CPS 230 Service Provider Management: The July 2026 Deadline Non-SFIs Cannot Miss
APRA's CPS 230 (Operational Risk Management) came into effect on 1 July 2025 for SFI entities, but the service provider transition provisions give non-SFI entities until 1 July 2026 to bring existing material service provider arrangements into full compliance. That deadline is now four months away.
This guide covers what CPS 230 requires for material service provider management, what the July 2026 transition means in practice, and a step-by-step approach to getting compliant.
What CPS 230 Requires for Service Providers
CPS 230 replaces the previous CPS 231 (Outsourcing) and CPS 232 (Business Continuity Management) with a single, more comprehensive standard. The service provider provisions in Part E (Paragraphs 47-66) are significantly more prescriptive than CPS 231.
Material Service Provider Definition
Under CPS 230, a material service provider is any provider (including intra-group entities) whose failure or disruption could:
- Have a material impact on the entity's financial position or business operations
- Materially affect the entity's ability to manage risk effectively
- Result in significant harm to beneficiaries, policyholders, or depositors
- Compromise the entity's compliance with legal or prudential requirements
This is broader than CPS 231's "material outsourcing" concept. It captures arrangements that may not traditionally be considered outsourcing, including cloud infrastructure, data services, market data feeds, and critical technology platforms.
The Service Provider Register
Entities must maintain a comprehensive register of all material service providers (Paragraph 48). The register must include:
- Description of the service and the business operations it supports
- Whether the service supports a critical operation
- Location of data storage and processing
- Substitutability assessment (how easily the provider could be replaced)
- Sub-contracting and fourth-party dependencies
- Date of last risk assessment
Contractual Requirements: The Core of the July 2026 Deadline
The contractual requirements in Paragraphs 54-66 are where most non-SFI entities face the biggest compliance gap. Every material service provider contract must include:
| Requirement | CPS 230 Reference | What It Means |
|---|---|---|
| Service levels and performance standards | Para 55 | Measurable SLAs aligned to tolerance levels for critical operations |
| Audit and inspection rights | Para 57 | Entity and APRA must have rights to audit the provider, including on-site |
| APRA access rights | Para 58 | Contract must grant APRA direct access to the provider for examination |
| Data and information rights | Para 59 | Right to access, retrieve, and transfer data at any time |
| Business continuity obligations | Para 60 | Provider must maintain BCP and participate in entity's testing |
| Notification obligations | Para 61 | Provider must promptly notify of incidents, material changes, or sub-contracting |
| Transition and exit provisions | Para 62 | Clear termination rights and transition assistance obligations |
| Sub-contracting controls | Para 63 | Prior approval for material sub-contracting, including fourth-party oversight |
| Data location requirements | Para 64 | Controls on where data is stored and processed, with notification of changes |
Fourth-Party Risk: The Hidden Compliance Challenge
CPS 230 introduces explicit requirements for managing fourth-party risk - the risk that your service provider's own suppliers could disrupt your operations. This was a known blind spot in the CPS 231 framework.
Under Paragraph 63, entities must:
- Identify material sub-contractors used by each material service provider
- Assess concentration risk across the supply chain (e.g., multiple providers using the same cloud region)
- Require prior approval for changes to material sub-contracting arrangements
- Ensure equivalent controls are applied to fourth parties as to direct providers
In practice, this means you need visibility into your providers' supply chains. If your core banking platform runs on AWS, and your payments processor also runs on AWS ap-southeast-2, that's a concentration risk your board needs to understand and accept.
APRA Notification Requirements
CPS 230 requires entities to notify APRA before entering into, or materially changing, any material service provider arrangement that supports a critical operation (Paragraph 50). The notification must include:
- A description of the arrangement and the critical operation it supports
- The risk assessment conducted
- How the arrangement will meet the CPS 230 contractual requirements
- Transition and exit planning
This is a pre-notification requirement - APRA expects to be informed before the arrangement is finalised, not after.
Interaction with CPG 230 Guidance
APRA's CPG 230 (the practice guide) provides additional detail on what "good practice" looks like for service provider management. Key CPG 230 expectations include:
- Tiered oversight: More intensive monitoring for providers supporting critical operations
- On-site assessments: Periodic on-site reviews for critical service providers
- Scenario testing: Including provider failure scenarios in BCP testing
- Board reporting: Regular reporting to the board on material service provider risk
- Lessons learned: Incorporating service provider incidents into the operational risk framework
The Transition Timeline: What Needs to Happen by July 2026
For non-SFI entities, the practical timeline looks like this:
| Phase | Timeframe | Actions |
|---|---|---|
| Inventory | Now (if not done) | Identify all material service providers; build the register |
| Gap analysis | March-April 2026 | Compare existing contracts against CPS 230 Para 54-66 requirements |
| Prioritise | April 2026 | Focus on providers supporting critical operations first |
| Negotiate | April-June 2026 | Renegotiate contracts to include missing provisions (APRA access, BCP testing, sub-contracting controls) |
| Fourth-party mapping | May-June 2026 | Map sub-contractor dependencies and assess concentration risk |
| Board sign-off | June 2026 | Board approval of updated service provider policy and risk appetite |
| Compliance | 1 July 2026 | All existing material arrangements must comply |
What APRA Is Looking For
Based on APRA's 2025-26 Corporate Plan and supervisory communications, APRA is particularly focused on:
- Critical operation mapping: Can you demonstrate which service providers support which critical operations?
- Tolerance level alignment: Are service provider SLAs aligned to your tolerance levels for critical operations?
- Substitutability: Have you assessed how quickly you could replace each material provider?
- Testing: Have you tested your ability to operate if a material provider fails?
- Concentration risk: Do you understand where multiple providers depend on the same fourth parties?
APRA has indicated it will begin supervisory reviews of CPS 230 service provider arrangements from late 2026, with a focus on entities that show limited progress.
Common Pitfalls
1. Treating this as a procurement exercise
CPS 230 service provider management is a risk management obligation, not a procurement function. The board and senior management must own the risk assessment and oversight framework. Delegating this entirely to procurement will not satisfy APRA.
2. Ignoring intra-group providers
CPS 230 explicitly includes intra-group service providers. If your IT is provided by a parent company or shared services entity, that arrangement needs the same contractual protections and oversight as an external provider.
3. Assuming existing contracts are sufficient
Most pre-CPS 230 contracts lack the APRA access rights, BCP testing participation requirements, and fourth-party controls that CPS 230 mandates. A systematic gap analysis is essential.
4. Underestimating negotiation timelines
Large technology vendors (particularly global cloud and core banking providers) have long contract amendment cycles. Starting negotiations in June 2026 for a July 2026 deadline is not viable. Start now.
How GoComply Helps
GoComply's AI compliance chatbot covers every paragraph of CPS 230 and CPG 230, with clause-level citations. Your compliance team can instantly research questions like:
- "What are the CPS 230 contractual requirements for material service providers?"
- "What must an entity notify APRA about before entering a material service provider arrangement?"
- "How does CPS 230 handle fourth-party and sub-contracting risk?"
- "What are the CPG 230 expectations for service provider BCP testing?"
With 2,000 compliance rules across 200+ Australian regulatory sources, GoComply eliminates the hours spent manually searching APRA handbooks.
Key Takeaways
- The July 2026 deadline is real and immovable. Non-SFI entities have four months to bring all existing material service provider contracts into CPS 230 compliance.
- Contract gaps are almost certain. APRA access rights, BCP testing participation, and fourth-party controls are rarely in pre-2025 contracts.
- Fourth-party risk is the new frontier. CPS 230 requires visibility into your providers' supply chains - something most entities have never systematically assessed.
- Start with critical operations. Prioritise providers that support critical operations, as these face the most intense APRA scrutiny.
- This is a board-level issue. APRA expects board oversight of material service provider risk, not just operational management.