Australia's banking regulator, APRA, has released a
warning to the financial services sector about the use of cloud
computing services. The Regulator has identified that many of the
bodies it regulates do not subject cloud computing solutions to the
rigorous analysis required when they outsource material business
processes to a cloud solution provider. While APRA has released no
specific guidelines on the use of cloud computing services, it
highlights that the Prudential Standards it has published in
relation to "Outsourcing", "Business
Continuity" and "Management of security risk in
information and information technology" continue to be
applicable to cloud computing solutions.

APRA also highlighted regulated institutions' requirement to
consult with APRA before entering into any outsourcing agreements
which involve material business activities. As part of this
consultation, APRA expects regulated institutions to conduct
comprehensive risk assessments. In APRA's opinion, risk
assessments require a detailed understanding of the architecture of
the solution and the type of information impacted by the

Depending on the particular solution, cloud computing generally
involves delivery of services through the internet. Consequently,
data might be stored in various servers, in different locations,
potentially outside Australia. Benefits of this solution include
virtually instantaneous scalability making the solution arguably
more cost effective. That said, the distributed architecture of
cloud computing gives rise to the following issues:

- the transmission of data between various servers and storage of
  data on multiple servers increase the potential for unauthorised
  third party access or interception
- Australian laws like the Privacy Act 1988 (Cth) place
  certain restrictions and limitations on organisations transferring
  certain types of data outside States or Australia. In supplying
  data into the cloud, regulated institutions will need to know where
  this data will be transmitted and stored to ensure compliance with
- where data crosses into another jurisdiction, it will become
  subject to that jurisdiction's laws. These laws may be less
  stringent than Australia's or provide that jurisdiction's
  government with certain rights in relation to that data which do
  not exist in Australia
- given the disaggregated nature of the cloud, it may be
  difficult to ensure that all data contained within a cloud has been
  returned or destroyed should a regulated institution seek to
  terminate the arrangements with the cloud solution provider. Again,
  this raises issues in relation to a regulated institution's
  ability to manage and control sensitive information.

To some extent these risks can be mitigated through appropriate
contractual protections. However, contractual causes of action may
be cold comfort where there has been an unauthorised release of
sensitive data resulting in significant reputational damage for the
financial service provider and its business. As APRA has
highlighted, it is therefore critical that the nature of the
technology architecture, the type of data involved and related
legislative requirements are considered and assessed before a
regulated institution enters a cloud computing solution.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.