Choosing your SaaS Partner: Culture and Regulatory Obligations

5 Minute Read

Stewart Davies
Stewart Davies – Commercial Director SaaS, Europe, Temenos

If you are still evaluating whether or not to embrace cloud migration, you are already behind 90% of companies, according to a study by 451 research and featured in Forbes magazine recently. But what is the acceleration in adoption? Gartner forecasts the end-user spending on public cloud services to reach $396 billion globally by the end of 2021 and grow 21.7% to reach $482 billion in 2022. Additionally, by 2026, Gartner predicts public cloud spending will exceed 45% of all enterprise IT spending, up from less than 17% in 2021.

“The European Cloud Computing Market size exceeded USD 35 billion in 2020 and is expected to grow at 15% CAGR between 2021 and 2028. Increasing demand for digital transformation of various industries across the region is likely to drive the industry demand. Various government agencies across the EU have invested heftily in cloud computing initiatives, augmenting the adoption of cloud-based services in the region.”

There are many good reasons businesses choose the Cloud over ‘old-fashioned’ ways of computing and data storage.

However, just like any other new technology, cloud migration comes with some fresh elements to consider, but in reality, they are fewer than most banks think. If banks deploy a range of protections and oversight measures, they can considerably reduce the impact of these considerations. The benefits far outweigh the limitations. Banks can now consume business services and not endure the costly overheads of running data centers—they no longer have to be infrastructure providers—they can remove the CAPEX of infrastructure build forever! This allows banks to move the cost to the P&L and recognize the costs as they grow.

Importantly in the open new world of APIs, banks can focus on their customers’ needs and make API journeys that are unique for their target market, crafting innovative new products to delight their customers. This is a significant step-change for a bank to move from delivering technology to delivering experiences.

Risk Assessment

In this section, I outline some considerations banks must consider to address risk and mitigation factors for cloud or SaaS projects. In their 2020 report, the European Central Bank’s 2020 edition of its ECB Banking Supervision: Risk Assessment Report (reported on by Finextra) identified the main risk factors that the Eurozone banking system is expected to face over the next three years. The report identified the three most prominent risk drivers expected to affect the euro area banking system over the next three years, which are: (i) economic, political and debt sustainability challenges in the euro area, (ii) business model sustainability and (iii) cybercrime and IT deficiencies. Points ii and iii can be directly and positively impacted by the use of cloud services, especially when you consider that these risks are increased by:

• The continued digitization of financial services
• The obsolescence of specific banking information systems
• The interconnection with third-party information systems

Financial services companies globally face the very same problems. According to a cybersecurity report by Boston Consulting Group, banking and financial institutes are 300 times more likely to suffer a cyberattack than other companies. A recent Accenture study found that the average cost of data breaches for financial services companies globally is $18.5 million per annum. Therefore, carefully picking your Cloud partner is crucial!

To protect and mitigate these risks, SaaS vendors need to provide an appropriate level of assurance. For example, Temenos continues to invest heavily in this area and attained the highest standards, including SOC1, 2 & 3 and ISO27001, 27017, 27018, 22301 standards across all of its cloud services in The Temenos Banking Cloud. The rigorous implementation of these standards, in combination with the FI’s oversight, helps banks to evidence their controls over the supply chain. The results of a bank risk assessment combined with the level of assurance provided by the SaaS vendor serve many aspects. They include: Security, Service Continuity and the treatment of personal data.

Based on more than 800 responses from IT professionals working in the financial services industry worldwide, another recent Infoblox report examined how the COVID-19 shutdowns challenged the financial services industry’s core infrastructure. Banks, insurers, and other financial institutions report costly consequences to falling short of protecting their massive data troves from cloud-based attacks and network disruptions more than one year into the pandemic. The Infoblox report also noted instances of the following:

  • Cost of Data Breach: Financial firms that experienced a data breach reported estimated average losses of roughly $4.2 million per attack, with US organizations hit hardest at $4.7 million in estimated losses.
  • High Cost of Cloud-Based Threats: The Cost Financial Services Companies an Estimated $4.2 Million in the US according to the MENA Report, Albawaba (London) Ltd., May 2021.Tentative Decision Making: The remedies are there, but some FIs are just not using them! It seems they need better advice.
  • Persistent Attacks and Threats on Systems: More than 50% of respondents to the above survey expect to face a combination of IoT attacks, cloud vulnerabilities, including misconfigurations and data manipulation attempts over the next 12 months.
  • Network outages also result in costly burdens: Institutions lose an estimated $3.2 million on average, with Asia-Pacific followed by European institutions carrying the heaviest losses at $4.3 million and $3.1 million, respectively. Selecting SaaS partners who take cloud services and add additional layers of security and governance leads to enhanced and shared benefits for banks. This is derived from the combined investment of both the cloud provider and SaaS partner.

So what can be done about these risks?

Setting Your Security Strategy

IT leaders need to take a vigorous role and are key in managing SaaS partners and agreeing on security strategies. Management needs to keep up with new legislation on data protection. For example, on 04 June 2021, the European Commission adopted new Standard Contractual Clauses (SCCs) for the transfer of personal data from the EEA to third countries.

Any contracts entered into after 27 September 2021 will need to use the New EU SCCs. Still, there is a transition period of 18 months to allow businesses and organizations to make changes to their contractual agreements so that contracts using the old EU SCCs and concluded before 27 September 2021 will remain valid until 27 December 2022.

The critical point to note from the above is that a SaaS contract needs to be a living document that naturally develops over time to take into account changes in law, security and governance standards. In a similar move in 2020, the California Consumer Privacy Act (CCPA) was introduced — and other privacy regulations in countries such as Brazil and India are expected soon. Companies need to be ready to meet regional data governance and residency requirements or face substantial penalties as companies work globally. For example, GDPR violations can cost companies up to €20 million or 4% of their total worldwide annual revenues, whichever is higher.

Move with your employees not against them

How do you prepare your company’s employees for such a significant change as moving to the Cloud? The bank’s culture is often overlooked, but it is vital to ensure that the bank organization is ready for SaaS from top to bottom. Post-pandemic businesses are now transitioning to the Cloud at an intense rate, adopting cloud solutions and deploying cloud environments into their infrastructures. However, to successfully transition to the Cloud, you need to prepare your employees for the shift and get them up to speed on the cloud solutions you plan. That will mean training them properly since cloud deployments work in a very different way to on-premise ones

One of the benefits of the Cloud is that you can use Temenos’ sophisticated software and Open banking architecture to spin up some significant innovations to your customer offerings. That is why you chose a cloud solution but making sure that your staff know the pace of innovation will mean that they have to step up to the plate more often and faster than usual!

The Role of regulation is changing – Get On The Side of the Regulators

From being the biggest sceptics against Cloud, regulators are now championing it since Cloud-based systems are more secure than traditional, bank-run data centers. The central banks and regulators, like Bundesbank in Germany, are recommending SaaS-based systems.

Banks that had already moved to the Cloud before the Covid-19 pandemic found it easy to change their customer services and offerings since they could do so remotely. Banks with on-premise data centres found it extremely difficult to effect change since they had to enter the data centres with the necessary physical pandemic restrictions. Remember now – the regulator is your friend – so stay on the right side!

Filed under:

Stewart Davies
Stewart Davies – Commercial Director SaaS, Europe, Temenos