Pathways to Regulatory Compliance in Your Cloud Journey - Australia

References for security and compliance professionals in the Financial Sector

The Regulatory Environment in Australia

Australia has an open, highly developed and competitive financial market. The regulator, the Australian Prudential Regulation Authority (APRA), oversees the changes to the delivery of financial services and to the structure of the financial market that result from technological advances. The authority recognizes that cloud computing represents a significant technological change in the industry. It also acknowledges the continuous evolution of cloud computing in recent years and expects the same trend to continue. Accordingly, APRA released an updated version of its information paper on the use of cloud computing in late 2018, with the purpose of helping APRA-regulated entities be resilient and responsive to the risks associated with outsourced cloud services.

To seize new digital opportunities and encourage innovation, APRA has offered the Restricted Authorised Deposit-taking Institution (ADI) licence since 2018, which is designed to encourage more fintech start-ups to enter the finance industry. Another regulator, the Australian Securities and Investments Commission (ASIC), launched an Innovation Lab in early 2015 to promote innovation and provide assistance to fintech start-ups in Australia. Alibaba Cloud has worked with these fintech start-ups to innovate, transform and rapidly grow their businesses in the financial market, demonstrating that Alibaba is ready to support customers from the financial sector in Australia.

Australian Prudential Regulation Authority (APRA)

The Australian Prudential Regulation Authority (APRA) is an independent statutory authority that supervises institutions across the banking, insurance and superannuation industries and promotes the stability of the financial system in Australia.

Prudential Standard CPS 231 Outsourcing

This Prudential Standard requires APRA-regulated entities to appropriately manage the risks arising from the outsourcing of material business activities. A material business activity, as defined in the standard, is one that, if disrupted, would have a significant impact on the entity's business operations or on its ability to manage risks.

Alibaba Cloud has engaged with external assessors to perform an independent assessment on Alibaba Cloud’s adherence to this Prudential Standard. Alibaba Cloud also provides more explanatory information for reference purposes in a User Guide document. Refer to the Informational Resources below.

Prudential Standard CPS 234 Information Security

This Prudential Standard requires APRA-regulated entities to maintain an information security capability commensurate with the potential consequences of an information security incident. That capability must be kept up to date and maintained on an ongoing basis so as to ensure the continued sound operation of the entity. Prudential Practice Guide CPG 234 (Management of Security Risk in Information and Information Technology) provides detailed guidance on sound practices that entities are encouraged to adopt in specific areas of information security management.

Alibaba Cloud has engaged with external assessors to perform an independent assessment on Alibaba Cloud’s adherence to this Prudential Standard. Alibaba Cloud also provides more explanatory information for reference purposes in a User Guide document. Refer to the Informational Resources below.

Information Paper on Outsourcing involving Cloud Computing Services

In this Information Paper, APRA points out that the risks associated with the use of cloud computing services depend on the nature of the services consumed (IaaS, PaaS, SaaS) and on how those services are used. APRA classifies the risks into three categories (low inherent risk, heightened inherent risk and extreme inherent risk), helps regulated entities understand these risks, and provides detailed guidance on risk management throughout the outsourcing arrangement.

APRA explains that the controls implemented to protect a regulated entity's information assets follow the shared responsibility model. Moving from IaaS to PaaS to SaaS, the regulated entity relies on the provider to manage an increasing share of the technology stack, so it should evaluate the design and operating effectiveness of the provider's controls using the assurance the provider has obtained, such as SOC reports, CSA STAR and ISO 27001 certification.

Frequently Asked Questions

1. Is a formal approval needed from APRA regarding the outsourcing arrangement?

No. APRA-regulated entities are required to notify APRA after entering into a material outsourcing agreement. Prior consultation with APRA is required for outsourcing arrangements that (1) involve material business activities being conducted outside Australia, or (2) involve heightened or extreme inherent risks as defined in the Information Paper on Outsourcing involving Cloud Computing Services; early engagement is encouraged for the latter. No consultation or notification is needed for outsourcing arrangements involving non-material business activities.

2. Is offshore outsourcing allowed in Australia?

Yes, provided that the APRA-regulated entity has consulted with APRA in advance and demonstrated that it can adequately manage the additional risks and impacts arising from the offshore outsourcing arrangement. In the Information Paper on Outsourcing involving Cloud Computing Services, APRA encourages regulated entities to consider the benefits of Australian-hosted options when choosing an outsourcing solution.

3. How would data be securely removed from the respective infrastructure and rendered inaccessible upon cessation of services or account termination?

Upon contract termination, storage instances are released, and the original disk space and memory space are reliably scrubbed to ensure the security of user data. The customer also has the right to delete their account online once services are terminated.
