The events of the past two years have provided an unprecedented catalyst for financial institutions to accelerate the adoption of new technology and overcome legal and regulatory hurdles of the past.
Financial institutions will always say that technology is key to accelerating change – the challenges were all about making it happen in practice. The Covid-19 pandemic pushed organisations to adapt in record time and to use technology to solve problems faster than ever before.
A few months into the pandemic, Microsoft CEO Satya Nadella said that Microsoft had seen “two years of digital transformation in two months”, as customers adopted cloud solutions at pace. As we emerge from the pandemic, for many financial institutions, the short and medium-term goals are all about keeping the ‘pedal to the metal’ in terms of changing how services are delivered to customers. The alternative is to risk irrelevance.
The infrastructure on which financial institutions rely is fundamental to the evolution of their service delivery. The biggest change has been the move to the cloud by financial institutions.
Financial institutions can be divided broadly into two groups – those who are seeking to move to the cloud to take advantage of the benefits it offers, and those who were ‘born in the cloud’. Typically the latter will be challenger financial institutions and the fintechs which established financial institutions compete with. There is little room left for a third group – financial institutions not willing to consider any cloud adoption at all.
Some of the key drivers for moving to the cloud are:
Financial services firms have been using the cloud for some time. In 2017 Pinsent Masons collaborated with UK Finance on a study on the challenges that banks faced when moving to the cloud.
Since that time, the rationale for financial institutions to move to the cloud has only become stronger. The challenges identified in 2017, such as issues concerning the management of data, the effective supervision of cloud providers, and concerns around data location and access, have not entirely gone away, but they have been mitigated.
Yvonne Dunn
Partner
A key difference now is that regulators are demonstrably more positive about the cloud for financial services, albeit not without some reservations. Not too long ago, the idea of a major bank running systems on the public cloud would have been laughed out of the room, but that is happening now.
Cloud providers too have become more mature. Compliance programmes, continued policy engagement with regulators and contracting positions which accommodate regulatory requirements are now expected aspects of the market’s leading cloud service providers.
Public cloud adoption is still relatively new among European insurers, but that is likely to change. One of the key growth areas for cloud adoption in insurance is in relation to underwriting and pricing, where greater use of AI to drive decisions means that greater processing power is needed.
Financial institutions will point to a number of factors that can drive a move to the cloud. Flexibility and scalability are key drivers.
Financial institutions are working with artificial intelligence and machine learning solutions as part of processing data and generating customer insights. Given the scale of the data held by established financial institutions, this kind of activity can quickly soak up the capacity of an on-premise data centre, whereas cloud offers a more flexible solution.
In addition, the volume of transactional data can be unpredictable, which makes the flexibility that cloud can offer attractive.
Cost savings are another key factor. The installation and maintenance of on-premise IT systems is lengthy and costly, whereas using the cloud reduces the hardware cost and can move the charging model to a service-based, variable cost model.
One of the major positives about moving to the cloud is security, which is ironic since a few years ago concern around security was one of the main reasons why financial institutions and their regulators were wary of moving to the cloud.
Given the rapidly evolving threat landscape, cloud infrastructure is arguably better protected than in-house. However, the major cloud providers are obviously a significant target for hackers, and so security concerns have not gone away. Financial institutions tend to focus on the fact that the cloud provider’s business is much bigger than a single financial institution, which provides the incentive to keep up with security threats and avoid significant outages.
There remain challenges for financial institutions in moving to the cloud. Large financial institutions fear vendor lock-in. This risk can be mitigated by building operating systems that allow the financial institution to move between cloud providers. This also allows financial institutions to select best-of-breed applications, since all the main cloud providers will have specific strengths.
Vendor lock-in is also linked to concentration risk. As financial institutions become more reliant on cloud, this raises the risk that a financial institution is perceived to be over-reliant on one cloud service provider.
The other angle to concentration risk is where several financial institutions have important infrastructure running on the same cloud provider. The market in cloud services is concentrated, with the ‘Big 3’ of AWS, Microsoft and Google dominating.
Regulators have been expressing concern about concentration risk, and are emphasising the responsibility that sits with financial institutions to ensure that data is protected in the cloud. Financial institutions are likely to develop multi-cloud solutions to mitigate concentration risk as well as the more commercial concerns of vendor lock-in.
Cultural and business challenges also arise. Cloud migration needs to be treated as a business project, not an IT project, and it needs senior executive sponsorship. That means that the cloud solution is truly treated as the infrastructure platform for business development and change, as opposed to an end in itself. This also links to the need for culture change in financial institutions – the move to the cloud needs to sit within an overall vision and strategy and not be buried in the technology team.
One of the key perceived barriers to moving to the cloud for financial institutions is regulatory compliance. Regulators are positive about the cloud, and are making use of it themselves, but they do require that financial institutions do not compromise their stability, operational resilience or security in moving to the cloud.
Operational resilience is a hot topic for financial institutions, with the Bank of England, PRA and the European supervisory authorities all publishing guidelines and requirements on this topic in recent months.
In the EU, the Digital Operational Resilience Act includes proposals to regulate digital operational resilience in a harmonised way, and in the UK, the 2022 Queen’s Speech referred to the UK government’s plans for new legislation to support resilient outsourcing to technology providers in the financial services sector.
In October 2021 the Bank of England’s Financial Policy Committee said: “The increasing criticality of the services that CTPs provide, alongside concentration in a small number of providers, pose a threat to financial stability in the absence of greater direct regulatory oversight.”
The committee suggested that additional measures, including legislative change, may be required. Recently the European Securities and Markets Authority (ESMA) released a working paper on financial stability risks from cloud outsourcing.
ESMA’s key suggestions were around emphasising the importance of carrying out due diligence on cloud service providers and using multi-cloud solutions as a backup, which places the onus on financial institutions to develop their infrastructure in a way that facilitates that.
All of this means that financial institutions need to be comfortable that moving to the cloud is not going to compromise the security of their systems and data, their ability to exercise oversight, their compliance with regulation and their operational resilience.
It is possible to achieve regulatory compliant cloud contracts. All of the major cloud service providers recognise and address the specific needs of financial services institutions.
It can be more challenging with software-as-a-service providers, but despite this there is a path to contract that does not involve the financial institution taking unacceptable risk.
To achieve this, it is important to focus on the regulatory requirements, but also to consider their context and underlying intent. Experience of working with the regulatory rules in the context of third-party contracts should permit creative solutions to get to contract that do not compromise on regulatory risk.