Granularity enters APRA’s cloud computing stance


blog Fascinating news arrives courtesy of iTNews (which does great cloud computing reporting) that the Australian Prudential Regulatory Authority appears to be shifting its historically antagonistic stance towards cloud computing technologies.

Those with long memories will remember that APRA, which regulates Australia’s financial services organisations, such as banks and insurance groups, has previously issued warnings about cloud computing, warning that the “innocuous” nature of such services could mask hidden concerns about offshoring. However, in a speech reported by iTNews this week, APRA appeared to take a more granular approach to cloud computing, with a data management guide pending and the group’s head of IT risk David Pegrem noting:

“The number one step is to understand and to be able to classify your data in order to understand what data is going out [to third-party service providers] and what level of sensitivity has to do with that data.”

This more practical approach from APRA to cloud computing reflects the approach which the banks are starting to take themselves. A few weeks ago, Westpac revealed, for example, that it was recently able to host some data in Microsoft’s Azure public cloud because no identifiable customer information had headed offshore.

As I wrote a few weeks back, the debate around cloud computing in Australia is becoming more granular and tactical as organisations gradually shift to a more mature understanding of this new class of technologies. In some ways, this is not a revolution, but an evolution; not a black and white scenario, but one of shades of grey. It’s good to see some recognition from APRA of this fact.

Image credit: Gareth Weeks, royalty free


  1. Not sure you could say APRA is antagonistic to cloud, if anything as the first (and possibly still only) regulator to actually put out a position statement on cloud meant that the issues that should be addressed around data sovereignty and security could be discussed properly. The guidance has allowed banks to realise they can talk to APRA about it and get some useful input. If anything their stance legitimises banks including cloud in their forward planning.

  2. Thanks, I agree you can read it as stern (although read other documents from APRA and in context this is a quite politely worded note), but as they said in the original letter there were already a number of existing guidelines that were pertinent to cloud, and the ‘easy to buy’ nature of cloud has meant that not all services being bought could be considered to have complied with the guidelines.

    What this would have meant for what is a relatively new industry is the first rogue or average service that collapsed with a bunch of data sitting in a Singapore/US data center would have torpedoed the whole ‘cloud banking’ push.

    We have been developing cloud based core banking (not just peripherals like email and collaboration) for over 3 years, and we follow the guidelines – especially 231, 232, and 234 – we are ISO27001 certified, and hold the data here in Australia, in top grade data centers. We don’t want people buying insecure, offshore systems, putting confidential data on them and then being surprised when it doesn’t conform to what are reasonable standards of prudence and security needed for banking data.

    While I recognise a lot of the commentary in Australia was negative about the APRA letter, it has helped our conversations with real buyers of cloud based banking systems, and in the international space many of our customers have commented on the fact that APRA’s thought processes were ahead of their own regulators – so some credit has to be given for attempting to at least consider the capability and guide discussion.


