Regulated cloud outsourcing
4. When does cloud outsourcing fall within the scope of the rules?

Australian Prudential Regulation Authority ("APRA") Prudential Standards and Guidance

Under Prudential Standard CPS 231 on Outsourcing ("CPS 231"), an outsourcing will involve a "material business activity" if it "has the potential, if disrupted, to have a significant impact on the APRA-regulated institution's or group's business operations or its ability to manage risks effectively" having regard to various factors, including the following:

  • Financial, reputational and operational impact of a service provider failure over a given period
  • Cost of the arrangement
  • Degree of difficulty in finding an alternative service provider or bringing the activity in-house
  • Ability of the APRA-regulated entity or its affiliates to meet regulatory requirements if there are problems with the service provider

Additionally, Prudential Practice Guide PPG 231 — Outsourcing indicates that outsourcing a significant part of a regulated institution's IT functions supporting its core business will be the outsourcing of a "material business activity." APRA's notification and consultation expectations under CPS 231 turn on whether a particular arrangement involves low, heightened or extreme inherent risk, and APRA's Information Paper on Outsourcing Involving Cloud Computing Services provides guidance on when a particular outsourcing arrangement will fall within each of these characterizations.

Prudential Standard CPS 220 on Risk Management and Prudential Standard CPS 234 on Information Security set general risk management and information security requirements for APRA-regulated entities. Additionally, Prudential Practice Guide CPG 234 on Information Security and Prudential Practice Guide CPG 235 on Managing Data Risk provide guidance on information security and on managing data risk, respectively. These requirements and guidance are not specific to cloud, but they nevertheless inform the basis on which such entities organize their data and information security arrangements and engage with third-party service providers, including cloud service providers.

Draft Prudential Standard CPS 230 on Operational Risk Management, which is intended to replace CPS 231 from January 2024, will have implications for cloud outsourcing arrangements. For example, the draft includes a non-exhaustive list of the services that would be classified as "material," so entities will need to reassess which of their cloud arrangements fall within that classification.

Australian Securities and Investments Commission ("ASIC") requirements

The enhanced technological and operational resilience requirements in the ASIC market integrity rules, which apply from 10 March 2023, apply in relation to the outsourcing of "critical business services," meaning functions, infrastructure, processes or systems that, in the event of a failure to operate effectively, would be likely to cause significant disruption to a market participant's "participant operations" or to materially impact the participant's "participant services." Notes to the rules indicate that this would generally include functions, infrastructure, processes and systems that deliver or support order acceptance, routing and entry; clearing and settlement of transactions; payments and deliveries of financial products and funds; accounting for or reconciling client money, trust accounts, securities and funds; confirmations; and regulatory data reporting.

Australian Securities Exchange ("ASX") rules

Whether exchange rules affect the use of a cloud provider's services depends on the extent to which the outsourcing to the cloud service provider impacts the entity's interaction with the ASX. In this context, an arrangement is material if it constitutes the outsourcing of a material business activity. Examples include the outsourcing of the operation of core IT systems used in the participant's activities with the ASX and the outsourcing of the settlement and clearing function.