“Using third-party providers, including cloud providers, may bring benefits to firms such as cost efficiencies, increased security, and more flexible infrastructure capacity. These benefits can support more effective competition.” FCA, Finalised Guidance
The potential benefits of cloud for banks are compelling: ability to scale up IT capacity rapidly, to focus on the business and customers rather than system maintenance and upgrade concerns, reduce operating costs – and, importantly, enable the innovation banks need to ‘digitally transform’ their business so they can compete more effectively against traditional competitors and on more of a level playing field with the fintechs.
All very enticing. Yet, over the last decade there hasn’t exactly been a stampede towards banking in the cloud.
Security Initially a Concern
An initial reluctance was driven largely by security concerns. This was confirmed in our own surveys: in 2011, 50 percent of banks interviewed cited security as one of the biggest hindrances to movement to cloud.
It is, however, much less of an issue today, with the 2017 Temenos banking survey showing this figure had dropped to 22 percent. It is now widely accepted that the Hyperscale security processes and technology offered by leading public cloud providers such as Microsoft Azure, Amazon Web Services (AWS), and Google frequently exceed those of all but the largest banks.
In testament to this, the US Depository Trust and Clearing Corporation (DTCC), the main US securities clearing house that processes 100 million transactions per day, states it is “transforming trade processing and analytics using AWS.” The US Options Clearing Corporation (OCC) also announced plans in 2018 to move its operations into cloud computing to battle the threat posed by cyber-crime.
Regulatory Barriers to Adoption
Regulation was also seen as a barrier to adoption – for 39 percent of respondents to our survey in 2012, but but in our 2017 survey, that figure had fallen to 29 percent. Why is this? One reason is that regulators have engaged more with cloud providers and cloud adoption over the last couple of years, recognising that cloud is here to stay and acknowledging the positive role cloud plays in financial services. Indeed some regulators are themselves cloud users: the US Financial Industry Regulatory Authority (FINRA), for example, moved about 90 percent of its data volumes to the cloud, using it to capture, analyse and store a daily influx of 37 billion records.
The examples set by DTCC, FINRA and OCC are solid proof that regulators are much more comfortable with cloud for banks now.
But while they are definitely moving in the right direction, it is happening at a slower pace than many banks want.
Two main factors have exacerbated the situation: the absence of a single authority for cloud law and a lack of clarity in guidance given by the multiple authorities. The good news is that these challenges are being addressed.
The lack of harmonised regulatory approaches across different jurisdictions and regulatory bodies has complicated things for banks moving to cloud, as they have to consider multiple rules and regulations relating to data privacy and financial services. Within the EU, for example, regulations from the European Banking Authority are supplemented by local compliance requirements from member states.
Even within a country, there may be more than one regulatory or supervisory body to contend with. In the UK, for example, while the Financial Conduct Authority (FCA) clarified guidance for firms outsourcing to the ‘cloud’ and other third-party IT services in July 2018, stating in its September 2018 ‘Regulation round-up’: “Overall, we did not identify significant concerns,” the Bank of England’s Prudential Regulation Authority (PRA), which has different statutory objectives, continues to research the situation but has not come out with specific regulation on cloud to date.
This complexity has been acknowledged and is being addressed, with efforts being made now to reduce or align the differing regulatory jurisdictions on whose cloud guidelines banks rely.
For example, at the end of July 2018 the FCA announced in an amendment to its FG16/5 guidance that UK banks, building societies, designated investment firms and IFPRU investment firms should ignore its domestic guidelines and instead refer to the EBA’s Cloud Recommendations.
The Need for Clarity
The “guidance” issued by the regulators over the past two or three years aimed to set out best practice and expected standards – but it lacked clarity and left a good deal of uncertainty among banks as well as their cloud partners.
When the EBA issued new guidance on outsourcing to the cloud at the end of 2017, in a 78 page document, it was ‘principles-based’ and was challenged by banks and service providers for lacking the kind of detail they needed to ensure cloud polices were compliant.
The good news is that the EBA is responding to these concerns. It held further consultations to get additional feedback on its recommendations. The final document, planned for release in Q2 2019, will update the EBA 2017 recommendations and also the Committee of European Banking Supervisors (CEBS) outsourcing guidelines.
So definitely moving in the right direction.
A change in attitude from cloud providers also seems to be helping.
Cloud Providers More Receptive to Regulatory Concerns
The relationships between banks and third-party vendors such as the ‘big three’ (Microsoft, Google and Amazon) cloud providers are inevitably under scrutiny from regulators, as these companies are much less regulated than their financial services customers.
There appears to have been a shift from cloud providers to address regulators’ concerns over security, privacy and financial services regulation – alongside a corresponding willingness from regulators to work with cloud service providers on adoption guidelines.
Industry comment suggests that efforts are being made (by Microsoft and Amazon in particular) to recognise that their financial services customers have regulatory obligations that they must support. A good first step and one to build on.
The benefits of banking in the cloud are now recognised by regulators. The FCA statement in our introduction is an example of this. With security concerns receding and efforts being made by regulators to smooth the path to cloud, it is time for banks to feel more confident about investing in a cloud strategy.
And One More Thing…
It is perhaps ironic, given their initial concerns, that the regulators themselves are in fact partially driving the move to cloud: the scale of IT capability now required to comply with recent, more complex regulatory demands like FRTB, as well as to perform the sophisticated risk and pricing calculations expected today cannot be achieved cost-effectively on-premise..