The Australian Prudential Regulation Authority (APRA) has released a draft Prudential Standard CPS 230 (CPS 230) for consultation. All going well, CPS 230 will become effective by 1 January 2024. CPS 230 is APRA’s latest cross-industry standard aimed at strengthening the management of risk, in this case operational risk, across the banking, insurance and superannuation industries.
Two key aspects of CPS 230, currently felt by APRA not being adequately addressed, are the (i) proposed prescribed standards for managing the risks associated with material service providers and (ii) monitoring, testing and notification. That is, once CPS 230 is in force, APRA-regulated entities will have obligations to assess and address the operational risks of material services provided to them and, on an ongoing basis, monitor, assess and ensure the compliance of material service providers with the relevant agreement which is to include prescribed provisions and be subject to ongoing operational risk management, even though such service providers are not themselves APRA-regulated. APRA states that this is in a response to APRA-regulated entities placing greater and greater reliance on third parties to undertake critical operations on their behalf.