APRA reminds regulated institutions of their technology outsourcing obligations

25 September 2012

APRA’s most recent issue of APRA Insight, released last Wednesday, highlighted the risks associated with outsourcing by authorised deposit-taking institutions (ADIs).

In a financial climate in which ADIs are pursuing cost saving and efficiency measures, the regulator warns against ADIs seeking efficiencies through outsourcing and offshoring of critical support functions, including technology functions. Particularly, APRA claims that in many cases it has found that outsourcing and offshoring arrangements have not been subject to sufficient due diligence and risk management assessment.

Noting an increase in the number of reported technology outsourcing and offshoring arrangements, APRA expressed concern that the concentrated use of common vendors and offshore locations across the ADI industry increases the risks associated with particular vendors and offshore locations. APRA considers that serious system outages are often avoidable, and the result of a poor knowledge retention and high reliance on third parties by ADIs. APRA has created a cross divisional working group to evaluate outsourcing risks.

Currently, for a regulated institution to outsource a material business activity, it is required to meet the requirements of Prudential Standard CPS 231, which include:

  • meeting APRA requirements with respect to due diligence and risk assessment, monitoring compliance, business continuity and contingency planning;
  • consulting with APRA prior to entering any offshoring arrangement (and APRA may bar any such arrangement if it is not satisfied that risks are managed appropriately); and
  • Including a contractual provision with its third party vendor that gives APRA the right to access documentation and information of the vendor, and also make on-site visits to the vendor’s premises, to satisfy itself that prudential requirements are being met.

A material business activity includes any activity that has the potential to have a significant impact on the business operations or risk management capability of a regulated institution. APRA has indicated that it considers that services such as mail (including instance messaging), scheduling (calendar), collaboration (including workflow) applications and CRM solutions can constitute material business activities. Such services are one of the first in a line of applications and functions that regulated institutions are, or are considering to be suitable for migration to the cloud, which APRA also considers a form of outsourcing.

ADIs are advised to review their outsourcing and off shoring policies and procedures so as to ensure compliance with the prudential standards and to ensure that best practice is followed with respect to risk assessment, due diligence, contracting, and disaster recovery planning and contract management.

The APRA Issues Paper is available here.

The content of this publication is for reference purposes only. It is current at the date of publication. This content does not constitute legal advice and should not be relied upon as such. Legal advice about your specific circumstances should always be obtained before taking any action based on this publication.

Related Content


Helen Clarke

Partner. Brisbane
+61 7 3228 9818


James North

Partner. Sydney
+61 2 9210 6734


Philip Catania

Partner. Melbourne
+61 3 9672 3333