Concentration Risk of Banking on Public Cloud

Public cloud adoption in banks and financial institutions is increasing, especially since the beginning of the pandemic, when the public had to rely on digital banking and contactless payments. Further, higher COVID-related volatility in capital markets led to unprecedented trading volumes, prompting capital markets firms and trading venues to seriously consider public cloud (e.g., Nasdaq plans to move all its 28 markets to public cloud by 2030). In research conducted by the Economist Intelligence Unit (EIU) in 2021, 72% of the banking IT executives surveyed believed that cloud will help their organisations achieve their business objectives, and over 80% of them had a clear cloud adoption strategy.

Also increasing is the concern among financial industry regulators globally about what they see as growing levels of outsourcing of banking technology to a small number of public cloud providers. The risk arising from such dependence is referred to as concentration risk, and most regulators now consider it a major risk to the stability of regional and global financial systems.

At least for now, financial regulators are demonstrating a balanced, mature and outcome-driven approach to managing this risk, primarily because of the opportunities for competition, innovation and financial inclusion that public cloud offers. The situation may, however, evolve as the dependence on public cloud and the corresponding risk grow, requiring further oversight not just of the banks but also of the cloud service providers.

This blog discusses the key concerns financial regulators have around concentration risk, how this risk may be mitigated and what the future looks like for banking on public cloud from a regulatory perspective.

Why are the regulators worried?

Traditional concerns of regulators around security and resilience have largely been addressed. Under the shared responsibility model the provider secures the underlying infrastructure with controls most banks could not match on-premises, while a widespread public cloud footprint (multiple regions and availability zones) offers opportunities for greater resilience. The caveat is that the model only shifts responsibility for the lower layers: identity, access, configuration, encryption keys and data classification remain the bank's job, and most cloud incidents in practice stem from customer-side misconfiguration rather than provider compromise. With that settled, regulators are now turning their attention to concentration risk and to transparency in the operations of cloud service providers.

Concentration risk arises when a bank or a financial institution hosts all of its material business services with a single public cloud provider. It also arises when a large number of banks and financial institutions host their material business services on a limited number of public cloud offerings. Business services are considered material if their failure or disruption results in a systemic impact on a bank individually or on the financial system as a whole.

Concentration risk has consequences far beyond the resilience of cloud infrastructure. The following three scenarios alone are enough to keep regulators on edge. Each of them can lead to severe disruption of banking and finance if banks are locked in with a particular cloud provider and do not have sufficient capability or capacity in-house to run their material services off public cloud:

  • Big tech makes decisions that disadvantage banks. Cloud service providers may make commercial, technical and logistical decisions that do not favour banking and finance. Banking and finance is just one industry vertical utilising cloud services, and not necessarily the largest in terms of revenue for cloud providers.
  • Big tech thinks it is too big to fail. Cloud service providers may experience a Lehman moment, where they believe they are too big to fail and take risks that lead to their insolvency, causing disruption to all their customers, including banks. What makes this worse is that banking is a common service for every other industry, used in practically every business transaction no matter how big or small.
  • Geopolitical risks. All large cloud providers are headquartered in the United States except Alibaba, which is headquartered in China. If these governments pass legislation that does not align with the regulatory requirements of other jurisdictions, it may have geopolitical consequences.

If any of these scenarios occurs, regulators fear a stressed exit of banks from the public cloud. Without preparation for a stressed exit, banks risk serious disruption to their material services, which would result in loss of confidence in the regional and global financial systems.

What do the regulators want banks to do?

For the regulators, a bank outsourcing the hosting of its services to public cloud does not mean that it can outsource the responsibility and accountability for the uninterrupted operation of those services. Banks need to demonstrate that they can ensure business continuity should a catastrophic event force a stressed exit from their public cloud provider. This is in addition to fulfilling on public cloud all the regulatory requirements that apply to them, especially those related to security, resilience and data residency.

Banking's public cloud adoption has been most successful where regulators have avoided prescribing to banks how to fulfil regulatory requirements on public cloud. Here too, regulators should avoid being prescriptive about how banks mitigate cloud concentration risk. This requires defining measures of success by which banks can demonstrate that they have mitigated the risk. These may include stressed exit exercises that banks have to execute, end to end and on a realistic timescale, to demonstrate confidence in their strategies.

How can banks mitigate concentration risk?

Most banks adopting a public cloud strategy are looking at cloud portability across private, hybrid and multiple clouds. Traditionally this has been controversial because of the costs involved and the apprehension that applications may not be able to fully utilise the capabilities a cloud platform provides, especially when pursuing multi-cloud. However, cloud portability is currently the only viable approach to mitigating cloud concentration risk. The EIU research mentioned above suggests that over 80% of the banking IT executives surveyed think that multi-cloud will become a regulatory prerequisite for cloud adoption by banks.

Banks may want to invest in a platform that abstracts cloud-native capabilities from the applications that consume them, and in the long-lived evolution and governance of that platform as a product. Cloud portability then affects just the platform and not the applications that consume it. This is neither easy nor straightforward, but the investment provides applications with a unified way to consume common, business-agnostic cloud capabilities such as object storage, queues, secrets and key management. Business application development teams can then focus on application-specific and business-differentiating capabilities and features.

Where application development teams do need to consume cloud capabilities not yet in the platform, they should adopt architecture techniques such as hexagonal architecture (ports and adapters) to provide a similar level of decoupling: the application depends only on an interface it owns, and the provider-specific SDK calls live in an adapter behind it. At the same time, application development teams should engage with their technology governance function and platform teams to discuss assimilating these capabilities into the platform in the future.

Data egress from the public cloud is often cited as the key obstacle to cloud portability. Most public cloud providers charge for data egress, and the cost of moving data out during a stressed exit can become exorbitant for cloud-native banks. Banks can approach this challenge in the following ways:

  • Negotiate: Banks can negotiate with their cloud provider so that data egress for business continuity is not charged, or is charged at a lower rate.
  • Reduce: Banks should identify the information they critically need for regulatory, operational and business continuity purposes so that only that data is considered for egress. They may also consider compaction and compression to further reduce egress costs.
  • Increment: Periodically and incrementally backing up their data, either on-premises or to a different cloud provider, spreads egress cost over time, keeps the volume to be moved during a stressed exit small, and further enhances business continuity. The replica is only useful if its integrity is verified against the primary before it is needed.
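The following added example, which is not code from the original post, ties together the hexagonal architecture point made earlier and the incremental backup approach above. It defines a storage port owned by the application, two interchangeable adapters (in-memory stand-ins for two providers' SDKs, constructed for this example), an application service that depends only on the port, and an incremental, hash-verified replication routine that copies only objects missing or changed at the target and optionally restricts replication to the keys the bank has classified as critical. The account identifiers and statement contents are constructed sample data; `ObjectStorePort`, `StatementService` and `replicate_incremental` are hypothetical names.

```python
import hashlib
from abc import ABC, abstractmethod
from typing import Callable, Dict, Iterable, List, Optional, Tuple


class ObjectStorePort(ABC):
    """Port: the only storage contract application code is allowed to depend on.
    Provider SDK calls (S3, Blob, GCS, on-prem object store) live in adapters."""

    @abstractmethod
    def put(self, key: str, data: bytes) -> None: ...

    @abstractmethod
    def get(self, key: str) -> bytes: ...

    @abstractmethod
    def exists(self, key: str) -> bool: ...

    @abstractmethod
    def list_keys(self) -> Iterable[str]: ...


class InMemoryObjectStore(ObjectStorePort):
    """Adapter: a constructed stand-in for a provider SDK so the example runs offline.
    A real adapter would wrap the provider client here and nowhere else."""

    def __init__(self, provider_name: str) -> None:
        self.provider_name = provider_name
        self._objects: Dict[str, bytes] = {}

    def put(self, key: str, data: bytes) -> None:
        self._objects[key] = bytes(data)

    def get(self, key: str) -> bytes:
        return self._objects[key]

    def exists(self, key: str) -> bool:
        return key in self._objects

    def list_keys(self) -> Iterable[str]:
        return sorted(self._objects)


class StatementService:
    """Application code: knows the port, never the provider.
    Swapping the adapter (stressed exit) requires no change here."""

    def __init__(self, store: ObjectStorePort) -> None:
        self._store = store

    def archive_statement(self, account_id: str, period: str, content: bytes) -> str:
        key = f"statements/{account_id}/{period}.txt"
        self._store.put(key, content)
        return key

    def read_statement(self, key: str) -> bytes:
        return self._store.get(key)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def replicate_incremental(
    src: ObjectStorePort,
    dst: ObjectStorePort,
    keep: Optional[Callable[[str], bool]] = None,
) -> Tuple[int, int]:
    """Copy only objects that are missing or whose content hash differs at dst.
    `keep` restricts replication to keys classified as critical (the "Reduce" step).
    Returns (copied, skipped)."""
    copied = skipped = 0
    for key in src.list_keys():
        if keep is not None and not keep(key):
            continue
        data = src.get(key)
        if dst.exists(key) and sha256_hex(dst.get(key)) == sha256_hex(data):
            skipped += 1  # already current: no egress spent on it
            continue
        dst.put(key, data)
        copied += 1
    return copied, skipped


def verify_replica(src: ObjectStorePort, dst: ObjectStorePort) -> List[str]:
    """Return keys missing or differing at dst. An empty list means exit-ready."""
    return [
        key for key in src.list_keys()
        if not dst.exists(key) or sha256_hex(dst.get(key)) != sha256_hex(src.get(key))
    ]


def demo() -> Tuple[Tuple[int, int], Tuple[int, int], List[str], bool]:
    primary = InMemoryObjectStore("provider-a")
    secondary = InMemoryObjectStore("provider-b")
    service = StatementService(primary)
    # constructed sample data
    k1 = service.archive_statement("ACC-1001", "2023-01", b"opening 100.00 closing 250.00")
    service.archive_statement("ACC-1001", "2023-02", b"opening 250.00 closing 180.00")
    first = replicate_incremental(primary, secondary)     # everything is new: (2, 0)
    service.archive_statement("ACC-1002", "2023-02", b"opening 0.00 closing 75.00")
    second = replicate_incremental(primary, secondary)    # only the new object moves: (1, 2)
    drift = verify_replica(primary, secondary)            # [] when the replica is current
    # stressed exit: the same application code re-pointed at the second adapter
    exited = StatementService(secondary)
    readable = exited.read_statement(k1) == primary.get(k1)
    return first, second, drift, readable


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two properties the text asks for: the second replication pass copies one object and skips two, so egress is paid for each object once rather than on exit day, and `StatementService` is unchanged when the adapter behind it is swapped. In a real exercise the hashes would be recorded in a manifest so the verification step does not itself have to read every object back from the primary.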

What can the industry expect?

Regulators are moving ahead to bring regulatory oversight to cloud providers and big tech in order to ensure the resilience of financial services. The European Commission has published the Digital Operational Resilience Act (DORA), and UK regulators are hinting at regulatory oversight of public cloud providers. How successful the regulators will be remains to be seen, as big tech will challenge the jurisdiction of foreign regulators. Furthermore, big tech has historically regarded regulation as stifling innovation.

Big tech may have to collaborate with regulators in complying with these regulations rather than confronting them, just as the banks have in adopting public cloud. At the same time, banks and financial institutions may require public cloud providers to standardise the compliant consumption of cloud capabilities. The European Cloud User Coalition (ECUC) is a coalition of European banks that is jointly agreeing on the requirements for compliant public cloud usage by financial institutions in the EU. Together, the banks, cloud providers and regulators should develop outcome-driven approaches to minimise concentration risk and ensure regulatory compliance.

We may also see the unbundling of public cloud for financial services so that cloud providers can focus and limit regulatory scrutiny while still being able to innovate. Some may point to previous failed attempts by regulators to break up big tech firms; however, those were largely focused on antitrust rather than on achieving very specific outcomes. We may start seeing the emergence of public cloud offerings dedicated to financial services from the existing cloud providers, like the IBM Cloud for Financial Services. These may be easier to regulate in future while isolating the rest of the firm from the impact of regulatory oversight.

Conclusions

The role of public cloud in increasing competition and innovation in banking, and thereby financial inclusion, is undeniable. Regulators' concerns about concentration and resilience are also justified and need to be addressed. It is in the interest of banks, cloud providers and regulators to work together on achieving the outcomes of the regulations rather than being prescriptive about them. Innovation and compliance do not have to be in tension with one another.
