Banks: Stop saying “yes” to the cloud with folded arms



Fifty years since Canadian engineer Douglas Parkhill first hypothesised the widespread use of cloud-based IT services[1], we are still waiting for cloud computing to truly revolutionise the financial services industry. Security, data privacy and compliance concerns have weakened business cases to the extent that banks have often overlooked cloud technology as a major industry disruptor. The risk of IT failure, both during cloud migrations and once IT services have been outsourced to a third-party provider, has often proven too material an operational risk for CIOs and CTOs to accept, with their arms firmly remaining folded to the new world of the Cloud.
Yet we now find ourselves in a renaissance period for cloud computing across Financial Services. The information security and resilience of the major third-party cloud providers have now surpassed those of most banks, paving the way for industry-wide acceptance of the technology. 85% of financial enterprises now store sensitive data on the cloud[2] and regulators too are more comfortable with its usage. The FCA itself has stated: “We see no fundamental reason why cloud services […] cannot be implemented […] in a manner that complies with our rules.”[3]
Moreover, given recent enhancements in cloud service provisioning and the competitive edge it proffers, banks can no longer ‘risk avoid’ this technology as they once did. In short, the benefits of using this technology, both for incumbent and challenger banks, are growing stronger, whilst risk-based counter-arguments in favour of in-house IT solutions are becoming increasingly weak.
The major challenge for banks, therefore, is not whether they should embrace this cloud renaissance but how. Cloud adoption projects often involve significant cost and effort, a large part of which is spent proving to internal risk and compliance teams that the solutions are suitably controlled and resilient. Whilst the importance of compliance should never be denigrated, often this is too large an ask for standalone projects, with the result that on-premise technology proposals are favoured over cloud-based solutions.
To counter this tendency, leadership within financial services should focus on a clear, enterprise-wide IT strategy which looks to minimise friction between compliance teams and cloud projects. IT policies and procedures should be guided by the principle that cloud control is the responsibility of enterprise architects and portfolio leads, rather than individual project managers. The latter should, wherever possible, be able to leverage standardised documentation, with portfolio leads bearing the burden of, among other things, completing annual vendor evaluations and risk and controls assessments. Such a strategy and approach will not only facilitate the widespread adoption of cloud technology within banks, but also ensure consistency of implementation quality and minimise operational risk.
There can be no doubt that the cloud renaissance will continue to redefine the financial services landscape with growing speed. The most successful banks, however, will not just be those who are ostensibly open to the technology but those who say “yes” with open arms, and enable its adoption by making it bureaucratically viable.