
APRA consults on proposed new operational risk prudential standard
Key points

  • APRA has released a proposed operational risk prudential
    standard, CPS 230 Operational Risk Management (CPS 230), for
    consultation. It is relevant for APRA-regulated banks, life and
    general insurers, superannuation trustees and health insurers.
    CPS 230 will replace the current outsourcing and business
    continuity management prudential standards.

  • CPS 230 is designed to modernise requirements in relation to
    risk management frameworks, business continuity and ‘material
    service providers’ of APRA-regulated entities, and to do this
    in a way which is easy to understand and navigate.

  • APRA considers fraud, cyber, conduct, AML/CTF and technology to
    be important areas of operational risk.

  • Under CPS 230, an entity would be required to maintain a
    register of its ‘material service providers’ and provide it to
    APRA annually.

Overview

On 28 July 2022, APRA released a consultation package on a new
prudential standard for the management of operational risk in the
banking, insurance and superannuation sectors: CPS 230. CPS 230 is
intended to replace the existing prudential standards relating to
Outsourcing (CPS 231, SPS 231 and HPS 231) and Business Continuity
Management (CPS 232 and SPS 232).

These changes to the prudential regulatory framework arose from
APRA’s observation of what it considered to be examples of
operational risk failures. They are part of APRA’s initiative
to modernise the prudential architecture, a program seeking to
ensure that APRA’s prudential rules are easy to understand and
navigate. Those familiar with, for example, the current CPS 231
Outsourcing (CPS 231) will notice a ‘Key principles’ section in
CPS 230 which is not found in CPS 231.

APRA is intending to issue guidance on CPS 230 during 2023 and
for CPS 230 to apply from 1 January 2024.

The new prudential standard: CPS 230

In its consultation, APRA states that it has observed the
following three key themes with operational risk issues:

  1. Control failures – a number of operational risk events have
    occurred due to ineffective controls.

  2. Low tolerance for disruptions – disruptions to business
    operations have the potential to impact real-time transactions.
    However, there is an expectation that services will always be
    available.

  3. Increasing reliance on service providers – entities are
    increasingly reliant on service providers to support business
    operations. Issues with service providers can affect the
    availability and level of service, with implications for the
    broader financial system.

CPS 230 is designed to address these issues. APRA says CPS 230
is aimed at ensuring that APRA-regulated entities ‘[i]mprove
operational risk practices through enhanced focus of Boards and
senior management’ and ‘[minimise] the impact of
disruptions to customers and the financial system’. The key
features of CPS 230 are stated to be requiring entities to:

  1. manage operational risk with effective internal controls,
    monitoring and remediation;

  2. respond to disruptions and maintain continuity of critical
    operations; and

  3. understand and manage risks from use of service providers.

Risk management framework

CPS 230 retains the requirement for entities to develop and
maintain a risk management framework, as in the current CPS 220 and
SPS 220. As part of the risk management framework review currently
required in CPS 220 and SPS 220, CPS 230 also provides that these
reviews must cover aspects of operational risk management and that
operational risk management must be integrated within the overall
risk management framework and processes.

If APRA considers that an entity’s operational risk
management has material weaknesses, CPS 230 foreshadows that APRA
may require the entity to conduct an independent review, develop a
remediation program, or take other actions required in supervising
compliance with the prudential standard.

Role of the Board

CPS 230 reinforces the responsibility that the Board has over
the entity’s risk management framework. The new prudential
standard focuses on the Board’s responsibility to oversee
operational risk, ensuring that Board members are involved with the
business continuity plan through overseeing results of testing and
execution of any findings, as well as having oversight of material
service provider arrangements.

Operational risk management

The proposed prudential standard includes a requirement for
entities to assess the impact of new products on their operational
risk profile. APRA has noted in its discussion paper that new
products, or changes that may materially alter the nature of the
product offering, will typically affect the entity’s operational
risk profile and may consequently require changes to the
entity’s controls and risk management processes.

In particular, APRA has identified crypto-assets as an
operational risk where entities will need to have prudent processes
and controls. APRA has also noted it is currently considering the
appropriate prudential framework for crypto-assets in Australia and
plans to consult on draft requirements for ADIs following the
conclusion of the Basel Committee’s current consultation.

Internal controls

Under CPS 230, entities must maintain appropriate internal
controls to detect and manage operational risks. This includes
regular monitoring, reviewing and testing of the effectiveness of
these controls, and any material findings must be remediated.

Risk incidents

Unsurprisingly, the new prudential standard also requires
entities to ensure that operational risk incidents are identified,
escalated, recorded and addressed in a timely manner. An entity is
required to notify APRA within 72 hours after becoming aware of an
operational risk incident that it deems likely to be material.

Business continuity

Similar to the existing framework, CPS 230 requires all entities
to have an appropriate business continuity plan (BCP).

The concept of ‘critical operations’ is key to CPS 230.
It is similar to the ‘critical business operations’
referred to in CPS 232. However, ‘critical operations’
includes not just the activities and processes undertaken by an
entity that will have a material impact on the entity itself, but
also those that will have a material impact on depositors,
policyholders, fund members, other customers and the entity’s
role in the financial system.

The table below sets out the business continuity steps required of
entities under CPS 230.

Business Continuity Steps – Draft CPS 230

Step 1: Identify ‘critical operations’

Critical operations are proposed to be defined as activities and
processes undertaken by an entity that have a material impact on
its stakeholders, including through the entity’s role in the
financial system.

Proposed CPS 230.35 says that ‘critical operations’
include:


  • payments;

  • deposit-taking and management;

  • custody;

  • settlements;

  • clearing;

  • claims processing;

  • investment management;

  • fund administration;

  • customer enquiries; and

  • systems and infrastructure needed to support the above
    operations.

Step 2: Set tolerance levels for ‘critical operations’

The proposed prudential standard requires entities to set
tolerance levels for each of their identified critical operations,
and these tolerance levels must be approved by the Board.

For each critical operation, the Board must approve tolerance
levels for the maximum period of time the entity would tolerate a
disruption, the maximum amount of data loss the entity would
accept, and the minimum service levels the entity would maintain
while operating under alternative arrangements during a
disruption.

Step 3: Testing and review

The testing and review requirements are similar to the existing
framework. However, CPS 230 includes a requirement for the testing
to be tailored to the material risks of the entity and to include a
range of severe but plausible scenarios in which the contingency
arrangements may be required. APRA may also require the entity to
conduct a ‘business continuity exercise’ in which APRA is able
to include an ‘APRA-determined’ scenario.

Material service providers

CPS 230 contains requirements similar to the current framework
in relation to outsourcing. However, CPS 230 instead applies to
‘material service providers’ and ‘service provider
agreements’. APRA is proposing to define a ‘material service
provider’ as any service provider that an entity relies on to
undertake a critical operation, or that could expose the entity to
material operational risk. Particular service providers are
proposed to be deemed ‘material service providers’, similar to
the way the current framework deems specific functions to be
‘material business activities’. Examples of deemed service
providers include risk management, core technology services,
internal audit, fund administration, custodial services and
mortgage brokerage.

APRA has also identified the risk of ‘fourth party’
service providers. These are ‘[a] party that a service provider
relies on in delivering services to an APRA-regulated entity’.
Under the proposed framework, an entity will be required to set out
its approach to managing the risks associated with the material
services it relies on a fourth party to undertake.

Under the proposed framework, an entity would be required to
maintain and provide APRA with a register of its material service
providers annually.

The proposed CPS 230 also includes requirements similar to those
under the current outsourcing framework, including:

  • notifying APRA when entering into or materially changing a
    material service provider agreement, as soon as possible and
    within 20 business days; and

  • notifying APRA before entering into or materially changing any
    offshoring agreement with a material service provider, including
    in circumstances where data or personnel relevant to the service
    being provided will be located offshore.

What happens next?

APRA is seeking feedback and accepting submissions on CPS 230
until 21 October 2022. Following this feedback, APRA is aiming to
finalise the standard in early 2023 with guidance for consultation.
CPS 230 is anticipated to come into effect on 1 January 2024.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
