Skip to main content
Image coming soon

The CPS 230 Material Service Provider Compliance Playbook

$199.00
Adding to cart… The item has been added

A focused course, tailored for you

The CPS 230 Material Service Provider Compliance Playbook

How compliance teams build the CPS 230 material service provider register from materiality threshold to annual APRA attestation.

Your internal audit team has reviewed the MSP register. The finding reads: substitutability documentation is incomplete for 11 of 43 material service providers, and the criticality assessment methodology cannot be reproduced from the evidence on file. The APRA supervisor visit is in three months. The compliance team owns the remediation.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

CPS 230 became enforceable and your institution moved fast to build a register. What got built was a spreadsheet with vendor names, some of which had criticality flagged yes or no, a few with substitutability notes that amount to a sentence. That passed the first internal checkpoint. It will not pass a well-prepared internal audit team that has had time to read the standard, and it will not pass an APRA supervisory review.

The compliance function's problem is structural. CPS 230 sets outcome requirements: the MSP register must document materiality, criticality, substitutability, and tolerance. But it does not prescribe the methodology. That leaves compliance writing the methodology from scratch, typically under time pressure, with limited precedent from other Australian ADIs that have already been through the process.

This course is the methodology. It builds the materiality determination matrix, the criticality and substitutability rubric, the contractual uplift framework, the tolerance statement template, the due diligence scorecard, and the board and APRA reporting pack. Twelve modules, each producing a tangible artefact, all calibrated to what APRA supervisors have actually asked for in reviews.

What you walk away with

  • Apply the APRA materiality test consistently across 200 or more vendors and document each determination in a form that survives audit.
  • Build a criticality and substitutability assessment that names the specific evidence APRA supervisors look for.
  • Produce a contractual uplift prioritisation framework that sequences CPS 230 contract remediation by criticality tier.
  • Draft tolerance statements for your top material service providers that are operationally specific rather than generic risk appetite language.
  • Build the board risk committee annex and annual APRA attestation pack from the register itself, not from scratch each cycle.

The 12 modules

Module 1. Where Compliance Sits in the CPS 230 Accountability Structure
CPS 230 assigns obligations to boards, senior management, and the broader risk management function, but it does not draw a clean line between compliance and operational risk. This module maps the compliance function's specific accountability, how it interacts with the operational risk, procurement, and legal teams, and what evidence APRA expects the compliance function to hold independently rather than pointing to other parts of the business.
Module 2. Building the Third-Party Universe from Multiple Source Systems
Most institutions start a CPS 230 project with a procurement vendor list containing 300 or more records, many of which are duplicates across legal entities or subsidiaries. This module covers how to construct the initial universe from procurement registers, contract management systems, IT asset inventories, and general ledger data, deduplicate across entities, and produce a single working population on which the materiality test can be applied.
Module 3. The Materiality Determination Framework
APRA's materiality test asks whether disruption of a service would have a material impact on the ADI's ability to carry on business or meet its obligations to depositors. This module builds a four-factor determination matrix covering revenue dependency, operational criticality, customer impact, and regulatory sensitivity. It works through how to calibrate thresholds, document each determination, and defend the resulting MSP count in a supervisory review setting.
Module 4. Criticality Assessment Within the MSP Pool
Not all material service providers carry the same risk weight. CPS 230 distinguishes those that support critical operations from the broader MSP population. This module covers how to apply a criticality overlay to the register, how to document the distinction between material and critical, and how to structure the register so that critical providers are visibly prioritised in operational continuity planning and board reporting.
Module 5. Substitutability Analysis: Building the Evidence File
Substitutability is the element most often contested in supervisory reviews. APRA expects evidence that an alternative provider could be transitioned to within a timeframe consistent with the institution's tolerance for disruption. This module builds the substitutability rubric: how to assess market availability of alternatives, transition timeline estimates, switching cost categories, and the conditions that would trigger a formal substitution exercise.
Module 6. Contractual Uplift: Sequencing CPS 230 Remediation
CPS 230 requires contracts with material service providers to include step-in rights, audit access rights, data portability provisions, and termination for regulatory cause clauses. Most contracts predating the standard are missing at least one of these. This module builds a contractual gap analysis template, a remediation priority matrix that sequences renegotiations by criticality tier, and a tracking framework for monitoring contract uplift progress through to completion.
Module 7. Writing Operational Tolerance Statements
APRA expects ADIs to set explicit tolerance levels for the disruption of each material service. These statements must be operationally specific, naming time thresholds, transaction volume floors, and quality parameters rather than generic risk appetite language. This module covers the tolerance statement structure APRA supervisors expect, the drafting errors that draw supervisory questions, and how to tie tolerance statements back to business continuity plan recovery time objectives.
Module 8. Third-Party Due Diligence: A Proportionate Program
A due diligence program that applies the same questionnaire to all 50 MSPs wastes resources and produces thin answers for critical providers. This module builds a tiered due diligence framework: a deeper assessment protocol for critical MSPs, a streamlined annual review for the remainder, a scorecard that captures findings usefully for both compliance and the board, and an escalation pathway for MSPs that return material gaps in their responses.
Module 9. Board and Management Reporting from the Register
The MSP register serves three audiences: the board risk committee wants a strategic overview, the chief risk and compliance officer wants operational detail on the remediation pipeline, and APRA wants the annual attestation. This module builds the board annex template, the quarterly management dashboard, and the APRA attestation pack, with guidance on the language and evidence levels that satisfy each audience without requiring the compliance team to rebuild the same content three times.
Module 10. APRA Notification Requirements and Supervisory Engagement
CPS 230 requires ADIs to notify APRA when a material service provider experiences a significant operational incident or when a material outsourcing arrangement is entering or exiting. This module covers the notification thresholds, the internal escalation pathway that produces a notification-ready situation report within the required window, and how to manage the supervisory follow-up that typically accompanies a significant MSP incident notification to APRA.
Module 11. Concentration Risk Overlay: What the Register Misses
A register that records providers individually will not surface the fact that three of your critical MSPs share the same cloud infrastructure, or that four payment service providers depend on the same clearing network. This module builds a concentration risk overlay for the MSP register covering vendor concentration, geographic concentration, and technology infrastructure concentration, including the format that boards find most useful for understanding systemic exposure across the portfolio.
Module 12. Annual Review Cycles and Register Governance
A CPS 230 register reviewed once and filed does not meet APRA's intent. The standard expects annual reviews, event-triggered updates when material changes occur, and a governance process that captures changes in materiality as the business evolves. This module builds the annual review calendar, the event-trigger criteria checklist, the change management workflow for the register, and the governance structure that keeps the register current through acquisitions, new product launches, and provider changes.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

Internal audit has reviewed the register and found substitutability documentation is incomplete or undocumented for a significant portion of MSPs.
Compliance has the register but cannot demonstrate to APRA how the materiality determinations were made or by whom.
Contractual uplift negotiations are stalled because there is no prioritisation framework linking contract gaps to criticality tier.
The board risk committee is asking compliance to present the MSP concentration risk position and the current register has no concentration overlay.

What you get with this course

  • Twelve text-based modules in the Art of Service learning environment, each producing a named artefact
  • Downloadable templates: materiality determination matrix, criticality and substitutability rubric, contractual uplift tracker, tolerance statement template, due diligence scorecard, board risk committee annex, APRA attestation pack
  • Worked examples calibrated to Australian ADI compliance contexts and APRA supervisory expectations
  • The hand-built implementation playbook delivered alongside course access, with the full artefact set pre-structured for your institution's MSP tier count

What you will have in hand by Day 1, Week 1, Month 1

Course access provisioned within 24 hours of purchase

The hand-built implementation playbook delivered alongside course access

Downloadable templates available from module one

Before and after

Before

The MSP register exists as a spreadsheet with materiality and criticality flags but no documented determination methodology, substitutability documentation that amounts to one sentence per provider, and no systematic way to feed the register into board or APRA reporting without rebuilding it from scratch each cycle.

After

A supervisory-ready MSP framework with a documented and reproducible methodology for every determination, substitutability evidence that meets APRA's standard, a contractual uplift pipeline sequenced by criticality tier, and reporting templates that serve the board, the CRO, and the APRA attestation cycle without being rebuilt each time.

What happens if you do not address this

APRA supervisory reviews under CPS 230 are moving from first-pass acknowledgment to evidence-based scrutiny. An MSP register with undocumented methodology and thin substitutability evidence is the audit finding that triggers a formal supervisory action, a remediation timeline, and a governance escalation. The compliance team that addresses the methodology gap now avoids the reactive remediation cycle.

Who it is for

Compliance managers, senior analysts, and compliance advisors at Australian authorised deposit-taking institutions who own or co-own the CPS 230 program on behalf of the compliance function. You have built or inherited a version of the MSP register and need to take it from a first-draft spreadsheet to a supervisory-ready framework that can survive audit and APRA engagement.

Who this is NOT for. Operational risk managers who own the broader ICRAA or ICAAP process. Procurement teams building vendor management programs without a compliance lens. Legal teams focused solely on the contractual provisions. This course is for compliance professionals who are accountable for the register, the methodology documentation, and the supervisory engagement.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Each module is designed to be completed in one working session. The full twelve-module sequence can be completed over two working weeks alongside regular compliance work.

Why $199 is the right number

APRA's own guidance documents set the outcome requirements but do not provide implementation methodology. Law firm briefings cover the legal obligations but not the operational build. Generic operational risk management courses cover ICRAA and ICAAP but not the compliance-specific artefacts CPS 230 requires the compliance function to own. This course fills the methodology gap those resources leave open.

FAQ

We already have a version of the MSP register. Is this course still useful?
The course is designed specifically for institutions that have a first-draft register and need to take it to supervisory standard. If your register has materiality flags but no documented determination methodology, or substitutability notes but no supporting evidence file, the course builds exactly what is missing.
Does the course address the interaction between CPS 230 and other APRA standards such as CPS 234 or CPS 220?
The course is built around CPS 230's material service provider obligations. Where those obligations interact with CPS 234 information security requirements for MSPs or CPS 220 operational risk management, the course notes the interaction. The primary frame is the compliance function's CPS 230 accountability.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.