Regulation
Selling to an APRA-regulated company? What CPS 230 now asks of you
CPS 230 is a prudential standard for APRA-regulated companies, not for you. So why does it keep landing on your desk during procurement? Because banks, insurers and super funds can't meet it without the vendors they depend on. When a regulated buyer relies on you to run something critical, the standard reaches your contract and your controls. You don't have to be APRA-regulated. You do have to prove you're a well-governed partner, with evidence, before the deal goes through.
Why a banking rule lands on your desk
CPS 230 makes a regulated entity accountable for the resilience of its critical operations, including the parts you run for them. It can't carry that accountability unless the arrangement with you is governed the way the standard requires. So the obligations flow downhill: the buyer has to hold a contract with you that carries specific terms, has to assess your operational resilience, and has to be able to show APRA it manages the risk you represent. None of that works without your cooperation, which is why the questions arrive.
Are you "material"?
The standard turns on one classification. You are a material service provider if the regulated entity relies on you to undertake a critical operation, or if you expose it to material operational risk. Some categories are treated as material by default unless the entity justifies otherwise, and core technology services is one of them, which catches a lot of software and infrastructure vendors. If you're material, the full weight of the service provider provisions applies to your arrangement. The safe assumption: if you sell something a bank runs its critical operations on, you're in scope.
What the buyer will now require of you
Two things, broadly: evidence that you're operationally resilient, and a contract that carries the terms CPS 230 requires. On the evidence, expect due diligence on your controls and how you test them, your business continuity arrangements, a named risk contact, and visibility of your own subcontractors. On the contract, the regulated entity needs a formal agreement that, at a minimum, addresses seven terms.
- 1The services and service levels.
- 2Rights and responsibilities, including ownership and control of data, dispute resolution, audit access, liability and indemnity.
- 3Provisions that let the entity meet its own legal and compliance obligations.
- 4Notification when you rely on your own material subcontractors.
- 5Liability for any subcontractor failure resting with you.
- 6A force majeure provision.
- 7Termination rights, including partial termination.
Three further provisions will be non-negotiable, because the standard requires them: APRA's access to documentation and data related to the service, APRA's right to conduct an on-site visit, and your agreement not to impede APRA as prudential regulator. Vendors often push back on the access and on-site clauses. They aren't the buyer overreaching. They're in the standard, and the buyer can't sign without them.
Your subcontractors are in scope too
CPS 230 reaches fourth parties: the providers you rely on to deliver the service. A regulated buyer has to understand and manage that chain, so you'll be asked who you depend on, and your contract will make any failure by your subcontractors your responsibility. If your own supply chain is opaque, that becomes the buyer's problem, and therefore yours, at exactly the wrong moment in a deal.
The assurance step is where deals stall
For most vendors the pain isn't abstract. A deal reaches the security and resilience review and stops for weeks while someone assembles answers from scratch. CPS 230 has made those reviews harder and more frequent, and this isn't a one-off tied to a deadline: every new deal with a regulated buyer triggers it, indefinitely. The vendors who win walk into the assurance step with the evidence already packaged: control summaries, continuity evidence, a clear subcontractor picture, and contract terms they've already agreed they can meet. The scramble is optional. The review is not.
The dates that matter to you
CPS 230 has been in force since 1 July 2025. For contracts, the line is the earlier of the agreement's next renewal or 1 July 2026, so remediation lands deal by deal as agreements come up for renewal rather than all at once. In practice the requests aren't slowing down; they're spreading across every renewal and every new tender. Getting your evidence and a standard set of terms ready once, rather than reinventing them per deal, is the difference between assurance being a speed bump and a roadblock.
Key Takeaway
CPS 230 doesn't regulate you, but it reaches you. When a bank, insurer or super fund relies on you for a critical operation, you're a material service provider, and the buyer needs evidence of your operational resilience plus a contract carrying seven minimum terms and three APRA-access provisions, on-site access included. You don't have to be APRA-regulated; you have to prove you're well-governed, before the deal closes. This isn't a 2026 deadline that passes. It's the new normal of selling to regulated buyers, deal by deal. Package the evidence once and the assurance step stops stalling your pipeline.
Get ahead of the assurance step
Stop rebuilding your assurance answers every deal.
The Vendor Resilience Gap Scan shows you exactly what an APRA-regulated buyer will ask, where you fall short, and what to fix first, built by an architect who ran vendor assurance inside Tier-1 banks.