QMV - Advisory, Consulting And Technology Firm - Superannuation, Insurance, Banking, Wealth Management


What Does CPS 230 Mean For Superannuation Funds

Resilient Operations - Preparing for CPS 230

The operational resilience of Australia’s superannuation system is facing a shake-up. The Australian Prudential Regulation Authority (APRA) is currently working through reforms to the prudential regulation of banks, insurers, and trustees of superannuation funds. This change will not only have a significant impact on APRA-regulated entities, but also on the supply chains of material service providers.

APRA is seeking to replace several existing industry-specific prudential standards with a new cross-industry operational risk prudential standard (CPS 230). This new standard will be binding on all APRA-regulated entities, and require APRA-regulated entities to effectively manage operational risks, maintain critical operations through disruptions, and manage the risks associated with service providers. For trustees of superannuation funds, CPS 230 will replace and supersede the current outsourcing (SPS 231) and business continuity (SPS 232) standards, and the related guidance. Importantly, the information security prudential standard (CPS 234) will remain in place and unchanged.

APRA created this prudential standard for superannuation funds to become more resilient against operational risks and service disruptions. This standard requires that, as part of their Risk Management Framework (RMF), trustees are responsible for ensuring robust approaches to identify and control the operational risks to critical business functions of the fund are in place.

Managing operational risk is not new; it has been prescribed as a material risk category under APRA’s Risk Management Prudential Standard (SPS 220) since 2012. There will, however, be some important changes which will require careful planning and consideration:

  • CPS 230 seeks to bring continuity and seamless operations for members and the financial system. Therefore, the new standard will require that trustees identify and maintain a register of critical operations. Critical operations will need critical tolerance levels to be defined.

  • CPS 230 prescribes business continuity plans to be created with dependable quality. When these principles are combined, funds will experience fewer disruptions or recover quickly from them.

  • All trustees will have to identify their fund’s material service providers according to the updated definitions. This shift from regulating outsourced material business activities to material service providers is likely to see a wider array of service providers covered than under SPS 231-mandated Outsourcing Policies. CPS 230 extends the scope of material service provider management as it also brings fourth parties into the definition. Superannuation trustees will have to monitor and prepare for the risks posed by them as well.

  • The proposed new standard prescribes certain provisions in relation to the contracts between trustees and material service providers.

  • Risk management strategies, business continuity plans, and material service arrangements (including offshoring) will be closely monitored by APRA. Funds must allow audits and constantly report on any changes and disruptions.

APRA intends to issue draft prudential guidance in mid-2023 and the standard will commence on 1 July 2025. However, APRA has indicated that transitional arrangements will apply where there is a contract with a material service provider already in existence. The deadline for compliance for any such arrangement will be either the renewal date or 1 July 2026 (whichever is earlier).

Key points of CPS 230 for Superannuation Trustees

Scope

CPS 230 is a cross industry prudential standard, and therefore will apply to all RSE Licensees.

Three Pillars of CPS 230


Risk Management Integration Framework

Operational risk is already a prescribed material risk category as part of a superannuation trustee’s risk management framework. There may, however, need to be changes to the specific operational risks that have been identified, the trustee’s appetite or tolerance, or the controls in place to manage operational risks. It is important that, as trustees implement changes in response to CPS 230, consideration is given to ensuring that this is reflected in the risk management framework.

Clearer roles and Board Accountability

APRA makes clear that, with CPS 230, the board of a superannuation fund has clearer responsibility for managing operational risks, ensuring business continuity, and managing the material service providers. Hence, CPS 230 prescribes the definition of clearer roles for senior management.

Also, the board must implement internal controls to stay on track with the changing operational risk profile. It must be proactive about service disruptions and must be ready to take swift action. Finally, the board bears the onus of regularly reviewing material service provider arrangements.

Operational Risk Management

Managing operational risks is already an essential part of business planning for superannuation funds. Operational risk profiles and operational resilience are two topics that will underpin almost every function, business decision, and project a superannuation trustee undertakes. Therefore, CPS 230 requires proactive monitoring, data collection, and documentation for effective analysis of these elements. Identifying critical processes and dependencies within the fund’s organisation will be vital to improve operational resilience.

Operational resilience will need to be understood through better scenario testing; regular monitoring and gap analyses are prescribed as a part of business as usual for superannuation trustees. When incidents occur, trustees must have measures in place to deal with them. CPS 230 also makes it mandatory to notify APRA within 72 hours of any operational risk incident that is likely to have a material financial impact or a material impact on the ability of the entity to maintain its critical operations.

Business Continuity Planning

APRA requires a register of critical operations as a part of CPS 230. As mentioned above, the board must make it a core responsibility to identify those. Also, this register must feed into any business planning process. To make things less intuitive, CPS 230 introduces “tolerance levels”. Identifying these tolerance levels will allow superannuation funds to brace for any disruption in their critical operations.

The business continuity plan (BCP) prescribed by CPS 230 must include the register, tolerance levels, and certain triggers to put the plan itself in action. However, these plans can’t be rigid. APRA requires constant reviewing and changing of these plans. Beginning from the board, the senior management of a super fund must maintain compliance with its BCP across all organisational levels.

The BCP must be a living element of the business and subjected to testing and scenarios to improve it constantly. CPS 230 makes ongoing audits and reviews of the BCP a responsibility of the board. The ultimate purpose of a BCP is ensuring that a superannuation fund keeps its critical operations running in the face of an incident.

Management of material service provider arrangements

The draft version of CPS 230 prescribes a comprehensive policy to manage material service provider arrangements as a new requirement. This is likely to replace the outsourcing policy currently prescribed by SPS 231. Superannuation trustees must create and maintain a register that lists all material service providers they engage with. Additionally, this policy must outline how funds will enter into, maintain, and exit the agreements they form with the service providers.

There are some important new requirements that would be introduced by CPS 230. In addition to due diligence and a robust decision-making process, there is a requirement for trustees to take reasonable steps to assess whether the material service provider is systemically important in Australia. This is a little odd, as systemic risks are difficult for individual actors within the system to manage and present a risk to the entire financial system rather than any particular entity.

Another new requirement for material service provider contracts would require the liability for any failure on the part of any sub-contractor to be the responsibility of the service provider. Such a change could have a significant impact on the pricing of custodial services, where a global custodian will typically not assume liability of sub-custodians (and process fees accordingly).

There is also a new power for APRA to review and require a trustee to make changes to a service provider arrangement where it identifies heightened prudential concerns. This introduces a degree of uncertainty which might see some service providers baulking at what such unknown changes might entail.

As part of the risk management framework, funds will be identifying and analysing all risk posed by material service providers. Also, they will have to stay on track with any potential fourth parties the service providers might engage. CPS 230 makes it a requirement to manage and mitigate all risk coming from third and fourth parties. All activity must also conform to CPS 234.

Trustees must continue to report to APRA when there is a new agreement, change to an existing agreement, and any termination. Also, funds must report on their offshoring arrangements. The deadline to report is 20 business days.

Getting a head start

Prudential Standard CPS 230 sets out new requirements for operational risk management in the superannuation industry. By taking steps to start early in implementing changes, superannuation trustees can avoid the last-minute dash to the compliance deadline and continue to effectively manage operational risks, maintain the continuity of critical operations, and enhance their resilience to disruptions. This, in turn, contributes to the stability and integrity of the superannuation industry, promoting trust and confidence from customers, stakeholders, and regulators alike.


If your organisation needs assistance with CPS 230 readiness, risk identification and assessment, BCP reviews and management of service providers, QMV can help. Please reach out to QMV for further information on +61 3 9620 0707.


ABOUT QMV

QMV provides independent advisory, consulting and technology to superannuation, wealth management, banking and insurance organisations. 
