Regulators’ concerns over resilience and security could slow cloud adoption in financial services



The pace of cloud adoption in financial services could slow significantly unless the industry finds a way to address regulatory concerns about the resiliency and security of vendor-offered platforms.

This is one of the most striking statements in the Association for Financial Markets in Europe (AFME) report Building resilience in the clouds, which was compiled with the help of consulting firm Protiviti and features contributions and insights from cloud users across the financial services industry.

The report states that although “the use of the cloud and cloud service providers [CSPs] offers a significant improvement in resilience and security compared to banks’ on-premises environments,” regulators remain concerned about the security and resiliency of the public cloud.

In response to these concerns, some companies have pursued a multi-cloud strategy, in which their data and applications reside in environments operated by multiple CSPs, and others have taken steps to ensure that they can shift their workloads to an alternative platform if necessary.

However, the report suggests that such measures are not enough to appease regulators, who fear technical hurdles prevent companies from removing their data from the cloud of a preferred provider. It also suggests that multi-cloud setups could end up reducing a company’s overall resiliency, rather than improving it.

“As banks increase cloud migration and seek to identify appropriate solutions, there are concerns that portability and multi-cloud recommendations to achieve the outcomes that regulators are seeking will introduce further limitations to adoption,” the report says.

“Portability poses significant technical limitations and a loss of the differentiated advantages of the cloud as a mechanism for increasing resiliency.”

On this point, the report cites an example where a bank may have difficulty accessing its data in the event of a “stressed exit” from a CSP platform if, for example, the service provider in question goes bankrupt.

The report continues, “Multi-cloud strategies, although used for contingency and resiliency, are primarily adopted to access single services across CSPs. While multi-cloud can reduce concentration risk to some extent, the technical, process and resource complexity required to support multiple CSPs can result in decreased overall resiliency.”

For these reasons, neither portability nor multi-cloud should be “considered appropriate or mandated as primary mechanisms to address regulatory concerns about cloud resilience and risks,” the report said.

It then makes four recommendations on how, with additional support from policymakers, regulators and CSPs, financial services can ensure they migrate to the cloud in a safer and more resilient manner.

These recommendations include advising CSPs to provide banks and other financial institutions with the information they need to compare exit planning procedures for their respective platforms, and to present them in a common format.

CSPs also need to be more transparent about their security testing, recovery and restoration capabilities, and this information needs to be made more readily available to regulators and end users, the report says.

Other recommendations include ensuring that there is “regional and global alignment on cloud resilience and risk expectations” and that “cross-border data flows and storage in the cloud” are encouraged, in the interest of preventing the emergence of additional regulatory and technical barriers that could segment the adoption of cloud services at the regional level.

“We believe these recommendations provide practical guidance for building the trust, confidence, transparency and capacity of cloud services in capital markets as adoption increases,” the report said.

The report gives way to a round table

The report’s release coincided with a panel discussion at the AFME Virtual Conference on European Capital Markets Technology and Innovation, which was attended by representatives from Barclays Bank, Standard Chartered Bank, Google and Protiviti.

Cloud adoption in the financial services industry has accelerated significantly in recent years, following the release of various guidance documents that have detailed the steps these highly regulated entities need to take to ensure that their off-site move is carried out in a safe, secure and resilient manner.

At the same time, pillars of the financial industry have found themselves under increasing pressure to reorganize and digitally transform their offerings due to changing customer expectations, as demand for online and mobile support services has snowballed.

Many disruptive startups have also entered the market, resulting in increased pressure on incumbents to adopt technologies and ways of working that will make it easier for them to respond to changing market conditions and competitive threats, including the move to the cloud.

On this point, Steve Hooper, panelist and head of Barclays Bank’s cloud center of excellence, praised the improvements in business agility that its move off-site has made and the difference it made to the company’s capacity to overcome the Covid-19 pandemic.

Barclays is in the midst of a multi-year, multi-cloud and enterprise-wide migration of its IT infrastructure, with Hooper confirming that the company has a mix of private and public cloud stacks at the base of its operations.

“We have 100 services generally available to enforcement teams across the Barclays domain, and we deploy heavy workloads on our public and private offerings, with heavy workloads in a number of regulatory jurisdictions,” he said.

“This has allowed us to respond quickly to unexpected changes like Covid and the challenges it has posed, and a number of the cloud technologies and services we offer have been critical to our ability to respond to issues like call center uptime and to allow our staff to securely access call center capability.

“The lockdowns in different countries and different areas resulted in customers, who would normally go to branches and have face-to-face operations, moving more to [using] our digital or call center channels.”

Hooper added, “It’s fair to say that we would have struggled a lot without our ability to leverage the agility and capacity of the cloud to make these services available quickly.”

As regulators have given financial services firms the green light to use the cloud, and major industry players – such as Barclays – talk about the benefits of using the technology, concerns persist about the growing dependence of the financial services community on a relatively small number of public cloud computing companies.

As previously reported by Computer Weekly, the Bank of England’s financial policy committee raised the idea in July 2021 of introducing additional policy measures to mitigate “financial security risks” posed by the financial services community’s over-reliance on a handful of suppliers.

“The growing dependence on a small number of CSPs and other critical third parties could increase financial stability risks without greater direct regulatory oversight of the resilience of the services they provide,” said a report published by the committee at the time.

Standard Chartered Bank’s Global Head of Cloud and DevOps, Sebastian Wedeniwski, took advantage of the session to detail how his company – which is present in 59 markets in Europe, Middle East and Africa (EMEA) – has negotiated the transition to the cloud since starting its journey in 2013 with AWS.

During this time, the company’s use of the cloud went through three distinct phases, starting with a set of experimental proof-of-concept work that primarily focused on utilizing the computational capabilities of AWS in order to assess the risk of using the cloud. It has also expanded its public cloud partners to include Microsoft Azure over time.

“This work has allowed us to learn many lessons, in terms of requirements, resilience and operations,” said Wedeniwski.

The second phase of Standard Chartered’s cloud migration was about what needed to be done to move its first 15 applications to the cloud, and the third phase was to take what Wedeniwski called a “cloud factory” approach to evolve the company’s off-site ambitions.

This, in turn, gave way to the company’s announcement of a formalized five-year cloud-focused strategy for 2020. public cloud,” he added. “And, of course, all new apps are built natively for the cloud.”

The company now has more than 60 applications running in the public cloud, across multiple regions, as a result of this work.

But having come to this point, Wedeniwski said, the company is now focused on meeting the resilience expectations of regulators, including the Prudential Regulation Authority, as it strives to shift its workloads off-site even further.

“The goal for the next four years is to bring 75% of all workloads to the cloud,” he said. “This is where we are now. I can say that every workload we have moved to the cloud is a success and brings business value.

“Still, we work closely with cloud service providers and not all of the services we need for resilience are always available in all regions. Then there are regulations [in other countries] where we also need to consider the data requirements and the requirements of the failover scenarios etc. But that’s where we are and it’s a huge achievement for us.”

