BOQ's cloud computing experiment fails to clear hurdles

The Bank of Queensland's three-year offshore cloud computing experiment is over, costing the bank A$10 million.

BOQ chief executive Jon Sutton and chief information officer Julie Bale inherited the project from their predecessors, but a combination of "operational and regulatory" issues led to last week's announcement of the collapse of the project.

The bank first announced its plans to use the Salesforce customer relationship management cloud system in 2012.

The then CEO Stuart Grimshaw said that the CRM system would support front line sales staff, providing faster access to customer information and streamlining the number of procedures they had to handle from 128 to 42.

However, because Salesforce does not operate data centres in Australia, that customer data had to be held offshore, which in the end proved a bridge too far for BOQ.

In a statement to the ASX Sutton said the decision to cut loose the cloud CRM had been taken because it was not able to meet "operational and regulatory requirements". He said the bank would look at alternative CRM solutions, but did not specify whether those would be on-premise or in the cloud.

Changes to the Australian Privacy Principles in March 2014 upped the ante for most organisations holding personal information in the cloud. For BOQ, Australian Privacy Principles 5 and 8 would have posed a particular challenges to its cloud computing plans.

APP 5 introduced a new obligation to tell customers about any cross-border disclosure of information and, where possible, name the countries where the data was held. APP 8 states that organisations remain accountable for the protection of personal data even when it is processed offshore by a third party.

BOQ would also have been obliged to meet Australian Prudential
Regulatory Authority expectations that it apply a "cautious and measured
approach when considering retaining data outside of the jurisdiction it
pertains to."

While APRA-regulated entities can use overseas clouds, there is a checklist they are expected to work through to ensure their data stays safe.

Data sovereignty has exercised most organisations in the financial sector, with many choosing to use public clouds to host only website information that contains no personal information, while building internal private clouds to host sensitive data.

National Australia Bank, for example, has been working with IBM to construct an internal private cloud.

The computer industry has responded to clients' concerns about data being held offshore, with many companies such as Microsoft, Amazon Web Services, IBM and Fujitsu opening local cloud operations. In contrast, Salesforce still hosts all its Australian users' data offshore.

The arrival of locally hosted cloud services has made using public cloud more palatable for a number of banks; Commonwealth Bank was one of the earliest users of Microsoft's Australian Azure cloud while Westpac hosts some data in Fujitsu's local cloud.

ANZ's adoption of cloud computing, however, has been constrained by the patchwork quilt of regulation that it has to navigate thanks to its pan-Asian focus.

BOQ CIO Julie Bale could not be reached for comment about the bank's future CRM plans and Salesforce declined to comment on the situation at the bank.

The announcement certainly appeared to catch Salesforce on the hop. While the company declined to comment about the failed project, as recently as Friday the website advertising its March 10 user conference being held in Melbourne was still pointing to Jenny Devine, BOQ's social media manager, as a presenter.