Banks have traditionally kept close control of their IT, supporting large in-house teams and, until recently, building their own datacentres. However, this is set to change as banks look closely at the opportunities and cost savings offered by cloud computing technologies.
Banks are reluctant to adopt public cloud technologies where computing resources are made available, usually on shared infrastructure, to multiple customers and accessed via the internet. But by contrast, there is growing interest in using private clouds (here computing resources are provided exclusively to the bank over a private network, rather than over the internet, and from behind the bank's firewall.
This is the number one concern of bank IT executives. Banks are reluctant to hand over control of business-critical functions to anyone, let alone public cloud providers.
Public cloud providers have identified this concern and both they and industry bodies such as the Cloud Security Alliance have sought to demonstrate a commitment to cloud security - in particular, through promoting their compliance with recognised security standards for outsourcing.
The outsourcing of business-critical functions by banks is subject, in most jurisdictions, to specific regulation.
In Europe, banks are required to comply with the Markets in Financial Instruments Directive (MiFID).
Banks that do outsource business-critical functions by placing them into a public cloud still need to retain the ability to assess, supervise and enforce provider performance, manage risks through appropriate contractual remedies, and maintain the security of and access to data.
As a result, banks are yet to commit such business-critical functions to the public cloud.
Banks need to store and process huge amounts of data, including proprietary confidential information and customers' personal data.
Public cloud services offer huge storage capacity and cheap processing power with the ability to ramp up processing power and find new capacity quickly during times of peak demand.
Yet the responsibility for such data placed by banks into a public cloud will usually not transfer to the public cloud provider on such placement, but will remain with the bank.
As a result, banks need public cloud providers to accept stringent data security obligations - something public cloud providers are reluctant to commit to.
Public clouds can be run from data centres located anywhere in the world. Public cloud providers use multiple data centres in multiple jurisdictions to meet capacity demands.
Yet the benefits offered by such flexibility - for example, allowing on-demand scalability by moving data from one datacentre to another - are often outweighed by the banks' need to ensure an adequate level of protection for transferring data and comply with their obligations under applicable data protection legislation.
The reliability or availability of public cloud services and the performance of those public cloud services is an issue for an industry that needs guaranteed real-time access to business-critical data and business-critical applications running when they need them.
Each well-publicised service failure by a public cloud provider reduces confidence in using a public cloud to run business critical applications or store business critical data.
Added to this is the lack of contractual remedies in a standard public cloud provider's agreement for service failures.
Intellectual property rights protection
Public clouds can offer bank IT departments cheap processing power for application development and testing and capacity for large-scale data storage.
But disputes over the ownership of the intellectual property rights in applications created and data stored in a public cloud can - and do - result if public cloud providers' standard agreements do not set out precisely who owns what intellectual property rights.
The banks and private clouds
Banks' reluctance to commit business-critical functions to the public cloud should not be read more widely as a reluctance to commit such functions to a private cloud.
Private clouds would seem to be the next logical step for banks, following the efforts they have been taking to virtualise their server farms to reduce hardware and lower energy and infrastructure costs and adopt software-as-a-service products, for example, for customer relationship management. However the following key issues need to be considered:
Banks need to decide what applications and data go into a private cloud and what applications and data it retains under its own control.
Where banks decide to use private cloud, stringent IT and data security obligations need to be put in place in the agreement with the private cloud provider to ensure that the bank can meet all its responsibilities.
The private cloud provider needs to put in place appropriate technical and organisational measures to protect the bank's applications and data.
All security measures need to be regularly reported on by the private cloud provider as part of the governance process and freely auditable by the bank and its regulators.
The service level agreement between the bank and the private cloud provider needs to set out, in detail, stringent availability and performance service levels and the bank's remedies where the private cloud provider fails to meet such service levels.
The bank and its regulators need unfettered access to audit the private cloud provider's performance of the outsourced services.
Banks need to be able to port data and applications easily into and out of a private cloud, between private clouds and, in the future, between private and public clouds as part of a hybrid cloud.
The agreement needs to place detailed obligations on private cloud providers to provide all necessary assistance with any such porting process and, where things go wrong, to fix the problem, rather than seeking to simply shift responsibility to the bank or another cloud provider.
How easy, technically, such portability is, of course, is another matter.
Intellectual property rights protection
Any agreement with a private cloud provider needs to clearly set out, and properly protect, the ownership rights of any intellectual property in the data or applications the bank intends to place into, or develop in, a private cloud.
Added to this will be the standard contractual protections for the bank against third-party intellectual property rights infringement.
Private clouds present lower barriers to adoption for banks. The legal and regulatory compliance risks are lower. But, where a third-party is building and delivering the private cloud, legal and regulatory compliance issues still remain for banks and need to be addressed, in detail, in the agreements between the banks and their service providers.
Banks need to consider all these factors in order to properly manage such risks, and before choosing whether to switch to a private cloud.
Martin Hayward is an associate in the technology, media and telecoms sector at international law firm Simmons & Simmons.
This was first published in October 2010