APRA CPS 190 recovery and exit planning

The Australian Prudential Regulation Authority (APRA) brings Prudential Standard CPS 190 on Recovery and Exit Planning into force for authorized deposit-taking institutions (ADIs), general insurers, and life companies from 1 January 2025, with registrable superannuation entity (RSE) licensees following on 1 January 2026. Boards must show that recovery and orderly exit playbooks are embedded, tested, and connected to CPS 220 risk management, CPS 230 operational resilience, and CPS 511 remuneration incentives so that financial stress or business model failure can be managed without threatening critical operations or breaching fiduciary obligations.

APRA finalized CPS 190 in 2023 after the consultation on CP13/2022 and companion Prudential Practice Guide CPG 190. The standard codifies lessons from global bank failures and domestic supervisory reviews, requiring institutions to maintain credible recovery options, identify exit pathways, and protect critical functions.

By the 2025 compliance date, boards will approve refreshed recovery plans, align trigger frameworks with risk appetite statements, and ensure data needed to support solvent exit decisions is accurate, timely, and accessible. APRA has signaled that early 2025 supervisory reviews will test whether institutions can show end-to-end ownership from board level down to operational execution teams.

Institutions must scope CPS 190 programs across the full regulated group. That means mapping material legal entities, service companies, branches, and off-balance-sheet vehicles, then assessing how recovery actions would affect depositors, policyholders, members, and counterparties. Critical operations identified under CPS 230 and CPS 232 business continuity obligations need to be explicitly linked to recovery response options. APRA expects scenario coverage to include capital and liquidity shocks, contagion events, cyber incidents, and failure of key outsourcing providers—particularly where concentration risks or cross-border dependencies could impede execution.

The board-approved recovery plan needs quantitative and qualitative triggers tied to metrics such as liquidity coverage ratio depletion, breaches of risk appetite limits, or adverse supervisory findings.

Management must monitor the triggers and report emerging stress to the board risk committee quickly enough for actions such as capital raising, asset sales, balance sheet deusing, or business line disposal to remain credible. APRA emphasizes that trigger escalation cannot rely solely on manual reporting; institutions should deploy automated dashboards, workflow tooling, and alerting integrations with treasury, finance, and risk systems so that trigger breaches generate immediate governance attention.

Governance integration: Boards should assign a senior director as recovery planning sponsor, supported by a cross-functional steering committee incorporating treasury, finance, legal, risk, technology, and customer leadership. Charter updates should align CPS 190 oversight with CPS 220 risk governance frameworks and ensure there is a direct reporting line from recovery planning leads to the board risk committee. Institutions with international parents must outline how local boards retain decision authority even when group crisis management teams are activated, with board minutes documenting reserved matters such as capital injections, recovery option sequencing, and exit decision approvals.

Operational governance must also address third-party dependencies. CPS 190 requires mapping of critical service providers, including cloud, payments processing, and data analytics vendors, to understand whether contractual rights and step-in provisions support recovery or exit actions.

Procurement and vendor management functions should refresh due diligence artifacts, ensure service-level agreements include contingency and data portability clauses, and obtain attestations that vendors can honor recovery-driven surge volumes. For entities subject to CPS 234 information security requirements, cyber incident playbooks must be synchronized with recovery options to avoid conflicting decision paths.

Universal opt-out and customer data stewardship: Recovery or exit execution frequently involves heightened customer communications—such as product changes, portfolio transfers, or cross-border notifications—that trigger privacy and marketing obligations. Institutions need to configure communication platforms to respect universal opt-out signals collected through Australian Privacy Act consent flows as well as cross-jurisdictional requirements like California’s global privacy control (GPC) or the Colorado Privacy Act’s universal opt-out mechanism for customers served by multinational groups. Crisis messaging templates should be pre-approved so operational staff can inform customers while excluding segments who have opted out of marketing unless disclosure is legally mandated.

Data teams should create suppression lists that reconcile opt-out preferences from core banking systems, insurance administration platforms, mobile apps, and web channels.

When recovery options involve data sharing with potential acquirers or bridge entities, legal teams must confirm that data-room governance enforces consent terms, anonymises non-essential personal data, and documents lawful bases under the Australian Privacy Principles. For vulnerable customers, including Indigenous communities or customers under financial hardship, institutions should deploy additional safeguards to ensure that opt-out requests are still honored during accelerated transition activity and that alternative communication channels (such as paper mail or community outreach) are available.

Evidence and assurance expectations: APRA supervisors will expect to see a CPS 190 evidence library that shows the plan’s credibility. Core artifacts include board and risk committee minutes, recovery option cost-benefit analysis, scenario design documentation, liquidity and capital modeling outputs, and decision trees showing exit sequencing. Audit-ready evidence should also capture how universal opt-out processes were validated during crisis communication drills, with system logs proving that suppression lists and GPC signals propagated through email, SMS, and call-center tooling.

Internal audit functions should schedule thematic reviews across 2024 and 2025 to assess CPS 190 readiness, testing governance escalation, data lineage, and the completeness of exit contingency arrangements. Assurance plans ought to cover the linkage between CPS 190 and other prudential standards—particularly CPS 900 resolution planning for domestic systemically important banks (D-SIBs), CPS 226 margining and risk mitigation for derivatives, and the cross-industry Prudential Standard CPS 511 on remuneration incentives. External assurance may be necessary for critical models, such as asset valuation models used to support sale or securitisation recovery options.

Implementation playbook for 2024–2025: Institutions should stand up a dedicated CPS 190 program office that tracks progress against milestones, dependencies, and resourcing. Key tasks include conducting a gap assessment against the final standard and CPG 190 guidance, updating recovery option catalogs with refreshed feasibility assessments, and aligning funding strategies with the Liquidity Coverage Ratio and Net Stable Funding Ratio metrics. Treasury teams must test contingent funding arrangements, including collateral mobilization, central bank facilities, and stress repo operations, documenting legal opinions that confirm enforceability.

Scenario testing should draw on cross-disciplinary expertise. For example, cyber-resilience scenarios ought to include technology, security, customer experience, and communications leaders to rehearse how a ransomware event interacts with recovery triggers, universal opt-out compliance, and regulatory disclosure obligations.

Institutions should combine table-top exercises with data-driven simulations that assess system capacity for high-volume transactions, payment redirection, or policyholder transfer. Where exit strategies involve selling portfolios to third parties, business units must pre-negotiate data-sharing protocols, transitional services agreements, and employee transfer frameworks that preserve customer protections.

Stakeholder engagement: APRA expects preventive dialog. Boards should prepare to brief supervisors on CPS 190 setup status during prudential reviews and provide credible timelines for remediating gaps. Where institutions are part of cross-border groups, they must harmonize recovery planning with home regulator expectations, such as the Bank of England’s solvent exit requirements or the Monetary Authority of Singapore’s recovery planning guidelines, ensuring that universal opt-out controls remain consistent across jurisdictions. Institutions should also engage with resolution authorities, state-based regulators, and industry bodies to align on systemic crisis coordination.

Next steps for leaders: Board chairs should schedule CPS 190 deep dives in early 2025 agendas, request assurance over universal opt-out control effectiveness during crisis scenarios, and confirm that the chief risk officer can access the data needed for rapid decision-making. Chief operating officers must integrate CPS 190 triggers into operational dashboards and ensure crisis playbooks include alternate work locations and workforce surge plans. Chief information officers should validate that data platforms can segregate customer consent states at scale, while compliance officers map regulatory reporting obligations—including APRA notifications within 24 hours of activation of recovery plans—and prepare disclosure scripts that reflect opt-out considerations.

Sources

• APRA: Final Prudential Standard CPS 190 Recovery and Exit Planning (2023)
• APRA Prudential Standard CPS 190
• APRA Prudential Practice Guide CPG 190 Recovery and Exit Planning
• Office of the Australian Information Commissioner: Privacy Act obligations

Future Outlook and Considerations

If you are affected, monitor developments in this area and prepare for potential evolution of requirements, practices, or technologies. Understanding the broader trajectory helps inform strategic planning and investment decisions.

Industry engagement through working groups, standards bodies, and peer networks provides early insight into emerging expectations and good practices. Active participation can influence outcomes and ensure organizational interests are considered in future developments.

Recovery plan testing

CPS 190 requires regular testing of recovery plans. Develop testing programs incorporating tabletop exercises, simulation scenarios, and operational rehearsals. Document test results, identified gaps, and remediation actions. Report testing outcomes to board risk committees.

Exit planning for critical operations

Exit plans must address orderly wind-down of critical operations. Map critical functions, identify dependencies, and develop transition procedures. Estimate exit timelines and resource requirements, documenting assumptions and contingency provisions.

See also

Selected articles on related subjects.

Governance · Credibility 96/100 · July 27, 2023

APRA CPS 230 operational risk management

APRA's CPS 230 operational risk standard went effective July 1, 2025 for Australian ADIs, insurers, and super funds. It is a big upgrade from CPS 231 and 232, with stricter requirements for operational resilience…

Governance · Credibility 92/100 · July 26, 2023

SEC cybersecurity disclosure

The SEC’s July 2023 cybersecurity disclosure rules add Form 8-K Item 1.05 and Regulation S-K Item 106, demanding boards document oversight, management expertise, and DSAR-supporting incident controls before accelerated…

Governance · Credibility 96/100 · July 12, 2023

SEBI BRSR Core assurance expansion for top 250 listed entities

India's top 250 listed companies now need reasonable assurance on their BRSR Core ESG disclosures for FY2025. That is the same level of scrutiny as a financial audit—your board needs to own this. Data governance…

Governance · Credibility 92/100 · September 11, 2023

OECD governance principles

The 2023 G20/OECD Principles of Corporate Governance revision elevates board accountability for sustainability and data stewardship, guides staged setup across ownership structures, and links disclosure reforms to…

Governance · Credibility 73/100 · September 26, 2023

SEC Cybersecurity Disclosure Rules Take Effect for Public Companies

The SEC's cybersecurity risk management and incident disclosure rules become effective, requiring public companies to disclose material cybersecurity incidents within four business days on Form 8-K. The rules mandate…

Continue in the Governance pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• Board Oversight Governance Blueprint

  Unify Basel Committee, PRA, SEC, and ISSB oversight mandates into an auditable board governance operating model with data lineage, assurance cadences, and regulatory source packs.

• Third-Party Governance Control Blueprint

  Deliver OCC, Federal Reserve, PRA, EBA, DORA, MAS, and OSFI third-party governance requirements through board reporting, lifecycle controls, and resilience evidence.

• Public-Sector Governance Alignment Playbook

  Align OMB Circular A-123, GAO Green Book, OMB M-24-10 AI guidance, EU public sector directives, and UK Orange Book with digital accountability, risk management, and service…

Coverage intelligence

Published

July 27, 2023

Coverage pillar

Governance

Source credibility

96/100 — high confidence

Topics

APRA CPS 190 · Recovery planning · Exit strategy · Board oversight

Sources cited

3 sources (apra.gov.au, iso.org)

Reading time

7 min

Cited sources

1. CPS 190 — Recovery and Exit Planning
2. APRA finalizes new recovery and exit planning requirements
3. ISO 37000:2021 — Governance of Organizations — International Organization for Standardization