Despite greater cloud adoption in Asia, many organizations remain fearful of the regulatory, data privacy and operational risks associated with cloud computing. How can they overcome these concerns in order to harness the speed, agility and KYC benefits of #cloudreadydata?
While some regulators are proactively clarifying outsourcing rules to provide a more enabling environment for cloud adoption in Asia, regulatory restrictions, including data localization requirements, still exist in many other countries in the region.
Cloud adoption contributes to improved data analytics, as well as more robust KYC and AML regimes, with organizations better able to detect fraud and criminal activity.
Data security risks mean it’s crucial that compliance teams have the adequate resources to implement a company-wide cloud strategy.
While Asia once lagged far behind the U.S. and Europe in its adoption of cloud computing, the region has now firmly embraced the technology.
Spending on public cloud services and infrastructure in the Asia Pacific (excluding Japan) is forecast to have exceeded US$15 billion last year, an increase of 36 percent over 2017.
Banking accounts for a significant chunk ($1.85 billion) of this spending, with a cloud computing strategy an increasingly critical element for the sector. Migrating to the cloud offers financial institutions new business opportunities, as well as increased efficiency and cost savings.
However, companies must weigh the business case against the potential regulatory, data privacy and operational risks — a topic that was discussed in depth at the recent Refinitiv Pan Asian Regulatory Summit in Hong Kong.
The case for cloud adoption in Asia
Cloud adoption has been driven by several factors in Asia.
Firstly, the opening of data centers across the region by major providers such as Amazon Web Services and Google Cloud has removed concerns associated with data offshoring, making cloud computing an easier proposition to sell to compliance teams.
Better bandwidth connectivity to emerging economies in the region has also made it easier to offer cloud services from hubs such as Singapore.
Secondly, banks are starting to embrace virtualization technologies such as virtual machines, which emulate real computers, or Docker containers, which provide virtualization at the operating system-level, to drive down costs and reduce their data center footprint.
Moreover, the risks of declining to move to the cloud have become clearer.
Power of data analytics
Cloud-based computing and analytics can provide the speed, agility and competitive edge that businesses need in the digital era. The cloud boosts the power of data analytics by overcoming the storage limitations of on-premise servers in legacy IT systems.
This allows financial institutions to derive benefits from data-driven insights when it comes to evaluating client risk profiles, managing relationships with customers and making HR decisions, including identifying high-performing staff.
The cloud also makes it easier for financial institutions to test products, services and system updates through sandbox mechanisms. Moreover, a new generation of cloud-based analytics can help institutions better detect fraud and criminal activity such as money laundering.
The compliance challenge
However, even as it becomes more deeply embedded in the corporate fabric, cloud computing remains a headache for compliance officers.
A Gartner poll in 2018 indicated that cloud computing was a chief concern for senior executives in risk, audit and finance, while the Pan Asian Regulatory Summit found that compliance professionals consider cybersecurity and data protection as the key barriers to cloud adoption.
Most banks in Asia are still in the first stages of cloud maturity, characterized by a preference for private over public cloud, mainly because of data privacy concerns.
It’s critical that migrating to the cloud is thought through from a systemic perspective and does not happen piecemeal. It’s not uncommon for shadow IT systems to spring up as more fast-moving teams unilaterally begin using cloud-based services without the knowledge or vetting of corporate IT.
This poses data security risks, which is why it’s crucial that compliance teams have the adequate resources to implement a company-wide cloud strategy.
Watch: What technology will transform the financial sector in the next 5-10 years?
Avoiding human errors
Companies also need to be acutely aware that using a cloud service provider is not traditional outsourcing. Clients and providers have a shared responsibility when it comes to the security and compliance controls your data is surrounded by and managed through.
For example, while the cloud provider will offer tools to encrypt data, it’s the company or financial institution that needs to know exactly what information to encrypt.
Many financial institutions worry about physical security at data centers operated by cloud service providers, but the weakest link is more likely to be a company laptop accidentally left in a coffee shop.
Educating employees about the value of the data they work with and carry around is extremely important, as is having controls in place to catch and minimize human errors when they occur.
Different regulatory frameworks
Regulators still play a pivotal role in facilitating — or inhibiting — the growth of cloud services. In Asia, some regulators are proactively clarifying outsourcing rules and guidelines, while restrictions and obstacles to cloud adoption still exist in others.
In its 2018 report, the Asia Cloud Computing Association singled out Hong Kong, the Philippines, South Korea and Singapore as places that had made progress in eliminating blocks to cloud adoption.
However, South Korean regulators still require financial institutions to seek approval before using cloud services, and that personal information is stored within the country.
India has recently required all payment service operators to store their payments data within Indian borders to allow unrestricted regulatory access. Indonesia has similar requirements.
China, on the other hand, has seen an enormous growth in cloud adoption, though cloud users continue to grapple with the government’s stringent information security and data onshoring requirements, especially for the financial services sector.
To comply with data protection regimes, companies will need to know where exactly their data is stored and processed. Europe’s General Data Protection Regulation, for instance, requires data to be stored in regions the European Commission has recognized as having adequate levels of data protection.
Cloud computing proves its worth
The differing regulatory frameworks in Asia account for why cloud adoption has been driven by the opening of data centers by service providers such as Amazon or Google in the region.
Knowing that your data is going to be stored in the same country your company is based in makes it much easier to comply with local laws.
It’s important to note, however, that data security is not a matter of physical location, nor is it necessarily quicker to access data stored locally.
While banks have more regulatory hoops to jump through than other sectors, cloud computing has already proved its worth to financial institutions.
Expect to see the sector shift more of its core banking systems — the software that supports a bank’s most common transactions like loans and account opening — into the cloud in the immediate years ahead.
For more information, read our Pan Asian Summit post-event report