The European Cloud User Coalition has been established. What does this mean for banks?

Announced in late January 2021, the European Cloud User Coalition (ECUC) was established to promote consistency and enforcement of security standards for cloud use across the EU.  A smattering of European players including Allied Irish Bank, BAWAG Group, Belfius Bank, Commerzbank, Deutsche Börse, EFG Bank, Erste Group Bank, Euroclear, ING, KBC Bank, Swedbank and UniCredit have signed up to the ECUC and are participating in the initiative.

We contacted five of these financial institutions and all revealed that they were motivated to join the coalition, as reaching agreement with cloud service providers on a bilateral basis across technical standards, set up of services, data protection measures, and contractual clauses is a very time-consuming process.

Adoption of cloud by financial institutions across the board has exploded over the past five to 10 years. Yet, as is often the case with rapid technological advancements, it is increasingly apparent that regulation of the use of this technology has not quite kept pace nor managed to keep market domination out of the hands of big tech.

Financial institutions are directly impacted by cloud regulation (or lack thereof), with most already deeply committed and progressing in their digital transformation journey. Cloud is a fundamental part of this. By storing data in cloud platforms, financial players can increase efficiency exponentially while expanding and building-out their digital offering.

Collaboration for compliance must be bilateral

Beate Zwijnenberg, chief information security officer for ING, highlights that cloud service providers welcome a collaboration between members of the European financial industry to ease the adoption of their services and compliance with EU rules and regulations.

“With ECUC there is an efficient structure for defining and communicating this position and necessary requirements. It is also a forum to jointly assess strategies in the compliant use of public cloud platforms.”

She explains that in the EU, it is currently up to the individual institutions to agree upon technical standards, as well as setup services and meet contractual clauses. “We want consistent and off-the-shelf standards for the financial industry, for both current and upcoming cloud services.” These standards should in turn increase flexibility, decrease switching costs and reduce potential concentration risk.

The ECUC is likely to see support from the European Commission (EC), and members contacted by Finextra have confirmed that interaction with the EC is currently being established. The banks also noted that they do want to respect existing viewpoints in the space.

Is ISO 27071 no longer the gold standard?

While private clouds are already widely used across financial services, public cloud platforms are becoming increasingly transformative given their flexibility, scalability and resilience standards. The three largest public cloud providers: Amazon Web Services, Microsoft Azure and the Google Cloud Platform, already follow the International Organisation for Standardisation’s (ISO) ISO/IEC 27017 security standard for cloud service providers and users. It appears that compliance with this standard alone does not suffice.

In response to the European Commission’s consultation to digital financial services in August 2020, the ECB loudly bemoaned the absence of an EU challenger capable of taking on the might of Big Tech cloud providers specifically in the US.

"One important challenge in relation to digital finance will be to reassess the dependence of European financial service providers on non-EU providers of critical services and technical infrastructures (e.g. the “cloud”), while EU-based global players have struggled to emerge. This could lead to banks’ reliance on a few non-EU service providers and possible concentration issues at both entity and systemic levels."

Likely also playing a part is the desire to claw back some control of the market, at least to provide an opening for EU cloud providers to enter the market. Should the Commission be effective in requiring a “beefing up” of existing cloud security safeguards, monolithic providers may have to think carefully about their current dominant EU presence.

A billow of cloud strategies

Both Commerzbank and UniCredit have adopted a Multi-Cloud-Strategy. For the former, this means that the bank can work with different cloud service providers. On the other hand, Commerzbank takes a Cloud First approach, whereby the bank always verifies whether a system or application can be implemented in the cloud before adoption.

It appears that the urge to standardise cloud use has been a long journey for the German bank, with Bloomberg reporting in 2019 that the bank sent out invitations to a number of large European counterparts to come together to discuss adopting a unified front for managing cloud service providers.

At the time, Kerem Tomak, who led big data at Commerzbank reportedly said that adoption of standards would mean lenders have more leverage over cloud providers, and it would also ease the job of regulators who wouldn’t need to vet each individual contract. As of January 2021, Tomak is now global chief analytics officer for ING.

Swedbank’s Cloud First strategy uses different cloud services for different applications, the bank explains that it “sets high requirements if systems or applications can be implemented in the cloud, therefore, we appreciate functionalities such as an up-to-date technology stack and security levels.”

UniCredit’s approach to the multi-cloud strategy stems from the belief that cloud can enable innovation and reduce time to market. A spokesperson for the Italian bank explains that “depending on the use case, we use Software-as-a-Service (SaaS) for quick adoption of best practice solutions and other service models for Artificial Intelligence capabilities and infrastructure services.”

Erste Group Bank seeks to get the best of both worlds with its hybrid-cloud approach and is “gradually increasing usage of both private and public cloud depending on the concrete needs and local situation.”

A spokesperson for the bank furthers that it is “building up our capabilities for cloud orchestration and brokerage to be able to reap the full benefit of this approach. Investment in cloud-related capabilities is a key element of our progressive IT modernisation strategy, given the clear benefits of cloud adoption in terms of e.g. automation, flexibility and standardisation.”

ING applies a private cloud concept for most of its applications and services. Similarly to Swedbank, Zwijnenberg says that ING recognises the value of “the up-to-date technology stack, the security level as well as the resilience of the services and the bank is actively exploring opportunities.” In ING’s current context, public cloud is also consumed as part of some Software as a Service solutions.

What’s next on the cloud horizon?

We should expect an upcoming paper to be released by the ECUC during 2021, describing:

• the joint position of the members  
• application of security standards and best practices
• portability of systems
• how to approach exit strategy for use of cloud technology for European financial players.

Stating that the paper may also be “regarded as requirements for compliant public cloud usage” and will be reviewed with EU and Non-EU Cloud Service Providers, it’s clear that the coalition is optimistic their recommendations will be adopted as more than mere guidelines.

ING’s Zwijnenberg concludes that there are some challenging elements to this, which include the development of a widely accepted security framework by the EUCU members and the cloud provider industry. Also, the ongoing maintenance of that framework needs attention.

“ING would encourage some standardisation on cloud services provided in order to increase the exchangeability. This will increase competition and reduce potential concentration risk. This paper may also be regarded as requirements for compliant public cloud usage in the European financial industry.”

When asked whether the coalition will recommend that the security standards or best practices for cloud technologies it formulates should be formally adopted by EU regulators, the five banks responded (almost identically) that while the ECUC members certainly aspire for its published standards to become compliant with regulation, “regulation is independent” after all.