With the 1 July 2026 deadline for updating legacy contracts under CPS 230 fast approaching, the challenge of renegotiating legacy contracts is brought into sharp focus for APRA regulated entities.
The task may seem relatively uncomplicated until you try to renegotiate a longstanding contract with an overseas provider with a far-away expiry date and no termination option.
The problem of “locked in” contracts
Attempts to renegotiate large contracts that were entered into long before CPS 230 can be met with resistance. Some vendors, especially overseas providers (particularly so in the IT space), may not necessarily appreciate the regulatory overlay that Australian financial service providers operate under or they may view the Australian market as too small to warrant deviation from their standard agreements.
If you have a contract that doesn’t expire until 2028 and which doesn’t include termination for convenience or regulatory change clauses, you may be locked in without the flexibility to fully comply by 1 July 2026.
Saying your provider won’t budge or that you are still waiting on a vendor to respond is not an excuse. APRA’s position is clear: entities must take proactive, documented, and reasonable steps to review and update existing arrangements by the earlier of the next renewal date or 1 July 2026.
What Constitutes “Reasonable Steps”?
There is unfortunately no checklist provided by APRA to define “reasonable steps”. However, APRA’s CPG 230 Operational Risk Management (Practice Guide) and its Response to Submissions do provide indicators of what is expected. “Reasonable steps” need to be identifiable and auditable, and must demonstrate ownership and action.
- Act now: APRA requires entities to review and update legacy arrangements by the earlier of contract renewal or 1 July 2026. In its Response Paper, APRA states “APRA expects regulated entities to be proactive … every entity should now be actively working on its transition to CPS 230.”
- Document: Support your position by having specific records showing:
  - Gap Analysis: Evidence that a formal review against CPS 230 requirements (e.g., notification, incident management, data ownership) was performed and the non-compliant gaps were formally logged;
  - Remediation Plans: Documentation evidencing that you have formally issued correspondence to vendors, citing the specific non-compliant clauses, and attached an amendment proposal;
  - Executive Review: Proof that the remediation plan was presented to and approved by Senior Management and/or the Board Risk Committee.
Practical Steps for Negotiation
Tackling legacy arrangements requires early and strategic engagement with a clear focus on documenting a paper trail to evidence the steps taken towards contractual uplift.
- Escalate Early and Leverage Senior Management: This isn’t a procurement or legal “nice to have”; it is a regulatory obligation. Senior leadership buy-in and support signals to your providers that this is non-negotiable. It also demonstrates to APRA that the executive team understands its accountabilities. Escalate key non-compliant contracts via senior management and board governance, and record that you are taking reasonable steps to remediate and that there is active oversight.
- Communicate Clearly and Factually: When dealing with service providers, frame the discussion around the fact that this is a mandatory requirement impacting all APRA regulated entities and is part of doing business in this sector. Clear, factual communication helps set expectations and, ideally, reduces resistance.
- Re-frame the Conversation as Partnership and Risk Minimisation: Arguably, CPS 230’s emphasis on clarity in contracting benefits both parties. Key provisions such as risk allocation, service levels and incident response reduce the potential for disputes and strengthen both parties’ business resilience. In short, CPS 230 promotes good contract hygiene.
- Use Broader Procurement Cycles as an Opportunity: If immediate contract amendment is not possible, include CPS 230 compliance as a baked-in requirement in the next renewal or request for proposal (RFP). Make it clear to your vendors that any future engagement depends on compliance readiness.
- Contingency Plan: If a vendor still refuses to budge and the contract remains non-compliant, you should document a plan to either (a) absorb the residual risk and justify it to the Board (with a clear mitigation strategy); (b) terminate the service (regardless of penalty, if the regulatory risk outweighs the financial risk); or (c) transfer the service to a compliant provider before the 2026 deadline.
While dealing with legacy contracts can be challenging, tackling renegotiations with a strategic approach focused on clear and honest communication with vendors will pay long-term dividends, not only in operational resilience but also in overall confidence in your vendor relationships.