Cloud: Does it deserve a bad rap from the Treasury?
In October, the UK Treasury Committee published a report on IT Failures in the Financial Services Sector and in November, it launched an inquiry that will focus on “the common causes of operational incidents in the sector, the ways in which consumers lose out as a result of such incidents.”
With bank branches and cash machines disappearing, customers are increasingly expected to rely on online banking services. However, the current level and frequency of disruption to these digital services and resulting consumer harm has been deemed “unacceptable” according to the Committee.
This is fundamentally an issue of operational resilience, and the service outages cited by the Committee are ultimately IT problems.
The report made a number of recommendations which, once evaluated as part of the inquiry, are likely to become the basis for regulation. One of the recommendations took aim at the cloud and cloud providers as a point of failure.
This raises the question – when it comes to operational risk and catastrophic outages, is the cloud a problem or a solution?
Regulators highlight the cloud as a risk for IT failures
In the IT Failures in the Financial Services Sector report, the Treasury Committee singles out the cloud as a “source of systemic risk” and “there is, therefore, a considerable case for the regulation of these cloud service providers to ensure high standards of operational resilience.”
“The consequences of a major operational incident at a large cloud service provider, such as Microsoft, Google or Amazon, could be significant. There is, therefore, a considerable case for the regulation of these cloud service providers to ensure high standards of operational resilience.”
Treasury Select Committee, Report on IT Failures in the Financial Services Sector
As institutions continue to migrate from on-premise systems over to public clouds, the fear here is that any outage at a major cloud provider could impact multiple institutions at the same time.
Furthermore, any security vulnerabilities uncovered by hackers could be exploited across multiple systems.
For lawmakers the cloud platform represents a single point of failure they cannot ignore.
While systemic risk due to the cloud is certainly something that needs to be mitigated, regulators need to understand that – despite its faults – the financial services industry is better off with, rather than without the cloud.
Why we shouldn’t retreat from the cloud
While the cloud can create risks around operational resilience, it also solves many of the problems outlined by the Committee including:
- Resilience – Despite the hype around public cloud, the majority of institutions still don’t use it. New data is hard to come by but a snap poll at SIBOS earlier this year revealed 44% are already in the public cloud, 35% are catching up, and 19% are considering it for the future. Most operational failures are due to existing infrastructure, not cloud. And the reality is that by adopting the cloud – ideally a multi- or poly-cloud approach to guard against a single point of failure – banks are much more likely to ensure systems don’t fall over.
- Security – Cloud providers outspend banks by sheer nature of size and breadth of industries that use them, not to mention their own services. Providers are able to identify and mitigate threats at mass scale. Systems in the cloud are therefore inherently more secure than those that are not.
- Migration – When banks “embrace new technology, poor management of such change is one of the primary causes of IT failures”. The cloud is critical to any migration efforts and the utilisation of new technologies. This is a question of approach not the use of cloud per se. Often the could can assist with testing prior to go-live, providing easy access ‘on tap’ to as much infrastructure as is needed to run non-functional testing.
- Modern – Cloud infrastructure is built using the latest leading-edge technologies and undergoes a faster rate of evolution, as these technologies further modernise or become obsolete. The cloud is quite simply the best way to ensure the latest and best technologies and systems are in place
Beyond operational resilience the use of the cloud by UK financial institutions is important to the progress of our industry for a host of other reasons that regulators must be careful not to ignore.
More than a silver lining
There is no doubt that the cloud is essential to ensuring operational resilience, but it goes further than that. The cloud is critical to banks delivering the right services at the right price to consumers as well as driving overall competition in the market. Key benefits include:
- Cost – Banks are seeing falling revenues and increasing costs that threaten “free” banking in the UK. This commodification could have a serious knock on effect to consumers as institutions begin to charge for services that were once “free”. The cloud either limits or reduces many of these costs. On a transaction basis for example, the cloud can handle higher volumes at lower costs. According to a BBVA survey, one bank estimated it is saving up to 60% in payments transaction costs by eliminating the need for hardware, software or specialist payments technical teams.
- Services – The cloud has allowed banks to develop valuable consumer and business services that can be quickly adopted by third party providers (TPP) hosting their own services within the same cloud platforms – ultimately creating a “network effect” and reducing overall costs for their customers.
- Open Banking – PSD2 was instigated to drive competition and innovation in the market for the benefit of customers and the wider economy. Cultivating an API-led banking ecosystem is intricately linked with cloud. It is leveraged by all the new age Fintechs and neo-banks to host their solutions at cost, if not for free. In fact, cloud is the biggest driver for supporting the pay-per-use model and gig economy.
Be careful what you wish for
Based on the Treasury’s report, the cloud and cloud providers are likely to be seen as the problem. Yes, we need to be more aware of the operational risks associated with the cloud, and yes, some providers do need to be regulated – at least to the standards that banks’ infrastructure would be.
But in my view the benefits and opportunities the cloud presents far outweigh the risks.
By singling out the cloud’s problems without highlighting its benefits there is a danger that the inquiry will slow or even stall public cloud adoption which would be bad for the industry and the country.
At present the majority of banks systems are not in the cloud. Thus, the majority of the operational resilience issues to date are tied to existing legacy systems and migration issues.
With the right approach, cloud is not only the answer to operational resilience failings, but also the answer to how we ensure the UK financial sector serves the need of consumers and the wider economy. But this can only be done with the support of the Treasury.