12 September 2011
APRA has released four consolidated prudential standards on governance, fitness and propriety, outsourcing and business continuity management.
In December 2010, APRA released a consultation package comprising a Discussion Paper and a set of draft consolidated behavioural standards applying across authorised deposit-taking institutions (ADIs), general insurers and life companies. The consultation package included drafts of:
- Prudential Standard CPS 510 Governance (CPS 510 Governance);
- Prudential Standard CPS 520 Fit and Proper (CPS 520 Fit and Proper);
- Prudential Standard CPS 231 Outsourcing (CPS 231 Outsourcing); and
- Prudential Standard CPS 232 Business Continuity Management (CPS 232 Business Continuity Management).
Once effective, the 12 prudential standards currently applying to ADIs, general insurers and life companies will be reduced to four standards, each applicable across regulated institutions in these industries.
APRA received a number of submissions on the consultation package from regulated institutions and industry groups. Submissions were supportive of APRA’s initiative to harmonise these requirements across the regulated industries.
The Discussion Paper noted that APRA was not generally seeking to review the content and scope of the behavioural standards, beyond that required to harmonise application across industries. Submissions containing substantive content changes have been noted for any future review of the standards. APRA would consult on any such reviews as a part of its normal practice.
Submissions largely sought further clarification on APRA’s intention in respect of specific drafting changes. The final consolidated prudential standards are therefore substantially the same as the drafts released in December. APRA has, however, made minor amendments and editorial changes in response to the submissions.
In harmonising the existing prudential standards, provisions relating to the ability of the Board of a regulated institution to delegate certain Board functions to senior management or a Board committee were modified for some industries in order to facilitate the move to a set of cross-industry standards. Submissions have sought clarification on APRA’s intention regarding the ability of the Board to delegate these functions going forward.
The ultimate responsibility for outsourcing and business continuity management rests with the Board (or equivalent) of the regulated institution. However, considerations of operational efficiency may involve certain functions being delegated to senior management or a Board committee. APRA is not seeking to substantially alter this ability of the Board to delegate to senior management, where appropriate. As such:
- Subparagraph 22(d) of CPS 231 Outsourcing has been amended to enable the Board to delegate involvement in approving an outsourcing agreement to senior management, consistent with current Prudential Standard APS 231 Outsourcing and Prudential Standard GPS 231 Outsourcing.
- Paragraph 14 of CPS 232 Business Continuity Management has been retained. APRA does not consider that ensuring that the regulated institution’s business continuity risks and controls are taken into account as part of the overall risk management system and when completing a risk management declaration is a function that can be delegated to senior management.
- In the context that the Board has overall responsibility for management of business continuity risks, CPS 232 Business Continuity Management has been amended to remove a paragraph of the standard requiring the Board to ensure that sufficient infrastructure, budgetary and other resources are allocated and maintained, to avoid confusion about APRA’s expectations.
- As noted in the Discussion Paper, CPS 510 Governance includes a requirement for the Board of each regulated institution that operates as part of a corporate group to approve the use of any group policies and functions in keeping with its responsibilities. The Board of each regulated institution must ensure that any such group policies and functions give appropriate regard to the specific business and circumstances of that regulated institution. APRA considers that it is prudent governance practice that the Board of a regulated institution considers the appropriateness of group policies and functions and explicitly approves their use.
APRA will provide further guidance on the role of the Board and senior management in the associated Prudential Practice Guides (PPGs) as appropriate.
A paragraph has been included in CPS 231 Outsourcing to clarify that, where a foreign ADI, Category C insurer or eligible foreign life insurance company has entered into an outsourcing agreement with its head office, they are not required to:
- execute a legally binding outsourcing agreement; or
- demonstrate that they have taken into account contingency issues in accordance with CPS 232 Business Continuity Management, should the outsourced activity need to be brought in-house.
This is in recognition of the specific structure of branch operations, which do not have a separate legal existence from their head office.
A minor amendment has been made to CPS 232 Business Continuity Management to clarify the definition of business impact analysis. The amendment clarifies that business impact analysis is a process performed to identify the critical business operations. That is, a regulated institution cannot just perform a business impact analysis for critical business operations - it must perform the analysis for all operations in order to determine which are critical.
As part of the consolidation project, requirements relating to business continuity management and outsourcing currently contained in Prudential Standard GPS 221 Risk Management: Level 2 Insurance (GPS 221) are being transferred into the relevant consolidated prudential standard. To facilitate this, GPS 221 has been reissued with these provisions omitted.
In order to allow sufficient time for regulated institutions to review and ensure continued compliance with the requirements, the consolidated prudential standards will be effective from 1 July 2012. APRA expects that this will allow a sufficient transition period for regulated institutions to assess their continued compliance with the new standards in line with their normal review cycles for these documents.
The consolidated prudential standards include provisions preserving the operation of all determinations (including any approvals, waivers or directions) made under previous versions of the standards that are in operation at the effective date. Accordingly, regulated institutions will not be required to reapply to APRA to request the continued exercise of such discretions.
The December 2010 consultation package also indicated APRA’s intention to harmonise existing industry-specific PPGs relating to governance, fitness and propriety, outsourcing and business continuity management. APRA expects to release draft consolidated PPGs for consultation in early 2012.
For further information please contact firstname.lastname@example.org.