The industry has until the end of March to make submissions regarding the draft code.
The Draft Prudential Practice Guide released by APRA states clearly that it is not intended as an all-encompassing framework governing data management; rather, it offers a series of guidelines regarding monitoring and managing data risk.
The far-from-prescriptive approach taken by the Guide allows organisations to assess their own appetite for data risk. While it does not outlaw outsourcing, offshoring or use of cloud services, it notes that risk could be magnified through offshoring as a result of “control framework variations, lack of proximity, reduced corporate allegiance, geopolitical risks and jurisdictional-specific requirements.”
It notes that “APRA expects a regulated institution to apply a cautious and measured approach when considering retaining data outside the jurisdiction it pertains to. It is important that a regulated institution is fully aware of the risks involved and makes a conscious and informed decision as to whether the additional risks are within its risk-appetite.”
APRA also indicated that organisations needed to ensure there were no jurisdictional hurdles or technical complications that would stall APRA from being able to access data as required to fulfil its prudential obligations.
The draft guide also points to the risks that may be introduced by allowing end users to bring or develop their own technology. It notes that traditional data management policies may not be able to adequately manage the risk that this introduces, and special attention and policies might be required.