ASIC's Position on Cloud Storage for Regulated Documents
Can you store ASIC-regulated documents in the cloud? Yes — but there are conditions. The regulatory guidance is clearer than most people realise, and most cloud providers meet the standard. Here's what it actually says.
What ASIC requires
ASIC's primary record-keeping requirements come from the Corporations Act 2001 and associated regulations. The key points:
- Records must be kept in writing in English (or readily convertible)
- Records must be available for inspection by ASIC on request
- Records must be maintained for the required period — typically seven years for financial services records
- Records must be tamper-resistant — you can't modify them after the fact without leaving a trace
The cloud question
Nothing in the legislation specifies where records must be physically stored. ASIC's published guidance confirms that electronic record-keeping, including cloud storage, is acceptable — subject to meeting the substantive requirements above.
In practice, this means: you can store regulated records with a cloud provider, but you remain responsible for ensuring they're retained, retrievable, and tamper-resistant. If your cloud provider goes bust, loses the data, or gets breached, ASIC holds you responsible, not the provider.
What to look for in a provider
For ASIC-regulated workloads, prefer providers that offer:
- Australian data residency — simplifies Privacy Act compliance and reduces regulatory risk
- Immutability or WORM-style storage — records can't be modified or deleted during the retention period
- Comprehensive audit trails — evidence of who accessed what, when
- Documented retention and deletion — the provider actually retains records for the full period and deletes them at the end
- A clear exit path — you can extract your records in a usable format if you need to switch providers
The tamper-resistance question
This is the one most cloud providers get wrong. A plain object store (S3, Azure Blob, Google Cloud Storage) can be configured with versioning and retention policies that meet the tamper-resistance requirement. But you have to actually configure them — the default settings typically don't. A virtual data room (VDR) with built-in immutable audit logging gets you there by default.
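An added example (not from the article, and not any provider's own tooling) of what "actually configure them" means for an S3-style object store: a checker that evaluates the bucket's versioning and Object Lock settings, plus a per-object check for the quarterly spot-check described later, against a seven-year COMPLIANCE-mode retention. It assumes the response shapes of boto3's get_bucket_versioning, get_object_lock_configuration and head_object, with all inputs constructed inline so it runs offline.

```python
from datetime import datetime, timedelta, timezone

RETENTION_YEARS = 7  # typical retention period for financial services records

def check_bucket(versioning: dict, lock_config: dict, min_years: int = RETENTION_YEARS) -> list:
    """Evaluate get_bucket_versioning / get_object_lock_configuration style
    responses. Empty list = versioning on, Object Lock on, and a COMPLIANCE
    default retention of at least min_years. Any finding is a gap."""
    findings = []
    if versioning.get("Status") != "Enabled":
        findings.append("versioning not enabled: overwrites and deletes leave no history")
    lock = lock_config.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock not enabled: records can be deleted at will")
        return findings
    rule = lock.get("Rule", {}).get("DefaultRetention", {})
    if rule.get("Mode") != "COMPLIANCE":
        # GOVERNANCE mode can be bypassed by principals holding s3:BypassGovernanceRetention
        findings.append(f"default retention mode is {rule.get('Mode')!r}, not COMPLIANCE")
    days = rule.get("Days", 0) + rule.get("Years", 0) * 365
    if days < min_years * 365:
        findings.append(f"default retention of {days} days is below {min_years} years")
    return findings

def check_object(head: dict, stored_at: datetime, min_years: int = RETENTION_YEARS) -> list:
    """Per-object check on a head_object style response. A bucket default only
    covers objects written after it was set, so a spot-check should confirm each
    sampled record carries its own COMPLIANCE lock past stored_at + min_years."""
    findings = []
    if head.get("ObjectLockMode") != "COMPLIANCE":
        findings.append(f"object lock mode is {head.get('ObjectLockMode')!r}")
    needed = stored_at + timedelta(days=365 * min_years)  # approximate, ignores leap days
    until = head.get("ObjectLockRetainUntilDate")
    if until is None or until < needed:
        findings.append(f"retain-until {until} ends before {needed.date()}")
    return findings

# Constructed samples: the out-of-the-box state versus a configuration that meets the bar.
DEFAULT_BUCKET = ({}, {})  # no versioning Status, no lock configuration at all
HARDENED_BUCKET = (
    {"Status": "Enabled"},
    {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                                 "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 7}}}},
)
STORED_AT = datetime(2022, 3, 1, tzinfo=timezone.utc)
LOCKED_OBJECT = {"ObjectLockMode": "COMPLIANCE",
                 "ObjectLockRetainUntilDate": datetime(2029, 3, 1, tzinfo=timezone.utc)}
UNLOCKED_OBJECT = {}  # an object uploaded before Object Lock was turned on
```

Run it against live buckets by feeding the real API responses into the two functions; the per-object check matters because turning on a default retention does not retroactively lock records already in the bucket.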
The financial services adviser rule
For AFS licensees, ASIC RG 104 applies. It specifically allows electronic records but requires them to be backed up, protected from unauthorised access, and readily retrievable. The practical test: if an ASIC investigator asked for a client file from three years ago, could you produce it within a reasonable time?
Practical advice
Don't overthink it. Pick an Australian-data-residency provider with proper audit trails and immutable storage. Document your retention policy. Run a quarterly spot-check to confirm records are retrievable. That's 90% of what ASIC cares about.