Sudhir Pai, EVP, Chief Technology & Innovation Officer, Financial Services Global business at Capgemini.
Over the last decade, cloud has become one of the fundamental drivers of business transformation. In fact, Gartner predicts that 85% of organizations will embrace a cloud-first principle by 2025 and estimates that over 95% of new digital workloads will be deployed on cloud-native platforms, up from 30% in 2021.
While focus on cloud transformation continues, there has also been a shift in strategy, moving from a “cloud-first” approach to a “value-driven” approach. Instead of simply focusing on the “number of applications” migrated (the typical five Rs: rehost, refactor, revise, rebuild and replace), many business leaders now see cloud as the primary KPI and have begun to look at cloud strategy from a broader perspective, measuring the business value, risks and impact.
Financial services institutions (FSIs), in particular, have been incorporating cloud in their strategies to transform their business models and to improve product offerings and customer experiences. Many global FSIs have identified “cloud resilience” as one of the key focus areas, with some even developing solutions like orchestration layers for their systems that seamlessly switch between cloud providers and facilitate alternate data centers for hosting in cases of crises.
Global Cloud Regulations And Guidelines Impacting FSIs
One of the main reasons for this shift can be attributed to the magnified supervision from financial regulators across the globe in areas like “cloud outsourcing,” particularly those related to the concentration risks and their implications for the financial services industry. Regulators so far have offered FSIs recommendations that guide them to leverage the benefits of cloud services while ensuring that any associated risks are effectively identified and managed.
Of late, the increasing attention and response of regulators toward the over-reliance of FSIs on third-party IT service providers, especially the cloud service providers (CSPs), can be seen from the recent regulations and guidelines. These regulations and guidelines emphasize the need for effective multi-cloud operating models with well-defined “exit strategies” offering mandatory support during transition periods to mitigate the risk of service interruptions and their knock-on effects across the financial system.
In the EU, the Digital Operational Resilience Act (DORA), which had been under discussion for a significant period of time, was published in the Official Journal of the EU on December 27, 2022 and will become applicable starting January 17, 2025. What is unique about DORA is that it applies not only to FSIs but also to a group of non-financial service providers—e.g., third-party IT service providers—including cloud computing services, software, data analytics services and data centers.
In the U.K., the Bank of England (BofE) is leading the charge against cloud concentration and third-party IT risks, with the strongest callouts on principles and implications. In BofE’s set of recommendations from the “Future Of Finance” report, published in 2019, cloud and operational resilience is one of the key priorities for financial services firms. According to a 2020 BofE survey, Amazon Web Services and Microsoft Azure accounted for around two-thirds of U.K. banks’ IaaS usage. This means that an outage or a cyberattack on the cloud service providers can potentially disrupt the entire financial system.
In the U.S., cloud computing services are usually governed by state laws, with some federal overlay based on the subject matter of the specific contract. For the financial services industry, the Federal Financial Institutions Examination Council’s (FFIEC) guidance focuses on security risk management principles and the financial services sector’s use of cloud computing. There are other key U.S. regulations—such as the Gramm-Leach-Bliley Act, third-party risk guidance from the Federal Reserve, Office of the Comptroller of the Currency (OCC), Financial Industry Regulatory Authority (FINRA) and the New York State Department of Financial Services (NYDFS)—that the FSIs should consider or comply with while using CSPs’ services.
In Asia, the Monetary Authority of Singapore (MAS) leads the discussions around risks and controls associated with cloud (mainly public cloud). They have laid out risk-management principles and best practice standards to guide financial institutions in managing the technology and cybersecurity risks of public cloud adoption. Complementing the efforts put in by the financial regulators, independent bodies like the Fintech Open-Source Foundation (FINOS), whose membership includes global banks such as Citi, Deutsche Bank, Goldman Sachs, and JPMorgan Chase, have been establishing a common set of controls for cloud services.
How FSIs Will Likely Respond To Regulatory Developments
From an operational standpoint, these regulatory developments across the globe have the potential to influence the FSIs and CSPs as well as their relationship with each other and with the regulators. For financial service firms, outsourcing strategies are likely to be affected. Regulations would impose several new third-party risk management requirements, particularly for a firm’s critical or important functions. This would increase pressure on CXOs to review their strategic decisions around technology partnerships and carefully measure their risk appetite before entering third-party relationships with CSPs.
As far as CSPs are concerned, they will continue to engage with policymakers and financial regulators globally, enabling businesses under new regulations that deliver agility, risk mitigation and seamless interactions. CSPs will start looking for new ways to experiment and develop new products and services on the cloud that will fully comply with the emerging regulatory framework. CSPs’ risk and compliance programs will continue innovating on new functionalities and tools to help FSIs efficiently achieve compliance with applicable regulatory requirements. The cloud-risk diversification strategy adopted by FSIs might open up opportunities for small CSPs, especially in their multi-cloud strategy balanced with cost-optimization.
In conclusion, the key stakeholders in the modern cloud ecosystem, mainly the FSIs and CSPs, are likely to be challenged by the evolving regulatory supervision and to have their internal barriers to change exposed. In the long run, though, these initiatives will be seen not only as a compliance exercise but also as an accelerator to strengthen operational resilience and develop differentiated capabilities in cloud technology and services.