CPS 230 vendor deadline · 1 July 2026

Selling to an Australian bank?
You’re now a CPS 230 service provider.

From 1 July 2026, APRA-regulated banks must hold compliant contracts and resilience evidence for the vendors supporting their critical operations. We wrote the checklist of what they’ll require of you, so their due diligence stops blocking your deals.

You don’t have to be APRA-compliant. You do have to prove you’re well-governed.

During procurement, banks now assess your operational resilience: control-testing results, business-continuity evidence, a nominated risk contact, subcontractor (fourth-party) visibility, and contract terms that satisfy the standard. Most small and mid-size vendors have none of this packaged, so deals stall right at the assurance step.

The work, done for you.

The evidence banks expect

Exactly what resilience and control evidence you’ll be asked to produce during due diligence.

The 7 mandatory clauses

The contract terms CPS 230 requires in material-service-provider arrangements, in plain English.

From the bank’s side of the table

We ran vendor assurance inside Tier-1 banks, so this reflects what reviewers actually check.

Get the plain-English guide.

Free guide

CPS 230 for Vendors: 2026 Readiness Checklist

What APRA-regulated banks will require of you as a material service provider by 1 July 2026: the evidence, the contract clauses, and the gaps to close first.

  • Are you a “material service provider”? The test
  • The evidence pack banks expect during due diligence
  • The 7 mandatory contract clauses explained
  • The fastest gaps to close before 1 July 2026

Get the guide

Tell us where to send it. No spam, just the guide and the occasional useful update on the 2026 rules. Unsubscribe anytime.