Cloud adoption by the Financial Services Industry (FSI) is accelerating. A 2017 Accenture study revealed that 82% of banking organizations are already using the public cloud in some form, while the research firm Markets and Markets predicts that the finance cloud market will grow to $29.47 billion by 2021, at a remarkable CAGR of 24.4% (2016-2021).
Like many highly regulated sectors, cloud adoption by the finance sector began with “peripheral” apps related to email, HR, CRM, etc. Today, however, business-critical apps are being deployed on public cloud infrastructures. Capital One, for example, has made one of the largest public cloud deals ever with AWS. And the venerable banking giant, J.P. Morgan, went live in 2017 with three core apps in the public cloud—two related to wholesale trading and the third to risk modeling.
This blog post examines the forces that are accelerating the velocity at which the FSI is embracing the cloud.
No Longer “Nice to Have”
Banks and financial institutions are under pressure from a number of directions. There are new regulatory demands for enhanced transparency and freer flows of data. Customer bases are changing, with high expectations for personalized, real-time, always-available services. Shareholders are urging banking and other financial institutions to grow faster and at higher profit margins. And there are many innovative fintech and regtech competitors out there who can respond agilely to dynamic market signals.
In the face of these pressures, the cloud offers critical value propositions to the FSI for both legacy apps and new apps.
Despite the widespread use of mainframes in the FSI, there are still opportunities to shift full apps or selected workloads to the cloud and reap many operational and strategic benefits:
The more a legacy app is refactored for the cloud, the more benefits it will bring to the organization above and beyond operational efficiencies from lifting and shifting its underlying infrastructures. The most transformational benefits, however, are gained from new apps that are born in the cloud.
First and foremost, the speed of innovation is accelerated. By adopting a cloud-based DevOps culture, banks and other financial institutions can considerably shorten the time-to-market for new apps—from many months or even years to cycles as short as 60-90 days. In an environment of continuous integration (CI) and continuous deployment (CD), finance companies can respond as quickly as their competitors to changing market needs and expectations.
As millennials become the dominant demographic group, traditional customer engagement modalities are no longer adequate. Today’s always-connected consumers expect the kind of customer experience that only cloud-based technologies can provide: secure, omni-channel, robust, and instantaneous. The return on investment is significant. Gallup found, for example, that in the US retail banking sector, fully engaged customers contribute 37% more annual revenue to their primary bank than disengaged customers. They also maintain more products with their bank and keep higher deposit balances in their accounts.
The era of open banking has already begun in the UK and in Europe, with the Revised Payment Service Directive (PSD2) forcing banks, insurance companies, and other financial institutions to open up APIs that make customer data securely available to third parties when the customer consents, and to support transactions carried out by these third-party service providers. Financial institutions can grudgingly comply with the new open banking requirements, or they can see it as an opportunity to capture new value through the creation of a fabric of financial services for their customers. In any case, it will be difficult to build secure APIs for fragmented, closed legacy apps, and open banking will accelerate the drive to create new apps with cloud-native architectures.
Changing Perceptions about Data Security and Privacy
Security and compliance concerns—perceived or real—used to be the biggest constraint on financial organizations embracing the cloud. In a December 2015 report published by ENISA (the European Union Agency for Network and Information Security), data confidentiality, data breach, compliance, and legal issues were shown to be the major reasons why financial services companies were hesitant to migrate critical workloads to the cloud.
Today, however, it is generally acknowledged that the cloud providers have hardened the security profile of their infrastructures and managed services to the point where data may be more secure on the public cloud than in on-premises data centers. The tools, services, and best practices offered by the cloud providers to help customers hold up their end of the shared responsibility model are mature enough to support highly robust data security and compliance in the cloud.
Granted, traditional data security approaches are not effective in the high-velocity cloud environment, and financial services companies determined to truly leverage the transformational power of the cloud must fundamentally re-examine their approach to data security. A recent McAfee study on the state of security in the public cloud offers three best practices for enhancing data security in the cloud:
The last point on this list is particularly relevant to the FSI, which makes heavy use of hybrid cloud architectures. According to data from Intel Security, the finance and insurance sectors both strongly favor hybrid architectures.
Compliance and the Evolving Regulatory Environment
Regulators are buying into the reality of the cloud and are adapting compliance requirements accordingly. Two examples of recent regulatory legislation and guidelines that will have a significant impact on the FSI are the General Data Protection Regulation (GDPR) and the new European Banking Authority (EBA) guidelines for working with cloud service providers.
Much has been written lately about the GDPR enacted by the European Union, which went into effect on May 25, 2018. It goes without saying that the highly sensitive personal data held in the cloud by financial services companies is subject to the most stringent level of data protection and privacy controls mandated by the GDPR.
FSI companies that collect and store personal data on EU residents will be liable for heavy fines for non-compliance (up to €10 million or 2% of annual turnover, whichever is higher) and even heavier fines for actual breaches that endanger the rights and freedoms of the data subjects (up to €20 million or 4% of annual turnover, whichever is higher).
In addition, the GDPR gives data subjects greater control over their personal data, with the right to know what data is being held and for what purpose, the right to correct data, and the right to be erased/forgotten. As FSI companies deepen their penetration into the cloud, they should ensure that their architectures allow them to comply with these GDPR directives.
The EBA has issued guidance for the use of cloud service providers by financial institutions that comes into effect on July 1, 2018. The objective of the guidance is to allow FSI companies to leverage the benefits of cloud services while adequately identifying and managing the related risks.
A financial organization is responsible for ensuring that its cloud service provider—or prospective provider—operates risk, security, and personal information management systems to a standard that satisfies the guidance. Some of the relevant standards include ISO 27001 for information security management, BS 10012:2017 for GDPR best data protection practices, and the Cloud Security Alliance (CSA) Star Certification.
Outsourcing has always been problematic for the FSI. In recognition of the collaborative nature of cloud providers, however, the new guidance sets the framework within which it is acceptable for a cloud provider to outsource an element of the service it provides to a financial organization.
In general, the guidance will require providers and institutions to align their risk and monitoring programs around shared standards, with risk and compliance teams on both sides working together closely.
A Final Note
The financial services industry is undergoing a fundamental transformation as innovative fintech startups that are mobilizing advanced cloud-based technologies challenge the hegemony of Tier 1 players. The large banks, payment companies, and insurance companies have had no choice but to respond in kind and, quite frankly, the big winners are us, the consumers.
However, given the sensitive nature of their business, all financial institutions—large or small, young or centuries-old—are subject to the same stringent regulations that protect their customers’ assets and personal data. Financial institutions will have no choice but to adopt next-generation cloud-native platforms that can effectively and securely manage complex hybrid multi-cloud environments.
CloudCheckr helps ensure compliance with the CIS (Center for Internet Security) Benchmark and PCI (Payment Card Industry) through hundreds of Best Practice Checks. Change Monitoring allows for accountability when security configurations change, and gives administrators the opportunity to remediate misconfigurations. Invoices can be generated to multiple decimal places of precision, and converted to foreign currency, for complete control. Encryption can be enforced, both in-transit and at-rest, via CloudCheckr’s Security Best Practice Checks.