APRA’s focus on insurers’ use of Underwriting Agencies (CPS 230)
In a speech to the ICA Annual Conference in Brisbane on 16th October, APRA Executive Board member, Suzanne Smith said, ‘a focus for APRA over the coming year: [is] the risk associated with outsourced underwriting to agencies.’
What is CPS 230?
CPS 230 applies to APRA-regulated general insurers (including a foreign general insurer with a local branch) but does not apply to Lloyd’s underwriters.
The aim of CPS 230 is to ensure that an APRA-regulated insurer is resilient to operational risks and disruptions. An APRA-regulated insurer must effectively manage its operational risks, maintain its critical operations through disruptions, and manage the risks arising from service providers.
CPS 230 commences July 2025. However, it’s important to understand that APRA-regulated insurers have existing obligations under the current ‘Outsourcing’ Prudential Standard (CPS 231).
Underwriting Agencies are deemed to be a ‘material service provider’, unless the insurer can justify otherwise.
Operational risk is defined in CPS 230 to include, but is not limited to, legal risk, regulatory risk, compliance risk, conduct risk, technology risk, data risk and change management risk.
What should I be doing now?
Most insurers are in the process of contacting Underwriting Agencies to detail their requirements of the Agency in respect of CPS 230.
If you have not been contacted by your insurer partner(s) you should reach out to them. It will take time to comply with the insurer’s requirements, so it is best to commence now.
It’s important to understand that if you hold an AFS Licence (or are appointed as an authorised representative) you must have adequate risk management systems. In this context, ‘systems’ means the combination of your processes, procedures, IT systems and people that assist in managing your risk. It is not enough to assist the insurer in meeting their CPS 230 obligations if you fail to meet your own obligations as an AFS Licensee.
Your risk management systems will depend on the nature, scale and complexity of your business and your risk profile.
ASIC expects your risk management systems will:
- be based on a structured and systematic process that takes into account your obligations under the Corporations Act (financial products and services);
- identify and evaluate risks faced by your business, focusing on risks that adversely affect consumers or market integrity (this includes risks of non-compliance with the financial services laws);
- establish and maintain controls designed to manage or mitigate those risks;
- fully implement and monitor those controls to ensure they are effective.
You should review your risk management systems and ensure that they are adequate in terms of being a material service provider under CPS 230.
A checklist for being CPS 230 ready
- read and understand CPS 230 and CPG 230, especially in respect of insurers’ requirements for their material service providers.
- contact your insurer to understand their requirements of you in respect of CPS 230.
- review your documented risk management manual & update, particularly in respect of:
- your consideration of ‘risk’, ensuring it includes the categories of CPS 230 operational risk (legal risk, regulatory risk, compliance risk, conduct risk, technology risk, data risk and change management risk).
- in respect of technology risk and data risk, also consider CPS 234 (Information Security).
- consider how you monitor operational risk, compile and analyse operational risk data and facilitate reporting to the insurer (see below).
- consider how you identify and document the processes and resources needed to deliver critical operations, including people, technology, information, facilities and your service providers, the interdependencies across them, and the associated risks, obligations, key data and controls.
- undertake scenario analysis for any risk that has a potential impact of severe operational risk, test its operational resilience and identify the need for new or amended controls and other mitigation strategies.
- review your key control(s) and ensure you have a control testing program.
- ensure that you capture operational risk incidents as part of your incident management procedures.
- ensure you have a current business continuity plan and disaster recovery plan.
- the agenda for your Risk & Compliance Committee should be updated to include ‘CPS 230 oversight’, with relevant data being provided to the Committee.
- APRA-regulated insurers will require you to have adequate procedures in place for the use of fourth parties. A fourth party is a party that you rely on in delivering services to an APRA-regulated insurer.
- ensure that you have a Monitoring Program to manage the risks from fourth parties including due diligence, onboarding & training, business as usual monitoring and an exit plan on termination.
- it’s likely that the insurer will require you to execute a new, or amend your current, service provider agreement (typically in the form of a Binder agreement) covering CPS 230 requirements.
- the insurer is required to monitor your performance and compliance with the Binder agreement. It is important that you provide relevant data in your reporting to the insurer to give them assurance. The data should comprise, at a minimum:
- performance with reference to agreed key performance indicators.
- incident and breach management.
- complaint management.
- control testing outcomes, including action plans to close out controls identified as ineffective.
- quality assurance, including file reviews.
- changes to your risk profile.
- managing regulatory change.
- compliance with delegated underwriting and claims authority.
- agenda and relevant discussion points from your Risk & Compliance Committee.
- the insurer may ask you to document (and provide to them) your end-to-end processes for critical operations, including your control testing of such critical operations. You should develop Standard Operating Procedures for your material activities covering sales, underwriting and claims.
If you need assistance with CPS 230, contact Paul Muir at paul.muir@complianceadvocacysolutions.com.au
Disclaimer:
Compliance Advocacy Solutions Pty Ltd provides compliance risk advice and not legal advice and the advice should not be relied upon as a substitute for legal advice.