The Australian Prudential Regulation Authority (APRA) has finalised changes to Prudential Standard CPS 230 Operational Risk Management that will affect how insurers and other regulated entities manage contractual obligations with certain non‑traditional service providers. Released April 30, 2026, the amendments apply to CPS 230, Prudential Practice Guide CPG 230, and the Material Service Provider (MSP) Register template. The revised standard and guidance will take effect July 1, 2026.
The key change is a limited exemption from specified contractual requirements in CPS 230 where entities have material arrangements with particular categories of non‑traditional service providers and are not in a position to negotiate bespoke terms. Under the amended framework, an APRA‑regulated entity will not need to meet some CPS 230 contractual obligations for a material arrangement if two conditions are satisfied.
First, the provider must fall within one of the exempt service provider categories listed in a new attachment to CPS 230. These categories include government agencies, regulators, central banks, financial market exchanges, operators of clearing and settlement facilities, operators of payment systems and schemes, and financial messaging infrastructures. Second, the arrangement must rely on standardised terms or not be documented in a formal agreement. The exemption applies only to specified contractual requirements. APRA has stated that all other elements of CPS 230 continue to apply and that the changes “do not reduce the expectation that regulated entities actively manage the operational risks arising from reliance on these service providers.”
APRA’s final position follows industry feedback on a December 2025 consultation letter that proposed amendments for material arrangements with non‑traditional service providers. Most submissions supported an approach based on provider type rather than naming individual providers. In response, APRA will keep a list of exempt service provider types, with definitions, in an attachment to CPS 230. The agency said it had worked with industry and peer regulators to “better define the exempt categories, to establish a clear perimeter.”
APRA will retain discretion to adjust the list over time and to grant additional exemptions by written notice where it considers this appropriate. The “second limb” of the exemption test – that entities must still seek CPS 230‑compliant contracts where it is possible to negotiate bespoke terms – remains in place. Some respondents proposed a broader set of exempt categories, including information technology and cloud infrastructure providers, communications providers, digital wallet providers, and certain banks. APRA has made only “minor adjustments” to the illustrative list consulted on and said it has “refined how exempt categories are defined but has not materially changed the scope.”
Several submissions argued that exemptions should extend beyond contractual requirements to cover obligations related to selection, due diligence, business continuity, and risk management processes for arrangements with exempt providers. APRA has left the broader operational risk framework unchanged. CPS 230 will continue to require entities to identify and manage operational risks across all material arrangements, including those involving exempt providers. However, CPG 230 has been updated to recognise that due diligence and selection processes “may look different for an exempt service provider compared to other material service providers.”
The guidance indicates that approaches may vary where information is limited or bargaining positions differ but does not remove the underlying obligations. APRA has also made a minor change to the definition of “standardised contract” to align it more closely with arrangements where there is little or no ability to negotiate terms. On the interaction with CPS 234 Information Security, APRA declined to consolidate or alter requirements at this time, describing the CPS 230 initiative as intentionally narrow and indicating it will observe how the standard operates before considering wider changes.
APRA has confirmed that the force majeure obligation in CPS 230 will remain as drafted, despite feedback from some stakeholders that the requirement is difficult to meet and differs from expectations in other jurisdictions. The updated paragraph 53(f) requires that a material service provider agreement “include a force majeure provision indicating those parts of the contract that would continue in the case of a force majeure event.”
APRA said the provision is intended to provide clarity about which contractual obligations survive or continue during a force majeure event, rather than to require a guarantee of uninterrupted performance. It described a shared understanding of these obligations as important for managing operational disruptions. In addition, APRA has adjusted notification guidance in CPG 230 so that the relevant table mirrors the notification requirements in paragraph 60(a) of CPS 230.
To implement the exemption framework, APRA has updated the MSP Register template so entities can identify arrangements with exempt providers. The instructions for the template have been revised, and the register now includes a way to classify whether a material service provider arrangement is covered by the exemption. APRA will issue an updated APRA Connect return for the 2026 reporting cycle to support submission of revised MSP information. Insurers, superannuation trustees, and other APRA‑regulated entities will need to review their material service provider portfolios, determine which arrangements fall within the exempt categories, and update their MSP registers and reporting processes before the July 1, 2026, commencement date.
The amendments form part of the broader CPS 230 implementation program that began with the final standard in July 2023 and the final CPG 230 in June 2024. APRA previously moved the CPS 230 effective date to July 1, 2025, and introduced transition arrangements for existing contracts with service providers. APRA has indicated it expects the scope of exemptions to narrow over time as domestic and international operational resilience practices develop and as market practice on contract terms continues to change.
