CPS 230: what is it – and how can you be ready from Day 1

03-12-2024

1. What is CPS 230?

Prudential Standard CPS 230, introduced by the Australian Prudential Regulation Authority (APRA), aims to bolster operational resilience across the banking, insurance, and superannuation sectors. Effective from 1 July 2025, CPS 230 focuses on three core areas:

  • Operational Risk Management: Ensuring entities can maintain critical operations within defined tolerance levels during disruptions.
  • Business Continuity Planning (BCP): Mandating regular testing and immediate reporting of significant incidents to APRA.
  • Service Provider Management: Requiring rigorous assessment and oversight of third-party service providers to ensure compliance with prudential obligations.

This standard consolidates and enhances previous guidelines to address evolving operational risks in the financial sector.

2. What is the timeline of its rollout?

CPS 230 will be implemented in phases:

  • 1 July 2025: The standard becomes effective for all APRA-regulated entities.
  • 1 July 2026: Full compliance is required, including for pre-existing contractual arrangements with service providers.

This phased approach allows entities to align their operations and third-party agreements with the new requirements.

3. Who does it impact and how does its application differ across participants?

CPS 230 applies to all APRA-regulated entities, including insurers, brokers, agencies, underwriters, and suppliers. Its application may vary, or carry a different emphasis, depending on the type of provider. For example:

  • Insurers: Must ensure operational resilience across complex portfolios and establish robust BCPs to protect policyholders.
  • Brokers and Agencies: Need to monitor third-party service agreements and ensure their operations align with compliance standards.
  • Underwriters: Face increased accountability for assessing operational risks tied to underwriting processes. This may call for automated controls to flag high-risk underwriting decisions for review, or detailed contingency plans for underwriting critical lines of business during system outages.
  • Suppliers: Will likely face stricter contract terms and compliance audits as part of service provider management.

4. What are the major requirements?

  • Tolerance Levels for Disruption: Define acceptable levels of disruption for critical operations. Tolerance levels for disruption are defined across three key dimensions: i) maximum period of time (i.e., duration of a disruption to a critical operation); ii) maximum extent of data loss; iii) minimum service levels (lowest acceptable level of service that must be maintained during a disruption). Entities should set these levels based on factors such as customer impact, financial implications, and regulatory requirements.
  • Incident Reporting: Notify APRA of significant disruptions within 24 hours (stricter than the current 72-hour requirement). Examples of reportable incidents might include a major IT system failure affecting customer transactions, or a cyber attack compromising customer data.
  • Third-Party Risk Management: Maintain a register of all material service providers and conduct detailed risk assessments for each arrangement. Practically, this may call for regular audits of service providers, implementing real-time performance monitoring tools, or conducting joint business continuity exercises as appropriate.
  • Board Accountability: Boards must oversee and periodically review the organisation’s operational resilience strategy.

5. What are the potential repercussions for not complying?

Non-compliance with CPS 230 can lead to:

  • Regulatory Penalties: APRA may impose fines or sanctions on non-compliant entities. While it has not issued specific guidance on this, APRA has broad enforcement powers that could include directions to comply, additional capital requirements, restrictions on business activities, or disqualification of responsible persons.
  • Reputational Damage: A failure to maintain operational continuity could harm customer trust (and market position in an increasingly competitive environment).
  • Operational Risk Exposure: Without adherence to CPS 230, entities may face prolonged disruptions, financial losses, or legal liabilities.

6. How can providers prepare for CPS 230?

It is critical that providers do not ‘kick the can down the road’ when thinking about CPS 230 obligations. Even organisations with seemingly robust risk and compliance practices should start planning now to be CPS 230-ready, as certain gaps may take time to resolve. Some practical steps include:

  • Conducting a Gap Analysis: Assess current operational resilience against CPS 230 requirements to identify gaps.
  • Enhancing BCP Testing: Regularly test and update business continuity plans to ensure alignment with the standard.
  • Reviewing Third-Party Agreements: Strengthen contractual terms with service providers to include CPS 230 compliance obligations.
  • Investing in Training: Equip staff and leadership with grounding in the heightened standards under CPS 230 (as well as any foundational operational risk / compliance principles if needed).
  • Leveraging Technology: Consider using user-friendly, future-focused software to help ready your organisation and build in safety nets to guard against bumps in the journey. Core capabilities may include centralising data and oversight, automating reporting, simplifying incident and breach processes, building a robust obligation and control register and testing process, and providing clear audit trails and documentation to demonstrate compliance.

7. Pre-mortem: What might go wrong (and what should you be thinking about now?)

In addition to tactical failures (e.g., failing to build robust BCPs, meet the shorter reporting deadlines, or properly assess third-party risks), we see a few potential failure modes that may arise under CPS 230:

  • Cumbersome Tech / Processes: CPS 230 will demand heightened visibility and the ability to become aware of (and react quickly to) any potential incident. Over-reliance on multiple spreadsheets and disconnected systems may severely hamper this required agility.
  • Weak Compliance Culture: The world’s best technology or written policies will be ineffectual without a team that has the right ‘buy-in’ and appreciation for robust compliance. We encourage a ‘see something, say something’ culture that permeates all levels of the organisation.
  • Over-reliance on Third-Party Providers: While outsourcing may streamline operations, it can heighten risk if third-party arrangements are not rigorously managed, as CPS 230 requires (somewhat of a step change from today). In addition to thorough risk assessments before onboarding a provider, organisations may include CPS 230-specific clauses in service agreements and conduct regular compliance testing of their providers through audits and risk reviews.

CPS 230 represents a significant shift in operational risk management for the insurance industry. In our view, the organisations best placed to avoid falling foul of these heightened standards – and, indeed, to strengthen both their operational foundations and customer trust – will be those that plan early, invest where needed, and cultivate buy-in across the organisation.