The Association for Financial Markets in Europe (AFME) has outlined some key the potential key regulatory barriers to a more far-reaching adoption of cloud services by banks and financial services firms – a trend that has been greatly amplified by the pandemic but that continues to stumble upon key operational issues.
In a report released on Wednesday in collaboration with consultancy firm Protiviti, AFME identified the main areas of concern where additional support from both legislators and policymakers and regulators and engagement from Cloud Service Providers (CSP) could take steps to lower hurdles for banks to migrate to cloud technology while safeguarding their operational resilience.
“There are concerns that recommendations towards portability and the use of multi-cloud to achieve outcomes sought by regulators (increasing cloud resilience and mitigating concentration risk) will introduce further limitations on adoption,” the report said.
Firms surveyed by AFME warned that portability between multiple CSPs – i.e., the ability to move applications and data from one computing environment to another, allowing for equivalency of functions – can introduce significant technical complexity, stemming from the additional services and integration required. This, the warned, could further inhibit the ability of banks to recover from failures quickly, due to the number of systems, services, and technical components involved.
“Portability poses significant technical limitations and a loss of differentiated cloud benefits as a mechanism for increasing resilience,” the report said, citing “limited benefit in a CSP stressed exit where a bank may have reduced or no access to its data.”
Another set of risks would arise from the fact that a large number of banks is now using a multi-cloud strategy, which the report says allows them to “deploy IT workloads across multiple CSPs [and] take advantage of each CSPs unique service offerings and strengths,” as well as accessing different geographies.
These use cases for a multi-cloud approach, the report emphasises, prevail over its use “as a mechanism to mitigate concentration risk and increase resilience.”
Moreover, “while multi-cloud can reduce concentration risk to some extent, the technical, process and resource complexity needed to support multiple CSPs can lead to decreased resilience overall,” the report said.
AFME and Protiviti said regulators’ approach to the wider adoption of cloud technology should overall be risk- or scenario-based, grating banks “flexibility based on their usage and technical needs.”
Any future regulatory framework should also ensure cross-border convergence between different jurisdictions, they said, on both resilience metrics and risk expectations- based on baseline indicators that would also help regulators quantify any macro-concentration risk across the industry.
The report also recommends setting out clear information sharing and transparency requirements for CSPs – including contingency procedures, security testing and recovery and restoration capabilities.
The mapping and benchmarking of CSPs’ offerings would also boost adoption and safety across the industry, it added.
Finally, the report calls for more robust cloud cross-border data flows and storage, “to prevent further technology and data-related regulatory requirements being introduced that could segment banks adoption of cloud services regionally, […] increasing geographic concentration and cyber and resilience risks.”