CPS 230 and material service providers: what you need to do before 1 July 2026

Key Takeaways

  • The transition deadline for pre-existing service provider contracts under CPS 230 is the earlier of the next renewal date or 1 July 2026.

  • APRA finalised targeted amendments on 30 April 2026, introducing a limited exemption from certain contractual requirements for arrangements with non-traditional service providers such as central banks, payment schemes and clearing facilities.

  • The exemption applies only where the arrangement is with an exempt category provider and uses standardised terms or has no formal agreement. All other CPS 230 obligations, including the register, risk management and business continuity planning, still apply.

  • APRA-regulated institutions should focus on completing contract uplift, documenting any reliance on the new exemption, and ensuring alignment between contracts, the register and business continuity planning before the deadline.

The deadline

CPS 230 is APRA's operational risk and resilience standard for all APRA-regulated entities. Since its commencement on 1 July 2025, one of the main implementation challenges for in-house legal, compliance and risk teams has been the management of service provider arrangements.

If your material service provider contracts haven’t been uplifted by 1 July 2026, you’re out of time.

While CPS 230 commenced on 1 July 2025, APRA allowed a transition period for pre-existing contractual arrangements. For those arrangements, the service provider requirements apply from the earlier of the next renewal date of the contract or 1 July 2026.

In practical terms, institutions can no longer rely on legacy contracting cycles to defer remediation. Any material arrangement that has not already been uplifted, reassessed or documented for exemption needs to be dealt with before 1 July.

Who counts as a material service provider?

A provider is material if the institution relies on it to undertake a critical operation, or if the arrangement exposes the institution to material operational risk. CPS 230 also provides a minimum list of providers that must be treated as material unless there is a documented basis for a different conclusion. For all APRA-regulated entities, that includes providers of risk management, core technology services and internal audit. For ADIs, it also includes credit assessment, funding and liquidity management, and mortgage brokerage.

The more difficult classification issues tend to arise in less obvious arrangements — providers that support a critical operation indirectly, hold sensitive data, create concentration risk, or introduce dependence on significant fourth parties. In practical terms, if disruption of the arrangement would materially affect the institution's ability to keep a critical operation within tolerance, that is a strong indicator that the provider should be assessed as material.

The April 2026 amendments

On 30 April 2026, APRA finalised targeted amendments to CPS 230, CPG 230 and the material service provider register template. The changes followed a consultation in December 2025 and responded to a specific implementation problem: arrangements with counterparties where bespoke contractual terms are unavailable or not realistically negotiable. Examples include central banks, payment schemes, clearing and settlement facilities, exchanges and regulators. Institutions may rely on these providers for critical services, but have limited or no ability to negotiate the contractual protections otherwise required by CPS 230.

How the exemption works

The amendments introduce new paragraph 57, which provides that an APRA-regulated entity need not comply with specified contractual requirements for a material arrangement if two conditions are met:

  • the arrangement is with a service provider that falls within a category listed in the Attachment to CPS 230; and

  • the arrangement uses standardised terms or is not documented in a formal agreement.

“Standardised terms” means terms prepared by the service provider where the regulated entity has no, or substantially no, ability to negotiate or amend rights and obligations relating to matters covered by CPS 230.

The contractual requirements that are disapplied are:

  • paragraph 53 — the requirement for a formal agreement with specified minimum content (service levels, rights and responsibilities, compliance provisions, fourth-party notification, subcontractor liability, force majeure and termination);

  • paragraph 54 — provisions for APRA access, on-site visits and non-impediment of APRA;

  • paragraph 55(d) — the requirement to ensure that a regulated entity can make an orderly exit from the arrangement;

  • paragraph 59(a) — monitoring of performance against agreed service levels; and

  • paragraph 59(c) — monitoring compliance of both parties with the service provider agreement.

The seven exempt categories

The Attachment to CPS 230 lists the following categories of exempt service providers:

  1. Government agencies — public sector bodies established to administer legislation or deliver public functions (excluding government business enterprises).

  2. Regulators — statutory authorities established to supervise, regulate or enforce compliance within the financial system.

  3. Central banks — authorities responsible for monetary policy, financial system stability and operation of core infrastructure including settlement, liquidity and banking services.

  4. Financial market exchanges — licensed market operators under Part 7.2 of the Corporations Act 2001 (Cth) and comparable overseas exchanges.

  5. Operators of clearing and settlement facilities — entities operating licensed clearing and settlement facilities under Part 7.3 of the Corporations Act and comparable overseas entities, including superannuation clearing houses.

  6. Operators of payment systems and schemes — non-sovereign organisations that operate or govern a formally recognised payment system, scheme or infrastructure.

  7. Financial messaging infrastructures — infrastructures providing secure, standardised messaging services for payment, clearing and settlement instructions, including SuperStream gateway operators.

APRA may grant additional exemptions on a case-by-case basis by written notice (paragraph 58).

What the exemption does not cover

The exemption is narrow and does not create a broader carve-out from CPS 230.

Even for exempt arrangements, institutions must still:

  • include the arrangement in the material service provider register;

  • assess whether the arrangement is material and manage the associated risks;

  • reflect the arrangement in business continuity planning;

  • conduct due diligence (though APRA acknowledges this may look different for exempt providers); and

  • notify APRA of relevant matters, including entering into or materially changing agreements for critical operations.

What should you do?

With less than six weeks until the deadline, the priorities are:

  1. Complete the contract uplift. Identify any material arrangements that have not been remediated. Focus first on arrangements supporting critical operations.

  2. Assess the new exemption. Where an arrangement may qualify, document the basis carefully — which exempt category, whether the terms are genuinely standardised, and which specific paragraphs you are relying on the exemption for.

  3. Update the register. APRA has updated the material service provider register template to accommodate exempt arrangements. The register should identify the material arrangement, the critical operation or material risk it supports, the responsible business owner, and any significant fourth-party dependencies.

  4. Check BCP integration. Ensure material arrangements — including exempt ones — are reflected in business continuity planning, including tolerance levels, alternative arrangements and testing scenarios.

  5. Report to the board. Board reporting should identify which arrangements have been uplifted, which still require remediation, where exemptions are being relied on, and what residual risks remain.

A note for service providers

Although CPS 230 imposes obligations on APRA-regulated entities, service providers are feeling the effects directly. If you provide services to banks, insurers or superannuation funds, you will likely have received contract uplift requests covering CPS 230-specific provisions on service levels, APRA access, subcontracting notifications, termination rights and force majeure.

Most service providers dealing with multiple APRA-regulated entity clients will by now have developed a standard position on these requirements. As the 1 July 2026 deadline approaches, it is worth reviewing that position to ensure it remains current, particularly in light of the April 2026 amendments and the new exempt provider categories. You should also expect ongoing due diligence inquiries, requests for information for your clients' material service provider registers, and questions about your own business continuity arrangements and fourth-party dependencies.

Looking ahead

The April 2026 amendments are most relevant for institutions that depend on market infrastructure or public sector counterparties and cannot negotiate bespoke CPS 230 terms. They do not change the broader responsibility to manage operational risk arising from service provider dependence.

Before 1 July 2026, the priority is to ensure that contracts, registers, governance and business continuity planning are aligned. Where those elements are not aligned, that is likely to indicate a broader implementation gap rather than a narrow contracting issue.

Contact us if you need advice on CPS 230 implementation or service provider contracts.