APRA Finalises Targeted Amendments to CPS 230 Operational Risk Management

Australia’s financial regulator, APRA, has moved to modernize its operational risk framework by amending CPS 230 and the associated practice guide CPG 230. The original standard imposed uniform contractual obligations on all material service providers, but feedback highlighted challenges when dealing with entities like central banks or clearing houses that cannot negotiate standard contracts. By introducing a flexible exemption list, APRA acknowledges the unique nature of these non‑traditional service providers and seeks to maintain robust risk oversight without imposing unrealistic compliance demands.

The revised guidance delineates how due‑diligence, selection, and monitoring processes can be adapted for exempt providers. Institutions can now document risk assessments that reflect information asymmetry and market dynamics specific to government agencies, regulators, and financial market exchanges. The updated material service provider register includes a new classification field, enabling firms to flag exempt arrangements and streamline reporting. This targeted approach reduces administrative load while ensuring that critical third‑party risks remain visible to supervisors.

Globally, regulators are grappling with the balance between prescriptive standards and the need for flexibility in an increasingly interconnected financial ecosystem. APRA’s amendments bring Australian practices closer to international trends that favor risk‑based, proportionate oversight. For banks and insurers, the July 2026 rollout means revising internal policies, training staff on the new exemption criteria, and preparing updated APRA Connect submissions. In the longer term, the framework positions Australia to better manage systemic risk linked to essential market infrastructure while supporting innovation in service‑provider relationships.