APRA Prudential Standards Explained: A Plain-English Guide

Updated March 2026 | 12 min read | By GoComply

APRA (the Australian Prudential Regulation Authority) issues prudential standards that are legally binding on all regulated financial institutions. If you're new to APRA compliance — or need a refresher on how the standards fit together — this guide explains the framework in plain English.

Ask any question about APRA standards in the GoComply AI chatbot — it covers every current CPS, SPS, and guidance note with clause references.

How APRA Standards Are Organised

APRA standards use a prefix system that tells you which industry they apply to:

CPS (Cross-industry Prudential Standards) — apply to ALL APRA-regulated entities: ADIs, insurers, and super funds
APS (ADI Prudential Standards) — apply only to banks, building societies, and credit unions
GPS (General Insurance Prudential Standards) — apply only to general insurers
LPS (Life Insurance Prudential Standards) — apply only to life insurers
HPS (Private Health Insurance Prudential Standards) — apply only to private health insurers
SPS (Superannuation Prudential Standards) — apply only to RSE licensees (super fund trustees)
CPG/APG/GPG/SPG/LPG — Guidance notes (not legally binding, but APRA expects compliance)

The Core Cross-Industry Standards (CPS)

CPS 230 — Operational Risk Management

The biggest standard change in a decade. Requires critical operations registers, tolerance levels, BCP testing, and comprehensive service provider management. Replaced CPS 231 and CPS 232. Read our full CPS 230 guide.

CPS 234 — Information Security

Requires information security capability proportionate to threats, defined roles and responsibilities, control testing programs, and 72-hour incident notification to APRA. The standard behind the Medibank $250M capital charge.

CPS 220 — Risk Management

Requires a board-approved Risk Management Framework (RMF) including risk appetite statement, risk management strategy, three lines of defence, stress testing, and independent risk function (CRO).

CPS 510 — Governance

Sets board composition requirements (majority independent, separate chair/CEO), mandatory committees (audit, risk, remuneration), fit and proper requirements, and senior management structure (CEO, CFO, CRO, head of internal audit).

CPS 511 — Remuneration

Requires remuneration frameworks aligned with risk management. SFIs must defer 60% of senior manager variable pay for 4+ years with clawback provisions. Effective January 2024 for SFIs, January 2026 for others.

CPS 226 — Non-Centrally Cleared Derivatives

Requires daily variation margin exchange, initial margin for inter-financial institution trades, eligible collateral with haircuts, and ISDA documentation for all OTC derivatives.

What Makes an Entity "Significant" (SFI)?

APRA designates entities as Significant Financial Institutions based on size:

ADIs: $20 billion+ total assets (CBA, Westpac, NAB, ANZ, Macquarie, etc.)
Insurers: $10 billion+ total assets
Super funds: $30 billion+ total assets under management (AustralianSuper, ART, Aware, etc.)

SFIs face enhanced requirements under CPS 230, CPS 510, CPS 511, and FAR — including earlier compliance deadlines and stricter governance expectations.

How Standards Evolve

APRA regularly updates its prudential framework. Key recent changes:

CPS 231 + CPS 232 merged into CPS 230 (2025) — operational resilience consolidated
BEAR replaced by FAR (2024) — individual accountability extended to all industries
CPS 511 introduced (2024) — comprehensive remuneration standard replacing CPS 510 remuneration provisions
CPS 235 (Data Risk) proposed — consultation on data governance requirements

APRA's Enforcement Toolkit

APRA has broad enforcement powers under the Banking Act 1959, Insurance Act 1973, and SIS Act 1993:

Directions — require specific actions (hold more capital, remove directors, restrict dividends)
Capital charges — additional capital requirements for compliance failures ($250M Medibank, $50M Bendigo)
Licence conditions — restrict business activities
Investigations — formal investigations with compulsory information powers
Statutory management — APRA takes control of the entity's business
Disqualification — ban individuals from holding roles in regulated entities (via FAR)

Get answers about any APRA standard

GoComply's AI chatbot covers every CPS, SPS, and guidance note with clause references and practical implications.

Try free — no login required

This guide is for informational purposes. Consult qualified compliance professionals for specific obligations. GoComply AI chatbot covers all APRA standards.