Specific Risks
5.1.4 Transaction and Technology Risk
Transaction risk is the risk that a financial loss is incurred as a result of a transaction not being executed completely and accurately and may arise from poor internal management or even possibly legal risk. Proper systems, controls and experienced personnel will minimise this risk. An SSP must demonstrate satisfactory systems for accurate and timely data capture and ensure that personnel and systems can cope with present and anticipated volumes of all types of transactions. Further, where SSPs provide treasury management functions, effective separation of front and back office operations must be established.
Technology risk is the risk of technological failure either through inadequate technological support to manage risks, for example, inappropriate software, or, at the more basic level, failure of a computer system. SSPs must have systems which safeguard the integrity and security of their data including disaster recovery plans.
5.1.5 Operations Risk
SSPs are exposed to a range of operations risk in carrying out their day-to-day business. Many of these risks are insurable, others are not. Risks arise from a number of sources, including litigation associated with discrimination, negligent advice and invasion of privacy. Whether or not these risks are insured or even insurable, SSPs must demonstrate an understanding of the risks involved and the capacity to measure, monitor and control them.
An important source of insurable operations risk arises from potential damage to the physical assets of the SSP through accident or fire. Further, while compulsory worker's compensation covers potential loss through accidents involving staff, there is a similar risk to members of the public that is not automatically insured. Other operational risks arise from the potential for legal action against the SSP or its directors.
In addition to compulsory worker's compensation, all SSPs should carry effective insurance with a reputable insurance company to protect their personnel, operations and physical assets. Each SSP should carry the following insurance policies with cover at an appropriate level:
- fidelity guarantee;
- asset protection, including fire and malicious damage;
- directors' and officers' liability;
- public liability;
- professional indemnity; and
- business interruptions.
AFIC will seek details of insurance policies and each SSP's approach to insurance.
The practices of management are a particular source of potential loss to SSPs. While there can be no doubt that management has full discretion to carry on the business as it sees fit, the pivotal role of SSPs in the lives of their constituent societies demands that certain minimum standards be observed over and above those required of societies.
Each SSP must satisfy AFIC that at all times it possesses sufficient management expertise and resources to perform its functions satisfactorily. AFIC will seek evidence that the management of each SSP can demonstrate, amongst other attributes:
- an intimate knowledge of the business of the societies served;
- appropriate systems to ensure adequate financial and internal control for services offered;
- a proven record of experience among directors and staff in the services offered; and
- the on-going commercial viability of operations.
More specifically, where an SSP offers treasury management services to societies, AFIC must be satisfied that the SSP, at all times:
- retains services of personnel with experience in treasury dealing and operations;
- maintains adequate financial and internal control over treasury functions, including separation of front and back office operations; and
- operates within dealing limits and procedures for exposure management.
The key to the control of management risk lies in a comprehensive management process, including adequate internal controls and disclosure. The board of directors and senior management of each SSP must be fully and frequently informed of decisions and practices undertaken throughout the institution. Similarly, supervision of management risk requires full and frequent disclosure to AFIC.
Accordingly, SSPs are required to notify AFIC immediately of any breakdowns in internal controls that will cause a material departure or omission to the legal, prudential or policy obligations of the SSP. They must also have an external audit or review conducted covering matters identified by AFIC. Results of these audits must be forwarded directly by the external auditor to AFIC.
Prudential Standards
5.1.4 Transaction and Technology Risk
5.1.4.a Each SSP must have comprehensive written policies and systems in respect of managing transaction and technology risk. The SSP must be able to demonstrate risk management and processing systems that monitor transactions and exposures from transactions. In addition to experienced personnel, each SSP must have the necessary technological support to effect risk management techniques associated with treasury management, settlement and any use of derivatives. Before expanding into new areas of financial intermediation, an SSP must ensure that the proper systems and controls are in place supported by the appropriate technology. Policies and systems must be audited annually by the SSP's external auditors.
5.1.4.b Each SSP must also provide for the physical security of financial transactions and information. The SSP's policies must also identify procedures for off-site backup and other disaster recovery considerations as part of a comprehensive disaster recovery plan. These systems should be tested on a regular basis, at least annually.
5.1.4.d Each SSP must have a comprehensive written statement dealing with the risks and events that may arise due to either the SSP or an external service provider suffering disruptions that may, in turn, disrupt the SSP's normal business operations. These policies and procedures should form part of the SSP's Disaster Recovery Plan in respect of managing both data risk and operations risk.
5.1.4.e All systems and procedures must be documented and available for inspection by AFIC.
5.1.5 Operations Risks
5.1.5.a Each SSP is to provide AFIC annually with a written statement of its policy in respect of insurance and details of its individual insurance policies. Policies and systems must be audited annually by the SSP's external auditors. Each SSP should carry the following insurance policies with cover at an appropriate level:
- fidelity guarantee;
- asset protection, including fire and malicious damage;
- directors' and officers' liability;
- public liability;
- professional indemnity; and
- business interruption.
5.1.5.b Each SSP must satisfy AFIC that, at all times, it retains appropriate management expertise and resources and conducts activities prudently. AFIC will require evidence that the management of the SSP can demonstrate, amongst other attributes:
- an intimate knowledge of the business of the societies served;
- appropriate systems to ensure adequate financial and internal control over the services offered;
- a proven record of experience among directors and staff in the services offered; and
- the on-going commercial viability of operations.
5.1.5.c An SSP must notify AFIC immediately of any breakdowns in internal controls that could cause a material departure or omission from the legal, prudential or policy obligations of the SSP. Such notification should include the nature of the breakdown, the impact on operations, the action to rectify the problem and the action to prevent a similar breakdown in future.