The use of third-party service providers has become integral to the way financial institutions operate. From core banking platforms, administration and custodian services to customer service centres, today’s supply chains are vast and complex. But with complexity comes risk and, increasingly, scrutiny.
Outsourcing is not new; in fact, it is a well-established practice. However, with the introduction of APRA’s CPS 230 and increased scrutiny from ASIC and AUSTRAC, financial institutions are required to reassess their third-party oversight processes. Reflecting on previous shortcomings and anticipating higher standards, Boards and Executives across both APRA-regulated and non-regulated entities face a critical period demanding renewed diligence and strategic attention.
Despite clear expectations in long-standing standards like CPS 231 and CPS 234, serious lapses continue to occur. Recent events like trading outages, cyber breaches and delayed claims processing reveal that good policies on paper are not enough. Critical services can no longer be outsourced on a set-and-forget basis, and regulators are no longer willing to tolerate oversight failures.
For providers of services to APRA-regulated entities, CPS 230 also introduces a significant shift in expectations that directly affects contractual obligations, operational resilience and risk management practices: you are now officially part of the regulatory ecosystem. Not getting it right can have significant consequences, both reputationally and financially.
What’s changed under CPS 230?
Taking effect on 1 July 2025, APRA’s new CPS 230 standard significantly lifted requirements for operational risk and third-party management. It expanded oversight expectations beyond traditional outsourcing to cover all material service providers - i.e. those providers an institution relies on to undertake a critical operation, or whose failure would expose it to material operational risk. It also requires institutions to:
- understand their critical processes and where third and fourth parties play a role;
- maintain a register of material providers;
- set clear risk tolerances and incident notification thresholds; and
- strengthen board and executive accountability and oversight.
ASIC is also on the front foot. Its “Key Issues Outlook 2025” flags operational resilience and cyber vulnerabilities through third parties as top risks. Its recent enforcement actions have made it clear: institutions cannot hide behind vendors. If harm occurs, ASIC, APRA or AUSTRAC will hold the licensee accountable, particularly where oversight was weak, documentation was poor, or assurance relied too heavily on the vendor’s word.
Why oversight still fails
So why are institutions still getting it wrong? In our experience, five key issues stand out:
- Set-and-forget oversight – Institutions often complete onboarding due diligence but fail to conduct regular reviews. Relationships and oversight are left to business units, delegated down, and risks go unnoticed until it is too late.
- Blind trust in vendor reports and attestations – Many firms rely on vendor self-assessments, audit certificates, or performance dashboards without independently verifying controls. This has proven especially risky in areas like cybersecurity and data destruction.
- Failure to classify critical providers – Without a clear and up-to-date register of material service providers, it’s easy for high-risk vendors to fly under the radar.
- Limited visibility into fourth parties – Complex supply chains make oversight difficult. Institutions often don’t know who their vendors are relying on until a failure occurs.
- Weak governance and unclear accountability – Oversight roles are often fragmented across procurement, IT, legal, and risk. Without senior ownership and board challenge, issues don’t get the attention they require.
What if I am not APRA regulated but provide services to an entity that is?
Even if you are not APRA regulated, if you provide critical services to entities that are, you must still meet key contractual obligations: reporting and information must be timely and transparent, and services must be delivered without disruption. Being able to do this makes good commercial sense, but it requires your own effort to put the right infrastructure in place. More specifically:
- Understand and appreciate the significance of the relationship between you and the entity procuring your services;
- Understand the services you are contracted to provide and the service levels you are expected to meet;
- Appoint a single Executive as accountable for the relationship, delivery of services and escalation of issues;
- Build information channels and reporting mechanisms that let you easily track, monitor and report on performance against those standards;
- Understand the risks that may arise in the delivery of these services and ensure you have appropriate controls and measures in place to manage them;
- Understand where you rely on others to provide some of these services; where you do, define your expectations, reporting requirements and timeframes so they can feed your consolidated reporting, and where necessary update your own contracts;
- Ensure your risk and compliance activities test and monitor the controls and measures in place to manage these risks;
- Consider how these risks and their management are communicated and escalated to your Board and governing committees;
- Define and communicate the escalation process and arrangements should there be an issue or breakdown, including timeframes;
- Consider what you could proactively provide to give the entity procuring your services comfort that the right measures are in place, for example independent testing or internal audit reviews, and build these into annual plans and the budgeting process;
- Where you know there are weaknesses, be up-front about the plan to address and remediate them.
What should institutions be doing now to demonstrate CPS 230 compliance?
As the core tenets of CPS 230 are embedded and operationalised, here are some practical actions boards and management should consider.
- Move from onboarding to lifecycle oversight – and don’t forget to safely offboard!
Conduct risk assessments not just once, but regularly. Monitor for changes in provider ownership, performance, security posture and sub-outsourcing. And don’t forget to offboard: organisations often invest heavily in time and resources upfront, but offboarding rarely receives the same attention, exposing them to data, privacy, resilience and regulatory issues even as the relationship winds down.
- Test assurance, don’t just accept it
Run your own reviews, especially for high-risk vendors: penetration tests, mystery shopping, spot checks, contingency drills. Integrate vendor KPIs into enterprise risk reporting.
- Elevate governance, accountability and third-party reporting
Assign clear executive responsibility for third-party oversight. Oversight roles are often fragmented across procurement, IT, legal and risk, so clarity around ownership, together with detailed and regular vendor risk reporting at board or risk committee level, is critical to success.
- Scenario test on an ongoing basis – things change very quickly
The nature and extent of services from providers can change quickly as the needs of the business change. It is important to have robust exit strategies and contingency plans in place, but also to test scenarios in which a vendor goes offline or breaches its contract. Know how long you can operate without them and how you would respond.
- Reframe oversight as cultural, not just contractual
Third-party risk must be owned across the enterprise. Procurement, legal, technology, and frontline staff all play a role. Embed a culture of “trust but verify” and invest in training to lift awareness and accountability.
- Seek assurance where required
Engage internal audit or where necessary independent parties to test the control framework.
Third-party oversight: Looking ahead
2025 will be a defining year. CPS 230, the Financial Accountability Regime, and rising cyber threats mean institutions can no longer treat third-party oversight as a back-office compliance task. It is now front-and-centre and on the regulator’s radar.
Strong oversight requires investment and discipline. But it also protects against the costliest risks: those that damage trust, trigger outages or breach customer privacy. Boards and Executives must view third-party oversight not just as a regulatory obligation, but as a strategic lever to safeguard operational resilience and institutional reputation. Organisations that are not APRA regulated but are considered critical service providers are not immune to the impacts of these changes; they also need to be prepared, with the right controls and measures in place to satisfy their contractual obligations. Getting it wrong can impact them commercially and reputationally too.
After all, in a financial system built on trust, someone else’s mistake is still your responsibility.