Managing data risk - APRA releases Draft Prudential Practice Guide 235

Introduction

On 11 December 2012, APRA released for consultation its Draft Prudential Practice Guide 235 Managing Data Risk (the Guide). The Guide was released in recognition of data as a key asset for regulated institutions and the need for appropriate data risk management.

Purpose of the Guide

The Guide is intended to highlight a number of weaknesses identified by APRA with current data risk management, and provide usable recommendations for institutions. Importantly, the Guide is only a Prudential Practice Guide and does not mandate compulsory Prudential Standards. Therefore, the relevance of particular content contained in the Guide will differ for each institution.

The Guide follows on from the 2009 Prudential Practice Guide 234 Management of security risk in information and information technology, and states that data risk is an important subset of IT risk.

Recommendations

APRA envisages that a regulated institution would adopt a set of high-level principles in order to establish a sound foundation for data risk management, in effect an approved data risk policy. Among other things, it is recommended these principles provide that:

  • data architecture practices are used to assist in understanding how data is captured, processed, retained, published and destroyed;
  • access to data is only granted where required to conduct business processes;
  • data validation, correction and cleansing occur as close to the point of capture as possible;
  • controls are implemented to ensure that data processing continues to meet data quality requirements;
  • automation (where viable) is used as an alternative to manual processes;
  • data quality is assessed to ensure it is acceptable for the intended purpose;
  • ongoing business process-specific training is run for staff to educate them as to their responsibilities in maintaining data quality;
  • there is timely detection and reporting of data issues to minimise the time in which an issue can impact on the institution;
  • ongoing checks are performed by internal risk or audit, supported by reporting mechanisms (e.g. metrics, exceptions) and management reviews; and
  • data destruction and retention controls are implemented to ensure that data confidentiality and quality requirements are not compromised as a result of risks associated with the destruction and storage of data.

Outsourcing and offshoring of data management responsibilities

Importantly, APRA expects a regulated institution to apply a cautious and measured approach when considering retaining data outside the jurisdiction it pertains to. When outsourcing or offshoring data management responsibilities, APRA expects that a regulated institution would be able to demonstrate the following:

  • the ability to continue operations and meet core obligations following a loss of services;
  • maintenance of the quality of critical or sensitive data;
  • compliance with legislative and prudential requirements; and
  • a lack of impediments (from jurisdictional hurdles or technical complications) to APRA being able to fulfil its duties as prudential regulator (including timely access to data in a usable form).

The draft Prudential Practice Guide 235 can be accessed here. APRA is seeking comment on the Guide from industry and interested parties by 29 March 2013.