On Tuesday, March 2, 2021, we hosted our Q1 webinar with the European Banking Federation (EBF) on the evolution of Cloud Banking. Melanie Posey (MP), Research Director, 451 Research and Julian Schmücke (JS), Senior Policy Adviser, EBF provided excellent insight into the state of cloud adoption. Below is a summary of the key takeaways and Q&A responses.
As customer interactions become digital by necessity, and as mandatory remote working becomes “normal,” public cloud adoption and migration have moved to the top of banking institutions’ C-suite agendas. In a world where business disruption is the rule and not the exception, banks need IT environments that are optimized to support change. Public cloud offers a range of cost, agility, and efficiency benefits, but it’s not just about technology. Cloud alternatives can help banks with both the business and IT transformations needed to lean into the shift to a digital economy and respond to disruptive shocks, such as the global coronavirus pandemic. Security, regulatory, and organizational challenges must be overcome, however, to ensure strict compliance frameworks are met.
1. Technology is evolving further from data cloud-based processes to Software as a Service (SaaS) and outsourcing of core banking processes. Are cloud-based outsourcing processes included in the perimeter of your initiative/forum? (JS)
The EBF Cloud Banking Forum aims to foster harmonization of the supervisory and regulatory framework for cloud adoption by financial institutions (FIs) in Europe. Avoiding detrimental fragmentation of the framework in different European member states helps banks adopt cloud solutions with a cross-border outlook, applying the potential in an economically viable and scalable way. Supervision of banks’ cloud consumption is based on the EBA Guidelines on outsourcing from February 2019. They address all outsourcing, going beyond cloud-specific services used by banks. While the EBF Cloud Banking Forum is aware of the different dimensions, its educational and technical guidance work looks at cloud-specific aspects and the respective requirements in the EBA Guidelines. Working together with the cloud service providers is a very fruitful cooperation, leveraging the cloud-specific expertise on all sides. EU observers, such as the European Commission, EBA, and ECB, kindly provide their perspectives as well.
As part of the approach, different cloud service models (such as SaaS) are differentiated from other models (Platform-as-a-Service, Infrastructure-as-a-Service (IaaS)), where relevant. Since a large number of European banks from multiple member states are contributing to the work, we benefit from different experiences regarding the functions migrated to the cloud. Applying a risk-based approach, discussions are quite aware of the differences in migrating services that are critical or important. As a continuous platform for engagement, discussions can follow the adoption of cloud in a sector. Where banks consider operation of core banking processes in the cloud, the educational and technical guidance work can be specifically helpful, supporting a proper risk-based approach under the regulatory framework.
2. How will cloud impact disaster recovery plans for the banking system? (MP)
Traditional disaster recovery is expensive, requiring redundant hardware and software, as well as networking and datacenter facilities and the associated costs of management and maintenance. Cloud-based disaster recovery can yield operational cost savings, enhanced resiliency, and improved business continuity. However, banks are likely to take a hybrid approach to disaster recovery and business continuity, as well – tapping into hybrid’s ability to facilitate movement of data across multiple environments as needed, leveraging public cloud as either a primary or backup destination for key data. Traditional enterprise-centric technology players, such as VMware, Dell, NetApp, and HPE, are working with the hyperscale cloud providers on DR/BC solutions for enterprise customers. In addition, FIs can also work with GSIs and MSPs that focus on the financial vertical and can develop solutions tailored to hybrid requirements.
3. How is regulation/proposed regulation affecting the banks’ adoption of cloud technology? Are there any concerns/safeguards regarding customer protection on the part of regulators? (JS)
Cloud computing has an inherent cross-border potential, providing capacities for digital innovation to financial entities with an opportunity to scale on demand. When banks consider the adoption of cloud computing under their regulatory obligations, they are aware that the supervisory framework at the European level (i.e., the EBA Guidelines on outsourcing) is to be implemented by the national competent authorities. Legal requirements under the Guidelines, open to interpretation, can be applied differently by supervisors in different jurisdictions. Detrimental fragmentation is the consequence. Where facing this fragmentation across a larger number of jurisdictions, scalability of cloud uptake by the financial sector is slowed down. This can somewhat disincentivise the adoption of the technology.
On the other hand, regulation can also foster harmonization at the European level. Proportionate requirements can provide the foundation for a common approach to core features relevant for cloud computing, most prominently operational resilience. The regulators understand a need for this harmonization, touching upon various aspects, such as cyber security and third-party relationships. The European Commission proposed in 2020 the Digital Operational Resilience Act (DORA). Information and Communications Technology (ICT) third-party provider services, including cloud providers, are addressed with effect on both providers and European financial entities as their customers. The new rules with an ICT-based focus enter into a field that already knows a number of existing requirements, e.g., the EBA Guidelines on ICT risk management or on outsourcing. One important aspect of the legislative work we see today is the proper alignment of DORA with the proven framework by the European supervisors. The EBF seeks to positively contribute to this discussion, seeing value in the Commission’s proposal when introducing a proportionate oversight framework for critical third-party providers.
4. How likely are BigTechs to be increasingly prudentially regulated (particularly in Europe) given the concentration and systemic risks they can pose to FIs? (JS)
The aforementioned DORA proposal is a clear and present dossier in front of the European legislator today. Negotiations in the Council Working Party and among parliamentarians are already ongoing. One dimension addresses critical third-party ICT service providers with a new oversight framework, thereby presenting BigTech companies in respective activities with new requirements. An oversight structure and competences for a new Lead Overseer are proposed. The set-up of oversight is based on cooperation with national competent authorities and their enforcement powers.
But the European Commission also addresses BigTech beyond the ICT dimension. A Digital Services Act package encompasses a single set of new rules applicable across the entire EU, focusing on BigTech platforms. The legislative proposal of the Digital Markets Act addresses large online platforms acting as gatekeepers. Regulation can help to secure fair competition in the market and deliver access modalities for infrastructure and data. The complementary Digital Services Act looks to enhance consumer protection, transparency, accountability, innovation, and competitiveness for online platforms within the single market.
Authorities and stakeholders alike are aware of the BigTech entrance in the financial market specifically. A large number of actors consider related issues, both for the business and the related regulatory framework. To give an example: the EBF engages within the International Banking Federation to look at possible policymaker responses to BigTechs in Finance. Results of these interactions and the IBFed’s work can be found in a report from 2020.
5. Do you think banks will eventually move to a public-only multi-cloud strategy? How can banks overcome security/regulatory concerns to fully move their core/customer-sensitive data to the public cloud? (MP)
Unlikely – nor do they have to in order to derive benefits from the public cloud. Hybrid environments enable banks to migrate front-office/customer-facing apps to public cloud environments, while keeping the data that these apps leverage in a private/on-premises environment. Making this work, however, requires orchestration across the on-prem and off-prem environments to ensure application performance and low-latency networking.
Other ways to reap key public cloud benefits (e.g., flexibility, agility, and reduced CAPEX) include: 1) Tapping into the cloud-like features that hardware vendors, such as HPE, Dell EMC/VMware, and NetApp, are integrating into their on-premises enterprise IT solutions, and 2) Using the hyperscalers’ hybrid “cloud-to-ground” solutions, such as AWS Outposts, Microsoft Azure Stack, Google Anthos, and IBM Satellite, which offer public cloud tethering (and, in some cases, disconnected private cloud usages) in the enterprise datacenter or other edge locations. However, if organizations want to fully move their core data to the public cloud, security/regulatory concerns can be addressed by geo-fencing data within specific hyperscalers’ availability zones.
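The geo-fencing mentioned in this answer is, on AWS, normally enforced at the region level (each region contains several availability zones) with a Service Control Policy (SCP) that denies any API call whose requested region is outside an approved list. The following is an added example, not material from the webinar, 451 Research or the EBF: it builds such a policy and includes a deliberately simplified evaluator so the effect of the exemption list can be checked offline. The approved regions (eu-central-1, eu-west-1) and the list of exempted global services are assumptions to be replaced with the institution’s own requirements.

```python
"""Region geo-fence for an AWS organization, expressed as a Service Control Policy.

Added example (not from the webinar or from 451 Research / EBF material).
Assumptions: the approved regions and the global-service exemptions below are
placeholders to be replaced with the institution's own requirements.
"""
import fnmatch
import json

# Assumption: customer data must stay in these two EU regions.
APPROVED_REGIONS = ["eu-central-1", "eu-west-1"]

# Region-less ("global") services sign their requests with a region such as
# us-east-1, so a blanket region deny would break them. They are exempted via
# NotAction. Assumption: extend this list for other global services in use.
GLOBAL_SERVICE_EXEMPTIONS = [
    "iam:*",
    "sts:*",
    "organizations:*",
    "route53:*",
    "cloudfront:*",
    "support:*",
]


def build_region_fence_scp(approved_regions, exempt_actions):
    """Return the SCP document as a dict; render_scp() turns it into policy text."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyActionsOutsideApprovedRegions",
                "Effect": "Deny",
                # Deny every action EXCEPT the exempted global-service actions ...
                "NotAction": list(exempt_actions),
                "Resource": "*",
                # ... whenever the request targets a region outside the allow-list.
                "Condition": {
                    "StringNotEquals": {"aws:RequestedRegion": list(approved_regions)}
                },
            }
        ],
    }


def render_scp(policy):
    """JSON text ready to attach to an organizational unit."""
    return json.dumps(policy, indent=2)


def scp_allows(policy, action, requested_region):
    """Simplified evaluator for this policy shape only (Deny + NotAction +
    StringNotEquals on aws:RequestedRegion). It is not a full IAM evaluator:
    an SCP is a ceiling, so an allowing identity or resource policy is still
    required for the call to actually succeed."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        # The statement applies unless the action matches a NotAction pattern.
        exempt = any(fnmatch.fnmatchcase(action, pat) for pat in stmt.get("NotAction", []))
        if exempt:
            continue
        allowed_regions = stmt["Condition"]["StringNotEquals"]["aws:RequestedRegion"]
        if requested_region not in allowed_regions:
            return False  # explicit deny wins
    return True


if __name__ == "__main__":
    policy = build_region_fence_scp(APPROVED_REGIONS, GLOBAL_SERVICE_EXEMPTIONS)
    print(render_scp(policy))
    # Constructed sample requests to show the fence and the exemption at work.
    for action, region in [
        ("s3:PutObject", "eu-central-1"),   # inside the fence: allowed
        ("s3:PutObject", "us-east-1"),      # outside the fence: denied
        ("iam:CreateUser", "us-east-1"),    # global service: exempt, allowed
    ]:
        print(f"{action:20s} {region:14s} -> {'allow' if scp_allows(policy, action, region) else 'deny'}")
```

The policy is attached to the organizational unit that holds the data-bearing accounts, not to the management account (SCPs do not restrict it). Because an SCP only removes permissions, it is a guard rail against misconfiguration rather than a substitute for identity policies, and it does not cover data copied by means that are not an API call into another region, which the data-classification and service-configuration reviews still have to check.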
6. Do you think that cloud providers themselves could end up being regulated by financial services regulators? And, if this were to happen, would it provide clarity for cloud providers and financial services companies, or would it burden the industry? (JS)
Looking at the supervisory dimension, the DORA oversight framework under negotiation today may not target a formal supervision of BigTechs by the financial competent authorities. But its discussions of the Lead Overseer role for critical third-party ICT providers show that there is interest and support to establish more formal procedures to gain insights into operational resilience by the providers. This includes cloud service providers.
The EBF sees value in a more specific oversight of critical ICT third-party providers. Harmonization at the European level can certainly have the effect of more clarity. If designed proportionately, such oversight over the providers can also be of added value to the financial entities as their customers. However, the ability of financial entities to adopt technological solutions depends on balancing access to innovative CTPP services with cost and workloads imposed by legal requirements for digital operational resilience. Should the new oversight add, either directly or indirectly, to the burden on financial entities in terms of due diligence, compliance, or assistance of oversight’s later enforcement, the timely uptake of innovative service solutions by the European financial sector will be at risk.
7. To what extent is the multi-cloud adoption a function of different services or functions running in different clouds (e.g., Salesforce, Office 365, and a digital front end on AWS), rather than a single function or application utilizing parallel cloud infrastructures (which is expensive and duplicative)? (MP)
Real-world multi-cloud tends to be more about using different public clouds for different jobs. This includes using different SaaS providers for different business functions and/or using different IaaS providers for different workloads (e.g., AWS for customer-facing digital front ends; GCP for data/analytics/AI/ML workloads; Azure for SAP workloads; etc.). Use of multiple public cloud environments for a single workload/application is rare because it is expensive and difficult to maintain. That being said, the hyperscalers (with the notable exception of AWS) and vendors such as HPE and VMware are developing cloud management platforms that make it easier for organizations to operate multi-cloud environments, which could support parallel cloud infrastructures. But for most organizations, this is more trouble than it’s worth at the moment.
8. To what extent do regulators and banks need to adapt their thinking from a "BPO" type outsourcing world, where everything is very bespoke and clients can set their own policies, versus a public cloud world where they are consuming a standardised service offering based on global policies and standards? (MP)
In the BPO bespoke world of outsourcing, clients could indeed set their own policies, but this world was also expensive (because it was bespoke) and time-consuming. However, it was governed by ITIL standards and best practices, which made it easier for FIs and other firms in regulated industries to develop service management and IT processes that were measurable and auditable. Public cloud is a bit of a different story – the services (both the basic compute/storage building blocks and advanced capabilities, such as Artificial Intelligence/Machine Learning) are indeed standardized, but how enterprises implement and manage the components can be quite different. Similarly, the security, identity, and access management controls and policies that enterprises build into their public cloud environments can also be quite different. So, it’s not so much that regulators have to completely revamp their thinking about IT compliance in a public cloud world – the same principles apply. And the public cloud providers are helping by creating reference architectures for regulated industry and adding enterprise-grade governance and compliance controls to their platforms. While there is not yet an ITIL equivalent for public cloud infrastructures, there probably should be – regulators can work with the public cloud providers to develop these frameworks.