How APRA CPS 230/234 Changes Third-Party Engineering Vendor Selection in Australia

For Australian financial services firms, third-party engineering vendor selection under APRA CPS 230 is no longer a procurement exercise - it is a regulated operational risk function. CPS 230 (Operational Risk Management), effective 1 July 2025, and CPS 234 (Information Security), enforced since 2019, have together reshaped how APRA-regulated entities evaluate, onboard, and oversee external engineering partners. The implication for CTOs and heads of procurement is direct: vendor selection decisions must now withstand prudential scrutiny, and the documentation trail begins long before a contract is signed.

This article is written for technology leaders at Australian banks, insurers, superannuation trustees, and other APRA-regulated enterprises who are evaluating engineering partners for critical or material business operations. The guidance focuses on what must be verified, documented, and enforced - not on generic procurement best practice.

What Are the Six Key Shifts CPS 230 and CPS 234 Introduce for Vendor Selection?

  • Material service providers are now a regulated category: CPS 230 replaces CPS 231 and expands coverage beyond outsourcing. Any arrangement supporting a critical operation or exposing the entity to material operational risk falls in scope, including embedded engineering partners and SaaS providers.
  • Tolerances must be defined before engagement: Boards must approve tolerance levels for disruption of critical operations. Vendor capability to operate within those tolerances becomes a selection criterion, not a post-contract discussion.
  • Information security obligations flow through contracts: CPS 234 requires regulated entities to ensure third parties manage information security commensurate with the sensitivity and criticality of assets held. Contractual assurance and independent verification are both expected.
  • Concentration and geographic risk must be assessed: CPS 230 explicitly calls out concentration risk across service providers and jurisdictions. Offshore and multi-region delivery models require documented risk analysis.
  • Board-level accountability is unambiguous: The board of the regulated entity remains accountable for operational risk outcomes regardless of the delivery model. Vendor selection is a board-visible decision.
  • Notification obligations are tight: CPS 234 requires notification to APRA within 72 hours of a material information security incident - including incidents at third parties. Vendor incident response capability is a gating criterion.

Why Does APRA CPS 230 Expand Beyond Traditional Outsourcing?

CPS 231, the prior outsourcing standard, was drafted for a world where IT delivery meant hosted mainframes and packaged software. That framing no longer fits how Australian financial services firms actually build technology. Core banking modernisation, embedded payments, data platforms, and AI-assisted underwriting now involve a mesh of partners - cloud providers, SaaS vendors, engineering service firms, and specialist implementation teams. CPS 230 reflects that reality by moving from "outsourcing arrangements" to "service provider arrangements" and introducing the concept of material service providers.

The practical consequence is scope expansion. An engineering services firm delivering a regulatory reporting pipeline, a specialist team building identity infrastructure, or a partner providing ongoing feature delivery for a retail banking application can all be material service providers. Selection processes written for staff augmentation arrangements - rate cards, interview loops, time-and-materials contracts - do not meet the evidentiary bar CPS 230 now expects.

Importantly, CPS 230 does not prohibit offshore delivery or embedded engineering teams. It requires that the regulated entity can demonstrate it understands the risks, has selected the partner appropriately, and maintains oversight throughout the relationship. A well-run strategic engineering partner with documented processes is easier to defend than a collection of individually contracted contractors whose accountabilities are diffuse.

What Risk Exposure Do Australian FSI Firms Face Under APRA?

The enforcement posture around CPS 230 and CPS 234 has been made public through APRA's own Corporate Plan and supervisory priorities. APRA has repeatedly identified operational resilience and cyber resilience as strategic priorities (APRA Corporate Plan 2024-25). The risk exposure for regulated entities with weak third-party engineering governance falls into four categories.

First, prudential action. APRA has powers including directions, licence conditions, and in serious cases, disqualification of accountable persons under the FAR (Financial Accountability Regime). Material findings in a CPS 230 supervisory review can translate directly into remediation programs with fixed timelines and board reporting obligations.

Second, incident cost. The OAIC Notifiable Data Breaches Report for July-December 2023 recorded 483 notifications, with the finance sector among the top five reporting sectors. A breach originating at a third-party engineering vendor creates overlapping obligations under CPS 234, the Privacy Act 1988, and where applicable SOCI Act critical infrastructure rules.

Third, concentration and continuity risk. CPS 230 requires regulated entities to maintain the ability to continue critical operations through disruption. A partner lock-in that cannot be exited within the defined tolerance window is itself a finding, independent of any operational failure.

Fourth, reputational risk. Australian FSI incidents involving third-party delivery failures have historically attracted significant public and parliamentary attention. A CTO or Head of Procurement whose selection process cannot be defended in a parliamentary inquiry or royal commission carries personal as well as corporate risk.

How Should Engineering Vendor Selection Be Structured Under CPS 230?

A CPS 230-aligned selection process has five stages, each with documentation requirements that persist for the life of the relationship.

Stage one - criticality assessment. Before vendors are shortlisted, the regulated entity must assess whether the arrangement supports a critical operation, is material under CPS 230, or involves information assets in scope of CPS 234. This classification drives every subsequent control.

Stage two - requirements definition. Technical requirements are written alongside operational risk requirements, information security requirements, and exit requirements. Tolerances for disruption, recovery time objectives, and acceptable data locations are defined up front.

Stage three - due diligence. Evidence is gathered and reviewed. This includes certifications (ISO 27001, ISO 9001, IEC 62443-4-1 where OT-adjacent), SOC 2 reports where available, financial viability evidence, references from comparable engagements, and documentation of sub-contractors and offshore locations. Findings are recorded against the requirements.

Stage four - contracting. Contracts include mandatory CPS 230 and CPS 234 clauses: audit rights, incident notification windows, information security obligations, sub-contracting controls, termination rights, data return on exit, and cooperation with APRA. Template clauses developed by industry bodies are a useful starting point but must be tailored.

Stage five - onboarding and oversight. Selection does not end at signing. The regulated entity establishes ongoing monitoring, periodic reassessment, and incident response integration. CPS 230 explicitly requires ongoing review.

Engineering leaders evaluating partners should expect the selection process to take three to six months for material arrangements. Vendors who cannot provide CPS 230-aligned documentation within normal procurement timelines are unlikely to be sustainable long-term partners. For a deeper view of how structured engagement reduces delivery risk in regulated environments, see our overview of mission-critical engineering services.

What Does a Compliant Engineering Partnership Look Like in Practice?

Consider a mid-sized Australian superannuation trustee modernising its member administration platform. The scope covers member onboarding, contributions processing, and regulatory reporting - clearly a critical operation under CPS 230. The trustee engages an external engineering partner for a multi-year build and run relationship.

Under a CPS 230-aligned selection, the trustee documents that the arrangement is material, requires ISO 27001 and SOC 2 Type II evidence, and defines recovery time objectives for member-facing services of four hours. Offshore delivery is permitted subject to Australian data residency for member records, and sub-contracting is limited to pre-approved entities. Quarterly operational risk reviews are contractually mandated, with defined escalation triggers.

The partner provides an information security management system evidence pack: ISO 27001 certificate and statement of applicability, penetration testing summaries, vulnerability management metrics, incident response runbooks, and named security contacts. Engineering process evidence includes traceability from requirements through test cases to deployment records, code review standards, and change management gates.

When APRA conducts a thematic review of operational risk management twelve months later, the trustee presents the selection file, ongoing monitoring reports, and incident logs. The review finds controls operating as designed. The partner continues to operate; the relationship compounds value over time rather than restarting every two years with new staff augmentation contracts.

What Is a Realistic Timeline for CPS 230 Vendor Selection?

For arrangements classified as material under CPS 230, a realistic end-to-end timeline is 12 to 24 weeks from initial market engagement to contract execution.

  • Weeks 1-3: criticality assessment, requirements definition, and market scan.
  • Weeks 4-8: formal RFP, vendor responses, and initial evaluation against documented criteria.
  • Weeks 9-14: due diligence, including reference calls, certification verification, and on-site or virtual site visits where justified.
  • Weeks 15-20: commercial and contract negotiation, with legal, risk, and security functions engaged in parallel.
  • Weeks 21-24: board or delegated approval, contract execution, and transition planning.

Programs that compress this timeline typically do so by narrowing the field early based on certification and domain evidence rather than cutting any stage. For non-material arrangements, a proportionate process remains required but the depth of evidence is reduced. Published guidance from APRA explicitly supports proportionality based on the criticality and materiality of the arrangement.

What Compliance Considerations Sit Alongside APRA for Australian FSI?

CPS 230 and CPS 234 do not operate in isolation. A full selection process must also consider adjacent regimes.

The Privacy Act 1988, and the Privacy and Other Legislation Amendment Act 2024, impose obligations on the handling of personal information and require that contracts with third parties reflect those obligations. The Notifiable Data Breaches scheme requires assessment and notification within 30 days of awareness.

The Security of Critical Infrastructure Act 2018 (SOCI Act), as amended, applies to certain financial services market infrastructure. Where applicable, it imposes separate obligations on risk management programs and mandatory cyber incident reporting.

The Financial Accountability Regime (FAR), operational since March 2024 for banks and extended to insurance and superannuation from March 2025, assigns personal accountability for prescribed responsibilities including operational risk and technology. Selection decisions for material engineering partners sit within the accountabilities of named accountable persons.

International standards also matter. ISO 27001 remains the baseline expectation for information security management. IEC 62443 is increasingly referenced where engineering touches OT or industrial control systems within financial infrastructure. Partners with ISO 9001 quality management certification bring structured change control that reduces operational risk over time.

Executive-Level FAQ on APRA Third-Party Engineering Selection

Does CPS 230 prohibit offshore engineering delivery?

No. CPS 230 does not prohibit offshore delivery. It requires that the regulated entity assess and manage the associated risks, including concentration risk, geographic risk, and data residency. Many APRA-regulated entities maintain offshore delivery arrangements within CPS 230 - the obligation is to do so with documented risk management, appropriate contractual controls, and ongoing oversight.

What evidence should we require from engineering vendors before shortlisting?

At a minimum: current ISO 27001 certificate with statement of applicability, current ISO 9001 certificate, financial viability evidence (recent audited accounts or equivalent), insurance certificates, a list of relevant client references in regulated industries, a summary of delivery locations and sub-contractors, and a summary of the vendor's incident response capability including historical major incidents. For OT-adjacent work, add IEC 62443-4-1 certification evidence.

How does CPS 234 change contract terms for engineering vendors?

CPS 234 requires the regulated entity to notify APRA of material information security control weaknesses and incidents within 72 hours. Contracts with engineering vendors must support that timeline - typically with vendor notification obligations to the regulated entity within 24 hours of awareness. Contracts also need audit rights, information security standard clauses, data handling and return obligations, and cooperation clauses for any APRA inquiry.

How often should vendor risk be reassessed under CPS 230?

CPS 230 requires ongoing monitoring. For material service providers, annual formal reassessment is the common industry practice, with quarterly operational reviews and continuous monitoring of defined key risk indicators. Material changes to the arrangement, the vendor's control environment, or the regulatory environment trigger out-of-cycle review.

What Should Australian FSI CTOs Do Next?

The CTOs and heads of procurement making the best decisions under CPS 230 treat engineering vendor selection as a long-horizon risk function rather than a sourcing transaction. They invest in documentation, prefer partners with demonstrable process discipline, and build selection processes that compound value over multi-year relationships. The alternative - repeated short-horizon contracting with whichever provider is cheapest this quarter - generates the concentration of findings APRA is now actively looking for.

Eastgate Software supports Australian FSI clients as a strategic engineering partner with ISO 27001, ISO 9001, and IEC 62443-4-1 certified delivery, reference architectures for regulated data handling, and documentation packs aligned to CPS 230 and CPS 234 evidentiary expectations. To understand how a documented engineering partnership fits APRA-regulated delivery, review the ANZ solutions overview or start a discovery conversation with our engineering leadership.

Under APRA CPS 230 and CPS 234, the engineering partners you select today are part of your regulatory posture for the next decade - pick them accordingly.
