Namely, flexibility for APRA-regulated entities that are non-significant financial institutions (non-SFIs) an additional period of 12 months (until Jul. 1, 2026) to comply with certain aspects of the standard re business continuity as well as scenario analysis.
AST GVT published an explanatory statement regarding this variation instrument.
This variation was made in response to concerns raised to the consult in #179326.
Variation instrument commences on Jul. 1, 2025, same date as CPS 230 commences.
AST APRA consulted on new prudential standard to strengthen operational resilience.
Consultation
AST APRA is consulting on CPS 230, prudential standard that is designed to strengthen the management of operational risk within banking, insurance and superannuation.
Operational risk is potential for financial loss or material disruption from inadequate or failed internal processes or systems, actions of people or external drivers and events.
In the consultation package, AST APRA proposes to introduce a new cross-industry Prudential Standard CPS 230 Operational Risk Management to set minimum standards.
These will apply to managing operational risk, and will include updated requirements for business continuity, as well as for service provider management, to reduce risks.
The proposed new standard includes requirements for regulated entities to maintain effective internal controls for operational risk, commensurate with size of organization.
Also for business mix and complexity of the activities they undertake, to be prepared and ready to ensure continued delivery of critical operations in periods of disruption.
This will then effectively manage the risks associated with the use of service providers.
AST APRA have included a specific discussion paper within the consultation package.
Existing Standards
The new standard will incorporate the requirements for service provider management, currently outsourcing, as well as all requirements for business continuity management.
Current prudential standards CPS 231 Outsourcing and CPS 232 Business Continuity Management, reflect this, with other superannuation and health insurance standards.
Superannuation is in standards SPS 231 and SPS 232, with private health insurance standard being HPS 231, and the five standards will be replaced by the new CPS 230.
Next Steps
After reviewing feedback in response to the consultation, AST APRA expects to release final CPS 230 early next year, before new standard comes in force from Jan. 1, 2024.
Consultation End
Written submissions in response to the consultation are requested by Oct. 21, 2022.
Oct. 2022 AST INS CNCL Response
On Oct. 21, 2022, AST INS CNCL commented on the consultation package above.
Said operational risk management requirements should apply to all regulated entities.
This should be in a proportionate manner that allows entities to use discretion in an appropriate manner consistent with the scale as well as complexity of their business.
Said such an approach will require substantial guidance from AST APRA - discussion paper and draft CPS 230 require further clarification/refinement to meet this objective.
AST INS CNCL is concerned, for example, about the excessive broadening of scope.
That is, most notably re fourth-parties; AST INS CNCL said that assessing whether a provider is systemically important in Australia will be challenging, if not impossible.
It is also concerned re granular level of detail AST APRA requires boards to review.
Concerned also on planned implementation timeline; shorter than other jurisdictions.
Further, set out concerns about significant increase of regulatory costs imposed on insurers; said that this is of particular concern in light of insurance affordability issues.
Apr. 2023 Updated Timeline
On Apr. 13, 2023, AST APRA released updated timeline for the implementation of new cross-industry Prudential standard CPS 230 operational risk management (CPS 230).
AST APRA intends to move the effective date for the new standard to Jul. 1, 2025.
In addition, AST APRA intends to provide transitional arrangements for pre-existing contractual arrangements with service providers, with the requirements in the standard applying from the earlier of the next contract renewal date or Jul. 1, 2026.
Plans to release final version of CPS 230, with draft supporting guidance, in mid-2023.
Jul. 2023 Prudential Standard Finalized
On Jul. 17, 2023, AST APRA published final Prudential standard CPS 230 operational risk management (CPS 230) re consult above; and mark-up version showing changes.
In addition, published Response paper - operational risk management re the consult; submissions generally supported approach in draft CPS 230 and its intended focus.
The key changes to final CPS 230 include easing transition - deferring commencement of CPS 230, as well as inclusion of transition arrangements for existing service provider arrangements; and flexibility on prescribed critical operations and service providers.
Namely, refining the requirement to classify specific business operations as critical and certain service providers as material, with an unless otherwise justified provision.
In addition, modifications so that only material arrangements with material service providers are captured re certain requirements, rather than all arrangements.
CPS 230 will commence Jul. 1, 2025; a transition period allows entities time to update existing contractual arrangements with service providers to comply with CPS 230.
While CPS 230 commencement date moved to 2025, APRA expects regulated entities to be proactive in preparing for the new requirements in 2023-2024 i.e. demonstrating meaningful steps and staged progress in moving towards complying with CPS 230.
Details of staged progress may vary across entities; APRA expects there will be some common approaches; expects that senior management would have identified their critical operations, material service providers by mid-2024 and be well-positioned.
Specifically, well-positioned to set tolerance levels by the end of 2024; supervisors will engage with entities during the implementation period in order to assess progress.
In addition, APRA Chair John Lonsdale stated that the finalization of CPS 230 will strengthen the management of operational risk across APRA’s regulated population.
AST GVT also published an explanatory statement re determination no. 2 of 2023.
This instrument commences on Jul. 1, 2025 and revokes the Banking insurance and life insurance (prudential standard) determinations no. 6 of 2016andno. 7 of 2016.
It also revokes related instruments titled Health insurance (prudential standard) determination no. 4 of 2015, Superannuation (prudential standard) determination no. 3 of 2012, and Superannuation (prudential standard) determination no. 4 of 2012.
These five earlier instruments and the prudential standards that were determined under these determinations, are revoked with effect from Jul. 1, 2025.
Namely, flexibility for APRA-regulated entities that are non-significant financial institutions (non-SFIs) an additional period of 12 months (until Jul. 1, 2026) to comply with certain aspects of the standard re business continuity as well as scenario analysis.
AST GVT published an explanatory statement regarding this variation instrument.
This variation was made in response to concerns raised to the consult in #179326.
Variation instrument commences on Jul. 1, 2025, same date as CPS 230 commences.
Regulators
AST APRA; AST GVT; AST INS CNCL
Entity Types
Bank; BHC; Ins; Pension
Reference
Info, RF F2024L01107, 9/2/2024; Info, RF F2023L01242, 9/14/2023; PR, Rsp 7/17/2023; PR 4/13/2023; Rsp 10/21/2022; CP, PR 7/28/2022; Citation: CPS 230; Banking insurance life insurance health insurance and superannuation (prudential standard) determination no. 2 of 2023; Banking - insurance - life Insurance - health insurance and superannuation (prudential standard) variation no. 1 of 2024;
