APRA warns about data risk
The Australian Prudential Regulatory Authority has written to banks and other ADIs warning them about the importance of properly using and storing data.

APRA is also asking for comments on a detailed guide to managing data risk.

The regulator's warning comes as banks examine "cloud technology" - essentially, internet-based systems that provide computing power and data storage as needed.

CBA confirmed last month that it is moving some of its computing on to the cloud platform of leading provider Amazon, which recently established Sydney cloud facilities. CBA's chief information officer, Michael Harte, said then that external cloud platforms could cost a tenth of internally provided facilities. ANZ is also using some cloud facilities, but has voiced caution about how much APRA will allow the banks to use cloud platforms.

The letter to the banks, from APRA's general manager of policy development, Neil Grummitt, says the regulator "considers it important that regulated institutions understand the risks associated with data and are able to identify and put in place sound risk management practices in this regard."

The APRA guide identifies outsourcing and offshoring as areas where banks need to exercise caution. Both practices increase the risk of inadequate control of data through its life, the guide says, "with problems potentially magnified when offshoring is involved."

It also warns institutions to "apply a cautious and measured approach when considering retaining data outside the jurisdiction it pertains to."

APRA does not ban either outsourcing or offshoring. But, it says, ADIs will need to show that they can keep operations going "following a loss of services"; maintain the quality of important data; comply with legal and prudential requirements; and keep access open to APRA itself. And it also has a long checklist of management steps that will be needed before it will approve outsourcing or offshoring.