One of Australia’s main financial regulators has issued a blunt general warning to the entire financial services sector regarding cloud computing services, saying that the “innocuous” nature of such services could mask hidden concerns about offshoring.
The Australian Prudential Regulatory Authority oversees banks, credit unions, building societies and insurance companies and, along with sister regulators like the Australian Securities and Investments Commission, is one of the main government instruments for maintaining the stability of Australia’s financial system.
In an open letter to its entire constituency issued yesterday (PDF), APRA wrote that the use of cloud computing was not yet widespread in the financial services industry, but several organisations were considering, or already utilising, selected cloud computing services — with examples including email, instant messaging, scheduling, collaboration and customer relationship management applications.
“While these applications may seem innocuous, the reality is they may form an integral part of an institution’s core business processes, including both approval and decision-making, and can be material and critical to the ongoing operations of the institution,” Puay Sim, the regulator’s general manager of its supervisory support division, wrote.
Sim added that the institutions it regulated “do not always recognise the significance of cloud computing initiatives” and “fail to acknowledge the outsourcing and/or offshoring elements in them” — which could be a risk.
“As a consequence, the initiatives are not being subjected to the usual rigour of existing outsourcing and risk management frameworks, and the board and senior management are not fully informed and engaged,” the public servant said.
The strongly worded letter — in which APRA also warns its ability to fulfil its duties as prudential regulator should not be compromised by cloud computing services — is not the first time the regulator has become enmeshed in the public eye for its views on cloud technologies.
In June, technology publication iTNews.com.au published an account by local company Perpetual Private Wealth, which had been attempting to host its customer relationship management systems in a Singapore datacentre — involving software as a service vendor Salesforce.com.
APRA’s regulations forced the company to draw up a risk management report, according to its general manager of strategic initiatives, Nathan Jacobsen, and get board approval for the project. But even then further concerns about data sovereignty popped up. iTNews.com.au reported, however, that other financial services companies were happy with APRA’s approach.
APRA’s letter states that the institutions it regulates are required to consult with the regulator before they enter any offshoring agreement involving what it calls a ‘material’ business activity — in other words, where an arrangement, if disrupted, could have a significant impact on business operations or an institution’s ability to manage risk effectively.
The risk assessment which organisations are required to carry out before offshoring must include details of the location from which services are to be provided — among other details.
However, the nature of many cloud computing services would appear to militate against a location being strictly defined in some cases. A number of providers of software as a service or on-demand applications, for example, sometimes do not precisely specify which of their datacentres customers’ data is being stored in, as they can be part of an amorphous global cloud.
In its letter, APRA stated that to date, assessments of cloud computing proposals that it had seen “typically lacked sufficient consideration” of factors such as the technology architecture used by providers, how sensitive information was stored and an understanding of the business processes involved.
The news comes as offshore cloud computing or software as a service deployments amongst financial services companies in Australia remain rare, although many do operate offshore processing centres in countries like India. One example of a successful deployment has been Mortgage Choice’s deployment of Google’s enterprise Apps suite. CommBank IT czar Michael Harte has previously spoken of the need to work with regulators on the issue of cloud computing.
Large banks such as the Commonwealth Bank and Westpac instead appear to be focusing on rollouts of what has come to be termed ‘private cloud’ computing technology — datacentre modernisation and virtualisation techniques which provide many of the benefits of cloud computing, but in a model that can be hosted in Australia, avoiding any perceived data sovereignty and security issues.