What is CPS 230? An explainer for finance, risk, and AP teams

In summary

CPS 230 is APRA's operational risk standard. While it took effect for most APRA-regulated entities on 1 July 2025, the next phase begins on 1 July 2026, bringing non-significant financial institutions fully into scope and extending requirements to all pre-existing service provider contracts.

For finance, risk, and accounts payable teams, the key takeaway is that payment fraud falls within CPS 230's operational risk framework. APRA, boards, and internal audit teams expect to see effective controls supported by an audit-ready evidence trail, not simply policies on paper.

On this page

  1. What CPS 230 means for finance, risk, and AP teams in 2026
  2. What CPS 230 actually is
  3. Who CPS 230 applies to
  4. What's changing on 1 July 2026
  5. The April 2026 amendments: what they mean for service provider risk
  6. The CPS 230 obligations in plain English
  7. How CPS 230 paragraphs map to operational requirements
  8. Where payment fraud sits inside CPS 230
  9. What good looks like for finance, risk, and AP teams
  10. Frequently asked questions
  11. What to do next

What CPS 230 means for finance, risk, and AP teams in 2026

If you work in finance, risk, internal audit, or accounts payable inside an APRA-regulated entity, CPS 230 is the prudential standard reshaping how you have to document, control, and evidence operational risk: including the risks attached to payments and the third parties you rely on to make them.

The standard took effect for most APRA-regulated entities on 1 July 2025. On 1 July 2026, the next phase begins: the deferred requirements come into force for non-significant financial institutions, every pre-existing service provider contract that has not already been caught at renewal comes within scope, and APRA's April 2026 targeted amendments commence. Smaller funds, insurers, and lenders that were waiting on the deferral now have to operate as if the standard has been in place all along.

For finance and risk teams, the practical question isn't "do we have a policy?" It's whether the controls described in that policy are real, embedded, tested, and producing evidence the board and APRA can read. CPS 230 is principles-based, but the supervisory expectations are operational. Internal audit, the Chief Risk Officer, and APRA's review teams are looking for working controls and audit-grade records, not a document that names the right paragraphs.

This guide walks through what CPS 230 requires, who it applies to, what shifts on 1 July 2026, and where finance, risk, and AP teams should focus between now and then. It is informational rather than legal advice: APRA-regulated entities should validate their interpretation with their own legal, risk, and compliance functions.

What CPS 230 actually is

CPS 230 Operational Risk Management is the prudential standard APRA uses to set its operational risk expectations across the entities it regulates. It replaces and consolidates a suite of earlier standards on business continuity, outsourcing, and operational risk, and it brings the management of service providers, critical operations, and operational risk incidents under a single framework.

The standard is built around three connected obligations.

First, identify, assess, and manage the operational risks the entity faces, end-to-end, including the risks arising from people, processes, systems, and external events. Operational risk in CPS 230 is broader than fraud or cyber, but fraud sits squarely inside the definition.

Second, maintain a credible operational risk management framework. That means a written framework, a working set of internal controls, monitoring and reporting against the controls, and processes for managing service provider arrangements. The framework has to be reviewed regularly, owned by the board, and tested for design and operating effectiveness.

Third, prepare for disruption. CPS 230 introduces the concepts of critical operations, tolerance levels, and business continuity planning that has to be tested against credible severe scenarios. For ADIs, payments, deposit-taking and management, custody, settlements, and clearing are explicitly named as critical operations.

The point of the standard is operational resilience. APRA wants entities to be able to keep operating during disruption, recover quickly when something fails, and demonstrate that the controls protecting critical operations are designed and operating effectively rather than nominally in place.

Who CPS 230 applies to

CPS 230 applies to the full set of APRA-regulated entities. In practice, that covers:

  • Authorised deposit-taking institutions (ADIs), including banks, mutual banks, credit unions, building societies, and foreign ADIs
  • General insurers
  • Life insurers
  • Private health insurers
  • Registrable superannuation entity (RSE) licensees, meaning APRA-regulated super fund trustees
  • Non-operating holding companies (NOHCs) authorised under the relevant Acts

For superannuation funds, insurers, and lenders that fall below the significant financial institution (SFI) thresholds, some requirements (specifically the business continuity and scenario analysis obligations) were deferred until 1 July 2026. From that date, the deferral falls away. A non-SFI is broadly an RSE licensee with assets under A$30 billion, or smaller insurers and ADIs falling below the equivalent thresholds, but every entity should check the precise definition against APRA's published guidance.

Service providers themselves are not directly regulated by CPS 230. The obligation sits with the APRA-regulated entity, which has to manage the operational risks arising from the service providers it uses. This is the part of the standard most directly relevant to AP and procurement teams: every vendor in scope of a material arrangement becomes part of the operational risk picture the board has to oversee.

What's changing on 1 July 2026

Three things change on 1 July 2026, and they matter for different teams.

The first is the end of the non-SFI deferral. From 1 July 2026, all APRA-regulated entities (regardless of size) are subject to the full CPS 230 framework, including the business continuity and scenario analysis requirements that smaller entities had a longer runway on, per APRA's implementation update. Risk and compliance teams inside non-SFIs should already be planning how to evidence those obligations, because the supervisory expectation will be that controls were ready in time, not that they began being built on the commencement date.

The second is the application of CPS 230 to pre-existing service provider contracts. APRA's transitional rule is straightforward: the standard's service provider obligations apply to existing contracts from the earlier of the next renewal date or 1 July 2026. From that point, every material service provider arrangement has to meet CPS 230's contractual, monitoring, and reporting expectations. For procurement, AP, and vendor management teams, the practical implication is that the contract review pipeline through to mid-2026 doubles as a CPS 230 readiness pipeline.

The third is the commencement of APRA's April 2026 targeted amendments to CPS 230 and CPG 230. These were finalised on 30 April 2026 and take effect on 1 July 2026. They don't relax the standard's substantive obligations: they introduce a narrow exemption for certain non-traditional service providers where the standard contractual requirements are not practicable, and they update the Material Service Provider Register template that entities are expected to maintain.

The April 2026 amendments: what they mean for service provider risk

APRA's targeted amendments are widely misunderstood as a loosening of CPS 230's service provider obligations. They aren't.

The amendments introduce a limited exemption from specific contractual requirements (not the substantive risk-management obligations) for material arrangements with categories of non-traditional service providers listed in the Attachment to CPS 230. That list includes government agencies, regulators, central banks, financial market exchanges, operators of clearing and settlement facilities, operators of payment systems and schemes, and financial messaging infrastructures. Where one of these providers uses standardised terms, or the arrangement isn't documented in a formal agreement at all, the regulated entity doesn't have to renegotiate impossible contractual terms.

What the amendments do not do is reduce the expectation that regulated entities actively manage the operational risks arising from these providers. Every other CPS 230 obligation continues to apply: the provider has to be identified, the risks assessed, controls maintained, monitoring in place, and the arrangement included in the Material Service Provider Register. APRA was explicit on this point in its response paper on operational risk management.

For commercial vendors (the suppliers most finance teams interact with day-to-day) nothing has been relaxed. Misdirected payment risk, fraud risk, business continuity dependencies, and concentration risk attached to commercial service providers all sit inside the same framework they did on 30 April 2026.

The CPS 230 obligations in plain English

CPS 230 is principles-based, but the practical obligations cluster around six themes. Most operational issues finance, risk, and AP teams need to evidence map back to one of these.

Operational risk identification and assessment. The entity has to identify the operational risks it is exposed to (across people, processes, systems, and external events) and maintain an operational risk profile that reflects them. Payment fraud, misdirected payments, vendor compromise, and BEC sit inside this profile alongside the more familiar IT, conduct, and process risks.

Internal controls. Controls have to be designed and operating effectively, embedded inside business processes rather than bolted on, and aligned to risk appetite. Effectiveness has to be monitored, tested, and reviewed. Gaps have to be remediated in a timely way. This is the area where finance and AP teams have the most direct visibility, because the controls protecting payments and vendor data run through their workflows.

Operational risk incidents. The entity has to identify, escalate, record, and address operational risk incidents and near-misses. For finance teams, this typically means that an attempted fraud caught at the verification stage is not just an AP issue: it is a recordable operational risk event that feeds the risk profile.

Critical operations and tolerance levels. Critical operations are the activities the entity cannot afford to lose. For ADIs, payments, deposit-taking, custody, settlements, and clearing are explicitly named. For each critical operation the entity has to set tolerance levels (the maximum period of disruption it would tolerate, the maximum extent of data loss it would accept, and the minimum service level it would maintain during a disruption) and prove that controls and continuity arrangements support those tolerances.

Service provider risk management. Material arrangements with service providers have to be identified, risk-assessed, and actively managed. The entity has to maintain a Material Service Provider Register, monitor service provider performance and risk against documented criteria, and report regularly to the board on material exposures.

Governance, reporting, and audit. The board owns the framework. Senior management is accountable for day-to-day execution. Internal audit has to provide independent assurance. Reporting to APRA and to the board has to be substantive: not just policy attestation, but evidence of how controls are operating in practice.

How CPS 230 paragraphs map to operational requirements

The table below maps the most relevant CPS 230 paragraphs to what they require in plain English. It is a reference for risk, internal audit, and finance teams working through the standard. References are to Prudential Standard CPS 230 Operational Risk Management as compiled at 1 July 2025. Validate any specific interpretation against APRA's published handbook and your own legal advice.

Paragraph | Theme | What APRA requires
Para 13 | Key principles | Identify, assess, and manage operational risks arising from inadequate or failed internal processes or systems, the actions or inactions of people, or external drivers and events.
Para 16 | Risk management framework | Maintain internal controls that are designed and operating effectively, monitor and report on operational risks, and operate processes for managing service provider arrangements.
Para 27 | Risk profile and assessment | Maintain effective information systems to monitor operational risk and document the processes, resources, risks, and controls supporting critical operations.
Para 29 | Operational risk controls | Design, implement, and embed internal controls to mitigate operational risks in line with risk appetite and meet compliance obligations.
Para 30 | Control effectiveness | Regularly monitor, review, and test controls for design and operating effectiveness; report results to senior management; remediate gaps in a timely manner.
Para 32 | Incidents and near-misses | Identify, escalate, record, and address operational risk incidents and near-misses promptly.
Para 36(a) | Critical operations (ADIs) | Classify payments, deposit-taking and management, custody, settlements, and clearing as critical operations.
Paras 49 and 56 | Material service provider risks | Identify and manage material risks arising from service provider arrangements, including risks that could result from the arrangement itself.
Para 58(b) | Monitoring service providers | Regularly assess the effectiveness of controls managing service provider risks.

The mapping is deliberately abstract. CPS 230 doesn't prescribe technologies or workflows: it sets the obligations and leaves entities to decide what good looks like inside their own operating model. The practical translation is the work risk, finance, and internal audit teams have in front of them between now and 1 July 2026.

Where payment fraud sits inside CPS 230

This is the part that often gets missed in CPS 230 readiness work.

Payment fraud is not a separate compliance regime running parallel to operational risk. Inside CPS 230, it is operational risk, and it sits inside multiple obligations at once.

It is an internal process failure risk under paragraph 13. The risk that a payment is made to the wrong account, because a vendor's email was compromised or a fraudster impersonated a senior executive, is exactly the kind of process-and-people risk paragraph 13 names.

It is a service provider risk under paragraphs 49 and 56. Every commercial vendor an entity pays is a service provider in the CPS 230 sense, even though only material arrangements go on the Material Service Provider Register. If a vendor's identity or banking details can be impersonated or modified, the entity carries the misdirected payment risk, regardless of who made the original mistake.

It is a critical operations risk under paragraph 36(a) for ADIs. Outgoing payments sit inside the critical operations definition. A successful fraud doesn't just produce a loss: it can be a disruption event the entity has to manage within its tolerance levels.

It is a recordable incident under paragraph 32. APRA expects operational risk incidents and near-misses to be identified, escalated, and addressed. A blocked or detected payment fraud attempt is a near-miss the risk team needs visibility on.

It is a control effectiveness obligation under paragraphs 29 and 30. The controls protecting payments have to be designed effectively, embedded in the workflow, monitored, and tested. A control that only operates when an AP officer manually decides to apply it isn't embedded.

For finance, risk, and AP teams, the working implication is that "payment fraud prevention" is no longer a discretionary good-practice initiative. It is the documented treatment for one of the operational risks the entity has to manage under the prudential standard, and the evidence has to be there when internal audit or APRA asks.

The scale of the risk is real. Eftsure's 2026 Australian payment security research, drawing on a survey of 1,015 Australians, found that 52% had experienced a fraud attempt in the past 12 months and 90% believed AI-generated scams are harder to detect than traditional ones. 91% did not believe senior business leaders adequately understand how modern payment fraud occurs. None of those findings is flattering for the governance side of CPS 230: APRA is asking boards to oversee a risk that, on the available evidence, most leadership teams don't yet fully understand.

The broader architecture finance teams are increasingly using to meet these obligations is continuous controls for outgoing payments: automated, multi-layered verification embedded inside the AP workflow rather than running alongside it. The model maps directly onto the embedded-control and effectiveness-testing expectations in paragraphs 29 and 30.

What good looks like for finance, risk, and AP teams

CPS 230 doesn't prescribe what a good control looks like. It does set the operational test: is the control designed and operating effectively, embedded in the process, monitored, and supported by evidence the entity can produce on demand?

Inside an APRA-regulated entity, that test usually translates into a small number of practical questions. The answers shape what readiness work needs to happen between now and 1 July 2026.

The first question is whether payment fraud risk is named and treated on the operational risk register. Naming it matters: a generic "fraud risk" line doesn't tell internal audit or APRA what the entity is doing about misdirected payments, vendor impersonation, or BEC specifically. The risk has to be named at the level it operates, and the documented treatment has to map to a real control rather than a policy statement.

The second question is whether the controls are embedded in the AP workflow rather than running alongside it. Manual callbacks, ad hoc bank-detail verifications, and one-off vendor onboarding checks are not embedded controls in the CPS 230 sense. An embedded control fires every time the relevant event occurs (a new vendor, a bank-detail change, a payment release), and produces a timestamped record without anyone having to remember to do so. This is the model finance leaders increasingly describe as continuous controls: automated, multi-layered, and producing evidence as a by-product of running.

The third question is whether control effectiveness is being monitored and tested. Paragraph 30 expects regular monitoring, testing, and reporting. For payment controls, that means more than counting how many payments went out: it means tracking how many anomalies the control surfaced, how many were resolved as genuine, and how the control performed over time. The data has to be available to senior management and to internal audit.

The fourth question is whether near-misses are being captured. An attempted fraud that the control stopped is not just an AP team success: under paragraph 32, it is an operational risk near-miss that has to be recorded and assessed. Entities that only log incidents where money was lost are systematically under-reporting against the standard.

The fifth question is whether the service provider population (every vendor the entity pays) is being managed as a CPS 230 service provider population. That means the Material Service Provider Register reflects the full picture of material arrangements, the risks attached to each are assessed, monitoring is in place, the contract renewal pipeline is on track for the 1 July 2026 transitional cut-off, and the vendors that fall below the materiality line are still assessed for misdirected payment risk under paragraph 13.

The sixth question is whether the evidence the entity needs (per-transaction records, control effectiveness reports, exception logs, the MSP Register itself) is produced as a by-product of the controls running, not assembled retrospectively for an audit. Retrospective evidence is brittle. Continuous evidence is what APRA, the board, and internal audit are increasingly expecting to see.

None of these questions are new for entities that already had mature operational risk programmes. For non-SFIs coming fully into scope on 1 July 2026, they are the readiness checklist.
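As an added illustration of the pattern the six questions above describe (this is not Eftsure's product code, nor anything published by APRA or in CPS 230), the Python below shows what an embedded control with a continuous evidence trail looks like in the small: it runs on every vendor onboarding, bank-detail change and payment release, blocks or holds payments on layered checks, records a blocked payment as a near-miss, writes a timestamped hash-chained record as a by-product of running, and produces the effectiveness counts paragraph 30 asks for. The vendor names, the event timeline, the 14-day change window, the A$50,000 review threshold and the "verified by callback" model are constructed assumptions, not anything the standard prescribes.

```python
"""Embedded outgoing-payment control with a hash-chained evidence trail. Added illustration
(not Eftsure's or APRA's code); vendors, timeline, window and threshold are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import hashlib
import json

GENESIS = "0" * 64

def _digest(record: dict) -> str:
    # Canonical JSON so an identical record always produces the same hash.
    return hashlib.sha256(json.dumps(record, sort_keys=True, default=str).encode()).hexdigest()

@dataclass
class EvidenceLog:
    """Append-only records, each committing to the previous hash: a record edited or dropped later fails verify()."""
    entries: list = field(default_factory=list)

    def append(self, record: dict) -> dict:
        body = {**record, "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS}
        body["hash"] = _digest(body)
        self.entries.append(body)
        return body

    def verify(self) -> bool:
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev_hash"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

@dataclass
class Event:
    ts: datetime
    kind: str  # "vendor_onboarded" | "bank_detail_change" | "payment_release"
    vendor: str
    data: dict = field(default_factory=dict)

class PaymentControl:
    """Fires on every event, so an AP officer cannot skip it; on a payment it layers four checks (assumed values)."""

    def __init__(self, log: EvidenceLog, change_window=timedelta(days=14), review_threshold=50_000):
        self.log, self.change_window, self.review_threshold, self.vendors = log, change_window, review_threshold, {}

    def ingest(self, event: Event) -> dict:
        if event.kind == "payment_release":
            flags, decision = self._assess(event)
        else:  # onboarding or bank-detail change; "verified" = confirmed out of band (callback to a number on file)
            self.vendors.setdefault(event.vendor, {}).update(
                bank_changed=event.ts, verified=event.data.get("verified", False))
            flags, decision = [], "recorded"
        # The timestamped record is written whatever the outcome, as a by-product of the control running.
        return self.log.append({"ts": event.ts, "event": event.kind, "vendor": event.vendor,
                                "amount": event.data.get("amount"), "flags": flags, "decision": decision})

    def _assess(self, event: Event):
        vendor = self.vendors.get(event.vendor)
        if vendor is None:
            return ["unknown_vendor"], "blocked"
        flags = []
        if not vendor["verified"]:
            flags.append("unverified_bank_details")
        if event.ts - vendor["bank_changed"] < self.change_window:
            flags.append("recent_bank_change")
        if event.data.get("amount", 0) >= self.review_threshold:
            flags.append("above_review_threshold")
        if "unverified_bank_details" in flags:
            return flags, "blocked"  # a stopped payment is a recordable near-miss (para 32)
        return flags, ("held_for_review" if flags else "released")

    def effectiveness_report(self) -> dict:
        # Para 30-style numbers: how often the control fired and what it surfaced.
        payments = [e for e in self.log.entries if e["event"] == "payment_release"]
        count = lambda decision: sum(1 for e in payments if e["decision"] == decision)
        return {"payments_assessed": len(payments),
                "flagged": sum(1 for e in payments if e["flags"]),
                "blocked_near_misses": count("blocked"),
                "held_for_review": count("held_for_review"),
                "released_clean": count("released")}

T0 = datetime(2026, 5, 1, tzinfo=timezone.utc)
SAMPLE_EVENTS = [  # constructed timeline, not real vendors or transactions
    Event(T0, "vendor_onboarded", "Acme Stationery", {"verified": True}),
    Event(T0 + timedelta(days=40), "payment_release", "Acme Stationery", {"amount": 1_200}),
    Event(T0 + timedelta(days=41), "bank_detail_change", "Acme Stationery", {"channel": "email", "verified": False}),
    Event(T0 + timedelta(days=42), "payment_release", "Acme Stationery", {"amount": 85_000}),
    Event(T0 + timedelta(days=43), "bank_detail_change", "Acme Stationery", {"channel": "callback", "verified": True}),
    Event(T0 + timedelta(days=44), "payment_release", "Acme Stationery", {"amount": 85_000}),
    Event(T0 + timedelta(days=45), "payment_release", "Unknown Pty Ltd", {"amount": 500}),
]

def run_sample():
    control = PaymentControl(EvidenceLog())
    decisions = [control.ingest(event)["decision"] for event in SAMPLE_EVENTS]
    return decisions, control.effectiveness_report(), control.log
```

Running run_sample() on the constructed timeline releases the routine payment, blocks the payment that follows an email-only bank-detail change (a near-miss, with all three flags on the record), holds the post-callback payment for review because the change is still inside the window and the amount is above threshold, and blocks the payment to a vendor that was never onboarded. The hash chain is what makes the log audit-grade rather than merely a log: changing any stored amount or decision after the fact makes verify() return False, which is the difference between evidence produced as a by-product and evidence assembled retrospectively.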

Frequently asked questions

When does CPS 230 take effect?

The standard took effect on 1 July 2025 for most APRA-regulated entities. Deferred requirements (business continuity and scenario analysis) apply to non-significant financial institutions from 1 July 2026. Pre-existing service provider contracts come within scope from the earlier of next renewal or 1 July 2026. APRA's April 2026 targeted amendments commence on 1 July 2026.

Who is in scope?

CPS 230 applies to ADIs (including foreign ADIs), general insurers, life insurers, private health insurers, RSE licensees, and authorised NOHCs. Service providers used by these entities are not directly regulated, but the obligations on the regulated entity flow through into how those service providers have to be managed.

Is CPS 230 only about service providers?

No. Service provider risk is one obligation, but the standard also covers operational risk identification, control design and testing, incident management, critical operations, tolerance levels, business continuity, and governance. Payment fraud sits across several of these obligations.

Did the April 2026 amendments make CPS 230 easier?

They narrowed specific contractual obligations for certain non-traditional service providers where the standard contractual terms aren't practicable. The substantive risk-management expectations are unchanged, and APRA was explicit that entities are still expected to actively manage the operational risks arising from these providers.

How does CPS 230 interact with CPS 234?

CPS 234 is APRA's information security standard. CPS 230 is broader: it covers operational risk, including but not limited to information security. The two standards overlap (information security incidents are operational risk events, and information security controls are operational controls) but they are not duplicative.

Where does payment fraud sit in the standard?

Payment fraud is an operational risk under paragraph 13, a service provider risk under paragraphs 49 and 56, a critical operations risk under paragraph 36(a) for ADIs, a recordable incident under paragraph 32, and a control effectiveness obligation under paragraphs 29 and 30. It is not a separate compliance regime.

What evidence does APRA expect?

APRA expects entities to be able to demonstrate that controls are designed and operating effectively. In practice that means timestamped records of control execution, exception logs, monitoring and testing results, MSP Register entries, board reporting, and internal audit findings. Policy documents alone are not evidence.

What should non-SFIs be doing now?

Treating the time left before 1 July 2026 as readiness time rather than transition time. Operational risk frameworks should be in place, controls should be operating and producing evidence, and the contract renewal pipeline should be working through the CPS 230 transitional rule.

What to do next

CPS 230 is principles-based, but the supervisory expectations are operational, and the practical readiness work isn't abstract. Risk and internal audit teams need to walk the operational risk register and confirm that the risks the standard names (process failure, service provider, critical operations, incident management) are addressed at the level they actually operate. Finance and AP teams need to confirm that the controls protecting payments are embedded, monitored, and producing evidence as a by-product of running. Vendor management teams need to work the contract renewal pipeline so that no material arrangement reaches 1 July 2026 without being inside scope.

For the parts of the framework that involve outgoing payments specifically (the operational risk of misdirected payments, the service provider risk attached to commercial vendors, and the control effectiveness obligation under paragraphs 29 and 30) entities have a range of options. Some build the controls internally inside their existing AP and ERP environments. Others use independent payment verification services as a documented control on the operational risk register, with the verification platform providing the per-transaction audit trail. Eftsure is one example of the independent verification approach, with the verification record forming part of the evidence pack risk and internal audit teams can take into board and APRA reporting. There are other approaches, and the right one depends on the entity's size, operating model, and the rest of its operational risk architecture.

For finance, risk, and audit leaders working through how these obligations fit alongside broader anti-fraud strategy and audit readiness, Eftsure's guide to continuous controls for outgoing payments walks through the architecture in detail.

What matters is that the answer to "how are we managing misdirected payment risk under CPS 230?" is a working control with an evidence trail, not a paragraph in a policy.

Author

Shanna Davis

Published

3 Jun 2026

Reading Time

20 minutes
