Skip to main content

Banking – Data Governance Obligations

Frazer Walker helped AMP Bank identify all data related governance regulations, standards and guidelines applicable to the bank as legal obligations and good business practice, including CPS 234 and GDPR.

The Challenge

The use of data and data analytics are key competitive levers for organisations operating in an increasingly digital market place.  As the collection and use of data increases exponentially, so do the risks of data misuse and privacy breaches.  Subsequently, governments and regulatory bodies are playing an increasingly important role in regulating and controlling the use of data via standards and guidelines.

As the bulk of data related regulations, standards and guidelines are relatively new, it is possible many organisations are not fully compliant.  This was particularly the case with APRA’s CPS 234 Information Security standard which commences on the 1 July 2019.

The challenge was to identify AMP Bank’s data governance obligations and to integrate the findings with the parallel development of various related governance and risk forums.

Our Work

AMP Bank’s data governance obligations are influenced by a number of Australian and international entities, plus AMP Group policies and standards.  The objective of this engagement was to identify the full scope of relevant data governance obligations to be used to inform the development and implementation of effective data governance at AMP Bank.

A comprehensive search was conducted to identify the full scope of data governance obligations.  Within Australia, there are many industry bodies and regulators who publish banking related regulations, standards and/or guides.  To avoid duplication and repetition, only the original sources of regulations were described in detail.

International data governance regulations, such as GDPR, were also considered as they play a part by potentially influencing the development of Australian regulations and laws.  International regulations also provide entities with an opportunity to identify international best practice, beyond regulatory obligations.

Throughout this engagement, weekly workshops were conducted with the data team at AMP Bank to discuss the implications of the findings to date and to facilitate the inclusion of the findings into governance and risk forums being developed in parallel.

The Outcome

The final deliverable was a description of the relevant local and international governance regulations, standards and guidelines that AMP Bank must and/or should comply with.  The client took our advice that international regulations that may not be legal obligations should also be included in the complete view of data governance obligations within the Bank’s governance and risk framework.


For more information please contact Ian Chisholm, Phone: +61 401 316 004, Email: