As previously reported the Australian Prudential Regulation Authority (APRA) is continuing to caution banks, life insurers, general insurers and superannuation entities (Regulated Institutions) about the risks inherent in off-shoring and outsourcing.  

On 11 December 2012, APRA released Draft Prudential Practice Guide PPG235 (Guide) on managing data risk for industry consultation and comment.  The draft Guide has been released to highlight the importance of data use, retention, storage and security, and to address identified weaknesses in the data practices of Regulated Institutions.

The draft Guide applies to all Regulated Institutions, and provides guidance on best practice measures to be adopted to manage data risks.  The draft Guide is not intended to replace or endorse any existing industry standards, and Regulated Institutions may implement measures not specified in the Guide that are appropriate for that institution having regarding to the size, nature and complexity of its operations.

APRA states that managing data risk is important for a broad range of outcomes of a Regulated Institution including business objectives, obligations to stakeholders, effective management and governance.  Data risk often results from the failure of internal data management processes or from external events.  Examples of data risk include data theft, business disruptions as a result of data corruption or unavailability and breach of legal or compliance obligations.

High-level principles for data risk management

The draft Guide sets out the following high-level principles to manage data risks:

Click here to view table.

Off-shoring or outsourcing data management responsibilities

APRA has also restated its concerns regarding the risks of outsourcing and off-shoring by setting out APRA’s expectations of Regulated Institutions if they intend to outsource or offshore its data management responsibilities. 

In particular, the draft Guide states that APRA expects Regulated Institutions to apply a “cautious and measured approach” in determining whether to retain data offshore, and consider whether the risks involved are within the institution’s “risk appetite”.

Further, the draft Guide states that when outsourcing or off-shoring data management, a Regulated Institution will be expected to demonstrate the following:

  1. ability for the Regulated Institution to maintain business continuity in the event of loss of services;
  2. quality maintenance of critical or sensitive data;
  3. compliance with applicable legislation and prudential requirements; and
  4. no impediments to APRA fulfilling its duties as prudential regulator (including prompt access to data in a useable form, no jurisdictional hurdles to access or no technical controls limiting access).

The draft Guide also set outs APRA’s expectations in relation to the assessment and ongoing management of outsourced/off-shored data management responsibilities, such as conducting detailed risk assessments, developing business cases to justify the risk exposure and periodic evaluation of the risks.

APRA is seeking comments on the draft Guide from industry and stakeholders by 29 March 2013.