CPS 230 Has Raised the Bar: Why Third-Party Risk Oversight Is Now a Board-Level Imperative

According to MinterEllison, third-party service providers have become integral to the operations of financial institutions.
But with complexity comes risk and regulatory scrutiny that won’t accept excuses.
Outsourcing isn’t new. It’s a well-established practice that’s delivered genuine business value. However, with APRA’s new CPS 230, which took effect on 1 July 2025, alongside increased scrutiny from ASIC and AUSTRAC, financial institutions must fundamentally reassess their third-party oversight processes.
For boards and executives across both APRA-regulated and non-regulated entities, this represents a critical period demanding renewed diligence and strategic attention.
Why Past Approaches Are No Longer Acceptable
Despite clear expectations set by long-standing standards such as CPS 231 and CPS 234, serious lapses continue to occur. Recent events, including trading outages, cyber breaches, and delayed claims processing, reveal that good policies on paper aren’t enough.
Critical services can no longer be outsourced on a “set and forget” basis, and regulators are no longer willing to tolerate oversight failures.
For service providers to APRA-regulated entities, CPS 230 introduces a significant shift in expectations that directly affects contractual obligations, operational resilience, and risk management practices.
You’re now officially part of the regulatory ecosystem. Not getting it right can have significant consequences.

What’s Actually Changed Under CPS 230
APRA’s new CPS 230 standard raises the bar for operational risk and third-party management requirements. It expands oversight expectations beyond traditional outsourcing to cover all material service providers and those whose failure could affect critical operations.
The standard now requires institutions to:
- Understand their critical processes and where third and fourth parties play a role
- Maintain a register of material providers that’s actually kept current
- Set clear risk tolerances and incident notification thresholds
- Strengthen board and executive accountability and oversight with named individuals responsible
ASIC is watching. Its Key Issues Outlook 2025 flags operational resilience and third-party cyber vulnerabilities as top risks. Recent enforcement actions have made it very clear: institutions cannot hide behind vendors. If harm occurs, ASIC, APRA, or AUSTRAC will hold the licensee accountable, particularly where oversight was weak, documentation was poor, or assurance relied too heavily on the vendor’s word.
Why Oversight Still Fails (And What That Means for Your Organisation)
So why are organisations still getting it wrong? Five key issues stand out:
1. Set-and-Forget Oversight
You’ve completed due diligence but don’t conduct regular reviews. Relationships and oversight get delegated down to business units, and risks go unnoticed until it’s too late. By then, the damage is done.
2. Blind Trust in Vendor Reports and Attestations
Many firms rely on vendor self-assessments, audit certificates, or performance dashboards without independently verifying controls. This has proven especially risky in areas like cybersecurity and data destruction, where vendors may be reporting what they think you want to hear rather than the full picture.
3. Failure to Classify Critical Providers
Without a clear and up-to-date register of material service providers, it’s easy for high-risk vendors to fly under the radar. If you don’t know who’s critical, you can’t manage the risk appropriately.
4. Limited Visibility Into Fourth Parties
Complex supply chains make oversight difficult. Organisations often don’t know who their vendors are relying on until a failure occurs. Your vendor’s vendor becomes your problem, but only after the incident.
5. Weak Governance and Unclear Accountability
Oversight roles are often fragmented across procurement, IT, legal, and risk. Without senior ownership and board challenge, issues don’t get the attention they require until they’re on the front page.
What If You’re Not APRA-Regulated But Provide Services to Entities That Are?
Even if you’re not APRA-regulated, if you provide critical services to entities that are, you must meet key contractual obligations. Reporting and information must be timely and transparent, and services must be delivered without disruption. Achieving this requires getting the right infrastructure in place, and doing so also makes good commercial sense.
More specifically, service providers should:
- Understand the significance of the relationship between yourself and the procurer and acknowledge that you’re part of their regulatory compliance
- Understand the services you’re contracted to provide and the service levels you’re expected to meet
- Appoint a single executive as accountable for the relationship, delivery of services, and escalation of issues
- Build information channels and reporting mechanisms to easily track, monitor, and report on performance against standards
- Understand the risks in service delivery and ensure you have appropriate controls and measures in place to manage them
- Understand where you rely on others to provide services, and where you do, define your expectations, reporting requirements, and timeframes
- Ensure risk and compliance activities test and monitor controls and measures in place to manage risk
- Define how risks are communicated and escalated to your board and governing committees
- Define and communicate the escalation process, including timeframes, should there be an issue or breakdown
- Consider what you could proactively provide to give the contractor comfort that the right measures are in place (independent testing, internal audit reviews)
- Where you know there are weaknesses, be upfront with the plan to address and remediate them
What Institutions Should Be Doing Now to Demonstrate CPS 230 Compliance
As the new CPS 230 becomes embedded and operationalised, here are practical actions boards and management should consider:
Move From Onboarding to Lifecycle Oversight (And Don’t Forget to Safely Offboard)
Conduct regular risk assessments. Monitor for changes in provider ownership, performance, security posture, and sub-outsourcing. Additionally, don’t forget to offboard properly. Organisations often invest heavily upfront, but offboarding doesn’t receive the same attention, leaving them open to data, privacy, resilience, and regulatory issues even as relationships dissolve.
Test Assurance, Don’t Just Accept It
Run your own reviews, including penetration tests, mystery shopping, spot checks, and contingency drills, especially for high-risk vendors. Integrate vendor KPIs into enterprise risk reporting. If a vendor can’t provide evidence beyond certificates and self-attestations, that’s a red flag.
Elevate Governance, Accountability, and Third-Party Reporting
Assign clear executive responsibility for third-party oversight. Oversight roles are often fragmented across procurement, IT, legal, and risk. Clarity around ownership and detailed, regular vendor risk reporting at the board or risk committee level is paramount to success.
Scenario Test on an Ongoing Basis
The nature and extent of services from providers can change quickly as business needs evolve. Have robust exit strategies and contingency plans in place, and test scenarios in which a vendor goes offline or breaches a contract. Know how long you can operate without them and how you’d respond.
Reframe Oversight as Cultural, Not Just Contractual
Third-party risk must be owned across the enterprise. Procurement, legal, technology, and frontline staff all play a role. Embed a culture of “trust but verify” and invest in training to lift awareness and accountability.
Seek Assurance Where Required
Engage internal audit or, where necessary, independent parties to test the control framework. External validation provides credibility with regulators and boards.
2025 Is a Defining Year
CPS 230, the Financial Accountability Regime, and rising cyber threats mean institutions can no longer treat third-party oversight as a back-office compliance task. It’s now front and centre and on the regulator’s radar.
Strong oversight requires investment and discipline. But it also protects against the costliest risks. Boards and executives must view third-party oversight not just as a regulatory obligation, but as a strategic lever to safeguard operational resilience and institutional reputation.
Organisations that aren’t APRA-regulated but are considered critical service providers are not immune to the impacts of these changes. You also need to be prepared and have the right controls and measures in place to satisfy your contractual obligations; getting it wrong can impact you commercially and reputationally.
After all, in a financial system built on trust, someone else’s mistake is still your responsibility.
How Ikara Makes CPS 230 Compliance Manageable (Not Just Possible)
The challenge with CPS 230 is having the visibility and systems to monitor across dozens or hundreds of service providers, which is where most organisations struggle, and where Ikara delivers tangible value.
Ikara’s platform provides executives and boards with unified, real-time visibility across your entire digital supply chain in a single dashboard. Instead of chasing reports from different teams, trying to consolidate spreadsheets, or discovering gaps during regulatory reviews, you get continuous monitoring that makes CPS 230 compliance operationally achievable.
With Ikara, your third-party oversight provides:
- Real-time visibility into your material service provider register
- Continuous monitoring of vendor performance against risk tolerances
- Evidence of ongoing assurance activities beyond vendor attestations
- Clear accountability and escalation pathways for third-party issues
- Proactive identification of fourth-party risks in your supply chain