CFOtech New Zealand - Technology news for CFOs & financial decision-makers
Can misconceptions derail the effectiveness of operational resilience?
Mon, 15th Apr 2024

As Australia prepares for stricter compliance and risk management regulations, numerous financial services firms are concentrating on detecting and addressing any deficiencies in their current strategies for risk management and compliance.

Recent research shows that in the last quarter, the financial sector reported the second-highest number of data breaches across Australia. It's no surprise, then, that the government is taking an active role in trying to increase resilience. As one example, in Australia, CPS 230, scheduled to take effect from 1 July 2025, will apply to all entities regulated by the Australian Prudential Regulation Authority (APRA) and will introduce new requirements for risk management.

To navigate these changing regulatory demands and pave the way for future growth, APRA-regulated entities must strategically invest in technology solutions that support governance, risk, and compliance, starting by understanding their biggest pitfalls and areas of opportunity. However, several misconceptions persist in the financial industry regarding risk management and compliance strategies, especially around two of the biggest areas of vulnerability: running outdated and unsupported software, and single-supplier failure or vendor lock-in.

Misconception #1: Running outdated or unsupported software isn’t a big deal.

A recurring pain point for FSI organisations is running outdated software systems. A surprising number of Australian businesses continue to run outdated software today, which leads to several problems, such as compatibility issues or violations of security policies. Updates are heavily encouraged precisely to remove this risk. That said, updates require outages and a significant depth of knowledge, which can too easily be cited as a valid rationale for postponing them. Organisations are more likely to accept the risk of outdated software than to inconvenience their customers with a significant period of downtime. This was demonstrated recently when a major telecommunications organisation had not kept its servers and software up to date, which led to a significant server crash that left millions of customers without mobile or internet service for several hours.

This issue not only creates operational hurdles but also has significant reputational and compliance consequences as regulations tighten. For example, under the new regulations, a failure like this would constitute a breach, particularly of the requirements around technology refresh management. An unpatched system is an insecure system, and one that fails to meet regulatory requirements for information security.

Misconception #2: Vendor lock-in and single-supplier failure won’t happen to me.

FSIs most often end up in vendor lock-in because they reduce the number of vendors they engage with in order to avoid acting as their own system integrator. However, placing all data with a single vendor exposes FSIs to risk: a region going offline, loss of pricing leverage, and a weaker position when negotiating a deal.

As regulations change, there is further incentive to choose technologies that are vendor agnostic and easy to resource, and to ensure that the resourcing for those technologies also isn't coming from a single provider. Open-source software presents a compelling argument both for improving operational efficiency and for protecting against vendor lock-in, so that data can flow freely and compliance requirements can be met.

When FSI organisations are not using open-source software, it's generally because they don't have a defined support path or have concerns about security and updates. However, open source can be a powerful ally in keeping up with compliance needs and in providing the support needed to improve business outcomes.

The flow-on effect of FSI risk regulations

In a market with tightening regulations, FSIs need to identify managed platforms that leverage open-source technologies and take care of automated maintenance and updates on a weekly basis, so that organisations are always running supported software. Some companies publish updates and information on when certain platforms will reach end-of-life, so that financial service organisations can plan any necessary downtime months in advance.

When it comes to single-supplier failure, these managed platforms are designed to run across multiple clouds, in line with financial regulations, so organisations can easily migrate data between service providers, be that AWS, Google, MS Azure, Oracle or others, in a matter of minutes.

IDC has calculated that the benefit to one of our customers from using a data management platform is in the region of more than $1.68 million per year, with a 340% three-year return on investment. By reducing downtime and keeping the organisation informed, these managed platforms provide considerable value.

When considering future-proofing against changing regulations and risk, financial service organisations in Australia and New Zealand should consider strategies that leverage open-source technologies while also reducing the pain points associated with ongoing management and maintenance. Smarter decisions upfront can help to reduce the risk of single-supplier failure while also offering significant financial and performance advantages.