CPS 230 will disrupt vendor relationships for Australian financial institutions by giving APRA greater authority over service provider arrangements when prudential concerns are heightened. If you’re an APRA-regulated entity, this post will help you understand the requirements of CPS 230, how the new standards differ from SPS 231 and SPS 232, and how to achieve compliance standards by the full compliance deadline of 1 July 2025.
These changes are reflected across three categories - operational risk management, business continuity, and management of service provider arrangements.
Have the ability to maintain critical operations within tolerance levels throughout severe disruptions Have a service provider management policy in place for effectively managing risks associated with service providers.
CPS 230 broaden this scope to include all third and fourth-party providers supporting critical operations through their service and, therefore, exposing organisations to increased material operational risks.