APRA CPS 230 Checklist 2026: Your Step-by-Step Compliance Guide

Updated March 2026

Use this checklist to assess your entity's readiness for CPS 230. Each item maps to a specific requirement in the standard. Check off each item as you complete it.

Phase 1: Foundation (Complete by Q2 2025)

  1. Gap analysis completed — compared current CPS 231/232 compliance against CPS 230 requirements
  2. Board briefed — Board understands CPS 230 scope, timeline, and their oversight responsibilities
  3. Project team assigned — named CPS 230 implementation lead with adequate resources
  4. FAR accountability allocated — CPS 230 responsibilities mapped to accountable persons under FAR
  5. Budget approved — implementation budget covers technology, people, and external advisory if needed

Phase 2: Critical Operations (Complete by Q3 2025)

  1. Critical operations identified — all processes that, if disrupted beyond tolerance, would materially impact customers or the financial system
  2. Critical operations register created — documented register with each critical operation named and described
  3. Tolerance levels set for each critical operation:
    • ☐ Maximum disruption period (RTO)
    • ☐ Maximum acceptable data loss (RPO)
    • ☐ Minimum service levels during alternative arrangements
  4. Board approved tolerance levels — Board has formally approved all tolerance levels
  5. Minimum classifications verified:
    • ☐ ADIs: payments, deposit-taking, custody, settlements/clearing
    • ☐ Insurers: claims processing
    • ☐ Super: investment management, fund administration
    • ☐ All: customer enquiries and supporting systems

Phase 3: Business Continuity (Complete by Q4 2025 for SFIs, Q2 2026 for non-SFIs)

  1. BCP updated to CPS 230 requirements — includes critical operations register, tolerance levels, activation procedures
  2. Disruption triggers documented — events that activate the BCP clearly defined
  3. Actions to maintain tolerance levels documented — for each critical operation
  4. Execution risk assessed — resources, dependencies, and preparatory measures identified
  5. Communications strategy included — internal, external, regulator notification protocols
  6. Testing program designed:
    • ☐ Annual testing of all critical operations
    • ☐ Severe but plausible scenarios (including service provider disruption)
    • ☐ Results reported to Board
  7. APRA notification process documented:
    • ☐ 24-hour notification for disruptions outside tolerance
    • ☐ 72-hour notification for material operational risk incidents
    • ☐ Named responsible officer for notifications

Phase 4: Service Provider Management (Complete by Q4 2025)

  1. Material service providers identified — using CPS 230's broader definition (includes intra-group)
  2. Service provider management policy updated — Board-approved policy covering identification, monitoring, substitution, exit
  3. Due diligence completed — for each material service provider
  4. Agreements reviewed for each material provider:
    • ☐ Performance standards and SLAs
    • ☐ Audit and APRA access rights
    • ☐ Confidentiality and data security
    • ☐ Termination and transition provisions
    • ☐ Sub-contracting restrictions
  5. Fourth-party risk assessed — your providers' providers identified and risk-assessed
  6. Exit strategies documented — substitutability plans for each material provider
  7. Ongoing monitoring established — performance reporting to Board on material providers

Phase 5: Governance and Reporting (Ongoing)

  1. Board oversight framework established:
    • ☐ Regular reporting on tolerance compliance
    • ☐ Testing results and remediation tracking
    • ☐ Service provider risk reporting
    • ☐ Incident reporting and APRA notifications
  2. Internal audit program includes CPS 230 — periodic review of BCP, tolerance levels, and testing
  3. Annual BCP review process established — update for changes in structure, business, strategy, or risk
  4. CPS 220 RMF updated — operational risk management integrated with CPS 230 framework
  5. CPS 234 alignment checked — information security controls support critical operations
  6. FAR accountability statements updated — CPS 230 responsibilities reflected in FAR statements and map

Key Deadlines

This checklist is for informational purposes. Consult qualified compliance professionals for specific obligations. Download the full checklist from gocomply.com.au/resources.