This article was co-authored with Kirk Boladeras.
On 28 July 2022, APRA announced that it is consulting on a new cross-industry Prudential Standard, CPS 230, designed to strengthen the management of operational risk in the banking, insurance and superannuation industries. APRA has released a discussion paper and a draft of CPS 230. Draft CPS 230 could significantly impact the technology procurement processes of APRA-regulated entities, and the terms on which they buy technology services, as well as all participants in a supply chain that includes an APRA-regulated entity.
Background
Earlier this year, APRA released its policy and supervision priorities for the next 12 to 18 months. In its policy priorities, APRA noted COVID-19 has demonstrated that management of operational risks and business continuity are core components of financial system resilience, and it is critical that all entities:
- have sound operational risk controls;
- are able to maintain continuity of essential services for customers through any temporary disruptions; and
- can manage the risks presented through arrangements with third parties.
The draft CPS 230 is a core part of giving effect to that overarching policy. The stated aims of draft CPS 230 are to strengthen operational risk management, improve business continuity planning and enhance third party risk management, by extending requirements to all material service providers that APRA-regulated entities rely upon for critical operations or that expose them to material operational risk, rather than just those that have been outsourced. The draft CPS 230 is intended to ensure that APRA-regulated entities are able to meet disruptive events such as COVID-19, as well as the challenges of rapid change in the industry and in technology more generally.
Given the scope of the draft CPS 230, it will replace a number of existing Prudential Standards, including:
- CPS 231 Outsourcing; and
- CPS 232 Business Continuity Management (and the corresponding superannuation standards SPS 231 and SPS 232 and private health insurance standard HPS 231).
CPS 234 Information Security is presently intended to continue.
The remainder of this article focusses on the third party risk management aspects of the draft CPS 230, and the way in which draft CPS 230 will impact arrangements between APRA-regulated entities and technology suppliers.
Third party risk management
The CPS 230 discussion paper notes that regulated entities are increasingly reliant on the use of third party service providers to support their business operations. Entities are looking to external service providers not only for current in-house services (i.e. outsourcing), but also for new services, and capabilities that extend their offerings to the market.
This activity increases complexity in supply chains (including the use of fourth parties) and corresponding risk. Examples of this increased complexity include the procurement of core cloud computing arrangements (software as a service, managed services), procurement of crypto-enabling technologies, and banking as a service (“BaaS”) arrangements (this is where a regulated entity provides a third party with access to a technology platform so that the third party can provide banking services to its own customers).
Draft CPS 230 would require an APRA-regulated entity to identify its ‘material service providers’ (i.e. providers on which the entity relies to undertake a critical operation or that could expose it to material operational risk, and specifically includes providers of core technology services) and manage the risks associated with the use of these providers. Some of the key draft requirements are as follows.
- An APRA-regulated entity must identify and maintain a register of material service providers, and submit it to APRA on an annual basis.
- An APRA-regulated entity must maintain a comprehensive service provider management policy that sets out how it will identify material service providers and manage the arrangements with such providers, including the management of material risks associated with the arrangements. The policy must include the entity’s approach to managing the risks associated with any fourth parties that material service providers rely on.
- Before entering into, renewing or materially modifying an arrangement with a material service provider, an APRA-regulated entity must undertake appropriate due diligence, conduct a tender and selection process, and assess financial and non-financial risks from reliance on the service provider.
- An APRA-regulated entity must conduct a comprehensive risk assessment before providing a material service to another party to ensure that it is able to continue to meet its prudential obligations after entering into the arrangement.
- An APRA-regulated entity must have a systematic testing program for its BCP, which includes disruptions to services provided by material service providers.
- An APRA-regulated entity must notify APRA as soon as possible, and not more than 20 business days after entering into, or materially changing, an agreement for the provision of a service on which the entity relies to undertake a critical operation, and prior to entering into any offshoring agreement with a material service provider.
- For all material service provider arrangements, an APRA-regulated entity must maintain a legally binding agreement with the service provider which at a minimum includes certain specified requirements including data, dispute resolution, liability, and failure on the part of a sub-contractor being a failure of the service provider. The agreement must also contain a force majeure provision that indicates those parts of the contract that would continue in the case of a force majeure event, termination provisions that include the right to terminate in whole and in part, and APRA audit and access rights.
Potential consequences
The requirements contained in the draft CPS 230 (some of which are set out above) will result in an increased compliance burden on APRA-regulated entities and impact other participants in the supply chain. We set out below some of the potential consequences and compliance obligations.
- Compared to the existing CPS 231, which applies to material outsourcings, draft CPS 230 will apply to a much broader range of arrangements with third party service providers. This range is difficult to pin down. This is because the definition of ‘material service provider’ in draft CPS 230 is not particularly clear. It includes terms such as ‘critical operation’ and ‘core technology service’ which are not themselves defined, and could capture a broad array of third party services; certainly more than just BaaS.
- It is likely that APRA-regulated entities will need to uplift vendor selection processes. The requirements to conduct due diligence and carry out a selection process are touched on in the existing CPS 231, but would, under draft CPS 230, due to the definition of ‘material service provider’, apply to more procurement projects, adding complexity and time to this process.
- APRA-regulated entities are likely to need to update standard contracts with technology vendors, (potentially) uplift contracts with existing vendors to meet the new requirements, and factor in the new requirements when negotiating with new vendors. On this last point, it is worth noting that the list of contractual requirements in draft CPS 230 is not co-extensive with the list in CPS 231:
- some parts of CPS 231 are not mentioned in the contractual requirements in draft CPS 230 (e.g. privacy and confidentiality);
- some parts of CPS 231 are expanded on in the contractual requirements in draft CPS 230 (e.g. termination, subcontracting, and APRA’s rights); and
- draft CPS 230 contains some new contractual requirements (e.g. force majeure provisions, and a requirement for notification by the service provider of its use of other material service providers).
- There are two points to note on this. First, we expect that the list will be refined as part of the feedback and submission process. Second, agreements with cloud software providers, for example, typically do not contain nuanced force majeure provisions and do not often contain the right to terminate the agreement in part. Some cloud vendors hold the balance of power in negotiations, and often insist on using their own paper: the proposed CPS 230 requirements may lead to prolonged and difficult negotiations with vendors.
- A final point on fourth parties. Fourth parties are defined in CPS 230 as “a party a service provider relies on in delivering services to an APRA-regulated entity.” That definition does not contain a materiality component so appears very broad. APRA-regulated entities would be required by draft CPS 230 to prepare a policy which includes fourth party risk management. One way that an APRA-regulated entity can demonstrate to APRA that it is managing the risks associated with fourth parties is if it can demonstrate that the processes of the fourth party, and terms between the fourth party and the third party service provider, comply with the requirements in CPS 230. In that way it is likely that the CPS 230 requirements will be pushed through the supply chain, and fourth party vendor selection (and in turn, third party vendor selection) will depend in part on the extent to which fourth parties are prepared to commit to, or align with, the requirements in CPS 230. Any vendor in a supply chain that includes an APRA-regulated entity should review its contracting processes, and terms, for alignment with draft CPS 230.
Next steps
APRA is seeking responses on draft CPS 230 by 21 October 2022. Following review of feedback and submissions, APRA plans to finalise the standard in early 2023 and release draft guidance for consultation. CPS 230 would then come into effect for all APRA-regulated entities from 1 January 2024.