
CPS 230 in the headlights – what APRA regulated entities and their suppliers need to consider

A new compliance era has arrived for Australia’s financial services sector. APRA’s Prudential Standard CPS 230 — Operational Risk Management — came into force on 1 July 2025. If you’re an APRA-regulated entity and you’re still getting your house in order, the clock is running.

And if you supply services to an APRA-regulated entity? This standard is coming for your contracts too.

Here’s what CPS 230 actually requires, why 2026 is the critical year for service provider arrangements, and how Envision Legal can help.


What Is CPS 230?

CPS 230 is APRA’s new cross-industry prudential standard on operational risk management. It replaces a fragmented set of legacy standards — including CPS 231 (Outsourcing) and CPS 232 (Business Continuity Management) — and consolidates them into a single, unified framework.

The goal: ensure that banks, insurers, and superannuation trustees can withstand disruption — whether that’s a cyberattack, a critical system outage, or a failure by a key third-party supplier — without causing material harm to customers or financial markets.

CPS 230 applies across the board to all APRA-regulated entities, including:

  • Authorised Deposit-Taking Institutions (ADIs) — banks, credit unions, building societies
  • General insurers and life insurers
  • Private health insurers
  • Registrable Superannuation Entity (RSE) licensees
  • Non-operating holding companies (NOHCs)

This is not a niche regulatory update. It touches every corner of Australia’s prudentially regulated financial system.


Three Pillars of CPS 230

The standard rests on three core obligations that regulated entities must now embed into their operations.

1. Operational Risk Management

Entities must identify, assess, and manage operational risks through an effective internal control environment. This means a documented, board-approved operational risk management framework — not a policy that sits in a drawer. APRA expects active monitoring, regular testing, and real remediation when controls fail.

Board accountability is significantly elevated under CPS 230. Directors can no longer treat operational risk as a management-level concern. The board must actively oversee the framework, approve tolerance levels, and take ownership of outcomes.

2. Business Continuity Planning

Entities must be able to continue delivering critical operations through severe disruptions — within pre-defined tolerance levels. APRA mandates that certain functions be classified as “critical” by default, including:

  • Payments and deposit-taking (ADIs)
  • Claims processing (insurers)
  • Investment management and fund administration (RSE licensees)
  • Customer enquiries across all regulated entities

Business continuity plans must be tested — not just drafted. Scenario testing of extreme but plausible disruptions is now an expectation, not a best practice.

3. Service Provider Management

This is where CPS 230 reaches furthest — and where most compliance gaps currently sit.

Entities must maintain a formal service provider management policy, identify material service providers, enter into compliant written agreements, and monitor performance against those agreements on an ongoing basis.

Critically, APRA has extended its reach to fourth-party providers — the service providers of your service providers. If a critical function runs on a supply chain, you need visibility across that chain.


Why 2026 Is the Line in the Sand

While the standard commenced on 1 July 2025, APRA provided transitional relief for pre-existing service provider contracts. Those legacy arrangements must comply with CPS 230 from the earlier of:

  • The next contract renewal date, or
  • 1 July 2026.

That transition period is almost gone. Any regulated entity that hasn’t already audited its existing supplier contracts and identified gaps needs to act now. Contracts that were compliant under CPS 231 may not meet the new requirements under CPS 230 — particularly around termination rights, audit access, sub-contracting controls, and business continuity obligations.

For non-significant financial institutions (non-SFIs), certain deferred requirements also apply from 1 July 2026. If that’s you, the runway is short.


Material Service Providers: The High-Stakes Category

Under CPS 230, not all service providers are equal. A material service provider is one whose failure or disruption could have a material impact on a regulated entity’s critical operations, financial position, or reputation.

APRA requires regulated entities to:

  • Maintain a register of material service providers — using APRA’s preferred template for reporting under paragraph 51 of CPS 230
  • Conduct due diligence before engaging a material service provider — and on an ongoing basis
  • Enter into formal written agreements that include specific CPS 230-mandated provisions
  • Monitor performance against agreed service levels and resilience obligations
  • Have exit strategies — credible plans to transition away from a provider if they fail

What must those agreements actually contain? APRA’s final CPS 230 standard and accompanying Prudential Practice Guide CPG 230 are prescriptive. At minimum, material service provider agreements must address:

  • Clear service scope and performance standards
  • APRA’s right of access to information and audit
  • Sub-contracting controls and notification obligations
  • Business continuity and incident response obligations
  • Data security and confidentiality requirements
  • Step-in and termination rights in stress scenarios
  • Notification obligations when the service provider’s own risk profile changes

If your existing supplier agreements don’t cover these — and most legacy contracts don’t — they need to be renegotiated or replaced before the 1 July 2026 deadline.


If You’re a Service Provider: This Applies to You Too

CPS 230 is not just a regulated entity problem. If you supply technology, data, outsourced functions, or professional services to a bank, insurer, or super fund — your clients are now required to impose CPS 230-compliant obligations on you by contract.

Expect your regulated clients to come to the table with new or amended agreements. Expect audit rights, business continuity obligations, sub-contracting restrictions, and enhanced data security requirements to be non-negotiable positions from their side.

Understanding what those contract provisions mean — and where the commercial risk sits — matters before you sign.


How Envision Legal Can Help

At Envision Legal, we work with businesses operating in or alongside Australia’s insurance and financial services sector. We understand the regulatory environment, the commercial pressures, and what CPS 230 compliance actually looks like at the contract level.

Here’s where we add value:

For APRA-Regulated Entities

  • Service provider contract gap analysis — we review your existing material service provider agreements against CPS 230 requirements and identify what needs to change before 1 July 2026
  • CPS 230-compliant contract drafting — new agreements or addenda built to satisfy APRA’s requirements without unnecessary commercial friction
  • Supplier negotiation support — helping you navigate pushback from service providers on audit rights, sub-contracting controls, and termination provisions
  • Policy and framework review — plain-English assessment of your service provider management policy and whether it meets the standard

For Material Service Providers

  • Contract review before you sign — understanding what CPS 230-driven obligations your regulated clients are imposing on you, and where the risk sits
  • Negotiation advice — where provisions are unreasonable or go beyond what CPS 230 actually requires, we’ll tell you and help you push back
  • Precedent addenda — efficient, fixed-fee solutions for businesses receiving multiple CPS 230 addenda across their client base

We work on fixed fees. No billable hour surprises. Just clear, commercial legal advice delivered fast.

Book a free 15-minute consultation to talk through where you stand on CPS 230 compliance.


The Bottom Line

CPS 230 is the most significant overhaul of operational risk management obligations for APRA-regulated entities in a generation. The 1 July 2025 commencement was not the finish line — it was the starting gun. The real pressure point for service provider arrangements is now, with the 1 July 2026 deadline fast approaching.

If your contracts aren’t CPS 230-ready, the time to fix that is before your next renewal date — not after APRA comes knocking.

Get ahead of it. Talk to us.


This article contains general information only and does not constitute legal advice. Envision Legal accepts no liability for any loss arising from reliance on this content. You should seek independent legal advice tailored to your specific circumstances. For enquiries, contact Envision Legal.
