The need for transparency and strong partnerships in an evolving regulatory landscape

supporting compliance
  • Insight
  • February 28, 2025

Modern business ecosystems involve a complex web of outsourced provider relationships relied on for critical functions such as technology and operations. For regulated financial services companies, this reliance is coming under increasing regulatory scrutiny. Companies must not only understand how their service providers manage the services and data entrusted to them, but also ensure those services and data are managed securely, resiliently and ethically.

APRA’s prudential standards CPS 234 (Information Security) and CPS 230 (Operational Risk Management), the ATO's third-party tax governance guide, and emerging considerations around Artificial Intelligence (AI) and sustainability standards all emphasise a common theme: the need for deeper, more granular governance of third parties. This includes consideration of how these services are being delivered, whether they are secure and resilient, and whether ethical considerations are part of the equation.

The landscape is challenging, and the maturity of Australian service providers to meet these heightened expectations varies significantly. Leading organisations are stepping up, making meaningful strides to provide greater transparency into their operations, controls and monitoring processes. But progress is uneven. While some providers are well-prepared, the broader industry needs to pick up the pace. Global outsourcing providers face an even steeper climb, juggling international regulations on cybersecurity, resilience, sustainability and AI — all while ensuring they meet the high standards expected in Australia. Meanwhile, many regulated companies, as consumers of these services, are still finding their footing. They’re yet to determine what outputs they need from third and even fourth-party providers.

This raises an essential question: How prepared are organisations and their service providers to collaborate and co-create the solutions needed to deliver the comfort and transparency regulators and customers demand?

For service providers, building a robust external reporting framework — one that showcases strong governance and controls to external stakeholders — requires strong foundations. While some regulatory requirements offer transitional periods, these windows are rapidly closing.

Development of significant regulatory obligations

Timeline (reconstructed from the page's graphic; the graphic also colour-coded each item as Australia-specific or global, and as applying directly to the organisation, directly to vendors, suppliers and fourth parties, or only indirectly to vendors and suppliers; that colour coding is not recoverable here):

  • Jan 2023: EU’s Digital Operational Resilience Act (DORA) enters into force (EU)
  • Jun 2023: ISSB releases IFRS S1 and S2 global standards for sustainability disclosures (global)
  • Jul 2023: APRA finalises CPS 230 guidance on operational risk management (AU)
  • 2023: ISO/IEC 23894:2023, Artificial intelligence: guidance on risk management (global)
  • Feb 2024: National Institute of Standards and Technology (NIST) releases Cybersecurity Framework (CSF) 2.0 (global)
  • Aug 2024: Voluntary AI Safety Standard (AU)
  • Aug 2024: European Union’s AI Act enters into force (EU)
  • Aug 2024: Guideline E-21 on Operational Risk Management and Resilience (CA)
  • Sep 2024: AUASB releases Exposure Draft on ASSA 5010, timeline for sustainability report audits (AU)
  • 2024: Corporate Sustainability Reporting Directive (EU)
  • Jan 2025: DORA applies (EU)
  • Jan 2025: Mandatory sustainability reporting begins for financial entities (AU)
  • Jul 2025: CPS 230 comes into effect (AU)

The period from finalisation to commencement is the readiness and implementation phase for CPS 230 (Jul 2023 to Jul 2025) and for DORA (Jan 2023 to Jan 2025).

Key areas to consider as a service provider

Get ready for external reporting

Being well-prepared leads to better results for both service providers and their customers. To make sure expectations are clear from the start, organisations should assess their readiness before starting on any new external reporting regime related to their controls and governance. This involves systematically testing internal processes to identify any control gaps early on and ensuring that new or existing controls are well-designed and effective. Recent experiences with CPS 234 have shown that service providers who proactively designed and tested their controls achieved significantly better outcomes for their customers. As we face new regulations in non-financial risk areas such as resilience, AI, and sustainability, early assessment is crucial to meet the expectations of stakeholders.

Leading service providers have also been observed partnering with their customers to co-create future assurance vehicles that meet the needs of all parties. Running this as a pilot closes the expectation gap between the parties, because feedback is exchanged in real time as the reporting is designed rather than after it is delivered.

Key areas to consider as a customer

Build transparency through collaboration

Transparency with your third and fourth-party service providers isn’t just a regulatory box to check — it’s a shared journey. Many regulated organisations are developing compliance strategies but haven’t yet initiated deep conversations with their service providers. To succeed, you’ll need to define clear service levels and consider co-developing dashboards and reporting that address requirements across resilience, AI and sustainability standards.

Your service providers are likely working with other clients who face similar regulatory challenges. By collaborating, you can align expectations, establish consistent reporting metrics and implement clear accountability measures. This approach builds trust, drives efficiency and creates a robust compliance ecosystem. 

Integrate and streamline your regulatory compliance response

Try not to consider each new regulation as a standalone hurdle. Instead, think of compliance requirements as pieces of a larger puzzle. Tackling them collectively can help you save time, reduce costs and improve outcomes.

For multinational organisations, a global compliance strategy can be especially effective. For example, CPS 230 and CPS 234 overlap in what they expect of service-provider arrangements (CPS 234 on information security controls held by third parties, CPS 230 on the management of material service providers), so aligning information security and third-party policies with both at once ensures comprehensive coverage while minimising duplication. Similarly, linking new sustainability requirements with existing initiatives such as data governance can streamline efforts and accelerate timelines by leveraging mature processes already in place.

Building robust governance frameworks

Evolving AI regulatory landscape

In the rapidly evolving world of Generative AI (GenAI), where there is a strong emphasis on procuring AI solutions rather than developing them independently ("Don't DIY your AI"), both service providers and deployers must carefully navigate a complex and evolving regulatory environment. The incoming and far-reaching EU AI Act, for example, introduces specific requirements and obligations for both providers and deployers to ensure the safe and ethical deployment of AI technologies, including:

Provider obligations:
  • Providers must ensure comprehensive documentation, risk assessments, and cybersecurity measures.

  • They are required to comply with relevant directives, provide usage instructions, and report serious incidents.

Deployer obligations: 
  • Deployers must ensure compliance with the AI Act and understand the AI system's risk classification.

  • They must adhere to relevant transparency and ethical guidelines.

  • They should conduct due diligence, be aware of model limitations, and establish oversight mechanisms.

Some organisations are making no-regrets investments by accelerating the development and implementation of robust AI governance frameworks, covering key elements such as risk-based assessments, transparency and explainability criteria in decision-making, and third-party management in AI procurement. When practically implementing these frameworks, it is important to understand the shared responsibility model with your third parties and to work together so there are no gaps in managing key risks and in designing and operating key controls.

Strengthening sustainability governance

Sustainability extends beyond financial reporting, requiring a broader and more integrated approach to address risks and unlock opportunities. Organisations are encouraged to develop tailored methodologies and controls that align with sustainability priorities. Taking these steps not only addresses internal challenges but also prepares businesses for the growing expectations around mandatory assurance requirements.

As reliance on third-party data continues to grow, ensuring its accuracy and reliability becomes a cornerstone of responsible decision-making. Establishing effective validation processes strengthens stakeholder trust, equips organisations to meet the increasing demand for transparency, and gives them confidence in the quality and reliability of their sustainability reporting when it comes under assurance.

Proactive action in this space is more than compliance—it’s a strategic advantage. By preparing today, organisations can not only meet future regulatory requirements but also lead with confidence in a rapidly evolving sustainability landscape.

The road ahead: Embracing transparency and strong partnerships

The industry is advancing toward a future where proactive transparency and robust service provider management are indispensable. As regulators continue their focus on how organisations manage their third-party suppliers, transparency is no longer optional — it’s a fundamental pillar of successful operations. By embedding transparency into daily processes and nurturing strong partnerships, organisations can deliver services that are secure, resilient and ethical.

Companies that embrace these evolving expectations will not only meet regulatory demands but also strengthen trust with customers, boards and regulators. In doing so, they will set a standard for integrity and excellence, positioning themselves for long-term success in a dynamic regulatory environment.

How we can help

At PwC, we work across this ecosystem of regulated entities and third-party suppliers, with our multidisciplinary teams blending expertise in operational resilience management, third-party trust, AI, sustainability, and industry-specific knowledge. We help organisations build trust with boards, regulators, customers and third-party suppliers. If you would like to learn more about how we can help you, explore our Third-Party Trust services.


Contact us

Nicola Costello, Partner, Digital and AI Trust Leader, PwC Australia. Tel: +61 2 8266 0733

Darren Ross, Partner, Assurance Risk and Digital Trust, PwC Australia. Tel: +61 422 000 238

Carley Bryce, Partner, Assurance Risk and Digital Trust, PwC Australia. Tel: +61 (2) 8266 2028

Deanna Chesler, Partner, Assurance Risk and Digital Trust, PwC Australia. Tel: +61 414 914 834

Joanna Del Vecchio, Director, Assurance Risk and Digital Trust, PwC Australia. Tel: +61 423 616 833