
Intelligence generated by AI from public regulatory sources. Not investment or regulatory advice. Verify before relying on any output.

Regulators

Framework mappings for ICAAP, ORSA, and supervisory submissions

Clause-level detail — each pack maps specific regulatory clauses to risk themes and scenarios, with relevance narratives for evidence preparation. For a high-level view of framework obligations without clause detail, see Alignment.

3 Regulators · 18 Mapped Clauses · 5 Linked Themes · 3 Jurisdictions

CPS 230 · APRA · v1

APRA CPS 230 Operational Risk Management Alignment Pack

APRA Prudential Standard CPS 230 Operational Risk Management

6 Clauses · 2 Themes

APRA Prudential Standard CPS 230, effective 1 July 2025 (with transitional arrangements for pre-existing service provider contracts until the earlier of their next renewal date or 1 July 2026), consolidates and substantially uplifts operational risk management expectations for all APRA-regulated entities: ADIs, general and life insurers, private health insurers, and RSE licensees. CPS 230 supersedes CPS 231 (Outsourcing) and CPS 232 (Business Continuity Management), introducing three integrated pillars: operational risk management, business continuity, and management of service provider arrangements.

The Standard is unambiguous that the Board is ultimately accountable for operational risk management and must approve the entity's operational risk profile, tolerance levels, business continuity plan, and service provider management policy. A central innovation is the requirement to identify 'critical operations' (processes which, if disrupted beyond tolerance levels, would have a material adverse impact on depositors, policyholders, beneficiaries, or financial system stability) and to set quantitative tolerance levels for each, expressed as the maximum period of disruption, the maximum extent of data loss, and the minimum service levels to be maintained while operating under disruption.

APRA's supervisory approach, articulated in CPG 230 (Prudential Practice Guide), emphasises end-to-end mapping of critical operations including upstream and downstream dependencies, scenario testing under severe-but-plausible conditions, and rigorous management of material service providers, including the so-called 'fourth parties' on which those providers in turn depend. APRA has signalled intensive thematic review activity through 2025-26, with deep-dive reviews of critical operations identification, tolerance level calibration, and material service provider registers expected.

Op Resilience · Board Pack · Risk Committee · Supervisory · Thematic Review · Risk Appetite
Clause Mapping

Paragraphs 13-18

Establishes Board and senior management roles and responsibilities. The Board must approve the operational risk management framework, oversee its implementation, and ensure operational risk is managed within risk appetite. Senior management is accountable for day-to-day operational risk management and must provide the Board with comprehensive, accurate and timely information.

Paragraphs 23-29

Requires identification, assessment and management of operational risks across all business activities, including the maintenance of an operational risk profile, comprehensive risk and control self-assessment processes, monitoring of key risk and control indicators, and timely escalation of incidents and control weaknesses to the Board.

+4 more clauses

DORA · EBA · v1

EU DORA Digital Operational Resilience Alignment Pack

Regulation (EU) 2022/2554 on Digital Operational Resilience for the Financial Sector

6 Clauses · 2 Themes

The Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, became fully applicable on 17 January 2025 and establishes a unified, directly binding ICT risk management regime across EU regulated financial entities: banks, insurers, investment firms, CCPs, trading venues, crypto-asset service providers, crowdfunding service providers and the other entity types listed in Article 2. DORA elevates ICT risk from an operational sub-discipline to a board-level prudential concern, requiring management bodies to bear ultimate responsibility for the ICT risk management framework, approve the digital operational resilience strategy, and allocate appropriate budget.

The Regulation is supplemented by a suite of Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) developed jointly by the three ESAs (EBA, EIOPA and ESMA), covering ICT risk management tools, incident classification and reporting, threat-led penetration testing (TLPT), and ICT third-party risk management. A defining feature is the Oversight Framework for critical ICT third-party service providers (CTPPs), under which the ESAs designate and directly oversee systemically important providers, including hyperscale cloud platforms, with powers to request information, conduct general investigations and on-site inspections, issue recommendations, and impose periodic penalty payments.

Supervisory expectations centre on: demonstrable management body engagement; granular mapping of ICT assets supporting critical or important functions; contractual provisions with ICT third-party providers that meet the Article 30 minimum content, recorded in the mandatory Register of Information; severity-tiered incident classification, with the initial notification of a major ICT-related incident due within 4 hours of classifying it as major and no later than 24 hours after becoming aware of it; and TLPT at least every three years for the entities that competent authorities identify as required to perform it. Non-compliance carries reputational, supervisory, and pecuniary consequences, with national competent authorities empowered to impose administrative penalties calibrated to firm size and breach severity.

Op Resilience · Board Pack · Risk Committee · Supervisory · Scenario Design
Clause Mapping

Article 5

Establishes governance and organisation requirements: the management body bears ultimate responsibility for ICT risk management, must approve and oversee implementation of the ICT risk management framework, allocate appropriate budget, and maintain active engagement through regular training. Boards cannot delegate accountability and must demonstrate ICT literacy.

Article 6

Mandates a sound, comprehensive and well-documented ICT risk management framework covering the strategies, policies, procedures, ICT protocols and tools necessary to protect information and ICT assets. The framework must be reviewed at least once a year (periodically in the case of microenterprises), after major ICT-related incidents, and following supervisory instructions or conclusions from resilience testing or audit, and must be subject to internal audit on a regular basis in line with the entity's audit plan.

+4 more clauses

SS1/23 · PRA · v1

PRA SS1/23 Model Risk Management Principles Alignment Pack

PRA Supervisory Statement SS1/23 — Model Risk Management Principles for Banks

6 Clauses · 1 Theme

PRA Supervisory Statement SS1/23, effective 17 May 2024, establishes the UK's first comprehensive cross-cutting expectations for model risk management (MRM) at banks, building societies, and PRA-designated investment firms. SS1/23 articulates five core principles: model identification and model risk classification; governance; model development, implementation and use; independent model validation; and model risk mitigants for models with known deficiencies.

Critically, SS1/23 adopts an expansive definition of 'model' that explicitly includes deterministic quantitative methods and, through the PRA's Dear CEO letter follow-up, captures artificial intelligence and machine learning systems used in credit decisioning, financial crime, capital, pricing, and operational decision-making. This brings AI/ML governance squarely within prudential supervisory scope. The PRA expects firms to maintain a comprehensive model inventory with risk tiering, a robust independent validation function reporting to the CRO or equivalent, and senior accountability anchored in the Senior Managers and Certification Regime (typically SMF4, Chief Risk Officer). The Statement explicitly addresses third-party and vendor models, requiring firms to apply the same MRM standards regardless of model origin, a particularly acute challenge for off-the-shelf AI tools, foundation models, and externally procured scoring engines.

The PRA has integrated SS1/23 compliance into routine supervision and Periodic Summary Meetings; firms self-assessed against the principles in 2024, and material gaps must be remediated under board-monitored plans. Supervisory expectations are intensifying as generative AI and agentic systems proliferate in regulated workflows.

ICAAP · Board Pack · Risk Committee · Supervisory · Thematic Review
Clause Mapping

Principle 1 (Paragraphs 2.1-2.12)

Model identification, model risk classification and model inventory. Firms must adopt a broad model definition encompassing quantitative methods, AI/ML, and deterministic rule-based systems, maintain a complete inventory, and apply a risk-tiering framework reflecting materiality, complexity and uncertainty — driving proportionate governance intensity.

Principle 2 (Paragraphs 3.1-3.18)

Governance: requires board accountability for model risk strategy and appetite, clear three-lines-of-defence roles, an SMF holder accountable for the MRM framework (typically the CRO under SMF4), and robust policies covering the model lifecycle including challenger and benchmark practices.

+4 more clauses