ASFA, EY release guidance on CPS 230

The Association of Superannuation Funds of Australia (ASFA) and EY have released guidance to help superannuation trustees navigate key aspects of APRA's new prudential standard, CPS 230.

CPA 230 will come into effect on July 1, making super trustees responsible for operational risk management of third-party providers.

ASFA said a key component of its guidance document involves increasing industry awareness of the different types of assurance that may be provided by different types of service providers.

The guidance outlines the various types of assurance available, how trustees can use these to satisfy themselves their outsourced arrangements are CPS 230 compliant, and how to address any potential shortcomings.

The guidance note also includes information for those providing services to superannuation funds regarding trustees' assurance expectations.

"CPS 230 represents a significant uplift to the regulatory requirements for operational risk management, including management of third-party risk," ASFA chief executive Mary Delahunty said.

"Outsourcing of key services has always been a feature of our superannuation industry, so trustees understand the need to ensure outsourced providers of key services are closely monitored, given their important role in providing services to fund members.

"Implementation of CPS 230 is not merely a compliance task, but an important opportunity for trustees to further evolve their risk management frameworks, reflecting the superannuation industry's key role in servicing Australians."

EY national superannuation leader Maree Pallisco added the introduction of CPS 230 provides an opportunity for the superannuation industry to enhance its culture of operational resilience.

"Achieving this will require trustees and service providers to work together in new ways to better identify, report on and manage risks," Pallisco said.

"With the implementation date fast approaching, it's important that trustees develop a clear strategy for overseeing their fund's material third-party service providers - one that enables them to meet the refreshed standards and support the ongoing management of operational risks and resilience."

As part of the guidance EY outlines its Third Party Risk Management framework which is structured around three key domains:

• Oversight & Governance supported by policies and procedures: This includes the framework, and roles and responsibilities establishment to ensure the effective oversight, management, and control of service provider relationships. It is supported by a service provider policy and procedures to operationalise the governance principles.
• The Lifecycle: This encompasses the end-to-end process of managing service provider relationships, from planning and due diligence through to ongoing monitoring and termination.
• Supporting Tools: These encompass the tools and technology such as the service provider inventory/register, risk profiling, reporting, and processes that collectively support the effective implementation and management of the TPRM framework and Lifecycle processes.