IFTTT: or what happens when banking finally hits the cloud

There is a whole bunch of really smart people in FinTech of which Leda Glyptis, Chris Skinner, Sam Maule and all the other gals and guys at 11:FS are just a few. While each has a mind of their own, what they do have in common is a deep-seated conviction that the banking industry isn’t doing a terribly good job of transforming itself and that the digitalisation of banking is just 1% done.

In a recent blog post, Sam Maule draws a compelling - albeit unlikely - analogy between Spanx foundational underwear and the absolute imperative for banking to work on overhauling its core so that it stops being sluggish, flabby and out-of-breath, and instead becomes a lean and agile purveyor of service equal to the demands of customers’ banking dreams through real-time cloud-based digital systems.

Sam's blog caught my eye because it came out just a few days after the European Central Bank and the Bank of England both issued some chastening comments about the use of third-party providers for key IT services (particularly in the area of cloud computing), giving forewarning of stricter standards to come in the form of minimum level of service provisions.

(Given the ongoing debacle at TSB, the timing of the Bank's comments won't come as a surprise to anyone...)

Now… here’s the thing: the ECB, the Bank of England and other international supervisors including the BIS, are increasingly concerned that the dominance of a small number of cloud vendors means that most firms are not in a strong position to negotiate appropriate contractual terms with their providers, which is creating unhealthy market asymmetry, concentration risk and heightened systemic vulnerability in the financial services industry.

This situation can leave banks caught between a rock and a hard place in relation to regulatory requirements about outsourcing, given the limited leverage they have with their cloud supplier - who is unregulated - to deliver service levels which are compliant with the regulations.

But… if banks finally start listening to Uncle Sam Maule and Co. and really engage in transforming their businesses by rehabilitating their core, then the reliance of the banking industry on cloud technology and third-party providers is only going to increase. Which means concentration risk increases, cyber risk increases and regulators start getting really antsy about systemic resilience and the eventuality of a catastrophic meltdown.

So… if we take as a reasonable assumption that banks will indeed see the light and move en masse and in earnest to the cloud – not because it is fashionable or supposedly cheaper, but because it is arguably the only technology architecture which matches the economics of their future business models and allows their entire businesses to be agile and scalable, not just their IT function; and if we continue to assume that keeping regulators and supervisors happy is a non-negotiable hygiene factor required to play at this banking game, then...

...the timing looks about right for banks to put their competitive differences to one side and band together to mutualize their negotiating power in favour of industry-wide standards in the area of best-practice cloud computing.

Because if individual banks lack the clout needed to demand changes to standard terms of service then it makes sense to join forces, with the aim of redressing the imbalance of power which is today too heavily loaded in favour of the big-name cloud providers, such as AWS.

This type of self-organizing industry mechanism already exists in the payment card sector, in the form of a contractual standard known as PCI DSS. The PCI Standard is mandated by the major card brands and is administered by the Payment Card Industry Security Standards Council.

The standard was created to increase controls around cardholder data to reduce credit card fraud. All entities, merchants and service providers which store, process, or transmit cardholder data must meet PCI DSS requirements. Requirements for certification vary depending on the number of transactions an entity processes, and the manner in which they are processed.

In simple terms, if you want to be a player in the payment credit card space, then these are the rules. Take them. Or leave them.

It’s another reasonable assumption to say that third-party cloud providers, no matter how dominant they currently are, will want the burgeoning business generated by the banking industry’s eventual move of its entire core infrastructure to the cloud. Now that the regulators are getting involved, the status quo is untenable into the long-term which means finding a way forward is a must for all parties.

While banks-as-competitors make for uneasy bed-fellows, banks-as-buying-units have an incentive to work together on collaboratively strengthening their negotiating power relative to tech and cloud providers, by uniting themselves into a collective standard-setting body: any third-party vendor who wants the banks’ business badly enough would need to adhere to a robust set of contractual provisions agreed at the industry level which address security management, policies, procedures, network architecture, software design and other critical protective measures intended to proactively protect the integrity of the bank’s business.

Whether or not the incentive is strong enough for the banks to coordinate such an initiative voluntarily is debatable. But a firmer nudge in the right direction from a stern-but-benevolent regulator could give just the right impetus to spur alignment between cloud providers and the banking industry, in order to put regulators’ minds at ease and for customers to finally get the service levels they need from the banks they deserve.

 


Anne Leslie-Bini

Associate Director

BearingPoint
