CPS 230 and AI in Collections: The 5 Compliance Gaps Most Teams Haven’t Closed

22 April, 2026

APRA’s CPS 230 came into effect in July 2025. Most compliance teams attended the briefings, updated the documentation, and moved on.

Nine months later, a more uncomfortable question is surfacing: have we done the work, or have we just described the work?

For collections operations using AI, whether that’s automated decisioning, prioritisation, predictive scoring, or Copilot-assisted case management, this distinction matters. APRA’s supervisory activity is intensifying. ASIC’s scrutiny of AI in credit and collections decisions is sharpening alongside it. And ‘we use the vendor’s AI, we don’t fully understand how it works’ is no longer a defensible position.

Key Takeaways

  • CPS 230 has been in force since July 2025 – APRA supervisory reviews are now underway
  • The ‘black box’ defence is gone. If AI is material to your operation, you’re accountable for how it works
  • ASIC’s conduct obligations run alongside CPS 230, creating dual regulatory exposure
  • Most organisations have documented their AI governance but haven’t tested it in practice
  • Five gaps are most common: vendor due diligence, explainability, model monitoring, contingency planning, and board accountability
  • Platforms can help reduce operational risk but the compliance obligation always sits with the regulated entity

 

The Gap Between Documentation and Reality

CPS 230 requires APRA-regulated entities to demonstrate operational resilience, including across the third-party systems and AI tools material to how they operate. Documentation of a framework is not the same as having a framework that works.

APRA’s supervisory focus in 2026 is explicitly on whether frameworks are ‘actively embedded in decision-making’. For collections operations, that means auditors asking pointed questions that documentation alone won’t answer.

What ‘Material’ Actually Means

If your AI system went offline tomorrow, or started producing significantly different outputs, would it materially affect your ability to manage your portfolio, comply with your obligations, or treat customers fairly? If yes, it’s material. And CPS 230 applies in full.

For most collections operations, that includes prioritisation engines, predictive scoring models, AI-assisted hardship assessments, intelligent communication sequencing, and Copilot tools in case management. The instinct to categorise these as ‘decision support’ to reduce regulatory footprint doesn’t hold up under scrutiny.

 

The Five Gaps Most Collections Operations Haven’t Closed

1. Vendor Due Diligence Beyond a Security Questionnaire

For AI vendors specifically, due diligence means understanding how the model was trained, what data it uses, how it handles edge cases, and what happens to your data if the vendor relationship ends. A SOC 2 report satisfies IT procurement, but it won’t satisfy an APRA auditor.

The fix: Add an AI-specific due diligence checklist covering model transparency, data governance, change management, and exit provisions. Review annually for material vendors.

2. Explainability: Can You Justify AI-Assisted Decisions?

When a customer complains to AFCA, or ASIC asks how a decision was made, ‘the AI recommended it’ is not an answer. Predictive scoring needs to produce interpretable outputs, not just scores. Hardship assessments need a clear audit trail of what was considered and who decided what.

The fix: Review every AI touchpoint against the question: if a regulator asked us to explain this decision tomorrow, could we? If the answer is ‘we’d have to go back to the vendor’, that’s a gap.

3. Model Monitoring: Are You Watching for Drift?

AI models don’t stay static. Economic conditions shift, customer behaviour shifts, and model outputs can drift in ways that aren’t immediately obvious. Most collections operations notice drift only when outcomes deteriorate, which means the problem has been running for weeks or months.

The fix: Set a quarterly review cadence for each material AI model, with clear performance benchmarks defined upfront.

4. Contingency Planning: What Happens If the AI Fails?

If your AI prioritisation engine went down at 7am on a Monday, what would your team do? CPS 230 requires documented contingency plans for material systems, and those plans need to be tested. An untested plan isn’t operational resilience.

The fix: Document, test, and maintain a manual fallback for each material AI system. Make sure it keeps you compliant with contact and response timelines.

5. Board-Level Accountability

CPS 230 and the Financial Accountability Regime (FAR) create personal accountability for board members and senior executives on operational risk, AI included. APRA’s expectation is that boards understand the AI systems their organisations use at more than a conceptual level.

The fix: Build a regular AI governance report into your board cycle. Cover model performance, risks and mitigations, and material changes to systems or vendors.

 

Where ASIC Sits in All of This

CPS 230 is an APRA standard. But the collections operations within APRA-regulated entities also sit within ASIC’s conduct jurisdiction, and ASIC’s focus is on consumer outcomes.

The practical implication is dual exposure. An AI that fails CPS 230’s governance requirements is an APRA issue. The same AI that produces decisions you can’t justify, or treats customer cohorts differently without defensible rationale, is simultaneously an ASIC issue. The two regulators are coordinating more actively than at any point in the past decade.

Hardship is where ASIC’s scrutiny is sharpest. An algorithm that flags hardship requests for expedited handling is not the same as a compliant hardship process, and ASIC will assess the outcome, not the intention.

 

Controlled AI Is Better Than Avoided AI

The safest approach isn’t to minimise AI use. The risk isn’t AI, it’s ungoverned AI.

A collections environment where actions are traceable, decisions are explainable, exceptions are visible, and activity can be suppressed when required is generally more defensible than a manual process with inconsistent decisions and incomplete documentation. That’s exactly what CPS 230 is pushing toward. Not an industry that avoids AI, but one that uses it with clear controls and accountability.

 

Self-Assessment Questions Worth Asking This Week

  • Can you list every AI system in your collections environment that is material to operations?
  • Do you have documented vendor due diligence for each one that goes beyond security certification?
  • Can you explain how each AI-assisted decision was reached, in terms a regulator and customer would understand?
  • Do you have a formal process for monitoring model performance and detecting drift?
  • Do you have a tested contingency plan for each material AI system?
  • Does your board receive substantive reporting on AI governance and performance?
  • Can your platform suppress activity on cases in hardship or complaint status and evidence that it did?

If the honest answer to any of these is ‘not yet’, that’s where to focus.

 

How 365 Collect Supports This

A software platform alone doesn’t make any organisation CPS 230 compliant. That obligation sits with the APRA-regulated entity. What a well-designed collections platform can do is provide the operational control and evidence layer that makes parts of that framework workable day to day.

Where the Platform Helps

Built on Microsoft Dynamics 365, Dataverse, and the Power Platform, 365 Collect provides:

  • Configurable workflow controls for consistent process application across cases
  • Complete audit trail of communications, case activity, and user actions
  • Visibility of planned versus actual activity, including exceptions and failures
  • Controlled suppression of activity when a case is in hardship, complaint, or dispute
  • Payment arrangement tracking with exception visibility
  • Configurable business rules tuned to your compliance environment
  • Controlled re-entry into standard collections when a case status changes

These capabilities help collections teams reduce operational risk, act more consistently, and evidence what happened and why when activity is reviewed.

Where Responsibility Still Sits With You

365 Collect contributes to a stronger control environment in collections. It does not replace the broader governance work CPS 230 requires, which includes:

  • Board and executive accountability for operational risk
  • Identification of critical operations and tolerance setting
  • Enterprise business continuity planning and testing
  • Service provider governance and contractual controls
  • The design of your overall operating model and manual fallback procedures
  • How the platform is implemented, configured, and governed in your environment

If you’d like to talk through how 365 Collect could support your control environment in collections, we’re happy to have that conversation.

Get in touch with our team here.

 

FAQs

Does CPS 230 apply to us if we’re not a bank or insurer?

CPS 230 directly applies to APRA-regulated entities. But if you’re contracted by one, their obligations flow through to how they govern you as a material service provider. Expect regulated clients to require collections partners to meet governance standards consistent with CPS 230.

We use a third-party AI tool but don’t control the model. Are we still responsible?

Yes. CPS 230 is explicit that regulated entities cannot outsource accountability. If the tool is material to your operations, you’re responsible for understanding how it works, governing how it’s used, and having a plan if it fails.

What does APRA supervisory activity look like?

Requests for governance documentation, followed by interviews with board and senior executives to assess whether frameworks are genuinely embedded in decision-making. Auditors look for gaps between what the documentation describes and what happens in practice.

How long does it take to close the typical compliance gaps?

Vendor due diligence and board reporting updates can be addressed in a few weeks. Model monitoring frameworks and contingency planning take two to three months to design, implement, and test properly. Start with an honest gap assessment.

How does 365 Collect support operational resilience in collections?

Through configurable workflow controls, a complete audit trail, communication tracking, payment arrangement visibility, and exception management. These form part of a client’s broader operational risk and service provider management framework; they are not a substitute for the client’s own governance, continuity, and accountability work. We’re happy to walk through how specific controls map to your environment.

 

This blog is intended as general guidance only and does not constitute legal or compliance advice. We recommend consulting your compliance team or legal advisors for advice specific to your organisation.
