There is no doubt that many industries are embracing the cloud, but financial services organisations are slow to transition and are lagging behind.
So, why is this?
Simply, financial service firms are concerned about their regulatory compliance, the complexity of functional replacement, security and control. In July of this year, the FCA published its guidelines on the use of cloud technologies. They describe the cloud as “a broad term”, so naturally stakeholders have differing interpretations. From the FCA’s perspective, they see the cloud as encompassing a range of IT services, provided in various formats, over the internet. This includes private, public or hybrid cloud as well as Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). Essentially, the FCA does not prohibit the use of the cloud, clearly stating that the firm’s fiduciary duties and liabilities remain internal. In relation to other regulatory jurisdictions, similar guidelines can be found on this matter.
Despite this, control and security remain a key concern for firms. We’ve all heard about loss of data from the cloud. Given the regulatory compliance obligations, there is an understandable nervousness around using the cloud to store client and internally sensitive data. It is true a number of cloud providers are meeting this challenge, through audited controls. But convincing the risk managers at financial institutions is an issue in itself.
We must also consider that institutions already have systems integrated into their infrastructure, allowing trades to be captured, sent to settlement systems, added to risk platforms, booked into the firm’s records, and so on and so forth. In short, firms have an abundance of technology platforms and services on hand. This makes it very difficult to replace any functional component. The downstream impact alone is often unknown and poses a very real threat to the business. In a recent paper titled ‘Fintech and the evolving landscape’, Accenture commented that bank investment remains tied up with adjusting legacy technology. Banks are continuing to employ a static method of annual investment allocation for activities designed to ‘change the bank’. So far, we have seen the larger firms continue to run internal systems, despite the higher costs.
Where is cloud really being used?
Research tells us that only some services are being outsourced to cloud-based providers. This includes CRM, email and application development. In truth, these are not core to business operations. However, they do consume a large amount of resources and therefore it makes sense to outsource. Additionally, a number of firms are using public cloud infrastructure to test new or updated applications, and are moving them back into the internal production environment upon completion. Again, this makes a lot of sense – test environments are expensive and often only needed for short periods of time.
Is there middle ground?
For public cloud-based services, it remains a challenge and we don’t see this changing any time soon. However, we have seen significant investment in the development of private cloud services, especially amongst financial institutions. This is particularly so as the use of private cloud means that firms retain internal control of how and where services are accessed and distributed. Most importantly, by having control of the data you ensure regulatory compliance.
For firms offering cloud-based solutions orientated around operationally sensitive areas such as credit and capital management, book and records and transaction/position management, the journey to the cloud is going to be a much harder one. The need to overcome client concerns around security will be ever-present. The option of using a private cloud will help the situation, as being able to show your firm is audited is a massive plus.
Any outsourcing solution will need to minimise the pain of adoption. In practice, this means light touch, fast time to market and scalable solutions operating in a controlled and auditable environment. Cloud services that support and augment, rather than replace existing in-house systems or processes, are likely to be embraced more readily. This is a more evolutionary rather than revolutionary approach. As long as the services are offering real business value, there should be uptake. Take Softek for example: we have adopted a full-service hosted solution in a private cloud for capital, credit and risk management. This is built on what we view as innovative technology which includes a rules engine, sophisticated data model and a flexible reporting engine. All running in a near real-time capable data centre, which also hosts a central store of highly cleansed reference data.
There are many different examples of how firms have drawn value from our private cloud-based solution oriented approach. These range from managing firms’ client credit policies, accounts, intra-day monitoring and alerting capital positions to the more complex or sensitive activities. For example, conducting ad hoc bespoke stress tests (post Brexit), data mining tasks across 9 million wealth management accounts, through to Basel III capital reporting and internal cost of funding for securities finance.
What is clear is the majority of cloud-based activities are limited to specific areas. For the most part, this includes non-critical services and activates that does not put client and firm data at risk. This limitation manages risk to an acceptable level and ensures regulatory compliance. However, it is also clear that where the participants including banks maintain control and see value they will outsource critical services and invest in the ‘private cloud’. After all, every financial institution, large or small, will tell you that technology – cloud-based or otherwise – is critical for day to day operations. Therefore, it is crucial for success.
By Andrew Powell, Managing Director, Softek Computer Services Inc