APRA CPS 230 Compliance for Australian Financial Firms

by | Blog

First Published:

July 10, 2026

Content Written For:

Small & Medium Businesses

Large Organisations & Infrastructure

Government

Read Similar Articles

APRA CPS 230 is the prudential standard requiring APRA-regulated entities to manage operational risk, maintain business continuity and oversee their material service providers. It took effect on 1 July 2025 and applies to banks (ADIs), insurers and superannuation licensees.

APRA CPS 230 is the prudential standard that sets out how APRA-regulated entities must manage operational risk, maintain business continuity and oversee their service providers. It applies to banks and other authorised deposit-taking institutions (ADIs), insurers and superannuation (RSE) licensees. The standard took effect on 1 July 2025.

If your firm is regulated by the Australian Prudential Regulation Authority, this is not optional. In short, CPS 230 consolidates several older standards into one operational risk regime. It raises the bar on resilience, and it expects your board and senior management to own the outcome. Accordingly, this guide explains what the standard covers and who must comply. It then walks through the three core areas, how the standard differs from CPS 234, and the practical steps to close your gaps.

Key Takeaways

  • APRA CPS 230 is APRA’s Prudential Standard on Operational Risk Management. It took effect on 1 July 2025.
  • It applies to APRA-regulated entities: ADIs, general, life and private health insurers, and RSE (superannuation) licensees.
  • CPS 230 consolidates and replaces older standards, including CPS 231 (Outsourcing) and CPS 232 (Business Continuity Management).
  • The standard has three core areas: operational risk management, business continuity, and management of service provider arrangements.
  • CPS 230 and CPS 234 are complementary. CPS 234 governs information security; CPS 230 governs operational risk more broadly.
  • Boards must define critical operations, set tolerance levels, maintain a register of material service providers, and test resilience regularly.

What is APRA CPS 230?

APRA CPS 230 is Prudential Standard CPS 230 Operational Risk Management. It requires APRA-regulated entities to identify and manage operational risk, keep critical operations running within defined tolerance levels, and manage the risks that come from using service providers. The standard took effect on 1 July 2025.

More broadly, CPS 230 is part of APRA’s wider push to strengthen operational resilience across the financial system. Rather than leaving operational risk, outsourcing and continuity in separate documents, APRA brought them together. As a result, the standard is a single, cohesive regime that treats resilience as one connected discipline.

Crucially, CPS 230 consolidates and replaces a number of older requirements. For instance, it supersedes CPS 231 (Outsourcing) and CPS 232 (Business Continuity Management), along with their superannuation and private health equivalents: SPS 231 and SPS 232 (superannuation) and HPS 231 (private health insurance). Consequently, firms that built their programmes around those legacy standards must now map their controls to the new, broader expectations. You can read the standard in full on the APRA website.

Importantly, the shift is more than a renaming exercise. CPS 230 expects entities to think about end-to-end processes, not just isolated systems. It asks: which operations are critical to your customers and the financial system, and how quickly can you restore them when something goes wrong?

Who must comply and by when?

CPS 230 applies to APRA-regulated entities. That includes ADIs (banks, building societies and credit unions), general insurers, life insurers, private health insurers, and RSE (superannuation) licensees. The standard’s core requirements took effect on 1 July 2025.

The reach is deliberately broad. In other words, if APRA regulates your entity for prudential purposes, you are almost certainly in scope. Boards remain ultimately accountable, and senior management must demonstrate that the firm meets the standard in practice, not just on paper. In our CPS 230 readiness work with APRA-regulated banks, insurers and super funds, we have found that boards often underestimate how much practical evidence this accountability demands.

CPS 230 key dates

APRA built in some transitional relief, so a handful of dates matter for planning. The table below sets out the key milestones.

MilestoneDate
Standard takes effect1 July 2025
First material service provider register submitted to APRA1 October 2025 (annually thereafter)
Pre-existing material service provider contracts must complyThe earlier of the next contract renewal or 1 July 2026

Entities should confirm these dates, and any proportionate timing for non-significant financial institutions (non-SFIs), against the current APRA standard.

Ultimately, the safest assumption is simple: if you are an APRA-regulated entity, you should already be operating to CPS 230 and using any transitional window only where it clearly applies.

The three core areas of CPS 230

CPS 230 is organised around three connected areas. Together, they require entities to understand their operations, protect them, and govern the third parties they depend on. Notably, each area carries specific, testable expectations that your board and management must be able to evidence.

1. Operational risk management

First, this is the foundation. Entities must identify, assess and manage operational risk across people, processes, systems and external events. In practice, that means maintaining a clear view of the risks in each critical process and the controls that keep them in check.

Notably, CPS 230 expects more than a risk register that gathers dust. Instead, it asks for active management: testing the design and effectiveness of controls, monitoring incidents and near-misses, and remediating weaknesses promptly. Ultimately, the goal is a living programme that adapts as your operations and threats change.

2. Business continuity

Second, the next area is business continuity. Entities must identify their critical operations, set tolerance levels for how much disruption is acceptable, and maintain plans to keep those operations within tolerance. Typically, tolerance levels cover the maximum acceptable downtime and the level of degraded service the firm can sustain.

Crucially, scenario testing sits at the heart of this. You cannot simply write a plan and file it. Rather, CPS 230 expects regular testing against severe but plausible scenarios, so you can show that critical operations would recover within the limits you have set. Where testing reveals you cannot meet a tolerance, that gap must be addressed.

3. Management of service provider arrangements

Third, the final area governs your reliance on third parties. Entities must identify their material service providers, maintain a register of them, conduct due diligence before and during engagements, and monitor performance and risk on an ongoing basis. Importantly, this replaces and broadens the old outsourcing rules.

A material service provider is one your firm relies on to deliver a critical operation, or one whose failure would have a significant impact. The register must be current and accurate. In addition, contracts need appropriate clauses covering performance, audit, sub-contracting and termination. Monitoring must also continue throughout the relationship, not stop once a contract is signed. In our experience, the material service provider register is usually the biggest gap we find when we begin a CPS 230 readiness review.

CPS 230 vs CPS 234: how they fit together

CPS 230 and CPS 234 are complementary standards, not substitutes. Specifically, CPS 234 governs information security. By contrast, CPS 230 governs operational risk, business continuity and service provider management more broadly. Because information security incidents are one source of operational risk, the two standards reinforce each other.

Many firms ask whether meeting one covers the other. However, it does not. You need both, and they should share governance, registers and controls wherever it makes sense. Here is how they compare.

DimensionCPS 230 (Operational Risk Management)CPS 234 (Information Security)
Primary focusOperational resilience: risk, continuity, service providersProtecting information and information assets from cyber and security threats
ScopeAll operational risk across people, process, systems and external eventsInformation security capability, controls, testing and incident response
Key requirementsManage operational risk, define critical operations, set tolerance levels, test continuity, manage material service providersMaintain security capability proportional to threats, implement controls, test controls, notify APRA of material incidents
Service providersRegister, due diligence and ongoing monitoring of material service providersInformation security expectations extend to third parties that manage your information assets
Where they overlapA cyber outage is an operational risk and a continuity eventA security breach can trigger CPS 230 continuity and incident obligations
RelationshipBroader operational resilience umbrellaSpecialist information security discipline within that umbrella

The practical takeaway: treat them as one connected resilience programme. A serious cyber incident is simultaneously a CPS 234 security matter and a CPS 230 continuity and operational risk event. If you would like a deeper look at the security side, see our APRA CPS 234 compliance guide and our detailed CPS 234 walkthrough.

Common CPS 230 compliance gaps

Most APRA-regulated entities had policies in place before CPS 230. Even so, the gaps tend to appear in execution, evidence and end-to-end thinking. Across our readiness reviews with regulated clients, these are the issues we see most often.

An incomplete or stale service provider register. Many firms have an outsourcing list, but it rarely captures every material service provider, including fourth parties and intra-group arrangements. The register must be complete, current and tied to the critical operations it supports.

Critical operations defined too narrowly. Some firms map systems rather than the end-to-end business processes that customers and the system rely on. CPS 230 expects you to think in terms of operations, such as processing payments or paying claims, not just the applications behind them.

Tolerance levels that are aspirational, not tested. Setting a recovery target is easy. Proving you can meet it under a severe but plausible scenario is harder. Untested or unrealistic tolerances are a frequent weakness.

Weak third-party monitoring after onboarding. Due diligence at the start is common. Ongoing monitoring, performance review and risk reassessment across the life of the contract are often thin or missing.

Unclear board and management accountability. CPS 230 expects clear ownership. When responsibility for operational risk and resilience is diffuse, evidence of effective governance is hard to produce.

Your APRA CPS 230 readiness roadmap

There is no shortcut to CPS 230 readiness, but the path is clear. Therefore, work through these steps in order, evidencing each one as you go. Ultimately, the aim is a programme you can demonstrate to APRA and, more importantly, one that genuinely strengthens resilience.

Step 1: Map your critical operations

Start by identifying the operations that matter most to your customers and to financial stability. Next, define them as end-to-end processes, then trace the people, systems, data and providers each one depends on. Importantly, this map underpins everything that follows.

Step 2: Set and document tolerance levels

For each critical operation, define how much disruption is acceptable. Express tolerances clearly, for example as maximum downtime and acceptable degraded service. Make sure the levels are realistic and approved at the right level of governance.

Step 3: Build and test your continuity plans

Develop business continuity plans that keep critical operations within tolerance. After that, test them against severe but plausible scenarios. Finally, capture results, address any failure to meet a tolerance, and repeat testing on a regular cycle.

Step 4: Complete your material service provider register

Identify every material service provider, record them in a register, and link each to the critical operations it supports. Review contracts for the required clauses, and stand up ongoing due diligence and monitoring, not just point-in-time checks.

Step 5: Strengthen operational risk management

Tie the above into a living operational risk framework: risk identification, control testing, incident and near-miss tracking, and remediation. Ensure roles, accountabilities and board reporting are clear and evidenced.

Step 6: Close the loop with assurance

Validate the programme through internal audit or independent review. Track remediation to completion, and report progress to the board. Treat CPS 230 as an ongoing discipline, not a one-off project.

For firms that lack in-house depth, a virtual CISO (vCISO) service or managed compliance support can carry much of this load while your team focuses on the business.

How CyberPulse helps

CyberPulse helps APRA-regulated entities meet CPS 230 with practical, evidence-based support. We map your critical operations, pressure-test your tolerance levels, build your material service provider register, and align your operational risk and continuity programmes to the standard. Where it overlaps with CPS 234, we join the dots so you run one coherent resilience programme rather than two disconnected ones.

Our team works the way your regulators and your board expect: clear documentation, testable controls, and assurance you can show. Whether you need a readiness assessment, ongoing managed compliance, or a vCISO to lead the programme, we tailor the support to your size and risk profile. Explore our cybersecurity for financial services capabilities to see how we work with banks, insurers and superannuation funds.

Ready to close your CPS 230 gaps with confidence? Get in touch with CyberPulse for a readiness conversation.

Frequently Asked Questions

When did APRA CPS 230 take effect?

APRA CPS 230 took effect on 1 July 2025. Some transitional arrangements apply, including time to align certain pre-existing service provider contracts and proportionate timing for some smaller entities. Confirm the exact transitional dates that apply to your firm against the current APRA standard.

What is the difference between CPS 230 and CPS 234?

CPS 234 governs information security: protecting information and information assets from cyber and security threats. CPS 230 governs operational risk more broadly, covering operational risk management, business continuity and service provider arrangements. They are complementary. A cyber incident is both a CPS 234 security matter and a CPS 230 continuity event.

Who does CPS 230 apply to?

CPS 230 applies to APRA-regulated entities. That includes ADIs such as banks, building societies and credit unions, general, life and private health insurers, and RSE (superannuation) licensees. If APRA regulates your entity for prudential purposes, you are very likely in scope and should be operating to the standard.

What is a material service provider under CPS 230?

A material service provider is a third party your firm relies on to deliver a critical operation, or one whose failure would have a significant impact on the firm. CPS 230 requires you to identify these providers, record them in a register, conduct due diligence, and monitor them on an ongoing basis throughout the relationship.

Does CPS 230 replace CPS 231 and CPS 232?

Yes. CPS 230 consolidates and replaces several older standards, including CPS 231 (Outsourcing) and CPS 232 (Business Continuity Management), along with their superannuation and private health equivalents, SPS 231 and SPS 232 (superannuation) and HPS 231 (private health insurance). Firms that built programmes around those legacy standards should map their existing controls to the broader, integrated requirements of CPS 230 rather than assuming the old documents still apply.

About the Author

CyberPulse is an Australian cyber security and compliance firm whose team includes former chief information security officers and experienced cyber risk practitioners. We work with APRA-regulated banks, insurers and superannuation funds to build evidence-based operational risk, business continuity and service provider programmes that meet standards such as CPS 230 and CPS 234.

External Resources