Fourth-party risk: your vendor's vendors

Issue 4 | 27 May 2026

CPS 230's service provider management policy requirement (paragraphs 47 and 48 in the current standard, renumbered when the amendments take effect on 1 July 2026) obliges every regulated entity to set out its approach to managing risks associated with fourth parties that material service providers rely on to deliver a critical operation. CPG 230, finalised in June 2024, retains a single sentence on the topic: take reasonable steps to know who those fourth parties are. The 30 April 2026 targeted amendments did not change this obligation. The 1 July 2026 contract uplift deadline applies to all material service provider arrangements.

The Inside Brief is weekly intelligence built for the institutions and service providers reading the same standard from opposite sides of the contract , founding offer at A$49/month, never increases for the life of your subscription, closes 14 June: theinsidebrief.com/upgrade.

A pattern is now visible across CPS 230 readiness work: institutions are reading the final CPG 230 as a relaxation of the fourth-party obligation. It is not.

When APRA finalised CPG 230 in June 2024, it removed the prescriptive examples that had appeared in the consultation draft. Out went the explicit expectations of due diligence on material fourth parties, contractual provisions requiring material service providers to disclose them, and assurance from MSPs that they have the capability to manage them. What remained was a single line: regulated entities should take reasonable steps to know who the fourth parties are that an MSP relies on in delivering a critical operation.

That looked like relief. Industry read it as relief. In practice, the substantive obligation in CPS 230 itself never moved. The service provider management policy must address the entity's approach to managing risks associated with any fourth parties that material service providers rely on to deliver a critical operation. APRA's published Response to Submissions on CPG 230 acknowledged the commercial difficulty industry had raised, and reinforced the expectation anyway. The 30 April 2026 targeted amendments tightened the non-traditional service provider exemption space and changed nothing about fourth parties.