Comply with APRA CPS 230 (Operational Risk Management)
APRA-regulated entities must manage operational risk including a comprehensive third-party / outsourcing register from 1 July 2025.
Who must comply
All APRA-regulated entities (ADIs, insurers, RSE licensees).
What triggers it
Being APRA-regulated.
When due
Continuous from 1 July 2025; pre-existing arrangements transition through 30 June 2026.
Evidence required
Critical operations register, service provider register, tolerance levels, business continuity test results, board attestation.
Max penalty
APRA directions, additional capital, licence conditions
Effective from
1 July 2025
Summary
CPS 230 (in force from 1 July 2025) replaces CPS 231 (outsourcing) and CPS 232 (business continuity). Requires APRA-regulated entities to identify critical operations, set tolerance levels for disruption, maintain a comprehensive register of material service providers, manage concentration risk, and conduct testing.
Enforced by
Source legislation
Industries
Topics
Source: https://apra.gov.au/operational-risk-management. Rules Mate is not a law firm. Always verify against the live regulator source before acting.