‘Cloud’ is now mainstream in Australia’s banking sector


analysis It’s finally happened. After years of expressing concern about the privacy risks, regulatory challenges and technical inadequacies of the new clutch of technologies broadly known as “cloud computing”, Australia’s financial services sector has embraced the new paradigm wholesale. It’s about time.

It wasn’t that long ago that the words “cloud computing” represented something of a taboo for Australia’s big banks and insurance giants. In the context of stern warnings from regulators like the Australian Prudential Regulatory Authority and a strong history of maintaining their own physical IT infrastructure in all areas, this is one sector which didn’t jump on the cloud computing paradigm early. While other industries embraced technologies such as Salesforce.com, Google Apps and Amazon Web Services with aplomb, the land of cloud computing was one which, to Australia’s financial services giants, appeared cloaked in stormclouds.

You only need to search any of Australia’s major IT media outlets for “cloud” and “banks” to see this kind of pessimism in action. The most recent batch of anti-cloud sentiment was probably reported this time last year, when ANZ Bank chief information officer Anne Weatherston pooh-poohed the cloud phenomenon and said it could be another five years before Australia’s banks got serious about the cloud, but the anti-cloud sentiment started as early as 2007, when the Commonwealth Bank evaluated Google Apps and found it wanting.

I’ve covered enterprise IT in Australia for the best part of a decade now, and during that time I found it hard to imagine that we might see a major Australian bank using a software as a service platform such as Salesforce.com for a mission-critical purpose, for example; let alone platforms such as Amazon Web Services or Google’s Cloud Platform which have been the darling of startups almost since they were launched.

But something cracked this year in that steel gate of denial.

This month Amazon Web Services launched a dedicated datacentre in Australia to serve local clients. The foundation customer? None other than the Commonwealth Bank itself; one of the largest consumers of IT products and services in Australia, and one of the most anti-risk.

We now live in a world where the chief information officer of the Commonwealth Bank – a man personally responsible for spending billions of dollars on information technology – stood up in front of the entirety of Australia’s IT industry and said that he had had enough of all of the “excuses” which the industry had been holding the cloud back with for the past decade.

Security excuses for not moving to the cloud, regulatory excuses, financial excuses: According to Michael Harte, all of these excuses are “absolute garbage”.

And CommBank is reaping the benefits of using Amazon’s platform: to the tune, Harte told the AustralianIT this week, of tens of millions of dollars. Hardly pocket change: And you don’t have to be an accountant to imagine that the bank is one of Amazon’s largest Australian customers right now. And the bank is not the only major Australian financial services organisation to feel this way.

At a media briefing several weeks ago, National Australia Bank was singing from the same choirbook. In fact, the bank’s group executive of Group Business Services Gavin Slater and executive general manager of Enterprise Transformation Adam Bennett, couldn’t stop talking about the cloud.

NAB, the pair told media, now only paid for what it actually used in its IT infrastructure outsourcing contract with IBM. But it’s not just servers and storage that the bank is consuming from the cloud. It’s also telecommunications, where the bank has moved its huge enterprise contract with Telstra to a consumption-based pricing model as well, during its recent network consolidation.

Then there’s Oracle’s CRM on demand platform, which NAB is deploying to service its business banking platform. The platform is hosted by Oracle in Australia. And like CommBank, NAB is also getting its head around public cloud computing platforms, which it doesn’t host customer information on, but it does host marketing material from. Then there’s the way the bank has set up its entire private cloud infrastructure along environmental lines in an effort to contribute heavily to its carbon neutrality.

You’ll have to stop me there; I’ve rabbited on about what CommBank and NAB are doing long enough.

But allow me to talk a little about Bank of Queensland, which last month revealed it was deploying Salesforce.com as one of its new customer relationship management platforms for front-line staff, and how the bank recently told its investors that software as a service platforms would allow it to boost its flexibility and cut its capital investment in IT infrastructure.

Or, allow to talk a little about ANZ, which was already also using Salesforce.com, although Singapore’s regulators don’t appear too keen about the situation. Or about ING Direct, which has been so enthusiastic about Microsoft’s private cloud offerings that it decided to virtualise its entire core banking infrastructure in a so-called “bank in a box” model that allows it to deploy copies of its entire banking platform to developers for testing and development purposes.

Or what about Westpac, which already has its own private cloud and also uses Microsoft’s Windows Azure platform, as well as implementing a project to punt its collaboration platform into the cloud. The bank has even publicly discussed the potential to pool some IT infrastructure and applications between banks – for example, in the area of mortgage platforms, where the bank believes there is no competing advantage in the different platforms operated by the major banks.

To be honest, I could go on like this forever, but I suspect most of you would get bored; unless you work in banking IT infrastructure, in which case you’re probably making a note of all of these examples, so that you can demonstrate to your boss that everyone else is doing this kind of stuff and your particular organisation should be too.

So how and why did this happen?

Personally I don’t know for sure, but I suspect that it’s as simple as the fact that Australia’s major financial services organisations experimented with various cloud computing technologies over the past several years, and nothing much went wrong, apart from a few early bugs. Certainly I haven’t heard of any catastrophes involving mass customer data loss or huge outages.

Buoyed by early wins, I would surmise, Australia’s financial services giants further examined the business case for adopting cloud computing technologies in various areas of their businesses and found it so compelling that they couldn’t ignore the opportunity. And things progressed from there. Right now, I’m betting that most of Australia’s banks and insurers are looking to push everything they can into the cloud. In the absence of any examples of huge problems (the ‘excuses’ that Michael Harte talked about at the Amazon launch) and in the presence of the cloud’s compelling business case, there is no reason to do anything else. And what we’re seeing right now is the banks gradually going hog wild for the cloud.

The “tens of millions” of dollars in savings figure which Michael Harte threw around this week? That sounds like the very definition of what Gartner, in its legendary hype cycle, would describe as the “Plateau of Productivity”. I doubt many would have thought we’d be here this soon; I certainly didn’t just a year or so ago.

So what’s next? That’s the easy part. Government. With Australia’s financial services sector jumping on the cloud bandwagon, the next target for cloud computing vendors should be the nation’s departments and agencies, which have historically been even more risk-averse than the banks. We’re already seeing some early deployments of SaaS and cloud computing technologies in forward-thinking states such as NSW, and I’m sure that virtually everyone in IT management in any government agency in Australia right now is aware that they will need to integrate the cloud into their IT strategy for the next five years – or be left behind.


  1. This is a good roundup of things in the financial sector Renai … one can take harte that momentum is growing at the big end of town (to make a pun).

    It is interesting, however, to puzzle over why the Singaporean regulators have come down so solidly ‘anti-cloud’ … does anyone have any insights into this?

    My view is that what we are seeing in Australia is just a progressive shift in thinking as folks with a business outcomes hat on gain experience of early stage adoption and find that “cloud services actually are good”. It really then is just about taking a pragmatic view of the tradeoffs between the different sourcing options: in-house, shared services, outsourcing and cloud services.

    There are two main thrusts to the story: (1) Cloud services can actually be a better, faster, less expensive and less risky alternative to existing ways of sourcing selected infrastructure environments and applications … mainly due to the brutal economies of massive global scale. (2) Cloud services can also act as a catalyst and enabler of business innovations that are just not possible using traditional methods and solutions that are restricted within the enterprise firewall. This second story is the most important – and is all about breaking a cycle of executive thinking founded on ICT as a scarce and cumbersome resource and about living in the global networked digital economy. Think agile, think social and think mobile.

    Cloud services will be the core engine of the digital economy. Learning how to safely leverage the power of cloud services before your competitors will be a competitive advantage … not because it will reduce costs but because it will fuel innovation and productivity. Early adopters will work out to how provide new products and services that are only possible when the enterprise is an integral part of the digital economy … not just peering at it distrustfully through the letterbox slot of the enterprise firewall door.

    Sure, there are issues and challenges relating to data sovereignty, security and privacy … problems to be solved … but most enterprises really need to ask themselves some hard questions about how compliant and secure their ICT environment is today. As budgets tighten, assets age and the enterprise perimeter becomes ever more porous due to consumerization, BYOD, social networking etc. the challenges of maintaining high quality and secure in-house ICT capabilities are slipping away from all but the largest and best funded enterprises.

    Executives that stonewall cloud services are simply delaying the organisational learning that will be essential to their success in the digital economy … and to their very survival … IMHO ;-)

  2. “Sure, there are issues and challenges relating to data sovereignty, security and privacy …”

    For some especially Government Departments this is currently still the big issue against cloud computing , especially the reach of some other Governments. Any company with a US parent can be particularly vulnerable.

    That may or not be so bad but it is an issue one I’m not that happy with.

    • Ausgnome,

      For some agencies and some data this is a material issue, sure. Even so, however, we need to remember that if US intelligence agencies have a legitimate need to access your data then they will likely be able to do so via collaboration with Australian intelligence agencies.

      In any case, most government agencies are losing, or have already lost, the battle for perimeter security (read the audit reports …) so there is no general argument that “cloud is always less secure than in-house IT” … indeed early adopters have found that the opposite is true. I spoke at the DSD CyberSecurity conference in Canberra recently and the general mood on this was that we need to take a much more pragmatic view of these issues. One of the speakers described his experience as an invited hacker at DefCon18 (a social engineering hacking competition in Las Vegas). 25 major global enterprises were attacked … only one defended itself successfully … Google. Why? Because data and information security is core business for them … they have good technology and train their people well.

      If your agency’s IT budget is well funded, you have modern assets, your IT staff have up to date skills and you ensure that all agency staff are well trained in information management and practical data security … including defending against social engineering attacks … then you may not need to worry about cloud services. You are one of the lucky few “ICT self sufficient” agencies left. This situation, however, is becoming the exception rather than the rule.

      The problem is that most agencies like to sweep the inadequacy of their ICT capabilities under the carpet on a “lets just hope for the best” basis … hoping for a big project soon that can be used to fund a technology refresh. As budgets dry up agencies will need to think more creatively about how to source ICT capabilities. Not everything can or should go in the cloud … but some things can and this will relieve some of the funding pressure as well as being a catalyst for changing executive thinking about the benefits of standardised vs. customised systems. Its a forward looking leadership thing.

      There are already Australian agencies that are using public cloud services for mission critical applications – after full consideration of their compliance obligations. This is because they have taken a pragmatic assessment of the benefit/risk tradeoffs … and have concluded that the benefits are compelling and the risks are justified and manageable (or are less than in the alternative in-house, shared service or outsourcing IT project approach).

      My view is that the imperative is to learn how to secure data adequately in public cloud services rather than to assert in a casual (lazy?) way that it can’t be done. This is the journey the early adopters are on. My view is that the destination is well worth it because the constraints of the status quo are becoming all too apparent.

      • Steve

        I’m fine in general with the Cloud as such. In the area I am in the real setback as been the legal departments and politics that have held back adoption of cloud services.

        Although i’m not so sure the “Legitimate ” access part of your response, call me a conspiracy theorist but I do not think all the “Agencies” are pure and angelic and responsible.

        • The problem is caused by the fact that the legal, procurement policy and other compliance style folks have no accountability for policy or service delivery outcomes. Stasis, for them, is a good – low risk – outcome. The risk parameters stay the same as they are today … i.e. unacceptably high but well known.

          It takes leaders to have a vision of better policy and service delivery outcomes and to chase these against the head wind of those that view change as something to be resisted.

          The counter view is the “white blood cells” perspective. Compliance and risk folks are doing good work defending the public sector against “silly and risky” ideas from the private sector. The global financial crisis was, after all, caused by unbridled private sector adventurism. The public sector cannot afford this kind of moral and operational bankruptcy … teachers need to be in the classrooms, care workers need to be in the community, soldiers need to be in readiness, customs folks need to defend the borders, police need to be on the streets, the tax base needs to be protected, nurses in the wards etc. So, the compliance folks do have some valid arguments.

          The trick is for responsible outcomes-focused public sector executives to work out how to safely learn how to take advantage of innovations like public cloud services. Hands on experience is the best – and only – way. It cannot be an academic discussion …

          Solution? (1) Thought leadership – understand the big picture and encourage discussion about how to move towards where the future is already emerging (like this one). (2) Case studies – learn from the stories of early adopters. (3) Peer interactions – talk to your peers in other agencies that already have hands on experience of cloud services (4) Get safe and prudent hands on experience of cloud services yourself.

          Then you will know the facts of the benefit/risk trade-offs and be able to see data sovereignty and security issues in their proper context.

Comments are closed.