Regulators are looking at cloud banking apps, especially around resilience, recovery and concentration of providers.
Stephen Brobst, chief technology officer at Teradata, said EU regulators are concerned that the main cloud providers are all American firms — AWS, Microsoft, Google, and perhaps IBM — What would happen if the United States cut off banks’ access to their clouds?
Turkey, he said, does not allow its banks to use cloud platforms, a move that looks wise with President Donald Trump’s recent threat to impose sanctions on that country over its actions in Syria. The other leading cloud providers — Alibaba Cloud, Tencent Cloud and Huawei — are Chinese, which have their own set of political issues.
The Financial Stability Board (FSB) in a recent report said “…there may be new issues for authorities and financial stability that stem from the scale of services provided via the cloud and the small number of globally dominant players,” while noting that it sees no immediate financial stability risks arising from the use of cloud by FIs.
The use of cloud provides many benefits, from reducing investment costs, better security, greater flexibility and allowing financial firms to scale more quickly, the report said.
But the role of regulators is to look for potential problems, and the FSB asked what would happen if a cloud provider went out of service. It said that while some banks uses two cloud providers that was probably for different applications, and more a happenstance than strategy. Banks may have added layers of concentration risk they aren’t aware of if they use third party providers for functions such as CRM or HR, who use the same cloud providers that the banks use for their processing.
The FSB also asked if regulators would have difficulty evaluating outsourced operations — would the bank examiners have the same access to cloud operations that they have to on-prem systems? Even more worrisome, would banks maintain the IT expertise to understand their own technology if they are paying someone else to run them?
Theoretically cloud could offer the potential to move operations from one provider to another, but the lack of industry standards makes that an uncertain task. Bob Evans in his Cloud Wars report, which listed Salesforce and SAP as top cloud providers, cited another issue — proprietary technology.
“In one of the most significant developments in the cloud in all of 2018, Amazon said that it is ripping all of its Oracle databases and replacing them with home-grown technology. If Amazon can demonstrate that its own databases can run its business without a hitch, that will open up a potentially huge new business opportunity for AWS.”
AWS is aggressively moving to be a comprehensive provider, perhaps somewhat similarly to the way IBM was a broad tech provider to financial services. In addition to its cloud offerings it will provide edge networks and on-prem computing where clients want, or require it, reported Diginomics.
As Kurt Marko wrote in his report, AWS CEO Andy Jassy didn’t mention multi- or hybrid-cloud enterprise infrastructure once in his long keynote. At its Re:invent conference Jassy said AWS is 24 months ahead of its No. 2 competitor. Marko also referred to an interview that Jassy gave to Silicon Angle where John Furrier wrote:
“…it has become commonplace by industry analysts to lump together “the big three” cloud providers, as if they’re running at roughly equal speeds.
“Microsoft Azure and Google Cloud Platform have carved out reasonable positions for themselves, but they’re investing heavily, trying to keep AWS in sight.”
From Silicon Angle’s vantage point, it looks as if concentration in cloud is going to continue to grow, although it is worth noting that Bob Evans has a different take on it.
One problem FSB reports in multi-cloud environments is that they are prone to misconfiguration which can lead to data breaches. The Bank of England’s Prudential Regulatory Authority, in its report on Outsourcing and Third Party Risk, said that concentration could limit an FI’s ability to exit a cloud provider. It said the EBA wants a registry of outsourcing by the end of 2021.
It also noted that severe concentration in technology is nothing new for financial services, mentioning mainframes and cash machines as two other cases.
“Firms should develop their business continuity and exit plans, in particular for stressed exits, during the pre-outsourcing phase once they have determined that a planned outsourcing arrangement is material,” the BoE report said.
Whether that is practical is a whole other question.