In the dynamic landscape of financial services, regulatory compliance frameworks play a pivotal role in ensuring stability, security, and resilience. Two such critical standards in Australia are CPS 230 and CPS 234, issued by the Australian Prudential Regulation Authority (APRA). These two frameworks are consuming budget and delaying other projects that could be reducing costs or growing revenue. Meta recently announced the world's largest ever daily enterprise value growth of $200bn. This came off the back of a 25% growth in earnings whilst cutting 25% of its workforce. The market loved it. It is frustrating to see such growth when highly regulated enterprises are constrained from similar activities. Yet by understanding the frameworks, some opportunities for growth and efficiency appear. Let’s delve into their significance and explore how they impact regulated financial institutions.
1. CPS 230: Operational Risk and Resilience
What Is CPS 230?
CPS 230 focuses on operational risk management within financial institutions. Its primary objective is to enhance the resilience of these institutions against operational disruptions, including technology-related incidents, cyberattacks, and other unforeseen events.
Key Aspects of CPS 230:
- Information Security: CPS 230 mandates that APRA-regulated entities maintain robust information security measures. This includes safeguarding sensitive data, reporting breaches promptly, and ensuring the security of critical systems.
- Business Continuity Planning (BCP): Institutions must have comprehensive BCP strategies in place to mitigate operational disruptions. This involves planning for various scenarios, testing response mechanisms, and ensuring continuity during crises.
- Outsourcing Oversight: CPS 230 imposes specific rules around outsourcing, including assessing fourth-party risks (i.e., risks associated with suppliers of suppliers). Institutions must diligently manage their outsourcing arrangements.
Implications for ADIs:
Authorised Deposit-taking Institutions (ADIs) need to:
- Assess Vulnerabilities: Understand their operational vulnerabilities, especially related to information security and technology infrastructure.
- Strengthen Resilience: Develop robust BCP frameworks, conduct regular drills, and ensure seamless service continuity.
- Vendor Management: Scrutinize third-party vendors and assess their security practices. Remember that fourth-party risks matter too.
- Reporting Obligations: Promptly report any incidents or breaches to APRA.
2. CPS 234: Information Security
What Is CPS 234?
CPS 234 builds upon previous prudential standards and specifically addresses information security. Its goal is to ensure that regulated entities have adequate security measures in place, considering the criticality and sensitivity of the information they hold.
Key Requirements of CPS 234:
- Risk-Based Approach: Entities must assess their unique risks and tailor security measures accordingly.
- Data Assets Protection: Safeguard data assets against unauthorized access, breaches, and cyber threats.
- Incident Reporting: Promptly report any security incidents to APRA.
- Third-Party Risk: Evaluate the security practices of third-party service providers.
Implications for ADIs:
- Risk Assessment: Conduct thorough risk assessments to identify vulnerabilities.
- Security Measures: Implement robust security controls, encryption, access controls, and monitoring.
- Incident Response: Have clear incident response plans and communication channels.
- Collaborate: Work closely with other financial institutions and regulators to enhance collective security.
CPS 230 & 234 are not so much about locking down systems as about improving them to create more resilience. APRA-regulated entities are explicitly required to maintain information technology capabilities that meet business requirements and support critical operations. Vulnerability assessments of the weakest links should be conducted and placed within the context of a business case that advocates change and includes:
Identifying the Problem or Opportunity:
- Clearly define the business problem or opportunity you aim to address. Common examples include manual or outdated technologies that lack speed, are error-prone, or are vulnerable to disaster and security breaches, presenting business continuity challenges.
- Highlight pain points related to manual processes, inefficiencies, or resource limitations.
Proposing the Solution:
- Describe how investment in areas such as automation, including robotics, and modern computing infrastructure such as cloud, analytics, open banking, KYC and document generation, can alleviate the identified challenges.
- Specify the type of automation relevant to your context.
Benefits and Costs Analysis:
- Favorable Outcomes:
  - Increased productivity.
  - Increased accuracy and speed.
  - Reduced downtime.
  - Lower production costs.
  - Optimal workforce utilization.
  - Improved disaster recovery.
  - Reduced cyber or other security risk.
- Potential Unfavorable Outcomes:
  - Perceived high upfront investment.
  - Maintenance and upkeep costs.
  - Requirement to understand new systems and technologies.
  - Employee concerns about job security.
A Lending Example
Whilst much information is buried deep within core banking infrastructure, much is not. Many processes within regulated financial services institutions are still carried out on spreadsheets and, worse, on paper. In part, this is why fintechs are able to make inroads into the market: they can introduce modern solutions that provide better efficiency, effectiveness and regulatory standing.
In lending, the core revenue driver of many ADIs and non-bank lenders, loan applications are still being assessed by downloading a master spreadsheet template from a share drive, selecting File > Save As and starting a new manual application that way. At other times, or in addition, risk and credit decisions are performed on a hand calculator and pieces of paper. At the other end of the process, when a loan has been approved, loan documents are generated by hand in a similar File > Save As manner.
- Slow. The whole process is slow, taking customers and staff a long time to complete. This presents competitive issues for the lender.
- Error prone. From filling in numbers on a form, through making calculations and saving files in the right place, to getting approvals and generating documents, multiple errors can be made in a risk-critical aspect of the business.
- Security. Share drives often have poor access control and certainly little fine-grained control where different users need different access to certain functions.
- Disaster vulnerable. Depending on the location of the shared drives, fires and cyber attacks can render the system unavailable for extended periods and leave sensitive information stolen and compromised.
- Staff inefficiencies. When the war for talent is tough, attracting and retaining staff is difficult when they are using old systems and forced to do repetitive work that could be done by robots while they spend their time on higher-value tasks.
Investing in a modern cloud-based lending application, such as Moroku Lending, can:
- Speed the system up by automating information capture with Open Banking, and decisioning by embedding rules-based decisioning algorithms within the data capture process, providing conditional approval within a few minutes.
- Reduce errors by automating many of the calculations and document generation.
- Improve security by running the system on some of the world's most advanced cloud-based security and identity/KYC infrastructure, with disaster recovery systems and processes across multiple regions.
- Enhance culture by relieving staff of mundane activities and creating a sales and customer success focus.
CPS 230 and CPS 234 underscore the critical importance of operational resilience and information security. For financial institutions, compliance is not just a regulatory obligation—it’s an investment in their long-term stability and the trust of their customers. By proactively addressing these standards, credit unions, banks, wealth providers and others can navigate the evolving financial landscape with confidence.
Remember, regulatory compliance isn’t a burden; it’s a strategic advantage. By aligning your business case with CPS 230 and CPS 234 principles, you can confidently advocate for automation. Automation isn’t just about technology; it’s an investment in resilience, competitiveness, and member trust.
Let’s build a resilient and secure financial ecosystem together.