APRA alarm over data
Westpac, NAB and ANZ all carry out some of their back-office functions overseas, sparking concerns from unions and politicians over the privacy risk to consumers.
Now the Australian Prudential Regulation Authority has identified "offshoring" as a key area of weakness in banks' data management policies.
In a draft guide published on Tuesday, APRA said outsourcing data management increased the risk of sensitive information being mismanaged.
To ensure customers' information was properly looked after, the regulator said it expected banks to have a business case that justified the extra risks of holding data overseas, where Australian laws did not apply.
"APRA expects a regulated institution to apply a cautious and measured approach when considering retaining data outside the jurisdiction it pertains to," it said.
With banks facing slow revenue growth due to weak demand for credit, it is the latest warning from APRA over cost cutting that could have unintended consequences.
Finance Sector Union national secretary Leon Carter said the current regulation of data offshoring - which involved APRA, the Attorney-General's Department and the Australian Securities and Investments Commission - was inadequate.
Figures were not available on how much customer data was stored overseas, he said, but "a fair amount" would be needed in order for banks to carry out the administrative work that went on in cities such as Bangalore and Manila.
APRA's comments were pitched as "guidance", but Mr Carter said there should be regulations requiring customers to give approval before their data was sent overseas.
Frequently Asked Questions about this Article…
APRA cautioned banks that offshoring customer financial data increases the risk of sensitive information being mismanaged. In a draft guide it identified offshoring as a weakness in banks' data management and said institutions must justify any extra risks of holding data overseas where Australian laws may not apply.
The article names Westpac, NAB and ANZ as banks that carry out some back‑office functions overseas, a practice that has drawn concern from unions and politicians over consumer privacy risks.
Banks have been looking at offshoring to cut costs as a way to bolster slowing profits and cope with weak revenue growth caused by lower demand for credit, with administrative work often moved to cities such as Bangalore and Manila.
APRA expects regulated institutions to have a clear business case that justifies the additional risks of storing data offshore and to take a cautious, measured approach when considering retaining data outside the jurisdiction it pertains to.
APRA’s comments were issued as guidance in a draft guide rather than as new binding regulations. However, some stakeholders, like the Finance Sector Union, want formal regulations requiring customer consent before data is sent overseas.
Holding data in overseas locations can mean Australian privacy laws and regulatory protections do not apply, increasing the risk that sensitive customer information could be mismanaged or subject to different legal standards.
According to the Finance Sector Union national secretary Leon Carter, figures are not available on the total amount of customer data stored overseas, though he said a 'fair amount' would be required to support overseas administrative centres.
Unions argue current regulation involving APRA, the Attorney‑General’s Department and ASIC is inadequate and have called for stronger rules—such as requiring customers to give approval before their data is sent overseas—to better protect privacy.
Call 1300 880 160
Start a chat
Schedule a call
