InvestSMART

Regulator warns banks against storing data offshore

THE financial regulator has cautioned banks about storing customers' financial data overseas, as the sector eyes cost savings in a bid to bolster its slowing profits.
By · 12 Dec 2012

Westpac, NAB and ANZ all carry out some of their back-office functions overseas, sparking concerns from unions and politicians over the privacy risk to consumers.

Now the Australian Prudential Regulation Authority has identified "offshoring" as an area of weakness in banks' data management policies.

In a draft guide published on Tuesday, it said outsourcing data management responsibilities increased the risk of sensitive information being mismanaged.

Offshoring could magnify this risk, it said.

To ensure customers' information was properly looked after, the regulator said it expected banks to have a business case that justified the extra risks of holding data overseas, where Australian laws did not apply.

"APRA expects a regulated institution to apply a cautious and measured approach when considering retaining data outside the jurisdiction it pertains to," the regulator said.

The national secretary of the Finance Sector Union, Leon Carter, said the current regulation of data offshoring - which involved APRA, the Attorney-General's Department and the Australian Securities and Investments Commission - was inadequate.

Figures were not available on how much customer data was stored overseas, Mr Carter said, but "a fair amount" would be needed for banks to carry out the administrative work that occurred in cities such as Bangalore and Manila.

APRA's comments were pitched as "guidance" to management, but Mr Carter said there should be regulations requiring customers to give approval before their data was sent overseas.

"We would say the data should not go overseas without the express consent of the consumer," he said.

Frequently Asked Questions about this Article…

APRA warned that offshoring customer financial data is an identified weakness in banks' data management, saying outsourcing increases the risk of sensitive information being mismanaged and that offshoring could magnify that risk.

The article notes that Westpac, NAB and ANZ carry out some back‑office functions overseas, with administrative work commonly occurring in cities such as Bangalore and Manila.

The sector is looking at cost savings to help bolster slowing profits, and some banks are outsourcing back-office functions overseas as part of those cost-cutting efforts.

Offshoring can increase privacy and mismanagement risks because Australian laws may not apply offshore, potentially making it harder to ensure customers' information is properly protected.

APRA expects banks to have a business case that justifies the extra risks, and to take a cautious and measured approach when considering retaining data outside the jurisdiction it pertains to.

According to the Finance Sector Union's national secretary Leon Carter, the current regulation—which involves APRA, the Attorney‑General's Department and ASIC—is inadequate, and he argues stronger requirements such as customer consent should be considered.

The article says figures are not available; union representatives noted that 'a fair amount' of data is likely stored overseas to support administrative work in locations like Bangalore and Manila.

Watch how banks explain and justify any offshoring in their data management policies, whether they meet APRA's expectation for a clear business case and cautious approach, and any regulatory changes or calls for customer consent mentioned by regulators or unions.