Request a free, personalized demonstration of Alex

The problem

APRA CPG 235 applies to all financial institutions, including any entity that engages in activities related to the offering and/or administration of deposit products and/or insurance products in Australia. The purpose of CPG 235 is to ensure that financial institutions effectively manage their information security risks, which can be done by implementing effective controls over personal information held or accessed by an organization and those who have access to this information.

It’s not just about ensuring compliance with APRA CPG 235; it’s also about protecting your business reputation (and the reputation of the financial industries overall), and complying with CPG 235 can help you with other regulations such as GDPR.

A holistic approach at each stage of the data lifecycle can help companies meet their CPG 235 requirements

Clause 27 of CPG 235 specifies that regulated entities must be able to present their understanding of the flow of data and processing undertaken within their enterprise (i.e. data lineage). To meet your CPG 235 requirements, you have to understand the whole lifecycle of your data and demonstrate this to the regulator. This means being able to answer questions like:

  • Where does my data come from?

  • What are the processes that link one activity or participant with another?

  • How can I track my data as it moves through these processes?

To answer these questions, you can use Alex Solutions Automated Data Lineage. It shows what data is created or ingested in each process step, who uses the information, how it is transformed and where it goes next. The diagram also shows whether there are any gaps in your tracking system—places where it’s not clear how you’re gaining access to or using particular pieces of information.

APRA instituted CPG 235 Managing Data Risks to leverage data governance standards to help ensure the safety and stability of banks as well as the financial system.

Alex is tailored to help you comply with APRA Data Regulation CPG 235. It’s a unique solution that manages your entire data lifecycle by automatically creating a single record of all your data from capture through to disposal. With Alex, you can:

How can Alex help you comply with CPG 235?

Alex is a data catalog that can help you manage your data across the entire lifecycle. Alex has been designed with a specific focus on compliance and governance programs such as CPG 235, GDPR, CCPA and others.

Alex provides a metadata workspace, creating one source of truth for all metadata related to your enterprise systems and applications. By automating data discovery and profiling, Alex helps you identify and mitigate data risks. Alex can help you implement controls, automate manual processes and resolve data breaks.

How Alex really excels at getting you CPG 235 compliant and ready to report to regulators is via Automated Data Lineage which enables you to demonstrate the full movement and transformation. Alex Data Lineage can also help you to identify the cause of a problem with real-time impact analysis. For instance, if you notice that your users can’t access some data because no one has updated it then you should be able to figure out which user hasn’t done their job. To do this, all you need is a record of every time someone accesses or updates a piece of data, which is automatically captured in Alex.

Why is data lineage important?

The reason why data lineage is so important is that it visualizes the entire data flow from ingestion to egestion and helps to identify problems and issues in the way your enterprise handles its data.

Your enterprise may have a problem with data quality, security, privacy, governance or something else. The only way you can fix those problems is by identifying them first, and Alex Data Lineage helps you do this rapidly, at scale, in an automated fashion.

Data lineage can also help you to identify opportunities for improvement. For instance, if you find that many of your users are using the same data sets in different ways then it makes sense to create a new set of data with all the fields that they need and make it available to everyone.

Data Lifecycle and Disposal

To best comply with CPG 235, we recommend that you create data lineage diagrams for each of the critical, regulated business processes that touch data within your enterprise. The purpose of the diagram is to identify all of the systems and people involved in handling data and how it moves and transforms in your systems.

Alex Automated Data Lineage helps you map out each step in which data such as PCI information is processed from its point of origin through any manual touch points. Some of the world’s largest banks use Alex Data Lineage directly to report compliance with CPG 235 to APRA. Additionally, these lineage diagrams can reveal areas where manual data processing (which introduces risks such as error) can be reduced via automation. For example: If an employee manually enters data into multiple systems on behalf of customers, they should be able to do so using only one system instead. This way, all instances where customers’ PII/PCI is recorded can be kept together in one place rather than requiring multiple places where that information resides separately. The lineage diagram can also reveal any potential vulnerabilities in the process that could be exploited to access or modify sensitive data, enabling you to modify and tune access and usage controls.


Data is at the heart of every business activity, and data security has become a key concern for all enterprises but particularly financial services institutions. When it comes to ensuring compliance with CPG 235, organizations need a holistic approach that accounts for every stage in the data lifecycle. This means understanding where your data lives and how it moves through different systems. Reach out to us today for a free, personalized demonstration of how Alex can automate your CPG 235 compliance program today:

Request Demo