Asia looks to cloud computing - Risk.net

Author: Clive Davidson
Source: Asia Risk | 19 Dec 2012

Rapid technological advances mean that financial institutions in Asia are looking to cloud computing solutions as an alternative to investing in internal infrastructure. But regulators around the region are cautious about the potential pitfalls involved

The nature of microprocessor development is such that computer capabilities have doubled roughly every 18 months ever since microprocessors were invented more than 50 years ago. In addition to the improvement in individual chips, technologists have devised clever ways to organise them to give even more performance, such as parallel processing architectures and computer grids. The latest innovation is cloud computing: the creation of huge pools of processing and data management resources and making them available online and on demand.

Cloud computing promises enormous performance advances and cost efficiencies, and the transfer of all the headaches of systems implementation, maintenance and upgrades away from user organisations to cloud service providers. These are precisely the issues that many financial institutions are struggling with. Banks, hedge funds, asset managers, insurers and other organisations require ever greater computational power for applications such as counterparty credit risk analysis and economic capital calculation, while at the same time budgets are under intense pressure. As a result, keeping on top of technology advances is becoming increasingly challenging.

Given these challenges, a number of banks in the region are pioneering the use of cloud to support their operations, with Commonwealth Bank of Australia (CBA) and National Bank of Australia (NAB) leading the way. Some hedge funds and other buy side firms are following suit, finding in cloud a way of accessing powerful complex technology they would not be able to afford or manage in-house themselves. Cloud can even offer developing countries a means of leapfrogging the technology development process and taking immediate advantage of advance computing capabilities to create their market infrastructure.

Other institutions are more cautious, raising issues about data security, application control and systems reliability. Regulators in a number of jurisdictions, including Australia, Hong Kong and Singapore, have also expressed concern, and have issued warnings to institutions to look before they leap into the computing cloud.

The key concept of cloud is virtualisation. In traditional computing, an application – such as a value-at-risk (VaR) calculator – sits on a particular machine with its own processor, operating system, memory and storage. With cloud, all these elements are collected in a pool of resources and a ‘virtual’ machine is created that is tailored to the requirements of each user request and only for a long as needed, after which the processors, memory and other elements return to the pool.

In addition to providing virtual machines for specific applications, clouds can also be used to provide more generalised computing facilities, such as IT infrastructure or platforms (virtual machines that run a number of applications). Cloud resources are generally located in dedicated data centres and can operate as private clouds (proprietary to an organisation), or community (shared by a number of organisations), public (open to all) or hybrid clouds (such as private-community).

NAB is a third of the way through a multi-year multi-billion dollar technology transformation programme that includes establishing a substantial private cloud for IT infrastructure, platforms and applications. “Our approach is long term because in the past short-term decisions got banks into the current situation of having to deal with a mix of old and new technologies,” says Denis McGee, chief technology officer. NAB is developing its data centres in partnership with IBM, a leading cloud services provider. Among the benefits of the cloud approach is the reduction in total power requirements for hardware – now a significant cost for any major IT set up – as well as the ability to keep the technology independently up to date of the applications, and the speed and simplicity of providing virtual – as opposed to real – machines for new applications, says McGee. This latter aspect is particularly important in areas where time to market can be critical, such as trading and risk management.

CBA, meanwhile, says that moving to a cloud infrastructure enables it to get a virtual machine up and running for a new application in 90 minutes at a cost of just $150, compared with doing it internally in three weeks at a cost of $10,000. The bank, which spends nearly $1 billion annually on IT, has been moving applications into a private cloud for the past four years and says it has already saved tens of millions of dollars, and expects to save hundreds of millions more in the future by using cloud. Areas where cloud has been particularly effective so far are data storage and application testing and development, where the bank has been able to halve costs.

Last year, Westpac, in conjunction with Microsoft and New York-based pricing and analytics vendor Numerix, ran a pilot project to demonstrate how computationally intensive pricing calculations using Numerix software could be uploaded into Microsoft’s Windows Azure cloud. The pilot showed that what took more than five hours to compute on an in-house machine took less than 30 minutes in the Windows Azure cloud.

The elastic effect
The use of cloud to provide this type of ‘elasticity’ in processing power for ad hoc computational demands – either in short bursts for pricing instruments or longer stretches such as running periodic stress tests – is one of the key areas of interest for the financial industry, says Seattle-based Rupesh Khendry, industry solutions director for capital markets for Microsoft. Other major cloud opportunities include storing the huge volumes of data they now regularly generate, and becoming development and test environments for new applications.

In the latter case, a bank might want significant resources to test a major new business programme, but only need it for six months. Its next development project, however, may require a very different configuration of resources. In this case, cloud can offer a far more efficient and cost-effective way of meeting these demands than conventional in-house architectures, says Khendry.

A number of other risk technology vendors besides Numerix are looking at cloud as a way of providing turbo boosts for calculations. For example, New York-based Risk Integrated has adapted its Specialized Finance System (SFS) risk management and reporting system for commercial real estate and project finance to run in the cloud. It has established a private-community cloud, as well as developed a facility called SFS Cloud-burst that can reach out into a public clouds, such as those provided by Microsoft, Google or IBM, for extra resources for high-intensity portfolio modelling.

Banks with in-house versions of the SFS typically install the system on 10-40 servers with internal infrastructure costs of hundreds of thousands of dollars, says Yusuf Jafry, chief technology officer (CTO) of Risk Integrated. SFS cloud-burst enables users to call up several hundred servers for a modelling session, paying only for the time they use them. Buying this amount of extra servers – that would sit idle for much of the time – is out of the question for banks. Meanwhile, having the performance elasticity of cloud means banks can run more comprehensive and detailed risk models, says Jafry. Although only recently introduced, the cloud-burst and cloud service versions of SFS are already being used by clients; in addition, Risk Integrated is in negotiation with an Asia-based institution to provide it with the SFS cloud service version.

One of the most successful commercial uses of cloud so far is by Apple to support its iPhone, iPad and App Store. By opening its iPhone and iPad platforms to third-party developers, Apple unleashed a tidal wave of creativity that extended the use of its phone for a myriad of business and leisure purposes, including a host of financial apps. New York-based Imagine Software has taken the platform and app concept and applied it to its Imagine Trading System. The company was already offering the portfolio and risk management system as a hosted service.

“We were sitting on all this technological capability and data [in the Imagine Trading System] but its potential was bottlenecked by the ideas and resources we had to tap into it,” says Steven Harrison, president and chief operating officer of Imagine. To overcome this bottleneck, the company introduced an open platform version of its software in July called Imagine Financial Platform (IFP) and the Imagine Marketplace app store. “It’s like we just hired thousands of new programmers around the world, each with their own motivations and expertise to build on top of our platform,” says Harrison.

One of the first to adopt the new Imagine apps is Hong Kong-based hedge fund Nine Masts Capital. It has used Imagine and third-party developers to help it create a number of apps for pre-trade compliance, management of borrowing and improvements in reporting. “As an adviser to funds and trading in a global market, there are a wide number of regulatory changes that require enhanced reporting and complex risk management,” says Elaine Davis, chief operating officer at Nine Masts. “The new IFP has significantly decreased the time it takes for us to get them running.”

The firm already has apps for Hong Kong short reporting and the US Form PF for hedge fund reporting. “We’ve also been able to use the system to create reports quickly for investors. As investors become more savvy in terms of risk, they have their own unique requirements in terms of how they like to receive data,” says Davis. In other words, she says, Imagine apps and the IFP provide a quick, low-cost way of producing the reports.

Warning signs
While Nine Masts, Imagine, Risk Integrated and the Australian banks are among those companies already demonstrating the potential of cloud in financial services, the technology is not without its issues –  and there a number of voices in the market that are urging caution in its deployment. Neil Bartlett, CTO at Toronto-based risk management system provider IBM Risk Analytics, points out that many mature conventional risk systems at banks have been optimised at every level to meet the intense computational demands of pricing and risk analytics.

For example, code is optimised for speed of execution, memory is fine-tuned and data is stored in ways that make it readily accessible during processing. Furthermore, highly efficient parallel processing architectures have been installed to exploit the inherently parallel nature of many pricing and risk applications, where the same process is often repeated many times with changing variables – such as in Monte Carlo simulation.

Because it virtualises hardware resources, cloud undermines this optimisation and can impose a performance penalty, says Bartlett. Risk analytics plucked out from an optimised environment and placed into the cloud today can suffer over a two times performance loss. But as Bartlett also points out, just 12 months ago the performance penalty was more than 20 times, which gives an indication of cloud technology’s rapid evolution.

Meanwhile, there are areas where the performance penalty can be acceptable, such as in the pre-production and testing phase of systems. “Pre-production is an emerging case for cloud because you don’t want to have large hardware resources dedicated to the process, although you still want to do some sizeable tests from time to time,” says Bartlett. It is worth nothing that CBA is a pioneer in this area and is already halving its IT costs by using cloud.

Other voices of concern come from the regulators. The Australian Prudential Regulation Authority (APRA) was among the first to raise concerns. In November 2010 it wrote to banks and insurers warning them that it viewed cloud computing as a form of outsourcing and that any approach must be “subjected to the usual rigour of existing outsourcing and risk management frameworks”, with board and senior management fully informed and engaged. Its key concerns were the potential compromise of a financial institution’s ability to continue operations and meet core obligations following a loss of cloud computing services. Confidentiality and the integrity of sensitive data (including customer information), and compliance with legislative and prudential requirements were other comcerns.

In July 2011, Wan Aik Chye, director and head of the specialist risk department at the Monetary Authority of Singapore (MAS), wrote in similar vein to all the financial institutions MAS supervises, reminding them of their responsibilities with regards to outsourcing – including the use of cloud computing. “In the case of cloud computing, financial institutions should be aware of unique attributes and risks, especially in the areas of data integrity, recoverability and confidentiality as well as legal issues such as regulatory compliance and auditing,” wrote Chye. “In particular, as cloud computing service providers typically process data for multiple customers, financial institutions should pay attention to the service providers’ ability to isolate and clearly identify their customer data and other information system assets for protection.”

Meanwhile, the Hong Kong Monetary Authority told AsiaRisk that it took a similar view and that its existing policy manual on outsourcing applied equally to cloud computing, particularly with respect to data ownership and protection.

Cloud advocates such as CBA and NAB say that although cloud presents some particular issues, many banks throughout the region have all kinds of outsourcing arrangements already in place and accepted by regulators, and that cloud is not very different in terms of compliance.

In addition, cloud service providers say they can help institutions overcome many of these concerns. Microsoft, for example, has data centres in most of the major jurisdictions in the region, which means it can help banks comply with the need to keep client data within local borders, says Khendry. Furthermore, the level of data security at the cloud providers’ data centres is often higher than institutions are able to implement within their own infrastructures.

This is certainly true for smaller, less technologically sophisticated firms. Davis points out that Imagine – with its dedicated data centres that serve a global community of users – is significantly bigger than Nine Masts. “We probably have a bigger risk that our facilities will become compromised than Imagine does,” she says. Furthermore, because cloud exploits the inherent resilience of the internet, it offers multiple access routes and high reliability. This was borne out in October when Hurricane Sandy struck the East Coast of the US where Imagine is based. “We had no availability issues at all with the Imagine service during the period of stress,” says Davis.

Imagine, as a major software vendor, may be a lot bigger than a hedge fund such as Nine Masts, but as Lehman Brothers proved, no financial organisation is too big to fail any more. Davis says that she is  less worried about issues around cloud computing than she is about the possibility that Imagine might go out of business. In that case, what would happen to Nine Masts’ data and apps? Would the firm be able to simply move them to another cloud services provider? This is APRA’s concern about the potential compromise of a financial institution’s ability to continue operations and meet core obligations following a loss of cloud computing services. It would also mean that cloud providers would have to ‘interoperate’, which in turn requires common technological standards.

The migration season
To address these and other concerns about cloud, a consortium of banks, corporates and other major IT users formed the Open Data Center Alliance (ODCA) in 2010. The Alliance’s steering committee includes NAB, Deutsche Bank, JP Morgan Chase and UBS. The ODCA’s aim is “to speed the migration to cloud computing” through the development of cloud computing standards, thereby avoiding vendor lock-in by encouraging interoperability between cloud providers.

One of the ODCA’s initiatives is to create common standard commercial frameworks for the implementation of cloud in individual industries that incorporate their specific regulations and laws. The ODCA is using the International Swaps and Derivatives Association’s Master Agreement model for derivatives transactions. The organisation hopes its frameworks will play a similar role in the growth of cloud computing as the Isda Master Agreements played in the growth of the OTC markets.

The use of cloud is likely to grow significantly in the coming years across the region. IT companies such as Microsoft and IBM are investing huge sums in the underlying technology, while many trading and risk system vendors besides Numerix, Risk Integrated and Imagine are enabling their systems to run in clouds.

In 2011, the Chinese government identified cloud as a strategic emerging industry and is supporting a number of pilot cloud projects – particularly in the financial sector. In addition, Japan, South Korea and India each have projects exploring cloud as a mechanism for delivering banking technology infrastructure services. Meanwhile, Daiwa Institute of Research, NTT Data and Fujitsu have been hired to design a new technology infrastructure for Myanmar and a source has told AsiaRisk that they are proposing to use cloud to help deliver it.

It may take a few more years, but there is no doubt that a strong cloud is settling in across the region’s financial sector.