
APRA Releases 2023 Priorities

APRA’s 2023 Priorities and Areas of Focus for Technology

APRA has recently released its policy and supervision priorities for 2023. “APRA’s 2023 priorities seek to ensure that we can swiftly address today’s risks as well as new challenges beyond the horizon,” stated new APRA Chair John Lonsdale.

He also flagged “a lighter APRA policy load”, allowing regulated entities to focus on embedding prior major reforms and responding to challenges in the operating environment.

In terms of supervisory priorities, he highlighted that “operational resilience, including cyber preparedness, continues to grow in importance”, that there was “important work to do on climate risk, governance, culture and recovery planning” and that “the superannuation sector can expect no let-up in our efforts to expose and eradicate underperforming products or actions that are contrary to members’ best interests”.

The team from Capital Consult has assessed the 2023 APRA priorities, which can be summarised as follows:

Policy Priorities

  1. Modernising the prudential architecture which is a core strategic initiative designed to make the APRA regulatory framework clearer, simpler and more adaptable;
  2. Completing key reforms to strengthen the financial and operational resilience of the system, and improve outcomes for superannuation members; and
  3. Reviewing and rationalising core standards within the framework, including for governance and the regulation of conglomerate groups.


Supervisory Priorities

  • Heightened supervision of cyber resilience through detailed assessments and rigorous pursuit of breaches;
  • Embedding the capital reforms for banks and insurers;
  • Continuing to hold trustees to account to improve superannuation member outcomes; and
  • Availability, affordability and sustainability of insurance.


Technology Focus Areas

A New Standard on Operational Risk Management (CPS 230): Scheduled to go live on 1 January 2024, this new standard aims to strengthen the management of operational risk and will replace five existing standards covering business continuity and outsourcing. All regulated entities must ensure they effectively identify and manage operational risks, are able to continue to deliver critical operations during disruptions, and prudently manage the risks arising from service providers. The technology function has a key role to play here in assessing whether technology can meet business demands and in ensuring that it does.

NOTE: Capital Consult has developed a short self-assessment to assist organisations in understanding their current state of readiness and the priority of actions needed to achieve compliance with CPS 230.

Strengthening Operational Resilience: Alongside preparation for CPS 230, APRA will continue to focus its supervisory activities on strengthening operational resilience more broadly, including technology resilience. Entities will need to be prepared to demonstrate to APRA that their technology assets are well managed. This includes the ability to meet current and projected business requirements, support critical operations, withstand and recover from disruption, and manage the associated risks.

Uplifting Cyber Resilience: APRA is now receiving the bulk of the independent assessments of entities’ compliance with Prudential Standard CPS 234 Information Security. For any entity that fails to meet expectations, APRA will conduct targeted deep-dive reviews of the areas of weakness. It will require comprehensive remediation plans and review them to ensure timely rectification and follow-up of all gaps identified. APRA will also be assessing board effectiveness with regard to cyber resilience, organisational capability and preparedness; this includes information requests and meetings with board members to understand practices and areas of challenge. Entities should ensure they are fully compliant with CPS 234, as APRA will rigorously pursue breaches of the standard.

Service Provider Concentration Risk: APRA will focus on strengthening operational resilience through oversight of continuity planning for outsourcing arrangements. End-to-end resilience, including third- and even fourth-party service provision, is expected. High concentration risk among critical technology service providers is a key factor here. Where there is a high reliance on service providers for critical operations, continuity planning will need to be considered as part of meeting CPS 230 obligations. Additional points of APRA engagement could be triggered by a change in an entity’s risk profile, material events, transformation and improvement programs, and mergers and acquisitions.

Data Collections: APRA has embarked upon a major data change program. Changes to reporting requirements will require system and process changes within entities, which will in turn necessitate planning and resourcing.

Technology underlies a number of the priorities outlined by APRA for 2023. It will be important for technology leaders to understand the role they play in helping their organisations meet APRA’s expectations. Key areas include technology risk management, disaster recovery, cyber resilience and service provider management.

About the Authors: Mark Zanon and Andre Kreicers are from Capital Consult, which has been providing specialist regulatory and technology advice, consulting and services to the Financial Services industry since 2008. We assist organisations to interpret and achieve compliance with the APRA prudential standards, guidelines and supervisory directions. Capital Consult has worked with many FSI clients in managing their APRA and regulatory obligations, including understanding and managing the risk paradigms introduced through technology developments such as outsourcing, cloud computing, digital transformation, AI and Banking as a Service.
