
Governance Briefing — APRA CPS 190 recovery and exit planning

APRA-regulated banks and insurers must stand up CPS 190 recovery and exit programs by 1 January 2025, with boards owning governance playbooks, universal opt-out safeguards for stressed communications, and evidence frameworks that prove scenario credibility to supervisors.


Executive briefing: The Australian Prudential Regulation Authority (APRA) brings Prudential Standard CPS 190 on Recovery and Exit Planning into force for authorised deposit-taking institutions (ADIs), general insurers, and life companies from 1 January 2025, with registrable superannuation entity (RSE) licensees following on 1 January 2026. Boards must demonstrate that recovery and orderly exit playbooks are embedded, tested, and connected to CPS 220 risk management, CPS 230 operational resilience, and CPS 511 remuneration incentives so that financial stress or business model failure can be managed without threatening critical operations or breaching fiduciary obligations.

APRA finalised CPS 190 in 2023 after the consultation on CP13/2022 and companion Prudential Practice Guide CPG 190. The standard codifies lessons from global bank failures and domestic supervisory reviews, requiring institutions to maintain credible recovery options, identify exit pathways, and protect critical functions. By the 2025 compliance date, boards are expected to approve refreshed recovery plans, align trigger frameworks with risk appetite statements, and ensure data needed to support solvent exit decisions is accurate, timely, and accessible. APRA has signalled that early 2025 supervisory reviews will test whether institutions can demonstrate end-to-end ownership from board level down to operational execution teams.

Institutions must scope CPS 190 programs across the full regulated group. That means mapping material legal entities, service companies, branches, and off-balance-sheet vehicles, then assessing how recovery actions would affect depositors, policyholders, members, and counterparties. Critical operations identified under CPS 230 and CPS 232 business continuity obligations need to be explicitly linked to recovery response options. APRA expects scenario coverage to include capital and liquidity shocks, contagion events, cyber incidents, and failure of key outsourcing providers—particularly where concentration risks or cross-border dependencies could impede execution.

The board-approved recovery plan needs quantitative and qualitative triggers tied to metrics such as liquidity coverage ratio depletion, breaches of risk appetite limits, or adverse supervisory findings. Management must monitor the triggers and report emerging stress to the board risk committee quickly enough for actions such as capital raising, asset sales, balance sheet deleveraging, or business line disposal to remain credible. APRA emphasises that trigger escalation cannot rely solely on manual reporting; institutions should deploy automated dashboards, workflow tooling, and alerting integrations with treasury, finance, and risk systems so that trigger breaches generate immediate governance attention.

Governance integration: Boards should assign a senior director as recovery planning sponsor, supported by a cross-functional steering committee incorporating treasury, finance, legal, risk, technology, and customer leadership. Charter updates should align CPS 190 oversight with CPS 220 risk governance frameworks and ensure there is a direct reporting line from recovery planning leads to the board risk committee. Institutions with international parents must delineate how local boards retain decision authority even when group crisis management teams are activated, with board minutes documenting reserved matters such as capital injections, recovery option sequencing, and exit decision approvals.

Operational governance must also address third-party dependencies. CPS 190 requires mapping of critical service providers, including cloud, payments processing, and data analytics vendors, to understand whether contractual rights and step-in provisions support recovery or exit actions. Procurement and vendor management functions should refresh due diligence artifacts, ensure service-level agreements include contingency and data portability clauses, and obtain attestations that vendors can honour recovery-driven surge volumes. For entities subject to CPS 234 information security requirements, cyber incident playbooks must be synchronised with recovery options to avoid conflicting decision paths.

Universal opt-out and customer data stewardship: Recovery or exit execution frequently involves heightened customer communications—such as product changes, portfolio transfers, or cross-border notifications—that trigger privacy and marketing obligations. Institutions need to configure communication platforms to respect universal opt-out signals collected through Australian Privacy Act consent flows as well as cross-jurisdictional requirements like California’s global privacy control (GPC) or the Colorado Privacy Act’s universal opt-out mechanism for customers served by multinational groups. Crisis messaging templates should be pre-approved so operational staff can inform customers while excluding segments who have opted out of marketing unless disclosure is legally mandated.

Data teams should create suppression lists that reconcile opt-out preferences from core banking systems, insurance administration platforms, mobile apps, and web channels. When recovery options involve data sharing with potential acquirers or bridge entities, legal teams must confirm that data-room governance enforces consent terms, anonymises non-essential personal data, and documents lawful bases under the Australian Privacy Principles. For vulnerable customers, including Indigenous communities or customers under financial hardship, institutions should deploy additional safeguards to ensure that opt-out requests are still honoured during accelerated transition activity and that alternative communication channels (such as paper mail or community outreach) are available.

Evidence and assurance expectations: APRA supervisors will expect to see a CPS 190 evidence library that demonstrates the plan’s credibility. Core artefacts include board and risk committee minutes, recovery option cost-benefit analysis, scenario design documentation, liquidity and capital modelling outputs, and decision trees showing exit sequencing. Audit-ready evidence should also capture how universal opt-out processes were validated during crisis communication drills, with system logs proving that suppression lists and GPC signals propagated through email, SMS, and call-centre tooling.

Internal audit functions should schedule thematic reviews across 2024 and 2025 to assess CPS 190 readiness, testing governance escalation, data lineage, and the completeness of exit contingency arrangements. Assurance plans ought to cover the linkage between CPS 190 and other prudential standards—particularly CPS 900 resolution planning for domestic systemically important banks (D-SIBs), CPS 226 margining and risk mitigation for derivatives, and the cross-industry Prudential Standard CPS 511 on remuneration incentives. External assurance may be necessary for critical models, such as asset valuation models used to support sale or securitisation recovery options.

Implementation playbook for 2024–2025: Institutions should stand up a dedicated CPS 190 program office that tracks progress against milestones, dependencies, and resourcing. Key tasks include conducting a gap assessment against the final standard and CPG 190 guidance, updating recovery option catalogues with refreshed feasibility assessments, and aligning funding strategies with the Liquidity Coverage Ratio and Net Stable Funding Ratio metrics. Treasury teams must test contingent funding arrangements, including collateral mobilisation, central bank facilities, and stress repo operations, documenting legal opinions that confirm enforceability.

Scenario testing should draw on cross-disciplinary expertise. For example, cyber-resilience scenarios ought to include technology, security, customer experience, and communications leaders to rehearse how a ransomware event interacts with recovery triggers, universal opt-out compliance, and regulatory disclosure obligations. Institutions should combine table-top exercises with data-driven simulations that assess system capacity for high-volume transactions, payment redirection, or policyholder transfer. Where exit strategies involve selling portfolios to third parties, business units must pre-negotiate data-sharing protocols, transitional services agreements, and employee transfer frameworks that preserve customer protections.

Stakeholder engagement: APRA expects proactive dialogue. Boards should prepare to brief supervisors on CPS 190 implementation status during prudential reviews and provide credible timelines for remediating gaps. Where institutions are part of cross-border groups, they must harmonise recovery planning with home regulator expectations, such as the Bank of England’s solvent exit requirements or the Monetary Authority of Singapore’s recovery planning guidelines, ensuring that universal opt-out controls remain consistent across jurisdictions. Institutions should also engage with resolution authorities, state-based regulators, and industry bodies to align on systemic crisis coordination.

Next steps for leaders: Board chairs should schedule CPS 190 deep dives in early 2025 agendas, request assurance over universal opt-out control effectiveness during crisis scenarios, and confirm that the chief risk officer can access the data needed for rapid decision-making. Chief operating officers must integrate CPS 190 triggers into operational dashboards and ensure crisis playbooks include alternate work locations and workforce surge plans. Chief information officers should validate that data platforms can segregate customer consent states at scale, while compliance officers map regulatory reporting obligations—including APRA notifications within 24 hours of activation of recovery plans—and prepare disclosure scripts that reflect opt-out considerations.

Zeph Tech supports CPS 190 programs by connecting recovery dashboards to consent orchestration, universal opt-out management, and evidence vaults, giving boards real-time assurance that crisis playbooks stay compliant under stress.
