Australia | Publication | August 2024
With the first set of reforms due to commence on 15 March 2025, insurers are no doubt gearing up for the implementation of the Financial Accountability Regime (FAR) and Prudential Standard CPS 230 Operational Risk Management (CPS 230). Ahead of this, ASIC and APRA have recently released the FAR Regulator Rules for Insurers and APRA has finalised its Prudential Practice Guide CPG 230.
The finalised materials provide greater clarity and certainty to insurers on the reforms, which are designed to lift accountability standards and operational resilience across APRA regulated industries.
In this article, we share our insights on the recently finalised materials as applicable to the insurance industry (affecting general, life, and private health insurers), including updated comments from APRA on fourth party risks that have caused some consternation in the insurance industry.
| End of 2024 | Insurers positioned to set tolerance levels under CPS 230 |
| 15 March 2025 | Implementation of the FAR |
| 1 July 2025 | CPS 230 Implementation Date |
| 1 July 2026 | Commencement of Business Continuity related components of CPS 230 for non significant financial institutions (non SFIs). |
APRA and ASIC have issued the Financial Accountability Regime Regulator Rules Amendment Instrument No. 1 of 2024 (Cth) which formalises the Regulator Rules for Insurers under the FAR. There have only been minor changes. The Regulator Rules prescribe the key functions and information for inclusion in the FAR register of accountable persons. They previously only included the key functions applicable to authorised deposit-taking institutions.
The following key functions are now prescribed for insurers:1
| Column1 | Column 2 |
| Insurance key function | An accountable person has responsibility for the Insurance Key Function in Column 1 if they have actual or effective senior executive responsibility for management or control of the whole of, or a significant or substantial part or aspect of, the applicable key function as described in this Column 2 |
| 1. Capital management | Capital management function, including the Internal Capital Adequacy Assessment Process, stress testing, capital buffers and capital instruments. |
| 2. Conduct risk management | Conduct risk management, including the identification and monitoring of the risk of inappropriate, unethical or unlawful behaviour on the part of the accountable entity’s management or employees. |
| 3. Data management | Data management, including data strategy, data architecture, data management framework and governance, data quality and issue management, and data risk management, including the state of data controls and data privacy. |
| 4. Financial and regulatory reporting | Financial and regulatory reporting function, including the preparation of statutory financial reporting, financial market disclosures (where relevant), and regulatory data collections, to relevant regulators including APRA and ASIC. |
| 5. Hardship processes | Hardship policies, procedures and practices for responding to and managing consumers experiencing financial difficulty (not limited to any specific remediation activity). |
| 6. Insurance risk management |
Product design, development and distribution, reserving and pricing functions including: framework, strategy, policies, procedures, assessment, pricing targets and tolerances, and any other related aspects. Note: This key function is different from the ‘Product design and distribution obligations’ key function in that this relates to managing insurance risk of the entity (i.e. issues/matters that may impact the financial soundness of the insurer and reporting and governance thereof). |
| 7. Operational risk management |
Operational risk management function, including:
|
| 8. Product design and distribution obligations |
The various activities involved in complying with the product design and distribution obligations. Note: The product design and distribution obligations and the product origination key functions are related but may be distinguished as follows—The product design and distribution obligations involve ongoing monitoring of products and product governance arrangements, throughout the lifecycle of the product; the product origination obligations are concerned with specific obligations at the time the consumer acquires the product. |
| 9. Product origination | Product origination obligations that relate to financial products—including obligations relating to disclosure, contract formation and insurer representations. |
| 10. Recovery and exit planning and resolution planning |
Recovery and exit planning function, including governance arrangements, trigger frameworks, recovery and exit options, scenario analysis, assessment of recovery capacity, and communication strategy. Resolution planning function, including assisting APRA in identifying any critical functions, assessing the feasibility of resolution options, and removing barriers to the execution of a resolution plan. |
| 11. Reinsurance management | Reinsurance functions including reinsurance strategy, management and administration. |
| 12. Scam management | The entity’s policies, procedures and practices designed to prevent and mitigate consumer loss from scams and fraud, and to respond to incidents of scams and fraud and consumers who have been affected by such incidents. |
| 13. Technology management | Technology management, including technology strategy, lifecycle management of technology used, state of technology controls, information security, disaster recovery, technology operations and infrastructure (including management and maintenance of business and technology applications). |
| 14. Training and monitoring of relevant representatives and staff | Training and monitoring of staff and representatives providing financial products or financial services or engaging in activities on behalf of a licensee. This includes training on mandatory continuous education on a product, service or activity. |
| 15. Underwriting |
Underwriting function including:
|
| 16. Whistleblower policy and process | Implementation and monitoring of the entity’s whistleblower policy and processes. |
The release of the key functions list will now assist insurers in completing their FAR implementation projects, including the identification of accountable persons, preparation of statements and mapping exercises as required.
However, it is important to note that the list of key functions outlined in the Regulator Rules is not exhaustive. Even if all the applicable key functions are allocated, this does not mean that the insurer has covered all aspects of its operations. Furthermore, insurers must assess which of the key functions are applicable to them. For example, some of the key functions in the list above are not applicable to private health insurers, and this is acknowledged by the Regulators.2
ASIC has also recently re-issued Regulatory Guide 279 with additional commentary on the FAR.
While the FAR go-live date is 15 March 2025, insurers have slightly more time to prepare for CPS 230 as it does not commence until 1 July 2025. Furthermore, APRA has given non SFIs additional time to comply with certain business continuity requirements (more on this below).
Following consultation with the industry, APRA has now released the final Prudential Practice Guide CPG 230 Operational Risk Management setting out APRA’s expectations around compliance with CPS 230.
The finalised guidance, together with APRA’s responses to the consultation, provide some welcome clarification on areas previously uncertain.
| The following items may be of particular interest to insurers: | |
| Insurance brokerage and reinsurance providers |
APRA has responded to concerns that insurance brokerage and reinsurers would have to be classified as material service providers under paragraph 50 of CPS 230, regardless of their size or the nature and scope of the services being provided to insurer. APRA has clarified that while CPS 230 is now final, it does not intend to capture arm’s length transactions, such as the purchase of reinsurance or the intermediation of an insurance policy by insurance broker. Such transactions do not automatically deem the provider of the service a material service provider. APRA has clarified that CPS 230 is intended to capture those arrangements where an insurer relies on a service provider to undertake a critical operation (as defined in the Prudential Standard) or where the arrangement introduces a material operational risk to the insurer. APRA says that CPS 230 is only intended to capture brokers if an entity relies on the broker in delivering a critical operation or the broker introduces material operational risk to the insurer. |
| Fourth party risks |
The capture of fourth party risks has caused much consternation among insurers due to the potential challenges in obtaining information from service providers and the costs associated with oversight of third and fourth parties. A fourth party is a party that a material service provider of the insurer relies on to deliver a critical operation. Under the draft prudential guidance, APRA indicated that it would expect insurers to manage the risks associated with fourth party and other downstream service providers for critical operations including through contractual provisions and assurances. These requirements have now been removed in the finalised guidance. APRA has clarified that it expects insurers to outline as part of its service provider management policy its approach to managing the risks associated with fourth parties and to take reasonable steps to identify the fourth parties where the fourth party is relied upon to deliver a service necessary to support a critical operation. This provides more leeway for insurers to design a fourth party risk management strategy that suits them. |
| Interaction with Resolution Planning CPS 900 |
APRA has clarified how Prudential Standard CPS 900 (Resolution Planning) (CPS 900) interacts with CPS 230. Firstly, ‘critical functions’ and ‘critical operations’ are distinct concepts under the respective prudential standards although there is some overlap. ‘Critical functions’ under CPS 900 are also ‘critical operations’ under CPS 230. If CPS 900 applies to the insurer (i.e. SFIs or non SFIs determined by APRA), APRA may require entities to amend certain contracts with service providers to make them “resolution resilient” such that critical functions are maintained in resolution. This may include services that support an entity’s critical functions, business lines, daily operations and/or resolution capabilities. APRA has suggested entities could amend contracts to meet CPS 900 at the same time as they make their CPS 230 updates, rather than reopening the contract regime when APRA initiates resolution planning with them. |
| Delayed start date | Insurers will also be relieved to know that APRA has agreed to delay the start date for certain business continuity related requirements under CPS 230, postponing the implementation date for these requirements from 1 July 2025 to 1 July 2026. This extension is only available to non SFIs. The extension applies to paragraphs 40 to 46 of CPS 230. |
With the regulators issuing finalised materials for the FAR and CPS 230, insurers should now progress their implementation projects in earnest. The materials provide welcome clarification on key aspects that were previously uncertain. Furthermore, while the reforms will affect all APRA regulated entities, it is pleasing to see APRA address the insurance industry’s specific concerns in its response, for example, the clarification around the classification of insurance brokers and reinsurance.
Publication
On September 15, 2024, the Federal Executive Branch published a reform to the Mexican Constitution that directly impacts the organizational structure, administration and operation of the Federal Judicial Branch.
Subscribe and stay up to date with the latest legal news, information and events . . .
© Norton Rose Fulbright LLP 2023
