Much has been said and written about CPS 230; however, the time for talking and planning is rapidly coming to an end (and has probably passed for the large insurers).
It’s time for implementation!
Debunking the CPS 230 myths
There continues to be some misinformation circulating about CPS 230, what it is and what it isn’t. Let’s deal with these first:
What are the facts?
- CPS 230 (i) only applies as an obligation for insurers and (ii) only for those authorised by APRA under section 12 of the Insurance Act 1973 (Act); this means CPS 230 applies to general insurers in Australia, including foreign general insurers, and does not apply to Lloyds underwriters. Lloyds underwriters are authorised under section 93 of the Act and do not come within the definition of General Insurers (s11 of the Act).
- Lloyds underwriters (and Coverholders) do not get a ‘free ride’. The FCA UK Operational Resilience rules come into effect in the UK in March 2025. Also refer to Lloyds Principle 12 Operational Resilience. The FCA rules are similar to CPS 230.
- CPS 230 compliance is not a complex technical issue per se. Much should already exist. It’s a resourcing issue, especially the work around critical operations, process mapping, controls testing, material service providers and updating existing or creating new risk artefacts. A risk person within the CRO team of an APRA regulated insurer would be very familiar with the key CPS 230 requirements: operational risk, tolerance levels, critical operations (and disruption thereof), outsourcing, business continuity, risk profile, control testing and scenarios.
- Service providers do not have any obligations under CPS 230. CPS 230 is the insurer’s responsibility. The obligations for service providers manifest when they perform critical operations for the insurer (for general insurance this is claim processing) or expose the insurer to material operational risk (at a minimum, for general insurance unless justified otherwise: underwriting, claims management, insurance brokerage and reinsurance). The service provider obligations would be reflected in the Binder Agreement and/or Service Provider Agreement as obligations imposed on the service provider by the insurer.
- Non-compliance with CPS 230 does have significant consequences. Section 38AA of the Act requires insurers to notify APRA of certain matters. These include immediate notification of a breach of a Prudential Standard that relates to financial obligations the general insurer has to its policyholders or to the general insurer’s minimum capital requirements, and, for other breaches of a Prudential Standard, notification within 10 Business Days where the breach is significant within the meaning of s 38AA(5).
What should insurers be doing?
As I mentioned earlier, compliance with CPS 230 requires some ‘risk-thinking’ [within risk appetite]. However, CPS 230 is more of a resource and project management challenge.
There are a number of risk ‘task-based’ activities that insurers should be doing now:
- identify critical operations;
- set tolerance levels;
- process mapping – identify the processes and resources needed to deliver these critical operations, including material service providers;
- update risk artefacts: RMF, operational risk profiles, BCP, controls and control testing including scenario analysis, incident management etc;
- identify material service providers (MSP);
- for each MSP: understand how the MSP manages the key risks associated with material arrangements, how the MSP’s BCP accounts for these key risks, and how the MSP controls and tests the key risks;
- create or update MSP artefacts: maintain an MSP register (as per the APRA template that must be submitted in October 2025), MSP agreements and a monitoring program, including assessing risk for new MSPs.
What should material service providers be doing (typically underwriting agencies, TPAs [insurance claim managers] and other claim service suppliers)?
- Understand from the insurer, in respect of the services being provided if those services are critical operations or that expose the insurer to material risk (CPS 230 services);
- review your risk profile in the context of the CPS 230 services and update it. It may also be necessary to review the tolerances in your Risk Appetite Statement [the insurer’s tolerances may be more conservative];
- if the MSP is an AFS Licensee (or authorised rep of a Licensee) update your risk management approach/system (including its documented risk & compliance manual) to meet the insurer’s requirements in respect of the CPS 230 services;
- process map the CPS 230 services and identify the key controls that manage the CPS 230 services;
- test the key controls;
- identify any fourth party supplier that the MSP relies on in delivering the CPS 230 services;
- implement the process mapping and key control testing steps above for the fourth party supplier and obtain the outcomes as part of the reporting data requirements;
- update or create (in addition to the risk & compliance manual) any separate BCP, monitoring program (including fourth party suppliers), incident management process and fourth party supplier register.
CPS 230 resourcing
I’m currently working with clients (insurers and MSPs) as a resourcing and sounding-board for CPS 230 planning and implementation.
Contact me if you require assistance with managing or implementing your CPS 230 requirements.