Navigating CPS 230 as a Service Provider

As the Australian Prudential Regulation Authority (APRA) rolls out Prudential Standard CPS 230 Operational Risk Management (effective 1 July 2025), material service providers (MSPs) to APRA-regulated entities face new expectations. Whether you provide core technology services, credit assessments or other critical operations, understanding CPS 230 is essential to maintaining strong partnerships and meeting regulatory demands. Here’s a breakdown of what service providers need to know.

What is CPS 230?

CPS 230, titled “Operational Risk Management,” is the latest regulatory standard issued by the Australian Prudential Regulation Authority (APRA). This standard replaces previous requirements on outsourcing (CPS 231) and business continuity management (CPS 232). 

Its primary goal is to improve the resilience of APRA‑regulated entities by ensuring they can withstand operational disruptions. Whether from cyberattacks, third-party failures or internal process breakdowns.

Which organizations need to comply with CPS 230?

CPS 230 applies directly to APRA-regulated entities, including:

• Banks and credit unions
• Insurers (general, life, and private health)
• Superannuation (pension) funds

Therefore, if your organization isn’t regulated by APRA, CPS 230 doesn’t legally bind you. However, even though MSPs aren’t directly regulated by APRA, the standard’s requirements flow downstream through contractual obligations. 

By mandating tighter contractual controls, the standard indirectly shapes how MSPs operate and the compliance activities they need to undertake. Your APRA-regulated Enterprise Customers will have until 1 July 2026 or the next renewal date of an existing agreement to ensure the agreement with its Material Service Providers complies with CPS 230. This means Material Service Providers need to act now to proactively engage with APRA-regulated Enterprise Customers to negotiate timelines and contractual agreements to avoid last-minute scrambles and position your organization as a reliable, CPS 230-ready partner.

My organization is a service provider to APRA-regulated entities - where should we start?

CPS 230 doesn’t apply to all service providers, only those classified as “Material Service Providers” (MSPs) by APRA-regulated entities. To navigate compliance effectively, start by clarifying whether your APRA-regulated Enterprise Customers designate your services as “material.”

APRA defines MSPs as providers:

• Which APRA-regulated entities rely on to undertake a critical operation, or
  
• That exposes them to material operational risk.
  

Examples of services that MSPs provide include credit assessment, claims management, mortgage brokerage, core technology services etc.

Key clarification:

• It’s not your call: The responsibility to classify your organization as an MSP (or not) lies with your APRA-regulated customers. 
• If designated as an MSP, you should collaborate with your Enterprise Customers to:
  
  • Confirm exactly which critical operations you support (e.g., payments, claims processing, customer inquiries).
  • Confirm the tolerance levels* for these critical operations - note that tolerance levels are set by your Enterprise Customers
    
    

2. Review and Align Contracts

Once your organization has confirmed its status as MSP for APRA-regulated Enterprise Customers, your organization should review the contracts with these clients to ensure that they contain:

• CPS 230-specific clauses: Audit rights for APRA, fourth-party disclosures, liability for subcontractor failures etc.
• Service levels that match Enterprise Customer's tolerance levels (e.g., uptime guarantees, recovery time objectives).

3. Business Continuity Planning

Your Business Continuity Plan (BCP) should enable APRA-regulated Enterprise Customers to maintain critical operations during disruptions. This includes:

• Testing: Participate in your Enterprise Customers BCP testing cycles, especially for severe but plausible scenarios.
• Tolerance Alignment: Ensure recovery timelines match the Enterprise Customers' tolerance levels (e.g. if your Enterprise Customers' maximum allowable outage is 4 hours, your Recovery Time Objective should be ≤4 hours)
  
  

4. Subcontractor Management

CPS 230 requires regulated entities to map dependencies across their supply chains, including the MSP’s subcontractors (i.e. fourth parties). This includes:

• MSPs should notify APRA-regulated Enterprise Customers of material subcontractors.
• MSPs should assume liability for subcontractor failures.

By understanding and embracing CPS 230, MSPs can proactively refine their contracts, business continuity plans, and subcontractor management practices to not only meet regulatory demands but also enhance overall resilience and reliability. With the deadline fast approaching, now is the time to assess your MSP status and align your strategies accordingly.

*Tolerance levels refers to:

(a) the maximum period of time the entity would tolerate a disruption to the operation;

(b) the maximum extent of data loss the entity would accept as a result of a disruption; and

(c) minimum service levels the entity would maintain while operating under alternative arrangements during a disruption. 

How can we help?

AssuranceLab’s mission is to help you streamline your compliance requirements! Our SOC 2 offering covers the typical security, confidentiality and availability requirements for service providers and is a globally recognised general purpose report. We have also expanded our SOC 2 offering now to include additional CPS 230 requirements for MSPs - we call it a SOC 2+ offering. This means that as an MSP, you can provide one SOC 2+ report to your APRA-regulated Enterprise Customers to prove compliance with SOC 2 as well as CPS 230. 

If you want to understand more about CPS 230, whether it applies to you, or what you need to do as a MSP, all you have to do is get in touch with us to have a chat!