APRA CPS 230: AI Vendors as Material Providers | TLY

AI Regulation Tracker  /  Prudential standard

APRA finalizes CPS 230 amendments, declines to exempt IT and cloud vendors as material providers

APRA released final targeted amendments to CPS 230 on April 30, 2026, adding narrow exemptions for seven categories of service providers. It refused to exempt information technology and cloud providers, so banks, insurers, and super trustees must keep contracting for and assuring the technology and AI vendors behind their critical operations.

APRA finalizes CPS 230 amendments, declines to exempt IT and cloud vendors as material providers regulation briefing
The Leveraged Years AI Regulation Tracker

The Australian Prudential Regulation Authority released final targeted amendments to Prudential Standard CPS 230 Operational Risk Management on April 30, 2026, alongside updated guidance in CPG 230 and a revised Material Service Provider Register template. The amendments commence on July 1, 2026. For the banks, insurers, and superannuation trustees APRA supervises, the most consequential part of the package is not what APRA changed, but what it refused to change. Industry had asked APRA to lift information technology and cloud providers out of the material-service-provider contracting regime. APRA said no.

What the amendments actually do

The final amendments are narrow. They add limited exemptions from specific contractual requirements for seven categories of provider where APRA accepted that entities face a structural inability to negotiate bespoke terms. Those categories are government agencies, regulators, central banks, financial market exchanges, operators of clearing and settlement facilities, operators of payment systems and schemes, and financial messaging infrastructures. APRA also updated CPG 230 to explain how entities should treat these exempt arrangements and revised the register template so entities can classify an arrangement as exempt. The exemptions apply where the arrangement uses standardised terms or is not documented in a formal agreement.

Why technology and AI vendors stay in scope

APRA received submissions asking it to extend the same relief to information technology and cloud infrastructure, communications providers, and digital wallet providers. It declined. In its response, APRA said the exemptions are reserved for types of provider where there is a universal contract gap and an inability to negotiate bespoke terms. Commercial technology vendors, in APRA's view, do not fit that description. The practical effect is that a bank, insurer, or superannuation trustee relying on a cloud platform, a software vendor, or an AI model provider for a critical operation is dealing with a material service provider, and the full weight of CPS 230 applies to that relationship.

That is where the AI question becomes concrete. CPS 230 requires a regulated entity to identify its critical operations, understand the providers those operations depend on, and hold contracts that let the entity manage the operational risk of relying on an outside party. When the outside party supplies an AI model, the entity is contracting for behaviour it often cannot inspect directly, including model performance, resilience, security, and the risk of biased or unstable outputs. The standard does not name artificial intelligence. It reaches AI through the material-service-provider definition, and the April 30 amendments left that reach intact for technology vendors.

The consequence for procurement and operational risk teams is practical. An entity that cannot independently verify how a vendor's model behaves has to obtain that assurance by contract instead, through service levels, audit and information rights, incident reporting, and the ability to test resilience. CPS 230 also requires entities to notify APRA of material service provider arrangements and to be able to substitute or exit a provider without unacceptable disruption. For a proprietary AI model with no ready equivalent, that exit and substitution expectation is one of the harder questions the standard puts to a regulated firm.

What the amendments do not do

The amendments are not an AI rulebook. APRA did not publish AI-specific model-assurance requirements, bias-testing mandates, or definitions of artificial intelligence in this package, and readers should not treat the amendments as if it had. The AI relevance is a consequence of scope, not a new AI standard. The obligation on entities flows from CPS 230's existing requirements for material service providers, which now clearly continue to cover technology and AI suppliers because APRA declined to carve them out. Any framing that describes these amendments as a dedicated AI directive would overstate what APRA did.

The timeline entities are working against

CPS 230 commenced on July 1, 2025. APRA gave transitional relief for pre-existing material arrangements, which must comply by the earlier of the next contract renewal date or July 1, 2026. That transition window closes on the same day the targeted amendments take effect. Entities that assumed a technology or cloud vendor might fall outside the regime, or into one of the new exemptions, now have a clear answer and little time. The vendor stays in, and the contract must meet the standard.

For a United States reader, CPS 230 does not bind US firms at home, but it binds the Australian operations of global banks and insurers, and it signals a supervisory direction that prudential regulators in several markets are moving toward: treating an AI or cloud vendor as an operational-risk exposure that the regulated firm, not the vendor, must own and evidence.

Frequently Asked Questions

What did APRA change in the April 30, 2026 CPS 230 amendments?

APRA finalized targeted amendments that add limited exemptions from specific contractual requirements for seven categories of provider, such as government agencies, central banks, and payment system operators, and it updated CPG 230 and the Material Service Provider Register template. The amendments commence July 1, 2026.

Who is affected by these amendments?

APRA-regulated banks, insurers, and superannuation trustees, plus the technology, cloud, and AI vendors that supply their critical operations. APRA declined to exempt information technology and cloud providers, so those vendors remain material service providers under CPS 230.

Do the amendments create new AI-specific rules on model performance or bias?

No. APRA did not publish AI-specific model-assurance or bias requirements here. AI vendors are captured because they fall within CPS 230's material-service-provider definition, which the amendments left in place for technology suppliers, not because APRA issued a separate AI standard.

What is the deadline for existing vendor contracts to comply?

CPS 230 commenced July 1, 2025, and pre-existing material arrangements must comply by the earlier of the next contract renewal date or July 1, 2026. The targeted amendments take effect on July 1, 2026.

Browse the full AI Regulation News tracker

Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.