Share via

Australian Prudential Regulation Authority (APRA)

APRA overview

The Australian Prudential Regulation Authority (APRA) oversees banks, credit unions, insurance companies, and other financial services institutions in Australia. Recognizing the momentum towards cloud computing, APRA has called on regulated entities to implement a thoughtful cloud-adoption strategy with effective governance, thorough risk assessment, and regular assurance processes. Regulated institutions must comply with the APRA Prudential Standard CPS 231 Outsourcing when outsourcing a material business activity—any activity that has the potential, if disrupted, to have a significant impact on the financial institution's business operations or ability to manage its risks effectively. Based on its review of outsourcing arrangements involving cloud computing services submitted to APRA, APRA published specific, detailed guidance in its information paper, Outsourcing involving cloud computing services to help regulated entities assess cloud providers and services more effectively and guide them through the regulatory issues of outsourcing to the cloud. When outsourcing, including to a cloud service, regulated institutions must also review and consider their ongoing compliance with APRA Prudential Standard CPS 234 Information Security.

Microsoft and APRA

For financial institutions in Australia that are assessing cloud providers and their services, Microsoft has published:

Together they demonstrate how financial firms can move data and workloads to Microsoft Azure with the confidence that they are complying with Australian Prudential Regulation Authority (APRA) regulations and guidance.

To learn about the benefits of APRA-compliant financial services on Azure, read the Regtech meets Fintech: Perpetual and Microsoft transform the finance sector article.

Microsoft response to the APRA Information Paper on Cloud

This Microsoft paper provides detailed guidance for financial services with a detailed response to each issue raised in the APRA Information Paper Outsourcing involving cloud computing services. The APRA guidelines identify three risk categories into which cloud usage typically falls—low, heightened, and extreme inherent risk—and highlight key issues that regulated entities must consider as part of their risk assessment.

The Microsoft response focuses on the two highest risk categories. While cloud services are not prohibited by any risk category, APRA expects you to undertake a commensurately higher level of diligence, and you should expect an increasing level of APRA scrutiny, as you move up the risk categories. APRA lists a range of factors that typically indicate high or extreme inherent risk for cloud outsourcing. Microsoft addresses each of these factors in depth, providing information and tools to help you assess and manage the risk of moving your data and workloads to Azure.

Microsoft also addresses each APRA risk management consideration: strategy, governance, solution selection process, APRA access and ability to act, transition approach, risk assessments and security, ongoing oversight, business disruption, and audit and assurance. Point by point, we give advice and offer tools to help you respond to each issue when deploying Azure.

Get practical support for moving data and workloads to Azure in compliance with APRA regulations: Download the Microsoft response to the APRA Information Paper on Cloud.

Microsoft response to the APRA CPS 234 on Information Security

APRA Prudential Standard CPS 234 Information Security requires regulated institutions to:

  • clearly define information-security related roles and responsibilities;
  • maintain an information security capability commensurate with the size and extent of threats to their information assets;
  • implement controls to protect information assets and undertake regular testing and assurance of the effectiveness of controls; and
  • promptly notify APRA of material information security incidents.

CPS 234 closely mirrors the core Microsoft security framework: protect, detect, and respond.

Microsoft cloud services: compliance with APRA Prudential Standard CPS 234 Information Security sets out each of the relevant CPS 234 regulatory obligations, and maps against it the Microsoft cloud service controls, capabilities, functions, contract commitments, and supporting information to help your APRA-regulated entity comply with its regulatory obligations under CPS 234.

This Microsoft checklist introduces APRA regulatory requirements that financial firms must address when moving to the cloud. It maps Azure against not only the Prudential Standard CPS 231 Outsourcing, but other relevant APRA standards, such as for business continuity and risk management. Completing this checklist helps your financial service institutions adopt Azure with the confidence that it meets the relevant APRA requirements.

By relying on our comprehensive approach to risk assurance in the cloud, we are confident that Australian financial services organizations can move to Microsoft cloud services in a manner that is not only consistent with APRA guidance, but can provide customers with a more advanced security risk management profile than on-premises or other hosted solutions.

Get practical support for moving data and workloads to Azure in compliance with APRA regulations: Download Microsoft cloud services: a compliance checklist for financial institutions in Australia.

Microsoft in-scope cloud platforms & services

Office 365 and APRA

Office 365 environments

Microsoft Office 365 is a multi-tenant hyperscale cloud platform and an integrated experience of apps and services available to customers in several regions worldwide. Most Office 365 services enable customers to specify the region where their customer data is located. Microsoft may replicate customer data to other regions within the same geographic area (for example, the United States) for data resiliency, but Microsoft will not replicate customer data outside the chosen geographic area.

This section covers the following Office 365 environments:

  • Client software (Client): commercial client software running on customer devices.
  • Office 365 (Commercial): the commercial public Office 365 cloud service available globally.
  • Office 365 Government Community Cloud (GCC): the Office 365 GCC cloud service is available for United States Federal, State, Local, and Tribal governments, and contractors holding or processing data on behalf of the US Government.
  • Office 365 Government Community Cloud - High (GCC High): the Office 365 GCC High cloud service is designed according to Department of Defense (DoD) Security Requirements Guidelines Level 4 controls and supports strictly regulated federal and defense information. This environment is used by federal agencies, the Defense Industrial Base (DIBs), and government contractors.
  • Office 365 DoD (DoD): the Office 365 DoD cloud service is designed according to DoD Security Requirements Guidelines Level 5 controls and supports strict federal and defense regulations. This environment is for the exclusive use by the US Department of Defense.

Use this section to help meet your compliance obligations across regulated industries and global markets. To find out which services are available in which regions, see the International availability information and the Where your Microsoft 365 customer data is stored article. For more information about Office 365 Government cloud environment, see the Office 365 Government Cloud article.

Your organization is wholly responsible for ensuring compliance with all applicable laws and regulations. Information provided in this section does not constitute legal advice and you should consult legal advisors for any questions regarding regulatory compliance for your organization.

Office 365 applicability and in-scope services

Use the following table to determine applicability for your Office 365 services and subscription:

Applicability In-scope services
Commercial Exchange Online Protection, Exchange Online, Office 365 Customer Portal, Office Online, Office Services Infrastructure, OneDrive for Business, SharePoint Online, Skype for Business

Frequently asked questions

Do financial institutions need APRA approval before outsourcing material business activities?

No. However, most regulated financial organizations must notify APRA after entering into agreements to outsource material business activities within Australia or consult with APRA before outsourcing those activities outside of Australia.

In addition, if the cloud services are deemed to carry 'heightened or extreme inherent risk' as described in the APRA Information Paper on Clouds, the financial institution is encouraged (but not required) to consult with APRA, regardless of whether the service is provided within or outside of Australia.

Are transfers of data outside of Australia permitted?

Yes. General privacy legislation (which applies across all sectors, not just to financial institutions) permits transfers outside of Australia under certain conditions. Microsoft agrees to contractual terms in line with Australian Privacy Principles so that transfers of data outside of Australia are permitted when you use Microsoft cloud services. However, many of our Australian financial services customers take advantage of the cloud services available from our Australian datacenters, for which we make specific contractual commitments to store categories of data at rest in the Australian geography. These commitments are outlined further in the compliance checklist.

Use Microsoft Purview Compliance Manager to assess your risk

Microsoft Purview Compliance Manager is a feature in the Microsoft Purview compliance portal to help you understand your organization's compliance posture and take actions to help reduce risks. Compliance Manager offers a premium template for building an assessment for this regulation. Find the template in the assessment templates page in Compliance Manager. Learn how to build assessments in Compliance Manager.