Microsoft's Commitment to the Australian Financial Services Sector

Microsoft is pleased to have helped a number of financial institutions in Australia move to the cloud, working in close cooperation with APRA and the financial institutions themselves.

Whether it is National Australia Bank, which is leveraging the flexibility and elasticity of Microsoft's cloud to support its customers' needs, or Insurance Advisernet, which uses Dynamics, Office 365 and Azure to provide a centralized, secure data repository for its teams, financial institutions are benefiting from cloud services to enhance operations and provide better services to their customers.

Recognizing the momentum toward shared computing services, including cloud, APRA calls for regulated entities to implement a thoughtful cloud adoption strategy with effective governance arrangements, a thorough risk assessment and regular assurance processes. Through its partnership with a number of financial institutions in Australia and its long-standing engagement with APRA, Microsoft has developed deep experience of delivering solutions that meet all applicable compliance requirements. Microsoft's response to APRA's Information Paper on cloud was issued to provide further transparency and to tackle common misconceptions surrounding the adoption of cloud in the Australian financial services sector.

From sharing product and service information in the initial project scoping phase through to assisting in any required consultation with APRA, Microsoft stands ready to support our financial institutions customers. By providing these tools and materials, Microsoft reaffirms our commitment to make the adoption of cloud as smooth as possible for your organization. Our subject-matter experts are available to understand your requirements and provide detailed information on the technical, contractual and practical aspects of your proposed cloud project. This is all part of our commitment to providing clarity and helping our financial institution customers innovate and navigate their way to the Microsoft cloud with confidence and enjoy the benefits of digital transformation.

Regulatory Overview

The Australian financial services sector is undergoing a rapid transformation, powered by cloud technologies. Financial services institutions across the country, including major banks and insurance companies, are adopting cloud services, from testing and development of data analytics solutions through to communications, CRM and business productivity applications.

From a regulatory perspective, cloud is permitted. The regulatory framework in Australia permits and specifically contemplates the use of cloud services, including public cloud services. If the use of cloud services is a "material outsourcing" (see below), then the financial institution must:

  1. notify the Australian Prudential Regulatory Authority (APRA); or
  2. consult with APRA (if the services are provided outside of Australia).

In addition, if the cloud services are deemed to carry "heightened inherent risk" or "extreme inherent risk", the financial institution is encouraged (but not required) to consult with APRA, regardless of whether the service is provided in or outside of Australia.

Regulatory Deep Dive

Australian Prudential Regulatory Authority (APRA). Banks, credit unions, general insurers, life insurers, superannuation trustees and other FSIs are regulated by APRA.

Yes.

The Prudential Standard CPS 231 – Outsourcing. When outsourcing a "material business activity", regulated institutions must comply with APRA's outsourcing guidelines. A "material business activity" is an activity that has the potential, if disrupted, to have a significant impact on the financial institution's business operations or its ability to manage its risks effectively.

Meanwhile, APRA's Information Paper, "Outsourcing involving Cloud Computing Services" (September 2018), outlines important guidance for regulated entities in their assessment of cloud providers and cloud services. Microsoft's response to the APRA paper provides some practical commentary and is available here.

In addition, the Prudential Standard CPS 234 – Information Security sets out APRA's requirements on information security management for regulated institutions.

No.

However, financial institutions (other than regulated superannuation entities) must:

  • notify APRA after entering into agreements involving material outsourcing arrangements within Australia; or
  • consult with APRA before outsourcing material business activities outside of Australia. In practice, financial institutions need to be satisfied that APRA has no objections to the offshore outsourcing before entering into the agreement.

In addition, if the cloud services are deemed to carry "heightened inherent risk" or "extreme inherent risk", as described in APRA's Information Paper, "Outsourcing involving Cloud Computing Services" (September 2018), the financial institution is encouraged (but not required) to consult with APRA, regardless of whether the service is provided in or outside of Australia.

The financial institution must ensure that the cloud services provider:

  1. provides APRA with information and documents on request;
  2. allows APRA a right of inspection; and
  3. conducts appropriate audits, including those performed by independent third-party auditors.

Australian general privacy legislation (which applies across all sectors, not just to financial institutions) permits transfers of personal information outside of Australia where:

  1. the individual gives informed consent;
  2. the financial institution reasonably believes that the cloud services provider is subject to laws, binding schemes or contracts that protect personal information in a substantially similar way to those in Australia; or
  3. the cloud services provider agrees to contractual terms in line with the Australian Privacy Principles.

The financial institution must:

  • prepare a business case and conduct the procurement in a manner that demonstrates that it has considered the impact of the outsourcing on its risk profile (the financial institution could argue that using a reputable provider such as Microsoft is part of its approach to managing risk);
  • have in place an up-to-date outsourcing policy;
  • consider the impact of the use of cloud services on its business continuity risk and be satisfied that contingency measures exist if the outsourced activity needs to be moved in-house or to an alternate platform;
  • satisfy itself that the service provider's business continuity arrangements are consistent with the financial institution's own business continuity plan and effectively manage the financial institution's overall business continuity risk;
  • evidence the outsourcing by a written, legally binding contract which includes requirements that: (i) the cloud services provider keeps any APRA audit or visit confidential; and (ii) the cloud services provider grants an indemnity in respect of acts by the cloud services provider's subcontractors. Microsoft has prepared a summary of these requirements and how its contract complies; this is available from your Microsoft contact upon request;
  • manage and monitor the outsourcing relationship at all times, including via service levels and regulator meetings; and
  • inform APRA of "significant problems" (i.e. problems that have the potential to materially affect the business operations, profitability or reputation of the financial institution).

General privacy laws (applicable across all sectors) would also be relevant. These laws set out various privacy principles applicable to the collection, use and disclosure of personal data.