In June this year, APRA published its eight proposed changes to its governance prudential standards. We have summarised APRA’s updated/clarified position and provided guidance on some steps that boards should be taking to prepare for the revised standards.
ASIC Commissioner Alan Kirkland outlines key regulatory priorities in the credit sector, focusing on responsible lending, dispute resolution, and protecting vulnerable consumers from misconduct.
In today’s fast-moving business landscape, Boards must take a strategic approach to governance. This article explores key priorities including regulatory compliance, cyber and AI risk, operational resilience, and navigating market volatility.
ADIs are navigating regulatory reform, digital transformation, and rising fraud risks by strengthening governance, modernising infrastructure, and aligning strategy with compliance to drive resilience and long-term value.
As the CPS 234 Information Security tripartite review program nears its end in June 2024, APRA-regulated entities face a critical moment. The upcoming CPS 230 Operational Risk Management implementation is closely linked to CPS 234, requiring preparation from regulated entities and service providers.
This week, the Australian Prudential Regulation Authority (APRA) finalised new requirements to Prudential Standard CPS 511 Remuneration, which will significantly impact authorised deposit-taking institutions (ADIs), insurers, and superannuation entities. This new standard requires APRA-regulated entities to publish details around their remuneration frameworks, design, governance, and outcomes. These changes come in an effort to create more transparency and improve risk management, in particular in the context of the poorly designed and executed remuneration frameworks exposed through the financial services Royal Commission.
CPS 230 requires regulated entities to consider service disruption from a different perspective. Working backwards through a scenario, entities must identify the harm that a disruption may cause to their customers or the broader financial system, then take active measures to prevent it (operational risk) and recover from it (operational resilience).
On 10 November, APRA released the insights from its latest risk culture survey in an Insight, “No room for complacency on bank risk culture”. This survey was rolled out to 18 ADIs in late 2021. APRA’s analysis included matters for ADIs to consider; however, in our experience these could equally be applied to insurers and Registrable Superannuation Entity Licensees (RSELs).
One of the most common ways of managing operational risk is through a system of effective internal controls. Control failures, however, can lead to events as varied as mis-selling, data breaches and underpayments. As such, APRA has strengthened the focus on operational risk management in Prudential Standard CPS 230. In this second series of our CPS 230 technical guides we provide an overview of some necessary elements to achieve strong operational risk management and why it is the foundation of operational resilience.
Last week the Australian Prudential Regulation Authority (APRA) released the key observations from its thematic review of related party outsourcing arrangements across a sample of 10 retail superannuation trustees with outsourcing contracts worth a combined $1.2 billion annually.
As we watch the ramifications of the recent widespread data breach continue to play out in the media and on the floor of Federal Parliament, I keep reflecting on the requirements of APRA Prudential Standards CPS 234: Information Security and the draft Prudential Standard CPS 230: Operational Risk Management. If ever there was any doubt in the minds of Boards or Management as to why the focus on cyber security and operational resilience, then the current situation brings this into stark focus.
APRA has released draft Prudential Standard CPS 230 Operational Risk Management for comment. CPS 230 will replace CPS 231: Outsourcing and CPS 232: Business Continuity, and the sector-specific standards HPS 231, SPS 231 and SPS 232. What is operational resilience? Operational risk management analyses and defines risks associated with people, processes, and systems. Operational resilience defines the approach to managing operational risks.