On February 25, 2015, David Tanis, Manager of Information Systems and Frontline Analytics for Commonwealth Bank of Australia, was quoted during a Gartner Information Management Summit in Sydney as saying:
“The policy needs to be clear,” said Tanis. “We like our data managed by the company, for the customers and kept here in Australia.”
Also in late February 2015, the Bank of Queensland (Australia) announced that it was abandoning its Salesforce-based CRM system due to “a failure to meet operational and regulatory requirements” with the cloud-based computer system. The Bank took a $10 million write-off. Liam Walsh, the reporter at the Brisbane Courier-Mail who wrote this story, explained:
“Cloud-based systems and outsourcing of information-technology have previously been in the sights of the banking watchdog, the Australian Prudential Regulation Authority. APRA just last year, in a response to the Financial System Inquiry, said while it was not in favour of one technology or another, it had key concerns about cloud computing. These were for banks to be able to continue operations following a loss of cloud services, and issues surrounding confidentiality of data and meeting prudential requirements.”
“We work towards the MAS standards in Singapore,” ANZ chief information officer Anne Weatherston said, describing the challenge of operating in 32 geographies. “They’ve come out and said absolutely, categorically no cloud. APRA is not quite as prescriptive yet as MAS, but the APRA view is that we [Australia] will follow their lead.”
You might think that concern over cloud computing is “old-fashioned” thinking on the part of the Australian bank regulators. But Peter Horne, an Aussie financial technology executive, pointed us to the specific APRA regulation:
“Outsourcing/offshoring of data management responsibilities
47. Continued industry developments allow a regulated entity to more easily move data management responsibilities to service providers or other entities within a group (both on- and offshore). This increases the risk that data lifecycle controls may be inadequate, with problems potentially magnified when offshoring is involved. The possible causes of this increased risk include control framework variations, lack of proximity, reduced corporate allegiance, geopolitical risks and jurisdictional-specific requirements.
48. APRA expects a regulated entity to apply a cautious and measured approach when considering retaining data outside the jurisdiction it pertains to. It is important that a regulated entity is fully aware of the risks involved and makes a conscious and informed decision as to whether the additional risks are within its risk appetite.”
~ Page 13, Prudential Practice Guide CPG 235 – Managing Data Risk September 2013
Peter explained that what the Australian and Singapore financial regulators (and the financial industry) fear is U.S. government spying on their citizens’ bank accounts. He also pointed me to an earlier post he had penned in 2013, in which he predicted that the U.S. government’s insistence on its ability to implement back door surveillance without a warrant was going to severely damage the suppliers of cloud-based solutions that are headquartered in the U.S. Here’s an excerpt:
“[Twenty years ago, the US NSA] tried to make the use of an encryption chip called "Clipper" mandatory so that the US government could intercept foreign communications. Those efforts failed, but the delays meant that we could not start full scale eCommerce projects in Australia for over 2 years from when we could have started them, and it meant that we were at a competitive disadvantage to US companies… These shenanigans by the zealots of the US intelligence communities not only disadvantaged non-US companies; they were in serious danger of putting US companies at serious risk of losing their place in the new race. The US does not have the monopoly on knowledgeable, smart, and motivated technologists, and so people started to solve the problem for themselves…. I hope someone with some ounce of wisdom is thinking about this in the US government. The drums are banging, the technologists are activating, and the cypherpunks are printing new t-shirts. History tells us that if you keep going, you are going to find that those outside the US actually have the smarts and economic power to hit you where it hurts - in your tech industry. Things will slow down, tempers will go up, industry will get hurt, not a lot will be achieved, and you'll have to change, because if there is one thing America likes more than chasing boogie men, it is its industries making money and its people in jobs.
We don't have to go through this lesson again, do we? It's only been 20 years since the last time.”
~ Peter Horne, Cautionary Tales of Restrictive U.S. Internet Policies