Jul 21, 2015

APRA calls out cloud-computing risks for banks

The financial regulator has highlighted the new risks being created as the industry makes greater use of cloud computing to cut costs and compete with technology-based rivals.
In a paper published on Monday, the Australian Prudential Regulation Authority said more outsourcing was occurring in a way that involved the sharing of information technology (IT) assets, or cloud computing.
After conducting a review of these outsourcing arrangements, it also warned of several "weaknesses" in how the industry was managing the shift.
With banks eyeing cost cuts, one way to save money is to make greater use of IT infrastructure built and maintained by external companies, rather than a bank's own staff.
APRA, which regulates banks, insurers, and superannuation funds, said cloud computing was being used increasingly for "higher-order" services such as software, and this heightened risks for the industry.
"Risk-management practices, including risk identification and mitigation techniques, are still maturing for these types of arrangements, elevating the level of risk to APRA-regulated entities," it said.
Moreover, an APRA review had found several shortcomings, including: outsourcing proposals being driven purely by a desire to cut costs; business cases not taking proper account of the risks; and inadequate consideration of data security.
"In light of weaknesses in arrangements observed by APRA, it is not readily evident that risk management and mitigation techniques for public cloud arrangements have reached a level of maturity commensurate with usages having an extreme impact if disrupted," the paper said.
In a sign of these risks, Bank of Queensland in February wrote off $10 million on a new customer relationship management system, which was at least partly cloud-based, after it failed to meet "operational and regulatory requirements".
APRA also noted that cloud computing could bring benefits in the form of greater economies of scale.
APRA did not outline new prudential standards relating to cloud computing or outsourcing, but said that further guidance was worthwhile because of the recent growth in outsourced IT that involved shared computing services.
Research from Macquarie analyst Mike Wiblin last year highlighted the rise of cloud computing as one of several forces contributing to greater competition for banks from technology-based firms.
Cloud computing put powerful data analysis tools in the hands of smaller rivals to banks, and this added competition would prompt banks to overhaul their own IT systems, he said.
"It's no longer a situation where the major banks are the only ones that have highly capable IT systems," Mr Wiblin said.
PwC financial services leader Hugh Harley said that while APRA was not introducing any new prudential standards, it was effectively "putting everyone on notice that particular care needs to be applied".
"I think the main point is that this is an evolving area, so by definition, not all the risks can be known at this stage," he said.
APRA has also previously cautioned banks about keeping customers' financial data overseas as a result of offshoring – saying in 2012 it was an area of weakness in banks' data management policies.
