Beware of vendor risks: the "push down" of CPS 230 obligations to service providers of APRA regulated entities

The Australian Prudential Regulation Authority (APRA) has released a draft Prudential Standard CPS 230 (CPS 230) for consultation. All going well, CPS 230 will become effective by 1 January 2024. CPS 230 is APRA’s latest cross-industry standard aimed at strengthening the management of risk, in this case operational risk, across the banking, insurance and superannuation industries.

Two key aspects of CPS 230, currently felt by APRA not being adequately addressed, are the (i) proposed prescribed standards for managing the risks associated with material service providers and (ii) monitoring, testing and notification. That is, once CPS 230 is in force, APRA-regulated entities will have obligations to assess and address the operational risks of material services provided to them and, on an ongoing basis, monitor, assess and ensure the compliance of material service providers with the relevant agreement which is to include prescribed provisions and be subject to ongoing operational risk management, even though such service providers are not themselves APRA-regulated. APRA states that this is in a response to APRA-regulated entities placing greater and greater reliance on third parties to undertake critical operations on their behalf.

However, CPS 230 and these aspects of it have not come out of ‘left field’ but follows the push by other Australian regulatory bodies to expand the scope of privacy and cybersecurity obligations and to include both third party provider risk management and ongoing monitoring, testing and assurance of the risk management controls implemented by the entity.

What is the purpose of CPS 230?

APRA’s aim is that CPS 230 will strengthen the ability and resilience of regulated financial institutions to manage and respond to operational risks and disruptions and is a response to the operational challenges posed by COVID-19, technology risks and natural disasters in recent years.

In a departure from the prior more prescriptive standards, CPS 230 includes a principles-based approach and consolidates the elements of prior Prudential Standards relating to third-party risk management, outsourcing and business continuity, being:

1.         CPS 231 Outsourcing;

2.         CPS 232 Business Continuity Management;

3.         SPS 231 Outsourcing;

4.         SPS 232 Business Continuity Management; and

5.         HPS 231 Outsourcing.

Among other obligations to uplift regulated entities’ management of operational risk, CPS 230 significantly expands the requirements for APRA-regulated entities to assess the risks of and manage material third party and even fourth party providers (i.e. any vendor that a third party service provider relies on in delivering its services to the APRA-regulated entity). While CPS 231 (and the related standards) had a much narrower focus on the “outsourcing” of material business activities CPS 230 targets a much broader scope, all third party (and fourth party) “material service providers.”

For service providers to APRA-regulated entities this means even more requirements will be ‘pushed down’ onto them in addition to more rigorous scrutiny under the new monitoring and assurance regime.

What service provider obligations are introduced by CPS 230?

At the heart of CPS 230 is that APRA-regulated entities must “manage the risks associated with the use of service providers.” APRA-regulated entities must only rely on (i.e. engage) material service providers where they can ensure that those service providers will not negatively impact on them fulfilling their prudential obligations and where they can manage all operational risks associated with those service providers.

As part of this risk management obligation, APRA-regulated entities must also develop, maintain and submit to APRA annually a service provider risk management policy. This document must include a register of material service providers and summarise the entity’s approach to entering into agreements and managing the operational risks of those material service providers (and the fourth party providers). A material service provider is any entity that an APRA-related entity relies on for critical operations or that exposes it to material operational risk (should such fail or not be provided). These are noted to include the areas of risk management, core technology services and mortgage and insurance brokerage. Accordingly, regulated entities that rely on and the providers of IT services, outsourced or otherwise, cloud computing or core data processing must consider the significant impacts of CPS 230 on their risk management practices, the obligations imposed on them and their agreements with all service providers.

Under CPS 230 APRA-regulated entities must also assess the risk impacts of new products, services, geographies, technologies and new providers on their operational risk profile and risk management controls. In particular, APRA notes that emerging technologies (especially crypto-assets) require more robust risk management and monitoring and that arrangements with service providers that offer products associated with crypto-assets and the resulting risks must be ‘prudently’ (i.e. closely) managed.

APRA-regulated entities must further comply with incident notification obligations. Specifically, an entity must notify APRA (i) within 72 hours after becoming aware of an operational risk incident that is likely to have a material financial impact or material impact on the entity’s maintenance of critical operations and (ii) within 24 hours if it has activated its Business Continuity Plan. These APRA incident notifications may also trigger or require notification under other regulator’s notification schemes (such as to the Privacy Commissioner) which we consider a potentially significant risk (e.g. forcing early notification before all the details of the data breach, for example, are known).

What are the obligations to manage service provider arrangements?

CPS 230 imposes strict requirements on APRA-regulated entities as regards the processes of entering into and the content of arrangements with material service providers. Prior to entering into, renewing or materially modifying an arrangement with a material service provider an APRA-regulated entity must:

• undertake appropriate due diligence (including an appropriate tender, selection and assessment process);
• assess the risks (both financial and non-financial) of relying on a service provider; and
• take steps to assess whether the provider is ‘systemically important’ in Australia (i.e. providers of significant market size and importance that distress or failure of those providers would cause serious and adverse economic consequences).

Once the entity has satisfied its due diligence obligation and is prepared to proceed it must enter into a formal legally binding agreement with the material service provider and must ensure that the agreement includes certain prescribed clauses, including clauses that:

• set out the rights, responsibilities and expectations of the parties, including any ownership/control of data;
• ensure that the APRA-regulated entity can meet its legal and compliance obligations (a very wide obligation which includes privacy and cyber obligations, for example, not just its CPS 230 obligations);
• require notification by the service provider of its use of other material service providers (i.e. sub-contracting or fourth party providers) and that any liability for sub-contractor failures rests with the service provider; and
• enable APRA to access certain documentation and data, conduct on-site visits of the service provider and ensure that the service provider will not impede APRA’s regulatory activities.

CPS 230 also imposes notification requirements on the APRA-regulated entity in relation to its agreements with material service providers and for offshoring agreements. That is, an entity must report to APRA within 20 days of entering into agreement for a material service and prior to any offshoring of a material service (including if data or personnel are located offshore) and for any significant amendments to such agreements.

How can Clyde & Co help?

Clyde & Co’s Cyber, Privacy and Technology Team has unparalleled and specialised expertise across the privacy, cyber, financial services information regulatory and broader technology practice areas. It also houses the largest dedicated and market leading privacy and cyber incident response practice across Australia and New Zealand.

The firm's tech, cyber and privacy practice provides end-to-end risk management solutions for clients. From advice, strategy, transactions, innovations, cyber and privacy pre-incident readiness, incident response and post-incident remediation through to regulatory investigations, dispute resolution, recoveries and third-party claims the team offer practical solutions focussed assistance and advice.

For more information, please contact Alec Christie, John Moran, Reece Corbett-Wilkins, Richard Berkahn or Chris Mclaughlin.