The Australian Prudential Regulation Authority's finalized amendments to Prudential Standard CPS 230 Operational Risk Management take full effect on July 1, 2026. The changes introduce limited contractual exemptions for material arrangements with non-traditional service providers — such as central banks and clearing facilities — while preserving the core operational resilience framework that applies to insurers, banks, and superannuation funds.
A key milestone in Australia's operational resilience framework arrives on July 1, 2026, as the Australian Prudential Regulation Authority's (APRA) targeted amendments to Prudential Standard CPS 230 Operational Risk Management take full effect. APRA finalized these amendments on April 30, 2026, in response to industry feedback highlighting practical difficulties in applying certain contractual requirements to arrangements with non-traditional service providers (NTSPs).
The central change is a carefully scoped exemption: APRA-regulated entities — including banks, general insurers, life insurers, and superannuation trustees — will not be required to meet specific CPS 230 contractual obligations for material arrangements with designated categories of NTSPs where negotiating bespoke contract terms is not practicable. The exempt categories, set out in an attachment to CPS 230, include government agencies, regulators, central banks, and financial market exchanges such as clearing and settlement facilities. These entities typically operate under statutory frameworks that substitute for standard commercial contract terms.
To implement the framework, APRA updated the Material Service Provider (MSP) Register template so entities can classify whether specific arrangements fall under the exemption, and it is issuing an updated APRA Connect return for the 2026 reporting cycle. Insurers, superannuation trustees, and other regulated entities need to review their full material service provider portfolios, identify which arrangements qualify under the new exemptions, and update their registers and reporting processes by the July 1 commencement date.
The broader CPS 230 framework, which took initial effect on July 1, 2025, is designed to ensure that all APRA-regulated entities across banking, insurance, and superannuation can withstand and rapidly recover from operational disruptions — including cyber incidents, technology failures, and third-party service outages. Additional deferred requirements relating to business continuity and scenario analysis apply to non-significant financial institutions from July 1, 2026 as well. APRA has indicated it expects the scope of the NTSP exemptions to narrow over time as domestic and international operational resilience practices mature.
Key Points
- 1APRA's CPS 230 amendments take full effect on July 1, 2026
- 2Limited contractual exemptions apply for non-traditional service providers like central banks and clearing facilities
- 3Insurers, banks, and superannuation trustees must update Material Service Provider registers by July 1
- 4Deferred business continuity and scenario analysis requirements also apply to non-significant institutions from July 1
- 5APRA expects exemption categories to narrow over time as resilience practices mature
Why This Matters
CPS 230 is the cornerstone of Australia's approach to operational resilience across banking, insurance, and superannuation. The July 1 deadline is a hard compliance date: insurers and super funds that have not updated their MSP registers and contractual arrangements face potential supervisory action. The framework's emphasis on withstanding cyber incidents and third-party outages reflects a global regulatory trend toward operational resilience as a core prudential concern.
Original Source
APRA (Australian Prudential Regulation Authority) ↗Related Stories
UK FCA's Landmark 'Targeted Support' Regime Goes Live to Close the Advice Gap
April 6, 2026
US Cyber Incident Reporting Law (CIRCIA) Takes Effect, Requiring 72-Hour Breach Notifications
July 1, 2026
NAIC Confirms Hackers Published Stolen Insurance Regulatory Data Online After PeopleSoft Breach
June 25, 2026
North Carolina Becomes First US State to Ban Third-Party Litigation Funding
June 22, 2026
Daily Intelligence
The PolicyGlobal Daily Brief
Get the top 5 insurance and finance stories every morning, curated and verified by our editorial desk. No spam. Unsubscribe anytime.
Informational newsletter only. Not financial advice. Disclaimer