Banks have been implementing cloud infrastructure for certain low-risk functions since nearly the technology’s inception. Many banks, however, have shied away from implementing core transaction processing on cloud infrastructure. That has been changing recently. In just the past few years, banks had already begun to migrate more business-critical and transactional processing to the cloud, and the Covid-19 pandemic accelerated plans across the financial industry.
In its July 2021 Financial Stability Report, the Bank of England noted that, while cloud computing for banks could sometimes be more reliable than 100% self-hosting of servers, it was concerned that the public cloud services increasingly adopted by the financial industry are provided by only a small number of very large providers. While the overall topic of the report is the Bank of England Financial Policy Committee’s view on the stability of the UK financial system, one section highlighted what the committee perceived as a threat: big providers could dictate terms and conditions, as well as prices, to key financial firms, and banks’ growing reliance on cloud computing could pose a risk to financial stability as a whole without far stricter oversight.
A large part of the concern the committee came away with is that a small group of large providers shifts the balance of power to the providers’ side and lets them dictate the terms to the whole industry – essentially a lack of capitalism. One concern is that Cloud doesn’t offer valid levels of third-party scrutiny.
In a press conference on the report, Governor of the Bank of England since 16 March 2020, Andrew Bailey (no relation to George Bailey, I presume) said that the financial institution Cloud model “has been developed in quite an opaque and closed fashion.” He went on to say that he understood why and wouldn’t want people “publishing how this thing works in great detail.” While he understands the need to prevent hackers from being handed a guidebook, he sees the need to balance that with more assurance that cloud providers are meeting the levels of resilience that the financial system needs.
What’s this Mean for Banks?
In the press conference, the committee was careful not to imply that banks and financial institutions should not move to the cloud, or that the financial industry should decelerate its move. Sam Woods, Deputy Governor of the Bank of England and Head of the Prudential Regulation Authority, specifically mentioned, “…it is not our view that that is a bad thing.” He added that for banks, the cloud can bring benefits in efficiency and even resilience to cyber-attack.
So, for IT leaders at financial organizations planning a full or partial migration to the cloud, what do you do with this information? Take it at face value and use a few simple precautionary measures to mitigate the risks.
- This outlook on banking and cloud received a lot of press around the world despite the fact it was only a small part of a much larger report specific to the UK financial system and what BoE is doing to remove or reduce any risks to it. So, the first thing to do is to consider if this information even applies to you as a bank outside of the UK (assuming you’re not a bank in the UK reading this).
  - Are the predominant providers in your market the same as those in the UK report? (they probably are).
  - Are they as “opaque and closed” in your country as this report depicts them in the UK?
  - Are there regulations in your country or region that more thoroughly govern cloud provider transparency around security?
Familiarize yourself with the regulations and check any potential provider’s compliance. A good place to start is any regulatory body that has oversight in your country. In the U.S., for example, the overseeing authority is the Office of the Comptroller of the Currency (OCC), a federal agency that oversees the execution of laws relating to national banks. The OCC, along with the other Federal Financial Institutions Examination Council (FFIEC) members, released a report back in April of 2020 (well before the BoE’s report) that, among other things, highlights risk management practices and controls for the safe use of cloud computing in the financial services sector.
- Apply a well-thought-out procurement process. In this case that means including an RFI in your RFP process. A Request For Information is a document that asks cloud providers for information about their offerings. It is usually a preliminary document sent early in the buying process to gather general information about a vendor’s ability to meet a company’s needs and solve unique problems, but it can be built right into the RFP. In this case your RFI can request details about security-related aspects of the provider, including the vendors they use, their security processes and more. Typically, you’ll want to gather details on these areas to help mitigate risks:
  - List of certifications & standards compliance
  - How they manage data security, data governance and business policies
  - Complete listing of technologies, versions & service roadmap
  - Service vendors, dependencies & partnerships, and security
  - Statistics on reliability & performance
  - Details on migration support, vendor lock-in & exit planning
  - Specifics of business health & the overall company profile
If you’re working with a purchasing department or 3rd party procurement contractor, they most likely already have a process like this in place. If not, you can build the information gathering into your RFI, RFQ, or RFP. Most importantly, all the precautions, reliability, and performance details the above information provides need to be incorporated into your contract with the provider.
- The third recommendation will surface as part of the second, but it’s so critical to overall security in the cloud for financial institutions that it bears a stand-alone mention. You need to know who is running your system. Moving your company to the cloud is like moving into a skyscraper. You don’t own the building, but rather lease rooms or floors inside of it. You don’t control the security system to get into the building. You don’t have access to the infrastructure. You need to know what you have access to and what you don’t. Transaction processing or Message Oriented Middleware will often fall into the latter category. Not only is your cloud provider not going to monitor and manage it for you, they’re not going to notify you of missed transactions, backlogs, or traffic jams, all of which can carry a heavy cost to your organization in dollars and time and affect your company’s reputation. Make sure that you have proper access and a plan for proper observability in place as you migrate. For a more detailed look at the best practices, download this paper on what you need to know before you migrate to the cloud.
As organizations in the financial system flock to the cloud for more and more of their core business and transactions, the Bank of England and others have raised concerns about the finite marketplace of cloud providers. But with a little planning and the proper monitoring and management tools in place, financial organizations can mitigate the risks the BoE cited and take full advantage of the benefits of cloud migration.