This article is currently available only in English.
What Is APRA CPS 230? How Operational Resilience Requirements Apply to AI Systems
APRA's CPS 230 Operational Risk Management standard (effective July 2025) applies to all APRA-regulated entities and has significant implications for AI governance — particularly for material business processes, third-party AI, and AI incident response.
Key Takeaways
CPS 230 (effective 1 July 2025) applies to all APRA-regulated entities: ADIs, general and life insurers, private health insurers, and RSE licensees — replacing CPS 231 and CPS 232.
Boards and senior management must actively own operational risk management, including AI risk. Boards must approve the Operational Risk Management framework, which must address AI as a material operational risk.
Material service provider provisions apply to third-party AI providers. Entities must identify material AI providers, conduct due diligence, and maintain contractual audit rights and incident notification requirements.
AI systems used in material business processes — credit decisioning, underwriting, fraud detection at scale — trigger CPS 230's most stringent operational resilience requirements.
CPS 230 requires disruption tolerance settings for material business processes. If an AI system is a single point of failure for a material process, adequate redundancy or board-approved tolerance is required.
APRA expects regulated entities to have conducted a comprehensive self-assessment against CPS 230 by its effective date in July 2025.
"For informational purposes only. This article does not constitute legal, regulatory, financial or professional advice. Consult a qualified specialist for specific guidance."
What CPS 230 is and who it applies to
Prudential Standard CPS 230 Operational Risk Management came into force on 1 July 2025. It applies to all APRA-regulated entities — authorised deposit-taking institutions (ADIs, including banks and credit unions), general insurers, life insurers, private health insurers, and registrable superannuation entity (RSE) licensees. CPS 230 replaces two previous standards: CPS 231 (Outsourcing) and CPS 232 (Business Continuity Management), consolidating and significantly strengthening their requirements into a single cross-industry standard.
The core purpose of CPS 230 is operational resilience — ensuring that APRA-regulated entities can continue to deliver critical operations and meet their obligations even under severe disruption. APRA's final targeted amendments to CPS 230, released on 30 April 2026, introduced limited exemptions from specific contractual requirements for material arrangements with certain non-traditional service providers (such as central banks and clearing and settlement facilities) where contractual compliance is not practicable.
How CPS 230 applies to AI systems
CPS 230 does not contain AI-specific provisions. Instead, it applies to AI through its operational risk, business continuity, and third-party risk frameworks. An AI system that supports a critical operation — credit assessment, fraud detection, claims processing, investment management, customer service — is subject to CPS 230's full requirements for that operation. The key obligations that directly capture AI use are:
Operational risk management framework. Entities must design, implement, and embed internal controls to mitigate operational risks in line with their risk appetite. For AI systems, this means controls over model risk, data quality, algorithmic bias, and system failures. Controls must be regularly monitored, reviewed, and tested for both design and operating effectiveness.
Critical operations identification. Entities must identify their critical operations — those whose disruption would materially affect their ability to meet obligations to beneficiaries, policyholders, or depositors, or cause broader financial system harm. AI systems embedded in critical operations must be included in operational resilience planning, with defined tolerance levels for maximum acceptable disruption.
Business continuity planning (BCP). Entities must maintain documented BCPs that address severe but plausible disruption scenarios. For AI-dependent critical operations, this includes scenarios where the AI system fails, produces systematically wrong outputs, or is unavailable. BCPs must be tested regularly, including through scenario analysis and simulation exercises.
Material service provider (MSP) management. CPS 230 extended third-party risk requirements beyond the previous CPS 231 framework to cover all material service providers — those that support critical operations or expose the entity to material operational risk. AI vendors providing models, platforms, or inference services used in critical operations are material service providers under CPS 230. Entities must: maintain a register of material service providers (submitted to APRA; ADIs, superannuation trustees, and insurers were required to submit registers by 1 October 2025); conduct due diligence before engagement; include specified contractual protections (including audit rights and incident notification requirements); and have documented exit and transition plans.
APRA's April 2026 AI observations and what they mean for CPS 230 compliance
In its letter to industry on artificial intelligence dated 30 April 2026, APRA Executive Board Member Therese McCarthy Hockey set out specific findings from APRA's targeted supervisory engagement with selected large banks, insurers, and superannuation trustees in late 2025. Several findings directly concern CPS 230 compliance in the context of AI:
On supplier risk, APRA found that some entities did not have adequate visibility over their full AI supply chain, including fourth-party dependencies (the service providers of their AI vendors). Entities that use AI vendors built on foundation models from third parties (such as OpenAI, Google, Anthropic, or Microsoft) must map and manage that extended dependency chain under CPS 230's material service provider framework.
On change management and assurance, APRA found a reliance on point-in-time and sample-based assurance methods that are ill-suited to probabilistic models that learn, adapt and drift over time. CPS 230's requirement for regular testing of controls applies to AI systems, but traditional point-in-time testing is insufficient for models that produce non-deterministic outputs and can drift after deployment. APRA expects continuous monitoring and validation rather than periodic review alone.
On incident management, CPS 230's notification requirements apply to AI-related operational risk incidents. Material operational risk incidents must be notified to APRA within 72 hours of the entity becoming aware. Disruptions to critical operations that fall outside the entity's tolerance levels must be notified within 24 hours. An AI system producing systematically wrong outputs at scale in a critical operation is an operational risk incident that may trigger these notification obligations.
What CPS 230 compliance requires in practice for AI
For an APRA-regulated entity using AI in its operations, a structured CPS 230 compliance programme for AI should include:
AI inventory mapped to critical operations. Identify every AI system used in or supporting critical operations. For each, document the operation it supports, its risk classification, and who is accountable for it. APRA found in April 2026 that AI inventories were absent or incomplete at several supervised entities.
Material service provider assessment. For every AI vendor supporting a critical operation, assess whether it meets the definition of a material service provider under CPS 230. If it does, ensure contracts include audit rights, incident notification obligations, adequate liability provisions, and exit/transition terms. Review subcontractor and fourth-party chains.
Tolerance levels for AI-dependent critical operations. Define the maximum acceptable disruption period for each critical operation that relies on AI. These tolerance levels must be board-approved and must be tested through scenario analysis.
Continuous monitoring over point-in-time testing. Replace or supplement periodic model validation with continuous monitoring: real-time performance tracking, drift detection, output sampling, and integration with the security operations centre for AI-specific threat monitoring.
Incident classification and notification procedures. Define what constitutes an AI-related operational risk incident, at what threshold it triggers CPS 230 notification obligations, and who in the organisation has authority to initiate that notification.
Primary sources: APRA CPS 230 Prudential Standard · APRA CPS 234 Information Security