At Arnotts Technology Lawyers, we regularly advise technology providers, including As-a-Service providers that supply services to entities regulated by the Australian Prudential Regulation Authority (APRA), such as banks, on compliance with prudential and reporting standards including CPG 231 Outsourcing, CPG 234 Information Security and CPG 235 Managing Data Risk.
APRA has commenced consultation for a new prudential standard designed to strengthen operational risk management in the banking, insurance, and superannuation industries.
The Prudential Standard CPS 230 Operational Risk Management (CPS 230) aims to ensure that APRA-regulated entities are prepared for, and not disrupted by, emerging technologies. It will require APRA-regulated entities to manage operational risk and the risks arising from service providers effectively, and to maintain critical operations in the face of disruptive technologies. APRA-regulated entities must have appropriate checks and risk-management protocols in place to minimise the harm from emerging technology risks.
Broadly speaking, CPS 230 requires APRA-regulated entities to:
- identify, assess and manage their operational risks with effective internal controls, monitoring and remediation
- be able to continue to deliver their critical operations within tolerance levels through severe disruptions (such as data breaches), supported by credible business continuity plans, and
- effectively manage the risks associated with service providers, through a comprehensive service provider management policy, formal agreements and robust monitoring, so that responsibility for risk management is strengthened.
In the sectors named above, crypto-assets were listed as an example of an emerging technology requiring special focus. Under the current draft of CPS 230, an APRA-regulated entity that conducts business in relation to cryptocurrency would be required to:
- assess the impact of new crypto-asset products, services and technology on its operational risk profile
- carefully manage agreements with third-party service providers, including those the entity relies on to offer crypto-based products and services, and
- conduct exercises, in the ordinary course of business, that cover scenarios in which services provided by third-party service providers are disrupted.
CPS 230 is set to come into force on 1 January 2024. Written submissions may be provided to APRA up to 21 October 2022.
For a full reading of the draft standard, see here.
If you require regulatory advice on managing the provision of services to banks and other authorised deposit-taking institutions in compliance with APRA standards, please feel free to contact us for a discussion.