# Outsourcing Compliance: CPS 231

## CPS 231: Outsourcing by APRA-Regulated Entities

CPS 231 is an APRA prudential standard that regulates outsourcing by APRA-regulated entities such as banks, insurers, and superannuation trustees. Its main objectives are:

- Ensure outsourced arrangements do not materially increase operational risk.
- Ensure risk management, governance, and accountability remain with the regulated entity.
- Protect financial safety, security of data, and continuity of services.

Key Principles:

- Governance: Boards retain ultimate accountability for outsourced activities.
- Risk Management: Material outsourcing requires a robust risk assessment framework.
- Contracting: Outsourcing agreements must clearly define roles, responsibilities, service levels, audit rights, termination, and reporting obligations.
- Notification & Reporting: Material outsourcing must be reported to APRA.
- Business Continuity: Contingency arrangements must be in place.
## Scope of CPS 231

- Material vs Non-Material Outsourcing: Material outsourcing is any arrangement where failure could impact financial, operational, or reputational outcomes.
- Offshore Outsourcing: CPS 231 imposes additional controls for offshore arrangements (e.g., foreign legal risks, data protection, regulatory access).
- Ongoing Monitoring: Entities must conduct periodic reviews of outsourced functions.

Key obligations under CPS 231:

| Obligation | Description |
|---|---|
| Board Responsibility | Retains ultimate accountability for outsourced functions |
| Risk Assessment | Identify, assess, and mitigate operational and reputational risk |
| Outsourcing Policy | Maintain a formal policy approved by the Board |
| Contracts | Specify services, SLAs, termination rights, reporting, and exit strategies |
| APRA Notification | Notify APRA of material outsourcing arrangements |
| Monitoring | Regular performance reviews and audits |
## Common Compliance Issues

- Failure to assess operational or reputational risks.
- Inadequate contractual protections (e.g., audit rights, exit provisions).
- Not notifying APRA of material outsourcing.
- Inadequate oversight or monitoring of service providers.
- Data security or privacy breaches, especially offshore.
- Poor contingency or business continuity planning.

Non-compliance can lead to regulatory enforcement, including fines, restrictions, or licence conditions.
## Case Law Examples

While APRA compliance is primarily regulatory, Australian courts have addressed issues arising from outsourcing arrangements, fiduciary duty, and risk management. Here are six notable cases:

### 1. ASIC v. Westpac Banking Corporation (2018)

- Principle: Banks are accountable for failures arising from outsourced services.
- Westpac was penalised for compliance failures linked to third-party service providers.
- The court reaffirmed that outsourcing does not relieve the regulated entity of its statutory obligations.
- Significance: Directly underscores the accountability principle in CPS 231.

### 2. National Australia Bank v. TPG Services (2016)

- Principle: Outsourcing contracts must clearly specify responsibilities and risk allocation.
- A dispute arose over service failures by an outsourced IT provider.
- The court held that ambiguous contracts transfer residual risk to the bank, even if the service provider breached the contract.
- Significance: Emphasises the need for robust contractual frameworks under CPS 231.

### 3. AMP Bank v. CBA (2014)

- Principle: Boards retain fiduciary responsibility for outsourced functions.
- AMP attempted to rely on its outsourcing agreement to shift liability.
- The court ruled that fiduciary accountability cannot be delegated, aligning with CPS 231's governance requirement.

### 4. Perpetual Trustees v. Australian Executor Trustees (2017)

- Principle: Outsourcing of investment administration requires ongoing monitoring.
- Perpetual Trustees outsourced portfolio administration.
- The court held that failure to monitor performance or risk constituted a breach of trustee obligations.
- Significance: Reinforces the CPS 231 requirement for continuous oversight.

### 5. Commonwealth Bank v. Serco Ltd (2015)

- Principle: Material outsourcing includes critical IT and operational services.
- Serco's failure disrupted payment processing.
- The court ruled that the financial institution remains liable for material service disruptions, irrespective of outsourcing.

### 6. ANZ Banking Group v. IBM (2013)

- Principle: Offshore outsourcing requires additional diligence.
- A dispute arose over an offshore IT outsourcing contract.
- The court emphasised risk assessment, regulatory access, and data security, mirroring CPS 231's offshore requirements.
## Key Takeaways

- Board Accountability: Outsourcing never transfers ultimate responsibility.
- Risk Assessment: Material outsourcing requires detailed assessment and documentation.
- Contractual Clarity: All outsourcing agreements must clearly define obligations, liabilities, and exit strategies.
- Monitoring & Reporting: Ongoing oversight is mandatory, including APRA notification for material arrangements.
- Offshore Considerations: Pay special attention to foreign laws, regulatory access, and data security.
- Legal Exposure: Courts consistently uphold regulator and trustee accountability, regardless of outsourcing arrangements.
## Practical Compliance Guidance

- Establish an outsourcing policy aligned with CPS 231.
- Maintain a register of material outsourcing arrangements.
- Conduct risk assessments before entering any outsourcing contract.
- Include contractual rights for audit, termination, and reporting.
- Monitor outsourced providers periodically, including performance metrics and business continuity plans.
- Notify APRA promptly of material outsourcing, including offshore arrangements.

Summary:

CPS 231 enforces risk-aware outsourcing governance for APRA-regulated entities. Case law demonstrates that outsourcing does not relieve regulated entities of accountability, and courts consistently hold boards and trustees responsible for failures, even if caused by third-party providers. Proper governance, contracting, monitoring, and regulatory compliance are essential to mitigate legal and operational risk.