More truths revealed.....as usual APRA pricked up ears too late........
02 March 2015 7:14am
http://www.bankingday.com/nl06_news_selected.php?selkey=18265
The Bank of Queensland's three-year offshore cloud computing experiment is over, costing the bank A$10 million. BOQ chief executive Jon Sutton and chief information officer Julie Bale inherited the project from their predecessors, but a combination of "operational and regulatory" issues led to last week’s announcement of the collapse of the project.
The bank first announced its plans to use the Salesforce customer relationship management cloud system in 2012. The then CEO Stuart Grimshaw said that the CRM system would support front line sales staff, providing faster access to customer information and streamlining the number of procedures they had to handle from 128 to 42. However, because Salesforce does not operate data centres in Australia, that customer data had to be held offshore, which in the end proved a bridge too far for BOQ.
In a statement to the ASX Sutton said the decision to cut loose the cloud CRM had been taken because it was not able to meet "operational and regulatory requirements". He said the bank would look at alternative CRM solutions, but did not specify whether those would be on-premise or in the cloud. Changes to the Australian Privacy Principles in March 2014 upped the ante for most organisations holding personal information in the cloud. For BOQ, Australian Privacy Principles 5 and 8 would have posed a particular challenges to its cloud computing plans.
APP 5 introduced a new obligation to tell customers about any cross-border disclosure of information and, where possible, name the countries where the data was held. APP 8 states that organisations remain accountable for the protection of personal data even when it is processed offshore by a third party.
BOQ would also have been obliged to meet Australian Prudential Regulatory Authority expectations that it apply a "cautious and measured approach when considering retaining data outside of the jurisdiction it pertains to." While APRA-regulated entities can use overseas clouds, there is a checklist they are expected to work through to ensure their data stays safe.
Data sovereignty has exercised most organisations in the financial sector, with many choosing to use public clouds to host only website information that contains no personal information, while building internal private clouds to host sensitive data. National Australia Bank, for example, has been working with IBM to construct an internal private cloud.
The computer industry has responded to clients' concerns about data being held offshore, with many companies such as Microsoft, Amazon Web Services, IBM and Fujitsu opening local cloud operations. In contrast, Salesforce still hosts all its Australian users' data offshore. The arrival of locally hosted cloud services has made using public cloud more palatable for a number of banks; Commonwealth Bank was one of the earliest users of Microsoft's Australian Azure cloud while Westpac hosts some data in Fujitsu's local cloud. ANZ's adoption of cloud computing, however, has been constrained by the patchwork quilt of regulation that it has to navigate thanks to its pan-Asian focus.
BOQ CIO Julie Bale could not be reached for comment about the bank's future CRM plans and Salesforce declined to comment on the situation at the bank. The announcement certainly appeared to catch Salesforce on the hop. While the company declined to comment about the failed project, as recently as Friday the website advertising its March 10 user conference being held in Melbourne was still pointing to Jenny Devine, BOQ's social media manager, as a presenter.
Banks quietly shift to the cloud
By Brett Winterford
Dec 13 2010
http://www.itnews.com.au/news/banks-quietly-shift-to-the-cloud-241551
Commentary: APRA warnings too late for many.
Warnings from Australia's financial services regulator APRA may have silenced banks and Government agencies from speaking out about their cloud computing plans, but the regulatory pressure hasn't prevented projects from rolling out. Speaking to customers at the Salesforce.com conference in San Francisco last week, I was consistently asked to refrain from mentioning customer names.
ANZ Bank were publicly named among Salesforce.com's largest customers and I did meet some representatives from another big four bank on the floor that brushed aside concerns about APRA's stance on cloud computing. I was told, for example, that 10 of Australia's 12 largest financial institutions are Salesforce.com customers in some capacity – many of which had started on the path well before APRA pricked up its ears. But no customers in the finance or government sector were willing to speak on the record for fear of drawing undue attention by regulators.
Lindsay Armstrong, executive vice president for Salesforce.com in the Asia Pacific region told iTnews that the earliest adopters of the company's platform in Australia were the telecommunications and financial services sectors. But when it came to naming any – aside from a staff ideas blog used by Telstra – Armstrong said there was "nothing we can comment on."
Wealth management firms appear to have adopted Salesforce.com's tools with vigour – with both Perpetual Wealth Management and ANZ's wealth management arm OnePath (formerly ING Australia and Mercantile Mutual) signed on as customers. Daniel Burton, senior vice president of global public policy at Salesforce.com told iTnews that both "banks and Government agencies are adopting cloud computing wholesale" even as regulators were raising concerns about data sovereignty and location. Burton told iTnews that there was no law in Australia that prevented customer data from freely flowing offshore.
Andrew Milroy, vice president of Frost and Sullivan's ICT practice suggested a simple explanation for the gap between high adoption rates and the willingness of customers to speak out about their experience. Cloud computing "has been adopted by stealth," he said. "It's not so much IT departments saying we're going to throw our Oracle or SAP out and bring in Salesforce.com," he said. "What we're instead seeing is shadow IT groups - business units - starting to adopt the likes of Salesforce.com within the companies. Then the IT department starts seeing what has happened and seeks to legitimise this, and start taking some control.
"The ANZ Bank has some Salesforce.com, CBA has some, most of the financial institutions in Australia have some Salesforce.com," Milroy said. "I can't tell you exactly for what process or to what degree because there is a huge degree of sensitivity around that at the moment. It's clearly something of a political issue in Australia, still."
Burton argued that data sovereignty is a non-issue. "Our experience to date is a customer will look at Salesforce.com, at our overall security and privacy policy, and once satisfied that we are a good steward of their information, they don't really care where the data sits in our system," he said. "They validate Salesforce as an entity, not this data centre versus that data centre." And Milroy agreed, saying that concerns over the location of data "don't make sense."
"There is no reason why organisations can't freely move data around as they choose," he said. "If you are a multinational company or if you have offices, premises, delivery centres in other parts of the world, there is no reason you shouldn't have your data reside wherever it suits you, provided you meet the obligations you have to your customers under agreements with your customers, and of course laws. "But there are no laws in place to prevent any organisation in Australia from having data reside offshore. To do so would be blunting the competitive abilities of those organisations in Australia."