Australian Prudential Regulation Authority (APRA)

APRA overview

The Australian Prudential Regulation Authority (APRA) oversees banks, credit unions, insurance companies, and other financial services institutions in Australia. Recognizing the momentum towards cloud computing, APRA has called on regulated entities to implement a thoughtful cloud-adoption strategy with effective governance, thorough risk assessment, and regular assurance processes. Regulated institutions must comply with the APRA Prudential Standard CPS 231 Outsourcing when outsourcing a material business activity — any activity that has the potential, if disrupted, to have a significant impact on the financial institution’s business operations or ability to manage its risks effectively. Based on its review of outsourcing arrangements involving cloud computing services submitted to APRA, APRA published specific, detailed guidance in its information paper, Outsourcing involving cloud computing services to help regulated entities assess cloud providers and services more effectively and guide them through the regulatory issues of outsourcing to the cloud. When outsourcing, including to a cloud service, regulated institutions must also review and consider their ongoing compliance with APRA Prudential Standard CPS 234 Information Security.

Microsoft and APRA

For financial institutions in Australia that are assessing cloud providers and their services, Microsoft has published:

Together they demonstrate how financial firms can move data and workloads to Microsoft Azure with the confidence that they are complying with Australian Prudential Regulation Authority (APRA) regulations and guidance.

To learn about the benefits of APRA-compliant financial services on Azure, read the Regtech meets Fintech: Perpetual and Microsoft transform the finance sector article.

Microsoft response to the APRA Information Paper on Cloud

This Microsoft paper provides guidance for financial services institutions, with a detailed response to each issue raised in the APRA Information Paper Outsourcing involving cloud computing services. The APRA guidelines identify three risk categories into which cloud usage typically falls — low, heightened, and extreme inherent risk — and highlight key issues that regulated entities must consider as part of their risk assessment.

The Microsoft response focuses on the two highest risk categories. While cloud services are not prohibited by any risk category, APRA expects you to undertake a commensurately higher level of diligence, and you should expect an increasing level of APRA scrutiny, as you move up the risk categories. APRA lists a range of factors that typically indicate high or extreme inherent risk for cloud outsourcing. Microsoft addresses each of these factors in depth, providing information and tools to help you assess and manage the risk of moving your data and workloads to Azure.

Microsoft also addresses each APRA risk management consideration: strategy, governance, solution selection process, APRA access and ability to act, transition approach, risk assessments and security, ongoing oversight, business disruption, and audit and assurance. Point by point, we give advice and offer tools to help you respond to each issue when deploying Azure.

Get practical support for moving data and workloads to Azure in compliance with APRA regulations: Download the Microsoft response to the APRA Information Paper on Cloud.

Microsoft response to the APRA CPS 234 on Information Security

APRA Prudential Standard CPS 234 Information Security requires regulated institutions to:

  • clearly define information-security related roles and responsibilities;
  • maintain an information security capability commensurate with the size and extent of threats to their information assets;
  • implement controls to protect information assets and undertake regular testing and assurance of the effectiveness of controls; and
  • promptly notify APRA of material information security incidents.

CPS 234 closely mirrors the core Microsoft security framework: protect, detect, and respond.

Microsoft cloud services: compliance with APRA Prudential Standard CPS 234 Information Security sets out each of the relevant CPS 234 regulatory obligations, and maps against it the Microsoft cloud service controls, capabilities, functions, contract commitments, and supporting information to help your APRA-regulated entity comply with its regulatory obligations under CPS 234.

This Microsoft checklist introduces APRA regulatory requirements that financial firms must address when moving to the cloud. It maps Azure not only against the Prudential Standard CPS 231 Outsourcing, but also against other relevant APRA standards, such as those for business continuity and risk management. Completing this checklist helps your financial services institution adopt Azure with the confidence that it meets the relevant APRA requirements.

By relying on our comprehensive approach to risk assurance in the cloud, we are confident that Australian financial services organizations can move to Microsoft cloud services in a manner that is not only consistent with APRA guidance, but can provide customers with a more advanced security risk management profile than on-premises or other hosted solutions.

Get practical support for moving data and workloads to Azure in compliance with APRA regulations: Download Microsoft cloud services: a compliance checklist for financial institutions in Australia.

Microsoft in-scope cloud services

Frequently asked questions

Do financial institutions need APRA approval before outsourcing material business activities?

No. However, most regulated financial organizations must notify APRA after entering into agreements to outsource material business activities within Australia or consult with APRA before outsourcing those activities outside of Australia.

In addition, if the cloud services are deemed to carry 'heightened or extreme inherent risk' as described in the APRA Information Paper on Cloud, the financial institution is encouraged (but not required) to consult with APRA, regardless of whether the service is provided within or outside of Australia.

Are transfers of data outside of Australia permitted?

Yes. General privacy legislation (which applies across all sectors, not just to financial institutions) permits transfers outside of Australia under certain conditions. Microsoft agrees to contractual terms in line with Australian Privacy Principles so that transfers of data outside of Australia are permitted when you use Microsoft cloud services. However, many of our Australian financial services customers take advantage of the cloud services available from our Australian datacenters, for which we make specific contractual commitments to store categories of data at rest in the Australian geography. These commitments are outlined further in the compliance checklist.

Use Microsoft Compliance Manager to assess your risk

Microsoft Compliance Manager is a feature in the Microsoft 365 compliance center to help you understand your organization's compliance posture and take actions to help reduce risks. Compliance Manager offers a premium template for building an assessment for this regulation. Find the template in the assessment templates page in Compliance Manager. Learn how to build assessments in Compliance Manager.

Resources