Jean-Baptiste Bres

Chief Information Security Officer

Public Cloud ☁️ - Australia and New Zealand Regulatory Landscapes


More than ever, financial institutions in Australia and New Zealand are moving toward public cloud computing as a way to benefit from easy-to-use, flexible, cost-effective and reliable infrastructure and services. Moving to cloud solutions also enables customers to take advantage of the most advanced security capabilities and innovations because public cloud services generally adopt those innovations first and have a much larger pool of threat intelligence data to draw upon.
Despite its substantial benefits, cloud computing also creates a complex new environment for financial institutions to navigate. Regulators in Australia and New Zealand are evolving their requirements and guidelines. The result is a growing expectation that financial institutions have robust governance over their outsourcing process and ensure a high level of oversight of their cloud service providers.

In this article, the term "financial institutions" is used broadly, to include any entity that is regulated by the Australian Prudential Regulatory Authority (APRA) or The Reserve Bank of New Zealand (RBNZ). These entities include banks, credit unions, general insurers, life insurers and superannuation entities.

Regulation in Australia

In Australia, banks, credit unions, general insurers, life insurers, superannuation trustees and other financial institutions are regulated by the Australian Prudential Regulatory Authority (APRA).
APRA has published several requirements ("Prudential Standards") and guidelines ("Practice Guides" and "Information Papers") that financial institutions should be aware of when using cloud services, including:
  • APRA Information Paper "Outsourcing involving cloud computing services"
  • APRA Prudential Standard: Outsourcing (CPS 231)
  • APRA Prudential Practice Guide: Outsourcing (PPG 231)
  • APRA Prudential Standard: Information Security (CPS 234) - enforceable from 1 July 2019
  • APRA Prudential Standard: Business Continuity Management (CPS 232)
  • APRA Prudential Standard: Risk Management (CPS 220)
  • APRA Prudential Standard: Fit and Proper (CPS 520)
  • APRA Prudential Practice Guide: Managing Data Risk (CPG 235)
The latest version of each document can be found on the APRA website at https://www.apra.gov.au/industry-standards-and-guidance.
APRA requirements and guidelines define the high-level minimum standards expected by the regulator from financial institutions. Most of the requirements can be seen as framework orientations and do not contain details of technical or functional expectations. It remains the responsibility of the financial institution to define what is appropriate in context and to set up the appropriate controls and protections.
As such, it is for the financial institution to define the level of risk to which it is exposed, and to what degree it will be managed.


Regulation in New Zealand

The Reserve Bank of New Zealand (RBNZ) is the prudential regulator for registered banks, non-bank deposit takers, finance and insurance companies, building societies and credit unions. The Financial Markets Authority regulates the terms of financial products, disclosure and enforcement.
Requirements and expectations associated with Cloud Services fall under the Reserve Bank’s BS11 Outsourcing Policy. The latest version of that document can be found on the Reserve Bank website at https://www.rbnz.govt.nz/regulation-and-supervision/banks/prudential-requirements/outsourcing-policy.

Cloud Services

In both Australia and New Zealand, usage of cloud services by financial institutions is permitted. From the regulators’ perspective, it is a financial institution’s responsibility to ensure that such services are considered, treated and controlled according to the risk they represent.
It is important for a financial institution to have a very clear understanding of its responsibilities and of the Cloud provider responsibilities prior to entering into a contractual agreement. Cloud services are typically a shared responsibility model. The figure below presents a high-level view of the usual responsibilities of each party based on the Cloud model selected.

Cloud Responsibility Table

To better understand what shared responsibility means, you can refer to this excellent article from Microsoft: https://blogs.msdn.microsoft.com/azuresecurity/2016/04/18/what-does-shared-responsibility-in-the-cloud-mean/.

It is also very important to understand that while operational responsibilities are shared, regulators consider that financial institutions cannot outsource the associated risk. This means that whatever model is selected, financial institutions are fully responsible for understanding the risks and ensuring they are adequately mitigated.
To that purpose, having a clearly defined Cloud strategy and performing an assessment of the Cloud service provider could provide confidence that the applicable regulatory requirements have been met.
While the strategy and assessment are not mandatory, they are a good way for financial institutions to gain understanding of the regulatory requirements and to learn how their Cloud providers can help meet these requirements.
The assessment also becomes a very valuable tool if notification or consultation with APRA is required (see Regulatory Approval below).

Regulatory Approval

Regulatory approval is not a requirement in Australia, nor in New Zealand, when outsourcing activities or contracting for Cloud services.
In Australia, financial institutions must however:
  • Notify APRA after outsourcing material business activities (see below) within Australia; or
  • Consult with APRA before outsourcing material business activities outside Australia;
  • In addition, for cloud services deemed to carry heightened inherent risk (see below), the financial institution is encouraged to consult with APRA, regardless of whether the service is provided inside or outside of Australia.

Material Business Activity

A “Material Business Activity” is an activity that has the potential, if disrupted, to have a significant impact on the financial institution’s business operations or its ability to manage risk effectively. The definition of a material business activity is very specific to the organisation and to the context of the outsourcing. Assessing the materiality of an activity requires a close understanding of the organisation’s business processes and technical assets that are impacted by the outsourcing. In the case of cloud services, it is critical to consider scenarios such as what would happen if the cloud provider were to fail during the provision of services and how a security incident would impact the financial institution and its customers.

Heightened Inherent Risk

Cloud services are deemed to carry “heightened inherent risk” if they present an increased likelihood of a disruption, or where a disruption would result in a significant impact for the financial institution.
To help with identifying such services, APRA lists a range of factors that typically indicate such risk, including exposure to environments which are available to non-financial industry entities, unproven track record and a high degree of difficulty in transitioning to alternate arrangements or ensuring business continuity.

Transfer of Data Outside of Australia / New Zealand

Outside of the consultation requirements when outsourcing material activity (see Regulatory Approval above), there is no restriction by the regulators or by privacy legislation on transferring data outside of Australia or New Zealand, as long as the transfer aligns with the Privacy Principles set out in the Privacy Act 1988 (Cth) in Australia and in the Privacy Act 1993 in New Zealand. For Australia, this is where:
  • the individual consents
  • the financial institution reasonably believes that the service provider is subject to legislation or a binding contract to protect information similar to those in Australia / New Zealand
  • the provider agrees to contractual terms in line with the applicable Privacy Act.
While Cloud providers might agree to privacy terms in line with the Australian Privacy Act and the New Zealand Privacy Act, it is a good idea to take advantage of the cloud services available from Australian or New Zealand data centres.



Disclaimer
This article is not legal or regulatory advice. You should seek independent legal advice on your cloud services project and your legal and regulatory obligations. The views and opinions expressed in this article are solely those of the author. These views and opinions do not necessarily represent those of StatePlus or its staff.