Protecting the financial system
It comes as no surprise that the data security requirements set by the prudential regulator are the most conservative. They are therefore also some of the most complex.
The prudential standards govern how banks, superannuation funds and insurers must operate and manage risk. However, there is currently no single authoritative source containing the rules for managing data. Instead, the issue is addressed through a range of mandatory standards, best practice guidance and information papers.
While regulators are eager to build a global competitive financial services industry, there’s a strong preference for keeping close to home.
In its guidance on managing data risk (CPG 235), the Australian Prudential Regulation Authority (APRA) urges organizations to be “cautious and measured” when looking at holding their data beyond Australian shores. Organizations need to apply the same rigorous evaluation, understanding and monitoring as they would onshore.
Satisfying those requirements is not a set-and-forget decision; activities undertaken at arm’s length still need ongoing evaluation and monitoring.
Is data allowed to be held offshore?
APRA does not prohibit financial institutions from holding data offshore. However, it does impose a number of requirements.
Among them, organizations must consult with APRA before outsourcing material business operations offshore. If APRA does not believe that the risks can be managed adequately, it can – and previously has – stopped the outsourcing. Organizations must also allow APRA access to the service provider, which could include onsite visits.
APRA’s guidance actively steers organizations away from offshoring data. Its information paper on outsourcing involving cloud computing identifies keeping data onshore as one way to reduce the inherent risk of outsourcing “in the absence of any compelling business rationale to do otherwise”.
The rules about outsourcing
The rules apply where business activities are considered “material”. While APRA provides guidance on determining materiality, it is up to each organization to apply that guidance to its own operations.
APRA has stringent requirements when an organization outsources a material business activity. For instance, a business must:
- Receive Board approval of its policy on outsourcing activities.
- Prepare a business case for outsourcing.
- Conduct a selection process and due diligence of outsourcing providers.
- Ensure the outsourcing agreement meets APRA’s minimum requirements.
- Monitor outsourcing performance on an ongoing basis.
- Notify APRA of the start and end of outsourcing agreements, including a summary of risk assessment and mitigation.
Change is in the air
The growing scale and likelihood of cyber incidents mean that data security is becoming increasingly important for the financial services industry.
APRA is set to streamline and strengthen the rules for how organizations manage data security. In March 2018, it released a new standard, CPS 234, for industry consultation.
This will elevate APRA’s regulation of data security from the guidance it currently provides to mandatory requirements that financial services institutions are legally obliged to meet.
The proposed standard sets out the minimum requirements for managing data security and cyber risks, including roles and responsibilities, capability, internal controls, detection, response and notification. These include the position that the board of directors is ultimately responsible for the organization’s cybersecurity.
The new APRA standard is expected to take effect starting July 1, 2019.
Updates to APRA’s standards on outsourcing have also been flagged by the regulator, with consultation to occur later in 2018.
Prudential regulation applies to many organizations across the financial services sector. However, not all businesses are APRA-regulated.
Financial planning and advice are among the activities that are beyond APRA’s remit. Likewise, a wide range of fintech businesses operate beyond prudential regulation. However, questions are increasingly being raised about the adequacy of this two-stream approach.
Tackling the trust issue
The increased focus on data security comes at a crucial time for the financial services industry, following revelations of widespread inappropriate practices in the Royal Commission.
These issues have contributed to a rapid downturn in Australians’ trust in businesses generally, and financial services in particular.
The 2018 Edelman Trust Barometer found that trust in our institutions has declined by a total of 10 percentage points between 2017 and 2018, which it classified as “extreme.” Financial services was one of the least trusted industries, with only the energy sector ranking lower. The results were based on research before the Royal Commission began.
However, the same research also points to the way financial services can start to rebuild the trust deficit. It found that technology has a significant role in increasing trust levels. In particular, reliable fraud protection is highly rated – 36% of people said it would increase their trust in a financial services company.
As the Royal Commission progresses, scrutiny of conduct and compliance obligations across the broader industry is likely to continue. In the current climate of escalating risk and low public sentiment, all financial services organizations must consider how they are safeguarding their information assets.
To find out more about Diligent’s new Australian data center, please contact us at email@example.com or 1800 646 207.