It is clear that Cloud is going to feature in banks’ IT landscapes. What is less clear is where it will feature, how it can be incorporated strategically, the risks presented to the organisation and the regulatory framework under which it will eventually operate. It is important that banks take the lead on this before they are eclipsed by other actors. Indeed, much has been written of the imperative for banks (and, for that matter, all businesses) to digitize their operations in order to compete with nimble new entrants and provide cost-effective, secure and customer-centric services. Everyone knows the theory. And, in theory, the cloud offers an all-encompassing solution to many of the most pressing challenges faced by banking institutions. It is:

  1. Cost effective. The cloud’s modular pay-on-demand model means that firms pay only for the hardware and software they use, reducing human and technical investment;
  2. Responsive. It is fully flexible and scalable, which gives organisations the opportunity to respond to market and customer needs; and
  3. Agile. Crucially, its standardised and adaptable format favours an agile approach, affording the integration of new technology.

In short, it offers cost-efficient innovation. However, in practice, when looking at cloud adoption across different industries, the banking sector is lagging towards the bottom of the table, with more than 70 per cent of institutions saying that their cloud projects are at initial or trial and testing stage.

Cloud computing is a perfect illustration of the ‘tension’ between innovation and regulation. While many banks have successfully used the cloud for non-core activities such as CRM, HR or financial accounting, cloud usage for core services is a very different story. Leaving aside the complexity of preparing for the migration of such systems and the translation of databases required, uncertainty about future regulatory demands is the main barrier for adoption.

International regulators have publicly recognised the benefits of the cloud for competition, innovation and economic development (regulators around the world are cloud users themselves!); nevertheless, the concentration of operational risk in the hands of three main cloud service providers (CSPs), Amazon, Google and Microsoft, allied to mounting cyber-risk, is understandably sounding the regulatory claxon. Furthermore, while banks own their IT estate and architecture, they cannot be sure they have priority in any change stack or outage situation. In a cloud environment, they cede this control to the CSP and (potentially) drop down a priority list that includes not only competitor banks, but government agencies and other “critical infrastructure providers” to the real economy.

This means that banks face what seems a recurring problem: managing differing local regulatory responses to a global issue. While the Bank of England is considering how to stress test the effects that potential discontinuation of service could have on customers, on the other side of the Atlantic, the Office of the Comptroller of the Currency has started to scrutinise banks’ relationships with cloud providers.

Of course, there is no silver bullet to this problem. Nonetheless, new problems do not always require a new solution. Firstly, early regulatory engagement is key. At this stage, the regulatory response is far from defined and firms must take advantage of the recent regulatory shift to a more outcome-based approach. In the UK, the autumn consultation on firms’ operational resilience presents an ideal opportunity to share industry concerns.

The industry has already pointed out that regulators are placing too much onus on traditional financial service firms when cloud providers, the ones holding vital information, are competing with banks for customers. This is where the regulatory perimeter may need redefining. In an attempt to protect customers, regulators could be inadvertently pushing them to purchase products from firms that are not under their watch (people are making payments through their Facebook messenger!). It is arguable that the sometimes opaque use of data by the main CSPs, accusations about the dissemination of misinformation and the potential consequences of a major cyber-attack make these firms as systemically important as big banks. Indeed, their global footprint requires intervention from the G20 before the system is irreparably damaged. Too big to be hacked?

Secondly, and despite the compliance challenges, those that wait for a clearer regulatory framework to upgrade to the cloud will lose competitive advantage. In order to move from their initial or testing phase, organisations need a comprehensive, regulatory-aware cloud strategy. While many institutions have pockets of cloud deployment, a disjointed approach is only likely to add further layers of complexity and therefore hamper its secure management. Only institutions with a well-defined operating model, setting out where cloud will and will not feature, will be able to understand what sort of capabilities and talent they need to execute their plan and deal with the scarcity of professionals with the right set of skills to implement and simultaneously mitigate transition risk. The risk and compliance functions will need to step into a strategic role in the cloud migration journey.

Cloud implementation adds to the controls challenge many organisations are experiencing. The increasing range of operational risks that financial institutions face, allied to the introduction of personal accountability, have resulted in an explosion in the volume and scope of controls. Many have found that established control processes have not been designed to accommodate some of the more progressive technologies of today, cloud migration being a case in point. Indeed, transitioning core services and data to the cloud has become an unenviable management task, with both operational and personal risk considerations stalling progress. First and foremost, risk mitigation begins with the establishment of an effective governance framework, augmented by an analytics-driven execution risk analysis to enable informed decision-making for accountable executives. While the mitigation of risk is a crucial consideration, failure to act could result in greater long-term challenges derived from both legacy system resilience and ceding competitive advantage to competitors.

As the interconnectedness of different industries and the use of third parties continues to grow, we are likely to engage in similar debates often. However, some of the business practices we have been advocating for the last decade, such as robust programme planning, effective risk management and a more agile controls environment, are still valid despite the mounting complexity firms face.