Regulator concerns about resilience and security could slow cloud adoption in financial services

Report by Association for Financial Markets In Europe highlights the pressure financial services firms face as they seek to balance the need for innovation with regulatory requirements

The pace of cloud adoption in the financial services space could be dampened markedly unless the sector can find a way to address regulatory concerns about the resilience and security of the platforms offered by providers.

That is one of the standout statements in the Association for Financial Markets In Europe’s (AFME) Building resilience in the clouds report, which was compiled with assistance from consultancy firm Protiviti and features contributions and insights from cloud users from across the financial services sector.

The report states that although “the use of cloud and cloud service providers [CSPs] offers a significant uplift in resilience and security compared to banks’ on-premise environments”, regulators remain concerned about the security and resilience of the public cloud.

In response to such concerns, some firms have pursued a multi-cloud strategy, whereby their data and applications reside within environments operated by multiple CSPs, and others have taken steps to ensure they can port their workloads to an alternative platform if needed.

However, the report suggests such measures are not quite enough to appease regulators, who fear technical barriers could prevent firms from pulling their data out of a preferred provider’s cloud. It also suggests multi-cloud setups could end up lowering a firm’s overall resilience, rather than enhancing it.

“While banks increase migration to the cloud and seek to identify the appropriate solutions, there are concerns that recommendations towards portability and multi-cloud to achieve outcomes sought by regulators will introduce further limitations on adoption,” says the report.

“Portability poses significant technical limitations and a loss of differentiated cloud benefits as a mechanism for increasing resilience.”

On this point, the report cites an example whereby a bank may struggle to access its data in the event of a “stressed exit” from a CSP’s platform if, for example, the provider in question goes out of business.

The report continues: “Multi-cloud strategies, while used for contingency and resilience, are primarily adopted for accessing unique services across CSPs. While multi-cloud can reduce concentration risk to some extent, the technical, process and resource complexity needed to support multiple CSPs can lead to decreased resilience overall.”

For these reasons, neither portability nor multi-cloud should be “viewed as appropriate or mandated as primary mechanisms to address regulatory concerns regarding cloud resilience and risk”, says the report.

It goes on to make four recommendations about how, with additional support from policymakers, regulators and CSPs, financial services can ensure they are moving to the cloud in a safer, more resilient way.

These recommendations include advising CSPs to provide banks and other financial institutions with the information they need to compare the exit-planning procedures for their respective platforms, and present this in a common format.

CSPs also need to be more transparent about their security testing, recovery and restoration capabilities, and this information needs to be made more readily available to regulators and end-users, says the report.

Other recommendations include making sure there is a “regional and global alignment on cloud resilience and risk expectations” and that “cloud cross-border data flows and storage” are encouraged in the interests of preventing additional regulatory and technical barriers cropping up that could segment the adoption of cloud services regionally.

“We believe these recommendations provide practical guidance for building further confidence, trust, transparency and capability in cloud services within capital markets as adoption increases,” says the report.

Report gives way to panel discussion

The report’s publication coincided with a roundtable at AFME’s European Capital Markets Technology and Innovation Virtual Conference, whose participants included representatives from Barclays Bank, Standard Chartered Bank, Google and Protiviti.

Cloud adoption within the financial services sector has markedly picked up in recent years, following the publication of various pieces of guidance that have detailed the steps these highly regulated entities need to take to ensure their move off-premise is conducted in a safe, secure and resilient way.

At the same time, the financial sector’s stalwarts have found themselves under growing pressure to revamp and digitally transform their offerings because of changing customer expectations, as the demand for online and mobile banking services has snowballed.

A raft of disruptive startups have also entered the market, which has seen pressure piled on the incumbents to embrace technologies and ways of working that will make it easier for them to respond to changing market conditions and competitive threats, which includes moving to the cloud.

On this point, panel participant and head of Barclays Bank’s cloud centre of excellence, Steve Hooper, hailed the business agility improvements that its move off-premise has brought about, and the difference it has made to the firm’s ability to weather the Covid-19 pandemic.

Barclays is in the midst of a multi-year, multi-cloud and enterprise-wide migration of its IT estate, with Hooper confirming that the company has a mix of private and public cloud stacks underpinning its operations.

“We have 100 services generally available to application teams across the Barclays estate, and we are deploying material workloads across both our public and private offerings, with material workloads in a number of regulatory jurisdictions,” he said.

“This has allowed us to rapidly respond to unexpected changes like Covid and the challenges that placed, and a number of the cloud technologies and services that we offer were pivotal to our ability to respond to issues like call centre availability and allowing our staff to access call centre capability safely.

“Lockdowns in different countries and different areas resulted in customers who would normally go into branches and have face-to-face operations, moving more towards [using] our digital or call centre channels.”

Hooper added: “It’s fair to say we would have struggled greatly without our ability to exploit cloud agility and capacity to make those services available rapidly.”

While regulators have given the green light for financial services firms to use cloud, and the sector’s major players – such as Barclays – talk up the benefits of using the technology, concerns persist about the financial services community’s growing reliance on a relatively small number of public cloud firms.

As previously reported by Computer Weekly, the Bank of England’s Financial Policy Committee mooted the idea in July 2021 of introducing additional policy measures to mitigate the “financial security risks” posed by the financial services community’s over-reliance on a handful of suppliers.

“The increasing reliance on a small number of CSPs and other critical third parties could increase financial stability risks without greater direct regulatory oversight of the resilience of the services they provide,” a report published by the committee said at the time.

Standard Chartered Bank’s global head of cloud and DevOps, Sebastian Wedeniwski, used the session to detail how his firm – which has a presence in 59 markets across Europe, the Middle East and Africa (EMEA) – has negotiated the move to cloud since starting out on its journey in 2013 with AWS.

In that time, the company’s use of cloud has gone through three distinct phases, starting with an experimental, proof-of-concept set of work that focused primarily on using AWS’s compute capabilities so it could assess the risk of using cloud. It has also broadened out its public cloud partners to include Microsoft Azure over time.

“This work gave us a lot of lessons learned, in terms of requirements, how we should do resiliency, and operations,” said Wedeniwski.

Phase two of Standard Chartered’s cloud migration was concerned with what needed to be done to move its first 15 applications to the cloud, and the third phase involved taking what Wedeniwski referred to as a “cloud factory” approach to scaling up the company’s off-premise ambitions.

This, in turn, gave way to the company announcing a formalised, five-year, cloud-first strategy in 2020. “This is the board and whole management team now working to bring 50% of our core banking systems and trading systems into the public cloud,” he added. “And, of course, all new applications are built natively for the cloud.”

The company now has more than 60 applications running in the public cloud, across multiple regions, as a result of this work.

But having got to this point, said Wedeniwski, the company now has a “huge focus” on meeting the resiliency expectations of regulators, including the Prudential Regulation Authority, as it works to shift even more of its workloads off-premise.

“The target for the next four years is to get 75% of all workloads into the cloud,” he said. “This is where we are right now. I can say that every workload we moved to the cloud is a success and brings business value.

“Nevertheless, we are working closely with the cloud service providers and not all services that we need for resilience are always available in all regions. Then there are regulations [in other countries] where we also have to consider data requirements and also the requirements of failover scenarios, etc. But this is where we are and it’s a huge success story for us.”
