APRA CPS 234 Compliance for AI Systems
A comprehensive guide to meeting APRA's prudential standard on information security when deploying AI in Australian financial services. Understand the requirements, identify the gaps, and implement compliant AI with confidence.
What is APRA CPS 234?
Prudential Standard CPS 234 — Information Security — is APRA's mandatory framework for managing information security in regulated financial services entities. It has been in force since July 2019 and applies to every APRA-regulated entity in Australia.
Who Must Comply
CPS 234 applies to all APRA-regulated entities, regardless of size:
- Authorised deposit-taking institutions (banks, credit unions, building societies)
- General insurers and life insurance companies
- Registrable superannuation entity (RSE) licensees
- Holding companies of banking and insurance groups
Core Objective
The standard requires entities to:
- Maintain information security capability commensurate with threats
- Implement controls to protect information assets
- Detect and respond to incidents in a timely manner
- Notify APRA of material incidents within 72 hours
CPS 234 Requirements for AI Systems
Each requirement of CPS 234 has specific implications for AI deployments. Here is how each requirement applies and how Custom LLM addresses it.
Information Asset Identification
CPS 234 Para 15-17
The Requirement
APRA-regulated entities must identify all information assets, including those managed by third parties. AI systems that process, store, or transmit information are information assets that must be identified, classified, and recorded in the entity's information asset register.
How Custom LLM Addresses It
Our platform provides a complete inventory of all data processed by the AI system, including data sources, processing flows, and storage locations. This inventory maps directly to your entity's information asset register requirements.
Information Asset Classification
CPS 234 Para 18-19
The Requirement
Information assets must be classified by criticality and sensitivity. The classification must reflect the potential impact of a compromise on the entity, its customers, and the financial system. AI training data, model weights, and inference outputs all require appropriate classification.
How Custom LLM Addresses It
The platform enforces classification-appropriate security controls automatically. Data ingested into the AI system inherits the classification of the source, and the platform applies controls commensurate with the highest classification of data it processes.
Security Controls
CPS 234 Para 20-23
The Requirement
Security controls must be commensurate with the size and extent of threats to information assets, the criticality and sensitivity of information assets, the stage of the information asset lifecycle, and the potential consequences of a security incident.
How Custom LLM Addresses It
The platform applies multi-layered security controls, including AES-256 encryption at rest, TLS 1.3 in transit, role-based access controls, network segmentation, continuous monitoring, and Essential Eight implementation at Maturity Level Three.
Incident Management
CPS 234 Para 24-28
The Requirement
Entities must have mechanisms to detect and respond to information security incidents in a timely manner. Material information security incidents must be notified to APRA within 72 hours. AI-specific incidents — such as data exfiltration through prompts or model manipulation — must be covered.
How Custom LLM Addresses It
Incident response procedures are aligned with the 72-hour notification requirement. AI-specific threat detection covers prompt injection monitoring, data exfiltration attempts, and anomalous access patterns, with automated alerting that classifies each alert by severity.
Testing Program
CPS 234 Para 29-33
The Requirement
Entities must maintain a systematic testing program that verifies the effectiveness of security controls. Testing must be performed by appropriately skilled and independent specialists. For AI systems, this includes penetration testing of the AI inference layer.
How Custom LLM Addresses It
Regular penetration testing by independent CREST-certified assessors covering the full AI stack: inference APIs, data ingestion pipelines, access controls, and network perimeter. Testing reports are provided in a format suitable for APRA examination.
Third-Party Management
CPS 234 Para 34-36
The Requirement
Where information assets are managed by a third party, the entity must assess the information security capability of the third party commensurate with the potential consequences of a breach. Audit rights and ongoing assurance must be maintained.
How Custom LLM Addresses It
Our contractual framework includes the audit rights, security assurance reporting, and incident notification provisions that CPS 234 requires. We provide SOC 2 Type II reports, regular penetration test summaries, and support direct audit by your entity's assessors.
Board & Senior Management Obligations
CPS 234 places specific obligations on the board and senior management of APRA-regulated entities. When AI is deployed, these obligations extend to the governance of AI systems.
Board Responsibilities
- Ensure the entity maintains an information security capability commensurate with the size and extent of threats (including AI-related threats)
- Approve the entity's information security policy framework, including AI governance
- Receive reporting on material information security incidents and the status of AI risk management
Management Responsibilities
- Implement the information security policy framework with AI-specific controls
- Maintain a register of AI-related information assets with appropriate classification
- Ensure AI vendor third-party arrangements include audit rights and incident notification
Path to CPS 234 Compliant AI
A structured approach to achieving and maintaining CPS 234 compliance for your AI deployment.
Gap Assessment
We assess your current AI usage against CPS 234 requirements, identifying gaps in information asset classification, security controls, third-party management, and incident response procedures.
Architecture Design
A CPS 234-compliant AI architecture is designed, addressing every requirement: sovereign hosting, access controls, encryption, audit trails, incident management, and board reporting.
Implementation
The compliant AI platform is deployed with all security controls active, integrated with your entity's security monitoring, and documented to the standard required for APRA examination.
Ongoing Assurance
Continuous monitoring, regular penetration testing, and periodic compliance reviews ensure ongoing adherence to CPS 234 as both the standard and your AI usage evolve.
Related Resources
Custom LLM for Financial Services
See how our full financial services AI solution meets APRA requirements across compliance, credit, and risk management.
Data Sovereignty Guide
Understand the broader data sovereignty landscape in Australia, including the CLOUD Act, Privacy Act, and sovereign cloud options.
On-Premises Deployment
For maximum control, deploy your AI entirely within your entity's own infrastructure.
Frequently Asked Questions
Common questions about APRA CPS 234 compliance for AI systems in Australian financial services.
CPS 234 does not specifically mention AI or machine learning by name. However, the standard applies to all information assets and the management of information security, which includes AI systems that process, store, or transmit information. APRA has issued supplementary guidance (notably through SPS 234 and various information papers) making clear that AI systems are information assets subject to CPS 234. The standard's technology-neutral language means it applies to AI systems through its general requirements for information asset identification, classification, and protection.
APRA has broad enforcement powers for prudential standard breaches. Penalties can include formal directions requiring remediation, additional capital requirements (which directly affect profitability), restrictions on business activities, enforceable undertakings with public disclosure, and in severe cases, removal of responsible officers. While specific monetary penalties depend on the circumstances, the reputational and operational costs of APRA enforcement action are substantial. The 72-hour breach notification requirement means non-compliance is often discovered quickly.
CPS 234 explicitly covers third-party service providers. When an APRA-regulated entity uses a third-party AI platform, the entity remains responsible for ensuring the AI vendor meets equivalent security standards. This includes maintaining audit rights, ensuring the vendor can demonstrate adequate security controls, and having incident notification procedures in place. Most public AI platforms do not provide the level of contractual audit rights, data segregation, or sovereign hosting that CPS 234 demands.
The Essential Eight is the Australian Signals Directorate's (ASD) baseline of mitigation strategies for cybersecurity. While CPS 234 does not mandate the Essential Eight specifically, APRA expects regulated entities to implement security controls commensurate with their risk profile. In practice, APRA's expectations align closely with Essential Eight Maturity Level Two or Three for most regulated entities. Our AI platform implements all Essential Eight strategies at Maturity Level Three.
CPS 234 and the Privacy Act operate as complementary frameworks. CPS 234 addresses information security (protecting data from unauthorised access), while the Privacy Act addresses information privacy (appropriate collection, use, and disclosure of personal information). AI systems in financial services must comply with both: CPS 234 for the security of the AI infrastructure and data handling, and the Privacy Act for the lawful processing of personal information by the AI. Non-compliance with either can result in separate enforcement actions.
Yes. CPS 234 applies to all APRA-regulated entities, which includes authorised deposit-taking institutions (ADIs — banks, credit unions, building societies), general insurers, life insurers, and registrable superannuation entity (RSE) licensees. The standard applies regardless of the entity's size, though the expected level of security capability is proportionate to the entity's risk profile. Smaller ADIs using AI for member services or internal operations must still classify their AI-related information assets and apply appropriate controls.
Custom LLM is architected specifically for regulated environments. Our sovereign deployment eliminates the third-party AI vendor risks that CPS 234 scrutinises. Information asset classification is built into the platform. Access controls are aligned with your entity's security framework. Comprehensive audit trails satisfy examination requirements. Incident management procedures meet the 72-hour notification obligation. And our contractual framework includes the audit rights and assurance reporting that CPS 234 requires for all service providers.
Deploy AI with CPS 234 Confidence
Book a compliance assessment to understand exactly where your current AI usage stands against CPS 234 requirements, and get a clear roadmap to fully compliant AI deployment.