For vendors selling to APRA-regulated institutions

Selling to a bank, insurer or super fund?
You're now a material service provider.

You don't have to be APRA-compliant. Only your customer is regulated. But under CPS 230 they now have to prove their critical suppliers are well-governed, which means the resilience questions land on you. Get ready once, and pass every due-diligence review in a day, not two weeks.

The deal reaches procurement, then stalls at the security review.

A bank, insurer or super fund wants to buy. Then comes the due-diligence pack: continuity evidence, control attestations, subcontractor visibility, contract terms that satisfy CPS 230. The deal pauses for weeks while you assemble answers from scratch, and a weak response can lose it outright. This isn't a one-off. Every new regulated customer you win will ask the same questions. The deadline that started it has made vendor due diligence a permanent condition of selling into financial services.

The CPS 230 Vendor Resilience Gap Scan.

One week, fixed scope. We find the gaps an APRA-regulated buyer will, and hand you the pack that closes them, built by a former Tier-1 bank architect who used to sit on the other side of this exact review.

How it works

  1. 1

    We review where you stand

    We look at your current contracts, continuity and security posture, against what an APRA-regulated buyer actually checks.

  2. 2

    You get a prioritised readiness report

    Your top resilience gaps and the order to close them, written by someone who ran this assessment from the bank's side of the table.

  3. 3

    You walk away ready, not just informed

    The Vendor Resilience Pack and a 30-minute walkthrough, so the next due-diligence request is a one-day reply, not a two-week scramble.

You walk away with

The Vendor Resilience Pack

  • The 7 mandatory CPS 230 contract clauses, mapped to your service
  • Business-continuity evidence with tested RTO / RPO targets
  • A subcontractor (fourth-party) register your customer can inspect
  • Incident-notification commitments and timeframes
  • Audit and regulator-access provisions, in plain language
  • A data-residency and security-control summary
  • A one-page Vendor Resilience Profile you can hand any FS customer
1-week fixed-scope engagementFrom $2,500
Book a Gap Scan

Built by a founder with 22+ years on Tier-1 banking platforms (HSBC, Westpac): cloud, security and the supplier reviews you're now on the receiving end of.

10 questions. See where you stand.

These are drawn from the questions APRA-regulated institutions actually put to vendors during procurement. Answer honestly — your score tells you what to fix before the next deal.

0/10

Q1

Do you have a documented Business Continuity Plan you can share with an institution on request?

Q2

Have you tested your BCP in the last 12 months with evidence you can produce to a reviewer?

Q3

Can you provide a SOC 2 Type II, ISO 27001, or equivalent third-party assurance report?

Q4

Do you maintain a register of subcontractors whose failure could impact your service delivery?

Q5

Can you provide documented Recovery Time and Recovery Point Objectives for your service?

Q6

Do you have a defined incident notification process with committed timeframes?

Q7

Do you have a nominated operational risk contact your clients can reach during an incident?

Q8

Do your standard contracts include provisions for client audit rights?

Q9

Have you reviewed your contract terms against the mandatory clauses CPS 230 now requires?

Q10

Can you produce a data residency map showing where client data is stored and processed?

Answer all 10 questions to see your score.