One of Australia's main financial regulators has issued a blunt warning to the entire financial services sector about cloud computing services: the "innocuous" nature of the cloud could mask hidden concerns about offshoring.
The Australian Prudential Regulatory Authority (APRA) oversees banks, credit unions, building societies and insurance companies and, along with sister regulators like the Australian Securities and Investments Commission, is one of the main government instruments for maintaining the stability of Australia's financial system.
In an open letter to its entire constituency issued yesterday (PDF), APRA wrote that although the use of cloud computing was not yet widespread in the financial services industry, several organisations were considering or already utilising selected cloud computing services. Examples of the services companies were adopting included email, instant messaging, scheduling, collaboration and customer relationship management applications, the letter said.
"While these applications may seem innocuous, the reality is they may form an integral part of an institution's core business processes, including both approval and decision-making, and can be material and critical to the ongoing operations of the institution," wrote Puay Sim, the regulator's general manager of its supervisory support division.
Sim added that the institutions it regulated "do not always recognise the significance of cloud computing initiatives" and "fail to acknowledge the outsourcing and/or offshoring elements in them".
"As a consequence, the initiatives are not being subjected to the usual rigour of existing outsourcing and risk management frameworks, and the board and senior management are not fully informed and engaged," the public servant said.
APRA's letter stated that the institutions it regulates are required to consult with the regulator before they enter any offshore agreements involving "material" business activity, or where an arrangement, if disrupted, could have a significant impact on business operations or the institution's ability to manage risk effectively.
The risk assessment organisations are required to carry out before offshoring must include details of the location from which services are to be provided, among other details.
However, the nature of many cloud computing services means a location may not be strictly defined. A number of software-as-a-service providers do not precisely specify in which of their datacentres customers' data is being stored.
APRA's letter said that, to date, cloud computing proposals it had seen "typically lacked sufficient consideration" of factors such as the technology architecture used by providers, how sensitive information was stored and an understanding of the business processes involved.
Offshore cloud computing or software-as-a-service deployments among financial services companies in Australia remain rare, although many do operate offshore processing centres in countries like India. One example of a successful deployment has been Mortgage Choice's deployment of Google's enterprise Apps suite.
Large banks such as the Commonwealth Bank and Westpac appear to be focusing on roll-outs of what has come to be termed "private cloud" — datacentre modernisation and virtualisation techniques that provide many of the benefits of cloud computing but, being hosted in Australia, avoid any perceived data sovereignty and security issues.