On 17 July 2023, APRA released the final version of a new cross-industry Prudential Standard CPS 230 Operational Risk Management (CPS 230) which sets out minimum standards for managing operational risk, including updated requirements for business continuity and service provider management.
In relation to RSE licensees, the new CPS 230 is set to replace Prudential Standard SPS 231 Outsourcing (SPS 231) and Prudential Standard SPS 232 Business Continuity Management (SPS 232).
This article touches on how CPS 230 differs from the draft version that APRA released for consultation on 28 July 2022, explores how the obligations in CPS 230 differ from existing standards, and describes how APRA-regulated entities can start preparing for the implementation of CPS 230.
What has changed from the draft?
Not a lot has changed in the final CPS 230 compared to the draft version. The changes are mainly changes to the words used, which are relatively minor
The start date has changed and a paragraph has been added regarding pre-existing contractual arrangements. Those changes are described below and were flagged by APRA earlier this year.
Parts of CPS 230 now clarify that particular requirements only apply for specific types of APRA- regulated entities. The trigger for notifying APRA has also been reworded.
The final version has the term ‘material arrangement’, which did not appear in the draft. Some references to ‘an arrangement with a material service provider’ have been replaced with ‘a material arrangement’. However, as explained below, a material arrangement is not defined as an arrangement with a material service provider.
How does CPS 230 compare to existing superannuation prudential standards?
The key differences between the obligations that will apply to RSE licensees under the new CPS 230 compared to those that currently apply under SPS 231 and SPS 232 are set out as follows.
Outsourcing
1. Scope of application
SPS 231 currently applies to the outsourcing of a ‘material business activity’. An activity is a ‘material business activity’ if it has the potential, if disrupted, to have a significant impact on an RSE licensee’s business operations, its ability to manage risks effectively, the interests, or reasonable expectations, of beneficiaries or the financial position of the RSE licensee, any of its RSEs or its connected entities, having regard to prescribed factors.
By contrast, CPS 230 will apply to a ‘material arrangement’, which is defined as an arrangement on which the APRA-regulated entity relies to undertake a ‘critical operation’ or that exposes it to material operational risk. ‘Critical operations’ are processes undertaken by an APRA-regulated entity or its service provider which, if disrupted beyond tolerance levels, would relevantly have a material adverse impact on its beneficiaries or its role in the financial system.
This represents a shift in focus away from outsourcing (i.e. activities that an RSE licensee could do itself) to the broader use of service providers. In its discussion paper titled ‘Strengthening operational risk management’, APRA explained that this shift reflects ‘the increased reliance on third parties to undertake critical operations’. In our view, the approach under CPS 230 is likely to capture a wider range of contracts with services providers.
That said, the role of internal audit is still couched in terms of outsourcing. Under CPS 230, an APRA-regulated entity’s internal audit function must review any proposed material arrangement involving the outsourcing of a critical operation. Currently, under SPS 231, an RSE licensee’s internal audit function must review any proposed outsourcing of a material business activity and regularly review and report to the Board or Board Audit Committee on compliance with the RSE licensee’s outsourcing policy.
Another difference is that under CPS 230 APRA may require an APRA-regulated entity, or a class of APRA-regulated entities, to classify a service provider, type of service provider or service provider arrangement as material. By contrast, SPS 231 does not allow for APRA to classify activities as ‘material business activities’.
2. Minimum content of agreement
Like SPS 231, CPS 230 will prescribe minimum content that formal agreements must cover. While there are many overlaps, the two sets of minimum content requirements differ in several key respects.
CPS 230 is arguably less prescriptive in terms of the minimum content that a material agreement must include than the current SPS 231. For example, the new standard is silent on many specific requirements that currently apply under SPS 231 (e.g. the scope of the arrangement; commencement and end dates; review provisions; pricing and fee structure; performance requirements; the form in which the data is to be kept; reporting requirements, including content and frequency of reporting; monitoring procedures; business continuity management; confidentiality, privacy and security of information; default arrangements; and insurance).
In place of these requirements, CPS 230 will require the formal agreement to:
specify the services covered by the agreement and associated service levels;
set out the rights, responsibilities and expectations of each party to the agreement, including in relation to the ownership of assets, ownership and control of data, dispute resolution, audit access, liability and indemnity; and
include provisions to ensure the ability of an APRA-regulated entity to meet its legal and compliance obligations.
Therefore, APRA appears to be giving RSE licensees more scope to determine the specific provisions that fall under these high-level categories.
In saying this, CPS 230 introduces several minimum content requirements that are not currently prescribed under SPS 231 (e.g. a force majeure provision indicating those parts of the contract that would continue in the case of a force majeure event).
CPS 230 also expands on how an agreement must address sub-contracting and termination as follows:
sub-contracting - an agreement must require notification by the service provider of its use of other material service providers that it materially relies upon in providing the service to the APRA-regulated entity through sub-contracting or other arrangements; and
termination - termination provisions must include: (i) the right to terminate both the arrangement in its entirety or parts of the arrangement; and (ii) the ability for an RSE licensee to terminate the arrangement where to continue the arrangement would be inconsistent with the RSE licensee’s duty to act in the best financial interests of beneficiaries.
Under CPS 230, the formal agreement must require the liability for any failure on the part of any sub-contractor to be the responsibility of the service provider. This is similar to the requirement under SPS 231 to include an indemnity to the effect that any sub-contracting by a service provider will be the responsibility of the service provider, including liability for any failure on the part of the subcontractor.
3. APRA access provisions
There are subtle differences between SPS 231 and CPS 230 regarding APRA access provisions.
4. Access to documentation and information
SPS 231 currently requires that an outsourcing agreement include a clause that allows APRA access to documentation and information related to the outsourcing arrangement. Under CPS 230, the formal agreement must include provisions that allow APRA access to documentation, data and any other information related to the provision of the service.
Therefore, the subject of the access will expand from ‘documentation and information’ to ‘documentation, data and other information’, and the trigger for providing access will change from documentation, data (in the case of CPS 230) and information that is ‘related to the outsourcing arrangement’ to that which is ‘related to the provision of the service’.
5. Not impeding APRA
CPS 230 will require agreements to include provisions that ensure the service provider agrees not to impede APRA in fulfilling its duties as prudential regulator.
This is a new requirement, as SPS 231 merely states that APRA expects service providers to cooperate with APRA’s requests for information and assistance.
6. Not disclosing or advertising that APRA has conducted an on-site visit
Unlike SPS 231, CPS 230 will not require RSE licensees to take all reasonable steps to ensure that a service provider will not disclose or advertise that APRA has conducted an on-site visit.
7. Compulsory amendments imposed by APRA
CPS 230 will introduce a new power for APRA to require an APRA-regulated entity to review and make changes to a service provider arrangement where it identifies heightened prudential concerns. To comply with CPS 230, an APRA-regulated entity may need to amend existing agreements to allow for amendments where required by APRA.
Business continuity management
(a) Outsourcing agreement
Unlike SPS 231, CPS 230 does not specifically prescribe that a formal agreement with a material service provider must address business continuity management (BCM). However, this is likely to still be required under the general obligations for formal agreements to:
set out the rights, responsibilities and expectations of each party to the agreement; and
include provisions to ensure the ability of an APRA-regulated entity to meet its legal and compliance obligations.
(b) Assessing an outsourced service provider’s BCP
CPS 230 will remove the following requirements that currently apply to an RSE licensee under SPS 232 where a material business activity has been outsourced:
the requirement to satisfy itself as to the adequacy of an outsourced service provider’s business continuity plan (BCP ) and consider any dependencies between the two BCPs;
the requirement to satisfy itself that the outsourced service provider adequately reviews and tests its BCP at least annually, or more frequently if there are material changes to business operations, to ensure that the BCP can meet the BCM objectives of the RSE licensee; and
the requirement to ensure that the outsourced service provider formally reports the results of the testing, including any change to the service provider’s BCP, as soon as practicable.
Compliance with the above would typically have been addressed through the inclusion of provisions in the relevant outsourcing agreement.
Under CPS 230, an APRA-regulated entity will be required to monitor compliance with its tolerance levels and report any failure to meet tolerance levels, together with a remediation plan, to the Board. Where an RSE licensee’s tolerance levels include tolerance for non-delivery due to a business interruption at a material service provider, it is likely that some of the above existing requirements in SPS 232 might in effect be carried across.
(c) Execution of the BCP
CPS 230 will introduce a requirement for an APRA-regulated entity to ensure it can execute its BCP if needed for each arrangement with a material service provider.
To comply with this new requirement, an APRA-regulated entity may need to amend existing agreements with material service providers to enable it to execute its BCP if needed.
(d) Notification to APRA
Under SPS 232, an RSE licensee must notify APRA as soon as possible, and no later than 24 hours, after experiencing a major disruption that has the potential to have a material impact on the interests, or reasonable expectations, of beneficiaries or the financial position of the RSE licensee, any of its RSEs or connected entities. By contrast, CPS 230 will require an APRA-regulated entity to notify APRA as soon as possible, and not later than 24 hours after, if it has suffered a disruption to a critical operation outside tolerance.
What is the timeline for implementation of CPS 230?
The new standard will come into effect on 1 July 2025.
Where an APRA-regulated entity has pre-existing contractual arrangements with a service provider, the requirements in CPS 230 will apply in relation to those arrangements from the earlier of the next renewal date of the contract with the service provider or 1 July 2026.
What can an APRA-regulated entity do to implement CPS 230?
The first action that we suggest undertaking to prepare for the commencement of CPS 230 is reviewing existing contracts to identify any contracts that will be covered by CPS 230, but which are not covered by existing prudential standards. These are the contracts that are likely to need the most changes to be compliant.
In addition, an APRA-regulated entity also needs to review contracts that are currently subject to SPS 231 or other prudential standards to ensure that they will comply with the content requirements in CPS 230 and negotiate any necessary amendments with service providers ahead of the deadline.
G+T has the knowledge and expertise required to advise regarding legal obligations in CPS 230, including drafting, reviewing and negotiating contractual arrangements with service providers. If interested, please contact Phil Turner or one of our other experts.
The final version of CPS 230 is available to read, here: Operational risk management