In the financial services industry, banks can no longer operate in the digital world without cloud technology. Adoption of the cloud has many organisations shifting focus from on-premise solutions to cloud models due to its flexibility, reliability and security. The cloud also removes the burden of maintaining and updating systems, allowing banks to invest time, money and resources into core business strategies with the utilisation of real-time access to data.

However, as banks become increasingly reliant on cloud, questions around concentration risk have been raised by the likes of the Financial Conduct Authority and the Bank of England. With no contingencies in place for disaster scenarios, cloud outages can cause serious, long-term problems.  Finextra takes a deep dive into why regulators and central banks are concerned about cloud concentration risk, its perceived risk to financial stability, the solutions legislation can offer and the benefits of multi-cloud.

What is cloud concentration risk?

Cloud concentration risk can be defined as when a bank’s overreliance on one cloud service provider presents operational risks and creates financial stability risks on a regional or global scale. Concentration risk also emerges if a number of banks have key operational or market infrastructure capabilities running on one cloud service provider.

As it stands, the cloud services network is concentrated with Amazon Web Services, Google Cloud and Microsoft Azure leading the pack. It could be argued that cloud services is a difficult game to get into. Comparably smaller providers and even those with solid and robust offerings, like IBM and Oracle, are picking up steam but struggle to compete on an equal level.

With a renewed interest in operational resilience because of the COVID-19 pandemic, global regulators are ramping up their evaluation of the shared responsibility model and considering whether the bank or the cloud service provider is responsible for events that put financial stability at risk.

In conversation with Finextra, Omar Bashir, principal consultant at Thoughtworks, explored the different forms of concentration risk. 

The first risk identified by Bashir is the initial move of putting all of your data and services onto the cloud, rather than in physical data centers. Data centers have their own sets of risks, but in order to keep pace in a dynamic business environment, ignoring cloud is no longer an option for financial services.

“If there is an issue with the cloud provider, then a number of financial institutions that are on that cloud provider get impacted, which can then impact the financial stability within a region or globally.” Bashir also pointed out that most cloud providers are headquartered in the US, further concentrating the risk. He added that this poses “a geopolitical concentration risk for cloud. If, for instance, the US decides to place legal or regulatory bounds on those cloud providers, that will have implications for cloud users in the EU and other parts of the world.”

This transition has been easier for neobanks. Gary Delooze, chief information officer at Nationwide, observed that these smaller banks “don't have the legacy, 50 years of technology that's been built in data centers. They have a nice, clean piece of paper to start with. And if you're starting from now, everything you build would be cloud based.”

Overdependence on cloud with limited or no fallback raises the question of what happens when a cloud provider becomes insolvent. Bashir mentioned that there are already some examples of smaller cloud providers becoming insolvent, which resulted in data loss (e.g., e2e in the UK and Nirvanix in the US). Currently, there isn’t any formal plan, outside that of individual institutions, over what needs to happen if a cloud provider becomes insolvent.

Adding to this is the issue of operational transparency within the cloud, what providers are doing with said data and where they are holding and processing it in the layers of abstraction that the cloud provides.

Bashir commented: “Behind the scenes, under the layers of abstraction, cloud providers may or may not decide to change the format of the data or store it in the way they seem fit for their infrastructure or for their platform.” This means that in the case of a potential insolvency, while data could be accessed, it may not be in a format that is usable to customers.”

This is a concern shared by Delooze: “What I think has been worrying for regulators this time is that we’re outsourcing where we’re putting that data, we’re outsourcing into the cloud. We’re putting it into someone else’s infrastructure, into their data centers. For the regulators this is understandably concerning, if we’re putting everything into data centers and it disappears, they’re not held to the same standards as we are. This becomes a problem.”

Jason Maude, chief technology advocate at Starling Bank’s view is a little different. He believes that “there are risks but I don’t think they are particularly large.” He went on to explain that “if something went wrong with a cloud provider, that would be very impactful. However, the probability of that happening seems very unlikely.”

Overall, these risks boil down to two key points: transparency and resilience. If cloud is concentrated in just a few players, how do we ensure that these data centers are secured? How and where is data stored and processed, and what is the plan when something goes wrong?

How can cloud concentration risk be resolved with legislation?

One part of the solution for concentration risk could come in the form of legislation. Many data related regulations are already in place, however, there are fewer mitigating risks around cloud resiliency or backup related mandates. The European Cloud User Coalition (ECUC) and the PRA have released position papers and supervisory statements, respectively.

The PRA’s supervisory statement focuses on outsourcing and third-party management, and the burden appears to largely fall onto firms themselves. This is contrasted with the ECUC, which places the majority of the responsibility on the cloud service providers.

Within their position paper, the ECUC covers a range of requirements for cloud services including privacy, security, backup functionality, high availability and disaster recovery. The aim of the paper seems largely to overcome older legislation and encourage the wider adoption of cloud computing. 

In 2019, the European Banking Authority (EBA) also released general outsourcing guidelines, inclusive of cloud. These guidelines place the data responsibility on the individual institutions, similar to the PRA. The EBA’s detailed guidelines focus on the responsibility of the institutions to ensure data is protected within the cloud.

On the ECUC, Maude commented: “I think they’re trying to set up the conditions to create a European cloud provider, which is really hard because the reason Amazon, Google, and Microsoft are the three biggest cloud providers is because they have a huge amount of technical know-how.”

Bashir commented on the aims of this legislation: “What the regulators are probably thinking now is, will there be a Lehman moment, where a cloud provider has become more adventurous and taken risks that can lead them in a direction where they are failing and risking the financial system that is reliant on them.”

Legislation can clearly provide plenty of expectations for what the future of cloud will be, but this is only the beginning. Legislation will always lag slightly behind technology and innovation, which means that the onus to create resilience and disaster proofing becomes that of the banks and financial institutions.

Is multi-cloud a viable solution?

Legislative bodies are attempting to do their part to make the cloud resilient, but in the meantime, there are several techniques financial institutions can apply to make their cloud strategy ‘disaster proof.’

On this, Maude pointed to the need for stringent disaster testing, similar to simulation for regional outages. However, the overwhelming consensus from those that Finextra interviewed was that a multi-cloud strategy would be the key in creating resilience for the long-term. A recent IBM study saw single cloud, private or public usage drop from 29% to 3%.

Maude reiterated this: “Most banks will have to move to a multi-cloud solution or a cloud neutral solution, where they can operate on multiple different cloud providers simultaneously.”

Some banks remained cautious over this technique. Shubhanga Prasad, director of strategy, product and technology at OakNorth said: “There are risks associated with being multi-cloud as well, because while we’re talking about edge computing and related functionalities, these are still nascent technologies. For your service that’s on Azure to be speaking to AWS, customers can start experiencing latency and it can impact customer experience. The perceived risk of AWS going down, versus us having to invest in Azure or Google Cloud, the balance is more towards AWS being more safe.”

Prasad explored OakNorth’s strategy stating: “To date, we have found that we don’t necessarily need to look at multi-cloud. We have multiple locations with the same cloud provider as a back-up plan.'' Whether there is a need for an altogether separate multi-cloud is a debate many technologists are having, according to Prasad. However, he does acknowledge that multi-cloud is the future, as “the progress in edge computing will enable cloud to cloud communications to be far more effective.”

Ian Haynes, global head of cloud services at HSBC has a positive outlook for multi-cloud: “Both cloud technology and the regulatory environment continue to evolve. Innovation can be achieved in many ways, from using cutting edge data science and machine learning, delivering improved functionality and increased automation, to cost reductions from faster deployment and more efficient use of scalability. Public cloud offers financial services institutions the ability to architect for resilience in a way that is not possible for on-premises technology.”

Despite this positivity over the future of multi-cloud, the question of regulation of data on the cloud remains. However, the answer to this may come in part to the consideration of cloud as a utility. Delooze explains, “if you go back 200 years ago, people generated their own electricity. We don't generate our own electricity anymore. Everybody adopts a grid or taps into the grid. Equally, we first started building computers, and then people built their own computers, now we all buy them from a provider or lease CPU time on a server somewhere.

“The general trend over time is to move from very specific technologies to utilities. Cloud is a utility. It's a provision of capacity. It's a provision of service. And as the industry is maturing, I see more and more organisations moving to cloud, and more and more of the utility kind of computing model becoming the standard model.”

Bashir concluded: “If cloud has to become a utility, then it may at some point in the future have to be treated like a utility, and governed like a utility, facilitating convenient switching between the providers, like other utilities. That will also address key regulatory concerns and enhance cloud's potential in continuing to provide the financial services industry a platform for innovation, competition and growth leading to financial inclusion and prosperity for millions.”