Banks have been implementing cloud infrastructure for certain low-risk functions since nearly the technology’s inception. Many banks, however, have shied away from implementing core transaction processing on Cloud infrastructure. But that has been changing in very recent times. In just the past few years banks had already begun to migrate more business-critical and transactional processing to the cloud, and the Covid-19 pandemic accelerated plans across the financial industry.
In a July 2021 Financial Stability Report produced by the Bank of England, they cited that, while cloud computing for banks could sometimes be more reliable than a 100% self-hosting of servers, they had concern about the increasing adoption of public cloud services in the financial industry being provided by only a small number of very large providers. While the overall topic of the report is the Bank of England Financial Policy Committee’s view on the stability of the UK financial system, a section highlighted what the committee perceived as a threat based on its view that big providers could dictate terms and conditions – as well as prices – to key financial firms and that banks’ growing reliance on cloud computing could pose a risk to financial stability as a whole without far stricter oversight.
A large part of the concern the committee came away with is that a small group of large providers shifts the balance of power to the providers’ side and lets them dictate the terms to the whole industry – essentially a lack of capitalism. One concern is that Cloud doesn’t offer valid levels of third-party scrutiny.
In a press conference on the report, Governor of the Bank of England since 16 March 2020, Andrew Bailey (no relation to George Bailey, I presume) said that the financial institution Cloud model “has been developed in quite an opaque and closed fashion.” He went on to say that he understood why and wouldn’t want people “publishing how this thing works in great detail.” While he understands the need to prevent hackers from being handed a guidebook, he sees the need to balance that with more assurance that cloud providers are meeting the levels of resilience that the financial system needs.
What’s this Mean for Banks?
In the press conference the committee was careful not to imply that banks and financial institutions should not move to, or the financial industry should decelerate its move to the cloud. Sam Woods, Deputy Governor Of The Bank of England and Head of the Prudential Regulation Authority, specifically mentioned” …it is not our view that that is a bad thing.” He added that for banks, the Cloud can bring benefits in efficiency and even resilience to cyber-attack.
So, for IT leaders at financial organizations planning a full or partial migration to the Cloud, what do you do with this information? Take it on face value and use a few simple precautionary measures to mitigate the risks.
Familiarize yourself with the regulations and check any potential provider’s compliance. A good place to start is any regulatory body that has oversight in your country. In the US one would be the Office of the Comptroller of the Currency. In the U.S. for example, the overseeing authority is the OCC, a federal agency that oversees the execution of laws relating to national banks. They, along with the other Federal Financial Institutions Examination Council (FFIEC) members, released a report back in April of 2020 (well before the BoE’s report) that, among other things, highlights risk management practices and controls for the safe use of cloud computing for the services financial services sector.
If you’re working with a purchasing department or 3rd party procurement contractor, they most likely already have a process like this in place. If not, you can build the information gathering into your RFI, RFQ, or RFP. Most importantly, all the precautions, reliability, and performance details the above information provides need to be incorporated into your contract with the provider.
As organizations in the financial system flock to the cloud for more and more of their core business and transactions, the Bank of England and others, have raised concerns about the finite marketplace of cloud providers. But, with a little planning and the proper monitoring and management tools in place, financial organizations can mitigate the risks the BoE cited and get full advantage of the benefits of cloud migration.