Banks’ payments services, deposit-taking, custody, settlement and clearing will be classified as critical operations under a new APRA standard designed to minimise the impact of disruptions on the operations of banks, insurers and superannuation funds.
APRA released Prudential Standard CPS 230 Operational Risk Management yesterday, which includes new requirements to address identified weaknesses in existing controls and to improve business continuity planning to deal with severe disruptions.
The new standard also includes rules that enhance third-party risk management, so that risks from service providers are appropriately managed.
The standard says a regulated entity must not rely on a service provider unless it can ensure that in doing so it can continue to meet its prudential obligations in full and effectively manage the associated risks.
APRA also released draft Prudential Practice Guide CPG 230 Operational Risk Management to accompany the new standard.
The new standard will commence on 1 July 2025.
APRA chair John Lonsdale said in a statement: “The need for APRA’s new standard has been demonstrated by a number of recent operational risk control failures and disruptions, including material cyber breaches. This new standard will ensure that regulated entities set and test controls and maintain robust business continuity plans to respond if disruptions do occur.”
For the purposes of business continuity planning, the standard defines critical operations as processes undertaken by a regulated entity or its service provider which, if disrupted beyond tolerance levels, would have a material adverse impact on depositors, policy holders, beneficiaries or other customers, or its role in the financial system.
An authorised deposit-taking institution must classify payments, deposit-taking and management, custody, settlement and clearing as critical operations.
Operational risk incidents and “near misses” must be identified, escalated, recorded and addressed in a timely manner.
Where APRA considers that a regulated entity’s operational risk management has material weaknesses, it may require an independent review of the entity’s operational risk management, require the entity to develop a remediation program and require the entity to hold additional capital. It may also impose conditions on a licence.
Before entering into a service arrangement with a third party, a regulated entity must undertake due diligence and assess the financial and non-financial risks from reliance on the service provider.