Australian Prudential Regulation Authority ("APRA") Prudential Standards and Guidance
Where an APRA-regulated entity will be outsourcing a "material business activity," Prudential Standard CPS 231 ("CPS 231") on Outsourcing imposes requirements regarding the outsourcing agreement. For example:
- The agreement must be signed before the outsourcing arrangement commences.
- The entity must notify the APRA as soon as possible and no later than 20 business days after entering into the agreement and provide a key risks summary and details of risk minimization strategies in place.
- The entity must consult with the APRA before entering into any offshoring agreement (the APRA may intervene and require the entity to make other arrangements).
- The outsourcing agreement must address certain minimum matters. Notably, this includes the following:
  - The form in which data is to be kept and clear provisions identifying ownership and control of data
  - Liability and indemnity provisions, including an indemnity making the outsourced service provider liable for any subcontractor's failure
  - Business continuity management
  - Confidentiality, privacy and security of information
  - To the extent applicable, offshoring arrangements (including through subcontracting)
  - A clause allowing the APRA access to documentation and information related to the outsourcing arrangement
- The entity must make notifications on termination of the outsourcing agreement.
Draft Prudential Standard CPS 230 on Operational Risk Management, which is planned to replace CPS 231 from January 2024, proposes some key changes to the above requirements.
Australian Securities and Investments Commission ("ASIC") requirements
From 10 March 2023, financial markets and participants of such markets are subject to updated ASIC market integrity rules containing enhanced technological and operational resilience requirements, including in relation to outsourcing. The requirements for outsourcing arrangements for critical business services include that the outsourcing agreement is documented and legally binding and that it meets the following:
- It describes the nature, scope and quality of the services.
- It requires notice of subcontracting or material service changes to be given to the operator.
- It deals with termination and provides for orderly transition following termination.
- It provides for the orderly transfer of services provided under the outsourcing arrangement to the operator/participant or another service provider in the event of termination of the outsourcing agreement.