E Point Perfect
Law \ Legal

Part 1 – Detailed analysis of CPS 230 and comparison


Your roadmap to compliance

6 min read


Operational risk has been a headline issue in the superannuation, insurance and banking industries over recent years, as regulated entities have faced the COVID-19 pandemic, cyber and technology risk, geopolitical unrest, volatile markets and high-profile compliance failures. It is therefore no surprise to see APRA sharpening its focus on operational resilience with the release of a new draft prudential standard, CPS 230 (Operational Risk Management) (CPS 230).

CPS 230 is proposed to apply to all APRA-regulated entities in the banking, insurance and superannuation industries from 1 January 2024. If introduced in its current form, it will consolidate into a single prudential standard significant new requirements in relation to operational risk management, as well as updated requirements in relation to service provider risk management and business continuity planning.

In this Insight, we provide an overview of CPS 230 and what it will mean for you.

Key takeaways

CPS 230 adopts a principles-based approach and imports many familiar concepts from existing prudential standards. However, if introduced in its current form, it will impose much more prescriptive and extensive obligations in relation to operational risks than we’ve previously seen.

Importantly, CPS 230 would:

  • impose detailed requirements in relation to the governance and management of operational risk, which is currently only addressed in a general sense in CPS and SPS 220 (Risk Management);
  • underscore the importance of ensuring that organisations have a real-time understanding of their operational risk profile and the impact of key business decisions and other changes affecting that profile;
  • make clear that, notwithstanding the emphasis of CPS and SPS 220 on the importance of independent risk functions, senior management has end-to-end responsibility for operational risk and that these considerations should be embedded throughout the business;
  • see a shift from APRA’s previous focus on recovery from disruption, to an expanded focus on ensuring there is the capability to operate through disruption within pre-approved tolerance levels;
  • introduce a much more expansive concept of material service provider arrangements, which includes a requirement to focus on the risks posed by services providers, rather than just on the materiality of any outsourced services being provided – and a requirement to look deeper into the supply chain (eg to consider fourth-party risk); and
  • give APRA increasing visibility into the implementation of operational risk management as well as an increased ability to require regulated organisations to manage their operational risks in particular ways.

As a result, CPS 230 would require significant changes to governance, compliance, contractual and incident response arrangements for all APRA-regulated entities. For more on this, see Part 2 – Practical Implementation Guide (PDF).

Why is APRA publishing a new standard?

Draft CPS 230 attempts to address the following weaknesses that APRA has observed as part of its prudential supervision:

  • Control failures: numerous operational risk events have arisen due to ineffective controls, resulting in action against a range of entities (eg through court-enforceable undertakings, remediation programs and additional operational risk capital requirements).
  • Low tolerance for disruptions: customers have a lower tolerance for disruptions given the importance of core financial services in everyday life and an expectation that these services will always be available.
  • Increasing reliance on (and concentration of) service providers: APRA-regulated entities are becoming more reliant on the use of service providers to support their business operations. Problems in the use of service providers that may form part of a long and complex supply chain involving ‘fourth parties’ and downstream providers can quickly impact the availability and level of service provided by an APRA-regulated entity.

CPS 230 follows similar reforms spearheaded by its counterparts in the UK (Prudential Regulation Authority), Canada (Office of Financial Sanctions Implementation) and others, and has regard to international standards such as the Basel Committee on Banking Supervision’s Core Principles.

APRA’s focus on operational risk also reflects ASIC’s increased focus on the potential impacts of technology in financial markets and services, and its proposed core strategic project in relation to cyber risk and operational resilience, as set out in its 2022–26 Corporate Plan.

What are the key changes?

CPS 230 picks up a number of similar concepts from the prudential standards it proposes to replace, but also contains some very significant changes. We have outlined some of these changes (as compared to current requirements) below.

Issue

What’s new?

Outcomes-based requirements

Draft CPS 230 contains a number of overarching key principles that require APRA-regulated entities to manage operational risks, and that will be assessed from an outcomes perspective. For example, an APRA-regulated entity must:

  • maintain its critical operations within tolerance levels through severe disruptions;
  • to the extent possible, prevent disruption to critical operations; and
  • not rely on a service provider unless it can ensure that in doing so it can continue to meet its prudential obligations in full.

Supplementing these principles are a number of other new requirements, including requirements to understand its operational risk profile, to conduct comprehensive risk assessments before providing material services to other parties, and to design and embed internal operational risk controls in all of its products, activities, processes and systems.

Board and senior management accountability

CPS 230 provides that the board will be accountable for operational risk management (including business continuity and service provider arrangements). Until now, APRA has required the board to be ultimately responsible for certain matters in its prudential standards. The language shift to accountable is subtle but important in terms of APRA’s expectation for boards, and sits hand-in-hand with APRA’s outcomes-focussed supervision.

As part of this, APRA expects the board to set clear roles and responsibilities for senior managers and to oversee operational risk management. In return, senior management must provide clear and comprehensive information to the board on the entity’s operational risk profile and the expected impact to critical operations when the board is making decisions. The onus is firmly placed on business-line management to take responsibility for operational risk, as opposed to relying on risk management functions.  

APRA’s powers

APRA has given itself a raft of new powers in relation to the supervision of operational risk management (including powers to require entities to take specific actions where material weaknesses are identified, to adjust tolerance levels and to classify service providers as material, amongst other things). See Part 2 – Practical Implementation Guide (PDF) for more detail.

APRA reporting

APRA-regulated entities are currently required to report information security incidents to APRA as soon as possible and no later than 72 hours after becoming aware of the incident under Prudential Standard CPS 234 (Information Security). APRA proposes that it must be notified of operational risk incidents in the same timeframe (where the incident is likely to have a material financial impact or a material impact on the ability of the entity to maintain its critical operations).

Issue

What’s new?

How is this different (to CPS and SPS 232)?

Business continuity plan (BCP)

Draft CPS 230 requires APRA-regulated entities to maintain a credible BCP that sets out how the entity would maintain its ‘critical operations’ within ‘tolerance’ levels through disruptions, including disaster recovery planning for critical information assets. The BCP must be approved by the board.

This must include a register of critical operations and associated tolerance levels, triggers to identify disruption and prompt activation of the BCP, actions the entity will take to maintain critical operations within tolerance levels where disruptions arise, assessment of the key dependencies needed to support the effective implementation of the BCP and a communications strategy to support the execution of the plan.

We note that APRA has said in its discussion paper that regulated entities would also be required to submit their BCP to APRA on an annual basis. That requirement doesn’t appear to have made it into draft CPS 230 but watch this space for changes to the draft throughout the consultation process.

For APRA-regulated entities (other than private health insurers)1 the requirement to maintain a BCP is not new, although some new concepts for its contents have been introduced, including ‘critical operations’ and ‘tolerances’ as described.

Some of the other prescriptive requirements for a BCP have been brought across (although reframed) in CPS 230, but APRA has flagged in its discussion paper that it will be for APRA-regulated entities to determine whether their BCPs are fit for purpose given the nature, complexity and size of the business, again giving a nod to its principles-based approach to supervision.

‘Critical operation’ identification

APRA-regulated entities will be required to define, identify and maintain a register of their ‘critical operations’. These are processes undertaken by an APRA-regulated entity or its service provider which, if disrupted beyond tolerance levels (see below), would have a material adverse impact on its depositors, policyholders, beneficiaries or other customers, or its role in the financial system.

APRA has identified that these operations would include payments, deposit-taking and management, custody, settlements, clearing, claims processing, investment management, fund administration, customer enquiries and the systems and infrastructure needed to support these operations. APRA may also require an APRA-regulated entity to define a business operation as critical.

The new concept of ‘critical operations’ is similar, although arguably wider than the current requirements applicable to APRA-regulated entities.

APRA-regulated entities are currently required to identify their ‘critical business functions’ – being their critical business functions, resources and infrastructure. This will be broadened in CPS 230 to require identification of the ‘processes’ of both the APRA-regulated entity and its service providers. APRA has also included specific examples in draft CPS 230 to ensure baseline critical operations are consistently captured across the industry.

The concept of ‘critical operations’ also captures service-provider processes, meaning that these must also be specifically addressed in the institution’s BCP. The current requirement in relation to service providers is that an APRA-regulated institution must satisfy itself as to the adequacy of the service provider’s BCP and any dependencies between the two.

Tolerance setting

APRA-regulated entities will be required to set board-approved tolerance levels for each critical operation, being:

  • the maximum period of time the entity would tolerate a disruption to the operation;
  • the maximum extent of data loss the entity would accept as a result of a disruption; and
  • minimum service levels to maintain while operating during a disruption.

APRA may require that tolerance levels for critical operations are changed or may set tolerance levels where it identifies heightened risk or material weaknesses.

The new requirement to set tolerance levels is a further shift towards outcomes-focussed regulation. APRA-regulated entities are currently required to undertake an impact analysis of plausible disruption scenarios and the period of time for which the institution could not operate without each critical business operation. However, the new requirements are intended to focus institutions’ risk appetite for disruption in respect of all processes as part of their business continuity plans. Failure to meet tolerance levels must be reported to the board under CPS 230.

Testing and review

New testing requirements have been included. APRA-regulated entities must have a systematic testing program for their BCP that covers all critical operations and includes an annual business continuity exercise. The program, which must be tailored to the entity’s material risks, must test the effectiveness of the entity’s BCP and its ability to meet tolerance levels in a range of severe but plausible scenarios. APRA may also require the entity to test against an APRA-determined scenario.

The scope of the testing requirements have been expanded from their current form (which only require the institution to ‘review and test’ the BCP, but without any specific requirements as to the testing criteria). These requirements would apply in addition to the current requirements to review and audit the BCP.

APRA notifications

APRA-regulated entities would be required to notify APRA as soon as possible and within 24 hours if they have activated their BCP.

Although the timeframe (maximum 24 hours) is the same as the current requirements, the trigger for notification to APRA is the activation of the entity’s BCP, as opposed to when the entity ‘experiences a major disruption that has the potential to have a material impact on the institution’s risk profile, or affect its financial soundness’. We do not expect much to turn on this change given that the BCP is required to be activated in the event of a disruption under CPS 230.

Issue

What’s new?

How is this different (to CPS, SPS and HPS2 231)?

Material service providers

CSP 230 will introduce the concept of ‘material service providers’.

Material service providers are those on which the entity relies to undertake a ‘critical operation’ (see above) or that expose it to material operational risk. They include third parties and related parties deemed to be material because of one or a number of arrangements with the APRA-regulated entity.

APRA has specifically stated that this would include risk management, core technology services, internal audit, credit assessment, funding and liquidity management, mortgage brokerage, underwriting, claims management, insurance brokerage, reinsurance, fund administration, custodial services, investment management and arrangements with promoters, financial planners and those service providers that manage information assets classified as critical or sensitive under CPS 234. APRA may also classify a service provider, or type of service provider, as material.

CPS 230 introduces various requirements related to an APRA-regulated entity’s material service providers that are described further below.

This change represents a shift from the current focus on outsourcing and the materiality of the service being provided (ie the outsourcing of a ‘material business activity’), to the materiality of the operational risk posed by the service provider arrangement.

The new definition is likely to capture a much wider range of service providers, which APRA states is to reflect the increased reliance on third parties to provide and undertake critical operations, as well as the fact that a service provider arrangement can expose a regulated organisation to a high degree of risk even where the service it is providing may not be critical. As with the new business continuity regime, APRA has included a list of service providers in draft CPS 230 that will be deemed to be captured, to ensure that these are consistently captured across the industry.

Service provider management policy and ‘fourth parties’

Regulated entities will need to maintain a board-approved ‘service provider management policy’ which sets out how it will identify material service providers and manage arrangements, as well as a number of other specific requirements.  

One such requirement is that the policy addresses how the entity would manage risks associated with any ‘fourth parties’ or subcontractors. These are downstream service providers in the supply chain. It is unclear whether APRA expects that the requirement will be limited to fourth parties or whether it might extend further down the chain of service providers and we expect this to be the subject of submissions to the consultation. In the absence of further clarification on this point, APRA-regulated entities will need to give this some thought.  

Although CPS 231 and SPS 231 currently require a policy, the policy content requirements in CPS 230 are broader, given both the definition of material service providers (see above) and the requirement to address ‘fourth party’ risk.

In terms of fourth parties, CPS 231 and SPS 231 currently require sub-contracting to be addressed in an outsourcing contract, with an indemnity to the effect that any sub-contracting by a third-party service provider is the responsibility of the third-party service provider (and HPS 231 is silent on this). Draft CPS 230 does away with this slightly confusing drafting and instead requires that service providers assume liability for failure of a sub-contractor, and for each APRA-regulated entity to otherwise set its own approach for the management of fourth-party risk.

Practically, risk management in this regard may include a combination of enhanced due diligence on service providers, reporting obligations, the inclusion and exercise of rights to audit and test service provider systems, inclusion of service providers in simulations/tabletop exercises, and the continued requirement that third parties remain liable for any acts or omissions of their subcontractors. Of course, how much can be achieved in this respect will depend on commercial negotiations.

Service provider agreements

All service providers must be appointed by a formal and legally binding agreement. Notably, these agreements must require notification by the service provider of its use of other material service providers (through sub-contracting or other arrangements), for the service provider to take responsibility for its sub-contractors, force majeure provisions and termination rights.

Termination provisions for RSE licensees must include the ability for the trustee to terminate the arrangement where to continue it would be inconsistent with the trustee’s duty to act in the best financial interests of beneficiaries.

APRA may review and make changes to a service-provider arrangement where it identifies heightened prudential concerns.

CPS 230 is silent as to some of the more prescriptive (but non-contentious) requirements that currently apply under CPS and SPS 231, such as the requirement for the agreement to address pricing, insurance or review provisions.

Instead, APRA’s focus has narrowed to the key terms that must be included to address the operational risk brought about by the use of service providers.

APRA notifications

An APRA-regulated entity must submit its register of material service providers to APRA on an annual basis and notify APRA:

  • as soon as possible (and not more than 20 business days) after entering into, or materially changing, an agreement for the provision of services for a critical operation; and
  • prior to any offshoring agreement with a material service provider or when there is a significant change proposed to the agreement.

The requirement to annually submit a register of service providers to APRA is new. APRA hopes this will assist it with industry-wide monitoring so it can step in where it sees ‘concentration risk’ (ie the overuse of a single service provider).

Notifications to APRA where material changes are made (to onshore agreements) or proposed (to offshore agreements) are also new. Private health insurers should note that APRA notification timeframes will be shortened to 20 business days (as opposed to the 28 days that currently apply under HPS 231).

Otherwise, APRA has downgraded its oversight of offshoring agreements. CPS 230 requires entities only to notify APRA prior to entering into such agreements (instead of the current requirement to consult).

Interaction with other standards and guidance

APRA says that CPS 230 will ‘improve the accessibility and adaptability of the framework, seeking to ensure the prudential rules are easy to understand, find and navigate’. That may be true to an extent, but it is worth noting that other regulatory requirements and guidance relating to operational risk would continue to sit alongside the standard, including CPS 234 (Information Security) and CPS 226 (Margining and Risk Mitigation for Non-centrally Cleared Derivatives), as well as other APRA cross-industry and industry-specific prudential guides.

APRA also notes it is not proposing changes to the operational risk capital for ADIs and insurers at this stage.3 RSE licensees will remain bound by the requirements of SPS 114 in relation to the operational risk financial requirement, although we should note that as part of its new powers under draft CPS 230, APRA may require trustees to hold additional capital in the form of ORFR where their operational risk management has material weaknesses. Following its consultation on strengthening financial resilience in the superannuation sector in November 2021 (see more here), APRA says it will provide further information on the intersection between CPS 230 and the ORFR as each of the reforms progress throughout 2022.

Next steps

Written submissions to APRA on draft CPS 230 may be made until 21 October 2022. APRA has invited feedback on the overall design of CPS 230 (including its cross-industry approach, the topics it covers and its proportionality as it applies to significant and non-significant financial institutions) as well as its specific requirements.

APRA is planning to finalise CPS 230 in early 2023 and to issue draft guidance on the standard in the first half of 2023. There is currently no transitional period proposed, although APRA has invited feedback on what would be a reasonable timeframe for institutions to renegotiate contracts with existing service providers.

Given the tight timeframes until the proposed start dates (16 months), APRA-regulated entities should begin to review their operational risk management processes and arrangements against draft CPS 230 – at least to scope the changes required (see Part 2 – Practical Implementation Guide (PDF)). If your organisation provides services to APRA-regulated entities, you should look to understand the implications of contractual obligations these APRA-regulated entities would need to impose for CPS 230 compliance.



Source link

Related posts

First BIPA Trial Ever Results in $228M Judgment Against Company that Hired Out Fingerprint Processing Activities

German Employment Law Fall 2022 Update: Bonuses, COVID-19, and Annual Leave Entitlements

Can you have bad vision and become a NYPD Police Officer?

Would-be purchaser of property not entitled to relief from forfeiture of deposit: Ont. CA

DHS Released a Notice on the Addition of Entities to the UFLPA Entity List

Calculating Actual Cash Value and Depreciation in California