Regulatory notifications
5. Does the outsourcing need to be notified to the regulator?

Yes, there are notification requirements that may apply depending on the type of entity, the nature of the outsourcing and other circumstances:

Australian Prudential Regulation Authority ("APRA") Prudential Standards and Guidance

Where an APRA-regulated entity will be outsourcing a "material business activity," Prudential Standard CPS 231 on Outsourcing ("CPS 231") imposes the following requirements for the entity (or the head of its group):

  • Notify the APRA as soon as possible and no later than 20 business days after entering into the outsourcing agreement, and provide a key risks summary and details of risk minimization strategies in place.
  • Consult with the APRA if offshoring to a service provider outside Australia.
  • Advise the APRA of any significant problems that have the potential to materially affect the outsourcing arrangement and, therefore, materially affect the business operations, profitability or reputation of the group.
  • Make notifications on the termination of the outsourcing agreement.

Additionally, the APRA may request the external auditor of an institution, or an appropriate external expert, to assess the entity's risk management processes with respect to the outsourcing of a material business activity. 

Draft Prudential Standard CPS 230 on Operational Risk Management, which is planned to replace CPS 231 from January 2024, proposes a new requirement to notify the APRA as soon as possible, and no later than 72 hours after becoming aware of a material operational risk incident.

The APRA Information Paper on Outsourcing Involving Cloud Computing Services also "encourages" consultation with the APRA prior to entering into any arrangement (regardless of whether offshoring is involved) when the proposed arrangement involves heightened or extreme inherent risks. There is guidance in the paper as to when this will be the case.

The general notification requirements of Prudential Standard CPS 220 on Risk Management ("CPS 220") and Prudential Standard CPS 234 on Information Security ("CPS 234") (and associated guidance) will also need to be considered when using a cloud services provider. For example:

  • CPS 220 imposes obligations to provide the APRA with copies of an entity's risk appetite statement, business plan and risk management strategy. It also requires an entity to notify the APRA on becoming aware of a significant breach of, or material deviation from, the risk management framework, or that the risk management framework does not adequately address a material risk.
  • CPS 234 imposes obligations to notify the APRA of certain material information security incidents, and of certain material information security control weaknesses, and this would need to be accounted for in third-party cloud service provider engagements.

Australian Securities Exchange ("ASX") requirements

As noted above, entities that are participants with the ASX and ASX Clear must comply with a requirement to notify the ASX of the offshoring and outsourcing of material business activities.