Issue 2 | 13 May 2026

REGULATORY UPDATE

On 30 April 2026, APRA published two documents that together reshape the compliance landscape for technology service providers. First, finalised amendments to CPS 230 introducing limited exemptions from contractual requirements for non-traditional service providers such as central banks and clearing houses. Technology vendors are explicitly outside the exempt categories. Second, an industry letter on artificial intelligence identifying third-party supplier risk as the area of greatest governance concern, with contractual arrangements across the AI supply chain lagging practice. Both take effect alongside the 1 July 2026 compliance deadline.

THE BRIDGE

The CPS 230 Service Provider Readiness Kit is built for exactly this review. What banks check, what the standard requires, and how to prepare before the request lands. Coming soon at theinsidebrief.com.


THE BANK'S VIEW

On 30 April 2026, APRA finalised targeted amendments to CPS 230, effective 1 July 2026. The changes introduce limited exemptions from specific contractual requirements for material arrangements with non-traditional service providers. Central banks. Clearing and settlement facilities. Payment system operators. Government agencies.

The categories that qualify are listed in the new Attachment to CPS 230. Technology vendors are not on it.

For every fintech, SaaS provider, cloud platform, and managed service provider that supports critical operations at a regulated institution, the non-traditional service provider (NTSP) exemption removed the last ambiguity. Full CPS 230 contractual compliance applies. The deadline for pre-existing arrangements is 1 July 2026 or next contract renewal, whichever comes first.

The practical consequence is that business continuity plan reviews for technology service providers are accelerating. CPS 230 requires regulated entities to maintain BCPs that set out how critical operations would continue within board-approved tolerance levels. Where a service provider supports a critical operation, the entity must be satisfied that the provider's own continuity arrangements are adequate. That means vendor BCPs are now being opened and read against a specific set of requirements.

The pattern that catches vendors out is consistent across the sector.

First: currency. CPS 230 requires BCPs to be regularly reviewed and updated. When a vendor's plan references infrastructure that no longer exists, personnel who have left the company, or recovery sites no longer under contract, it signals that the document was created for a past compliance exercise and never maintained.

Second: alignment. Under CPS 230, tolerance levels are set by the regulated entity's board for each critical operation. A vendor's recovery time objective must align to those tolerance levels. If the bank's approved tolerance for a critical operation is four hours and the vendor's RTO is twenty-four, that is a gap requiring escalation, not a negotiation.
