Customers’ expectations have evolved considerably in recent years. This is true for virtually every interaction of customers with their surroundings, and financial services providers are not an exception to it. Financial institutions (FIs) need to adopt and actively utilize new technologies to meet such evolving customer expectations, transforming their businesses and developing new capabilities to become more efficient and generate more value for customers. In this context, cloud computing is an important aspect of the financial system, as it enables the technology changes that banks and other financial institutions need to pursue. Cloud can help firms expedite processes, reduce risks and increase efficiency, as well as enhancing the ability to identify business opportunities and revenue streams, being a core element to positively impact customers through more personalized proposals, at better prices through safer and less risky operations. Cloud computing in finance began with non-core business processes, such as human resources and admin systems. Today, however, core processes such as credit risk management, payment transactions, and customer due diligence moving to the cloud.
This paper will cover key aspects and impact of cloud technology in financial services sector. It describes how cloud computing as a technology enables companies to compete in the financial services landscape, highlighting benefits and identifying risks and mitigants. Significantly, it also considers the risks associated with the scenario of not migrating to cloud. Such may in fact be the highest risk scenario for a financial institution, if they choose to be static while others are migrating towards transforming technologies and new ways of using data to explore new profitable and innovative business models. Consequently, financial institutions are defining their strategy on cloud. The mix on the different cloud service and deployment models will depend on each player’s strategy, but the decision to at least migrate to some form of cloud is obvious.
Cloud Computing Technology
“Cloud computing enables convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”. The NIST definition of cloud computing describes five essential characteristics, three service models and four deployment models.
With cloud computing multiple customers share the same physical resources. Financial institutions defined their ‘cloud strategy’, depending on their capabilities and size. These strategies are created by combining the available cloud deployment and service models.
A cloud deployment model is distinguished by size, ownership, and access. The deployment models are private, public, and hybrid clouds, while the Banking Authority recognize community clouds as a sub-type. While the banking authority definitions on the different models are very concise, they are also in line with the ones given by other institutions. The private cloud leverages a firm’s existing computer servers or, in some cases, can be hosted by a cloud service provider using a virtual private cloud. The primary thing is the infrastructure is available for the exclusive use by a single organization. On the other end, a public cloud is offered by a cloud service provider (CSP) to multiple customers who share the same cloud infrastructure.
A hybrid cloud comprises of two or more distinct cloud infrastructures. The two clouds operate as unique entities but are bound together by standardized technology that enables data and application portability (e.g. cloud bursting for load balancing between clouds). In a hybrid cloud, organizations can overcome the shortcomings of both private and public clouds depending on the need. Data and applications can move between private and public platforms for greater flexibility.
Lastly, community cloud refers to an infrastructure available for the exclusive use by a specific community of institutions, also includes several institutions of a single group.
Benefits / Impact of Migrating to Cloud
- Synchronize the enterprise. Improved integration of businesses through sharing data, driving integrated decision making, and moving more faster to resolving customer issues. Building connected data sets; enabling deeper, more insights and analytics; enhancing collaboration through new tools, and increasing speed of decision making.
- Drive business innovation. Help innovate and driving strategy to build new customer experiences, build and market offers, improvise operations, and manage talent through leveraging tools such as AI, AR, VR, machine learning, IoT platforms, image recognition, etc. Leveraging new tools and capabilities to increase revenue, reduce costs, more consistent operations, and retain personnel in a more effective manner.
- New talent and new ways of working. Aligning technology with business unit needs to benefit functions requiring new talent and new ways of working. Tech capabilities and solutions attract new workers and provide access to ecosystems with new skill sets—DevOps, UX, UI etc. Impact is enabling process improvements such as automation or human augmentation to improve productivity and create organizational integration, resulting in agility and transparency.
- Building resilient in operations. Improvise organization’s overall resilience to respond more quickly—be it disruption, or physical outages. Moving from organization’s data center but gaining ability to replicate data and app services across more than a single data center or region.
- Enhance IT security. This is different from the mindset that is existing that clouds are not secured. Large cloud service providers have extreme security standards—and have a substantial track record. These environments can be as secure or more secure than on-premises only when implemented correctly and with skilled and trained security.
- Scale computing costs as required. Computing resources can be scaled as needed and support cost efficiencies using dynamic cost pricing. Helping organizations with the way they pay for tech move away from up-front capital expenses towards core products. Organizations can respond more quickly to market trends or changes in other priorities.
Key concern often raised with respect to cloud is security. It is important to remember that the cloud is not something that is intangible - it does require physical servers with huge computing power. What is different from the ‘traditional’ IT infrastructure is the location of these servers, how those servers communicate with each other and their users, the architecture behind them.
It is observed that many of the risks of cloud are the same as those of any IT infrastructure, with the difference that they are under the management of a third-party provider, the CSPs.
However, it would be fair enough to say that the large cloud service providers are as secure, or at times even more secure than the IT infrastructures of the most advanced financial institutions. Security is one of the most important aspects of the CSPs’ business models: they have the expertise and adequate resources both in terms of capital and resources, evident in their annual expenses to keep their systems secure, the lack of known major disruptive events in their small historical downtime. Morpheus data indicates that the total time lost from cloud outages of the 3 top CSPs in 2017 was an aggregate of just 16 hours (across all industries, not just financial services).
The improvisations in the cloud security will drive fewer security failures and incidents than traditional infrastructures. This is already being observed, and there are many private and public organizations that now rely on cloud to be a more secure solution.
Risk and Mitigation
Beyond security the other aspects that get impacted in financial institutions when using cloud, and how these are being mitigated and managed:
- Data loss. Data losses could happen due to failures, deletion or disasters. According to the what type of data is lost, the issue can be more or less concerning, but in most cases the larger cloud service providers have disaster recovery systems in place to enable prompt recovery.
- Lack of appropriate skilled resources. This could happen as there is a continuous war for talented IT resources not just in financial services but across industries. Imagine a single misconfiguration could compromise all the systems using the cloud. This is not a concern with large cloud providers but it does exist with the smaller players.
- Outsourcing. At times, cloud companies outsource some of their functions to 3rd or even 4th party. Financial institutions should be informed when this sub-contracting is taking place, and who is the contractor and what type of information will they have access to and the services they will provide. It is important to ensure the quality and the checks are in place and the security in not compromised in any way. In addition, according to banking cloud computing regulations, outsourcing institutions cannot do chain outsourcing of risk management to third parties.
- Cybercrime. Is it just the financial services institutions who are leveraging technology or cloud? The answer is ‘no’. The cyber criminals have access to the similar technological advancements. Like banks, cloud service providers build their solutions with security in mind, and demonstrate high cyber-resilience. Be it being in-house or utilizing cloud services, cyber risks cannot be eliminated completely, they can only be avoided, reduced or transferred. Financial firms must determine how to balance their businesses and decision within their risk profile. As public cloud is more critical and prevalent throughout, financial institutions and regulators need to consider how the responsibilities over the controls in place should be shared, and how to adapt the traditional enterprise-wide risk frameworks to accommodate the adoption of cloud. One way most FIs have done is to start with hybrid approach (utilizing the benefits of public cloud, private cloud) and integrating with legacy systems. While being on cloud they try not to build dependency on one cloud service provider and try to utilize the benefits of each depending on the size, need, features and capabilities that each of them offers.
- Financial stability. Risks to financial stability arising due to digital transformation of financial institutions are becoming more and more important for authorities and regulators, especially when that process create single points of failure. This is mitigated by following a multivendor strategy, so that there is no one key cloud provider for any given institution. Different departments have the flexibility to choose their own CSP as a vendor. The choice could vary from AWS, Azure, Google, Alibaba and so on.
- Data Interoperability and Portability. It is essential to ensure data interoperability and portability within the cloud, amongst the large number of competing cloud providers for data storage and retrieval. Each technology has the risk of ‘vendor lock-in’, where a financial institution is dependent on a single cloud provider and cannot easily move in the future to a different vendor without incurring additional costs, legal constraints, or facing technical incompatibilities. That means having more difficulties to move data into, around and out of the cloud, as well difficulties if for any reason (example could be cloud service provider stops providing services due to business reasons) they want to exit their cloud. There are lot of tools that help the institutions mitigate this risk and keep their data accessible.
Risks of Not Moving to Cloud
Till now we discussed the positive impact, the risks faced due to cloud technology. However, this discussion would be incomplete without talking about what if cloud technology was not there? Or what if a financial institution would choose not to move on cloud. There is a definitely a risk of being left behind and security risk too.
Any information technology infrastructure has vulnerabilities, and continuing the traditional mainframe architecture for all activities does not guarantee a higher level of security when compared to cloud solutions. On the contrary, some of the traditional technology risks become much more relevant if financial institutions want to match up with their customer expectations. With the big data sets coming into consideration not having enough computer capacity to store and process the huge amount of information that is required to provide a personalized experience is a major risk that cannot be ignored.
Redundancy is another important aspect, as cyberattacks are on the rise and organizations need to plan for back-up that allows them to recover data and be up and running their business as soon as possible. That requires both capacity and resources, especially if inhouse. FIs must have a high level of operational resiliency, and it is more difficult to ensure running obsolete system in the new challenging environment.
Not migrating to cloud would mean retaining all legacy systems that are not dynamic, expensive to update and maintain, and are not designed to meet need of unexpected demand require long timelines to provision for infrastructure.
So, the opportunities and emerging trends in financial services driving adoption of the cloud include:
- Shortened time-to-market for new services through leveraging cloud-based, agile DevOps approaches.
- Breaking silos and achieving greater operational efficiency, at lower costs and with minimal CAPEX investments.
- Conducting analytics in the cloud, for enhanced business intelligence, strategic planning, targeted marketing, analytics-based requests for questions, cross-product analytics.
- Customer-facing web apps and portals that streamline self-service, provide efficient channels for promoting new products and services, and generally enhance customer satisfaction and engagement.