Final targeted amendments to CPS 230 Operational Risk Management

To: All APRA-regulated entities

APRA has finalised targeted amendments to prudential standard CPS 230, prudential practice guide CPG 230, and the corresponding Material Service Provider Register Template. The amendments introduce a limited exemption from specific contractual requirements in CPS 230 for material arrangements with certain categories of non-traditional service providers (NTSPs), like central banks and clearing and settlement facilities, where contractual compliance is not practicable.

APRA’s final amendments provide relief that is narrowly targeted, administratively efficient, and responds to industry concerns, while preserving the core objectives of CPS 230. A regulated entity will not need to comply with specified contractual requirements in CPS 230 for a material arrangement if:

  1. The arrangement is with a service provider that falls within a category listed in the Attachment to CPS 230 (including government agencies, regulators, central banks, financial market exchanges, operators of clearing and settlement facilities, operators of payment systems and schemes, and financial messaging infrastructures); and
  2. The arrangement uses standardised terms or is not documented in a formal agreement.

The exemption applies only to the specified CPS 230 contractual requirements. All other CPS 230 requirements continue to apply. These amendments do not reduce the expectation that regulated entities actively manage the operational risks arising from reliance on these service providers.

APRA has also made minor amendments to supporting guidance to clarify expectations for managing material arrangements with exempt service providers, and to enable entities to classify exempt arrangements in the Material Service Provider Register Template available on APRA’s website.

APRA will have the ability to grant exemptions for additional service providers by written notice where appropriate. Over time, as domestic and international operational resilience practices mature, APRA expects the scope of exemptions to narrow rather than expand.

APRA will periodically review the operation of these exemptions to ensure they remain appropriate and aligned with prudential objectives.

The amendments will come into effect on 1 July 2026.

If you have any questions about these changes, please contact your APRA supervisor or email PolicyDevelopment@apra.gov.au.

Yours sincerely,
Therese McCarthy Hockey
APRA Board Member 

Attachment A – Consultation summary and APRA’s response

Issue | Consultation feedback | APRA response
Issue: Exemption mechanism

Consultation feedback:

Most submissions expressed a preference for exemption by provider type, rather than APRA explicitly designating individual providers.

Submissions noted the risk of unintended consequences of certain providers being inappropriately included in or excluded from the list, likely creating a need for frequent updates.

There was general support for the second limb of the test for exemption. Specifically, entities would still be expected to have a CPS 230 compliant agreement for services where it is possible to have a bespoke contract.

APRA response: Revised proposal.

APRA will maintain a list of exempt service provider types with clear definitions in an attachment to CPS 230.

APRA agrees that exemption by service provider type is more efficient and easier to manage over time. APRA has worked closely with industry and peer regulators to better define the exempt categories, to establish a clear perimeter.

APRA will be able to adjust the list of exempt service providers over time and may provide additional exemptions on a case-by-case basis by written notice.

APRA will maintain the second limb of the test as proposed.

Issue: Categories of exempt providers

Consultation feedback:

Some submissions recommended including a broader set of exempt provider types (compared with the illustrative list included in consultation). For example: information technology and cloud infrastructure, communications providers, digital wallet providers, and ADIs and correspondent banks.

Submissions noted difficulties in negotiating bespoke terms and service level agreements, particularly with large and international service providers.

APRA response: Minor amendments.

APRA has made minor adjustments to the illustrative list we consulted on. The final list will be an attachment to CPS 230 and is an attachment to this letter.

APRA has refined how exempt categories are defined but has not materially changed the scope.

While APRA recognises that contract uplift has taken longer than expected with some types of service providers, the exemptions are reserved for types of provider where there is a universal contract gap and inability to negotiate bespoke terms.

APRA is seeing evidence locally that large regulated entities drive initial contractual uplift with service providers which then cascades to the broader industry. This is consistent with experience in other jurisdictions.

Issue: Scope of exemption

Consultation feedback:

Some submissions suggested expanding the scope of the exempt obligations. For example, relief from requirements relating to selection processes, due diligence, business continuity management, and risk identification and management in relation to material arrangements with exempt service providers.

Industry acknowledged the importance of strong risk management but noted that they could not always achieve the same standard for arrangements with exempt service providers.

APRA response: Minor clarification.

CPS 230 requires regulated entities to manage their operational risks. APRA recognises risk management may look different for arrangements with exempt service providers given information asymmetry, market dynamics and structure.

However, the standard is principles-based, allowing flexibility in implementation.

Updates to CPG 230 recognise that, for example, due diligence and selection processes may look different for an exempt service provider compared to other material service providers.

Issue: Standardised contract definition

Consultation feedback:

Some submissions noted that the proposed definition of ‘standardised contract’ risked creating unintended consequences and may lead to inconsistent application.

APRA response: Minor amendment.

APRA has clarified the standard to better reflect the intent of the exemption, which is to accommodate arrangements where there is an inability to negotiate.

Issue: Material service provider register

Consultation feedback:

Some submissions queried whether exempt providers need to be captured in a regulated entity’s material service provider register.

APRA response: Minor amendment.

APRA has made a very minor change to the material service provider register template so that entities can classify arrangements as exempt.

Issue: Interaction with CPS 234

Consultation feedback:

One submission suggested streamlining requirements of CPS 230 and CPS 234 Information Security to reduce duplication of third and fourth-party risk oversight, incident management and reporting.

APRA response: No change.

This initiative is intentionally targeted to address a specific issue. APRA will monitor how CPS 230 is operating over the next few years before considering further changes.

Issue: Key terms

Consultation feedback:

One submission suggested APRA clarify and/or streamline overlapping terms, including 'material arrangement', 'service provider agreement', 'formal agreement', 'service agreement' and 'outsourcing'.

APRA response: No change.

This initiative is intentionally targeted to address a specific issue. APRA will monitor how CPS 230 is operating over the next few years before considering further changes.

Issue: Force majeure obligation

Consultation feedback:

A couple of submissions argued that the force-majeure requirement in paragraph 54(f) of CPS 230 is impractical because service providers cannot guarantee uninterrupted performance during extraordinary events, and that it goes beyond expectations in foreign jurisdictions.

APRA response: No change.

Paragraph 54(f) (paragraph 53(f) in the updated standard) requires that a material service provider agreement “include a force majeure provision indicating those parts of the contract that would continue in the case of a force majeure event”.

The obligation is about contractual clarity, not a service‑level guarantee. It asks parties to specify which contractual obligations survive or continue during a force majeure event. Shared understanding is critical for managing operational disruptions.

Issue: Notifications

Consultation feedback:

One submission noted that the language in the guidance relating to notifications to APRA does not fully align to the prudential standard.

APRA response: Minor amendment.

APRA has amended Table 1 of CPG 230 to replicate the requirements of paragraph 59(a) (paragraph 60(a) in the updated standard) of CPS 230. The language is now fully aligned.

Attachment B – Exempt service provider list (CPS 230)

CPS 230 Attachment – Categories of exempt service providers

Category: Definition

Government agencies: Public sector bodies established to administer legislation or deliver public functions on behalf of government, including administrative or service delivery roles. This exemption does not extend to government business enterprises.

Regulators: Statutory authorities established under legislation to supervise, regulate or enforce compliance within the financial system.

Central banks: Public authorities responsible for monetary policy, financial system stability and operation of core infrastructure, including settlement, liquidity, banking services to government and financial institutions.

Financial market exchanges: Entities that are licensed market operators under Part 7.2 of the Corporations Act (Cth), and comparable overseas financial market exchanges subject to equivalent regulatory oversight, that provide a facility for the regular making or acceptance of offers to acquire or dispose of financial products.

Operators of clearing and settlement facilities: Entities that operate, or provide services through, a licensed clearing and settlement facility under Part 7.3 of the Corporations Act 2001 (Cth), and comparable overseas entities subject to equivalent regulatory oversight, including facilities that clear, net, novate, or settle transactions in financial products by interposing themselves between counterparties and managing counterparty, credit, liquidity, and settlement risk. This exemption extends to superannuation clearing houses listed on the Australian Tax Office’s SuperStream Product register.

Operators of payment systems and schemes: Non-sovereign organisations that operate, control, or govern a formally recognised payment system, scheme or infrastructure under an established regulatory oversight framework.

Financial messaging infrastructures: Infrastructures that provide secure, standardised messaging services to support exchange of payment, clearing, settlement instructions. This exemption extends to providers which operate a gateway to route SuperStream messages within the Superannuation Transaction Network and have signed an application under a Memorandum of Understanding with the Gateway Network Governance Body Ltd.
2026