Long in the offing, APRA CPS 230 compliance is now expected, with the operational risk management and resilience regulation having come into effect on 1 July 2025.
What are the major compliance expectations? Read on to find out.
APRA CPS 230: Operational Risk Management
A Prudential Standard developed by the Australian Prudential Regulation Authority (APRA), APRA CPS 230 has technically been around for a few years now. However, APRA gave regulated entities, including banks, insurers, superannuation funds, and others, until the middle of this year to get their compliance houses in order.
That 1 July deadline has now come and gone, meaning regulated entities will be expected to be fully compliant with the Operational Risk Management regulation.
And the standard doesn’t just place requirements on regulated entities. CPS 230 also mandates that regulated entities include specified provisions in their formal agreements with material service providers.
APRA CPS 230 compliance obligations
Fortunately, regulated entities have a transition period to uplift pre-existing contractual arrangements: existing agreements with material service providers must meet the new requirements from the earlier of the contract’s next renewal date or 1 July 2026. For the remaining compliance obligations, regulated entities aren’t so lucky. Those requirements entered into force on 1 July 2025.
What are some of the key obligations that changed for regulated entities? We recap them, here:
1. Critical operations and tolerance levels
APRA has used the new standard to firm up the operational resilience of its regulated entities. And so, CPS 230 goes beyond requiring entities to have a business continuity plan (BCP).
Instead, APRA has introduced two linked concepts. Critical operations are those processes undertaken by a regulated entity or its service provider which, if disrupted beyond tolerance levels, would have a material adverse impact on depositors, policyholders, beneficiaries or other customers, or on the entity’s role in the financial system. Tolerance levels are the board-approved limits on disruption for each critical operation, including the maximum period of time the entity would tolerate a disruption, the maximum extent of data loss it would accept, and the minimum service levels it would maintain.
Under the standard, entities are now required to notify APRA as soon as possible, and no later than 24 hours, after suffering a disruption to a critical operation outside of tolerance levels.
2. New operational risk management obligations
At its heart, CPS 230 is an operational risk management standard. It, therefore, puts the boards of APRA-regulated entities squarely on the hook for overseeing the operational risk management of their respective entities. So, what does that mean in practice?
Boards are now required to approve BCPs and tolerance levels, as well as service provider management policies (more on those later).
If that wasn’t enough, boards must also review the results of testing and oversee the implementation of any findings and remedial measures.
3. Introducing a new class of material service providers
Previous APRA standards, notably CPS 231 (Outsourcing) and CPS 232 (Business Continuity Management), which CPS 230 replaces, tackled “outsourcing” agreements with key third parties. APRA CPS 230 goes far further, though.
Indeed, the standard introduces a new class of “material service providers.” These are providers a regulated entity relies on to undertake a critical operation, or that expose the entity to material operational risk. A provider can be material on either ground, so the class extends beyond traditional outsourced functions to any party whose failure could push a critical operation past its tolerance levels.
To mitigate operational risk from these providers, APRA is now obligating entities to:
- Maintain a register of material service providers and submit it to APRA annually.
- Notify the regulator as soon as possible, and no later than 20 business days, after entering into or materially changing an agreement with a material service provider.
- Notify the regulator prior to entering into any material offshoring arrangement.
- Maintain a board-approved service provider management policy.
- Only rely on a service provider where the entity can ensure that, in doing so, it can continue to meet its own prudential obligations in full and effectively manage the associated risks.
Finally, CPS 230 is officially in force. And so, entities looking for digital technology tailor-made for compliance should consider operational resilience software.
Need a deeper dive into CPS 230 compliance obligations, particularly those due next July? Check out our Guide to APRA CPS 230 for more.