The attractions are obvious: in today's data-saturated world, cloud computing allows large institutions to rapidly expand their IT capacity, boost efficiency and slash infrastructure costs. The downside? New security threats, amplified by stricter rules on protecting customer data, and a dependence on third-party providers for potentially vital services.
It is with an eye on the downside that banks have been slow in adopting cloud computing, which involves on-demand access to a shared pool of computing resources, such as servers and applications.
Earlier this year, the European Banking Authority (EBA) set out to change this in Europe, publishing draft recommendations for firms to enable them to reap the benefits of cloud computing, while ensuring that risks are appropriately identified and managed. The second objective is to harmonise, across the European Union, supervisors' expectations of banks using the cloud. The EBA tells Risk.net it plans to publish final guidance in the fourth quarter of this year.
Cloud enthusiasts say such measures, as well as ongoing work by cloud providers to meet banks' unique needs, are all steps in the right direction.
"There is light at the end of the tunnel, and this [EBA] consultation will help a lot," says Luke Scanlon, who advises clients at law firm Pinsent Masons on new technologies.
The proverbial tunnel is long.
Take cyber security. On the one hand, cloud providers, such as the leader of the pack, Amazon Web Services, are likely to have security processes and technology that are at least as advanced as those of their banking clients, thanks to their technical expertise and economies of scale. On the other hand, providers can pass on a bank's data or system management to yet another contractor, increasing security risks present in traditional outsourcing.
The EU's General Data Protection Regulation, coming into force next year, will up the ante on data security. The new rules require, among other things, that bank customers are able to request that their personal data held is deleted. One practical outcome, say lawyers, is that banks will have to clarify to cloud providers exactly how they should handle and categorise data to ensure it can be easily isolated and deleted if required.
Of more concern are potentially punitive fines, up to 4% of annual global turnover, for firms found guilty of data breaches caused by neglect. "The size of the potential fines is attracting a lot of attention from both clients and cloud service providers," says Peter George, partner at law firm Baker McKenzie, and responsible for the firm's annual cloud computing survey. "There will be contractual disagreements over where liability lies."
One way to spot and mitigate such outsourcing risks is to undertake regular audits of third-party providers, as banks in most EU countries are already required to do. The EBA's consultation, now closed, sets out similar guidance with a specific focus on cloud suppliers, and Scanlon at Pinsent Masons welcomes what he sees as a flexible approach to a difficult task.
Cloud computing involves distributing data across any number of physical locations. Scanlon says that, given the largest cloud providers host services for thousands of banks, regular physical audits would be inefficient, costly and would create risks for other banking clients, related to the security of their data.
Rahul Prabhakar, in charge of regulatory compliance for financial services in Europe, Middle East and Africa at Amazon Web Services, puts it another way: "A constant stream of people walking through our premises presents security risks."
The EBA recognises these challenges in its document and endorses alternative options where an outsourcing institution does not employ its own audit resources. These options are pooled audits, performed jointly with other banking clients, and third-party certifications or audits, provided they conform to widely recognised standards and meet the needs of the outsourcing bank.
"This is a really positive step," Scanlon says.
Prabhakar also welcomes the EBA's stance on audits but says the order of preference should be reversed. "The EBA and other regulators should consider clearly stating that, one, logical [de-facto] access is more appropriate than physical access and, two, that third-party reports and certifications or pooled audits are more preferable than individual audits."
Some regulators have been more prescriptive. Canada's Office of the Superintendent of Financial Institutions insists on being able to audit banks across their functions, says Robert Paolino, the former chief risk officer for Canada at Japanese bank MUFG. This effectively requires that data is stored within the country, especially data considered as sensitive under Canada's Privacy Act.
Oversight of cloud providers is even harder if they employ subcontractors. This may keep costs low but banking clients may not have a direct relationship with the provider of significant parts of the cloud service as a result. "It's been a struggle to square that circle," says Jonathan Kirsop, partner at law firm Stephenson Harwood in London.
One solution has been for cloud providers to give notice that they are appointing a subcontractor and give clients the right to terminate that particular service. "This does provide theoretical control over the supply chain," says Kirsop.
The EBA's draft advice on what it calls "chain outsourcing" says banks don't need to pre-approve every subcontractor, and providers can simply give clients notice of any subcontractor changes rather than require each change to be approved by all clients.
The EBA also proposes that the outsourcing institution should carefully delineate which activities can be subcontracted, and that any subcontractors fully comply with the obligations placed on the original cloud provider. The outsourcing agreement should also require the cloud provider to notify any changes to subcontracting arrangements in time for its clients to carry out a risk assessment.
A strategy for severing the relationship with a provider is another hurdle banks have to clear before cloud computing can properly take off in the industry.
"How do you extricate yourself from a cloud computing contract when you're dependent on the provider?" asks George at Baker McKenzie.
Guidance on outsourcing to the cloud released by the UK's Financial Conduct Authority (FCA) last year suggests that banks should ensure exit plans are documented, understood by appropriate staff and fully tested. It says banks should monitor concentration risk and consider how they would respond if a service provider were to fail.
However, the details remain largely untested. "No bank has ever exited from a significant public cloud technology arrangement," the BBA, a UK banking trade body, and Pinsent Masons wrote in a January discussion paper. The report focuses on the cloud model that is available to the general public, with Amazon Web Services the best-known example.
"As a result, frictions arise as to the contractual terms between banks and cloud service providers and other third parties leveraging public cloud. There is added pressure as parties do not have the benefit of experience to call upon," the paper continues. The BBA is therefore calling on the FCA to work with the banking industry to produce a due diligence checklist for banks migrating from cloud contracts.
The draft EBA guidance also acknowledges concentration risk inherent in cloud computing, not only from the point of view of an individual institution but also at industry level, where large suppliers of cloud services can become a single point of failure when many institutions rely on them.
Among other recommendations, the EBA advises banks to develop key risk indicators to spot deterioration in the cloud service to unacceptable levels, and to prepare alternative solutions and plans for transitioning to them from the out-of-favour cloud provider.
Not only will a smooth transition to another provider ensure the bank's services are unaffected, but it will also spare the bank reputational damage from a failure by a third party.
Neither the EBA nor the FCA guidance contains tips on negotiating contracts with cloud providers, which comes with its own unique challenges.
"In traditional bespoke outsourcing, financial services clients tend to have a lot of bargaining power and are able to use their own master services agreements," says Kirsop at Stephenson Harwood. "With a cloud service, it's a one-to-many solution. Suppliers can't have lots of different terms or policies for different clients. Clients have to get comfortable with standard terms, with limited ability to negotiate around them. That's the fundamental difference."
Finally, as with most banking activities in the post-financial crisis era, regulation can be a key determinant of the spread of innovative practices.
The EBA wrote in its draft guidance that uncertainty among banks about how supervisors expect them to handle cloud computing poses a barrier to its adoption.
In Indonesia, banks are blocked outright from migrating to the cloud due to their regulator's requirement that all critical services be hosted within the country's borders. "For banks, who could they find in Indonesia that could host those services? The big [cloud] providers don't want to set up data centres in Indonesia; it's not viable for them right now," says Manish Chawda, partner at Singapore consulting firm Pragma, which specialises in cyber and technology risks.
Differences in rules between jurisdictions present another headache for banks.
Standard Chartered, for example, has operations in 68 emerging markets. As the bank is ramping up its use of cloud computing, the answer is not, as might be assumed, to take a highest common denominator approach, says Jonathan Scott-Lee, the Singapore-based global head of compliance, data, technology, operations and outsourcing at Standard Chartered.
For a start, a gold-plated cloud strategy would eliminate most if not all of the cost efficiencies of the cloud. Second, even the highest specifications can fall foul of some regulatory environments: China, for example, mandates specific regulatory standards on the commercial use of encryption.
"I advise our digital teams to develop technology as globally as possible but that is flexible enough to allow software to be deployed in local environments," Scott-Lee says. For example, a cloud-based system could be linked to a locally housed database for client information for jurisdictions where the regulator requires data on clients to be held locally.
However, the trend is now towards ironing out regulatory differences around cloud computing, as illustrated by the EBA initiative.
Jeroen Prins, a London-based financial services technology risk expert at PwC, sums up: "For key jurisdictions we believe that similar principles apply and it is now feasible for the larger banks to adopt cloud services globally."
Continue reading here:
Heads in the cloud: banks inch closer to cloud take-up – Risk.net (subscription)