New outsourcing standards for the banking industry are "incredibly binding" on IT and risk managers, according to Leif Gamertsfelder, head of the e-security group at law firm Deacons Law.
If the standard is not met, he said, the matter can come under the direction of the Federal Banking Act, which carries penalties for breaches.
Released by the Australian Prudential Regulation Authority (APRA) at the end of May, the new standard for authorised deposit-taking institutions (ADIs) comes into effect on July 1, 2002.
It will mostly affect credit unions, as well as banks, building societies and mutual societies that outsource key business processes.
"CIOs and their teams have to realise that there is now more obligation on banks and credit unions, so they need to be familiar with the legal issues in outsourcing agreements," Gamertsfelder warned.
APRA, he said, has taken a very holistic approach to defining outsourcing, adding that it is very vague on the details. He said such ambiguity is confusing ADIs about compliance.
Gamertsfelder said APRA's standard is a high priority for most ADIs, but the new rules were "very broad-brush, making it hard for individual banks to determine how to comply with the standard and distracting them from their business".
He said some IT firms have been "ambivalent" about the standard, explaining: "It does bring APRA into their lives. APRA would have rights to access some specific information on contracts."
Advising IT managers to err on the side of caution and to protect their outsourcing agreements, he said: "Don't give away too much ground when disclosing information to APRA. Always query the enforcement mechanism."
Some 230 of Australia's ADI organisations outsource material business functions, 25 of which are banks, according to APRA's head of operational risk for consulting services, Greg Plummer.
Plummer said organisations are not required to comply with the proposed new rules, nor will it cost institutions anything financially to adopt them. Instead, the rules serve as a "statement of best practice" to ensure the safety of depositors' funds with ADIs.
"The standard sets best practice principles to ensure that the board and management of ADIs have policies and procedures to manage effectively the risks arising from outsourcing material business activities," APRA chief executive Graeme Thompson said.
"Each ADI board must satisfy itself and APRA that it has identified and can prudently manage any risk that may materially affect the continued safety of depositors' funds."
Material outsourcing activities are those which have the potential, if disrupted, to have a significant impact on the ADI's business operations, reputation or profitability, according to APRA.
Also, those arrangements do not include contractor-type deals involving numerous service providers, short-term contracts or situations where the cost and inconvenience of changing between providers is low, APRA said.
APRA introduced the new rules due to increasing growth over the last few years in the outsourcing of business and technology operations in Australia's banking and finance sector.
Plummer said: "The type of information we're requesting from ADIs is reports of any existing outsourcing agreements, and also monthly reports on service levels."
While organisations already track service levels with their outsourcer, banks needed to be aware that "at the end of the day it's [their] customers who are dealing with the institution", he added.
APRA's draft standard, released in November 2001 for comment, was met with some criticism, APRA said. Some IT companies opposed the proposed rules, assuming they would fall under big-brother regulation.
APRA's Plummer called this a "misunderstanding".