ICAEW.com works better with JavaScript enabled.

How best to regulate the bank cloud boom?


Published: 17 Mar 2022

Exclusive content
Access to our exclusive resources is for specific groups of students, users and subscribers.
The adoption of the cloud by banks is hard to regulate given the rapidly growing supply of services by third parties. But financial regulators are increasingly turning their sights on the megatrend.

When Jeff Bezos returned from blasting into space aboard his rocket New Shepard this summer, he quipped to TV cameras “you guys paid for all this”.

Most would assume Bezos was referring to the hundreds of millions, perhaps billions, of people who have ordered a package or two from the world’s biggest shop. That was only half the story. Amazon’s ‘other’ business Amazon Web Services, the cloud computing arm of the £1.3trn firm, has hauled in just over half of Amazon’s operating income in recent years.

Consumers too might not know that AWS, as well as a small cadre of other third party cloud computing providers, are increasingly hosting more and more global banks’ - or more importantly their customers’ - data. Not only this, but banks are also increasingly outsourcing their most important and core financial systems to the cloud as they increasingly prioritise digitalisation to stem the tide of swelling competition.

These cloud providers mostly come from a cluster of familiar Big Tech names: Amazon Web Services, Google Cloud, IBM Cloud, Oracle and Microsoft Azure raising some concern about that risks might be building in the system and a growing expectation of regulatory crackdown.

Every cloud...

Fintech watchers have been anticipating a shift to cloud-native core banking for years. Today it is becoming a reality, and it’s big business.

When compared with other technology-heavy sectors, banks have typically been slower to adopt the cloud, perhaps in part due to regulation. Takeup for both software as a service (SaaS) and core cloud infrastructure, however, has been rapidly accelerating for the past 18 months.

In 2020, there was a 30 per cent rise in cloud adoption by financial institutions compared with 2018, according to a PwC report with this year looking to see huge gains too.

Prompted in part by the pandemic’s digital boom, the world’s biggest banks are investing billions of dollars in a wholesale overhaul of creaking legacy financial infrastructure and heading for a distributed, cloud-based future.

Established banks are having to fend off fintechs and challenger banks such as Starling Bank and OakNorth Banks who have used the cloud since their early days to grow very rapidly and win millions of customers.

Banks face many threats, not least from non-financial institutions looking to launch banking and digital money services and the cloud powers rapid customer growth and rollout of new products services.

“The pandemic has clearly lit a fuse under cloud adoption with banks having to deliver and scale digital services rapidly. However, the cloud is also a prerequisite for success in the world of open banking and Banking as a Service. These are megatrends, powered and enabled by the cloud, that are shaping the future of banking,” said Andrew Reeves, Head of Cloud, Temenos.

JP Morgan recently revealed its entire US network of Chase retail banks would be moving onto a Thought Machine’s cloud-native core banking platform.

More than two thirds (67 per cent) of banks in fact think they will lose market share within two years if they fail to digitally transform, according to a report from cloud banking platform provider Mambu while 82 per cent are saying they now have a clear strategy for adopting cloud.

Elliott Limb, Chief Customer Officer at Mambu, says the past 18 months have shown banks just how important it is for them to have a robust and agile digital banking offering.

Limb says it's time the industry took note of the financial ‘evolvers’ that are leading the charge in this space.

“These are fintechs, challenger banks, and forward-thinking traditional players that are prioritising purpose-driven services and great customer experience,” he said.

The banking industry is, however, diverging on its approach to digital transformation.

“While retail banking has been slow to respond to the rapid changes in consumer behaviour brought about by the pandemic, there’s an emerging cohort of digital ‘evolvers’ that is bucking this trend,” he said.

Another recent survey of technology executives in the banking sector, conducted by The Economist Intelligence Unit found more than seven in ten (72 per cent) report that incorporating the cloud into their organisation’s products and services is critical, believing it will help them hit their most important goals. Just under half (47 per cent) say that they will do so “to a great extent”.

Two fifths (40 per cent) of respondents said they intend to modernise to a platform-based offering post-pandemic, working with third-party providers.

Cost is the biggest driver of cloud adoption (43 per cent), followed by the adoption of AI (34 per cent) and improving customer experience (21 per cent). Business agility and scalability were together cited by 40 per cent of respondents as top drivers.

But is this trend something to worry about? Are there budding risks that go alongside cloud adoption? Financial regulators are taking note of the trend and are increasingly poised to act.

Cloudy with a chance of (digital) disruption

In September of 2020, the European Union expressed a desire to more deeply supervise through new regulation financial services’ use of cloud technology.

More recently in October of 2021, The Bank of England's Financial Policy Committee hinted at its own future plans to tighten regulation.

It said there was an increasing reliance by the financial system “on critical third parties” such as cloud service providers. These can bring benefits to the financial sector such as improved “operational resilience”, it said.

As these services become more critical, however, it warned of the concentration risk of having a small number of providers and the threat this poses to financial stability “in the absence of greater direct regulatory oversight”.

While it did say regulated firms still have primary responsibility for managing risks that might appear from the cloud and other third-party services it laid out that legislative change would likely be needed.

Travers Clarke-Walker, Chief Commercial Officer at Thought Machine, says the regulator, and the UK’s regulator, in particular, must devote more and more of its attention to the ‘unknown’ in financial services.

“The financial services ecosystem is evolving rapidly, and new technologies and approaches to finance are proliferating that barely existed a year ago. For the regulator to keep up to speed, and fulfil its duties as a balanced champion of financial services innovation and consumer protection, it must continue to engage with key players and consumers,” he said.

For regulators, trying to catch up with the trend, and threats and risks that might arise from the wholesale move to online, Clarke-Walker says, are more complex.

“If anything, any risk of moving online is mitigated by the added assurance of a technology infrastructure provider's impeccable record of maintaining the security of its assets and their commitment to security,” he said.

“The level of security a top-tier infrastructure provider deploys, like AWS or Google Cloud Platform, can never be replicated by in-house technology resources. It would be the equivalent of trying to build your own Fort Knox in-house to protect your assets,” he added.

While the chief risk for the real Fort Knox is some sort of heist, for banks it is outages and data breaches. Both have been a growing concern with recent examples of the former happening to the likes of Facebook bringing down entire sections of the internet.

In recent years too the likes of TSB and Tesco Bank have both suffered reputational risk after IT upgrades that went wrong leading to customer service outages.

“Top-tier infrastructure providers employ a range of tools to ensure that reliability is top of the agenda. Five nines (99.999 per cent) uptime is now not a distant ambition, but a standard feature of technology infrastructure, which in context is less than six minutes of downtime per year, is a gap which continues to close,” Clarke-Walker said.

This means that even large-scale outages across fundamental infrastructure, will not cause any impact to the end customer, he argues.

“Compare this with on-site, server farms, which many banks continue to operate. They are hugely susceptible to fire and floods, to human error, and outages. They look distinctly antique and are an extreme liability, compared to the world of distributed computing,” he added.

Blue sky thinking

How banks should manage their relationships with third party suppliers of IT services, for front and back office, is becoming a more important issue.

Pressure on incumbent banks from both new competitors with new business models and regulators trying to stay ahead of the curve is growing daily.

The pandemic has accelerated the existing digitalisation path in finance and the cloud trend in banking is one of the most pertinent examples. This means regulators hands are increasingly being forced to bring rules into place to mitigate consumer concerns and monitor overall financial risk.

Regulation, however, is tricky. Fintechs and Big Tech are building banking services in the cloud from ‘day one’ and have completely shifted consumer expectations and the competitive landscape. Large banks too are already well on their way to migrating to third parties for more and complex parts of their operations to save costs.

If being ‘cloud native’ is the inevitable path for all banking, incumbents need to manage both the regulatory arbitrage that might in time drive up the costs and erode the savings of reducing physical branches and fully develop their services to make full use of what the technology can offer.

The sky’s the limit. Just ask Jeff Bezos.