Cloud regulation: Resilience and reducing cloud-risk

José Manuel Pérez Bajo

Head of Banking Platforms and Cloud Banking, NTT DATA

Cloud computing has revolutionised the way almost all businesses operate, and organisations within the banking and financial services industry are no exception. In recent years, more and more banks have begun a journey towards the cloud in order to access its many benefits, such as cost savings, efficiency, innovation, agility and improved data analytics.

Today, it seems clear that the future of banking is in the cloud, and therefore, banks that do not make the transition risk falling behind their competitors. This risk seems even more heightened by the increasingly fierce competition established banks are facing from up-and-coming fintechs.

As well as offering numerous benefits, however, cloud computing in banking and the financial sector also brings with it a lot of regulatory concerns. One such concern is the cloud’s inherent centralisation and interconnectedness. These are part of what makes the benefits it offers possible, as economies of scale enable cost and efficiency savings. However, they also raise the risk of a domino effect in the event of a failure, and this is especially worrying given the increase in cyber-attacks over the last year.

In addition, the dominance of the cloud market by a small number of American hyper-scalers, such as Amazon, Microsoft, and Google, is a cause for concern, particularly for European policy-makers concerned with data sovereignty. Their control of the cloud space gives these companies a tremendous amount of power and leverage. Regulators also see a number of other issues as particularly pressing. One is a possible diffusion of responsibility in the current model, because it is not always clear which actors can be held accountable for what. Another is data protection, which is tied to the concerns already mentioned.

On the other hand, it must be noted that there are also some potential security advantages to using the cloud, both in the banking and financial services (BFS) industry and more broadly. The scale of operations of cloud providers allows them to roll out significant resilience measures that would not be practical for an individual bank to implement on its own. These measures could include multiple layers of security, such as firewalls, intrusion detection systems, and encryption. By centralising data and applications in the cloud, banks can reduce the number of potential attack vectors and make it easier to monitor and defend against attacks.

The concerns I have discussed have elicited a lot of effort from regulatory authorities in recent years. In the United Kingdom, for example, the Financial Conduct Authority (FCA) and the Bank of England’s Prudential Regulation Authority (PRA) have recently introduced rules and issued guidance to encourage resilience and ensure that cloud-related risks to the financial system are minimised. Another example is Ofcom, the UK’s telecommunications regulator, which earlier this year kick-started a process of reviewing whether Microsoft, Amazon and Google’s dominance of the UK’s cloud market hinders innovation.

Similar efforts are taking place in Europe. The Digital Operations Resilience Act (DORA) was recently adopted by the European Council with the intention of making the financial sector less vulnerable. One of DORA’s main areas of focus is the cloud. Additionally, there is an ongoing and ambitious initiative, Gaia-X, aiming to tackle issues of cloud and data sovereignty. Only time will tell how successful it will be in doing so.

Ultimately, the picture around cloud computing in the banking and financial services sector is complicated. A move towards the cloud seems to be inevitable and even has the potential to minimise cyber-attacks on banks and financial institutions. On the other hand, it also raises the possibility that a successful attack could cause greater damage. To ensure a smooth transition to the cloud and maximise its benefits, it is vital that there is trust and cooperation between banking institutions, cloud providers, delivery partners and regulatory authorities.
