Australia's finance industry is struggling to adopt public cloud computing, governed by a conservative regulator that judges every offshoring deal on a "case by case" basis.
The industry - watched over by the Australian Prudential Regulatory Authority (APRA) - is among those most keen to drive down IT costs using cloud models, under which computing resources are outsourced in an on-demand, pay-per-use model.
Among the industry's biggest cloud advocates is Michael Harte, CIO at the Commonwealth Bank, who predicts he could save his organisation up to 80 percent of its IT costs if purchased in an elastic, on-demand fashion.
"For too long infrastructure, software and some service providers have had the upper hand of lock-in, term deals, high pricing and underperformance," Harte told The Australian late last year.
"The traditional licensing business model is worn out and somewhat broken in the new cloud context.
"We can use our market-making presence to get services that are standardised, openly contestable and paid for on a unit price and per-unit consumption basis."
But to date, Harte and his peers have had little joy moving to this new model. The reality of cloud computing - as it stands today - is that the only players able to offer truly elastic cloud computing of a scale suited to the finance or Government sectors are hosting servers, storage and software in the United States or Singapore.
Australia's largest organisations - especially in Government and the finance sector - face regulatory difficulties when attempting to host applications and data overseas.
Bruce McCabe, research analyst at KPMG, says that among large organisations surveyed for his research, "every large ASX100 company struggles with the regulatory aspects of cloud computing."
The finance sector, he says, is "the most sensitive" to the issue.
First, organisations are worried about Australian law, such as PCI compliance for the storage of credit card information, or adherence to the National Privacy Principles, which requires an organisation's management to be accountable for where customer data is stored.
In the cloud, data can be shifted from virtual machine to virtual machine or even across data centres. CIOs would struggle to be able to vouch for exactly where a given file resides under such a model.
Domestic regulations aside, McCabe says organisations are just as concerned about the local regulations of any country where data resides under a cloud outsourcing agreement.
"CIOs are just as concerned about things like the [United States] Patriot Act," says McCabe. "The U.S. Government could access this data at any time and plenty of other countries have similar regulations.
"It's challenging as hell."
Subsequently, while Westpac, ANZ and the Commonwealth Bank have each looked at proof of concept trials for cloud computing technologies, none of the large finance sector organisations have taken to the public cloud model.
Commodity items like email or CRM "could certainly be put into the cloud and it would operate quite well," says Bruce White, chief information officer at the Greater Building Society.
But data sovereignty and security issues are holding him back.
"I'm not able to put anything into the cloud at this stage."
Regulation
No explicit regulations prevent a financial services organisation from having its applications or customer data hosted by a third party data centre, regardless of international borders. However, APRA has published a series of guidelines to the management of risk in any outsourcing agreement, which renders the use of public clouds extremely difficult.
Broadly speaking, APRA asks that deposit-taking institutions (banks and other financial organisations) have a board-approved policy on outsourcing, and a risk management framework in place that includes provisions for country, compliance, contractual, access and counterparty risks.
If an organisation outsources to a local provider, it needs to notify APRA within 20 business days.
But if it wishes to outsource to a data centre hosted offshore, it must notify APRA first to "demonstrate" to the regulator that appropriate risk management procedures are in place.
The financial company must also include a clause in its service agreement with an outsourced provider that allows APRA access to the third party - a difficult barrier if a company is hosting data offshore or can't verify which data centre a particular data set is hosted in.
While fairly prescriptive, these guidelines leave the regulator in a position to determine whether a financial services organisation can outsource to a cloud provider on a case-by-case basis.
"It is a bit of a grey area at the moment, there's not a lot of black and white," says Bob Hayward, chief technology officer at IT services player CSC.
Hayward believes that the rate of uptake of cloud computing has "taken APRA by surprise".
Risk takers
There have been modest levels of cloud computing adoption among Australia's mid-sized organisations, says McCabe.
"Those organisations that do are aware of the fact that they are in a [regulatory] grey area, but really want to use services hosted overseas," he says.
Take Perpetual Private Wealth, for example, a mid-sized financial services organisation that is attempting to host its CRM systems in a Singapore data centre.
Perpetual's general manager of strategic initiatives, Nathan Jacobsen, included Salesforce.com as part of a wider revamp of the wealth management firm's systems.
Jacobsen drew up risk management reports and gained board approval. But in a conversation with iTnews in April, he revealed APRA raised concern over data sovereignty with the company during a routine review.
"[APRA's interest] illustrates that doing this is unique. Even our regulators are not used to this," he said at the time.
Within hours of the story, requests were made of iTnews to edit the story in light of APRA's audit.
Salesforce.com insists the project is going ahead, but Jacobsen has now been gagged from speaking to the press about the project any further.
Whether it's APRA cracking down or Perpetual's own self-censorship, regulatory uncertainty is in play.
Defending APRA
Not everybody in the industry is concerned by APRA's approach.
Take Real Insurance, which is currently renting Microsoft's Exchange system from the vendor's Singapore data centre.
Markus Strauss, head of IT at Real, says the insurance firm found APRA to be "reasonable and happy to engage with us. Our approach is to be transparent with APRA and disclose what we're doing."
Strauss says Real Insurance didn't have any trouble with the regulator as "the services were not mission critical for operating the company or having an impact on customers.
"These are things we'll have to deal with as we look at [offshoring] line of business and mission critical systems," he says.
David Curran, executive general manager at the Commonwealth Bank, was also comfortable with the level of regulation.
"We make sure that with any types of challenges in and around the cloud and data management space, we're fully transparent with APRA," he says. "The governance of our data is clearly articulated, well defined and rigorously followed."
Neither Strauss nor Curran desired a clearer line between what is acceptable to the regulator and what is off limits.
"If I was APRA, I'd be reluctant to draw a line," Strauss says. "They should look at this on a case-by-case basis. Locking in a blanket rule is probably not the right way to go. The onus is on us to be transparent with APRA and demonstrate what we are doing is safe and beneficial, to ensure their concerns are addressed. I wouldn't expect APRA to say: X is OK and Y is not."
Curran says APRA has to work on a case-by-case basis to keep up with the pace of change in technology and business.
"The issue you would have in being in technology is that things change every day, policies and procedures," Curran says. "Would the line be the same today as it is tomorrow? It has to come down to governance and the policies you apply and the application of that to your data - and that is very clear."
Hope for a local industry
KPMG's McCabe asserts that any uncertainty over the legalities of hosting the applications of the finance sector in public clouds is "a good story" for local IT industry.
"The key outcome from our research is that organisations want to take advantage of the cloud - they see the benefit, but they want infrastructure hosted within Australian borders," he says.
"Some of the [financial sector CIOs] have been quite vocal about this," agrees Hayward, himself a former analyst. "They have expressed some frustration at how long it has taken to get this kind of offering hosted in the local market."
McCabe concludes that the cloud "isn't airy fairy stuff anymore".
"There really is a significant opportunity in the local market to base cloud infrastructure from within our borders," he says. "I see it as inevitable that a local cloud computing industry emerges and has a healthy market."
-1.jpg&w=100&c=1&s=0)
.png&w=100&c=1&s=0)
