Singapore regulator casts doubt on banking clouds

Powered by SC Magazine

Too risky, says Monetary Authority of Singapore.

Banks considering using third party cloud computes for core applications are likely to meet strong opposition from regulators, according to an executive at the Monetary Authority of Singapore.

Tony Chew, director of technology risk at the Monetary Authority of Singapore told a security conference in the United States that regulators were unlikely to allow a bank to put customer data into the cloud without significant due diligence, pointing out that in Singapore such behaviour could be punished with a three year jail term and a hefty fine.

"[Cloud] vendors do not understand the regulatory system and laws applying to financial services," he told McAfee's Focus 2010 security conference in Las Vegas.

Chew also pointed to outages that have affected Amazon Web Services, Google App Engine, and Microsoft Azure, suggesting that there would be a huge loss of confidence in a bank that could not continue to process transactions.

Chew was also concerned by what he termed the 'nested cloud' - scenarios in which cloud providers use services from other providers to deliver a service. A hypothetical example would be an application offered by one provider that runs on virtual servers from Rackspace and uses storage from Amazon S3.

Chew pointed to disclosures in US SEC 10-Q filings by various cloud providers as examples of further cause for concern.

Rackspace's filing, he said, notes that the majority of its customers do not pay the extra fees charged for disaster recovery services. Rackspace customers have experienced interruptions in service, he said.

"How could a bank use such a facility?" he asked, noting that 10-Q filings by Google and (among others) contain similar disclosures.

While legal requirements differ between countries, regulators generally require financial institutions to demonstrate the reliability, availability, resiliency and recoverability of their systems.

In Australia, this process is overseen by the Australian Prudential Regulatory Authority (APRA) via a series of published guidelines.

The Monetary Authority of Singapore has also issued various sets of guidelines to financial institutions. Among its requirements is the mandatory use of two-factor authentication for online banking sevrices - which Chew said has practically eliminated Internet banking fraud in Singapore. He expects to add specific guidelines around cloud computing to the list in 2011.

The writer travelled to Las Vegas as the guest of McAfee.

Copyright © . All rights reserved.

Singapore regulator casts doubt on banking clouds
Top Stories
Windows 10 lands in Australia
Campaign to get business to upgrade kicks off.
NSW to build its own myGov
Service NSW digital profiles available by September.
Android bug leaves a billion phones open to attack
Hackers only need phone number to target devices.
Sign up to receive iTnews email bulletins
Latest Comments
Should law enforcement be able to buy and use exploits?

   |   View results
Only in special circumstances
Yes, but with more transparency