09 July 2019 Julian Cunningham-Day – Clare Murray – Lindsey Brown – Jennifer Calver Regulatory framework
One of the nine core themes of the Bank of England’s Future of Finance report is “Enabling innovation through modern financial infrastructure”. A key recommendation for how to achieve this is for the Bank of England to “embrace cloud technologies, which have matured to the point they can meet the high expectations of regulators and financial services”. Cloud technology has become increasingly important to the digital economy, and the use of cloud by financial firms will only increase. Given the potential risks, the Bank of England has a key role in ensuring that firms use it in a safe and sustainable way.
Cloud is becoming mainstream, even in financial services
Cloud as an enabler
Cloud computing is no longer a “new” technology. It is increasingly used in the financial services sector as a means for firms to enable innovation, improve services and secure competitive advantage. The FoF report acknowledges, however, that adoption of the public cloud has been slower amongst financial institutions than in other sectors as a result of the costs of migration, management concerns over the use of new technologies and cautious regulators.
That said, research suggests up to a quarter of the activities of the largest global banks may already be on the public cloud or software hosted on the cloud. The FoF report identifies that banks are using cloud for customer relationship management, HR and accounting (but not, generally, for core banking services). Looking forward, McKinsey & Company suggest up to 40%–90% of banks’ workloads globally could be hosted on public cloud or software as a service in a decade.
Impact of Fintechs
The FoF report identifies that “the next generation of financial firms will likely widely use public cloud technology”; this is already being seen in the market with new entrants like Monzo and Starling making extensive use of AWS. These new market entrants are focused on providing an excellent customer experience and have embraced cloud technology to deliver this. They are disrupting the market and forcing established firms to change more rapidly in order to compete.
There are many benefits in using cloud
Agility, innovation and data analytics
The Bank of England’s (“the Bank”) response to the FoF report notes that, since new entrants will be unencumbered by the problems faced by longer-standing firms with antiquated, patchwork IT systems, they will be able to be far more agile in responding to changing consumer demands.
Using cloud also provides firms with access to the best analytical tools. Banks are sitting on mountains of data and being able to analyse this properly requires the processing power which can be offered by cloud solutions. These analytics tools should help banks in monetising the data they already have and in better using that data to service their customers.
Access to expertise
Cloud providers are experts in their chosen fields. Facilitating the use of cloud solutions therefore opens banks up to a range of products and expertise which even the most well-resourced in-house IT teams would not be able to offer. These additional products can, in turn, enhance user experience and drive competition in the market.
Security and resilience
Security of cloud solutions has previously been viewed by financial services regulators as a significant risk. However, as we have been discussing with financial firms for a number of years, cloud providers can potentially offer a greater level of security than banks can themselves provide. Cloud providers trade on their security reputation; a significant outage or data breach could prove catastrophic to their viability as a business.
Given the frequency with which the financial system is coming under cyber-attack, security is only becoming more important. The FoF report acknowledges that “even the best-resourced financial firms invest less in cyber-defences than cloud providers” and that, particularly for smaller firms, a move to cloud could improve their cyber security and resilience.
This could also offer a better solution for firms with patchwork legacy systems which are either coming to the end of their supportable life or contain a number of vulnerabilities in the joins between those systems.
The reduced costs which can be achieved as a result of the economies of scale offered by cloud are a well-known benefit. Research by McKinsey & Company suggests that cloud has the potential to reduce IT infrastructure costs by between 30% and 50%. These savings could free up cash for firms to spend on enhancing their consumer offering.
But there are also risks to address…
The Bank notes that operational resilience of firms is “critically important” and becoming as important as financial resilience. The FoF report indicates that, as part of this, resilience and effective management of technology infrastructure is paramount.
Firms looking to use cloud will therefore need robust processes in place to ensure that failure of, or disruption to, their provider will not impact on the bank’s ability to continue its core services, for example by ensuring that there are multiple backups and a robust disaster recovery process for getting back online quickly. It will be fundamental that banks fully understand what would happen in the event of a failure or disruption and that, should an issue arise, it is handled effectively.
Recent high-profile disruptions have shown that any such failings can have far-reaching consequences for a bank with the regulators, its customers and its market reputation.
Currently the cloud services market is dominated by a handful of large providers and, as noted in the FoF report, AWS and Microsoft account for almost half of all revenue in this area. This raises concerns about concentration risk and the impact which the failure of a single provider could have on the financial services landscape. One provider holding significant amounts of data for a number of banks may also make it a more tantalising target for hackers.
On the other hand, the FoF report also acknowledges that reducing the concentration risk poses additional questions about how best to ensure oversight of a large number of individual providers.
Loss of control
It is clear from both the FoF report and the Bank’s response that one of the key concerns from regulators has been, and still is, the loss of control associated with cloud computing. While IT was all provided on-premises, it did not matter that the technology might have been provided by IBM or Microsoft as the regulators could still walk in to the firm’s premises and have a look at what was going on.
With cloud, regulators do not have that same level of control and nor do the banks themselves. Regulators are therefore going to have to get themselves comfortable with being one step removed for any real shift to the cloud to be supported.
…and regulatory barriers preventing wider adoption
The FoF report highlights that, according to a new Finastra survey, 43% of UK firms said complex regulatory requirements were the key barrier to adopting cloud collaboration.
There are numerous regulatory considerations associated with cloud, including those relating to data protection, information security and bank secrecy. From a financial services perspective, in our experience it is often the audit and security requirements, such as those found in the February 2019 EBA Outsourcing Guidelines, which cause the most friction between firms and cloud providers. Certainly, we see Fintechs frustrated by being unable to meet banks’ stringent requirements relating to audit and security as they are unable to provide each bank with the access to premises (data centres in particular) which banks demand or to provide differing levels of IT security to comply with each bank’s own policies.
Balancing benefits against risks
As the benefits of cloud are further understood, including in relation to security, it may be that the benefits to both providers and users of financial services are starting to carry more weight than the risks and are tipping the balance in favour of the use of public cloud. However, the FoF report highlights that policies will need to respond to this emerging reality if the UK wishes to remain a leading venue for international finance and ensure that UK financial firms are competitive and are on a level playing field with new business models.
Further, the Bank will need to build expertise and play a leading role, in collaboration with other authorities, shaping use of public cloud in the financial sector.
What’s happening next?
New regulatory guidance
The Bank has committed to publishing a supervisory statement in 2019 which will describe “the PRA’s modernised policy framework on outsourcing arrangements, including a focus on cloud technology and setting out conditions that can help give firms assurance on its use”.
It will be interesting to see whether this incorporates a move towards removing the audit and security barriers mentioned above by, for example, including a specific proposal for use of pooled audits of cloud providers and standardised security certification, both of which are referred to in the EBA Outsourcing Guidelines.
If standardised certification is so onerous that only the biggest cloud players will be able to achieve certification, this could have an unintended consequence of decreasing competition and increasing concentration risk.
Both the FoF report and the Bank’s response recognise the importance of taking an international approach to the regulation of cloud use in financial services. The FoF report recommends collaborating with international regulators for a longer-term approach to cloud oversight. Financial services firms rarely, if ever, operate in a single jurisdiction and public cloud, by its nature, pays no attention to borders.
The Bank has therefore committed to lead the conversation around cloud globally. Consistent regulation of cloud across jurisdictions should help smooth the adoption of cloud within global banks with competing national regulations to contend with.
A cloud storm?
Removal of existing regulatory barriers to adoption of public cloud will certainly result in greater use of public cloud in financial services, opening up opportunities for both firms and Fintechs, but it does not necessarily follow that there will be a sudden rush in traditional banks moving their entire operations to the cloud. Such projects involve significant IT transformation and therefore significant time and cost, especially where interfaces with old and often bespoke IT systems are involved.
The requirements of the GDPR also need to be considered when moving personal data to the cloud or when making those new uses of personal data which are opened up by the ability to harness the processing capabilities of cloud computing.
“Changing the boundaries of financial services regulation”
While the FoF report recommends that the Bank embraces cloud technologies, it also emphasises the need for the Bank to be vigilant to the emerging vulnerabilities. It sends a warning shot to the larger cloud providers that if the removal of barriers to cloud adoption results in significant concentration of core banking functions with one or more providers, then the Bank may view those providers as “systemically important” and look to “include aspects of cloud service providers’ operations in the Bank’s direct oversight”.
Financial services regulation of tech companies is clearly something which is currently on the Bank’s and other regulators’ minds. For example, both Mark Carney and Mu Changchun of the People’s Bank of China have commented on the requirements for regulatory oversight of Facebook’s foray into the payments space with its cryptocurrency, Libra.
Next up in our Future of Finance Series
In the next instalment of our Future of Finance Series we will look at the Bank’s messages relating to the theme of “supporting the data economy through standards and protocols”. Stay tuned by signing up to our FintechLinks blog.