Balance the regulatory risk of cloud concentration with the reward of innovation
Regardless of business size and composition, most financial institutions have realized how cloud and multi-cloud IT services can benefit them. There are cost advantages in terms of scale, deployment of new services and innovation. There are security and resiliency benefits that can be difficult and expensive to replicate on-premises, especially for smaller institutions trying to keep pace with rapidly changing standards. And there is geographic access to new markets – from China to Canada – that require the deployment of local systems in the country under new sovereignty laws.
However, as the industry continues to embrace cloud services, regulators are increasingly aware of the challenges associated with cloud computing, particularly those that could expose financial institutions to systemic risks that could compromise financial system stability. The Financial Stability Board (FSB) and the European Banking Authority have urged regulators around the world to review their supervisory frameworks to ensure that different types of cloud computing activities are fully considered in the guidelines for the industry.
At the same time, public cloud provider outages have refuted the “never fail” paradigm, and there are growing calls for increased due diligence regarding cybersecurity risks. This is causing regulators to also focus on cloud concentration risks, because of the potential peril created when the technology that underpins global financial services relies on so few large cloud service providers.
So how do financial institutions balance the risk versus the reward of the cloud?
Understand the risk
The concern about infrastructure concentration and consolidation is twofold. The first is the systemic risk of having too many global banking services concentrated on so few public cloud platforms. Historically, this problem did not exist because each bank operated its own on-premises infrastructure. Failure in a data center has always been limited to a single player in the market.
The second is the vulnerability of individual institutions, including many smaller institutions, that outsource critical banking infrastructure and services to a few solution providers. These software-as-a-service “hyperscalers” also tend to run on a single cloud platform, creating cascading problems across thousands of institutions in the event of an outage.
In either case, performance, availability, and security concerns motivate regulators who fear that a provider outage, caused internally or by external bad actors, could cripple the financial systems under their jurisdiction.
For financial services companies, the stakes of service disruption at a single cloud service provider (CSP) increase exponentially as they begin to run more of their critical functions in the public cloud.
So far, regulators have offered financial institutions warnings and guidance rather than enacting new regulations, although they are increasingly working to ensure the industry considers plans, such as “cloud exit strategies”, to mitigate the risk of service disruptions and their repercussions on the entire financial system.
The FSB first raised official public concern about cloud concentration risk in an advisory published in 2019, and has since sought input from industry and the public to inform a policy approach. However, the authorities are currently studying the extension of the regulations, which could mean action as early as 2022. The European Commission has published a legislative proposal on digital operational resilience aimed at harmonizing existing digital governance rules in financial services, including testing, information sharing and information risk management standards. The European Securities and Markets Authority warned in September 2021 of the risks of “high concentration” among cloud computing service providers, suggesting that “requirements may need to be imposed” to ensure business, industry and whole-system resilience.
Similarly, the Bank of England’s Financial Policy Committee said it believes that additional measures are necessary “to mitigate risks to financial stability arising from the concentration in the provision of certain third-party services.” These measures could include designating certain third-party service providers as “critical”, introducing new oversight of public cloud providers, setting resilience standards, and regular resilience testing. They are also exploring controls over employment and contractors, much as energy and utility companies do today.
To get ahead of regulators, steps must be taken to address the underlying issues.
From hybrid to multicloud
Given the existing banking ecosystem, full cloud adoption is extremely rare. While they wish they could act like challengers and neobanks, many of the largest and most tech-advanced banks and financial services companies have embraced a hybrid cloud architecture – connecting on-site data centers to cloud-based services – as the backbone of an overall business strategy. Smaller regional and national institutions, while not officially adopting a cloud-centric mindset, are beginning to explore the benefits of cloud services by working with cloud-based SaaS providers through their existing ISVs and systems integrators.
In these scenarios, some functions are performed in on-premises legacy data centers and others, such as mobile banking or payment processing, are operated from cloud environments, providing the benefits of speed and scalability.
The shift to a hybrid approach was itself an evolution. First, financial institutions placed non-essential applications in a single public cloud provider to test its capabilities. Some have pursued deployments across multiple cloud providers to handle different tasks, while maintaining robust on-premises backend systems, both to partner with public cloud deployments and to power core services.
While a hybrid approach using one or two separate cloud providers works for now, the next logical step (taken by many fintech startups) is to fully embrace the cloud and eventually a multi-cloud approach that moves completely away from on-site infrastructure.
Solving Cloud Concentration Risks
Recent outages at major public cloud providers remind us that no matter how many data centers they operate, single cloud providers remain vulnerable to weaknesses created by the complexity of their own network and the interconnectivity between sites. Disruptions vary in severity, but when an institution relies on a single cloud service provider, it exposes its business to the risk of potential service shocks from that organization’s technical dependencies.
By distributing data across multiple clouds, institutions can improve high availability and application resiliency without sacrificing latency. This allows financial services companies to distribute their data in a single cluster across Azure, AWS, and Google Cloud while also distributing it across the multiple regions available on these CSPs.
This is especially relevant for financial services companies that need to comply with data sovereignty requirements, but have limited deployment options due to poor regional coverage on their primary cloud provider. In some cases, only one region of the country is available, which makes users particularly vulnerable to cloud service interruptions.
Go beyond regulations
Beyond the looming regulatory issues, there are a number of practical business and technology limitations of a one-size-fits-all cloud approach that the industry must address to truly future-proof its infrastructure.
Geographic constraints: Not all cloud service providers operate in all business regions, and the availability of local cloud solutions is becoming increasingly important as more countries adopt data sovereignty and residency laws designed to govern how data is collected, stored and used locally.
Vendor lock-in: There is a business risk in placing all of an institution’s bets on a single cloud vendor. The greater the integration with a single cloud provider, the more difficult it becomes to negotiate the cost of cloud services or consider switching to another provider.
Security consistency: While CSPs invest heavily in security features, in the event of an infrastructure collapse or cyberattack, a multi-cloud environment can give organizations the flexibility to switch vendors and back up and protect their data.
Feature limitations: Cloud service providers develop new features asynchronously. Some excel in specific areas of functionality and constantly innovate, while others focus on a different set of core capabilities. By limiting deployments to a single cloud service provider, institutions limit their access to the best features of the cloud.
With increasing pressure from regulators at the same time as consumers increasingly demand premium product experiences from financial services institutions, a multi-cloud approach can satisfy both. It provides redundancy, security, and peace of mind because the infrastructure isn’t solely dependent on a single CSP, while providing the functionality and space to innovate on the best the industry has to offer. Now is the time to embrace multicloud.