Regulation
What CPS 230 means for your business, and what to do now
CPS 230 is APRA's operational-risk standard, and it has been in force since 1 July 2025. It pulls the old rules on outsourcing and business continuity into one cross-industry standard and raises the bar: identify the operations your customers can't do without, set limits on how far they can be disrupted, prove your controls hold, and govern the providers those operations run on. The shift underneath it is short to state and hard to do. APRA wants evidence, not a policy. Here is what the standard asks of you, and what to do now that it is live.
What CPS 230 actually is
CPS 230 replaces a patchwork of older standards (outsourcing and business continuity among them) with one standard for operational risk. It applies to every APRA-regulated entity: banks and other ADIs, general and life insurers, private health insurers, and superannuation trustees. Its aim is operational resilience, that your critical operations keep running through a severe but plausible disruption and that you can show, on request, that they will. The word that does the work is "show". A policy on paper is not evidence. The standard is built on four obligations that hang together.
- Manage operational risk: governance, internal controls, and control testing that is actually carried out and recorded, not asserted.
- Define critical operations and set tolerances: name the operations customers depend on, and the limits you will run them to.
- Plan for continuity: a business continuity plan that keeps those operations within tolerance, tested every year.
- Govern your service providers: a register, contracts that carry the required terms, and oversight of the parties they in turn rely on.
Critical operations and tolerances
A critical operation is a process which, if disrupted beyond tolerance, would have a material adverse impact on your customers (depositors, policyholders, beneficiaries) or on your role in the financial system. Payments, deposit-taking, claims processing, fund administration: APRA names categories you must treat as critical unless you can justify otherwise. For each one, your board approves three tolerance levels.
- The maximum period of time you would tolerate the operation being down.
- The maximum data loss you would accept from a disruption.
- The minimum service level you would hold while running on alternative arrangements.
Naming your critical operations is the easy part. The step most firms underdo is the next one: proving the tolerances are real, and that the operation actually holds within them under stress.
Business continuity, tested
Your BCP has to list your critical operations and their tolerances, set the triggers that activate it, and spell out how you keep each operation within tolerance through a disruption. CPS 230 then asks for the thing most continuity plans skip: an annual business continuity exercise that tests your ability to meet tolerances across a range of severe but plausible scenarios, including the failure of a material service provider. A plan that has never been exercised is exactly the gap supervision looks for.
Service providers, contracts and fourth parties
This is where CPS 230 reaches furthest, and where most of the remediation work sits. You must keep a register of your material service providers and submit it to APRA every year. A material service provider is one you rely on to run a critical operation, or that exposes you to material operational risk. Some categories are material unless you justify otherwise, including core technology services, risk management and internal audit. For every material arrangement you need a formal, legally binding agreement, and CPS 230 sets seven minimum terms it must address.
- 1The services covered and their service levels.
- 2Each party's rights and responsibilities, including ownership and control of data, dispute resolution, audit access, liability and indemnity.
- 3Provisions that let you meet your own legal and compliance obligations.
- 4Notification when the provider relies on its own material service providers (sub-contracting).
- 5Liability for any sub-contractor failure resting with your provider.
- 6A force majeure provision.
- 7Termination rights, including the right to exit the whole arrangement or part of it.
The agreement must also carry three further provisions that protect APRA's own reach: access to documentation and data related to the service, the right to conduct an on-site visit, and an undertaking that the provider will not impede APRA as prudential regulator. And the obligation does not stop at your direct provider. You have to understand and manage fourth-party risk: the parties your providers themselves rely on to deliver a critical operation.
The notification clocks
CPS 230 sets hard reporting timeframes, and missing one turns the failure itself into a supervisory issue. Four are worth committing to memory.
- 72 hours to notify APRA after you become aware of an operational risk incident likely to have a material impact.
- 24 hours to notify APRA of a disruption to a critical operation outside tolerance.
- 20 business days to notify APRA after entering into or materially changing a material service provider arrangement for a critical operation.
- Before you sign: material offshoring arrangements need prior notification.
Who is accountable, and the dates that matter
Your board is ultimately accountable. It approves the business continuity plan and the tolerance levels, approves the service provider management policy, and has to weigh the impact on critical operations in the decisions it makes. This is not something to delegate to a working group and forget. On timing, three dates frame where you stand.
- CPS 230 has been in force since 1 July 2025. Significant financial institutions have run under the full standard for a year.
- Non-significant financial institutions have until 1 July 2026 for the business continuity and scenario-analysis requirements.
- Pre-existing service provider contracts must meet the standard by the earlier of their next renewal or 1 July 2026.
Going live was the start, not the finish
It is tempting to read the deadlines as a finish line. They are the opposite: they are when supervision begins. The annual register, the annual continuity exercise, the ongoing control testing and the rolling contract renewals make CPS 230 a standing obligation, not a project you close out. Most firms went live with known gaps and a remediation plan, which is normal and expected, and APRA now probes the distance between the policy and the evidence.
The work that pays off from here is the unglamorous kind: making the tolerances real, getting the contracts remediated as they come up for renewal, and being able to produce the artefacts on the day you are asked rather than assembling them in a scramble. That is the work we do, from the side of the table that asks the questions.
Key Takeaway
CPS 230 is operational-risk regulation built on one demand: evidence. Identify the operations your customers can't do without, set board-approved tolerances, prove your continuity plan holds them, and govern the providers and fourth parties those operations depend on with contracts that carry the seven minimum terms and three APRA-access provisions. It has been in force since 1 July 2025, with non-SFIs and legacy contracts reaching the line on 1 July 2026. The deadline is not the finish; it is when supervision starts. The firms that fare best treat evidence as something they can produce on demand.
Where to from here
Knowing the standard is one thing. Evidencing it is another.
We take AI and the operations it touches from policy to supervisable production for APRA-regulated banks, insurers and super funds. Built by a founder with 22+ years on Tier-1 banking platforms and five years architecting financial-crime risk systems at a global Tier-1 bank.