What Is APRA CPS 230? How Operational Resilience Requirements Apply to AI Systems
APRA's CPS 230 Operational Risk Management standard (effective July 2025) applies to all APRA-regulated entities and has significant implications for AI governance — particularly for material business processes, third-party AI, and AI incident response.
Key Takeaways
CPS 230 (effective 1 July 2025) applies to all APRA-regulated entities: ADIs, general and life insurers, private health insurers, and RSE licensees — replacing CPS 231 and CPS 232.
Boards and senior management must actively own operational risk management including AI risk. Boards must approve the Operational Risk Management framework addressing AI as a material operational risk.
Material service provider provisions apply to third-party AI providers. Entities must identify material AI providers, conduct due diligence, and maintain contractual audit rights and incident notification requirements.
AI systems used in material business processes — credit decisioning, underwriting, fraud detection at scale — trigger CPS 230's most stringent operational resilience requirements.
CPS 230 requires disruption tolerance settings for material business processes. If an AI system is a single point of failure for a material process, adequate redundancy or board-approved tolerance is required.
APRA expects regulated entities to have conducted a comprehensive self-assessment against CPS 230 by its effective date in July 2025.
"For informational purposes only. This article does not constitute legal, regulatory, financial or professional advice. Consult a qualified professional for advice on your specific situation."
What CPS 230 requires for AI
CPS 230 consolidates CPS 231 and CPS 232 into a comprehensive operational risk framework. AI systems used in material business processes — credit assessment, fraud detection, underwriting, customer service at scale — are subject to the standard's operational resilience requirements. For each material business process, entities must set a disruption tolerance, identify critical resources (including AI systems), maintain resilience, and test it through scenario planning.
Material service providers: third-party AI
APRA requires entities to: identify which AI providers are material; conduct due diligence before engagement and periodically thereafter; maintain contractual provisions including audit rights, incident notification requirements, and adequate liability provisions; and have transition and exit plans. The due diligence must also assess the AI provider's own operational resilience, not only the service it delivers.
Board accountability
Boards must approve the Operational Risk Management framework and receive regular reporting on operational risk including AI incidents. Key questions boards must answer: what AI systems are critical to material business processes? What are our disruption tolerances? What is our plan if a critical AI system fails? What is our third-party AI provider exposure?