APRA-regulated entities increasingly use OCCS (outsourced cloud computing services) to reduce margins and optimise the customer experience. Indeed, OCCS is now considered standard in many industries. To help APRA-regulated entities using OCCS, APRA has recently published an updated information paper titled ‘Outsourcing involving Cloud Computing Services’ outlining their requirements.
APRA's prudential standards relevant to regulated entities include CPS Outsourcing [CPS 231], SPS 231 Outsourcing [SPS 231], and HPS 231 Outsourcing [HPS 231]. While the information paper and prudential standards are specific to APRA-regulated entities, they set out a useful risk management matrix for all companies using OCCS. In this article, we summarise these requirements to give APRA-regulated entities an overview of APRA's approach to risk management and prudential guidance principles.