Skip to content

What are the most common APRA standards?

Explore some of our latest AI related thought leadership and research

6clicks has been built for cybersecurity, risk and compliance professionals.

Learn more about our Hub & Spoke architecture, Hailey AI engine and explore the other content in our platform here

Developing responsible AI management systems through the ISO/IEC 42001 standard

Using artificial intelligence has propelled global economic growth and enriched different aspects of our lives. However, its ever-evolving nature and...

Incorporating Generative AI into Cybersecurity: Opportunities, Risks, and Future Outlook

Key Takeaways Generative AI is a branch of artificial intelligence that focuses on creating new content with human-like creativity. The rise of...

Understanding RAG: Retrieval-Augmented Generation Explained

Natural Language Processing (NLP) has come a long way in the past few decades. With the goal of enabling more efficient communication between humans...

Responsible AI is here to stay

Artificial Intelligence (AI) and Machine Learning (ML) continue to be a much talked about topic since the release of ChatGPT last year but also well...

Responsible AI in risk management: Diving into NIST’s AI Risk Management Framework

Artificial intelligence has since changed the way we use technology and interact with organizations and systems. AI solutions such as automation and...

The Imperative of Governance to Achieving Responsible AI

AI brings many opportunities to businesses and we can see the AI boom across different industry verticals. However, it also questions who would be...


What is the australian prudential regulation authority (APRA)?

The Australian Prudential Regulation Authority (APRA) is the regulatory body responsible for overseeing and supervising prudential standards across various financial institutions in Australia. It was established in 1998 as an independent statutory authority to ensure the safety, stability, and integrity of the Australian financial system. APRA’s main role is to enforce prudential standards, which are a set of regulatory requirements that aim to protect the interests of depositors, policyholders, and superannuation fund members. These standards cover areas such as risk management, capital adequacy, governance, and business continuity. APRA-regulated entities, including banks, credit unions, life insurers, superannuation funds, and private health insurers, are required to comply with these standards to mitigate risks and maintain their financial stability. APRA supervises these entities by conducting regular inspections, monitoring their financial performance, and imposing penalties for non-compliance. By setting and enforcing prudential standards, APRA ensures the overall safety and soundness of Australia’s financial sector.

Overview of APRA standards

The Australian Prudential Regulation Authority (APRA) has established a comprehensive framework of prudential standards that apply to regulated entities in the banking, insurance, and superannuation industries. These standards are designed to ensure the safety and stability of Australia's financial system and protect the interests of consumers.

APRA standards form an integral part of prudential supervision, which is the process of monitoring and regulating the financial activities of institutions to mitigate risks. They set out the minimum requirements and key expectations for business operations, risk management, governance, capital adequacy, and more.

For example, Prudential Standard CPS 234 focuses on operational risk management, requiring entities to identify and manage material risks to their critical operations. It also encompasses service provider arrangements, stipulating that entities should have sound practices for managing relationships with third-party providers.

Prudential standards also cover areas such as business continuity plans, concentration risk, reputational risk, and legal risk management. Entities are expected to maintain strong internal controls, assess their operational risk profiles, and establish risk appetite frameworks.

Prudential standards

Prudential standards are a crucial component of the Australian Prudential Regulation Authority (APRA) framework, aimed at ensuring the stability and security of the country's financial system. These standards govern regulated entities in the banking, insurance, and superannuation sectors, establishing minimum requirements and key expectations for various aspects of their operations. By addressing areas like operational risk management, business continuity, and third-party provider arrangements, prudential standards help institutions mitigate risks and safeguard the interests of consumers. With a focus on internal controls, risk assessment, and robust governance, these standards are essential for maintaining the integrity of Australia's financial industry.

Prudential standard CPS 234 - information security management

Prudential Standard CPS 234 - Information Security Management is a key requirement for APRA-regulated entities to ensure resilience against information security incidents. This standard focuses on the need for these entities to maintain an information security capability that is in line with the ever-evolving vulnerabilities and threats in the digital landscape.

CPS 234 outlines several requirements that organizations must follow to meet the standard. These requirements include the implementation of controls to protect sensitive information from potential breaches, having a robust system in place to detect and respond to security incidents, conducting regular testing and assessment of the effectiveness of security measures, and ensuring the capability to recover and continue business operations in the event of an incident.

The standard also emphasizes the importance of having a clear information security strategy, supported by senior management, to effectively manage and mitigate information security risks within the organization. This includes having appropriate governance structures, processes, and procedures in place to address potential threats.

By adhering to CPS 234, APRA-regulated entities demonstrate their commitment to safeguarding the security of customer information and mitigating the potential risks associated with cyber threats. This standard enhances the overall resilience of these institutions and helps maintain trust in the financial services sector.

Prudential standard CPS 231 - risk management

Prudential Standard CPS 231 is a set of guidelines established by the Australian Prudential Regulation Authority (APRA) to ensure that APRA-regulated institutions effectively manage operational risk and ensure business continuity. This standard applies to all authorized deposit-taking institutions (ADIs), general insurers, life insurers, and superannuation entities.

CPS 231 sets out the requirements and obligations that these institutions must fulfill to identify, assess, and mitigate operational risks. It outlines the importance of having a comprehensive risk management framework, which includes clearly defined responsibilities, effective internal controls, and ongoing monitoring and reporting mechanisms.

The standard also emphasizes the need for APRA-regulated institutions to have robust business continuity plans in place. Institutions must identify critical business functions and develop strategies to manage potential disruptions. This includes ensuring that appropriate arrangements are in place with service providers and that these arrangements are regularly reviewed and tested.

Recently, CPS 231 underwent a significant update with the introduction of prudential standard CPS 230. This update expanded the requirements for risk management, with a focus on enhancing risk culture, governance, and oversight. Institutions now have to conduct regular self-assessments of their risk management frameworks and report to APRA on their risk management practices.

Prudential standard CPG 235 - business continuity management

Prudential standard CPG 235, also known as the business continuity management standard, plays a crucial role in ensuring that APRA-regulated institutions and group Heads have effective measures in place to mitigate disruptions and minimize their impact on business operations, reputation, and stakeholders.

This standard requires institutions to adopt a whole-of-business approach to business continuity management. It emphasizes the need for institutions to establish a comprehensive and integrated framework that encompasses all aspects of their operations. This includes identifying critical business functions, assessing the potential impact of disruptions, and implementing appropriate strategies to minimize the adverse effects.

By adopting a whole-of-business approach, institutions can enhance their resilience to disruptions. They are better able to identify risks, develop robust contingency plans, and implement effective controls to maintain their business operations during times of crisis. This not only helps protect the institution's reputation but also ensures the continuity of services to customers and clients.

Implementing prudential standard CPG 235 enables institutions to proactively manage potential disruptions and minimize their impact. By having effective business continuity management measures in place, institutions can ensure the stability and ongoing viability of their operations, safeguard their stakeholders' interests, and meet the regulatory requirements set by APRA.

Prudential standard SPS 520 – outsourcing

APRA prudential standard SPS 520 provides guidelines for APRA-regulated entities when outsourcing business activities to service providers. The standard outlines the scope of application and sets out the minimum content of agreements for such arrangements.

This standard applies to all APRA-regulated entities, including superannuation funds, life insurers, and private health insurers, and covers various types of outsourcing arrangements. These include arrangements with third-party service providers, material service providers, and material business activities.

When entering into outsourcing agreements, APRA-regulated entities must ensure that the agreements include certain key requirements. These include the requirement for a formal agreement, termination provisions, and internal controls. The agreements should also address the management of the service provider and specify the type of service provider involved.

SPS 520 differs from other outsourcing standards as it specifically addresses the prudential requirements for APRA-regulated entities. It focuses on the management of risks associated with outsourcing and emphasizes the importance of maintaining effective oversight and control over the outsourced business activities.

In complying with SPS 520, APRA-regulated entities need to carefully consider several requirements and considerations. These include assessing the risks associated with the outsourcing arrangement, ensuring that the outsourced activities are consistent with the entity's risk appetite, and establishing appropriate monitoring and reporting mechanisms.

By complying with prudential standard SPS 520, APRA-regulated entities can effectively manage the risks associated with outsourcing business activities. This helps to ensure the stability and soundness of the financial system and provides confidence to stakeholders and customers.

Superannuation industry-specific requirements

The superannuation industry is subject to specific prudential requirements outlined by the Australian Prudential Regulation Authority (APRA). These requirements are designed to ensure the sound and prudent management of superannuation funds and protect the interests of members. Superannuation funds must comply with various prudential standards, including prudential standard CPS 234 on information security and prudential standard CPS 231 on outsourcing. These standards aim to enhance operational resilience, manage operational risks, and ensure the continuity of critical operations in the superannuation sector. In complying with these standards, superannuation funds must assess the risks associated with outsourcing arrangements, have robust business continuity plans in place, and establish effective oversight and control over any arrangements with service providers. By adhering to these industry-specific requirements, superannuation funds can maintain the trust and confidence of their members while ensuring the stability and integrity of the superannuation industry as a whole.

Superannuation industry (Supervision) act 1993 (SIS Act) and regulations

The Superannuation industry (Supervision) Act 1993 (SIS Act) and its accompanying regulations play a crucial role in regulating the superannuation industry in Australia. This legislation sets out key provisions that ensure the effective management and protection of superannuation funds.

Some of the significant key provisions under the SIS Act and regulations include:

  1. Prudent investment requirements: The SIS Act imposes obligations on trustees to make investments that are in the best interests of fund members and to diversify investment risks.
  2. Trustee duties and responsibilities: Trustees are required to act honestly, fairly, and with care, skill, and diligence. They must also maintain accurate records, monitor investment strategies, and provide regular reports to members.
  3. Prohibition of related party transactions: The SIS Act prohibits trustees from entering into transactions with related parties, except under strict requirements aimed at preventing conflicts of interest and ensuring fair dealing.
  4. Governance and operational standards: The legislation establishes governance standards for superannuation funds, including requirements for adequate resourcing, risk management, and accountability. It also sets out rules for operational matters such as outsourcing arrangements and administration of benefits.
  5. Member protection and disclosure: The SIS Act includes provisions to safeguard member entitlements, such as restrictions on early release of funds and requirements for disclosure of information to members.

These key provisions are crucial in ensuring the integrity, stability, and trustworthiness of the superannuation industry. By imposing prudential standards and obligations on trustees, the legislation aims to protect the best interests of superannuation fund members and maintain the financial security of retirement savings. The SIS Act and regulations provide the regulatory framework that underpins the functioning of the superannuation industry in Australia.

Superannuation data and payment standards 2011 (SDPS)

The Superannuation Data and Payment Standards 2011 (SDPS) is a set of standards established by the Australian Prudential Regulation Authority (APRA) to enhance the accuracy, consistency, and efficiency of data collection and payment processes within the superannuation industry. Its purpose is to ensure that superannuation funds and other APRA-regulated entities comply with high-quality data standards and make timely and accurate payments to their members.

The SDPS features a comprehensive framework that outlines the requirements for collecting, validating, and reporting superannuation data. It covers various aspects, including member contributions, member demographics, investment performance, and member benefits payments. These standards aim to improve the reliability and comparability of data across the superannuation industry, enabling better analysis, benchmarking, and monitoring.

To enforce compliance, APRA utilizes periodic data collection requests, where superannuation funds and other entities are required to submit data at specified intervals. These requests help APRA assess the financial health, operational risk, and compliance of these entities. They also contribute to APRA's ongoing supervisory activities and enable the identification of industry trends and emerging risks.

The SDPS has undergone updates and amendments since its introduction in 2011. These revisions reflect evolving regulatory requirements, industry practices, and technological advancements. APRA periodically reviews the standards and engages in discussions with industry stakeholders to ensure they remain effective and relevant.

Credit union requirements

Credit unions, as apra-regulated entities, are subject to specific prudential standards and regulatory requirements to ensure the soundness and stability of their business operations. One key prudential standard that credit unions must adhere to is CPS 234 on operational risk management. This standard focuses on enhancing the resilience of credit unions' critical operations and the management of material service providers. It requires credit unions to have robust business continuity plans and establish formal agreements with service providers. Additionally, credit unions are expected to maintain effective internal controls and regularly assess their operational risk profile, including identifying and managing inherent risks such as reputational and concentration risks. By complying with these prudential standards, credit unions contribute to the overall stability of the financial system and protect the interests of their members.

Credit unions Act 1979 (CUA), regulations and guidelines

The Credit Unions Act 1979 (CUA) is an important piece of legislation that regulates the establishment and operation of credit unions in Australia. The Australian Prudential Regulation Authority (APRA) plays a significant role in overseeing credit unions and ensuring their compliance with regulatory standards.

Under the CUA, credit unions are required to meet specific prudential standards set by APRA. These standards cover areas such as capital adequacy, liquidity, risk management, and governance. APRA has the authority to set and enforce these standards to protect the interests of credit union members and maintain the stability of the financial system.

APRA also provides guidelines to assist credit unions in understanding and implementing the regulatory requirements. These guidelines provide detailed information on topics such as risk management frameworks, reporting requirements, and internal controls.

In its role as the prudential regulator, APRA conducts regular assessments and reviews to monitor credit unions' compliance with the CUA and the associated regulations and guidelines. APRA evaluates credit unions' financial soundness, risk management practices, and governance arrangements to ensure their ongoing viability.

Credit union online service charter 2007 (COSC)

The Credit Union Online Service Charter (COSC) of 2007 outlines the guidelines and commitments that credit unions must follow when providing online services to their customers. This charter serves the purpose of protecting customer interests and ensuring a seamless and secure online banking experience.

The COSC sets out specific commitments that credit unions must adhere to, including providing transparent and accurate information about their online services, ensuring the privacy and security of customer data, and resolving customer concerns and complaints in a timely manner. These commitments aim to build trust and confidence among customers, assuring them that their financial needs and personal information are being handled with utmost care.

By adhering to the COSC, credit unions demonstrate their commitment to safeguarding customer interests and maintaining high standards of service. The charter outlines the steps that credit unions should take to enhance the security of online transactions, including implementing multi-factor authentication and encryption protocols. Moreover, it emphasizes the importance of clear communication with customers, ensuring that they have access to relevant information, terms, and conditions related to online services.

Credit union compliance program guidelines 2005 (CUCPG)

The Credit Union Compliance Program Guidelines 2005 (CUCPG) were introduced by the Australian Prudential Regulation Authority (APRA) to establish a framework for credit unions to adhere to in order to ensure compliance with regulatory requirements and maintain the stability and integrity of their operations.

These guidelines outline the key requirements and obligations that credit unions must adhere to. They provide detailed guidance on areas such as risk management, governance, internal controls, and business continuity management. Credit unions are required to establish and maintain comprehensive compliance programs that address these areas.

One of the key requirements of the CUCPG is that credit unions must have an effective risk management framework in place. This includes identifying and assessing the risks they face, implementing appropriate controls and measures to mitigate those risks, and regularly monitoring and reviewing their risk profile.

Credit unions also have an obligation to have robust governance structures and internal controls in place. This includes clearly defined roles and responsibilities for management and staff, adequate reporting mechanisms, and appropriate oversight by the board of directors.

Furthermore, the CUCPG emphasizes the importance of business continuity management, requiring credit unions to have comprehensive plans and arrangements in place to ensure the uninterrupted operation of critical business functions in the event of disruptions or emergencies.

By adhering to the CUCPG, credit unions demonstrate their commitment to maintaining high standards of compliance and upholding the stability and integrity of their operations. These guidelines play a crucial role in ensuring that credit unions operate in a responsible and accountable manner, safeguarding the interests of their members and the broader financial system.

Life insurer requirements

Life insurers in Australia are subject to strict requirements imposed by the Australian Prudential Regulation Authority (APRA). APRA sets out detailed prudential standards that govern the operations and risk management practices of life insurers, with the aim of ensuring their financial soundness and protecting policyholders.

APRA expects life insurers to have robust risk management frameworks in place to identify, assess, and manage risks effectively. This includes conducting regular stress tests and scenarios analysis to assess the impact of potential adverse events on their capital position and solvency. Life insurers are also expected to hold adequate levels of regulatory capital to absorb potential losses.

In recent years, APRA has increased its focus on individual disability income insurance (IDII) due to concerns about the sustainability of this product. APRA has conducted a review of IDII and implemented supervisory interventions to address issues such as pricing assumptions, claims management practices, and product design. APRA expects life insurers offering IDII to take appropriate measures to ensure the product's long-term viability and affordability.

APRA is actively monitoring the life insurance industry and has taken regulatory actions to improve industry practices. It has set out its expectations regarding claims handling, risk management, and compliance, and has required insurers to strengthen their controls and governance arrangements.

Looking ahead, APRA continues to work on implementing reforms in the life insurance industry, including reviewing the prudential framework and developing new standards to address emerging risks. Insurers can expect ongoing scrutiny from APRA, and it is crucial for them to stay updated on regulatory developments and comply with APRA's expectations to maintain a strong and sustainable business.

General thought leadership and news

From Compliance to Cybersecurity: The 6clicks Ideal Customer Profile

From Compliance to Cybersecurity: The 6clicks Ideal Customer Profile

In an era where digital threats loom larger by the day, the intersection of compliance and cybersecurity has never been more critical. For businesses...

AI Hype and GRC

Beyond the AI Hype: Crafting GRC Solutions That Truly Matter

In the relentless chase for innovation, it's easy to get caught in the dazzling allure of AI. Everywhere you turn, AI seems to be the silver bullet,...

Reflections from my time as Chief Digital Officer at KPMG

Reflections from my time as Chief Digital Officer at KPMG

Between 2016 and 2018 I held the role of Chief Digital Officer at KPMG, responsible for strategy and the development of software assets to underpin...

6clicks Partners with Microsoft to run 6clicks on Private Azure Clouds

6clicks Partners with Microsoft to run 6clicks on Private Azure Clouds

Summary 6clicks, a cyber governance, risk, and compliance (GRC) platform, has partnered with Microsoft to offer a privately hosted option of its...

6clicks Fabric - Hosted on private Microsoft Azure clouds

Empowering enterprises: Get in control with your own GRC SaaS platform-in-a-box

In today's dynamic business landscape, enterprises are constantly seeking innovative solutions to streamline their operations, improve the value they...

6clicks Fabric for GSIs: Tailoring cybersecurity GRC programs for global markets

6clicks Fabric for GSIs: Tailoring cybersecurity GRC programs for global markets

Robust cybersecurity measures and the effective and safe implementation of IT infrastructure are critical for organizations to successfully do...