Get your skates on super trustees
APRA's finalised CPG 230 Operational Risk Management triggers a call to action
The Australian Prudential Regulation Authority (APRA) finalised and released its Prudential Practice Guide CPG 230 Operational Risk Management (CPG 230) on 13 June. Alongside CPG 230, APRA published some informative guidance and responses to issues presented to APRA through various written submissions and industry engagement (response paper).
Whilst smaller APRA-regulated financial institutions (non-SFIs) have been given some extra time to meet business continuity requirements, the clear message from APRA is a polite "get your skates on". It seems to us that CPG 230 and the response paper are, when read in the broader context, a bit of an iceberg: there is plenty below the water line. In particular, super trustees need to be mapping out existing and future material service provider arrangements and critical operations in order to ensure agreements are future-proofed and there is a clear transition plan in place.
APRA describes the final CPG 230 as shorter, sharper guidance with a focus on clearly setting out effective "baseline" compliance requirements. The key takeaways are:
- A Day 1 checklist summarising APRA's ten actions that are expected to be in place from 1 July 2025, with a weighting on management of material service providers. Pragmatically, a top business priority for the next few months should be building a robust plan to manage the transition of service provider agreements over the coming 24 months, critically, prioritising existing and proposed new arrangements and resourcing up to avoid bottlenecks.
- In respect of managing risks associated with fourth parties relied on by suppliers, APRA's expectation has been moderated to requiring entities to:
  - outline, as part of a service provider management policy, the approach to managing risks associated with fourth parties; and
  - take reasonable steps to know which fourth parties are relied on by a material service provider to deliver a service necessary to support a critical operation.
- For non-SFIs (for super trustees, those funds having total assets of less than AUD30 billion), the start date for requirements relating to business continuity and scenario analysis has been pushed back to 1 July 2026. In offering more time, APRA is looking to give smaller entities a bit more space to get their foundations right. Non-SFIs taking advantage of this extra time will need to continue to meet the existing prudential standards CPS 232 and SPS 232 (as relevant) on Business Continuity Management in the interim period. Attachment A to the response paper gives helpful guidance on the key prudential standard content to meet during this transition.
- The first material service provider register does not need to be lodged with APRA until 1 October 2025.
- An outline of APRA's supervisory program for CPS 230 over 2025-2028. The program includes prudential reviews for selected SFIs from 2025 onwards. A selection of non-SFIs are to have prudential meetings, with prudential reviews for non-SFIs only on an exception basis in 2025.
A recap on timelines
- CPS 230 will apply to material service providers relied on to deliver a critical operation from 1 July 2025;
- For material service provider contracts already in place on 1 July 2025, CPS 230 will apply from the earlier of the next renewal date for the contract or 1 July 2026;
- For non-SFIs the requirements relating to business continuity and scenario analysis commence from 1 July 2026; and
- APRA's response paper flags that it expects all super trustees:
  - to have identified critical operations and material service providers by mid-2024; and
  - to be positioned to set risk tolerance levels by end of 2024.
Managing service providers (including asset management) relationships
To succeed in the management of service provider arrangements through this transition, super trustees should ideally group their suppliers into: (i) new suppliers that are expected to be engaged from now on (new suppliers); (ii) existing providers with a renewal date before 1 July 2026, or a pending contract renegotiation or material amendment (imminent renewals); and (iii) those with no renewal date or with renewal dates from 1 July 2026 (later renewals). A key planning and resourcing priority is to avoid double-barrelled contract negotiations with new suppliers and with imminent renewals (that is, negotiating contract terms under current prudential requirements and then re-negotiating the post-CPS 230 contract terms). To do this, super trustees will need to consider drafting new supplier agreements to meet both the current and the ongoing CPS 230 requirements. Where faced with a material review of a current provider's agreement, super trustees may have to just "bite the bullet" and reshape the agreement to meet CPS 230.
An associated issue for super trustees to be cognisant of when considering the application of CPS 230 is the investment approach their funds have adopted for asset management arrangements. In particular, issues may arise depending on whether the structures and mandates adopted for asset management amount to a material service provider arrangement, even where this is not organised through traditional mandate terms. This would include identifying and considering so-called "custom" funds, funds-of-one and related co-investment arrangements.
Fourth Parties
In practice, a potentially challenging element of managing this contractual transition efficiently will be the gathering and analysis of information regarding fourth party reliance. The natural reluctance of fourth parties to be drawn into upstream regulatory requirements is not always easy to manage. However, trustees are obliged to take reasonable steps to know which fourth parties are relied on by a material service provider to deliver services necessary to support a critical operation.
Reviewing contracts with CPS 900 linkage
Under CPS 900 Resolution Planning, APRA may require an entity to uplift its resolution readiness, including supplier contract renegotiation to ensure that the entity has 'resolution-resilient' contracts. Where it brings resourcing efficiencies, it would be prudent to include consideration of contracts to which CPS 900 is likely to apply, when undertaking the CPS 230 contract renegotiations.
APRA's response paper flags that resolution-resilient contracts are those that:
- "have been amended to ensure that service providers may not terminate, cancel, suspend, or vary terms solely on the grounds of APRA exercising any of its powers in connection with resolution; and
- ensure continued access, on arm's length commercial terms, to services after APRA exercises its powers in connection with resolution. This includes continuity through any restructure or transfer that may be part of the resolution plan."
A recap on scope for super trustees
To recap on the application of CPS 230 for super trustees, CPS 230 effectively mandates that material service providers include those providing the following services:
- investment management;
- fund administration;
- customer enquiries functions;
- arrangements with promoters and financial planners;
- custodial services;
- risk management;
- core technology services;
- internal audit; and
- the systems and infrastructure required to support critical operations.
APRA expects super trustees to consider and classify any additional services that are relied on to undertake a critical operation, or that expose it to material operational risk and to apply CPS 230 requirements to those operations' relevant material service providers and fourth parties. Nothing in CPG 230 dilutes these CPS 230 requirements.
Useful guidance
Whilst the industry has been keenly awaiting the finalisation of CPG 230, its final form is a significant cut-back in content compared to its consultation draft. This cut-back is in response to industry concerns that:
- the better practice examples and advice could be interpreted as raising the bar in terms of meeting the CPS 230 and CPG 230 requirements;
- implementing fourth party requirements was too commercially difficult to achieve in the short term; and
- more broadly, entities may not be able to meet the CPS 230 requirements and have completed service provider assessments by 1 July 2025.
APRA endorses a top-down rather than bottom-up analysis of operational risk when implementing CPS 230, advising that those super trustees identifying critical operations by taking the top-down approach report greater insight into the resilience of critical operations and better progress on implementation.
APRA expects that where a material weakness in operational risk management is identified in building the CPS 230 program, the super trustee takes the initiative and keeps APRA informed of the weakness and the measures being undertaken to address it. APRA expects scenario analysis to be used to develop risk profiles, and CPG 230 provides some elaboration on the design, testing and monitoring of effective controls. Table 2 of the response paper sets out steps to assess operational risk profiles.
The challenge of proportionality
It is fair to say that assessing proportionality remains a challenge for even the most considered super trustees. Neither CPS 230 nor CPG 230 provides any specific proportionality guidance in the context of operational risk management. In the response paper APRA points the way to a proportionate implementation by reinforcing that CPS 230 is a baseline expectation of all entities, that it expects SFIs to have stronger practices commensurate with the size and complexity of their operations, and that all super trustees will mature their practices over time as their business operations evolve. Consideration of size, business mix and complexity remains the cornerstone of proportionality.
Getting your skates on
CPG 230 provides more certainty than the consultation draft CPG 230 as to the regulatory baseline expectations. The concession on non-SFI adoption of business continuity requirements is helpful in the context of APRA's recent letter on the security and adequacy of backups, which flagged APRA's general concern that data backups and protection against data loss remain problematic in achieving the standards expected under CPS 234 Information Security.
Now is the time for super trustees to ensure they are on track with their material service provider contract renegotiation workstreams and confident that they are adequately resourced and will not lose momentum in bottlenecks. Prioritising current and pending arrangements, gathering fourth party information and ensuring CPS 234 and CPS 900 readiness rolls up a lot of work that is best not back-ended or clustered around the CPS 230 July 2025 and 2026 deadlines. As for super trustees' service providers, including asset managers, they should be aware that a range of existing material contracts are likely at some point to need to be revisited, and that previous market standards for contractual terms are likely to shift as a result.