In July next year, CPS 230, a regulation that aims to strengthen operational risk management by large insurers comes into force. Some industry sources say this standard is an industry “game changer”. Others suggest small insurance firms, including underwriting agencies and brokerages, could be forced out of business by the compliance obligations.
Insurance Business is approaching insurance firms for their views on this Australian Prudential Regulation Authority (APRA) standard. Some industry insiders suggest agencies are the most obvious insurance entities impacted by CPS 230.
IB has reached out to half a dozen agencies. One had little knowledge of the regulation, another said it was time consuming and expensive but doubted it would put anyone out of business.
However, at Steadfast Group’s FY24 results presentation last month, an analyst asked Steadfast leaders about merger and acquisition (M&A) opportunities that could present themselves as CPS 230 plays out. The analyst asked if Steadfast has had any discussions yet with smaller agencies that may struggle under the regulation once it comes into force?
CEO Robert Kelly said “there are some opportunities that may come forward.”
“There’s a real rationalization going on with APRA-approved insurers in the Australian market at the moment and there are underwriting agencies that are being told, not that there’s anything wrong with them, but that they [APRA] don’t want to handle smaller underwriting agencies,” said Kelly.
However, he didn’t expect any M&A opportunities until after March next year. At that time, he said, some agencies may come under pressure from their capital providers to show how they are complying with this new rule.
Steadfast COO Nigel Fitzgerald said, currently, it’s the insurers themselves who are organising their compliance under CPS 230.
“Then as they [the insurers] look to apply that to their agencies more specifically, then an agency will identify that the investment required doesn’t meet the operating margins of the business and they will look for an exit,” said Fitzgerald.
Tetiana George (pictured above) says this new regulation is a “game changer”. Since guidelines were released in July last year, in her view, the regulation has triggered an “evolution” she described as “adapt quickly or die”.
“While the standard is not imposed directly on a wider industry - meaning agencies, TPAs and suppliers - their activities fall in scope of the standard and will be indirectly monitored,” said George, board member of Insurtech Australia and CEO of Curium, a compliance software company.
“To be clear, APRA is not going to supervise them directly, but through insurers,” she said.
George said insurers are expected to significantly enhance their risk frameworks, incident response and better understand the risks associated with their suppliers.
“APRA is expecting insurers to focus on critical operations, including underwriting, claims, risk management, core technology and internal audits,” she said.
George said the result of this regulation is that every company working with a large insurer will have to raise the bar on their operational risk.
“Underwriting agencies are the first obvious group impacted,” she said.
One reason is that some small agencies do not usually have dedicated risk and compliance resources. These firms, she said, are already under pressure from “more than 100 regulatory obligations they need to actively manage.”
However, claims services firms, technology providers, brokers under binder agreements and any service firm seen as “critical” by insurers will all be impacted.
“Many businesses already see material changes referring to CPS230 in their agreements with insurers, such as binder agreements and supplier contracts,” she said. “These are usually non-negotiable.”
George said the risk of non-compliance is not a function of size or resources but culture. Bigger companies with a poor compliance culture could also struggle to comply. Many small businesses have “great risk and compliance culture” helped by clever use of technology, she said.
“In our experience, companies that are not AFS-licenced will face the greatest challenge compared to most AFSL businesses, that are used to some degree of ongoing compliance already,” she said.
A paper by international law firm, Allens, has listed key takeaways from CPS 230.
One important change, said the authors, is a shift away from APRA’s previous focus on recovery from disruption to the capability to operate through disruption.
“In strengthening the ability of APRA-regulated entities to identify, manage, and respond to operational risk events, APRA is seeking to enhance operational and financial resilience, as well as financial stability,” the former APRA chair Wayne Byres said in a statement during the 2022 consultations.
How do you see CPS 230? Please tell us below
