Regulatory Monitor AU
prudential_regulation21 May 20264 min read

APRA finalises CPS 230 amendments: what changed in the operational risk standard and what it means for regulated entities

APRA finalised targeted amendments to CPS 230 Operational Risk Management on 30 April 2026, introducing limited contractual exemptions for certain non-traditional service providers such as central banks. Banks, insurers, and superannuation funds must review their Material Service Provider Registers

APRA finalised targeted amendments to CPS 230 Operational Risk Management on 30 April 2026, introducing limited exemptions from specific contractual requirements for certain categories of non-traditional service providers. The changes affect all APRA-regulated entities — banks, insurers, and superannuation funds — and are accompanied by updates to the prudential practice guide CPG 230 and the Material Service Provider Register template.

What are the CPS 230 amendments operational risk changes?

CPS 230 Operational Risk Management is the prudential standard that governs how APRA-regulated entities identify, assess, and manage operational risks — including the risks that arise when they rely on third parties to deliver critical services. Since CPS 230 came into force, entities have been required to meet specific contractual obligations when entering into material service provider arrangements.

The finalised amendments introduce limited exemptions from some of those contractual requirements. Critically, the exemptions apply only to arrangements with certain non-traditional service providers (NTSPs) — a category that, based on the source, includes entities such as central banks. The exemptions do not appear to apply broadly to all service provider relationships.

APRA has also updated the companion prudential practice guide CPG 230 and the Material Service Provider Register template to reflect the amended requirements.

Why does this matter for banks, insurers, and super funds?

Before these amendments, CPS 230 applied a largely uniform set of contractual requirements to all material service provider arrangements. In practice, this created friction for regulated entities that rely on certain non-traditional counterparties — such as central banks — which operate under their own statutory frameworks and are unlikely to agree to commercial contract terms designed for private-sector vendors.

The targeted amendments acknowledge that a one-size-fits-all approach is not always workable. By carving out limited exemptions for NTSPs, APRA is refining the standard rather than retreating from its intent: regulated entities must still manage operational risk rigorously; they simply have more flexibility in how they document and govern specific categories of arrangement.

For compliance and legal teams, the practical implication is that the scope of the Material Service Provider Register and the contractual checklist used to assess material arrangements will need to be reviewed against the updated standard and template.

Plain-English worked example

Consider Bank A, a mid-tier authorised deposit-taking institution that holds an exchange settlement account with the Reserve Bank of Australia — a central bank. Under the original CPS 230, Bank A's compliance team faced uncertainty about whether the standard's contractual requirements applied to that arrangement and, if so, how to satisfy them given the Reserve Bank's non-negotiable terms.

Under the finalised amendments, Bank A can assess whether the Reserve Bank falls within the NTSP exemption category. If it does, Bank A is relieved from the specific contractual requirements that would otherwise apply, while still being required to manage the operational risks associated with that arrangement under the broader CPS 230 framework. Bank A would document this assessment in its updated Material Service Provider Register using the revised template.

Checklist for affected firms

The following steps are relevant for compliance, risk, and legal teams at APRA-regulated entities following the finalised amendments:

  • Review the finalised CPS 230 amendments and updated CPG 230 to understand the precise scope of the NTSP exemptions (refer to the source for exact definitions and thresholds)
  • Audit your current Material Service Provider Register against the revised register template to identify any arrangements that may now qualify for an NTSP exemption
  • Assess each potentially exempt arrangement on its merits — the exemption is limited and category-specific, not a blanket carve-out
  • Update internal policies, procedures, and contract review frameworks to reflect the amended contractual requirements
  • Brief relevant stakeholders — including procurement, vendor management, and the board risk committee — on what has changed and what has not
  • Check the precise implementation timeline directly with APRA's published materials, as the exact commencement date is not specified in the cited source
  • Retain documentation of any exemption assessments in case of supervisory review

What you should do next

  • Access the finalised CPS 230 amendments, updated CPG 230, and revised Material Service Provider Register template directly from APRA's website (link in Sources below)
  • Confirm whether any of your current or proposed material service provider arrangements involve entities that fall within the NTSP categories identified in the amendments
  • Engage your legal advisers to review existing material service provider contracts in light of the amended contractual requirements
  • Update your operational risk management framework documentation to reflect the changes before any applicable commencement date (refer to the source for the exact date)
  • Consider whether the updated CPG 230 guidance changes how your entity approaches business continuity planning for NTSP arrangements

Sources

Quick facts

APRA finalised targeted amendments to CPS 230 Operational Risk Management on 30 April 2026, introducing limited exemptions from specific contractual requirements for certain non-traditional service providers (NTSPs), a category that includes entities such as central banks. The changes apply to all APRA-regulated entities — banks, insurers, and superannuation funds.

The CPS 230 amendments acknowledge that a one-size-fits-all approach to contractual requirements is not always workable. By carving out limited exemptions for NTSPs, APRA is refining the standard rather than retreating from its intent: regulated entities must still manage operational risk rigorously, with more flexibility only in how they document and govern specific categories of arrangement.

Under the finalised CPS 230 amendments, a regulated entity holding an exchange settlement account with the Reserve Bank of Australia can assess whether the Reserve Bank falls within the NTSP exemption category. If it does, the entity is relieved from specific contractual requirements while still required to manage associated operational risks under the broader CPS 230 framework, documenting the assessment in the revised Material Service Provider Register.

Following the CPS 230 amendments, compliance and legal teams must audit their Material Service Provider Register against the revised template, assess each potentially exempt arrangement on its merits, update internal policies and contract review frameworks, and retain documentation of any NTSP exemption assessments in case of supervisory review.

Written by the Regulatory Monitor AU AI research team and reviewed by a human editor before publication. Regulatory Monitor AU publishes informational commentary on Australian regulatory change; we do not provide legal, tax, or financial product advice.