The cloud oligopoly, regulation, and the collaboration conundrum in the financial ecosystem

Madhvi Mavadiya

Head of Content, Finextra

Consumers are evolving. They now expect the same agile customer experience from their financial services providers that they are offered elsewhere by other industries.

Searching for ways to optimise the digital experience for customers, financial institutions have been leveraging the elasticity, flexibility, and cost-effectiveness of cloud computing. The technology is now central to digital transformation strategy in financial services today.

UK regulators have also taken an active step in ensuring that operational resilience and business continuity guidelines are put in place so that incumbent financial players remain accountable for their use of emerging technology, especially in times of economic distress such as during the Covid-19 pandemic.

However, these frameworks also allow financial institutions to remain on an equal footing to fintech firms, the latter having been established to address consumer dissatisfaction.

What does the future hold for cloud in the UK?

Partnering with technology-savvy organisations helps financial institutions eliminate the heavy lifting that takes up precious time and resource, allowing for focus on innovation. Further, it is evident that cloud adoption is accelerating, and multi-cloud has become the new normal, because seamless integration is desired and required to meet consumer expectations.

The public vs. private debate has ended; in the same way that financial institutions are no longer required to choose between public and private cloud, they are not beholden to pick AWS, Google Cloud, Microsoft Azure or Oracle for all workloads anymore.

With public cloud providers now offering private cloud fabrics, there are better tools to operate a hybrid of the two with a multi-cloud approach. This allows banks, building societies, capital markets firms and insurance firms to collaborate with regulators, cloud providers, and systems integrators to create competitive offerings for customers.

This collaboration is integral to customer satisfaction and retention. Financial institutions continue to provide their services under the framework set out by regulators, whilst cloud provider services are leveraged with the utilisation of platforms offered by systems integrators. This unity of digital transformation of financial services can help drive the creation of tailored customer services in an agile manner.

However, in most cases, partnerships can result in the relinquishing of control and financial institutions that are reliant on the cloud oligopoly are put at risk, as the services offered by larger cloud providers could be shut down without notice or could be subject to external threats.

On this five-pronged approach, cloud infrastructure services, the trusted partnerships that stem from outsourcing arrangements, and what the future holds for cloud in the UK, Finextra spoke to:

  • Sudhir Chopade, chief technology officer, GGM, Cognizant;
  • Daniel Meere, head of BFS consulting, UKI, Cognizant;
  • Roland Emmans, head of technology sector for HSBC UK commercial banking; and
  • Orlando Fernández Ruiz, senior technical specialist, governance, remuneration and controls team, prudential policy, Bank of England.

What comes after the tipping point of technology?

With evolving customer needs, regulators implementing mutually beneficial frameworks to ensure there is a level playing field between financial institutions and fintech firms and, all the while, Covid-19 increasing organisations’ cost pressure, the financial services sector has been pushed over the tipping point of technology.

In March 2021, the PRA issued a policy statement with the FCA and the Bank of England on ‘Outsourcing and third party risk management,’ clarifying the PRA’s approach to regulatory framework areas such as governance, risk management, business continuity planning and the management of outsourced relationships.

In this statement, the PRA has embraced the notion of third-party risk and all types of third-party dependencies, rather than solely looking at outsourcing arrangements. This is timely because across industries, organisations have accelerated the digitisation of customer and supply-chain communication and internal operations by three to four years.

Further, according to recent research, the share of digital products and services in their portfolios has accelerated by a staggering seven years. The pandemic established a unique operational and business environment, advocating a large-scale shift to remote working and digital channels in a short space of time. This also allowed cloud – a flexible, scalable, high capacity, and cost-efficient infrastructure – to come to the fore.

Investment into cloud is set to increase. Chopade comments that “we were only seeing five to 8% of production transaction workloads fully migrated to cloud, but the last 12 months have significantly impacted this and many enterprises now have ambitious plans to increase this to 50 to 60% over a 12–18-month period.”

Meere highlights that as consumer expectations of financial services are now driven by what they experience from other industries, where cloud’s high capacity is being leveraged to store vast amounts of data, financial institutions must “cloudify more of their operations to be able to deliver against customer expectations,” he says.

On an operational level, as data is stored on a cloud provider’s server, financial institutions “no longer need as much office space, which means they no longer need as many people as before, so their operating model fundamentally changes, and you get a lot more remote delivery. Changes to the financial services operating models are greatly enabled by cloud.”

Validating that partnerships are crucial and ecosystem players must work together to tackle these problems, Emmans states that “cloud will be vital to the way we all work in the future.”

Further, “the cloud is a fundamental part of providing efficient and effective remote working tools and this will be essential as businesses get themselves tomorrow ready. The compute power of the cloud will also be vital in the development of data processing as businesses increasingly become aware of the power of the data they hold.”

“Improving data analysis and measurement will support the evolution of businesses as they strive to provide better products and services and the best customer service,” Emmans adds.

Ruiz provides a similar view, agreeing that there is anecdotal evidence that cloud usage by financial institutions has increased rapidly in the UK, particularly in their response to the Covid-19 pandemic and the shift to a mass remote working environment.

However, Ruiz elucidates that “cloud is quite strategically pivotal in that it provides the underlying IT infrastructure that we need to rely on to leverage other technology solutions like artificial intelligence or big data analytics.

“There are undeniable benefits from an operational resilience perspective. If cloud services are appropriately configured and overseen, they can typically provide stronger resilience than the traditional on-premises IT infrastructure that many firms have relied on historically.”

He adds that while there are clear benefits for adoption, there are risks that stem from the technological complexity of cloud that is amplified by a shortage of relevant skills and resources in some financial institutions.

Therefore, regulators in this area must enforce a supervisory framework to “keep pace with technology transformation, which is a challenge, because of rapid evolution, but in the end, that is what we are fundamentally aiming for.”

The benefits of partnering with the tech-savvy

Technology is not a core competency for financial institutions but is the true accelerator in their journey towards innovation.

Sourcing better-placed partners to collaborate with could help traditional financial players balance cost, agility, innovation and deliver to market at a faster rate. However, all five ecosystem players should understand that technologies such as the cloud are merely platforms, or providers of infrastructure-as-a-service, not plug-and-play business strategies.

Using the fintech industry as an example, Meere states that in many ways traditional financial institutions are looking to learn from their “dynamic” nature and the way in which “they know instantly what the customer wants and respond to it.”

Meere adds: “Some of that is because they have smaller customer bases, and they affect fewer customers when they change. Some of that is because they just have a different mindset. There is a real advantage to financial institutions in being able to absorb some of that culture and outsource some tasks that would take banks a long time and cost to deliver.”

Historically, legacy players dismissed fintech firms and were on a mission to either acquire or annihilate them. Today, as they look to partner with tech-savvy companies, both parties must understand the risks associated with outsourcing. While financial institutions are regulated entities, fintech firms must also operate with standards in mind.  

Chopade believes that this may result in conflict: “Innovation cannot be outsourced, and financial institutions must understand relevance and the fact that fintechs are not only part of the ecosystem but are also competing with them.

“However, financial institutions talk about ‘cloud-first’ platforms, but just embarking on cloud is not going to provide innovation, flexibility or even a cost benefit, unless there is a cultural change within the organisation.”

Technical debt, knowledge debt, operational debt, service debt, mindset shift

Organisations with aging infrastructure are still struggling with technical debt, the implied cost of additional rework caused by choosing an easy solution instead of using a better approach that may take longer. In addition to this, many who still believe the misconceptions surrounding cloud may not have the foundational infrastructure to support cloud migration, or the time or resource.

As a starting point, a mindset shift needs to occur. As Meere says, financial institutions need to realise “that I’m going to be providing services to customers, but actually someone else provides that service to me.”

On one hand, while you may have the advantage of scale, lower cost, flexibility and agility, there is a reduction in the control that is exerted over services, and yet, financial institutions must still be regulated for use of them. By using cloud, financial institutions are truly putting customers first, as Chopade explains.

“Interoperability and portability are extremely important as your applications can be connected, integrated, or even expose a datapoint. While we talk about open APIs, interoperability and portability require a different mindset. The customer life journey must be considered to offer ‘financial-services-as-a-service’.”

However, debates have arisen around the subject of interoperability, portability, and the cloud, covering how financial institutions, to remain agile and innovative, must relinquish control to their trusted partners, but remain responsible and accountable for the services that are being provided to their customers by these third parties.

What happens when a cloud provider decides to arbitrarily turn off their services? Should financial institutions be comfortable with this loss of control? Should the risk be spread across all ecosystem players? What is the risk of being reliant on a cloud oligopoly?

Ruiz provides the regulator’s perspective. “One of the core principles in the existing regulatory regime around outsourcing of facilities management firms is that they cannot outsource responsibility or accountability to a provider.”

He continues: “Firms will have to implement appropriate governance and controls to oversee the delivery of any service, or utilise the new PRA operational resilience framework, which is not an entirely new study, but brings together initiatives like operational risk management and business continuity.”

Relinquishing control, remaining responsible and accountable

Cloud infrastructure is forcing financial services executives to think about not owning their own infrastructure, relinquishing an element of control, and being encouraged to work to a service level dictated by an outsider.

Meere agrees with Ruiz’s point and explores how regulators are continuously making the point that relinquishing control does not mean outsourcing the accountability. Banks “can control the outcomes by their own performance and create an environment where all constituent parts can work together to deliver the right outcome.”

The industry is still in the testing phase when it comes to cloud, or only non-critical activities have been moved to cloud infrastructure.

Ruiz explains that new policies have considered contingency planning and exit strategies in a technology-agnostic manner, and the PRA expects any third party to deliver and maintain a business continuity plan in the event of an operational disruption.

“This means that third parties would have to look for alternative mechanisms of continuing to provide important business services and minimise the risk of disruption, with a real emphasis on a stress test.”

He continues to say that while, in the event of disruption, financial institutions may be able to move workloads to other cloud providers leveraging the multi-cloud approach or bring workloads on-premises in a timely manner, they must “think ahead, develop playbooks and test them wherever possible. If the situation arises where financial institutions must make difficult choices, there is a level of preparation that is required, and this idea of testing underpins operational resilience.”

When considering a controlled multi-cloud approach, Chopade continues to say that there are many more elements at play among the five entities: the financial institution, the cloud provider, the systems integrator, the regulator, and the customer, as discussed earlier.

“Today, there is no common, controlled architectural principle. Where the cloud providers are providing the technology and regulatory authorities are providing the framework, how can a financial institution play itself into the cloud ecosystem, without duplicating, replicating, or creating more obstacles to cloud migration? Financial institutions must collaborate to create a common framework, that is the next step.”

Emmans also brings it back to the consumer. “Essential to this question is how consumers want to run their lives in the future. While we are seeing some Big Tech using their own methodology to build whole ecosystems through one platform, interoperability remains an issue.”

Using video conferencing as an example, Emmans continues to say that “there are many players and many platforms, but they don’t all operate well together. I would expect to see increased efforts to implement ‘front ends’ that sit over these platforms that are intuitive and user friendly and give the consumer an overall view.

“Alongside this we see greater awareness from consumers and corporates of data privacy and data security. Regulators will play an even more important role in the future as governments identify how they regulate Big Tech to protect their citizens, this is something that is being welcomed in many areas.

“While we are all comfortable accepting cookie disclaimers when we visit websites at the moment, in the future this could be replaced with a more overarching statement with greater regulatory input and control,” Emmans says.

Summarising, Meere adds: “Historically, financial institutions have created and managed their own infrastructures. Now that is happening less and less. The regulator is also moving towards the cloud and is also thinking about how it enables cloud to deliver its data requirements.

“As all these financial institutions move towards the same endpoint of a cloud enabled infrastructure, what is the opportunity for them to collaborate, rather than compete?” Meere asks.

Regulators are keeping a close eye on cloud infrastructure services

In the UK, whereas the Prudential Regulatory Authority (PRA) focuses on the security and resilience of the overall banking system and the Financial Conduct Authority (FCA) looks at the impact on customers, their treatment and access, an increasing number of regulatory bodies agree that movement towards cloud is beneficial for all.

Where regulators are concerned, they require the assurance that as banks move towards an ecosystem model, where they own and operate less, and consume more externally sourced services, they have implemented the right governance and control to ensure that they have the same level of security, integrity, and resilience within their systems.

As Ruiz states, regulators are solution agnostic and “to prescribe a multi-vendor strategy as a one-size fits all model would be counterproductive for a number of reasons.” For instance, if two providers are running concurrently, in-house teams need to be sufficiently skilled to oversee each of those providers, or duplicate resource if necessary.

A lack of transferability and interoperability can also compound costs unnecessarily. Further, in the same way that several cloud providers can be utilised, there is a spectrum of resiliency options that need to be considered in the frame of portability also, as different availability zones can be an advantage in times of regional disruption.

Ruiz adds: “Five to 10 years from now, technology may develop to make processes a little easier so firms should keep an eye out for best practices and emerging initiatives that can strengthen their resilience, but there is never going to be a static discussion.”

It is evident that UK regulators are efficient and keep pace with the evolution of technology and of course, the fintech industry. As Meere says, “regulators have to strike that balance between the organisations that are non-regulated and those that are regulated so they can see what’s coming next. What the fintechs are doing now, the larger banks will do next.”

In addition to this, as Chopade outlines, the Big Tech hyper-scaling cloud providers are also “delivering every single day. With new changes being deployed rapidly, how can a bank continuously consume without disrupting normal operations? A multi-cloud framework needs to be created to resolve this too.”

In early 2020, the European Insurance and Occupational Pensions Authority (EIOPA) identified the need to develop a specific framework on outsourcing to cloud service providers, in the context of the analysis performed to answer the European Commission Fintech Action plan and following discussions and exchanges with stakeholders.

Referencing these guidelines, Chopade mentions that these are the framework components that should be applied as compliance requirements. “The EIOPA are just making it explicit, and perhaps the mechanism will be different.” Meere agrees that this is needed.

“The risk is that banks are moving at different paces, without a framework and without standards in place. The job of regulation becomes even more difficult because there is no benchmark to assess banks against. This allows banks to come together and collaborate on a framework that works for all entities.

“The regulators in the UK have moved from rules-based to principles-based regulation, so they're keen to set out the broad brushstrokes. And then for organisations to interpret that against their own business models, which makes a lot of sense, it provides room for manoeuvre, but can sometimes mean that the lines get blurred.

“I think the framework is absolutely necessary and it should be welcomed, and if people are able to agree on how they implement it, then I think you'll find it be more successful,” Meere believes.

Advice for creating a common, agnostic architecture

Technology must become more of a strategic ambition for financial institutions, and technologies such as cloud must lie at the heart of any organisation’s plans.

Emmans explores how, while traditionally the CIO has “focused on the data risk side of technology, leading on data security and privacy and the tools required, the CTO is focussed on ‘keeping the lights on’ as well as having one eye on the strategic objectives of the business and future innovations.”

Emmans adds: “With such importance put on these roles I would expect them to become more granular and more clearly defined in the future. I particularly expect to see this when it comes to responsibilities relating to business transformation and shaping the overall future strategy of a business.”

For financial institutions wanting to migrate operations and workloads to cloud, Chopade says that it is a question of ‘hand-holding.’ He says: “How do you hand hold someone to get on that journey and make that journey a success? There are three elements: technology, culture and people.”

Chopade goes on to say that “while multiple financial institutions should collaborate, this is an opportunity for the future. For a single financial institution to make their cloud transformation a success and to really adopt the cloud. It starts with:

  1. Creating a common architecture and an agnostic framework, which is not isolated to one public or private environment.
  2. Defining the blueprint and the transformation path, questioning what the current landscape looks like and how heterogeneous the technology is from an application perspective.
  3. Implementing an auditing process in case of eventualities.”

As a concluding comment, Meere adds that: “Collaboration with cloud providers, systems integrators and regulators stops financial institutions from opening themselves up to more risk and deliver products that is best for the customer, not best for the financial institution.”

Comments: (1)

Andrew Smith - RTGS & ClearBank - London, 16 April, 2021, 11:39

Great read. A few points that I think may be a little misleading in there however....

A regulated institution cannot relinquish accountability and must have control in place at all times. Moving to the Cloud does not mean you are relinquishing control or accountability at all, in many ways you are able to gain greater levels of control and your internal governance and processes should ensure / prove that. As for accountability, this can never be shifted.

The PRA position on outsourcing has remained pretty consistent, and though Cloud is being adopted by all banks in some form, the issues of dependencies, third parties, PPT, control and accountability haven't changed much, nor do they need to.

I would also state that the chances of one of the big providers having to withdraw a service / "shut down" as you put it is simply never going to happen. There is no scenario or risk of this whatsoever. Likewise external threats are larger when NOT using the cloud, as too are internal threats and areas of resiliency.

There are many challenges for Cloud providers to meet the needs of the financial services sector, and to be frank, my experience is that only a few can actually meet all the requirements. Microsoft Azure have a number of FCA amendments and are even launching what they call their "financial cloud" services within Azure. Others like AWS have caught up and can provide the comfort levels and control that regulated businesses must have. But, and it is a big BUT, most haven't. As a CTO/CIO in a bank you must challenge things like right to inspect, data residency, data in flight paths, granular levels of security, access, authentication, true resiliency, collaboration regarding fighting cybercrime, private connectivity and many other aspects. As I say, when you get into the real detail there are few providers who meet all of your needs and therefore your regulatory obligations.