This week, Australian Prudential Regulation Authority (APRA) chairman, Wayne Byres addressed the future impact of fintech on the financial sector in Australia and expressed concern about the challenges of regulating the ‘rapidly-shifting’ environment in the financial sector.
This discussion anticipates consumer data rights (CDR) and the open banking regime, which will require banks to share data with fintechs with consumers’ consent.
According to Byres, the regulator’s predominant concern is with risk management and cyber security.
Byres also suggested that, throughout the developments in the space, the risks have not been well-understood by what he referred to as the ‘decision-makers’. He noted that cyber security is one area in which the larger regulated entities have made considerable investment.
Earlier this year, the regulator introduced CPS 234 Information security Management: A New Cross Industry Consultation, the first standard that focussed on tackling cyber risk.
Released after two prominent, international cyber-attacks, the standard also coincided with the implementation of the Notifiable Data Breach regime and the General Dara Protection Regulation (GDPR) that protects the personal data of EU citizens.
When it comes to keeping up with the capricious environment, however, Byres said the challenge for regulators is much the same as it is for businesses, and stressed that, while outsourcing and partnering is not a new phenomenon, the way it is manifesting poses an increasing challenge for the regulator. This is happening in what Byres describes ‘business critical’ areas, as opposed to peripheral areas.
“An ecosystem of small providers will challenge management models, as well as regulatory understanding of risks, as more data and activity sits outside the (increasingly narrow) regulated entity. It poses an interesting thought experiment: in the extreme, if all the processes in a bank were disaggregated into their specialist parts, which parts would we call ‘the bank’?” Byres said.
He explained that the opposing challenge comes from the large institutions that are dependent on ‘largely-unregulated’ providers.
Updated Cloud Standards
On the same day as the release of the APRA address, the regulator also released updated guidance on outsourcing cloud technology entitled, Outsourcing Involving Cloud Computing Services.
This is an update to a paper published in 2015, and comes as a result of APRA’s acknowledgement that there has been an increased uptake in businesses using cloud technology.
While the regulator does acknowledge that risk exposure depends on how businesses intend to use cloud solutions, however, there are some general processes that should be observed.
The paper notes some of the ‘observed weaknesses’ of strategy when looking at cloud technology include:
proposals driven solely by cost considerations rather than a clearly-defined strategy and architectural roadmap;
business cases and reporting to the Board and/or senior management that only focuses on benefits and do not provide adequate visibility of associated risks; and
failures to sufficiently understand or address changes in required organisational capability.
When it comes to governance oversight for APRA-regulated entities, there should be clear detail and an outline of decision-making and responsibilities.
The paper states that the appropriate governance ‘should form a view of risks’, and risk controls, and ensure both are in line with the risk appetite.
When considering the selection process for any cloud solution, special attention should be given to the alignment of the desired architecture and risk management frameworks. There must also be engagement with risk, security or assurance functions.
“A comprehensive due diligence process, including independent assessments, rather than placing sole reliance on attestations by the provider and customer references, would normally be conducted. Typically, the intent would be to verify the maturity, adequacy and appropriateness of the provider and services selected (including the associated control environment), taking into account the intended usage of the cloud computing service,” it states, in the paper.
The paper also identifies that the standards give APRA right of access and that the regulator conducts site visits of service providers.