Much has been said and written about CPS 230; however, the time for talking and planning is rapidly coming to an end (& has probably passed for the large insurers). It’s time for implementation!

Debunking the CPS 230 myths

There continues to be some misinformation circulating about CPS 230, what it is and what it isn’t. Let’s deal with these first.

What are the facts?

CPS 230 (i) only applies as an obligation for insurers & (ii) only for those authorised by APRA under section 12 of the Insurance Act 1973 (Act); this means CPS 230 applies to general insurers in Australia, including foreign general insurers, and does not apply to Lloyd’s underwriters. Lloyd’s underwriters are authorised under section 93 of the Act and do not come within the definition of General Insurers (s 11 of the Act).

Lloyd’s underwriters (and Coverholders) do not get a ‘free ride’. The FCA’s UK Operational Resilience rules take full effect in the UK in March 2025 (the end of the transition period). Also refer to Lloyd’s Principle 12, Operational Resilience. The FCA rules are similar to CPS 230.

CPS 230 compliance is not a complex technical issue per se; much should already exist. It’s a resourcing issue, especially the work around critical operations, process mapping, controls testing, material service providers and updating existing or creating new risk artefacts. A risk person within the CRO team of an APRA regulated insurer would be very familiar with the key CPS 230 requirements: operational risk, tolerance levels, critical operations (& disruption thereof), outsourcing, business continuity, risk profile, control testing and scenarios.

Service providers do not have any obligations under CPS 230. CPS 230 is the insurer’s responsibility.
The obligations for service providers manifest when they perform critical operations for the insurer (for general insurance this is claims processing) or expose the insurer to material operational risk (at a minimum, for general insurance unless justified otherwise: underwriting, claims management, insurance brokerage and reinsurance). The service provider obligations would be reflected in the Binder Agreement and/or Service Provider Agreement as obligations imposed on the service provider by the insurer.

Non-compliance with CPS 230 does have significant consequences. Section 38AA of the Act requires insurers to notify APRA of certain matters. These include immediate notification of a breach of a Prudential Standard that relates to the financial obligations the general insurer has to its policyholders or to the general insurer’s minimum capital requirements, & notification of other breaches of a Prudential Standard within 10 Business Days where the breach is significant within the meaning of s 38AA(5).

What should insurers be doing?

As I mentioned earlier, compliance with CPS 230 requires some ‘risk-thinking’ [within risk appetite]. However, CPS 230 is more of a resource and project management challenge. There are a number of risk ‘task-based’ activities that insurers should be doing now: identify critical operations; set tolerance levels; process mapping (identify the processes and resources needed to deliver these critical operations, including material service providers); updating risk artefacts: RMF, operational risk profiles, BCP, controls and control testing including scenario […]
A great indicator of the health of your compliance arrangements is the quantity and quality of data in your compliance registers. No data, or limited data, could indicate issues with your people and/or authorised representatives and with the adequacy and effectiveness of your compliance arrangements. So what registers should you have and what should you expect to see?

Risk register

The risk register should include the 10-15 risks that could seriously impact your business operations. They should cover (as relevant) strategic risk, reputational risk, financial risk, people risk, legal risk, regulatory risk, compliance risk, conduct risk, technology risk, data risk and change management risk. The risk register should include accountability, key controls, control testing & action plans to close out any gaps arising from control testing. The risk register (plus all other registers) should be a standing agenda item at your quarterly Risk & Compliance Committee meeting, where control testing outcomes, action plans, the internal & external business environment and emerging risks are discussed.

Obligations register

This register is similar to the risk register but manages your compliance obligations. The register can be a stand-alone register or, for most underwriting agencies, TPAs and insurance brokers, included as part of your Risk & Compliance Manual. The register should capture AFS Licence obligations, financial services laws (including Prudential Standards for insurers), industry Codes & obligations arising from binder & other agreements. Typically an APRA regulated insurer will have ~300 material obligations, underwriting agencies & TPAs ~130 & insurance brokers ~80. The obligations register enables a shift in focus from the large number of obligations to 20-40 key controls. You can’t manage what you don’t know; an obligations register is critical.

Conflict of interest register

Conflicts arise in many situations and are a normal part of conducting business.
Conflicts may arise from:
family or personal relationships
other business interests
gifts & entertainment
commission & fee arrangements
related companies
multiple directorships
roles within an organisation (operational role v member of a risk committee)

Financial services laws require licensees to adequately manage conflicts. This is usually by disclosing, controlling or avoiding the conflict. The conflict and the signed-off management of the conflict must be recorded in the conflicts register.

Incident & breach register

This register is the lifeblood of your business. People make mistakes, often. A well populated incident & breach register, covering a wide range of incidents, from a wide range of people across the business, is a sure sign of a continuous improvement culture. Incidents should be raised across all risk categories (refer to the risk register), not just compliance incidents. However, a compliance specialist must review the register to further investigate incidents & be on the lookout for breaches or likely breaches of financial services laws or a Code. Typically, APRA regulated insurers should be capturing 200-300 incidents per quarter, underwriting agencies & TPAs 50-75 & insurance brokers 40-50. The number of incidents per quarter will be a factor of the nature, complexity & scale of your business.

Complaints register

If an incident […]
The obligation to have trained, competent and experienced employees arises from many different sources of obligations:

AFS Licence general obligations: employees must be trained & competent and comply with financial services laws. These laws include the financial services obligations in the Corporations Act, the misleading & deceptive conduct and Unfair Contract Terms provisions in the ASIC Act, APRA Prudential Standards including CPS 230 & CPS 234, the Insurance Contracts Act and the Privacy Act.

A person providing financial product advice must have RG 146 training. Tier 2 is sufficient for general insurance products unless the person provides product advice for sickness and accident insurance.

Responsible Managers, Directors & Officers, Accountable Persons and Fit & Proper People should receive specific training based upon the requirements of each regulatory role.

Under the GI Code of Practice, there is a requirement that employees, Distributors and Claim Service Suppliers are trained to provide their services competently. In addition, it’s a GI Code obligation to ensure employees are trained in supporting customers experiencing vulnerability. This will most likely include trauma-based training going forward.

Under the Insurance Brokers Code of Practice, there is a professional commitment that employees maintain & improve competency through relevant qualifications, continued education & training. Also, insurance brokers under the Code must ensure that their employees, Authorised Representatives and agents receive appropriate education and training.

ANZIIF CIP and NIBA CPD points

A number of organisations use ANZIIF & NIBA methodology and points as evidence of compliance with the various training obligations. This is a great start; however, ANZIIF & NIBA points are part of the membership requirements for those industry bodies. By themselves, they may not meet the various regulatory obligations.
Firms within general insurance must stipulate specific training

A requirement to annually achieve 20/25 hours of training for CIP or CPD purposes is a good starting point; however, in order to meet the various training obligations, the training must be specific enough to meet each individual obligation. For example, a firm may mandate that employees must successfully complete 25 hours of training per year, allocated as follows:
7 hours on financial services laws
an additional 3 hours for regulatory roles (responsible managers etc.)
5 hours on the relevant GI or Insurance Brokers Code of Practice
3 hours on supporting customers experiencing vulnerability
5 hours on the products and services provided by the firm

The remaining hours can be left to the choice of the employee, noting that ‘25 hours’ is not a magical competency figure. Competency is both a subjective and an objective test. Some employees, due to the complexity of their role or their inexperience, may require additional hours beyond the mandatory requirements. The point is that general insurance firms must mandate the nature, quality and quantity of training to be undertaken in order to meet the various regulatory & Code obligations.

Additional obligations

It is a regulatory requirement that training be recorded in a training register. This provides evidence of meeting the AFSL general obligation; therefore the register should be maintained and current. Training should be provided during induction […]
More than 10,000 members and claimants of the Construction and Building Unions Superannuation Fund (Cbus) were impacted by death benefit and total and permanent disability (TPD) insurance claims taking more than 90 days to be processed, according to allegations contained in documents lodged by ASIC in the Federal Court (Media Release 24-251MR). ASIC alleges that Cbus may have contravened the following provisions of the Corporations Act:
ss 912A(1)(a) & (5A), by failing to act efficiently, honestly and fairly in the handling of its members’ claims for death benefit payments and TPD insurance payments;
s 912DAA(1) and (7), for failing to lodge a reportable situation report within 30 days of becoming aware of a reportable situation; and
s 1308(5), for failing to take reasonable steps to ensure the breach report lodged on 5 August 2023 was not false or misleading in a material particular.

ASIC is seeking penalties, declarations, adverse publicity orders and orders requiring compliance measures to be implemented.

What does this mean for general insurance claims handling?

There are 3 takeaways: providing claims handling efficiently, honestly & fairly; adequate resourcing & adequately trained staff; and failure to take appropriate action.

Providing claims handling efficiently, honestly and fairly

As set out in ASIC INFO 253, ASIC considers that timeliness is a critical component of meeting the AFSL general obligation to provide claims handling & settling services efficiently, honestly & fairly. ASIC also considers that industry Code timeframes are useful indicators of what the industry considers to be appropriate standards. In the Cbus matter, ASIC alleges that Cbus management had received reports from their outsourced material service provider that very large numbers of death & TPD claims were (1) older than 90 days & (2) even older than 365 days. Notwithstanding this data, the Board committees did not raise any cause for alarm.
Takeaway: General Insurers, Underwriting Agencies and their claim service suppliers must not only monitor timeframes under the GI Code of Practice but also take appropriate action when data shows that timeframes are consistently not being met.

Adequate resourcing & adequately trained staff

ASIC alleges that the Cbus Risk Committee was aware that the material service provider had significant staff turnover & that the provider’s claims processing staff were not adequately trained. ASIC further alleges that Cbus failed to implement, or adequately implement, measures that would address the delays in processing death and TPD benefit claims.

Insurers were on notice from ASIC

ASIC wrote to insurers on 6 March 2024 (‘Obligations of general insurers: Insurance claims and severe weather events’). In that letter, ASIC set out its expectations of insurers, including that ‘Insurers are required to sufficiently resource claims handling and dispute resolution functions, and ensure staff are adequately trained.’ This is a general obligation for AFSL holders. Relevantly, ASIC also advised insurers: ‘our message is that ASIC is watching how insurers support their customers very closely. Evidence of significant misconduct identified through these channels may result in enforcement action.’

Takeaway: General Insurers, Underwriting Agencies and their claim service suppliers such […]
The requirement of CPS 230 for general insurers is that they must effectively manage operational risks, maintain critical operations through disruptions, and manage the risks arising from service providers. It’s the latter requirement that has caused recent tension, with APRA expressing concern about insurers’ use of Underwriting Agencies and reminding insurers that they can outsource critical underwriting & claims functions, but not accountability.

Underwriting Agencies as AFS Licensees

It’s all well & good for insurers to impose their requirements on agencies (& rightly so, to a degree); however, among all this, it should be remembered that an Agency that holds an AFSL must comply with its own obligations or face severe consequences, including reputational harm & civil penalties. Somewhat ironically, this may potentially also ‘severely disrupt’ the insurer’s operations.

An Agency holding an AFSL must have adequate risk management systems. The requirement for risk management systems ensures that agencies explicitly identify the risks they face and have measures in place to keep those risks to an acceptable minimum. This requirement sounds remarkably similar to the CPS 230 requirement on insurers. Therein lies the answer (lightbulb moment; I feel like a ‘ta-dah’ is warranted at this point): the insurer meets its CPS 230 requirement to manage the risks arising from material service providers, and the agency meets its AFSL obligation to have an adequate risk management system & manage its own risks.

ASIC (in RG 104) states that a licensee’s risk management systems will depend on the nature, scale and complexity of its business and risk profile. ASIC also states that the licensee’s risk management systems will need to adapt as its business develops and its business risk profile changes over time. This would include enhancing the agency’s risk management system to enable it to meet the risk of its binder agreement being terminated.
Taking a step back, an insurer would eventually terminate the agency’s binder agreement if the agency presented an unmanageable CPS 230 risk (or any risk for that matter, including in respect of CPS 234 Information Security).

What does an adequate risk management system look like for an insurance Underwriting Agency?

The risk management system must not only cover the risks of the Agency but also those of any of its representatives (such as authorised reps or distributors acting under an ASIC instrument).

Risk management components:

A risk identification (risk profiling) brainstorming session including relevant stakeholders (potentially the insurer(s)) assists in identifying material risks to the business; to ensure nothing is missed, risks are categorised. CPS 230 provides assistance here, defining operational risk as including legal risk, regulatory risk, compliance risk, conduct risk, technology risk, data risk and change management risk. To this you would add strategic/reputational risk and financial risk.

Risk appetite statement (RAS): a board/senior management approved RAS is critical to define the amount of risk the Underwriting Agency is willing to accept in pursuit of its objectives, expressed against each risk category. This can be a simple 1-pager for a typical Underwriting Agency.

Risks should be recorded in […]
Insurance brokers – Tidying up after a busy June: a compliance perspective

You’ve had a hectic June but feel satisfied because you assisted so many clients. There is an alarming amount of paperwork that you need to clear & you’re desperately trying to remember all the compliance stuff that you’re supposed to do. I’m not condoning non-compliance; however, you have a small window to rectify. We are only human after all & we all make mistakes. Don’t forget to raise any non-compliance as an incident in either CCX 360 or a similar register & declare it on your attestation.

Over the past 4 weeks:
Did you provide Terms of Engagement to prospective clients?
Did you provide an FSG?
If the client is a retail client, did you disclose your actual $ remuneration?
Was any client dissatisfied with your service? If so, raise it as a complaint, give the client a call to check in, apologise & advise them of your IDR process.
Did you provide support to any client experiencing vulnerability?
Did you correctly identify consumer insurance contracts & ensure your client met their duty to take reasonable care not to make a misrepresentation? In all other cases, did your client comply with their duty of disclosure?
Did you contact your client at least 14 days before the policy expiry date? Did you bind terms for your client? If the insurer or underwriting agency did not provide renewal terms or a non-renewal notice to you 14 days prior to the due date, your client has the benefit of statutory cover for renewals.
Did you ensure that your retail client fell within the Target Market Determination?
Did you send your retail client the PDS (which also includes the policy schedule)?
If you are a NIBA member & won the account but the previous broker did all the renewal work, did you send the commission to the previous broker?
In your client dealings, did you act honestly & with integrity? Did you act with commercial decency?
Did you exercise the duty of care to your client that a reasonable broker in your circumstances would?
Was all client money paid into your trust account?
Any E&O matters that you need to disclose to your PI insurer?

As the dust settles in June, now is a great time to think about a compliance health check. When conducting a compliance health check of your broking business I consider:
1. Financial services laws
2. Your AFSL authorisations & conditions
3. Your obligations as an Authorised Rep
4. Your monitoring of your staff, ARs & referrers
5. If you’re a Steadfast member, the Steadfast Broker Code of Conduct
6. If you’re a NIBA member, the Code of Practice
7. CCX 360 or equivalent (evidence of compliance)
