
Australian Prudential Regulation Authority (APRA) CPS 230: Highlights and Third-Party Requirements


Even though Australia has several regulatory bodies, such as the Australian Securities and Investments Commission (ASIC) and the Office of the Australian Information Commissioner (OAIC), only one regulator, the Australian Prudential Regulation Authority (APRA), has developed a series of prudential standards that explicitly set out requirements for an organisation’s management of third parties.

There are two current standards, and one upcoming standard, from APRA on third-party relationships to understand:

  1. The Prudential Standard on Outsourcing (CPS 231) – Originally issued in 2017, this was the first standard to specifically address managing the risks associated with third-party relationships. Many of its requirements are also accepted best practices, such as conducting risk assessments, performing due diligence, formalising legal agreements, and ensuring appropriate monitoring of the relationship. It also requires organisations to notify APRA before entering any material relationship and to formally consult with APRA before entering into a material relationship with a provider that conducts business outside of Australia.
  2. The Prudential Standard on Information Security (CPS 234) – This 2019 standard sets the expectation that organisations be resilient against information security incidents (including cyberattacks) by maintaining an information security capability commensurate with their information security vulnerabilities and threats. The standard explicitly covers the protection of data managed by third parties, so third-party risk assessment, due diligence, and control testing are crucial for compliance.
  3. Operational Management for Financial Institutions (CPS 230) – As APRA intensifies its focus on operational management and resilience, CPS 231 will be replaced by this new standard, effective July 2025. The new standard broadens APRA's oversight: it covers not only outsourcing but also the organisation’s arrangements with all material service providers (MSPs), meaning the providers an organisation relies on for critical operations or that pose a significant operational risk to the organisation.

How Organisations Can Comply With Third-Party Requirements in APRA CPS 230

The new standard clarifies and expands the requirements for outsourcing as part of the overall approach to strengthening operational management. To assist APRA-regulated entities, the agency published the Prudential Practice Guide: Draft CPS 230 Operational Management. The guide provides APRA’s detailed view of sound third-party risk management (TPRM) practices and adds clarifying information for each requirement.

While CPS 230 Operational Management builds on the requirements of its predecessor, it keeps a keen focus on MSPs and the management of those third-party relationships. To ensure compliance and maintain effective third-party risk management, APRA-regulated entities must understand the definition of, and the requirements for, MSPs under CPS 230.


Let’s cover 7 key highlights for CPS 230 compliance:

  1. Define material service providers – First, it’s crucial to understand how APRA’s CPS 230 defines material service providers:
    • A service provider is considered “material” when an organisation relies on it for a critical operation or when the service provider exposes the organisation to significant operational risk.
    • Particular providers are automatically deemed material, such as those involved in credit assessment, funding and liquidity management, and mortgage brokerage for authorised deposit-taking institutions (ADIs).

    APRA lists the following services as those typically provided by MSPs: risk management, core technology services, internal audit, credit assessment, funding and liquidity management, mortgage brokerage, underwriting, claims management, insurance brokerage, reinsurance, fund administration, custodial services, investment management, arrangements with promoters, and financial planners.

    However, organisations shouldn’t rely solely on APRA’s list of MSP services. Instead, APRA expects a responsible entity to evaluate all service providers against specific criteria to identify which are material under the CPS 230 definition. The criteria consider:
    • Whether the service supports a critical business operation
    • The totality of services provided by the service provider
    • The nature of the services and whether they expose the organisation to material operational risk, including cyber risk or mis-selling risk, or the impact if the service or service provider is compromised operationally, financially, or reputationally
    • The degree of difficulty in exiting the arrangement and transitioning delivery of the services to another service provider or bringing them in-house
    • Whether the service involves sensitive or critical information assets, as classified by the organisation for the purposes of CPS 234, including, for example, the consequences of a data breach
  2. Create a service provider policy – APRA expects organisations to have a policy in place that covers how MSPs and their risks will be identified and managed. The policy should include how the organisation will begin, monitor, and exit the relationship with the MSP. It should also address fourth-party risks. Other best practices for a service provider policy include identifying roles and responsibilities, outlining the due diligence process, and including an issue management process. 
  3. Set and maintain contracts – Each material arrangement should have a contract in place. It should cover the rights, responsibilities, and expectations of each party, including compliance provisions, data breach notification obligations, and the right to terminate. A service level agreement (SLA) should specify the metrics used to measure the service provider’s performance.
  4. Manage material arrangements – A material arrangement is one where an organisation relies on it for a critical operation or where it exposes the organisation to material operational risk. Entities must identify and manage risks associated with material arrangements. This includes performing due diligence and risk assessments before entering into or modifying material arrangements. 

    Pro Tip: For material service providers, organisations should request documents like a SOC report, business continuity and disaster recovery plan, and a financial review. Be sure to document the due diligence process, as this can be helpful to provide to regulators. 
  5. Identify fourth parties – Fourth parties are relied upon by service providers to deliver services to an APRA-regulated entity (essentially, suppliers of the supplier). Organisations should identify and focus on fourth parties that are essential for delivering material services.
  6. Register all material service providers and notify APRA – APRA requires a current register of all MSPs to be submitted to it annually. Organisations should maintain a complete list of service providers and services, with material providers clearly identified. The standard also requires organisations to notify APRA of agreements supporting critical operations, material offshore arrangements, and any significant changes.
  7. Continuously manage service providers – While the new standard places an emphasis on MSPs, it also calls out requirements for managing relationships with service providers throughout the lifetime of the relationship. Material arrangements should be regularly monitored and reported to senior management. 

CPS 230 demonstrates the significant evolution of Australia’s regulatory expectations for managing third-party risk. The new focus extends beyond basic third-party risk management of only the most material relationships: it aims to hold organisations accountable for managing the risks of all third-party relationships, including their information security practices and protections, as well as business continuity and resilience.

CPS 230 will be implemented in July 2025, and it's important for Australian organisations overseen by APRA to fully understand its requirements and start preparing for its implementation well in advance. This will enable organisations to identify any gaps in current practices and make the necessary changes to comply with the new requirements. 
