Australian regulations for the Financial Services Sector

Did you know we can help you meet your APRA compliance obligations by developing capability, reviewing your current compliance plans and running crisis management exercises?

If your company is an authorised deposit-taking institution (ADI), general insurer, life insurer, friendly society or registrable superannuation entity (RSE) licensee regulated by the Australian Prudential Regulation Authority (APRA), you are subject to a number of Prudential Standards.

Note that these standards typically:

  • Hold the Board accountable for the implementation of the Standard.

  • Require the entity's plans and frameworks to be reviewed on an annual basis.

  • Require those plans to be validated through annual testing (exercising), with the results reported to the Board.

Please see below APRA standards that address risk management, resilience and recovery.

Operational Risk Management - CPS 230

The aim of this Prudential Standard is to ensure that an APRA-regulated entity is resilient to operational risks and disruptions. An APRA-regulated entity must effectively manage its operational risks, maintain its critical operations through disruptions, and manage the risks arising from service providers. Note that, once in force, CPS 230 replaces both CPS 231 Outsourcing and CPS 232 Business Continuity Management (described below), so plans built against those standards will need to be re-mapped to CPS 230.

Operational Risk Management | APRA

Risk management – CPS 220

This Prudential Standard requires an APRA-regulated institution and a Head of a group to have systems for identifying, measuring, evaluating, monitoring, reporting, and controlling or mitigating material risks that may affect its ability, or the ability of the group it heads, to meet its obligations to depositors and/or policyholders.

Risk Management | APRA

Business continuity management – CPS 232

This Prudential Standard requires each APRA-regulated institution and Head of a group to implement a whole-of-business approach to business continuity management that is appropriate to the nature and scale of the operations.

Business Continuity Management | APRA

Outsourcing material business activities – CPS 231

If your organisation has outsourcing arrangements for material business activities, Prudential Standard CPS 231 Outsourcing will be relevant. The standard has a useful definition of what constitutes a “material business activity” that can be applied generically, including to organisations outside APRA's remit.

Outsourcing | APRA

Information security – CPS 234

This Prudential Standard aims to ensure that an APRA-regulated entity takes measures to be resilient against information security incidents (including cyber-attacks) by maintaining an information security capability commensurate with information security vulnerabilities and threats.

Information Security | APRA

Climate Change financial risks - CPG 229

A new Prudential Practice Guide is currently in draft form and subject to a consultation process with industry. The draft is designed to assist APRA-regulated entities in managing climate-related risks and opportunities as part of their existing risk management and governance frameworks.

Consultation on draft Prudential Practice Guide on Climate Change Financial Risks | APRA

APRA’s 2021 Review of prudential requirements

Note that APRA is conducting a comprehensive review in 2021 of the prudential requirements for operational resilience. This is expected to include the introduction of a new prudential standard specifically focused on operational risk management, revisions to the existing Prudential Standard CPS 231 Outsourcing and Prudential Standard CPS 232 Business Continuity Management, and guidance for entities.

Information Paper - Policy Priorities 2021

APRA’s Paper on cloud services

In 2018, APRA published the information paper “Outsourcing involving cloud computing services”. The paper responds to APRA's observation of the growing use of cloud computing services by APRA-regulated entities, an increasing appetite for higher inherent risk activities, and areas of weakness identified through its supervisory activities.

Note that several major cloud providers have published detailed responses to this paper, which can be useful when documenting how a provider's controls address APRA's expectations.

Information Paper - Outsourcing involving cloud computing services

ASX Listing Rules

Business Continuity

The ASX Clear Operating Rules – Guidance Note 10 helps participants understand the disaster recovery arrangements they should have in place to meet their obligations under the ASX Clear Operating Rules.

ASX Clear GN 10 - Business Continuity and Disaster Recovery

Offshoring & Outsourcing

The ASX Clear Operating Rules – Guidance Note 9 provides guidance to participants on some of the issues they need to address when offshoring or outsourcing their activities as a participant.

ASX OR GN 9 - Offshoring and outsourcing

Revision of RTOs

As a result of the impact of the COVID pandemic on businesses, the ASX has reviewed the recovery time objectives (RTOs) set out in Key Requirement 4.6.

Guidance Note 10 – Recovery Time Objective and Notification Requirements

ASIC

Obligations of licensed market operators – Regulatory Guide 172

This guide relates to the obligations of market operators set out in Parts 7.2 and 7.2A of the Corporations Act 2001. These obligations are relevant for all licensed or exempt market operators, as applicable. The guide also relates to the obligations of certain domestic market operators that are subject to the ASIC market integrity rules.

The Guide contains a number of requirements for domestic and overseas operators to address business continuity.

Regulatory Guide RG 172 Financial markets: Domestic and overseas operators

Cyber resilience: Health check – Report 429

This report highlights the importance of cyber resilience to ASIC’s regulated population. It is intended to help regulated entities improve their cyber resilience by increasing their awareness of cyber risks, encouraging collaboration between industry and government, and identifying opportunities for them to improve their cyber resilience.

Report REP 429 Cyber resilience: Health check

ASIC observations of operational resilience of market intermediaries during the COVID-19 pandemic

Operational resilience of market intermediaries during the COVID-19 pandemic

ASIC Financial Services Licensees

Australian Financial Services licence – Regulatory Guide 104

This guide describes what ASIC looks for when it assesses compliance with most of the general obligations under s912A(1) of the Corporations Act.

The guide specifically mentions a requirement to have a business continuity plan.

Regulatory Guide RG 104 AFS Licensing: Meeting the general obligations

Risk management systems of responsible entities – Regulatory Guide 259

As Australian financial services (AFS) licensees, responsible entities (including dual-regulated entities) are legally obliged to have adequate risk management systems. These systems are fundamental to mitigating exposure to relevant risks and informing business decision making. This guide provides guidance on how responsible entities may comply with this obligation.

Regulatory Guide RG 259 Risk management systems of responsible entities