AU: CPS 231 Outsourcing (Superseded by CPS 230)¶
| Regulator | APRA |
| Jurisdiction | AU |
| Status | superseded |
| Applicability | Platform |
SUPERSEDED — effective 1 July 2025. All obligations are now in CPS 230 Operational Risk and Resilience.
APRA CPS 231 Outsourcing was the primary outsourcing standard for APRA-regulated entities. It required ADIs to maintain a material outsourcing register, conduct pre-engagement and renewal due diligence, include prescribed contractual protections (APRA step-in rights, audit access, data return on exit, sub-outsourcing controls), and notify APRA of significant outsourcing arrangements within 20 business days of execution.
CPS 231 has been superseded by CPS 230 Operational Risk and Resilience, effective 1 July 2025. Outsourcing obligations are now embedded within the broader CPS 230 framework. Existing contracts entered under CPS 231 remain valid until renewal or material amendment, at which point they must be reviewed against CPS 230 requirements.
Compliance register¶
This register is retained for historical traceability. All active compliance obligations are tracked under au-cps-230.
Scope legend¶
| Symbol | Meaning |
|---|---|
| 🤖 Automated | Platform enforces or performs the obligation. Primary control mode is GATE, AUTO, CALC, or ALERT. Human action is not required in the normal case. |
| 📊 Evidenced | Platform captures the evidence trail automatically. Human compliance decision sits on top. Primary control mode is LOG. |
| 🏛 Institutional | Obligation is met by a process entirely outside the platform — training programmes, board governance, HR, legal. Platform may generate evidence inputs but does not own the process. |
| N/A | Obligation does not apply to this deployment configuration. |
Build legend¶
| Symbol | Meaning |
|---|---|
| ✅ | Module built and deployed |
| 🔨 | Module planned — not yet built (build_status: Not started) |
| ❌ | Uncontrolled gap — no module attributed |
Historical obligations (now in CPS 230)¶
| Obligation | Previous scope | Absorbed into CPS 230 | Platform controls (under CPS 230) | Build |
|---|---|---|---|---|
| Material outsourcing register — all material outsourcing arrangements documented with risk classification | 🤖 Automated | Para 25 | MOD-150 (AUTO) — outsourcing register maintained; all designated critical third parties tracked with SLA and health monitoring | 🔨 |
| Pre-engagement due diligence and annual renewal assessment | 🏛 Institutional | Para 26 | Due diligence is a procurement process; MOD-150 monitors ongoing SLA compliance | 🔨 |
| Contractual requirements — audit rights, sub-outsourcing controls, data return on exit, BCP obligations | 🏛 Institutional | Para 27 | Contract negotiation is legal; MOD-150 tracks contract expiry and triggers review reminders | 🔨 |
| APRA notification for significant outsourcing — within 20 business days of execution | 🏛 Institutional | Para 29 | APRA notification is a Compliance Officer process; platform has no role | — |
| Exit plan — documented exit strategy for material arrangements | 🏛 Institutional | Para 27 | Exit plan development is institutional; MOD-150 monitors provider health to inform exit timing | — |
Status note¶
SUPERSEDED effective 1 July 2025. For active compliance obligations, refer to au-cps-230. Existing contracts entered under CPS 231 remain valid until renewal or material amendment.
Any references in policies or module documentation to CPS 231 should be updated to reference CPS 230. The obligation register for this standard is maintained for audit trail purposes only.
Related pages¶
Official documentation¶
Policies referencing this standard¶
(None yet)
Compiled 2026-05-22 from source/entities/regulations/au-cps-231.yaml