
Guide to Prudential Standard CPS 231 Outsourcing for APRA-Regulated Institutions

Noggin

Continuity Management Software

Updated August 21, 2023

APRA and its role

An independent statutory authority, the Australian Prudential Regulation Authority (APRA) supervises financial and related institutions across the banking, insurance, and superannuation sectors.

APRA is accountable to the Australian Parliament, which has tasked the authority with maintaining the safety and soundness of the financial industry. More specifically, APRA is responsible for protecting the interests of depositors, policyholders, and superannuation fund members.

To promote the stability of the financial system, APRA works in tandem with other regulatory bodies, including the Australian Treasury, the Reserve Bank of Australia, and the Australian Securities and Investments Commission.

Entities APRA oversees

  • Authorised deposit-taking institutions (such as banks, building societies, and credit unions)
  • General insurers
  • Life insurers
  • Friendly societies
  • Private health insurers
  • Reinsurance companies
  • Superannuation funds (other than self-managed funds)

Why is APRA interested in risk to businesses?

The failure of just one regulated institution can undermine the stability of the financial system. For that reason, APRA is obliged to maintain a low incidence of failure among the entities it regulates.

Of course, APRA can only do so much on its own. It must therefore compel the management and directors of those entities (most likely the Board of Directors) to ensure that their own institutions remain sound.

APRA primarily does so through the imposition of prudential standards. These standards largely involve risk and business continuity management. They are put in place to increase resilience to business disruption arising from internal and external events, and to reduce the impact of such disruption on business operations, reputation, profitability, depositors, policyholders, and other stakeholders.

Key standards address capital adequacy, liquidity, and governance to ensure that systemic risks (i.e., risks that would endanger the system as a whole) are properly managed.

Outsourcing falls under this rubric as well. And so, in July 2016, APRA released Prudential Standard CPS 231 Outsourcing, to which this guide provides a primer.

About Prudential Standard CPS 231 Outsourcing

Outsourcing, which CPS 231 regulates, means entering into an arrangement with another party (including a related body corporate) to perform, on a continuing basis, a business activity that currently is, or could be, undertaken by the institution itself.

Although handed down by APRA, CPS 231 derives its statutory authority from subsections of existing parliamentary law. Those laws include:

  • Banking Act 1959
  • Insurance Act 1973
  • Life Insurance Act 1995

What then does the standard do? According to its text, the prudential standard requires that all outsourcing arrangements involving material business activities entered into by an APRA-regulated institution and a “Head of a group” be subject to appropriate due diligence, approval, and ongoing monitoring.

Further, all risks arising from outsourcing said material business activities must be appropriately managed to ensure that the APRA-regulated institution, or the group it heads, is able to meet its financial and service obligations to its depositors and/or policyholders.

Understanding what constitutes material business activity is key to complying with the standard. Material business activity comprises any activity that has the potential, if disrupted, to have a significant impact on the APRA-regulated institution’s or group’s business operations or ability to manage risks effectively, as regards the following:

  • Financial and operational impact and impact on reputation of a failure of the service provider to perform over a given period of time
  • Cost of the outsourcing arrangement as a share of total costs
  • Degree of difficulty, including the time taken, in finding an alternative service provider or bringing the business activity in-house
  • Ability of the APRA-regulated institution or member of the group to meet regulatory requirements if there are problems with the service provider
  • Potential losses to the APRA-regulated institution’s or group’s customers and other affected parties in the event of a service provider failure
  • Affiliation or other relationship between the APRA-regulated institution or group and the service provider

How to comply? Well, the most salient requirements of this standard include:

  • Maintaining a policy, approved by the Board, relating to outsourcing of material business activities
  • Having sufficient monitoring processes in place to manage the outsourcing of material business activities
  • For all outsourcing of material business activities with third parties, having a legally binding agreement in place, unless otherwise agreed by APRA
  • Consulting with APRA prior to entering into agreements to outsource material business activities to service providers that conduct their activities outside of Australia
  • Notifying APRA after entering into agreements to outsource material business activities

As with many risk management standards, CPS 231 imposes timely notification requirements on regulated entities should they enter into outsourcing arrangements involving material business activity.

For starters, APRA-regulated institutions must notify the authority as soon as possible after entering into an outsourcing agreement and, in any event, no later than 20 business days after execution of the outsourcing agreement. This notification requirement applies to all outsourcing of material business activities.

What’s more, when APRA-regulated institutions notify APRA, they must also provide a summary of the key risks involved in the outsourcing arrangement and the risk mitigation strategies put in place to address these risks. APRA also has the discretion to request additional material where it considers it necessary to assess the impact of the outsourcing arrangement on the institution’s risk profile.

Taken from this vantage, CPS 231’s requirements simply extend risk management best practices to the realm of outsourcing. Requirements for APRA-regulated institutions, here, include:

  • Identify, assess, manage, mitigate, and report on risks associated with outsourcing to meet the institution’s financial and service obligations to its depositors, policyholders, and other stakeholders.
  • Have procedures to ensure that all the institution’s relevant business units are made aware of, and have processes and controls for monitoring compliance with, the outsourcing policy.
  • Rest ultimate responsibility on the Board for oversight of any outsourcing of a material business activity. Although outsourcing may result in the service provider having day-to-day managerial responsibility for a business activity, the APRA-regulated institution remains responsible for complying with all prudential requirements that relate to the outsourced business activity.
  • Give the Board of the APRA-regulated institution responsibility to ensure that outsourcing risks and controls are taken into account as part of the institution’s risk management strategy and when completing the mandatory risk management declaration to APRA.

Role of digital technology in APRA compliance

For APRA-regulated entities, compliance with CPS 231 might seem like a lot. However, adhering to best practices in risk management, business continuity, and outsourcing is beneficial in and of itself.

Furthermore, digital technology can help. Integrated platforms, like Noggin, give APRA-regulated institutions the risk management functionality to identify, assess, manage, mitigate, and report on risks associated with outsourcing.

Business continuity is also a critical component of outsourcing. Here, Noggin Continuity enables APRA-regulated entities to automate key functions that are crucial to compliance (e.g., recovery should disruption occur). Other Noggin Continuity capabilities that can help with compliance include:

  • Define domains, critical business activities, assets, and sites, as well as record interdependencies
  • Assess the risk and impact of outages across activities, assets, and sites, and implement risk treatment plans and actions to mitigate risks and reduce the likelihood or impact of incidents
  • Assign and track business impact assessment and risk management activities for organisational unit owners
  • Set recovery targets for business activities and report on progress against those targets as incidents occur
  • Visualise and report on the risk profile of the business and the impact on critical services
  • Digitise business continuity, crisis, and incident response plans, including strategies and considerations, roles and responsibilities, and pre-assigned checklists ready to deploy when incidents occur
  • Activate crisis and incident management teams, including structures, roles, capabilities required, and on-call resources
  • Record and manage incidents and response tasks, log and share updates, decisions, facts, and assumptions, and produce situation reports and briefings
  • Initiate and track investigations, capture evidence and related actions
  • Conduct exercises, post-incident reviews, and lessons learned
  • Visualise locations of incidents, risks, people, and assets using the fully integrated mapping features
  • Manage key details of staff, contractors, customers, suppliers, regulators, and external parties
  • Display key information where it is needed using flexible dashboards, analytics, and reporting that cater for all stakeholders
  • Automate and lead people through procedures, with fully configurable workflows

Finally, APRA-regulated entities are being asked to do their part to ensure the stability of the financial system. That means implementing best practices in risk management, business continuity, and outsourcing to mitigate key threats.

If those measures sound daunting, they don’t have to be. Digital technologies, like Noggin’s suite of safety and security management solutions, can help regulated entities comply with their requirements expeditiously, while getting the jump on the competition.

Citations

i. This standard applies to (a) authorised deposit-taking institutions (ADIs), including foreign ADIs, and non-operating holding companies authorised under the Banking Act (authorised banking NOHCs); (b) all general insurers, including Category C insurers, non-operating holding companies authorised under the Insurance Act (authorised insurance NOHCs) and parent entities of Level 2 insurance groups; and (c) all life companies, including friendly societies and eligible foreign life insurance companies (EFLICs), and non-operating holding companies registered under the Life Insurance Act (registered life NOHCs).
