CPS 230 – Material Service Providers
The new prudential standard CPS 230 Operational Risk Management for APRA-regulated entities, which commences in July 2025, includes important provisions on dealing with service providers.
Key concepts
Material service provider: a service provider is “material” when the entity relies on it to undertake a critical operation or where the service provider exposes the entity to material operational risk. CPS 230 deems certain providers to be material. For example, for an authorised deposit-taking institution (ADI), providers of credit assessment, funding and liquidity management, and mortgage brokerage are material.
Material arrangement: an arrangement where the entity relies on the arrangement to undertake a critical operation or that exposes the entity to material operational risk.
Fourth party: a party that a service provider relies on in delivering services to an APRA-regulated entity (i.e., a supplier of the supplier).
Key requirements
The key requirements for an APRA-regulated entity in relation to service providers under CPS 230 are:
Policy: having a service provider management policy.
Register: having a register of material service providers.
Due diligence: due diligence and risk assessments before entering into or materially modifying a material arrangement.
Formal agreements: having a formal agreement for each material arrangement.
Content of formal agreements: minimum content requirements for the formal agreements that cover material arrangements.
Risk management: managing risks for each material arrangement.
Monitoring and reporting: monitoring material arrangements and reporting on them to senior management.
Notifying APRA: notifying APRA of certain matters including the register of material service providers, entering into or materially changing an agreement for critical operations, and entering into any material offshoring arrangement or proposing significant changes to one.
Internal audit: internal audit reviews of proposed material arrangements involving the outsourcing of critical operations.
Transition period
For an existing contract with a service provider, the CPS 230 requirements apply from the next renewal date of the contract or 1 July 2026, whichever is earlier.
Action steps to prepare for CPS 230
To prepare for compliance with CPS 230, we set out below some action steps that APRA-regulated entities may wish to take.
Develop service provider management policy.
Create register of service providers.
Identify material service providers.
Review existing material arrangements.
Each of these steps is discussed in more detail below.
Develop service provider management policy
If the entity already has a policy, review it for any CPS 230 gaps and update as required. The policy can (but is not required to) cover all service providers, not just those that are material. APRA draft guidance says that the policy would typically include:
roles and responsibilities of accountable persons or the equivalent;
processes for the selection of and due diligence on service providers;
management of risks associated with service providers;
methodology for the assessment of the materiality of service providers;
on-boarding and exiting procedures;
business continuity plans (BCPs) and alternative arrangement considerations (including where the service provider is unable to provide the service for an extended period of time);
issue management and escalation procedures;
processes for vetting key personnel of service providers; and
oversight processes and practices to monitor the service providers, service level agreements, and risks.
APRA expects companies to actively manage risks associated with service providers (including fourth parties). This includes:
Regular evaluation of the effectiveness of the service provider management policy.
Demonstrating an understanding and management of risks throughout the service provider relationship.
Ensuring that service providers have a sound internal risk management framework.
Maintaining visibility of service provider risk practices and ensuring consistent standards.
Being aware of and managing risks associated with fourth parties used by service providers. This includes identifying material fourth parties, contractual provisions for informing about material fourth parties, and assurance from service providers on managing material fourth parties. APRA draft guidance says that better practice would be to ensure that service providers monitor risks managed by fourth parties (including key factors like control environment and incident management) and provide regular reporting on operational performance and risk management to the APRA-regulated entity.
Create register of service providers
APRA does not currently provide any guidance on the required content of the register of service providers, but we expect it to include information such as:
identity details of the provider;
whether the provider is material;
nature of services covered;
details of the formal agreement including commencement date and termination date; and
persons responsible for the agreement.
Identify material service providers
APRA draft guidance says when deciding if a service provider is material, an APRA-regulated entity would consider:
support of critical business operations;
totality of services provided;
operational risks (cyber, mis-selling, etc.);
difficulty of exiting the arrangement; and
involvement of sensitive information assets.
Review existing material arrangements
Existing material arrangements should be reviewed to ensure that there is a formal agreement in place which includes the mandatory provisions specified in CPS 230. These mandatory provisions are:
Services: specifying the services covered by the agreement and associated service levels.
Rights and responsibilities: the rights, responsibilities and expectations of each party to the agreement, including in relation to the ownership of assets, ownership and control of data, dispute resolution, audit access, liability and indemnity.
Compliance: provisions to ensure the ability of the entity to meet its legal and compliance obligations.
Fourth parties: a requirement that the service provider notify the entity of its use of other material service providers that it materially relies upon through subcontracting or other arrangements.
Liability for subcontractors: requiring the liability for any failure on the part of any subcontractor to be the responsibility of the service provider.
Force majeure: a force majeure provision indicating those parts of the contract that would continue in the case of a force majeure event.
Termination: termination provisions including, but not limited to, the right to terminate either the arrangement in its entirety or parts of the arrangement.
APRA access: provisions that allow APRA access to documentation, data and any other information related to the provision of the service; that allow APRA to conduct an on-site visit to the service provider; and which ensure the service provider agrees not to impede APRA in fulfilling its duties as prudential regulator.
APRA draft guidance also refers to the following aspects of the formal agreements between entities and service providers:
Flexibility: Agreements would typically accommodate potential changes.
Service levels and performance: These are usually set out in a service-level agreement (SLA) with clear metrics for measurement and monitoring.
Liability: Agreements would typically include specification of each party's liability, including limits for negligence, indemnities, insurance arrangements, and liability related to the use of other service providers.
Termination: An agreement would typically include clear terms outlining transition arrangements, ownership and access to assets, and the duration of service provision post-termination.
Need help with CPS 230?
We advise many APRA-regulated entities on their service provider contracts and regulatory compliance. Please get in touch with us if you need help with CPS 230 implementation.
Kathleen Harris and Patrick Dwyer
Legal Directors