APRA’s most recent issue of APRA Insight, released last Wednesday, highlighted the risks associated with outsourcing by authorised deposit-taking institutions (ADIs).
In a financial climate in which ADIs are pursuing cost-saving and efficiency measures, the regulator warns against ADIs seeking efficiencies through outsourcing and offshoring of critical support functions, including technology functions. In particular, APRA claims that in many cases it has found that outsourcing and offshoring arrangements have not been subject to sufficient due diligence and risk management assessment.
Noting an increase in the number of reported technology outsourcing and offshoring arrangements, APRA expressed concern that the concentrated use of common vendors and offshore locations across the ADI industry increases the risks associated with particular vendors and offshore locations. APRA considers that serious system outages are often avoidable, and the result of poor knowledge retention and high reliance on third parties by ADIs. APRA has created a cross-divisional working group to evaluate outsourcing risks.
Currently, for a regulated institution to outsource a material business activity, it is required to meet the requirements of Prudential Standard CPS 231, which include:
A material business activity includes any activity that has the potential to have a significant impact on the business operations or risk management capability of a regulated institution. APRA has indicated that it considers that services such as mail (including instant messaging), scheduling (calendar), collaboration (including workflow) applications and CRM solutions can constitute material business activities. Such services are among the first in a line of applications and functions that regulated institutions are migrating, or are considering suitable for migration, to the cloud, which APRA also considers a form of outsourcing.
ADIs are advised to review their outsourcing and offshoring policies and procedures so as to ensure compliance with the prudential standards and to ensure that best practice is followed with respect to risk assessment, due diligence, contracting, disaster recovery planning and contract management.
The APRA Issues Paper is available here.
The content of this publication is for reference purposes only. It is current at the date of publication. This content does not constitute legal advice and should not be relied upon as such. Legal advice about your specific circumstances should always be obtained before taking any action based on this publication.