By Bharat Bhushan, CTO, Banking and Financial Markets (EMEA), IBM
Today, cloud computing is not only critical to the future success of the European financial sector. It also sits at the heart of the continent’s COVID-19 economic recovery plan. However, due to concerns relating to regional independence and operational resilience, the European Commission (EC) is wary of financial institutions central to Europe’s success becoming too dependent on individual cloud providers.
To address this, European Banking Authority (EBA) regulations dictate that organisations must have clear “cloud exit” strategies in place to ensure data, applications and workloads can be moved swiftly and securely between clouds as and when required. But with many cloud services built on proprietary technologies, vendor lock-in is a common problem.
The UK’s Financial Conduct Authority (FCA) takes a similar position. Its guidance for firms outsourcing to the cloud stipulates that companies must ensure they are able to exit outsourcing plans without disruption to services, or their compliance with the regulatory regime.
With migration to cloud expected to accelerate this year, financial CIOs and CROs need support to ensure the investment decisions they make in 2021 will facilitate the long-term portability of digital assets required to comply with industry standards.
The importance of regional resilience and competitiveness
Partly a response to the strength of the technology sector in China and the US, Europe is pushing hard to boost local digital ecosystems and reduce dependence on external service providers. This is important for the finance sector for several reasons.
First, Europe has a distinct legal framework governing the use of data which could put organisations at risk of non-compliance if they use foreign services operating under different set of rules. Second, the EC is keen to ensure the resilience of organisations critical to its regional competitiveness. By locating more digital infrastructure in-region, and ensuring it is subject to local data laws, Europe is in a better position to protect key industries as they migrate to cloud.
It is this desire to safeguard key industries that informed EBA regulations for financial institutions. In any highly regulated sector, the use of third-party vendors to fulfil mission critical functions will carry a certain amount of risk. And in the case of banking, regulators are insisting businesses show they have identified these risks and are taking steps to mitigate them.
Finding a cloud service partner, not just a provider
A major concern as banks transition more of their operations to the cloud, is that they will become overly reliant on service providers. Due to the complexity of processes and systems involved, and the fact some providers operate closed ecosystems built on proprietary technologies, this can make it practically impossible for a company to extricate itself from the relationship if later required.
Depending on the amount of data involved, the type of application, and levels of complexity and embeddedness, migrating everything from one provider to another, from scratch, with no pre-existing exit plan in place, could take a prohibitively long period of time. Potentially a multi-year project, and too long according to the EBA.
Avoiding this scenario depends on asking the right questions before further migration even begins. Ultimately, your Cloud Service Provider (CSP) needs to be more than just another tech vendor. They should be a true partner prepared to proactively support both migration and wider business transformation.
This means selecting CSPs with financial sector pedigree, that are part of an ecosystem of industry relevant Independent Software Vendors (ISVs), and have experience supporting organisations in highly regulated industries.
A best case scenario involves a CSP that is already working closely with regulators to proactively demonstrate the compliance of their offering. Compliance should be baked into cloud platforms. Further, commitment to monitoring of shifting international regulatory obligations simplifies the compliance challenge for CIOs and their teams.
Compliance by design
When it comes to facilitating cloud exit, perhaps even more important than industry experience is that the CSP selected subscribe to design and architectural principles compatible with the easy portability of data and applications. Application design, for example, can ease the process of cloud exit if modern application development architectures like microservices are employed.
A cloud native architectural approach, the use of microservices sees applications developed as a series of independently deployable smaller components, or services. This is a stark contrast to the monolithic service-oriented architectures where even a small change to application configuration can involve broad, time consuming updates to code, often resulting in significant downtime.
By employing this approach, Europe’s financial organisations ensure it is technically possible to efficiently port specific components from one cloud to another in the event exit is required. It also makes it simpler for team members who may not have been involved with developing the original application to fulfil this requirement, as it is easier for them to break down and understand the code base involved.
This ability to move components incrementally is particularly important in an industry like banking where users expect and demand 24/7 uptime from a range of critical applications. From balance checks to money transfers, any interruption to these services stands to have a huge impact on customer confidence and overall business performance.
Leaving the door open to cloud exit
Beyond optimised application design, CSP partners should also recognise the reality of how most of the financial sector is currently using cloud and configure their architectures accordingly. Like most enterprises, the banking sector is still in the early stages of migrating mission-critical workloads to cloud. And the majority are using a mix of on-premise, public and private cloud from multiple vendors.
Instead of facilitating this to drive efficiencies, the proprietary cloud models employed by many CSPs become a hurdle that businesses have to overcome. Not only do they block integration and reduce the opportunity for innovation, they also limit the portability required to comply with EBA obligations.
To avoid this, banks should embrace a hybrid cloud model built on open source technologies, allowing them to run workloads, data and services across any environment. From public and private cloud, to data centres and the network edge, irrespective of the vendors involved.
This is especially important in European banking where EBA regulations specifically demand that organisations use more than one vendor to limit dependency and increase resilience. In this mandated multi-cloud environment, a primary CSP offering an open, cloud agnostic hybrid cloud model removes the complexity for banks, allowing seamless switching between services as and when required.
A good example of the benefits this confers is what happens in the event of an outage. Should a bank’s cloud service fail mid loan application, customer relationships will likely suffer should service not promptly resume.
A CSP able to integrate, monitor and initiate a controls framework over any cloud service, regardless of vendor, can ensure this is never an issue, automatically switching between services without customers ever realising there was a problem.
Looking at the bigger picture
Of course, selecting the right service is just one part of the puzzle. Outside of technology, banks will need to work with their CSP to design exit strategies and initiate a regular testing regime to ensure plans are fit for purpose. It is worth checking out guidance from the European Banking Federation’s Cloud Banking Forum as the group has published some insightful technical papers in recent months going into this topic in more detail.
Looking at the bigger picture for Europe’s banks, open technologies and vendor agnostic clouds aren’t just critical to cloud exit compliance, they are also increasingly central to business success. Organisations need cloud freedom to compete. As competitors and entire industries experiment and adopt new ways of working, interoperability, portability and reversibility are critical to the ability to innovate freely. They will be the ultimate differentiating factor.