The Overlap of APRA and Global Standards


If you’re a financial service provider in Australia or your company sells software or services to one, you’re likely to encounter APRA regulations. The Australian Prudential Regulation Authority (APRA) oversees financial services in Australia, and its evolving standards increasingly impact regulated entities and their third-party providers.

There are two ways APRA may apply to your company:

You’re an APRA-regulated entity. If you’re a licensed institution such as a bank, insurer, or superannuation provider, you’re directly subject to APRA’s suite of Cross-industry Prudential Standards (CPS). These include both prescriptive requirements and principles-based guidelines, and they require direct compliance and evidence of ongoing oversight.

You serve APRA-regulated customers. If you’re not directly regulated, your services may support APRA-regulated entities in cybersecurity, risk, or continuity planning areas. In these cases, your customers are accountable to APRA for any risks introduced through third-party relationships—and they will often extend their compliance obligations to you.

What’s Required for APRA Compliance?

You must read, interpret, and meet all applicable requirements if you’re regulated directly. You’ll also be subject to APRA supervision and potential enforcement actions. If you serve regulated customers, you won’t be subject to direct APRA oversight, but you should expect compliance assessments, due diligence reviews, and ongoing assurance requests from your clients.

What Do the APRA Standards Cover?

CPS 220 – Risk Management

This standard mandates that APRA-regulated entities formally assess, manage, and monitor risk across their operations, including their third-party supply chains. While CPS 220 doesn’t directly impose obligations on suppliers, regulated entities typically conduct vendor due diligence and require annual reassessments as part of their risk management programs.

CPS 232 – Business Continuity Management

CPS 232 focuses on ensuring the continuity and availability of critical services. If a customer’s business continuity depends on your product—such as ATM withdrawals relying on your software—your services fall within their continuity scope. Regulated entities may require business impact assessments, recovery objectives, testing, and formal continuity plans from you, even if you’re not directly subject to APRA.

CPS 234 – Information Security

Introduced to raise the baseline for cybersecurity, CPS 234 requires APRA-regulated companies to implement and monitor security controls, with oversight at the board level. It was also the first APRA standard to mandate supplier verification based on the criticality and sensitivity of the data involved. If your system processes sensitive customer data, expect to undergo heightened security assessments by your clients.

CPS 230 – Operational Risk Management

Effective July 2022, CPS 230 integrates elements from CPS 220 and CPS 232 to form a comprehensive operational risk framework. It adds formal internal control expectations, event response processes, and enhanced third-party oversight. Nearly half the standard focuses on vendor risk, underscoring the growing pressure on regulated entities to monitor and manage supplier performance.

The Bottom Line for Software Companies

If your business works with APRA-regulated clients, these standards will likely shape their expectations of your services. While global frameworks like SOC 2, HIPAA, and ISO/IEC 27701 don’t map perfectly to APRA’s requirements, they offer a strong foundation for meeting customer assurance needs. These certifications demonstrate proactive risk, security, and continuity management and can help bridge the compliance gap, especially for non-regulated providers.

Need help navigating APRA-aligned standards or demonstrating assurance to regulated clients? Contact us to learn how we can support your compliance and risk management goals.
