Australian Prudential Regulation Authority withdraws cloud outsourcing guidance and ends COVID-19 capital and credit data collection

The Australian Prudential Regulation Authority (APRA) confirmed two further measures to simplify the prudential framework, rescinding its 2018 information paper on outsourcing involving cloud computing services and ceasing the “ARF 923.0 Covid-19 Capital and Credit” data collection. The cloud outsourcing information paper was withdrawn in light of Prudential Standard CPS 230 Operational Risk Management (CPS 230), which provides formal supervisory coverage for entities with cloud service provider arrangements. APRA expects regulated entities using cloud services to comply with CPS 230 requirements to manage associated risks and support operational resilience, and cited industry feedback that removing the paper would reduce regulatory burden and improve clarity for material service provider arrangements. Separately, APRA ended ARF 923.0, with the final submission covering the period ending 31 January 2025, noting the collection was introduced in 2020 to support COVID-19 measures and that its cessation follows APRA’s regular review of ad hoc collections and earlier cessations in 2023 and 2024. CPS 230 takes effect on 1 July 2025, replacing Prudential Standard CPS 231 Outsourcing and Prudential Standard CPS 232 Business Continuity Management. APRA indicated it will continue to identify opportunities to further sharpen and simplify the prudential framework.