Long reads

How should banks grapple with regulation when crafting their cloud strategy?

Paige McNamee

Paige McNamee

Reporter, Finextra

Digital transformation is becoming further intertwined with cloud migration across financial services. The flexibility, scalability, security, and resilience that cloud environments offer are far superior and incomparable with their predecessors, and financial institutions across the board recognise this value. They appreciate that to compete with digital native competitors and continuously meet consumer expectations, adoption of cloud has become a non-negotiable.

However, navigating this transition is a challenging prospect, thanks to a regulatory landscape that sees frequent change and is highly varied from one jurisdiction to the next.

In conversation with experts from Microsoft, Lunar, and CGI, we explore the key challenges financial institutions are facing in this journey, and how partnering with experienced technology providers can be a true leg-up for incumbents and challengers alike.

Are financial institutions still reluctant toward shifting onto the cloud?

The Nordic neobank Lunar is a digitally native competitor with strong experience in the space. While the bank has been cloud native since day one – getting to this stage was no mean feat according to Sebastian Sommer Akselsen, head of Nordic infrastructure at Lunar.

The neobank spent a significant amount of time and effort in their quest for approval from the Danish Financial Supervisory Authority (FSA) to become the first regulated entity in Scandinavia to host their data in Amazon Web Services (AWS).

Akselsen observes that many Danish financial institutions wish to migrate to the cloud, but their efforts in recent years have been hampered for many reasons. Some of these may be the lack of knowledge of cloud services from the institutions themselves, others relate to understanding the regulatory framework when hosting data in the cloud. The lack of knowledge around what storing data in, and migrating data to the cloud really entails, along with this complex regulatory framework, is likely contributing to reluctance toward cloud uptake, he explains.

Also, financial institutions and incumbents meet challenges from regulatory entities due to the way they approach hosting data in the cloud. “This may be a result of the combination of lacking internal knowledge and capabilities of how to manage data, how to define the strategy for hosting and managing data, and how to build a cloud infrastructure that fulfils regulatory requirements.”

“Some other banks have tried to move their data to the cloud as we have done, and they've been rejected. We don't know why they've been rejected, but an assumption could be that it has something to do with the way they have chosen to approach security measures, the data they want to host, or how they want to host it.”

Furthermore, he explains that younger, more technologically agile institutions might have had an easier time with cloud regulations, as they do not have legacy systems, and the regulators “may see greater risks in tier one systemic banks migrating to the cloud, where millions of customers can be impacted.”

Ainsley Ward, VP business development, payments solutions, CGI, agrees with the challenge of education, stating: “One of the things that you find when you have a significant technology change, is that there's always a knowledge gap: there are people who understand what it is, but there are very few people that fully understand what is needed to reap the benefits from that technology change.”

“That's why we’re seeing rightful reticence - if you don't understand something, you probably shouldn't leap into it with both feet. The reticence may well be justified, but the benefits are so huge that people need to go through a knowledge transformation in order to completely understand the new cloud environment - so that they can capitalise on what are quite significant benefits.”

Marcus Martinez, financial services industry expert at Microsoft believes that one of the reasons incumbent financial institutions remain concerned about cloud adoption because these institutions are very conservative by nature. Yet, they now need to realise is that this concern is misplaced.

“Gone are the days where you have a relationship with a single bank, the reality today is that a large chunk of customers are multi-banked.”

Because of this shift (largely driven by open banking), Martinez explains regulators – the UK being a primary example – are now pushing the industry toward an unprecedented level of interoperability which makes adopting cloud capabilities a question of when rather than if.

The open banking landscape created  an entirely new ecosystem with new participants that now can access customer data from incumbents in a consent based and secure way. Banks which are not thinking “along the lines of having a scalable, secure cloud-based infrastructure, they’re really facing not only new risks but also missing opportunities to reinvent their business model for a new market dynamics that is based on multisided platforms.”

Ward notes that throughout his 20 years in the industry, he has seen a lot of new technologies introduced, and cloud platforms are just another form of technology. “It presents a better method for securely storing data in a more flexible,  way that allows you to pay for what you need rather than what you will eventually need.”

What are the regulatory pressures and concerns for financial institutions migrating their operations onto the cloud?

When shifting technologies, the ability to evidence strategy and prove strength of data protection is increasingly important in the digitised world of financial services. This is particularly the case under GDPR, where the onus lies on institutions to prove that they not only have understanding of the regulations, but that the material used to prove this is robust, accessible and secure.

Ward explains that this is another level of responsibility for financial institutions, adding that “the burden of proof naturally lies with those looking to reap the benefits of the cloud environment. That means that banks need to either grow to deliver that ability in house, or they need to work with vendors that can assist with the process and help provide the necessary evidence.”

Akselsen elaborates that a lot of the pressure being felt by financial institutions had come from the outsourcing regulations being seen in Europe. While complexities around multiple interpretations of outsourcing rules have been simplified with the unified approach under the EU’s Schrems II decision, there remains difficulty in agreeing to how data sharing and security will be negotiated between parties.

Akselsen argues that it can be challenging to get certain companies to acknowledge that when they begin to host this data at a cloud provider, it becomes their responsibility as a partner who host data in the cloud to meet the relevant regulations. 

“At Lunar we make it very clear to our potential partners what their obligations are as an outsourcing partner hosting data in the cloud. We expect them to take full responsibility of the cloud provider, including availability, security and data protection.”

The Nordic bank ensures that where personal data is involved, vendors aren’t granted access. This is done through encryption keys that aren’t accessible to the vendor.

When it comes to data responsibility, Martinez notes that data protection falls with both the financial institution and the provider – “we ensure that the data is localised in line with the customer’s business requirements, but also we give the tools to the customer to make sure that they can understand how to manage their data estates across jurisdictions. It is truly a partnership.”

Akselsen is comfortable working the larger cloud providers, as he explains that they are closer to understanding and better serving the complex regulations within financial services. There is a tricky balance being struck at present however, as the transition period toward full compliance with Schrems II requirements means providers are asking clients to take on more risk and liability.

“The regulatory changes, with Schrems II being the latest, continuously challenge regulated entities in how to host data in the cloud when global cloud providers are used. Aspects such as data encryption, segregation of data, location of support services and the like is currently of much discussion, and the global cloud providers are not fulfilling all aspects of the EU regulation yet,” comments Akselsen.

“If Lunar were not a cloud native company, I would see greater risks in this than perhaps we do. Third parties can be useful here not only as vendors for cloud hosting, but also to act as consultants to help build a compliant cloud infrastructure.”

Despite these challenges, Askelsen is adamant that the benefits of working with these providers far outweigh the risks.

On Schrems II regulation, Martinez furthers that rules around cross-border data transfers are becoming an even greater concern for regulators and global financial institutions : “At Microsoft we are developing  the EU Data boundary programme to meet these requirements and address the needs of our European customers regarding data localization commitments. I think that's a big thing and what we’ve seen is just the beginning.”

Ensuring the resilience of the cloud migration process explains the attention regulators are giving financial institutions and their data strategies at present. “The regulators are concerned with systemic risk in the industry as a whole, not necessarily at the institutional level only. Because every bank is making their own decisions around how to migrate to the cloud or how to use cloud technology, they want to ensure that this industry wide cloud adoption process is not creating any kind of systemic risks.”

However, for financial institutions, demonstrating the operational resilience of their migration and future cloud management strategies is not an easy process. Martinez adds that a large chunk of the legacy technology within large financial institutions is not cloud native. “It’s a very complex process, and banks must be able to provide evidence that their operational resilience plans are in place to handle any exemptions or disruption. These are very much specific to each institution.”

How do regulatory pressures impact cloud transition strategy?

Ward believes that training and partnerships are fundamental to managing regulatory pressures. Training key stakeholders is equally important as training tech employees, as whenever you’re addressing a knowledge gap, the more people who understand the better. Finding the right cloud provider as partner means looking for a player who can not only deliver a platform with strong security, but one with the right amount of experience in the game.

He argues that if you're learning to drive you don't consult someone who learnt to drive yesterday, you find experienced drivers who know how the roads work, who know all the different scenarios, and the impact of different weather types.

“It is exactly the same if you're looking for somebody that's going to guide you through what is a highly complex environment. The attack vectors into the cloud are very different from the ones into a traditional data centre. This is because in some ways with it being in an environment that is slightly more public, there is a potential risk of more exposure because your data is not fully in your control - you're actually entrusting it to somebody else.”

While the idea of entrusting this data to others might seem unnatural to banks, Ward furthers that it has been done before when they shifted toward outsourcing card systems: “It's the same leap of faith, but for some reason, because it has the mysterious ‘cloud’ word around it people don’t see it that way. A lot of it is about perception, but if you break it down into basic principles, it’s easy to rationalise.”

Martinez notes that financial institutions need to understand that this complexity is not going away. “What we have seen over the last 10 years is that the speed of innovation in financial services outstrips the capacity of regulators to create new regulations. My view is that it is critical for banks to rethink their data strategy if they want to manage regulatory change in an efficient and cost-effective way.”

He argues that a common data model should be adopted to take a practical, holistic view of how a customer is viewed by banks. The banks which do so will be in a position to “leverage technologies like AI and machine learning that are very advanced, can understand contexts, and even the meaning of specific paragraphs or specific legislations. To me that's the key for effective data use – AI should augment the compliance aspect of the bank.”

Echoing Akselsen’s comments around education, Martinez also believes that it’s imperative to engage with internal stakeholders about the business strategy.

While historically this type of infrastructure project would have remained strictly in the hands of the technology division, cloud adoption requires a fundamental shift to the management of data assets, it involves more stakeholders in the organization than would have been needed in the past.  

“Performing internal outreach and buy-in from people like the product owner on the business side, the chief risk officer within the bank, or the treasurer, to make sure that they fully understand that what these changes mean is essential to building a consistent message and transition plan.”

 Everyone across the financial institution must understand what is happening so that when the regulator has conversations with employees (as they frequently do), the same message is being delivered.

Why are cloud providers well positioned to assist financial institutions in their data compliance regimes?

The moving parts of cloud regulation present persistent problems for both financial institutions and cloud providers. Martinez lists multiple regulations including GDPR and its various interpretations across jurisdictions, it’s related court ruling such as the Schrems II, and the US’s cloud regulation differing from state to state.

“Every regime is different, and because cloud providers like ourselves are having these conversations in many different countries, we understand the global impact, and have the expertise and scale to manage those conversations in a way that a bank which is tied to a specific geography does not.”

On top of this, Martinez explains that by working with a cloud provider, financial services institutions unlock valuable resources to focus on designing the experience in a way which suits the specific needs of their customers.

With Microsoft Cloud for Financial Services for instance, “Every technology is already integrated into the platform in seamless way. This means that as a bank, you can invest less time trying to make the technology work and more time thinking about the experiences they want to create for their customers.”

“Cloud is one of our core businesses. 20 years ago, it would have made sense for banks to manage their own infrastructure. But today it's becoming a distraction and is economically unattractive. Also, when you consider the investment we make in infrastructure, security, talent – it’s really unmatched.”

Martinez furthers that banks should not be technology service providers, they should be banks, “but for historical reasons banks they have a very complex and old technology infrastructure. Because this is our core business, I think we are in a very good position to help them with their transition to this new reality.”

Akselsen explains that Lunar’s decision to partner with AWS from day one was because the bank perceives much greater upside than risks when it comes to hosting in the cloud.

“Scalability and security, we believe are much higher with one of the global cloud providers than with the alternatives. I would much rather be hosting my data and trust that AWS is more secure than some of the smaller cloud or on-premises solutions you can get.”

Additionally, the ability to scale in seconds using Azure, AWS, or Google was highly attractive to the neobank, whose growth projections and internal ambitions meant that the alternatives were not feasible. Akselsen adds that the alternatives to storing data in the cloud, were to use one of the local hosting providers, which uses racks in their own datacenter and not yet using cloud services. Whenever Lunar would need them to get something done its very expensive and slow.

“You can basically just sign up to Amazon with a credit card and you're good to go. The difference is just so significant, it's a completely different game.”

The story is the same with microservices, “as soon as we see that one of our services is starting to get pressured, we can set up a new instance and continue scaling. It gives us so much flexibility because our transaction volume, just over a single day or month is quite volatile.”

Akselsen concludes: “We perceive this as a must for the future. If the incumbents want to compete in the future financial market they also need to go down this path, and I think they need to get more knowledge of this internally. They could work with third parties to help them in setting their data strategy and the dialogues with the regulatory entities to ensure that they have a plan for storing data in the cloud meanwhile fulfilling regulatory requirements.”

Comments: (1)

Andrew Smith
Andrew Smith - RTGS & ClearBank - London 08 October, 2021, 16:23Be the first to give this comment the thumbs up 0 likes

There are some real basics that I still feel all but one Cloud provider struggle with to give a bank comfort. You have to take into consideration a few things, 

1. Where is my data at rest, where is it replicated?

2. What pathways are used for data in transit?

3. How is public internet infrastructure used by my Cloud provider

4, Does the Cloud provider meet the regulatory demands that could be placed on them (right to inspect for example). 

5. Does my Cloud provide have sufficient policies and processes in place to enable all of the above - and are they able to prove this at an audit

In my experience, only Azure meets all of these 5 points - and it is probably why Microsoft is doubling down with its extended Azure vision, financial services cloud (which is Azure with additional apps). 

It makes zero sense for a bank to operate "on-prem" anymore, there is no way they can compete with the investment made into availability/DR. performance, storage and security, let alone deliver on the flexibility and additional capabilities that cloud computing models brings. (Maybe Facebook needs to have a re-think too).