintain critical operations within tolerance levels through severe disruptions (see below for more information on determining tolerance levels).
- Manage the risks associated with the use of service providers.
Responsibility now lies with the board to ensure the entity effectively manages operational risk. The standard is intended to make each APRA-regulated organisation resilient to operational risks and disruptions.
There are several changes businesses should be aware of and must implement in order to comply. These include renewing and renegotiating licence agreements to add the clauses needed to ensure resilience, as businesses build “Service Provider Management Policies”. Any future material service arrangement must have these plans in place before the arrangement is entered into.
Setting risk appetite and tolerance levels
Each regulated entity must set risk appetite and risk tolerance levels and build plans to remain within those levels. When setting risk appetite, entities must take a multifaceted approach, considering:
- Business services and capabilities which must be retained in-house
- Country or region risk, such as war or natural disasters
- Supplier risk and the potential for unexpected termination of services
- Concentration risk, arising from using a single source for business operations
- Reputational risk, arising from damage to the firm’s reputation
What risk management considerations do organisations need to comply with?
The new standard requires organisations to take comprehensive steps to manage risk. These changes are far-reaching and will significantly change the way organisations currently operate.
Regulated entities must identify and maintain a list of their material suppliers, to be submitted to the regulator annually, and must manage the material risks associated with using these providers.
They must also consider alternative arrangements for cases where a service provider is unable to deliver services for an extended period. Annual scenario testing is now mandatory, to provide sufficient coverage and an adequate understanding of the financial and operational resilience impacts of any operational risk.
Each regulated entity must also have a set of controls in place to manage risks and ensure adequate coverage, including preventive, detective, and responsive controls.
All APRA-regulated entities must also apply their supplier management policies to the systems and infrastructure needed to support critical operations. There are further additions for specific sectors: banking, insurance and superannuation.
Sector specific additions are far-reaching and will have a significant impact across each:
- Banks have further requirements governing payments, deposit-taking and management, custody, settlements and clearing. The standard also affects credit assessment, funding and liquidity management, and mortgage brokerage.
- Insurers have additional policies, shaping each key aspect of operations, including claims processing, underwriting, claims management, insurance brokerage and reinsurance.
- Superannuation will see similarly expansive changes. New regulations will affect investment management, fund administration, custodial services as well as arrangements with promoters and financial planners.
What practical steps can organisations take to comply?
Escrow solutions offer a way to comply with the various strands of the new CPS 230 Operational Risk Management standard without complicating existing risk management strategies and services.
Although escrow is not named explicitly in the new standard, it is a wide-reaching solution with a comprehensive range of risk control capabilities that address each of the requirements set by APRA. Escrow is a tried and tested means of controlling the risks of supplier failure, service deterioration and concentration risk, and is already recommended by other FS regulators around the world.
Software escrow agreements should be a major consideration in an organisation’s risk management plans. These agreements have become ever more important as businesses increasingly rely on software and technology for their operations.
Escrow creates a robust foundation, a resilience baseline, for maintaining critical operations within tolerance levels through severe disruptions. It enables organisations to manage the risks associated with the use of service providers by forming a legal arrangement in which a third party holds, and controls the release of, assets or information between two parties. This ensures that both parties are protected and that the information can be accessed in the event of disruption.
Escrow agreements and the associated verification services are one of the few ways to guarantee continued access to material services and the information they contain. Perhaps most importantly, escrow does so in a proportionate, cost-effective manner.
What happens next?
With the introduction of the new standard, Australia has a unique opportunity to learn from the banking turmoil of the first quarter of the year, and from the shortcomings it highlighted in the UK FS industry’s slow reaction to its own new operational risk regulations for financial institutions.
Escrow gives regulated entities a way to place supplier failure, service deterioration and concentration risk at the forefront of their planning, ensuring risk management receives adequate attention.
The inclusion of service provider management policies and the list of mandatory services for consideration are a major step forward in enforcing effective risk management.
Regulators across the globe are taking significant steps to manage operational risk, and the next few years promise to be a busy time for organisations working to ensure resilience.