As the Australian Prudential Regulation Authority (APRA) rolls out Prudential Standard CPS 230 Operational Risk Management (effective 1 July 2025), material service providers (MSPs) to APRA-regulated entities face new expectations. Whether you provide core technology services, credit assessments or other critical operations, understanding CPS 230 is essential to maintaining strong partnerships and meeting regulatory demands. Here’s a breakdown of what service providers need to know.
Written by Mi Zhao, Senior Manager and CPS 230 SME
What is CPS 230?
CPS 230, titled “Operational Risk Management,” is the latest regulatory standard issued by the Australian Prudential Regulation Authority (APRA). This standard replaces previous requirements on outsourcing (CPS 231) and business continuity management (CPS 232).
Its primary goal is to improve the resilience of APRA‑regulated entities by ensuring they can withstand operational disruptions, whether from cyberattacks, third-party failures or internal process breakdowns.
Which organizations need to comply with CPS 230?
CPS 230 applies directly to APRA-regulated entities, including:
- Banks and credit unions
- Insurers (general, life, and private health)
- Superannuation (pension) funds
If your organization isn’t regulated by APRA, CPS 230 doesn’t legally bind you directly. However, the standard’s requirements flow downstream to MSPs through contractual obligations.
By mandating tighter contractual controls, the standard indirectly shapes how MSPs operate and the compliance activities they need to undertake. APRA-regulated entities have until 1 July 2026, or the next renewal date of an existing agreement, to ensure their agreements with Material Service Providers comply with CPS 230. This means Material Service Providers need to act now: proactively engage with APRA-regulated clients to negotiate timelines and contractual terms, avoid last-minute scrambles, and position themselves as reliable, CPS 230-ready partners.
My organization is a service provider to APRA-regulated entities - where should we start?
1. Understand your status as a material service provider
CPS 230 doesn’t apply to all service providers, only those classified as “Material Service Providers” (MSPs) by APRA-regulated entities. To navigate compliance effectively, start by clarifying whether your APRA-regulated clients designate your services as “material.”
APRA defines MSPs as providers:
- Which APRA-regulated entities rely on to undertake a critical operation, or
- Which expose them to material operational risk.
Examples of services that MSPs provide include credit assessment, claims management, mortgage brokerage and core technology services.
Key clarification:
- It’s not your call: The responsibility to classify your organization as an MSP (or not) lies with your APRA-regulated clients.
- If designated as an MSP, you should collaborate with clients to:
  - Confirm exactly which critical operations you support (e.g., payments, claims processing, customer inquiries).
  - Confirm the tolerance levels* for these critical operations. Note that tolerance levels are set by your client.
2. Review your contracts
Once your organization has confirmed its status as an MSP for APRA-regulated clients, it should review the contracts with these clients to ensure that they contain:
- CPS 230-specific clauses: Audit rights for APRA, fourth-party disclosures, liability for subcontractor failures etc.
- Service levels that match client tolerance levels (e.g., uptime guarantees, recovery time objectives).
3. Business Continuity Planning
Your Business Continuity Plan (BCP) should enable APRA-regulated clients to maintain critical operations during disruptions. This includes:
- Testing: Participate in your clients’ BCP testing cycles, especially for severe but plausible scenarios.
- Tolerance Alignment: Ensure recovery timelines match the client’s tolerance levels (e.g. if your client’s maximum allowable outage is 4 hours, your Recovery Time Objective should be ≤4 hours).
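The tolerance alignment check above has three dimensions, matching the three parts of the tolerance level definition in the footnote: maximum outage period against your Recovery Time Objective, maximum data loss against your Recovery Point Objective, and minimum service level against the capacity your alternative arrangements actually sustain. The following Python script is an added example, not code from the original post or from AssuranceLab; it runs that three-way comparison across a provider's whole catalogue of supported critical operations and lists every gap, including operations the client has set a tolerance for but the BCP does not cover at all. The operation names and all numbers are constructed sample values; in practice the tolerance side comes from the APRA-regulated client.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ToleranceLevel:
    """Tolerance level for one critical operation, as set by the APRA-regulated client."""
    operation: str
    max_outage_hours: float        # (a) maximum tolerable disruption period
    max_data_loss_minutes: float   # (b) maximum acceptable data loss
    min_service_level_pct: float   # (c) minimum service level under alternative arrangements


@dataclass(frozen=True)
class ProviderCapability:
    """What the MSP's Business Continuity Plan commits to for one operation."""
    operation: str
    rto_hours: float               # Recovery Time Objective
    rpo_minutes: float             # Recovery Point Objective
    degraded_capacity_pct: float   # capacity the fallback arrangement sustains


def find_gaps(tolerances: List[ToleranceLevel],
              capabilities: List[ProviderCapability]) -> List[str]:
    """Return one human-readable line per point where the BCP falls short of a client tolerance.

    An empty list means every critical operation is covered and within tolerance.
    """
    caps: Dict[str, ProviderCapability] = {c.operation: c for c in capabilities}
    gaps: List[str] = []
    for t in tolerances:
        c = caps.get(t.operation)
        if c is None:
            # The client treats this as a critical operation but the BCP says nothing about it.
            gaps.append(f"{t.operation}: no BCP capability recorded for this critical operation")
            continue
        if c.rto_hours > t.max_outage_hours:
            gaps.append(f"{t.operation}: RTO {c.rto_hours:g}h exceeds client maximum outage "
                        f"of {t.max_outage_hours:g}h")
        if c.rpo_minutes > t.max_data_loss_minutes:
            gaps.append(f"{t.operation}: RPO {c.rpo_minutes:g}min exceeds client maximum data "
                        f"loss of {t.max_data_loss_minutes:g}min")
        if c.degraded_capacity_pct < t.min_service_level_pct:
            gaps.append(f"{t.operation}: fallback capacity {c.degraded_capacity_pct:g}% is below "
                        f"client minimum service level of {t.min_service_level_pct:g}%")
    return gaps


# Constructed sample data: what a client might set, and what a provider's BCP might commit to.
CLIENT_TOLERANCES = [
    ToleranceLevel("payments", max_outage_hours=2, max_data_loss_minutes=5, min_service_level_pct=90),
    ToleranceLevel("claims processing", max_outage_hours=4, max_data_loss_minutes=60, min_service_level_pct=50),
    ToleranceLevel("customer inquiries", max_outage_hours=24, max_data_loss_minutes=240, min_service_level_pct=30),
]
PROVIDER_BCP = [
    ProviderCapability("payments", rto_hours=1, rpo_minutes=1, degraded_capacity_pct=100),
    ProviderCapability("claims processing", rto_hours=8, rpo_minutes=30, degraded_capacity_pct=40),
    # "customer inquiries" is deliberately absent to show the uncovered-operation case.
]


if __name__ == "__main__":
    report = find_gaps(CLIENT_TOLERANCES, PROVIDER_BCP)
    if not report:
        print("BCP is aligned with all client tolerance levels")
    for line in report:
        print("GAP:", line)
```

Run against the sample data it reports three gaps: the claims processing RTO and fallback capacity both miss the client's tolerance, and customer inquiries has no BCP entry at all. Re-run the check whenever a client revises a tolerance level or the BCP is re-tested, since either side can move independently.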
4. Subcontractor Management
CPS 230 requires regulated entities to map dependencies across their supply chains, including the MSP’s subcontractors (i.e. fourth parties). This includes:
- MSPs should notify APRA-regulated clients of material subcontractors.
- MSPs should assume liability for subcontractor failures.
By understanding and embracing CPS 230, MSPs can proactively refine their contracts, business continuity plans, and subcontractor management practices to not only meet regulatory demands but also enhance overall resilience and reliability. With the deadline fast approaching, now is the time to assess your MSP status and align your strategies accordingly.
*Tolerance levels refer to:
(a) the maximum period of time the entity would tolerate a disruption to the operation;
(b) the maximum extent of data loss the entity would accept as a result of a disruption; and
(c) minimum service levels the entity would maintain while operating under alternative arrangements during a disruption.
How can we help?
AssuranceLab’s mission is to help you streamline your compliance requirements! Our SOC 2+ framework contains the typical SOC 2 scope as well as compliance activities required for MSPs. This means as an MSP, you can provide a SOC 2+ report to your APRA-regulated clients to prove compliance with CPS 230. All you have to do is get in touch!