Following its December 2010 consultation package, the Australian Prudential Regulation Authority (APRA) has released four prudential standards, intended to consolidate 12 existing standards across the authorised deposit-taking, general insurance and life insurance industries.
The consultation package included drafts of:
- Prudential Standard CPS 510 Governance (CPS 510 Governance);
- Prudential Standard CPS 520 Fit and Proper (CPS 520 Fit and Proper);
- Prudential Standard CPS 231 Outsourcing (CPS 231 Outsourcing); and
- Prudential Standard CPS 232 Business Continuity Management (CPS 232 Business Continuity Management).
The final consolidated prudential standards (CPSs 510, 520, 231 and 232) are substantially similar to the consolidated drafts. However, APRA has made minor amendments and editorial changes in response to stakeholder submissions.
In addition, requirements relating to business continuity management and outsourcing currently contained in Prudential Standard GPS 221 Risk Management: Level 2 Insurance(GPS 221) are being transferred into the relevant consolidated prudential standard. To facilitate this, GPS 221 has been reissued with these provisions omitted.
The relevant amendments are summarised as follows:
Delegation of Board functions
Submissions sought clarification on APRA's intention regarding the ability of the Board to delegate certain functions going forward. APRA has confirmed that the ultimate responsibility for outsourcing and business continuity management rests with the Board (or equivalent) of the regulated institution.
However, APRA has identified areas of operational efficiency that may involve certain functions being delegated to senior management or a Board committee[1]. As such:
- Subparagraph 22(d) of CPS 231 Outsourcing has been amended to enable the Board to delegate involvement in approving an outsourcing.[2]
- Paragraph 14 of CPS 232 Business Continuity Management has been retained. APRA does not consider the completion of a risk management declaration a function that can be delegated to senior management.
- To avoid confusion about APRA's expectations, CPS 232 Business Continuity Management has been amended to remove a paragraph of the standard requiring the Board to ensure that sufficient resources are allocated and maintained.
- As noted in the consultation package, CPS 510 Governance includes a requirement for the Board of each regulated institution that operates as part of a corporate group to approve the use of any group policies and functions in keeping with its responsibilities. APRA considers this to be prudent governance practice.
CPS 231 Outsourcing
CPS 231 Outsourcing has been amended to clarify that, where a foreign ADI, Category C insurer or eligible foreign life insurance company has entered into an outsourcing agreement with its head office, they are not required to:
- execute a legally binding outsourcing agreement; or
- demonstrate that they have taken into account contingency issues should the outsourced activity need to be brought in-house. [3]
CPS 232 Business Continuity Management
CPS 232 Business Continuity Management has been amended to clarify the definition of business impact analysis. The amendment clarifies that business impact analysis is:
- a process performed to identify the critical business operations. As such, a regulated institution cannot simply conduct a business impact analysis for critical business operations, rather, analysis must be conducted across the board in order to determine which operations are critical.
Moving forward
While APRA anticipates that all regulated institutions will be affected, it does not expect the effects to be significant. Nevertheless, in order to allow sufficient time for regulated institutions to review and ensure continued compliance with the requirements, the consolidated prudential standards will be effective from 1 July 2012.
The consultation package also indicated APRA's intention to harmonise existing industry-specific Prudential Practice Guides (PPGs) relating to governance, fitness and propriety, outsourcing and business continuity management. APRA expects to release draft consolidated PPGs for consultation in early 2012.
[1] APRA will provide further guidance on the role of the Board and senior management in the associated Prudential Practice Guides as appropriate.
[2] Consistent with current Prudential Standard APS 231.
[3] In accordance with CPS 232 Business Continuity Management.
This report does not comprise legal advice and neither Gadens Lawyers nor the authors accept any responsibility for it.
For more information, please contact:
|
Sydney |
|
|
|
Ray Giblett |
t (02) 9931 4833 |
|
|
Wendy Blacker |
t (02) 9931 4922 |
|
|
Melbourne |
|
|
|
Andrew Croxford |
t (03) 9252 2587 |
