Content Options:

Content Options

View Options:


You are viewing the version of the document as on 2025-12-01.

CTPS 4.2 Requirement 1: Governance

CTPS 4.2.1R

1A critical third party must ensure that its governance arrangements promote the resilience of any systemic third party service it provides, including by:

  1. (1)

    appointing one or more individuals who:

    1. (a)

      are employees of the critical third party or members of its governing body; and

    2. (b)

      possess the appropriate authority, knowledge, skills and experience,

    to act as the central point of contact with the regulators in their capacity as authorities having oversight functions;

  2. (2)

    establishing clear roles and responsibilities at all levels of its staff who are essential to the delivery of a systemic third party service, with clear and well-understood channels for communicating and escalating issues and risks;

  3. (3)

    establishing, overseeing and implementing an approach that covers the critical third party’s ability to prevent, respond and adapt to, as well as recover from, any CTP operational incident;

  4. (4)

    implementing lessons learned from CTP operational incidents and any testing and exercising undertaken, including but not limited to that undertaken in accordance with CTPS 5 (Assurance, scenario testing and incident management playbook exercise);

  5. (5)

    ensuring appropriate review and approval of any information provided to the regulators;

  6. (6)

    notifying the regulators in writing of:

    1. (a)

      the names of the individuals appointed under (1);

    2. (b)

      the business address of those individuals; and

    3. (c)

      the email address, telephone number and out of hours contact details for each of those individuals; and

  7. (7)

    notifying the regulators of any changes to the information notified under (6) as soon as is practicable.