APRA’s CPS 230 Grace Period Ends 1 July — What It Means for Financial Firms and the Businesses That Supply Them

Author: Dan Briggs  |  Published: 8 June 2026  |  Reading time: 18 minutes

Executive summary

On 1 July 2026, the last of the transition arrangements under APRA’s Prudential Standard CPS 230 Operational Risk Management run out. From that date, every contract a regulated bank, insurer or superannuation trustee holds with a material service provider must meet the standard’s requirements, whether or not the contract has come up for renewal. On the same day, smaller institutions lose the extra year APRA gave them on business continuity and scenario analysis, and the targeted amendments APRA finalised on 30 April 2026 come into effect, along with an updated Material Service Provider Register template.

If you run an APRA-regulated entity, none of this should be news, but our experience says the contract uplift is where timetables have slipped. If your register lists agreements that still don’t contain APRA access rights, data ownership clauses or proper termination provisions, you have three weeks to close the gap or to be able to show APRA a credible plan for closing it.

The bigger story is for everyone else. CPS 230 reaches well beyond the banks, insurers and super funds APRA supervises, because it forces those entities to rewrite their contracts with the businesses that serve them. Software vendors, IT providers, fund administrators, claims handlers, brokers, BPOs, payroll bureaus and document management firms across Sydney, Brisbane and Melbourne have spent the past year receiving “contract uplift” letters from their financial services clients. The volume of those letters has spiked as the deadline approaches, and we’re seeing them land on businesses with no idea what CPS 230 is or why a mid-tier super fund suddenly wants audit rights over their systems.

This whitepaper explains what lands on 1 July 2026, who is directly caught, what the uplift letters actually ask for, and what to do in the next three weeks, whether you’re the regulated entity or the supplier. It finishes with the part we know best: how your IT environment either supports these obligations or quietly undermines them.

A quick refresher: what CPS 230 actually is

CPS 230 is APRA’s cross-industry standard for operational risk. It commenced on 1 July 2025 and replaced the old outsourcing and business continuity standards (CPS 231 and CPS 232, and their industry equivalents). It applies to all APRA-regulated entities: banks, mutual banks and credit unions, general insurers, life insurers, private health insurers, friendly societies and superannuation trustees. APRA supervises institutions holding about $9.8 trillion in assets, so the standard’s reach across the economy is considerable.

In plain terms, CPS 230 asks three things of a regulated entity.

1. Know your critical operations and set tolerance levels

Critical operations are the processes that would materially hurt customers or the financial system if they stopped: payments and deposit-taking for a bank, claims processing for an insurer, fund administration and investment management for a super trustee. The entity must set Board-approved tolerance levels for how long each critical operation can be down, how much data it can lose, and the maximum acceptable extent of disruption.

2. Maintain a credible, tested business continuity plan

The BCP must be tested annually against severe but plausible scenarios, and those scenarios must include disruptions to services provided by material service providers. APRA can even direct an entity to run a specific scenario it nominates.

3. Manage service providers like the operational dependencies they are

This is the part that pulls in the rest of the economy. Entities must identify their material service providers, keep a register of them, submit that register to APRA annually, conduct due diligence before signing or materially changing agreements, and make sure those agreements contain a specific set of contractual protections. The first registers went in by 1 October 2025, and APRA has now updated the register template for the 2026 round.

The standard also sets hard notification clocks. An entity must tell APRA within 72 hours of becoming aware of an operational risk incident likely to have a material financial impact or a material impact on critical operations, and within 24 hours if a critical operation is disrupted beyond tolerance. New or materially changed agreements supporting critical operations must be notified within 20 business days, and material offshoring arrangements before they’re entered into.

Three deadlines land on the same day

What makes 1 July 2026 worth a whitepaper rather than a footnote is that three separate transition tracks converge on it.

Pre-existing contracts run out of road

When CPS 230 commenced last year, APRA allowed existing contractual arrangements with material service providers to keep running on their old terms until the earlier of the contract’s next renewal date or 1 July 2026. That grace period is what ends in three weeks. Any agreement that hasn’t been renegotiated since, including evergreen arrangements that never formally renew, must comply from 1 July. Law firms working in this space have been blunt about it: if a material service provider contract hasn’t been uplifted by then, the entity is out of time.

Smaller institutions lose their extension

In 2024, APRA gave non-significant financial institutions (non-SFIs) an extra 12 months on the business continuity and scenario analysis requirements, recognising that smaller entities needed time to get the foundations right. Broadly, non-SFIs are the institutions below APRA’s significance thresholds: most mutual banks and credit unions, smaller and captive insurers, and boutique super trustees. They were allowed to keep operating under the old business continuity standards in the interim. From 1 July 2026 that concession ends, and the full CPS 230 requirements, including tolerance levels, annual testing against severe but plausible scenarios and provider-failure scenarios, apply to them in full.

For a 60-person mutual or a small trustee office, this is the harder deadline. Contract uplift is mostly a legal exercise. Scenario analysis is an operational one: it requires knowing your systems, your dependencies and your actual recovery capability, then proving it with a test.

The April amendments and the new register template take effect

On 30 April 2026, APRA finalised targeted amendments to CPS 230, the accompanying practice guide CPG 230, and the register template. The amendments create a narrow exemption from some contractual requirements for material arrangements with what APRA calls non-traditional service providers, such as central banks and clearing and settlement facilities, where demanding bespoke contract terms simply isn’t practicable. Everything else, including the register, risk management and continuity planning obligations, still applies to those arrangements. The changes commence 1 July 2026, and entities relying on the exemption need to document that reliance and reflect it in the updated register. Details are on APRA’s operational risk management page.

Be clear about what this exemption is not. It is not relief for ordinary commercial suppliers. If you provide software, IT services, administration or claims handling to a regulated entity, the full contractual requirements apply to your agreement. The exemption exists precisely because a small Australian insurer cannot make the Reserve Bank or a global card scheme sign its template terms. Your business does not have that negotiating position, and APRA knows it.

The wider blast radius: are you a material service provider?

A material service provider is one the entity relies on to maintain a critical operation, or one that exposes it to material operational risk. You don’t get a vote on the classification; the regulated entity makes the call, and APRA can override it by deeming a provider or a whole class of providers material.

On top of that judgement call, CPS 230 deems certain services material by default:

  • For every regulated entity: risk management, core technology services and internal audit.
  • For banks and other ADIs: credit assessment, funds management, custody, settlement and clearing.
  • For insurers: underwriting, claims management, insurance brokerage and reinsurance.
  • For super trustees: fund administration, custodial services, investment management and arrangements with promoters and financial planners.

“Core technology services” is the phrase that catches most of the businesses we work with. If you host, manage, develop or support systems that a bank, insurer or super fund needs to serve its customers, you are very likely on someone’s register, and the obligations in their contract with you are being rewritten to match the standard.

The standard also looks one layer further down, at what it calls fourth parties: the providers your business relies on to deliver the service. The regulated entity must manage risks from fourth parties that its material service providers depend on, which is why uplift questionnaires now routinely ask suppliers to disclose their own subcontractors and key dependencies, including which cloud platforms and data centres they run on. If your service to a super fund runs on Microsoft 365 and Azure, expect to be asked exactly that, in writing.

What the contract uplift letter actually asks for

CPS 230 prescribes minimum content for any agreement with a material service provider. When the uplift letter arrives, the attached amendment deed will usually track the standard clause by clause. Here is what each demand means in practice from the supplier’s side of the table.

What the contract must now include, and what it means for you as the supplier:

  • Specified services and service levels. Vague statements of work are out. Expect defined deliverables, measurable SLAs and reporting against them.
  • Ownership and control of data and assets. The client will want it recorded that their data is theirs, with clarity on where it lives, who can access it and how it’s returned or destroyed on exit.
  • Audit and access rights for the entity. Your client can inspect documentation, data and operations related to the service. You’ll want to negotiate notice periods and confidentiality boundaries rather than resist the right itself.
  • APRA access and on-site visit rights. The regulator itself gets the right to access information about the service and visit your premises, and you must agree not to impede APRA doing its job. This clause is non-negotiable; the entity cannot sign without it.
  • Notification of subcontracting. You must disclose other material providers you rely on to deliver the service, and usually notify changes to them. Quietly swapping a key subcontractor is no longer an option.
  • Liability for subcontractor failure. If your subcontractor drops the ball, contractually that’s your failure. Check your own back-to-back agreements and insurance reflect that.
  • Force majeure provisions. The contract must specify which parts of the service continue during a force majeure event, which means you need a real continuity capability, not a clause that excuses you from everything.
  • Termination rights, in whole or in part. The client must be able to exit the arrangement, or parts of it, including where staying in it would breach their legal obligations. Expect transition-out assistance obligations too.
  • Support for legal and compliance obligations. Catch-all provisions requiring you to cooperate with the entity’s regulatory obligations, including the incident notification clocks described below.

Alongside the deed, there’s usually a due diligence questionnaire covering your financial position, security posture, business continuity arrangements and incident history, because the entity is required to assess your ability to deliver the service on an ongoing basis, including risks tied to your location and concentration. And because CPS 234 Information Security continues to operate alongside CPS 230, expect specific questions about your information security controls, since your client must assess them where you hold their information assets.

If you’re the supplier: how to respond without signing away the farm

We’ve now sat on the supplier side of enough of these uplifts to offer some practical guidance.

Don’t ignore the letter. The entity has a hard deadline and no discretion about the minimum clauses. Suppliers who stall past 1 July aren’t strengthening their negotiating position; they’re creating a compliance problem their client must report and manage, and the standard hands the client a documented register of alternatives. The entities we work with have already identified which suppliers they would substitute if uplift fails. You don’t want to be the line item that’s easier to replace than to fix.

Understand which clauses are fixed and which are drafting. APRA access, audit rights, data ownership, subcontractor disclosure and termination rights have to be there in substance. But notice periods for audits, the scope of what’s auditable, cost recovery for assistance, liability caps and the mechanics of transition-out are all negotiable drafting. Spend your legal budget there.

Build the evidence pack once. Every uplift questionnaire asks roughly the same things: who can access client data and how access is controlled, where data is stored and replicated, what your backup and recovery capability actually is (with test results, not assertions), how you’d detect and report an incident within your client’s 72-hour window, and which subcontractors and platforms you depend on. Answering this once, properly, turns every subsequent questionnaire into a half-day job instead of a three-week scramble. It also becomes a sales asset: “yes, we’re CPS 230-ready” is now a differentiator when tendering to financial services clients.

Map your own dependencies properly. Your client must manage fourth-party risk, so your Microsoft 365 tenancy, your hosting provider, your RMM tooling and your offshore development partner are all disclosable. If you don’t have a current dependency map, build one before you answer the questionnaire, not while you’re answering it.

Check your insurance. Accepting liability for subcontractor failure and committing to incident notification timeframes has consequences for your professional indemnity and cyber cover. Tell your broker what you’re signing.

If you’re the regulated entity: a three-week triage

For non-SFIs and any entity with uplift still in flight, here is the triage we’d run between now and 30 June.

  1. Reconcile the register against reality. Pull the register you submitted last October and confirm every material arrangement on it has either a compliant agreement or a dated, documented uplift plan. The updated template takes effect for the 2026 submission, so check what’s changed before you populate it.
  2. Prioritise by criticality, not by contract value. A $30,000-a-year software dependency that sits inside a critical operation matters more than a $300,000 facilities contract that doesn’t.
  3. Paper the stragglers. Where a supplier can’t complete uplift by 1 July, document the gap, the interim controls and the remediation date. APRA’s supervisors respond very differently to a known, managed gap than to one they find first.
  4. Decide whether you’re relying on the non-traditional service provider (NTSP) exemption. If any material arrangements are with exempt-category providers on standardised terms, document the reliance and reflect it in the register.
  5. Close out business continuity, if you’re a non-SFI. Tolerance levels approved by the Board, a BCP that reflects them, and at least one severe-but-plausible scenario exercise completed, including a provider-disruption scenario. If you haven’t scheduled the exercise yet, do it this week; the people you need in the room have EOFY commitments too.
  6. Test the notification clocks. Run a tabletop: an incident hits at 2pm Friday, who decides it’s material, who drafts the APRA notification, and can you actually do it inside 72 hours, or 24 hours for an out-of-tolerance disruption? The clock starts when you become aware, and awareness depends entirely on your monitoring.

Where your IT environment does the heavy lifting

CPS 230 is a risk standard, not a technology standard, but nearly every obligation in it lands on technology eventually. Four areas decide whether compliance is a document or a capability.

Monitoring and the notification clocks

The 72-hour and 24-hour notification windows only work if incidents are detected when they happen, not when a customer complains. That means centralised logging and alerting across your environment, including your Microsoft 365 tenancy, with someone responsible for triage out of hours. We’re seeing clients fail their own tabletop exercises not on the reporting step but on the awareness step: the incident had been visible in logs for two days before anyone classified it.
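The tabletop from step 6 of the triage, and the awareness gap described above, as an added example (our own illustration, not part of the standard or of any client’s tooling). The scenario timeline is constructed, and the 20-business-day calculation skips weekends only, so public holidays are an assumption left out.

```python
from datetime import datetime, timedelta

# Notification windows CPS 230 attaches to an incident, counted from the moment
# the entity becomes aware of it (not from when the event first hit the logs).
MATERIAL_INCIDENT_HOURS = 72   # material financial / critical-operation impact
OUT_OF_TOLERANCE_HOURS = 24    # critical operation disrupted beyond tolerance
AGREEMENT_NOTICE_BUSINESS_DAYS = 20  # new or materially changed agreement


def notification_deadlines(aware_at, material_impact, out_of_tolerance):
    """Map each notification the incident triggers to its due time."""
    due = {}
    if material_impact:
        due["material_incident"] = aware_at + timedelta(hours=MATERIAL_INCIDENT_HOURS)
    if out_of_tolerance:
        due["out_of_tolerance"] = aware_at + timedelta(hours=OUT_OF_TOLERANCE_HOURS)
    return due


def business_days_after(start, days):
    """Datetime `days` business days after `start`, skipping weekends only
    (public holidays are deliberately left out of this illustration)."""
    current = start
    remaining = days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            remaining -= 1
    return current


def run_tabletop(timeline, material_impact, out_of_tolerance):
    """Score a tabletop: how long the incident sat in the logs before anyone
    classified it, and whether each APRA notification was made in time."""
    aware_at = timeline["classified"]
    lag = timeline["classified"] - timeline["first_log"]
    outcome = {"detection_lag_hours": lag.total_seconds() / 3600}
    deadlines = notification_deadlines(aware_at, material_impact, out_of_tolerance)
    for name, deadline in deadlines.items():
        outcome[name] = {
            "due": deadline.isoformat(),
            "on_time": timeline["notified"] <= deadline,
        }
    return outcome


# Constructed scenario for the exercise described above: not a real incident.
SCENARIO = {
    "first_log": datetime(2026, 6, 12, 14, 0),   # Friday 2pm: alerts visible in logs
    "classified": datetime(2026, 6, 14, 14, 0),  # Sunday 2pm: someone declares it material
    "notified": datetime(2026, 6, 15, 16, 0),    # Monday 4pm: APRA notification sent
}

if __name__ == "__main__":
    # 48-hour awareness gap; the 24-hour clock is missed, the 72-hour clock is met.
    print(run_tabletop(SCENARIO, material_impact=True, out_of_tolerance=True))
    # 20 business days from the Monday lands on 13 July 2026 (weekends only excluded).
    print(business_days_after(SCENARIO["notified"], AGREEMENT_NOTICE_BUSINESS_DAYS).date())
```

The point the scenario makes is the one in the paragraph above: the notification itself went out within a working day of classification, yet the 24-hour clock was still missed because the incident sat unclassified in the logs all weekend.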

Data ownership and control, in practice

Contract clauses about data ownership are only as good as the tenancy configuration behind them. Who actually holds global admin on your Microsoft 365 tenant? If your IT provider does, and you’re a regulated entity, that provider is exercising control over your information assets, and your uplifted contract needs to say so, along with how you’d recover control on exit. We structure client tenancies so the business, not the provider, retains ownership and ultimate admin control; under CPS 230 that structure stops being good practice and starts being contractual evidence.

Backup, recovery and proof

Tolerance levels imply recovery time and recovery point commitments. The only honest way to set them is from tested numbers: how long a full restore of your line-of-business system actually takes, verified this year, not estimated from a vendor datasheet. Scenario analysis that uses real restore timings takes about the same effort as scenario analysis that uses guesses, and only one of them survives contact with APRA’s supervision team.

Dependency mapping

Whether you’re filling in the register or answering an uplift questionnaire, you need an accurate map of which systems support which operations and which providers sit behind each system, down to the fourth-party layer. Most organisations discover their documentation is two restructures out of date the first time they try. Keeping that map current is unglamorous work, and it’s exactly the kind of thing a managed IT partner should be doing for you as a matter of course.
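The dependency map described here, joined to the tested restore timings from the previous section, as an added example (our own illustration, not a tool the standard or any client prescribes). The inventory, provider names and restore times are constructed for a small insurer; only the structure (critical operation, system, provider, fourth party, tolerance) comes from the standard.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class System:
    name: str
    provider: str                # service provider that runs or supports the system
    fourth_parties: tuple        # platforms that provider itself depends on
    tested_restore_hours: float  # from this year's live restore test, not a datasheet


@dataclass(frozen=True)
class CriticalOperation:
    name: str
    tolerance_hours: float  # Board-approved maximum tolerable outage
    systems: tuple          # systems the operation cannot run without


def material_providers(ops, systems):
    """Providers behind any critical operation: the candidates for the MSP register."""
    by_name = {s.name: s for s in systems}
    found = defaultdict(set)
    for op in ops:
        for name in op.systems:
            found[by_name[name].provider].add(op.name)
    return {p: sorted(o) for p, o in found.items()}


def fourth_party_concentration(ops, systems):
    """Fourth parties that sit behind more than one critical operation."""
    by_name = {s.name: s for s in systems}
    found = defaultdict(set)
    for op in ops:
        for name in op.systems:
            for fp in by_name[name].fourth_parties:
                found[fp].add(op.name)
    return {fp: sorted(o) for fp, o in found.items() if len(o) > 1}


def tolerance_breaches(ops, systems):
    """(operation, system, tested_hours, tolerance_hours) wherever a tested restore
    time is longer than the tolerance of an operation that depends on the system."""
    by_name = {s.name: s for s in systems}
    breaches = []
    for op in ops:
        for name in op.systems:
            s = by_name[name]
            if s.tested_restore_hours > op.tolerance_hours:
                breaches.append((op.name, s.name, s.tested_restore_hours, op.tolerance_hours))
    return breaches


# Constructed inventory (illustrative names, not real vendors or real timings).
SYSTEMS = (
    System("ClaimsApp", "ClaimsVendor Pty Ltd", ("Azure (Australia East)",), 36.0),
    System("PolicyAdmin", "ManagedIT Co", ("Azure (Australia East)", "RMM platform"), 12.0),
    System("M365", "ManagedIT Co", ("Microsoft 365",), 4.0),
    System("VisitorKiosk", "FacilitiesCo", ("Kiosk SaaS",), 120.0),  # no critical operation
)
OPERATIONS = (
    CriticalOperation("Claims processing", 24.0, ("ClaimsApp", "M365")),
    CriticalOperation("Policy administration", 48.0, ("PolicyAdmin", "M365")),
)

if __name__ == "__main__":
    print(material_providers(OPERATIONS, SYSTEMS))         # FacilitiesCo is not listed
    print(fourth_party_concentration(OPERATIONS, SYSTEMS)) # Azure and Microsoft 365
    print(tolerance_breaches(OPERATIONS, SYSTEMS))         # ClaimsApp: 36h against a 24h tolerance
```

Run against a real inventory, the third function is the list of scenario-analysis conversations to have before the exercise, and the second is the disclosure a fourth-party question in an uplift questionnaire is asking for.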

What happens if you miss the deadline

CPS 230 doesn’t come with a fine schedule, and that has led some businesses to underrate it. APRA’s tools are arguably worse than fines: heightened supervision, formal requirements to remediate, conditions on licences and, for individuals in regulated entities, intersections with the Financial Accountability Regime. Operational risk is a stated supervision priority, and the regulator has been signalling for two years that it expects the transition to be done on time. An entity that turns up to July with undocumented gaps should expect its next supervisory conversation to be longer and less pleasant.

For suppliers, the consequence is commercial rather than regulatory. The standard requires entities to plan for substituting providers, and the uplift process has forced them to identify alternatives. A supplier who can’t produce security evidence, continuity test results or a subcontractor map is now measurably riskier than one who can, and procurement teams in financial services have a fresh mandate to act on that difference.

One more thing about 1 July

This deadline shares its date with two others we’ve covered recently: the Microsoft 365 price rises that take effect 1 July, and the start of AML/CTF Tranche 2 obligations for lawyers, accountants and real estate professionals. If your budget and compliance calendars are converging on the same fortnight, you’re not alone, and it’s a good argument for getting the CPS 230 items that depend on other people, like contract signatures and scheduled tests, locked in this month rather than during the EOFY crush.

Your pre-1 July checklist

Each action, with the timing for a regulated entity and for a supplier to one:

  • Reconcile MSP register against signed agreements. Regulated entity: this week. Supplier: not applicable.
  • Document gaps, interim controls and remediation dates. Regulated entity: before 30 June. Supplier: where uplift is in flight.
  • Sign or escalate outstanding uplift deeds. Regulated entity: before 30 June. Supplier: respond within days, not weeks.
  • Complete BCP and scenario exercise (non-SFIs). Regulated entity: before 30 June. Supplier: have your own continuity evidence ready.
  • Tabletop the 72-hour and 24-hour notifications. Regulated entity: this month. Supplier: test your client-notification process.
  • Map dependencies, including fourth parties. Regulated entity: this month. Supplier: this month.
  • Review insurance against new contractual liability. Regulated entity: recommended. Supplier: strongly recommended.
  • Verify backup restore times with a live test. Regulated entity: this month. Supplier: this month.

Talk to us before the deadline does the talking

We support both sides of this equation: smaller regulated entities that need their technology environment, monitoring and recovery capability brought up to what CPS 230 assumes, and the suppliers, from software houses to administrators, who need a credible evidence pack before the next questionnaire lands. Most of the work, from dependency mapping to restore testing to incident-response tabletops, is work a good IT partner should be doing anyway. The deadline just removed the option of doing it later.

If any part of this paper describes your situation, call us on 1300 425 548 or get in touch through our contact page. Three weeks is enough time, if you start this week.
