Banks quietly shift to the cloud

Commentary: APRA warnings too late for many.

Warnings from Australia's financial services regulator APRA may have silenced banks and Government agencies from speaking out about their cloud computing plans, but the regulatory pressure hasn't prevented projects from rolling out.

Speaking to customers at the Salesforce.com conference in San Francisco last week, I was consistently asked to refrain from mentioning customer names.

ANZ Bank were publicly named among Salesforce.com's largest customers and I did meet some representatives from another big four bank on the floor that brushed aside concerns about APRA's stance on cloud computing.

I was told, for example, that 10 of Australia's 12 largest financial institutions are Salesforce.com customers in some capacity – many of which had started on the path well before APRA pricked up its ears.

But no customers in the finance or government sector were willing to speak on the record for fear of drawing undue attention by regulators.

Lindsay Armstrong, executive vice president for Salesforce.com in the Asia Pacific region told iTnews that the earliest adopters of the company's platform in Australia were the telecommunications and financial services sectors.

But when it came to naming any – aside from a staff ideas blog used by Telstra – Armstrong said there was "nothing we can comment on."

Wealth management firms appear to have adopted Salesforce.com's tools with vigour – with both Perpetual Wealth Management and ANZ's wealth management arm OnePath (formerly ING Australia and Mercantile Mutual) signed on as customers.

Daniel Burton, senior vice president of global public policy at Salesforce.com told iTnews that both "banks and Government agencies are adopting cloud computing wholesale" even as regulators were raising concerns about data sovereignty and location.

Burton told iTnews that there was no law in Australia that prevented customer data from freely flowing offshore.

Andrew Milroy, vice president of Frost and Sullivan's ICT practice suggested a simple explanation for the gap between high adoption rates and the willingness of customers to speak out about their experience.

Cloud computing "has been adopted by stealth," he said.

"It's not so much IT departments saying we're going to throw our Oracle or SAP out and bring in Salesforce.com," he said. "What we're instead seeing is shadow IT groups - business units - starting to adopt the likes of Salesforce.com within the companies. Then the IT department starts seeing what has happened and seeks to legitimise this, and start taking some control.

"The ANZ Bank has some Salesforce.com, CBA has some, most of the financial institutions in Australia have some Salesforce.com," Milroy said. "I can't tell you exactly for what process or to what degree because there is a huge degree of sensitivity around that at the moment. It's clearly something of a political issue in Australia, still."

Burton argued that data sovereignty is a non-issue.

"Our experience to date is a customer will look at Salesforce.com, at our overall security and privacy policy, and once satisfied that we are a good steward of their information, they don't really care where the data sits in our system," he said. "They validate Salesforce as an entity, not this data centre versus that data centre."

And Milroy agreed, saying that concerns over the location of data "don't make sense."

"There is no reason why organisations can't freely move data around as they choose," he said. "If you are a multinational company or if you have offices, premises, delivery centres in other parts of the world, there is no reason you shouldn't have your data reside wherever it suits you, provided you meet the obligations you have to your customers under agreements with your customers, and of course laws.

"But there are no laws in place to prevent any organisation in Australia from having data reside offshore. To do so would be blunting the competitive abilities of those organisations in Australia."