Navigating CPS 230: the new reality for underwriting agencies
Compliance expert Paul Muir explains why the prudential regulator’s game-changing operational resilience standard leaves agencies walking a fine line between their own needs and those of insurers.
The new prudential standard CPS 230 introduces strict requirements for insurers to strengthen operational resilience, meaning they must effectively manage operational risks, ensure continuity of critical functions and oversee “material service providers” such as claims and underwriting agencies.
Their most significant challenge lies in outsourcing – where claims and underwriting can be delegated but ultimate accountability cannot.
The Australian Prudential Regulation Authority reform places renewed pressure on general insurers and underwriting agencies to align compliance and risk management practices while building more effective and transparent partnerships.
Who does CPS 230 apply to?
Under section 12 of the Insurance Act 1973, entities must be authorised by APRA to operate as general insurers in Australia.
CPS 230 applies specifically to those insurers authorised under this section. Section 93 of the act provides APRA authorisation for Lloyd’s underwriters to conduct insurance business in Australia.
However, this authorisation is distinct from section 12 and Lloyd’s underwriters do not fall within the statutory definition of “general insurers”.
As a result, CPS 230 does not apply to Lloyd’s underwriters in Australia. These underwriters must comply with Lloyd’s and UK prudential requirements.
Material service providers
Under CPS 230, a service provider is considered material when it supports an insurer’s critical operation (such as claims processing) or exposes the insurer to significant operational risk.
APRA-regulated insurers must maintain a comprehensive service provider management policy and implement processes to ensure material providers are correctly identified, classified and managed.
The insurer board retains ultimate accountability. Insurers must conduct thorough due diligence, establish contracts that set out clear responsibilities, service standards and access rights for both the insurer and APRA, and maintain strong oversight via regular monitoring.
The obligations on underwriting agencies
An underwriting agency with an Australian financial services licence is required to maintain adequate risk management systems to ensure they explicitly identify the risks they face and implement appropriate measures to keep those risks within acceptable limits.
Importantly, the risk management system must not only address the risks of the agency itself but also extend to its representatives, including authorised representatives.
According to ASIC Regulatory Guide 104, the design of a licensee’s risk management system must reflect the nature, scale and complexity of its business and risk profile.
These systems must evolve as the business grows and its risk profile changes. This includes strengthening risk management practices to ensure they continue to meet the requirements of their binder agreements and insurer partners.
The challenges for agencies
Underwriting agencies act on behalf of APRA-regulated insurers, including Lloyd’s underwriters. Risks can arise when, for example:
- The insurer’s strategic objectives or risk profile are inconsistent with the strategic objectives of the agency.
- The insurer’s monitoring and supervision of the agency are restrictive, impacting the customer experience and growth initiatives.
- The agency focuses on the obligations of the insurer instead of taking a holistic approach to risk management.
- The insurer adopts a one-size-fits-all approach to managing compliance and imposes a compliance system fit for an APRA-regulated insurer (with minimum capital requirements) but not for an underwriting agency.
- The insurer fails to appreciate that the agency has its own independent obligations as a licensee.
- The agency creates numerous policies or documents to meet the insurer’s requirements rather than blending both sets of requirements.
- The agency adopts a reactive approach to compliance rather than adopting an operating rhythm.
- Compliance becomes a checklist, task-focused activity rather than a mechanism to protect the business and its people, customers and partners.
- The insurer is subject to an Australian Securities and Investments Commission review (for example, regarding claim delays, pricing promises or complaints handling) and the agency is impacted (also known as contagion risk).
- The insurer’s risk appetite changes and the agency needs to source additional or alternative capacity.
The result is an increase in operational risk, which ironically is the very risk the insurer is trying to manage under CPS 230.
It is therefore apparent that there is mutual benefit for both the agency and the insurer to ensure that the agency’s compliance measures meet not only its own financial services obligations but also the insurer’s requirements.
Underwriting agencies face mounting challenges as the industry evolves, particularly around regulation, operational complexity and the shift towards partnership-based models. A one-size-fits-all regulatory and compliance approach often fails to account for the unique scale and business models of agencies, creating inefficiencies and unnecessary burdens.
This is compounded when agencies manage binders with multiple insurers, each imposing distinct requirements, oversight expectations and systems that must be carefully co-ordinated to maintain compliance and consistency.
At the same time, the rise of embedded insurance highlights the need for agencies to move beyond transactional relationships and build genuine partnerships, aligning with insurers and distribution platforms on technology, customer journeys and risk management to remain competitive in an increasingly integrated market.
The regulatory and operational environment for underwriting agencies is becoming increasingly complex, with CPS 230 raising expectations for insurers and ASIC continuing to emphasise the need for adequate risk management systems.
The key to managing this complexity and meeting the needs and requirements of all parties is to adopt a holistic risk and compliance framework that self-regulates and generates data that provides assurance to the agency and its insurance partner on the adequacy of its risk management system and meeting CPS 230 obligations.
Paul Muir is the director and founder of Compliance Advocacy Solutions, providing specialist compliance services to the general insurance industry.