Analysis: Grey clouds hang over Australia's finance sector

Australia's finance industry is struggling to adopt public cloud computing, governed by a conservative regulator that judges every offshoring deal on a "case by case" basis.

The industry - watched over by the Australian Prudential Regulatory Authority (APRA) - is among those most keen to drive down IT costs using cloud models, under which computing resources are outsourced in an on-demand, pay-per-use model.

Among the industry's biggest cloud advocates is Michael Harte, CIO at the Commonwealth Bank, who predicts he could save his organisation up to 80 percent of its IT costs if purchased in an elastic, on-demand fashion.

"For too long infrastructure, software and some service providers have had the upper hand of lock-in, term deals, high pricing and underperformance," Harte told The Australian late last year.

"The traditional licensing business model is worn out and somewhat broken in the new cloud context.

"We can use our market-making presence to get services that are standardised, openly contestable and paid for on a unit price and per-unit consumption basis."

But to date, Harte and his peers have had little joy moving to this new model. The reality of cloud computing - as it stands today - is that the only players able to offer truly elastic cloud computing of a scale suited to the finance or Government sectors are hosting servers, storage and software in the United States or Singapore.

Australia's largest organisations - especially in Government and the finance sector - face regulatory difficulties when attempting to host applications and data hosted overseas.

Bruce McCabe, research analyst at KPMG said that among large organisations surveyed for his research, "every large ASX100 company struggles with the regulatory aspects of cloud computing."

The finance sector, he said, is "the most sensitive" to the issue.

First, organisations are worried about Australian law, such as PCI compliance for the storage of credit card information, or adherence to the National Privacy Principles, which requires an organisation's management to be accountable for where customer data is residing.

In the cloud, data can be shifted from virtual machine to virtual machine or even across data centres. CIOs would struggle to be able to vouch for exactly where a given file resides under such a model.

Domestic regulations aside, McCabe says organisations are just as concerned about the local regulations of any country where data resides under a cloud outsourcing agreement.

"CIOs are just as concerned about things like the [United States] Patriot Act," McCabe said. "The U.S. Government could access this data at any time and plenty of other countries have similar regulations.

"It's challenging as hell."

Subsequently, while Westpac, ANZ and the Commonwealth Bank have both looked at proof of concept trials for cloud computing technologies, none of the large finance sector organisations have taken to the public cloud model.

Bruce White, chief information officer at the Greater Building Society said commodity items like email or CRM "could certainly be put into the cloud and it would operate quite well."

But data sovereignty and security issues are holding him back.

"Certainly, in my position, I'm not able to put anything into the cloud at this stage."

Regulation

There are no explicit regulations preventing a financial services organisation from having its applications or customer data hosted by a third party data centre, regardless of international borders.

But APRA has published a series of guidelines as to the management of risk in any outsourcing agreement (see APS 231 [PDF], GPS231 [PDF], LPS 231 [PDF], PPG231 [PDF] and PPG 234 [PDF] for further reading) which renders the use of public clouds extremely difficult.

Broadly speaking, APRA asks that deposit-taking institutions (banks and other financial organisations) have a board-approved policy on outsourcing, and a risk management framework in place that includes provisions for country, compliance, contractual, access and counterparty risks.

If an organisation outsources to a local provider, it needs to notify APRA of a new outsourcing agreement within 20 business days. But if it wishes to outsource to a data centre hosted offshore, it must notify APRA first to "demonstrate" to the regulator that appropriate risk management procedures are in place.

The financial company must also include a clause in its service agreement with an outsourced provider that allows APRA access to the third party - a difficult barrier if a company is hosting data offshore or can't verify which data centre a particular data set is hosted in.

While fairly prescriptive, these guidelines leave the regulator in a position to determine whether a financial services organisation can outsource to a cloud provider on a case-by-case basis.

"It is a bit of a grey area at the moment, there's not a lot of black and white," says Bob Hayward, chief technology officer at IT services player CSC.

Hayward believes that the rate of uptake of cloud computing has "taken APRA by surprise."

"A year ago nobody is doing this, then one day all these customers are looking to the cloud," he said.

Read on to Page 2 to learn about how how an IT manager was gagged over a cloud computing project...

Risk takers

McCabe said there has been modest levels of cloud computing adoption among Australia's mid-sized organisations.

"Those organisations that do are aware of the fact that they are in a [regulatory] grey area, but really want to use services hosted overseas," he said.

Take Perpetual Private Wealth, for example, a mid-sized financial services organisation that is attempting to host its CRM systems in a Singapore data centre.

Perpetual's general manager of strategic initiatives Nathan Jacobsen included Salesforce.com as part of a wider revamp of the wealth management firm's systems.

Jacobsen went through most of the hoops required by APRA, drawing up a risk management report and successfully gaining board approval.

But in a conversation with iTnews in April, Jacobsen revealed that APRA raised concern over data sovereignty with the company during a routine review.

"[APRA's interest] illustrates that doing this is unique. Even our regulators are not used to this," he had said at the time.

Within hours of the story going live, requests were made of iTnews to edit the story in light of APRA's audit.

Salesforce.com insists the project is going ahead, but Jacobsen has now been gagged from speaking to the press about the project any further.

Whether it is APRA cracking down or Perpetual's own self-censorship - one way or another, regulatory uncertainty has come into play.

Defending APRA

Not everybody in the industry is concerned by APRA's approach.

Take Real Insurance, which is currently renting Microsoft's Exchange system from the vendor's Singapore data centre.

Markus Strauss, head of information technology at Real said the insurance firm found APRA to be "reasonable and happy to engage with us."

"Our approach is to be transparent with APRA and disclose what we're doing," he said.

Strauss said Real Insurance didn't have any trouble with the regulator "on the basis that the services were not mission critical for operating the company or having an impact on customers.

"These are things we'll have to deal with as we look at [offshoring] line of business and mission critical systems," he said.

David Curran, executive general manager at the Commonwealth Bank was also comfortable with the level of regulation.

"We make sure that with any types of challenges in and around the cloud and data management space, that we're fully transparent with APRA," he told iTnews. "The governance of our data is clearly articulated, well defined and rigorously followed."

Neither Strauss nor Curran desired a clearer line between what is acceptable to the regulator and what is off limits.

"If I was APRA, I would be reluctant to draw a line," Strauss said.

"They should look at this on a case-by-case basis. Locking in a blanket rule is probably not the right way to go. The onus is on us to be transparent with APRA and work with them - to demonstrate what we are doing is safe and beneficial, to ensure their concerns are addressed. I wouldn't expect APRA to say: X is OK and Y is not."

Curran said APRA has to work on a case-by-case basis to keep up with the pace of change in technology and business.

"The issue you would have in being in technology is that things change every day, policies and procedures," Curran said. "Would the line be the same today as it is tomorrow? It has to come down to governance and the policies you apply and the application of that to your data - and that is very clear."

Hope for a local industry

KPMG's McCabe asserts that any uncertainty over the legalities of hosting the applications of the finance sector in public clouds is "a good story" for the local IT industry.

"The key outcome from our research is that organisations want to take advantage of the cloud - they see the benefit, but they want infrastructure hosted within Australian borders," he said.

"Some of the [financial sector CIOs] have been quite vocal about this," agrees Hayward, himself a former analyst. "They have expressed some frustration at how long it has taken to get this kind of offering hosted in the local market."

McCabe concludes that the cloud "isn't airy fairy stuff anymore."

"There really is a significant opportunity in the local market to base cloud infrastructure from within our borders," he said. "I see it as inevitable that a local cloud computing industry emerges and has a healthy market."