
The road to CPS 230: Getting intimate with your material service providers webinar Q&A.

APRA's CPS 230 standard puts pressure on regulated entities to lift their game when it comes to material service providers – pressure that may have commercial implications for service providers who aren’t ready to step up.

In Protecht’s recent The road to CPS 230: Getting intimate with your material service providers webinar, we covered these topics from both sides of the fence – from the perspective of regulated entities, and those that provide services to them.

We had great feedback from our attendees, including the survey responses and questions answered below. If you missed the webinar live, then you can view it on demand here:

Watch on demand

Survey results

We expected the lion’s share of attendees to be APRA-regulated entities, though the prevalence of ‘others’ – over a quarter – was higher than expected. Some were other professionals such as lawyers and consultants aiming to support regulated entities. Others did not have a direct link with CPS 230, but the topic – managing service providers – is relevant to anyone. CPS 230 is principles-based, and many components can be adapted to other sectors.


Looking at the results from this webinar and our previous poll in March 2024, it looks like a few entities have transitioned from identifying critical operations and material service providers into assessing their tolerance levels, but the majority are still in that identification phase. This is perhaps not surprising as we are at the mid-year mark, which is when APRA had set a benchmark for that initial identification phase.

Notable, though, is that the proportion of attendees still trying to get the ball rolling is more than one in five. It’s possible some non-regulated entities influenced these answers (they might be waiting for APRA-regulated entities to prod them), but if you need assistance with setting up frameworks, or educating your team on the requirements and how to progress, you can reach out to us about our consulting or training services. If you’d like to attend our CPS 230 training sessions later this month, you can find out more here.

Questions

Q1: Can you share what are some considerations/data points for fourth parties that a regulated entity must identify, collect and track in these dashboards?
Q2: How are people identifying service providers which may “expose it to material operational risk” without it being such a massive undertaking each time you consider a new supplier?
Q3: If you have a SaaS provider that has SOC 1 or SOC 2 type 2 reports, do you rely on checking regularly the report for CPS 230 compliance?
Q4: Who identifies the risk of multiple regulated entities reliant on a Material Service Provider and how will APRA use the information they collect?
Q5: How can we map in advance what we can manage in Protecht ERM versus what we need to work on offline?

Q1: Can you share what are some considerations/data points for fourth parties that a regulated entity must identify, collect and track in these dashboards?

Let’s begin by clarifying that there isn’t anything that regulated entities must collect. As clarified by APRA in its recent response to submissions:

An entity is now expected to:

  • Outline, as part of its service provider management policy, its approach to managing the risks associated with any fourth parties that MSPs rely on to deliver critical operations; and
  • Take reasonable steps to know who the (fourth) parties are that an MSP relies on, in delivering a service necessary to support a critical operation.

As suggested by the finalised CPG 230 guidance, your register of material service providers should consider listing the fourth parties that are involved in delivery of a critical operation.

The level of detail you choose to capture will depend on your approach, but you might scale effort based on the level of risk your service provider brings to your operations, and how much they rely on the fourth party. This data collection could take a couple of approaches: direct, or indirect through publicly available information.

  • Direct – This is collecting information from your third party that they are allowed to provide to you directly about the fourth party, or by acting as an intermediary between you and the fourth party. Neither of them may have a contractual requirement to share this information, but they may be transparent for the benefit of all parties. You might even suggest controls assurance that the third party should implement and that you monitor, or risk metrics for them to report up to you.
  • Indirect – Once you are aware of who the fourth parties are, there are different aggregators of publicly available information or monitoring services that can provide insights about these fourth parties. This can include sentiment analysis, external information security scans, or ESG scores. These might only provide a part of the picture (e.g. external security scans won’t tell you about their internal environment), but they might identify red flags which you then raise with your third party.

Alongside any information you collect about the fourth party themselves, this can be linked to dashboards or reporting on concentration risk, such as the number of third parties you have that rely on that one fourth party.


Q2: How are people identifying service providers which may “expose it to material operational risk” without it being such a massive undertaking each time you consider a new supplier?

There isn’t a specific definition of material operational risk in the standard, but we can look to the definition of critical operations, which includes material adverse impact on depositors, policyholders, beneficiaries or customers, or the entity’s role in the financial system. While this definition is in the context of disruption and related tolerance levels, you might consider a similar approach to non-disruptive risks, i.e. risks that are not disruptive in nature but still have a material impact on customers.

The initial tiering process we covered in the webinar can also help you assess materiality on several dimensions. For example, a service provider who completes a critical compliance obligation on your behalf – for example, Know Your Customer assessments – may be considered material due to the harm it can cause if these compliance obligations are not met or are applied incorrectly.


Q3: If you have a SaaS provider that has SOC 1 or SOC 2 type 2 reports, do you rely on checking regularly the report for CPS 230 compliance, and do you also request the SOC report of the sub-service organisation or service providers of your primary service provider?

I’ll respond in the context of SOC reports, but it can be expanded to any type of assurance activity by independent parties.

I’ll assume the phrase ‘for CPS 230 compliance’ refers to the requirements to monitor risks and controls of your material service providers. SOC reports can be a way to gain assurance over controls and the related risks (or highlight red flags for action). You will of course need to decide whether these give you sufficient assurance over the risks that the service provider poses to your organisation, or whether they need to be complemented by other assurance activities.

Obtaining reports for fourth parties can also be beneficial in providing you additional assurance, but again this will depend on the level of risk. There may also be confidentiality that needs to be addressed, and permission may need to be obtained from the fourth party to share those reports. Some larger service providers may provide direct access or portals to summary information, so that fourth parties can access this information directly.

Of course, you may also use that provider yourself (think major technology services) and have direct access to these reports yourself if they are directly applicable to both you and the SaaS provider.


Q4: Who identifies the risk of multiple regulated entities reliant on a Material Service Provider? APRA has oversight when collecting Material Service Provider register details. Any mention of how they will use the information they collect?

We can’t speak on APRA’s behalf, but I think it is noteworthy that they require the register of material service providers to be submitted, but not the register of critical operations (though I’m sure that will come up during their regular supervisory activities). I expect their intention is to get a better understanding of fourth party concentration risk across the sector.

APRA aren’t regulating fourth parties directly – APRA do not designate any organisation to be a ‘material service provider’ in its own right. Organisations are only material service providers in the context of their relationship with each regulated entity they may deal with.


Q5: It would be interesting to see a map of what we can document and manage in Protecht ERM versus what we need to work on offline, so that we can start preparing in advance what we need to do on desktops versus how all the modules interact in Protecht ERM to enable us to document thought processes, conclusions and inter-dependencies for the organisation, as well as for any third parties who request to view such material, like internal audit, entities we are an MSP to, or regulators.

The answer will depend on specifically what you want to achieve, but the benefit of Protecht ERM when seeking to meet CPS 230 requirements is its flexibility. CPS 230 isn’t prescriptive; different entities will have different approaches, and as you point out, different stakeholders who need different information. By collecting that information in a structured way, including relationships between data, you can prepare information for the audiences that need it, in the way they need it.

You can read our CPS 230 white paper, which covers how Protecht can help you with your CPS 230 implementation, including how our Protecht ERM system can support it, the consulting services we can provide in terms of planning and documentation, and the training we can provide for staff in risk and resilience.

We’d be happy to review anyone’s approach and requirements, and demonstrate how we can link this information together to meet your particular needs.


Conclusions and next steps for your organisation

If you missed this webinar live, Protecht’s Research & Content Lead Michael Howell and Senior Risk Consultant Hela Ebrahimi unpacked how regulated entities and service providers can work together to achieve resilient outcomes across the financial services sector. You can view it on demand here:

Watch on demand


About the author

Michael is passionate about the field of risk management and related disciplines, with a focus on helping organisations succeed using a ‘decisions eyes wide open’ approach. His experience includes managing risk functions, assurance programs, policy management, corporate insurance, and compliance. He is a Certified Practicing Risk Manager whose curiosity drives his approach to challenge the status quo and look for innovative solutions.