BaaS arrangements, downstream service provider risks in APRA's sights


Regulator plots single operational risks standard.

Australia’s prudential regulator has set its sights on banking-as-a-service (BaaS) arrangements as part of proposed new rules aimed at strengthening operational risk management in financial services.

The Australian Prudential Regulation Authority on Thursday began consulting on a new draft prudential standard, CPS 230, that would also require banks, insurers and super funds to identify “core technology” service providers.

CPS 230 brings together related operational risk concepts from five existing prudential standards into a single standard, with updated requirements for business continuity and service provider management.

It “introduces a principles-based approach to operational risk management that is outcomes-focused”, targeting “key areas where weaknesses have been observed by APRA”, as well as international best practice.

APRA chair Wayne Byres said the updated rules sought to “enhance operational and financial resilience, as well as financial stability” at a time of “changing business models, lessons from recent years and developments in global good practice”.

“The proposed CPS 230 will also help ensure APRA-regulated entities meet the challenges posed by ongoing innovation and technological change in the financial services industry,” he said in a statement.

In a discussion paper on the planned changes, APRA said CPS 230 “specifically requires senior management to provide clear and comprehensive information to the board on operational risk and maintain appropriate and effective information systems”.

The regulator used the example of the BaaS business model, in which an “ADI provides third parties access to a technology platform, so they can allow their customers to utilise the ADI’s banking services”.

BaaS is growing in popularity, with Westpac launching its product late last year. The platform has since been adopted by Afterpay, Society One and, most recently, HR software maker Flare.

“An ADI would need to ensure the BaaS arrangement meets the requirements in draft CPS 230, and that the operational resilience of the ADI would not be compromised, for example through money laundering, cyber-risk vulnerability or breaches of data confidentiality,” APRA said.

“This includes proposed specific requirements for an APRA-regulated entity to conduct a comprehensive risk assessment before providing a material service to another party.”

Extended supply chain risks

In addition to BaaS arrangements, the proposed standard also seeks to address increasing reliance on service providers, including “fourth parties and other downstream providers”.

“With an increasing reliance on service providers, there is greater complexity in supply chains; a number of service providers may be involved in providing a service to an APRA-regulated entity,” APRA said.

“A regulated entity may have a direct agreement with a service provider (a third-party) who, in turn, is reliant on another service provider for the provision of a service (a fourth-party).”

“In certain cases, these fourth party service providers can, in turn, be reliant upon yet another service provider.

“This can result in APRA-regulated entities relying on downstream service providers without a direct agreement in place, which can impede their ability to manage risks in the supply chain.”

APRA said that the new standard would require APRA-regulated entities to identify “material service providers” that are critical to operations, and “manage the risks associated with the use of the providers”.

Consultation will run until October 21, with the new standard expected to come into force from January 2024.
