Banks face legal constraints in cloud computing

PHOTO: Banks face legal constraints in cloud computing

Businesses know they have to harness technology to keep up with the competition, but what if the laws restrict their ability to do so?

That is the question banks face today as they see other industries reaping the benefits of cloud computing services without being able to fully take advantage of it themselves due to strict data protection rules.

DBS chief innovation officer Steve Monaghan, who spoke on the issue at Cloud Expo Asia last week, noted that these regulations are there for good reason.

"Concerns about security, sanctity of customer data, for us as banks, of course that's absolutely foundational," he said.

However, these regulations mean banks risk falling behind competitors that are not bound by the same rules. These include online financial service providers such as PayPal and peer-to-peer lending companies, which are gaining popularity worldwide.

Mr Monaghan noted that banks are even facing stiff competition from companies whose main business has nothing to do with finance, such as Starbucks.

"Starbucks is the world's most successful mobile payment business. It's really a closed loop deposit currency, which is competing directly against deposits that could be held with banks," he said. What these competitors have that traditional banks do not is access to the low-cost scale, speed and connectivity that cloud computing offers, he added.

Banks are not forbidden from using cloud computing, but the rules are still fuzzy, said Gartner research director Arun Chandrasekaran.

"There is a strong pent-up demand for cloud computing in banks that is constrained by factors including the unclear stance of regulators and other supervisory bodies for the banking industry in most geographies," he said.

The Monetary Authority of Singapore's technology risk management guidelines include a short section on cloud computing. It notes that some cloud service providers host data for multiple companies, and their systems could allow "commingling" of data from different sources.

"Users of such services may not know the exact locations of servers, applications and data within the service provider's computing infrastructure for the hosting, storing or processing of information," the guidelines add.

As a result, banks here that use cloud computing at all are investing only in "private clouds" - installing data facilities within their own premises, said Frost & Sullivan analyst Andrew Milroy.

Mr Chandrasekaran said they also tend to use cloud computing for basic needs like e-mail, file sharing and notes management.

Stefan Security founder Stefanus Natahusada said this is probably comforting to bank customers, who would not want their data uploaded into a cloud.

But he and the other experts added that banks are missing out on the major benefits of "public cloud" - cloud services hosted by a third-party provider.

"Public cloud is cheaper. You pay for what you use, whereas private clouds require heavy capital expenditure," said Mr Milroy. "Public cloud also makes it easier for users to access data and IT resources from any device anywhere and it can better handle peaks and troughs in demand for IT resources too."

Mr Monaghan said the industry is working with technology providers and regulators to find security solutions and reach common ground on these issues. "I don't think those solutions are too far away. Within the next few years, they should be resolved."

Get a copy of The Straits Times or go to for more stories.