The majority of financial institutions have or are developing a cloud strategy, and most are already making some use of the cloud. There are a number of reasons why the cloud is an attractive alternative to running your IT in the traditional manner of owning and operating in-house data centres, including:
- reduced costs, and costs of cloud computing continuing to decline because of competition between cloud service providers
- nimbleness, speed to market, competitiveness, and responding to the threat of the challenger banks
- avoiding the continuing cycle of equipment obsolescence and replacement
- access to third party data and applications
- integration with fintech partners, which is being accelerated by open banking initiatives
- temporary additional capacity for testing
The benefits seem to be compelling. However, many systems, especially from established banks, are still running in the traditional architecture. So, what’s holding them back? And what role can specialised service providers play in helping them move to the cloud? Let’s look at the main obstacles to moving to the cloud:
The most commonly cited reason for companies to stop and think about the cloud is security. And these security doubts are largely around the storage of data by third parties. In addition to fears that a third party’s data storage might be breached, there is the concern of banks and their national regulators about data sovereignty – which country the data will be stored in.
Banks are right to worry about security, of course. But one of my favourite quotes is from Eve Aretaxis of ACI, who says in the 2021 Time Capsule from PYMNTS.com that: “Risk-averse banks… are warming to the fact that the big cloud providers can spend more on security in a month than any bank could spend in a decade.”
And if you look specifically at services that don’t store data at rest, you find they only handle individual transaction data, which is securely encrypted while being sent between the technology provider and the financial institution. It exists only instantaneously and inside the secure envelope of a certified Payment Hardware Security Module (HSM). These services can deliver the benefits of the cloud to the financial institution without raising concerns of how or where data is stored.
The other major concern relating to security is loss of control over security-sensitive operations. To a certain extent, these fears can be mitigated by examining the third party’s procedures, and by using data centres (such as those operated by Equinix) which are PCI DSS approved, and service providers which are PCI PIN approved; these approvals encompass security operations.
The question of cost
Although the cloud will deliver cost benefits over time, established players with legacy IT systems will face an immediate cost hit in moving these systems to the cloud. This can be expensive, time-consuming, and require skills and tools that the company does not have. Whilst this is not a problem faced by newcomers, for established players it is a classic investment-now-versus-future-gains evaluation that they will have to make.
What businesses need is a payments systems that is architected as either a traditional on-premise applications or a cloud application. So, it can deliver cloud benefits for the Payment HSM aspects of a payments system while the system as a whole is being migrated to the cloud – or indeed, if the payments system remains in-house.
The financial world is heavily regulated, at both national and industry levels. Financial institutions cannot move systems to the cloud if there is a danger that this will not meet with the approval of their regulators.
Although the UK’s Financial Conduct Authority has published guidelines for cloud adoption and argued that there is nothing to prevent banks from implementing compliant cloud services, the European Central Bank issued warnings in 2019 about the hazard of the cloud, and the Bank of England may consider testing the resilience of financial institutions to cloud threats.
This will undoubtedly delay the migration of many banking applications to the cloud.
Reluctance to move over to the cloud because of concerns over security are probably unfounded, but financial institutions will need to perform due diligence in the context of their own systems. On the other hand, the cost of migration of legacy systems and seeking clarity on the regulatory landscape are brakes on a rapid move to the cloud. But while all these issues are being settled, there is no reason why a point solution could not be deployed.