Dear APRA: Cloud Is Not the Boogeyman!
We’re experiencing a time of unprecedented growth in enterprise cloud adoption and yet some still regard the cloud as a cybersecurity boogeyman, conjuring up an image of evil, long-haired, goatee-sporting hackers gleefully rolling around in a bed full of ill-gotten data .
Cloud has become mainstream: both the private and public sectors have confidence that cloud delivers the cost-effectiveness, agility and security necessary to support on-going digital transformation. However, there is still a lack of awareness among some regulators and senior decision makers around the cloud’s nature and associated risks. These misunderstandings inhibit the adoption of cloud services and jeopardise the viability and competitiveness of Australia’s financial sector .
As disruptive technology in financial services continues to challenge existing business models, Aussie financial institutions are being forced to innovate and stay ahead of the curve. However, their digital transformation journeys are greatly hindered by bureaucratic, outdated, opaque and, ultimately, misguided regulatory hurdles. This is a particularly significant pain point at a time when Innovation & Science Australia (ISA) released a report on Australia’s innovation, science and research system  that highlights the ominous state of Australia’s innovation performance in many areas compared to other OECD countries and the need for radical action in order to produce the globally-scaled Australian companies that will create wealth and increase productivity.
Is APRA stuck in a time warp?
CIOs in all sectors recognise that cloud isn’t just a cost-saving exercise: it has immense benefits and its adoption is essential to delivering the flexibility and innovation needed to respond to critical business requirements quickly, securely, sustainably, and with minimal capital expenditure.
By 2020, 92% of workloads globally will be processed by cloud data centers and cloud workloads will more than triple over the same period. Australian enterprises are boosting their usage and increasing their spend on public cloud Infrastructure-as-a-Service (IaaS) - the Australian IaaS market is forecast to reach over A$1 billion by 2020 and more than half of Australian CIOs are planning to invest more in IaaS in 2017  as they seek to take advantage of the cloud’s economies of scale to build core applications .
In the Australian financial services (FS) sector, firms are required to comply with certain prudential standards and consider the Australian Prudential Regulatory Authority’s (APRA) Information Paper on “shared computing services (including cloud)”, released in July 2015, which takes us back to a time when fear of cloud computing was the norm .
According to APRA, some outsourced services carry a “heightened inherent risk” depending on certain factors. Most of these factors would usually apply to public cloud services and therefore require FS institutions to: (a) employ significant risk management and mitigation techniques to meet their prudential obligations when they consider, implement and run cloud services; and (b) consult with APRA prior to implementing the cloud, including sharing all internal governance and risk assessment documentation with APRA in the process.
As EY have noted, APRA’s underlying approach makes public cloud transitions an uphill struggle and far too cost-prohibitive and complex to be a viable commercial option for some regulated entities. FS players noted in response to the APRA paper that "the regulator seems to be stuck in a time warp, where globalised, multi-tenant technologies are forever trapped as new entrants. Where it all breaks down...is with APRA’s assertion that IT risks are dramatically ramped up when using contemporary outsourced approaches. They just aren’t. Software built by global technology leaders with active clients in every major market in the world is much less risky than software coded and tested "by hand" by developers locally. The best enterprise cloud solutions are more resilient and lower cost, both of which are massively in the best interests of members. Understanding risk is a critical component of decision-making. But the inference that globalised, multi-tenant technology is inherently riskier than locally built and hosted systems is nonsense” .
Giant Australian financial services firms like National Australia Bank (NAB) , SunCorp and Commonwealth Bank of Australia (CBA) shifted to the cloud between 2012 and 2014. CBA’s former CIO, Michael Harte, was majorly pro-cloud. In 2012, Mr. Harte said that common anti-cloud excuses regarding security, regulation and cost were “absolute garbage” . According to Harte, CBA’s cloud shift resulted in 40% savings on services costs across the board, including halving storage, app testing and app development costs. CBA’s $1.25 billion  technology investment has paid off, dramatically improving operational efficiencies and introducing a range of digital initiatives to significantly improve customer service. NAB also said that its cloud switch, announced in 2013, saved the bank nearly 250% on technical operating costs and reduced almost 90% of all incoming internet traffic into NAB's data centres.
FINRA is leading the way
Elsewhere, regulators seem to be taking a pragmatic pro-cloud approach. In the US, AWS reports that many financial services firms have been lured by the cloud , with Capital One Financial expected to migrate many core business and customer applications to AWS and using serverless technology; Intuit, whose tax and payroll software exposes it to strict regulations, moving completely to the cloud, and FINRA (the US Financial Industry Regulatory Authority) migrating all of its critical systems to AWS in a bid to analyse a whopping 75 billion trades per day .
FINRA is the largest independent regulator of securities firms doing business with the public in the US. Its mission is to “pursue investor protection and market integrity” and it oversees virtually every aspect of the US brokerage industry - about 4,100 brokerage firms and approximately 634,000 brokers. FINRA processes in one day the magnitude of data that Visa and Mastercard process in six months, amounting to trillions of records and about 20 petabytes of storage.
FINRA opted for AWS and ditched proprietary infrastructure, leveraging massive processing and storage at large scale and commodity costs, as well as better absorbing 'flash crashes' and other extreme market events by automatically spinning up tens of thousands of nodes on demand and then tearing them down. Steve Randich, FINRA’s CIO, talks about FINRA’s bold move in shifting its “centre of gravity” to the cloud (prompted by the 2010 ‘flash crash’ and the SEC’s push to improve its market surveillance and oversight) . Randich notes the amazing performance benefits of the cloud journey which delivered a 400x improvement in interactive queries compared to the previous platform, with searches that used to take hours now done in seconds and milliseconds, all resulting in enhanced market oversight and investigatory powers for the Wall Street regulator. FINRA notes that its cloud switch was premised on the following:
- cyber security is better in the cloud than it is in privately-managed data centres;
- resiliency is superior in the public cloud compared to on-premise environments given that data is processed ubiquitously and virtually across multiple data centres;
- public cloud is significantly more cost effective as it avoids owning, managing and supporting commodity hardware. As Mr. Randich notes, private cloud is often pushed by people who want to stay within their comfort zone and want to do it all internally to maintain control.
FINRA took an unconventional approach in that mission-critical, data-intensive systems were moved first. FINRA’s move to the cloud wasn’t a simple 'lift-and-shift'. It rethought its data, storage, and compute architecture for elastic environments, as well as its people and processes, to embrace DevOps. This translated into a tidy savings of $1 million annually .
In the UK, the Financial Conduct Authority (FCA) issued guidance in July 2016 which gave the green light to cloud technologies and expressly alludes to the cloud’s merits: increased flexibility and access to innovation for the benefit of firms, their consumers and the wider market. The FCA said it sees “no fundamental reason why cloud services (including public cloud services) cannot be implemented, with appropriate consideration” in a compliant manner. Indeed, Tesco Bank adopted AWS cloud as 'business as usual' in eight months  and HSBC announced only two weeks ago that it has gone live with its first major cloud deployment, revamping a number of its back office processes using Oracle Cloud , to name a few.
The global cloud landscape in 2017
Earlier this month, AWS  posted US$3.53 billion in revenue for the fourth quarter of 2016, up 47% from last year. Cloud growth is also reported  to have boosted Microsoft’s financials, with Microsoft’s commercial cloud business pulling in US$14 billion in revenues per year. As more global providers (such as AWS, Microsoft, IBM and Rackspace) have extended their infrastructure to Australia, the data residency argument for not using cloud has clearly waned.
Similarly, some global cloud providers have gone to considerable efforts to demonstrate that they have addressed the market’s data protection and data security concerns - they enable data storage in one chosen country, provide highly secure services through compliance with global and local security standards and have robust independently verified security credentials. They’ve also developed “community clouds”, which are exclusive to consumers with common regulatory requirements, have terms and conditions that are compliant with the regulatory requirements of the relevant market, allow businesses to configure their cloud services to minimise lock-in and design their contracts and platform to allow customers an easy exit .
What’s next for Aussie FS innovation?
While the Australian financial sector has been quick to adopt new technology as it has emerged, large parts of financial firms' core operating platforms are still based on technology that is "increasingly dated, and not as integrated as it needs to be", said APRA chairman Wayne Byres . Mr Byres recently urged financial firms to continue to invest in maintaining back-end infrastructure and not be distracted by fintech’s “shiny new toys” as APRA were "...very keen to see investment in new technology by financial firms, because...it offers considerable benefit to the soundness, efficiency and competitiveness of the financial system."
It remains to be seen if APRA will catch up with its global peers and champion banking innovation. Will it follow FINRA’s example and go ‘all in’ with cutting edge technologies itself to ensure its own systems are more effective, secure and resilient? Should it not update the 18-months-old Information Paper or issue assurances on certain cloud providers?
The reality is that many global financial players are fully embracing the public cloud without compromising security and compliance, and are achieving superior security and resilience. There is no reason why Australian regulators shouldn’t openly and clearly endorse appropriate, risk-aware cloud-first strategies and standardise the regulatory approval process to make it easier (and cheaper) for FS firms to focus on innovation for the benefit of all stakeholders. Moreover, the burden of proof should arguably shift to financial institutions (and regulators) still operating on legacy infrastructure to explain how they can continue to meet regulatory obligations and tackle the ever-present cyber security threats without moving to the cloud.
Regulators should act as business enablers, not as an expensive hindrance that sends the entire sector into inertia. ASIC commissioner John Price said recently that RegTech offered an “opportunity to move from a rear view mirror to a learning and predictive approach – to change the role (of regulators) from policeman to coach” . Hopefully, inevitable, fast-moving global market forces and the government’s drive to make Australia a top-tier innovation nation will prompt APRA to both modernise its own systems and help firms achieve the technological agility and operational efficiency that is critical for their future survival.
 http://blog.confluence.com/regulators-cloud/  https://assets.kpmg.com/content/dam/kpmg/pdf/2016/04/moving-to-the-cloud-key-risk-considerations.pdf  http://www.innovation.gov.au/event/how-australia-performing-innovation  https://www.telsyte.com.au/announcements/2016/11/22/cloud-uptake-in-australia-soars-with-iaas-spending-set-to-reach-1-billion-by-2020  http://www.cio.com.au/article/609560/6-trends-will-shape-cloud-computing-2017/  http://www.ey.com/Publication/vwLUAssets/EY-law-privacy-and-security-update-november-2015/$FILE/EY-law-privacy-and-security-update-november-2015.pdf  http://www.mortgagebusiness.com.au/breaking-news/8673-apra-s-take-on-cloud-computing-nonsense  http://www.theaustralian.com.au/business/technology/nab-eyes-big-gains-with-cloud-provider/news-story/73e2ec2de102df6a3a9e6f06f506b044  http://delimiter.com.au/2012/11/15/commbank-cio-is-major-cloud-fan/  http://www.computerworld.com.au/article/581754/cba-spends-big-continuous-innovation/  http://www.cnbc.com/2016/11/30/how-amazon-web-services-is-luring-banks-to-the-cloud.html  http://www.computerworld.com.au/article/611551/financial-regulators-use-aws-cloud-analyze-75-billion-trades-daily/  http://technology.finra.org/articles/video/aws-reinvent-2016-steve-randich.html  http://www.zdnet.com/article/finras-moving-hbase-to-amazon-s3-the-back-story/  http://www.computerworlduk.com/cloud-computing/how-tesco-bank-has-adopted-aws-cloud-as-business-as-usual-in-eight-months-3629767/  http://www.computerworlduk.com/cloud-computing/hsbc-completes-first-cloud-implementation-with-oracle-cloud-3653993/  http://venturebeat.com/2017/02/02/aws-posts-3-53-billion-in-revenue-in-q4-2016-up-47-from-last-year/  http://www.cio.com.au/article/613316/cloud-growth-continues-boost-microsoft-financials/?fp=4&fpid=40000  https://assets.kpmg.com/content/dam/kpmg/pdf/2016/04/moving-to-the-cloud-key-risk-considerations.pdf  http://www.investordaily.com.au/technology/40810-don-t-get-distracted-by-fintech-toys-apra?utm_source=InvestorDaily&utm_campaign=13_02_17&utm_medium=email&utm_content=1  http://www.innovationaus.com/2017/02/ASIC-plays-in-RegTech-sandbox