cloud framework

Cloud services rely on shared infrastructure, creating tension between banks trying to retain control and service providers trying to manage multiple operations.

Historically, banks would host and operate critical infrastructure in their own IT environment, ensuring complete control over how such infrastructure was managed and services delivered, even when some of this operation was outsourced.

As a result, the regulation of outsourcing in the financial services sector is built on the assumptions that banks have ultimate control over their outsourced functions and services.

However, with increased utilisation of cloud services, many of which access and rely on shared resources, tools and infrastructure, these assumptions have created tension between banks being required to retain a level of control over outsourced functions and cloud service providers trying to manage and operate a shared infrastructure for multiple customers.

While cloud services can take many forms, including private, on-premises cloud infrastructure, this article focuses on the use of shared cloud infrastructure and resources by service providers.

Globally, we have seen a shift in the way people spend their money, including significant increases in the volumes of card transactions (particularly contactless payments), where scalability has been key.

The ‘on-demand’ nature of cloud services enables quicker adoption without lengthy implementation and development processes or large upfront investment costs. The almost-instant elasticity of cloud services ensures fluctuations in demand can be met and scalability can be achieved with ease.

However, banks can only benefit from cloud services if the regulatory framework allows the service provider to retain responsibility and control over securing the platform, network, applications, operating system and physical infrastructure which it uses.

Operational resilience has been a priority for many of the regulators in the financial services sector, and the UK’s Financial Conduct Authority made it a key focus of its business plans in 2020/2021.

Similarly, the European Banking Authority’s (EBA’s) final guidelines on outsourcing established a framework for all outsourcing arrangements, mandating that financial institutions have effective management and oversight of the outsourced function. The guidelines acknowledge the increased reliance on cloud services, evidencing a positive step towards addressing the unique complexities of utilising cloud services.

However, a single framework designed to address the extremely diverse range of outsourcing arrangements is always going to present challenges.

Control and oversight

In an industry that has become accustomed to having full control over its IT systems, processes and delivery, the interpretation of many has been that effective oversight and accountability, as required by the regulatory framework, still requires control over key risk areas, such as information security, incident management and supply chain.

However, this negates the benefit of procuring a critical function as an outsourced service and is untenable with a shared infrastructure. To enable such customer control would mean the entire business operations of the third-party service provider would have to be governed by customer consensus. Such large-scale ‘governance’ is always going to hinder agility and innovation, which are among the very reasons banks have come to favour cloud services.

Security is a great example, as it is always a top priority for banks. Banks often mandate what they consider to be the most stringent of security controls, and cloud service providers are trying to manage extensive and varying controls being imposed by banks and customers, all of which affect the shared infrastructure used across their entire customer base.

Industry standards, such as ISO accreditations, were developed to enable best practice to be shared and to create a unified standard and level of assurance. Perhaps a greater focus on such shared standards, with greater input from banks at the outset, might prove to be a way forward to facilitate the use of shared cloud services.

Regulation of banks is, of course, critical to protect consumers and the economy as a whole. Banks must remain accountable for outsourced functions to ensure they do not become, in the words of the EBA guidelines, “empty shells”.

However, banks and regulators must get comfortable with the principle that when it comes to a shared infrastructure, banks cannot dictate or control the way the service is provided in a manner they may be accustomed to. Far from becoming empty shells, financial institutions make informed decisions to outsource critical functions where the outsourced technology provides greater security and reliability than their own systems or resources.

They do not need to lose all control, but traditional unilateral decision-making powers of the bank must be replaced by well-managed governance processes, regular communications and detailed dialogue to ensure oversight of the outsourced function if banks are to benefit from shared cloud resources.

Suzie Miles is a partner and Charlotte Kingman is an associate at law firm Ashfords.
