
CPS 230 Compliance for Service Providers: Selling to Banks and APRA-Regulated Entities


Prudential Standard CPS 230 came into effect on 1 July 2025, reshaping how banks, insurers and superannuation funds manage operational risk and third-party arrangements. While the standard applies directly to APRA-regulated entities, its impact is being felt across the broader financial ecosystem.

Regardless of whether you are a cloud, data-processing, IT vendor, payments provider or other professional services firm, if you provide material services to an APRA-regulated entity, CPS 230 will affect you. Read on to see how you may need to adjust the way you present your services, respond to tenders, negotiate your contracts, and deliver on your obligations to meet your clients’ new CPS 230 compliance expectations.

What CPS 230 Does

Prudential Standard CPS 230 requires APRA-regulated entities to actively manage and oversee the risks that arise not only from their own operations, but also from third- and fourth-party providers involved in delivering critical services. APRA expects regulated entities to have visibility and control over the entire supply chain supporting their critical operations.

A material service is one that supports a critical operation or exposes the client to material operational risk. A material service provider is any third party the institution relies on for such a service – for example, a provider of cloud hosting, data processing, credit assessment, or claims management. CPS 230 automatically deems some services material, such as credit assessment for banks or fund administration for superannuation trustees.

CPS 230 also affects how banks and insurers approach procurement and tenders, and introduces ongoing obligations. Before entering into or renewing any material service arrangement, APRA-regulated entities must carry out due diligence and risk assessments on potential providers. This means CPS 230 obligations start well before a contract is signed – your business may be assessed during the tender process for its operational resilience, governance, data management and business-continuity planning. Those obligations don’t stop once you are appointed: under CPS 230, oversight and assurance are ongoing, with regulated entities required to monitor, review and test their service providers’ performance and risk controls throughout the life of the engagement.

How Oversight Is Changing

CPS 230 aims to fix long-standing weaknesses in how institutions have managed their outsourcing risks, including “set and forget” oversight, over-reliance on vendor attestations, and poor visibility of subcontractors. Here’s what’s changing in practice:

  1. Onboarding is now evidence-based.
    Procurement is being centralised and handled by specialist risk teams. Due diligence is deeper and focused on control effectiveness, not just checklists. As a material service provider, you’ll likely be asked to provide concrete proof – for example, control-testing outcomes, SOC 2 reports, or BCP results.
  2. Monitoring is continuous.
    Oversight won’t stop after signing. Regulated clients will conduct ongoing reviews, require regular operational reports and test how your business continuity or incident response plans perform in practice. Some of this monitoring supports the client’s APRA notifications (for example, updates involving critical operations or material offshoring), so timely, accurate information from providers really matters.
  3. Fourth-party visibility is required.
    APRA expects regulated entities to understand who you rely on. That means being transparent about your own subcontractors, obtaining approval for changes and showing you manage them appropriately.
  4. Accountability is formalising.
    Each major supplier relationship within an APRA-regulated institution must now have a named accountable executive. Vendors are also expected to identify a senior contact who owns compliance and communication from their side. The shift is from a transactional contract to an ongoing governance relationship. Service providers that can demonstrate maturity, openness and resilience will be preferred partners.
  5. Mandatory contract terms.

CPS 230 prescribes minimum terms that must appear in every agreement covering a material service. At a minimum, contracts must:

    • define the services and service levels being provided;
    • set out the rights and responsibilities of each party, including ownership and control of data, audit access, liability and indemnity;
    • ensure the client can continue to meet its prudential and legal obligations;
    • require notification of material subcontractors or “fourth parties”;
    • make the provider responsible for the performance and failures of subcontractors;
    • include force majeure and termination provisions allowing for orderly exit; and
    • allow APRA access to relevant documentation and data, and permit on-site visits where required for supervision.

For existing contracts, the above requirements apply from the earlier of the next renewal date or 1 July 2026. So even if you’re not renegotiating now, your next renewal is likely to trigger a CPS 230 review.

But You’re Not APRA-Regulated!

Even though you’re not regulated by APRA, if you sell services to banks, insurers or super funds, your clients must be able to demonstrate to APRA that they can rely on you. If you are a material service provider, this means they’ll expect you to:

  • understand how your service supports their critical operations;
  • nominate a senior contact who manages risk and communication;
  • keep your risk, continuity and subcontractor controls documented and current;
  • respond openly and promptly to information requests; and
  • disclose any incidents or material changes early.

In other words, you don’t need to be APRA-compliant – but you do need to behave like a trustworthy, well-governed partner. You can make it easier for your own clients to meet CPS 230 by:

  • keeping accurate, accessible records of your risk and continuity controls;
  • responding quickly and fully to client assurance requests;
  • participating in testing or incident exercises when invited;
  • being prepared to assist with periodic reviews, covering things like operational issues, control effectiveness, information security and BCP capability – plan to create an annual evidence pack; and
  • being transparent about issues and proactive in resolving them.

Regulated clients must also keep a formal policy and a live register of material service providers, so expect structured data requests to help them populate and maintain those records. APRA values demonstrated improvement over superficial compliance. Vendors who engage constructively will strengthen their position as trusted partners.

Preparing Your Business

Over the next year, APRA-regulated entities will continue reviewing their outsourcing frameworks and templates to meet CPS 230. Whether you are an existing vendor or aiming to become one, you can get ahead by:

  • reviewing your continuity and incident response plans;
  • knowing exactly where data is stored and which subcontractors you use;
  • reviewing your own subcontracts to ensure they support audit and access rights;
  • setting up an internal process for responding to CPS 230-related information requests; and
  • training your teams to understand these obligations and communicate confidently with clients.

Being ready doesn’t just help compliance – it makes procurement and renewal discussions faster and smoother.

Where to from Here

CPS 230 has made resilience and transparency essential parts of doing business with banks, insurers and other regulated entities. For service providers, success now depends on how well you can support your regulated client’s compliance journey.

Our corporate lawyers work with service providers that sell to banks, insurers and other regulated institutions. We can help you:

  • determine if you are likely to be a material service provider under CPS 230;
  • understand how CPS 230 flows through to your contracts and obligations;
  • respond to contract variations and due diligence requests;
  • provide expert negotiation assistance; and
  • prepare or amend your internal documentation and governance materials.

Feel free to get in touch with us if we can help you with anything related to CPS 230!

Author

  • Kelly is a corporate and commercial lawyer dedicated to the Australian startup ecosystem. She specializes in capital raising, governance, and regulatory compliance, helping businesses, from early-stage to international scaleups, navigate complex commercial transactions. Kelly is a member of the Australian Law Council SME Committee and holds a particular interest in climate-related regulation.
