The Cloud’s Siren Song

Cloud providers are wooing cost-conscious financial firms. But shared computing has its own risks.

At the annual Sibos conference in London in September, alongside the usual exhibitors—global banks, fintechs and financial-software providers—attendees also encountered representatives from Big Tech companies such as Amazon and Google.

While these giants are relative newcomers to global banking and financial services, the large global banks have long feared that Big Tech might one day eat their lunch.

Indeed, Google and Amazon have launched their own payment solutions, but they weren’t touting these at Sibos. Instead, they were eagerly talking up their web services and cloud computing divisions, which provide shared computing and hosting services.

Along with Microsoft’s Azure, Amazon Web Services (AWS) and Google are positioned as leaders in worldwide cloud infrastructure as a service, according to research consultancy Gartner. In financial services, digital-first challenger banks like the UK’s Monzo and Starling, and the US’s Capital One, are case studies for AWS, which pioneered infrastructure as a service back in 2006.

Increasingly, financial-services firms are shutting down their data centers and moving computing to shared space. Goldman Sachs, which reportedly was buying computing as a service as early as 2016, uses AWS to manage risk and meet internal demand for computing power.

HSBC noted the benefits of moving to the cloud amid “capacity challenges” in its data centers and, in 2018, HSBC expanded its use of Google Cloud services. This year, the bank was an early customer of Google Cloud’s new Anthos service, which enables a hybrid approach by managing services on-premises or in the cloud or as workloads running on third-party cloud services like Microsoft and AWS.

“High-performance computing is a popular use case for cloud computing,” says Ian Massingham, director of Developer Technology and Evangelism at AWS. “These supercomputing clusters can be expensive for banks to run on their own, especially if they are underutilized.”

Most challenger banks’ technology stack is run entirely in the cloud. But until now, mainstream banks have typically shied away from “public cloud” providers such as AWS, citing data privacy and security concerns. Some banks have opted instead for private-cloud solutions using dedicated infrastructure on- or off-premises, or hybrid solutions that combine public and private cloud solutions.

New Risks for Old

Are mainstream banks wise to be skeptical of public cloud solutions? The cloud provides flexibility, but the UK’s Financial Conduct Authority (FCA) says it can also introduce risks that need to be identified, monitored and mitigated. “These risks primarily affect the degree of control exercised by the firm and specific issues such as data security,” the regulator states in its guidance for financial-services firms looking to outsource IT. Cloud customers have less control of the degree to which they can tailor the service and less control of the data, such as where it’s stored, the FCA cautions.

Earlier this year, in what was billed as one of the largest-ever banking data breaches, the account information of Capital One’s US and Canadian customers was hacked by a software engineer who previously worked at AWS, which provided cloud infrastructure to the bank.

The Capital One data breach prompted members of the US House Committee on Financial Services to call for cloud services to be placed under “an appropriate and enforced regulatory regime.” Other technology providers have voiced concerns about current data-protection methods in the cloud, such as anonymization.

The Association for Financial Markets in Europe (AFME) also recently published a list of recommendations to help public cloud computing realize its full potential across the capital markets. It outlined several barriers to adoption, including legacy IT complexity, security implications, regulatory concerns, a lack of standardization among cloud providers and long-term considerations such as concentration risk.

Even providers caution that companies can’t sidestep their own responsibilities by shifting applications and IT resources to the cloud. “We are only responsible for certain aspects of the [IT] stack,” says Massingham of AWS. “We’re quite explicit about the responsibilities of financial-services providers who are regulated entities.”

One of those responsibilities is to ensure their cloud provider has a high level of resiliency, adds Adrian Poole, head of Financial Services in the UK and Ireland for Google Cloud. “They should also have an exit strategy if something goes wrong,” he says.

Despite the risks, the cost savings, agility and flexibility have made it almost too compelling for traditional banks to resist the call of the cloud. Cloud computing is definitely here to stay, but as the larger banks move both critical and noncritical applications to the cloud, they shouldn’t expect a magic bullet. Cloud services providers are likely to come under increased regulatory scrutiny, and at the least, their customers will need to monitor these developments closely.