APRA CPS 230 Operational Risk: A Compliance Guide for Service Providers

Key Takeaways

  • Contractual Flow-Down Obligations: You must prepare for APRA-regulated entities to enforce CPS 230 compliance through legally binding service agreements, meaning you must meet strict operational resilience standards to maintain your banking partnerships.
  • Strict Business Continuity Alignment: You must develop and regularly test a credible Business Continuity Plan (BCP) that directly aligns with your bank partners’ Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) to prove you can sustain services during severe disruptions.
  • Rapid Incident Notification: You must implement systems to report material incidents to your bank partners within hours to satisfy their strict 24-hour and 72-hour APRA notification rules, as delays will cause your partners to breach their regulatory deadlines.
  • Fourth-Party Risk and Step-In Rights: You must actively manage the resilience of your own subcontractors and legally facilitate “step-in rights” that allow banks to take temporary control of your infrastructure during a catastrophic failure.

Introduction

The Australian Prudential Regulation Authority’s (APRA) Prudential Standard CPS 230 Operational Risk Management (CPS 230), effective 1 July 2025, introduces a significant shift in regulatory oversight for the financial services industry, a change that calls for expert guidance from financial services lawyers. While this standard directly applies to APRA-regulated entities like banks, insurers, and superannuation funds, its impact extends to the entire ecosystem of technology vendors and service providers that support them.

Even if your fintech is not directly regulated, your bank partners are now legally required to enforce CPS 230 compliance standards upon their material service providers through contractual agreements. This guide provides essential information for service providers on navigating these new obligations, ensuring you can meet the heightened expectations for operational resilience, business continuity, and risk management that are now table stakes for selling into the financial sector.

Understanding Your Role Under APRA CPS 230

What Is a Material Service Provider & Why Your Fintech Is in Scope

Under CPS 230, a service provider is considered a Material Service Provider (MSP) if an APRA-regulated entity relies on it to perform a critical operation or if the arrangement exposes the entity to significant operational risk. Importantly, this classification is not based on the size of your fintech, but on the importance of the service you provide.

A critical operation is a process that, if disrupted, would materially and adversely affect a bank’s customers, its beneficiaries, or its role within the financial system. For banking institutions, APRA has specified that core functions are presumptively critical, including:

  • Payments processing and settlements
  • Deposit-taking and management
  • Clearing and custody services
  • Credit assessment and risk management

If your fintech provides payment platforms, Banking-as-a-Service (BaaS) solutions, or specialised SaaS for functions like fraud detection or KYC/AML screening, your services directly support these critical operations. Consequently, your business is almost certainly considered an MSP, placing you within the scope of CPS 230 compliance, even if you are not directly regulated by APRA.

The Contractual Flow-Down: How Banks Enforce Compliance

While the legal responsibility for CPS 230 compliance rests with APRA-regulated entities, the standard’s requirements are extended to fintechs through a process of contractual flow-down. This serves as the primary mechanism through which banks enforce regulatory standards on their service providers, creating a form of indirect or “shadow” regulation.

APRA-regulated entities are required to have formal, legally binding agreements with their MSPs that ensure the provider’s services meet the resilience standards mandated by CPS 230. To avoid their own non-compliance penalties, banks will pass these obligations on to you through new or updated service agreements.

As a result of this contractual ripple effect, your fintech will face requests to uplift existing agreements to include specific clauses covering:

  • Operational resilience
  • Timely incident notification
  • Comprehensive audit rights
  • Strict subcontractor oversight

Core CPS 230 Compliance Pillars for Your Fintech

Business Continuity Planning & Demonstrating Resilience

Under CPS 230, your fintech must develop and maintain a credible Business Continuity Plan (BCP) as part of its obligations for effective risk management.

This plan is essential for demonstrating to your APRA-regulated partners that you can sustain your critical operations through a severe disruption. Consequently, the BCP must be directly aligned with the tolerance levels set by your banking clients for their own critical operations.

A core part of this alignment involves defining and adhering to specific metrics that quantify acceptable disruption, which include:

  • Recovery Time Objectives (RTOs): The maximum acceptable time your service can be unavailable before it must be restored.
  • Recovery Point Objectives (RPOs): The maximum amount of data loss that is tolerable, measured in time, such as 15 minutes of transaction data.

To be considered credible by APRA and your partners, your BCP must be more than a document; it needs to be a tested, actionable framework.

This involves regularly testing the plan against “severe but plausible scenarios,” such as a regional cloud provider outage or a significant cyber-attack.

Additionally, as a service provider, you will be expected to participate in joint resilience drills with your bank partners to validate that your recovery procedures are effective and coordinated.

Managing Service Provider Arrangements & Fourth-Party Risk

CPS 230 requires fintechs acting as an MSP to have their own comprehensive service provider management policy.

This policy must clearly outline how you manage the risks associated with your vendors. A significant focus of the standard is on managing “fourth-party risk,” which refers to the risks introduced by the suppliers your service depends on.

For most payment fintechs, these fourth parties include critical infrastructure and software providers. Common examples include:

  • Cloud hosting providers like Amazon Web Services (AWS) or Microsoft Azure.
  • DNS and security services such as Cloudflare.
  • Other SaaS products that are integral to delivering your service.

Your bank partners are required to have visibility into these dependencies and will expect you to manage them with the same level of diligence they apply to you.

Because you are responsible for the failures of your subcontractors, you must take the following actions:

  • Conduct thorough due diligence on your vendors.
  • Understand their resilience capabilities.
  • Have robust contingency plans in place for their potential failure.

Navigating New Contractual Requirements & Step-In Rights

Your agreements with APRA-regulated entities will now include mandatory clauses to ensure CPS 230 compliance.

These legally binding terms move beyond simple commercial arrangements to enforce regulatory-driven resilience. As a result, key contractual changes will include highly specific Service Level Agreements (SLAs) and provisions for “step-in” rights.

SLAs must now provide legally binding assurance that you can maintain service uptime and performance in line with the bank’s tolerance levels.

This often means guaranteeing availability levels such as 99.99% and specifying clear remedies for breaches. Furthermore, contracts will also grant both the bank and APRA the right to conduct audits and investigations into your operations, data, and controls to verify compliance.

A significant new requirement is the inclusion of “step-in rights.” These contractual provisions allow a bank to take temporary control of your service or infrastructure during a catastrophic failure.

The primary goal is to ensure the bank’s critical operations can continue without interruption. For a fintech, facilitating these rights may require arrangements such as:

  • Escrowing your source code.
  • Ensuring data can be easily ported to another provider.
  • Providing the bank with access to your cloud environment under specific, crisis-related conditions.

Incident Response & APRA Notification Requirements

Understanding the 72-Hour & 24-Hour Notification Rules

Under CPS 230, APRA-regulated entities are bound by strict, time-sensitive notification deadlines for operational incidents. These obligations are contractually passed down to any MSP, including payment fintechs, creating a high-pressure environment for incident response.

The two primary timeframes that banks must adhere to are critical for any service provider to understand. APRA’s key notification requirements include:

  • A 72-hour notification rule: An APRA-regulated entity must notify APRA as soon as possible, and no later than 72 hours after becoming aware of an operational risk incident, a process that has parallels with the rules for breach reporting by AFS licensees. This applies to events that are likely to have a material financial impact or a material impact on the entity’s ability to maintain its critical operations.
  • A 24-hour notification rule: If a disruption causes a critical operation to fall outside its board-approved tolerance levels, the regulated entity must notify APRA within 24 hours. This is often linked to the activation of the entity’s BCP.

Because the clock for the regulated entity starts from the moment of “awareness” rather than full incident resolution, banks cannot afford any delay in receiving information from their service providers. Consequently, contracts with fintechs now include “mirror notification” clauses that mandate reporting in a much shorter timeframe.

For a fintech, this means you are contractually obligated to report any material incident to your bank partner almost immediately. Specifically, the required window is:

  • Often just a few hours for general material incidents.
  • Sometimes as short as one to four hours for severe incidents affecting critical payment services.

A Practical Roadmap to CPS 230 Compliance for Startups

Achieving Bank-Grade Resilience on a Startup Budget

Achieving the bank-grade resilience required by CPS 230 does not necessarily require a bank-sized budget. Fintech startups can adopt several cost-effective strategies to meet these stringent standards, turning a compliance challenge into a competitive advantage.

A practical approach involves leveraging existing certifications and creating standardised documentation to streamline interactions with APRA-regulated entities.

If your fintech is already SOC 2 Type II or ISO 27001 compliant, you have a head start on demonstrating organisational competence, as a significant portion of the required documentation is already in place. You can then focus your efforts on addressing the specific gaps related to CPS 230, which may include:

  • Defining tolerance levels for your critical operations.
  • Formalising exit strategies to ensure smooth transitions if needed.

Another effective strategy is to develop a “CPS 230 Compliance Pack.” This is a standardised set of documents that proactively demonstrates how your service provider meets uptime, notification, and fourth-party risk requirements, ultimately helping to shorten sales cycles significantly with financial institutions.

Adopting scalable technologies and open-source tools is another way to manage costs while building a robust resilience framework. These measures allow startups to demonstrate compliance without significant enterprise spending.

Cost-effective measures for compliance include:

  • Leveraging scalable cloud architectures: Implementing multi-availability zone (multi-AZ) deployments on major cloud platforms provides a foundational layer of resilience. For critical services, this can be extended to multi-region configurations to protect against large-scale outages.
  • Using open-source monitoring tools: Software like Prometheus can be used to monitor uptime and performance metrics. This data can be fed into public status pages or shared dashboards to provide bank partners with the transparency they require.
  • Automating governance and risk management: Automated GRC platforms can help monitor fourth-party risks and uptime, providing real-time dashboards to partners and reducing the manual effort of evidence collection.
  • Mapping dependencies with free or low-cost tools: Startups can use risk mapping software to identify and document critical service dependencies, which is a foundational step in building a credible BCP.

A phased implementation can make the compliance journey more manageable. This staged approach allows for progress to be tracked against APRA’s guidance without overwhelming a small team.

For instance, a startup could focus on specific milestones, such as:

  • Mapping critical services in the first few months.
  • Uplifting key contracts shortly after.
  • Conducting continuity testing in subsequent quarters.

The Future of CPS 230 & Service Provider Compliance

Understanding the Consultation on Non-Traditional Service Providers

APRA has initiated a consultation on targeted amendments to CPS 230. This initiative aims to address challenges with what it terms Non-Traditional Service Providers (NTSPs).

These providers present unique compliance difficulties because they are typically market-mandated, meaning APRA-regulated entities have little to no choice but to use their services. Specifically, arrangements with NTSPs often rely on standardised, non-negotiable contracts.

As a result, this lack of flexibility makes it difficult for entities to enforce the specific contractual and service level obligations required by CPS 230.

In response to industry feedback, APRA has proposed targeted changes to CPS 230 that would exempt certain material arrangements with NTSPs from some of these requirements.

To qualify for this exemption, the proposed amendment outlines specific criteria:

  • The provider must be listed in a new attachment to the standard.
  • The arrangement must involve a standardised contract or lack a formal agreement entirely.

Ultimately, this adjustment is intended to alleviate the regulatory burden where entities have limited or no ability to negotiate terms.

Furthermore, APRA’s preliminary list of providers that may be classified as NTSPs provides insight into the scope of this consultation. The types of providers include:

  • Government agencies, such as the Reserve Bank of Australia.
  • Stock exchanges, including the Australian Securities Exchange.
  • Central clearing counterparties, like ASX Clear and London Clearing House (LCH).
  • Settlement platforms, such as SWIFT and PEXA.
  • Payment Schemes, including Australian Payments Plus (‘AP+’), VISA, and MasterCard.

While these proposed amendments aim to streamline compliance, all other risk obligations under CPS 230 will remain unchanged. APRA-regulated entities must still actively manage their NTSP arrangements by fulfilling the following responsibilities:

  • Ensuring business continuity across all operations.
  • Conducting ongoing monitoring of the service provider.
  • Effectively managing the associated risks of the arrangement.

Importantly, for fintechs operating within these ecosystems (such as those building on payment schemes), the NTSP classification of the underlying infrastructure does not automatically extend to them.

Instead, they remain commercial service providers to their bank partners and must still demonstrate robust operational resilience to meet their contractual obligations. APRA is expected to finalise these targeted changes before 1 July 2026.

Conclusion

CPS 230 redefines the compliance landscape for service providers, contractually obligating fintechs to meet bank-grade standards for resilience, business continuity, and incident response. This shift requires proactive management of service provider arrangements, including fourth-party risks, to maintain critical operations within strict tolerance levels set by APRA-regulated entities.

Navigating these complex requirements demands expert guidance to turn regulatory challenges into strategic opportunities. Contact AFSL House’s experienced AFSL compliance lawyers today to ensure your business is prepared for the new era of operational resilience with our tailored compliance frameworks.

Frequently Asked Questions (FAQ)

When does CPS 230 come into effect?

APRA’s CPS 230 comes into force on 1 July 2025. For pre-existing contractual arrangements with service providers, the requirements will apply from the earlier of the next contract renewal date or 1 July 2026.

What is a critical operation for a payment service provider?

A critical operation is a process that, if disrupted beyond tolerance levels, would have a material adverse impact on a bank’s customers or its role in the financial system. For entities that service banks, this includes processes like payments, deposit-taking, settlements, and clearing—all areas that require careful legal advice on payments regulation—meaning any fintech service involved in these processes is supporting a critical operation.

What are tolerance levels like RTO & RPO?

Tolerance levels define the maximum disruption a business can withstand, with the RTO being the maximum acceptable time for a service to be restored after a failure. The RPO is the maximum acceptable amount of data loss, measured in time, such as 15 minutes of transaction data.

What are fourth-party risks for a service provider?

Fourth-party risks are the risks introduced by your vendors or subcontractors that you rely on to deliver your service. For a payment fintech, this includes your cloud provider like AWS or Azure, DNS services such as Cloudflare, and any other SaaS products integral to your operations.

What are step-in rights in a service provider arrangement?

Step-in rights are contractual provisions that allow a regulated entity, like a bank, to take temporary control of a service provider’s operations or infrastructure if the provider fails catastrophically. This is designed to ensure the bank’s critical operations can continue without interruption.

Do I have to report incidents directly to APRA?

No, as a non-regulated service provider, you do not report incidents directly to APRA. Your contract with a bank will require you to report material incidents to them within a very short timeframe, often just a few hours, so the bank can meet its mandatory notification deadlines.

What if my cloud provider like AWS will not negotiate CPS 230 terms?

Hyperscale cloud providers typically do not negotiate custom contractual terms, so the expectation is to build architectural resilience rather than change their contracts. This means designing your platform for multi-region or multi-cloud failover to ensure you can meet your resilience obligations to the bank, independent of a single provider’s guarantees.

What is a Non-Traditional Service Provider or NTSP?

An NTSP is a provider that is typically market-mandated, where entities have little to no choice but to use their services, such as stock exchanges or payment schemes. These providers typically rely on standardised, non-negotiable terms, and APRA is consulting on targeted amendments to clarify compliance expectations for these unique arrangements.

What is the deadline for updating my existing contracts with banks?

For any service provider agreements that were in place before 1 July 2025, you must ensure they are compliant with CPS 230 by the earlier of the contract’s next renewal date or 1 July 2026. This creates a firm deadline for all existing material arrangements to be updated.

Published By
Author Peter Hagias AFSL House