Prudential Standard CPS 230 came into effect on 1 July 2025, reshaping how banks, insurers and superannuation funds manage operational risk and third-party arrangements. While the standard applies directly to APRA-regulated entities, its impact is being felt across the broader financial ecosystem.
Whether you are a cloud, data-processing or IT vendor, a payments provider or another professional services firm, if you provide material services to an APRA-regulated entity, CPS 230 will affect you. Read on to see how you may need to adjust the way you present your services, respond to tenders, negotiate your contracts, and deliver on your obligations to meet your clients’ new CPS 230 compliance expectations.
What CPS 230 Does
Prudential Standard CPS 230 requires APRA-regulated entities to actively manage and oversee the risks that arise not only from their own operations, but also from third- and fourth-party providers involved in delivering critical services. APRA expects regulated entities to have visibility and control over the entire supply chain supporting their critical operations.
A material service is one that supports a critical operation or exposes the client to material operational risk. A material service provider is any third party the institution relies on for such a service – for example, a provider of cloud hosting, data processing, credit assessment, or claims management. CPS 230 automatically deems some services material, such as credit assessment for banks or fund administration for superannuation trustees.
CPS 230 also affects how banks and insurers approach procurement and tenders, and introduces ongoing obligations. Before entering into or renewing any material service arrangement, APRA-regulated entities must carry out due diligence and risk assessments on potential providers. This means CPS 230 obligations start well before a contract is signed – your business may be assessed during the tender process for its operational resilience, governance, data management and business-continuity planning. Those obligations don’t stop once you are appointed: under CPS 230, oversight and assurance are ongoing, with regulated entities required to monitor, review and test their service providers’ performance and risk controls throughout the life of the engagement.
How Oversight Is Changing
CPS 230 aims to fix long-standing weaknesses in how institutions have managed their outsourcing risks, including “set and forget” oversight, over-reliance on vendor attestations, and poor visibility of subcontractors. Here’s what’s changing in practice:
- Onboarding is now evidence-based. Procurement is being centralised and handled by specialist risk teams. Due diligence is deeper and focused on control effectiveness, not just checklists. As a material service provider, you’ll likely be asked to provide concrete proof – for example, control-testing outcomes, SOC 2 reports, or BCP results.
- Monitoring is continuous. Oversight won’t stop after signing. Regulated clients will conduct ongoing reviews, require regular operational reports and test how your business continuity or incident response plans perform in practice. Some of this monitoring supports the client’s APRA notifications (for example, updates involving critical operations or material offshoring), so timely, accurate information from providers really matters.
- Fourth-party visibility is required. APRA expects regulated entities to understand who you rely on. That means being transparent about your own subcontractors, obtaining approval for changes and showing you manage them appropriately.
- Accountability is formalising. Each major supplier relationship within an APRA-regulated institution must now have a named accountable executive. Vendors are also expected to identify a senior contact who owns compliance and communication from their side.
The shift is from a transactional contract to an ongoing governance relationship. Service providers that can demonstrate maturity, openness and resilience will be preferred partners.
- Mandatory contract terms are prescribed.
CPS 230 prescribes minimum terms that must appear in every agreement covering a material service. At a minimum, contracts must:
- define the services and service levels being provided;
- set out the rights and responsibilities of each party, including ownership and control of data, audit access, liability and indemnity;
- ensure the client can continue to meet its prudential and legal obligations;
- require notification of material subcontractors or “fourth parties”;
- make the provider responsible for the performance and failures of subcontractors;
- include force majeure and termination provisions allowing for orderly exit; and
- allow APRA access to relevant documentation and data, and permit on-site visits where required for supervision.
For existing contracts, the above requirements apply from the earlier of the next renewal date or 1 July 2026. So even if you’re not renegotiating now, your next renewal is likely to trigger a CPS 230 review.
But You’re Not APRA-Regulated!
Even though you’re not regulated by APRA, if you sell services to banks, insurers or super funds, your clients must be able to demonstrate to APRA that they can rely on you. If you are a material service provider, this means they’ll expect you to:
- understand how your service supports their critical operations;
- nominate a senior contact who manages risk and communication;
- keep your risk, continuity and subcontractor controls documented and current;
- respond openly and promptly to information requests; and
- disclose any incidents or material changes early.
In other words, you don’t need to be APRA-compliant – but you do need to behave like a trustworthy, well-governed partner. You can make it easier for your own clients to meet CPS 230 by:
- keeping accurate, accessible records of your risk and continuity controls;
- responding quickly and fully to client assurance requests;
- participating in testing or incident exercises when invited;
- being prepared to assist with periodic reviews, covering things like operational issues, control effectiveness, information security and BCP capability – plan to create an annual evidence pack; and
- being transparent about issues and proactive in resolving them.
Regulated clients must also keep a formal policy and a live register of material service providers, so expect structured data requests to help them populate and maintain those records. APRA values demonstrated improvement over superficial compliance. Vendors who engage constructively will strengthen their position as trusted partners.
Preparing Your Business
Over the next year, APRA-regulated entities will continue reviewing their outsourcing frameworks and templates to meet CPS 230. Whether you are an existing vendor or aiming to become one, you can get ahead by:
- reviewing your continuity and incident response plans;
- knowing exactly where data is stored and which subcontractors you use;
- reviewing your own subcontracts to ensure they support audit and access rights;
- setting up an internal process for responding to CPS 230-related information requests; and
- training your teams to understand these obligations and communicate confidently with clients.
Being ready doesn’t just help compliance – it makes procurement and renewal discussions faster and smoother.
Where to from Here
CPS 230 has made resilience and transparency essential parts of doing business with banks, insurers and other regulated entities. For service providers, success now depends on how well you can support your regulated client’s compliance journey.
Our corporate lawyers work with service providers that sell to banks, insurers and other regulated institutions. We can help you:
- determine if you are likely to be a material service provider under CPS 230;
- understand how CPS 230 flows through to your contracts and obligations;
- respond to contract variations and due diligence requests;
- negotiate with expert assistance; and
- prepare or amend your internal documentation and governance materials.
Feel free to get in touch with us here if we can help you with anything related to CPS 230!
Author
Kelly is also an experienced regulatory compliance lawyer. She assists clients to navigate through the minefield of regulatory investigations, including those initiated by the Australian Competition and Consumer Commission. She advises on and responds to regulatory notices, advocates on behalf of clients and provides in-house corporate compliance training, policies, and procedures.