Because of APRA’s Prudential Standard CPS 230 (‘CPS 230’), regulated entities across the banking, superannuation, investment management, and insurance sectors are intensifying efforts to strengthen operational resilience. For these organisations, the regulation marks a significant shift in how operational risk and third-party dependencies are managed.
CPS 230 requires APRA-regulated entities to:
- Identify and manage operational risks
- Ensure continuity of critical operations
- Govern third-party and fourth-party relationships
- Maintain robust incident response and recovery plans
CPS 230’s material service provider classification
As part of CPS 230, a service provider is classified as ‘material’ when an APRA-regulated entity relies on it to undertake a critical operation, or when the provider exposes the entity to material operational risk.
For banks, superannuation funds, investment managers, and insurers, critical operations typically include customer administration, deposits or withdrawals, claims processing, investment execution, and regulatory reporting. If a SaaS (Software as a Service) provider’s software does not directly support or enable these functions, it may fall outside the scope of CPS 230’s material service provider definition.
In cases where the SaaS platform is used for non-critical functions—such as internal collaboration, document storage, or optional analytics—and where the organisation can continue to operate effectively using manual processes or alternative systems, the reliance on the SaaS is not deemed material. For example, if product disclosure statements or member communications can still be produced manually or via other systems during a disruption, the SaaS does not constitute a single point of failure for a critical operation.
Additionally, CPS 230 allows APRA-regulated entities to exercise judgment in determining materiality, based on the impact of disruption and the availability of alternatives.
If the SaaS provider does not introduce significant operational risk, and its services are not essential to maintaining business continuity within tolerance levels, it may reasonably be excluded from the register of material service providers. This distinction is important for focusing compliance efforts on truly critical dependencies, while maintaining flexibility in managing lower-risk vendor relationships.
Objective’s recommended classification of Objective Keystone
After an in-depth assessment, and considering that our customers use Objective Keystone chiefly to produce product disclosure, Objective Corporation Limited, as a third-party SaaS provider, believes it falls outside the scope of CPS 230’s material service provider definition.
Although Objective Keystone could be considered essential to certain internal business operations, in the unlikely event Objective Keystone is unavailable*, critical updates to product disclosure documents are still achievable. For example, the on-market documents can be sourced from internal repositories or websites and updated manually to ensure current disclosure is available to customers.
Of course, we understand your organisation may take a highly cautionary approach, particularly with CPS 230 being newly introduced, and consider all its third- or fourth-party service providers material service providers.
As outlined in APRA’s Prudential Standard CPS 230 Operational Risk Management guide, entering into more formal arrangements with all service providers necessitates activities that may be neither necessary nor operationally practical, so it’s prudent to assess the role each service provider plays with your organisation to determine an appropriate classification.
*Objective Keystone service is deployed in a highly available fashion as per AWS (Amazon Web Services) architecture best practices to take advantage of an AWS region's set of availability zones (geographically separate data centres). Availability of Objective Keystone: >99.99% over the last 12 months.
Need more information?
You’ll find a range of helpful resources on our website about how Objective protects and supports our customers to mitigate risk.
If you have specific questions or require additional information, please get in touch.