Public Cloud Potential Is Limitless
Banks are keenly aware of the digital potential of the public cloud—in which they contract an on-demand third-party provider over the public internet to get computing services and infrastructure that are managed by the provider and shared with multiple organizations. The benefits of large-scale cloud adoption for any company are numerous. For banks, the advantages can be a differentiating factor in their Darwinian race. We see several key benefits (see table 1).
Public Cloud Still Has Teething Troubles
Banks' use of public cloud is already commonplace for noncritical tools, such as those linked to marketing, human resources, data analysis, collaboration and content management, office tools, or customer relationship management, as data for U.K. banks shows (see chart 1). Across Europe, 88% of banks have used the cloud for these noncritical functions for about five years, according to the European cybersecurity agency ENISA. In Japan, the rate of cloud adoption for noncritical services is 100% for large banks and above 80% for tier 1 regional banks, according to Japan's financial services authority. In China, mega banks and joint stock commercial banks show adoption rates of over 90%.
However, for more critical applications in public cloud--particularly those involving personally sensitive data--and developing a transformational cloud infrastructure and strategy, which ultimately means using cloud as a business asset, banks are still at a trial phase. A 2018 survey by Accenture, a consultancy, found only 37% of banks had a cloud strategy execution roadmap and used key performance indicators to measure progress (see chart 2).
One clear illustration that banks are only in the early stages of cloud maturity is that they largely use hybrid cloud solutions (see chart 3). These combine on-premises tailor-designed cloud IT resources and infrastructure (so-called private cloud) with a solution contracted externally and shared by many customers (public cloud). According to IT management software company Flexera's "2020 State of the Cloud Report," 74% of firms surveyed (representing 750 global organizations) utilize hybrid cloud.
It is unsurprising that banks feel more comfortable running their critical highly sensitive IT infrastructure in-house rather than externalizing it. While public cloud offers banks numerous benefits in terms of costs and deployment, the private cloud allows them to maintain control of their own systems. Moving applications and data to the cloud comes with relevant challenges and responsibilities (see table 2).
Cloud-Supplier Concentration Risk Should Be Manageable For Banks
Although many regulators see single-name cloud supplier concentration as a growing concern, we think that larger banks are generally limiting these risks by adopting multi-cloud models, working with more than one provider. Data residency requirements can also play a role in reducing concentration risk on foreign providers and even encourage business opportunities for some.
In this context, the public cloud market has expanded rapidly over the past decade, last year exceeding the $240 billion mark, from less than $50 billion a decade ago (see chart 4). With just a few providers leading the race, this has led to a market that is quite concentrated (see chart 5), with most cloud-suppliers being from the U.S. Nevertheless, banks in most jurisdictions usually rely on these mature and well-known tech giants, which offer high security and compliance standards, as well as solid financial viability. Furthermore, we believe large banks are sufficiently mitigating potential concentration risks by working with at least two cloud suppliers, which also supports price and service competitiveness. Increased partnerships with multiple cloud suppliers will, over time, diversify banks' single-name concentration on its historical IT infrastructure partners. On the flip side, the multi-cloud approach is not always able to accommodate the whole range of proprietary features that each cloud provider offers.
In China, however, we are seeing a different trend. Banks tend to operate primarily with local public-cloud suppliers, and a few large banks have gone a step further and themselves become public cloud providers, as in the case of China Construction Bank Corp and China Merchants Bank Co. Ltd. Within the next few years, we think this could become the norm in many other countries, as banks face revenue pressure from structurally low interest rates and look for new revenue streams. In particular, large international banks with the technological resources and footprint to provide such services to smaller banks and nonfinancial corporations may expand into this business.
Outsourcing Digital Services Could Commoditize Banking Business
The fast-moving nature of the cloud has led to a long list of "as a service" solutions that banks can externalize. So far, it seems that Software as a Service (SaaS) appears most popular among banks (see chart 6). But other solutions, such as Infrastructure as a Service (IaaS), and Platform as a Service (PaaS) and Business Process as a service (BPaaS) may also make headway (see table 3). One effect of COVID-19 forcing banks to enable resilient remote working is that investment in IaaS and PaaS are likely to expand, particularly in the short term, according to research firm Gartner (see chart 7).
|Types Of Public Cloud Solutions Used By Banks|
|Software as a Service (SaaS)|
|Software that is available via a third-party over the internet on a subscription basis, allowing data to be accessed from anywhere.||Banco Santander hired cloud computing company Appian Corporation to migrate over 2,000 processes in its back-office retail Spanish operations to the Amazon Web Services public cloud. With its low-code software, Appian permits businesses--rather than developers--to write their own applications without other traditional computing programming, thus simplifying migration processes.|
|Platform as a Service (PaaS)|
|Offers an on-demand environment for developing, testing, delivering and managing applications over the internet.||BNP Paribas partnered with IBM to create a dedicated platform on IBM’s public cloud that could continuously benefit from economies of scale, research, and development offered by IBM. In this way, the bank’s application development and test operations run on the public cloud for rapid testing and deployment, although customer data remains in the private cloud. Additionally, IBM's cloud know-how brought a security framework with special compliance-control and encryption features, allowing the bank to meet stringent regulatory requirements.|
|Business Process as a Service (BPaaS)|
|The vendor supplies business process outsourcing solutions to companies to facilitate the delivery of products and services.||Standard Chartered Bank recently partnered with Microsoft Azure to develop a cloud-first strategy, which will include using Azure’s AI and data analytic capabilities to enhance and automate business processes as well as personalization of products and services. The first set of capabilities to move to Azure will be the bank’s trade finance systems, improving cross-border trade processes between the bank and its corporate and institutional clients.|
|Infrastructure as a Service (IaaS)|
|Enables firms to reduce their amount of physical hardware by contracting services for IT resources such as storage, capacity, network bandwidth, security technologies, and virtualization.||HSBC partnered with Google Cloud to move its legacy data warehouse to BigQuery, Google’s fully managed serverless data warehouse. By doing so, HSBC solved capacity and business constraints, focusing on innovation rather than managing infrastructure. It used the migration of its U.K. data center as a template and developed a tailored process for following migrations. Google’s Cloud solution offered flexibility, scalability, and agility.|
The trend toward outsourcing "as a service" combined with open banking and the use of application programming interface (API)-driven platforms, suggests that banking as a service (BaaS) may potentially evolve to become a new way for customers to conduct financial transactions. This would change the way in which customers interact with banks. BaaS provides banking products and services (such as loans, payments, deposits, or accounts) as a service using an existing licensed bank's regulated infrastructure with modern API-driven platforms (see chart 8).
BaaS gives customers access to fast, interactive, and engaging banking experiences. It also provides banks with new customers and some additional revenue streams, even if such revenues are so far less significant. BaaS is gaining momentum in the U.S., where we see it as particularly interesting for midsize and smaller banks , which have a greater need to gain scale or simply remain relevant for customers. For instance, earlier in 2020, Google announced partnerships with several banks to launch Google Plex through its Google Pay application, a new digital checking and savings account offering smart payment options, rewards, and financial management services. Google will provide the front-end, intuitive user experience and financial insight, while relying on the banks' existing infrastructure and regulatory compliance. Similarly, in Australia, major player Westpac has recently partnered with buy-now-pay-later firm Afterpay to offer banking products such as transaction accounts through a new BaaS platform.
BaaS nevertheless harbors some business risks. In the short term, we believe Big Techs will focus on becoming key IT vendors providing vertical solutions to banks, rather than becoming full-fledged banks. However, in time tech giants could leverage their power to dictate terms and pricing, as Apple has done with its digital wallet service, Apple Pay. In the longer run, BaaS could pose risks to banks' recognized brands and reputation, which could gradually be forgotten by customers as banks play a role in the back end, ultimately becoming invisible players. BaaS could also turn Big Techs into serious competitors to incumbent banks, as they would agglutinate banks' valuable customer data and could eventually use it to their advantage.
Banks' Cloud Strategies Could Impact Ratings
The comparative development of cloud strategies within different jurisdictions could impact our view of a banking system's competitive dynamics under our banking industry country risk assessment (BICRA) analysis. This is because increased shifts to the cloud can make banks more competitive through new products or new markets, and lead to improvements in efficiency and overall profitability. Regulators can also play a pivotal role in facilitating or inhibiting cloud developments by banks, also affecting our view of a system's industry risk. For the time being, we find it difficult to identify clearly leading and lagging banking systems when it comes to cloud adoption. While some jurisdictions face higher disruption risks related to technology, regulation, and customer preferences overall, cloud growth trends can vary greatly from bank to bank (see "The Future of Banking: Research By S&P Global Ratings," Sept. 14, 2020).
We see both opportunities and potential threats for banks that could impact our assessment of business and risk position of a bank's stand-alone credit profile (SACP). On the one hand, banks with more applications and data in the public cloud can offer more agile and flexible business models, and can easily scale costs up or down, as needed. Banks that use BaaS partnerships or that offer cloud services to corporate clients could also potentially benefit from more diversified sources of revenues, reduce their dependence on traditional revenue streams, and support revenue stability. All of these factors could have a positive impact our business position assessment.
On the other hand, as downside risks from the pandemic persist (see "Global Banks 2021 Outlook: Banks Will Face The Next Test Once Support Wanes," Nov. 17, 2020) and customer preferences shift toward a self-service digital model, banks are having to rethink their operating structures to maintain efficiency. This includes reducing their branch network and employee base and investing more heavily in IT. Certainly, there is room to trim bank branches further in many countries (see chart 9). As banks do so, we expect their commercial propositions to become more digital, requiring an increase in IT investment over the coming years. Technology and communication expenses of global rated banks that report such information have remained relatively stable over the past four years, according to S&P Global Market Intelligence, a division of S&P Global, as is S&P Global Ratings (see chart 10). At end-2019, these represented about 9% of total expenses. Not only do we expect to see a surge in technological expenses, we also anticipate that cloud developments will take a relevant portion of it. Banks that are better equipped to switch to digital will find it easier to preserve their efficiency in the short term, and benefit from cost-synergies in the medium term. Although efficiency gains will be limited over 2020-2022 across our global top 50 rated banks, some countries offer great room for improvement (see chart 11).
Another factor that can affect our assessment of banks' business positions is the way in which management teams implement the digitalization and cloud migration. Large banks with complex operations could face operational risks in case of mismanagement that could diminish our view of a bank's management team. While larger players have more resources to invest in cloud transformation, they may also face greater challenges to integrate their complex legacy environments in multiple business segments and geographies. Smaller players, such as regional banks or challengers, might find it easier if they invest wisely in the key enablers for a successful transition to the cloud.
Finally, increased cloud adoption comes along with security risks, such as cyber attacks, with the potential to rapidly increase banks' reputational risk, as well as risk of regulatory intervention or legal sanctions. Such was the case for Capital One Financial Corp., which suffered a data breach on its public cloud and compromised customers' social security and bank account numbers (see "Capital One Financial Corp.'s Data Breach Increases Reputational Risks, Although The Direct Costs Appear Manageable," July, 30, 2019). We believe cloud-based attacks may be more detrimental to credit ratings than those related to theft of customer data, because they have the potential to disrupt or inhibit operations for the whole enterprise (see "Cyber Risk In A New Era: Remedy First, Prevent Second," Sept. 17, 2020).
Digital designer: Tim Hellyer; Editor: Jennie Brookman
- Global Banks 2021 Outlook: Banks Will Face The Next Test Once Support Wanes, Nov. 17, 2020
- Cyber Risk In A New Era: Remedy First, Prevent Second, Sept. 17, 2020
- The Future of Banking: Research By S&P Global Ratings, Sept. 14, 2020
- Capital One Financial Corp.'s Data Breach Increases Reputational Risks, Although The Direct Costs Appear Manageable, July 30, 2019
- The Future Of Banking: Will Retail Banks Trip Over Tech Disruption? May 14, 2019
This report does not constitute a rating action.
|Primary Credit Analyst:||Miriam Fernandez, CFA, Madrid + 34917887232;|
|Secondary Contact:||Markus W Schmaus, Frankfurt + 49 693 399 9155;|
|Research Contributor:||Karim Kanj, Frankfurt + 49 69 3399 9109;|
No content (including ratings, credit-related analyses and data, valuations, model, software or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.
Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment and experience of the user, its management, employees, advisors and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.
To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw or suspend such acknowledgment at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.
S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain non-public information received in connection with each analytical process.
S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.standardandpoors.com (free of charge), and www.ratingsdirect.com and www.globalcreditportal.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.standardandpoors.com/usratingsfees.
Any Passwords/user IDs issued by S&P to users are single user-dedicated and may ONLY be used by the individual to whom they have been assigned. No sharing of passwords/user IDs and no simultaneous access via the same password/user ID is permitted. To reprint, translate, or use the data or information other than as provided herein, contact S&P Global Ratings, Client Services, 55 Water Street, New York, NY 10041; (1) 212-438-7280 or by e-mail to: firstname.lastname@example.org.