Clouds forecast for financial services

By Paul Kelly

Bank of England seeks clarity over cloud service providers’ resilience

Cloud services allow users to store files and applications on remote servers run by third parties in a virtual space or cloud and then to access the data via the internet. They remove reliance on physical equipment and data centres. Like many industries, the financial sector has been using cloud services since they emerged around 2006 but has limited their function to peripheral operations like email or HR rather than core transaction processing or critical tasks.

Covid forced a change. The scales have swung in favour of cloud-heavy strategies, organisations becoming more focused on technology. With both employees and customers having to work remotely, digital transformation projects gained momentum and cloud adoption plans accelerated. Major retail banks including Lloyds, HSBC, NatWest and Barclays intend to shift core customer-related data to cloud services. Santander has moved 200 servers to the cloud every working day over the past two years. Sam Woods, CEO of the Prudential Regulation Authority commented recently, “We’ve crossed a further threshold in terms of what sort of systems and what volumes of systems and data are being outsourced to the cloud.”

The benefits of cloud-based operations are attractive. Technology infrastructure costs can be half those of traditional, on-premises data centres. Efficient, quicker processes are enabled which mean further savings, scalability is simpler and faster and customers can enjoy an effective, tailored service. New products and digital tools can be developed and launched sooner. Through an ESG lens, cloud facilities are more energy efficient; Santander claims its cloud migration has reduced the amount of energy its IT infrastructure consumes by 70%. The vast amounts of data financial institutions rely on to run successfully have historically demanded immense data centres with which smaller community banks or lenders couldn’t compete. Cloud technology allows smaller financial service providers to contend.

So far, so good. Why is the Bank of England uneasy then about plans to outsource customer data storage? Fundamentally, concerns largely concentrate on the market dominance of the three main tech giants: Amazon, Google and Microsoft. According to data released by tech analysis firm Gartner, the top five cloud service providers currently account for 80% of the market. Reliance on such a small pool of suppliers increases the odds that entire systems could be affected by cybersecurity risks, hacking and outages. Major online banking services, including Barclays, TSB, the Bank of Scotland, Tesco Bank and Sainsbury’s Bank, were either entirely or partially inaccessible for a short period on 22nd July following an outage. At a May congressional hearing, Wall Street’s top six banks cited cybersecurity as the greatest threat they face. JPMorgan Chase alone spends $600 million annually on cybersecurity measures.

Alongside the issue of risk concentration on the big three, their control of the market creates fear they have free rein to dictate prices and the terms of their services. More worryingly, that they could potentially withhold key information about risks from clients and regulators. It’s this operational secrecy and the speed with which organisations are adopting cloud facilities for critical data that are making the Bank of England nervous. Andrew Bailey said in the July 13th Financial Stability Report press conference, “As they become more integral to the system we have to get more assurance that they are meeting the levels of resilience that we need.” Evidently, there must be a certain level of confidentiality over the precise workings of cloud services to keep them safe from hackers. Regulators, however, need evidence that the data security measures in place are adequate. The Bank is working with the FCA and the Treasury to tackle cybersecurity threats, but their influence is limited without international cooperation since most cloud service providers are based overseas. And it’s a race against time. “The big problem here is technology is moving faster than regulators.” Sarah Kocianski, Head of Research at fintech consultancy 11:FS.

The rapid pace of cloud implementation puts pressure on cross-border regulators like the Financial Stability Board and the Bank for International Settlements to set global standards now to protect customer data and support compliance and monitoring.