Consultation on targeted amendments to CPS 230 Operational Risk Management

To: All APRA-regulated entities
APRA is consulting on targeted amendments to Prudential Standard CPS 230 Operational Risk Management (CPS 230) to better accommodate regulated entities’ arrangements with non-traditional service providers (NTSPs).
Background
CPS 230 sets a range of obligations for regulated entities entering material arrangements with service providers. These obligations seek to ensure third parties manage risks in line with the entity’s risk appetite and include requirements relating to contract uplift and service level monitoring.
APRA recognises that entities have faced challenges in meeting some requirements when entering material arrangements with NTSPs. NTSPs are typically market-mandated providers, with engagements that are not established through standard procurement or contractual processes. These arrangements often use standardised contracts or are not subject to a formal agreement.
Proposals
APRA proposes to exempt certain material arrangements with NTSPs from the contractual and service level obligations outlined in paragraphs 54, 55, 56(d), 57, 58(a) and 58(c) of CPS 230. This exemption will apply only where:
- The arrangement is with a material service provider included in the new Attachment to CPS 230;
AND
- The arrangement utilises a standardised contract or is not subject to a formal agreement.
Exempt material arrangements with NTSPs will remain subject to other CPS 230 obligations, including continuity planning, ongoing monitoring and risk management. APRA intends to strictly limit the number of NTSPs included in the Attachment, and entities should continue to work proactively with service providers to achieve compliance wherever possible.
The draft amendments and preliminary Attachment are provided in Appendix A. Not all service providers included in the Attachment will be relevant or material to every industry or entity, and each entity should continue to assess, on an individual basis, whether an arrangement with a service provider is material to them.
These amendments aim to streamline processes for regulated entities and alleviate regulatory burden, while ensuring a practical prudential framework that enhances resilience across the financial system.
Next steps
APRA invites written submissions on the proposed amendments. In particular:
- Do the draft amendments adequately address the challenges regulated entities face when applying the CPS 230 contractual and service level obligations to material arrangements with NTSPs?
- What additional NTSP types or providers should be included in the new CPS 230 Attachment? For each additional type and provider, your submission should explain:
  - why your entity considers the provider to be material. Is it relied upon for the delivery of a critical operation, or does it expose the entity to material operational risk?
  - for material arrangements with this provider, what is the nature of each arrangement, and why is it not possible to maintain a formal agreement that meets the contractual and service level obligations contained in paragraphs 54, 55, 56(d), 57, 58(a) and 58(c) of CPS 230?
Submissions should be sent to PolicyDevelopment@apra.gov.au by 30 January 2026 and addressed to the General Manager, Policy and Frameworks. APRA may publish submissions on its website. If you wish your submission to remain confidential, please clearly indicate this when providing your response.
Subject to feedback, APRA expects to finalise the targeted changes before 1 July 2026.
Yours sincerely,
Therese McCarthy Hockey
APRA Board Member
Appendix A
CPS 230 amendments (paragraphs 58-59 only)
Service provider agreements
53. Before entering into or materially modifying a material arrangement, an APRA-regulated entity must:
- undertake appropriate due diligence, including an appropriate selection process and an assessment of the ability of the service provider to provide the service on an ongoing basis; and
- assess the financial and non-financial risks from reliance on the service provider, including risks associated with geographic location or concentration of the service provider(s) or parties the service provider relies on in providing the service.
54. For all material arrangements, an APRA-regulated entity must maintain a formal legally binding agreement (formal agreement). The formal agreement must, at a minimum:
- specify the services covered by the agreement and associated service levels;
- set out the rights, responsibilities and expectations of each party to the agreement, including in relation to the ownership of assets, ownership and control of data, dispute resolution, audit access, liability and indemnity;
- include provisions to ensure the ability of the entity to meet its legal and compliance obligations;
- require notification by the service provider of its use of other material service providers that it materially relies upon in providing the service to the APRA-regulated entity through sub-contracting or other arrangements;
- require the liability for any failure on the part of any sub-contractor to be the responsibility of the service provider;
- include a force majeure provision indicating those parts of the contract that would continue in the case of a force majeure event; and
- termination provisions including, but not limited to, the right to terminate both the arrangement in its entirety or parts of the arrangement. For an RSE licensee, termination provisions must include the ability for the RSE licensee to terminate the arrangement where to continue the arrangement would be inconsistent with the RSE licensee’s duty to act in the best financial interests of beneficiaries (refer to subsection 52(2)(c) of the SIS Act).
55. The formal agreement must also include provisions that:
- allow APRA access to documentation, data and any other information related to the provision of the service;
- allow APRA the right to conduct an on-site visit to the service provider; and
- ensure the service provider agrees not to impede APRA in fulfilling its duties as prudential regulator.
56. For each material arrangement an APRA-regulated entity must:
- identify and manage risks that could affect the ability of the service provider to provide the service on an ongoing basis;
- identify and manage risks to the APRA-regulated entity that could result from the arrangement, such as step-in risk or contagion risk;
- ensure it can execute its BCP if needed; and
- ensure it can conduct an orderly exit from the arrangement if needed.
57. APRA may require an APRA-regulated entity to review and make changes to a service provider arrangement where it identifies heightened prudential concerns.
58. The requirements of paragraphs 54, 55, 56(d), 57, 60(a) and 60(c) do not apply to any arrangement between an APRA-regulated entity and a non-traditional service provider identified in the Attachment, provided the arrangement:
- utilises a standardised contract; or
- is not subject to a formal agreement.
For this paragraph, ‘a standardised contract’ means a contract prepared by a non-traditional service provider identified in the Attachment and presented to an APRA-regulated entity to either accept or reject the terms and conditions of that contract without the ability of the APRA-regulated entity to negotiate, or amend, those terms and conditions.
59. APRA may adjust the list in the Attachment in relation to an APRA-regulated entity by written notice.
Monitoring, notifications and review
60. An APRA-regulated entity must monitor and ensure that senior management receive reporting on material arrangements commensurate with the nature and usage of the service. This monitoring must include a regular assessment of:
- performance under the service agreement with reference to agreed service levels;
- the effectiveness of controls to manage the risks associated with the use of the service provider; and
- compliance of both parties with the service provider agreement.
61. An APRA-regulated entity must notify APRA:
- as soon as possible and not more than 20 business days after entering into or materially changing an agreement for the provision of a service on which the entity relies to undertake a critical operation; and
- prior to entering into any material offshoring arrangement, or when there is a significant change proposed to the arrangement, including in circumstances where data or personnel relevant to the service being provided will be located offshore.
62. An APRA-regulated entity’s internal audit function must review any proposed material arrangement involving the outsourcing of a critical operation. The internal audit function must regularly report to the Board or Board Audit Committee on compliance of such arrangements with the entity’s service provider management policy.
Preliminary Attachment
| Type | Providers |
|---|---|
| Government agencies (including Central Banks) | |
| Stock exchanges | |
| Central clearing counterparty (CCP) & trade clearing services | |
| Settlement platforms | |
| Payment Schemes | |
The above list is not intended to be comprehensive and is provided as an indicative guide to the types of providers that may be included in the finalised amendments.