What CPS 230 requires for AI

CPS 230 consolidates CPS 231 and CPS 232 into a comprehensive operational risk framework. AI systems used in material business processes — credit assessment, fraud detection, underwriting, customer service at scale — are subject to the standard's operational resilience requirements. For each material business process, entities must set a disruption tolerance, identify critical resources (including AI systems), maintain resilience, and test it through scenario planning.

Material service providers: third-party AI

APRA requires entities to identify which AI providers are material; conduct due diligence before engagement and periodically thereafter; maintain contractual provisions, including audit rights, adequate incident notification requirements, and adequate liability provisions; and have transition and exit plans. The AI provider's own operational resilience must also be assessed.

Board accountability

Boards must approve the Operational Risk Management framework and receive regular reporting on operational risk, including AI incidents. Key questions boards must answer: Which AI systems are critical to material business processes? What are our disruption tolerances? What is our plan if a critical AI system fails? What is our third-party AI provider exposure?