Public cloud – Benefits and regulatory challenges

Public cloud

The ongoing COVID-19 pandemic has shown that the cloud is a technology every organization should adopt to become more resilient, manage operational risk effectively, and ultimately be ‘part of the solution’ to recovery from the pandemic.

The cloud offers numerous, adaptable and versatile ways to consume a wide range of technologies and services, such as business applications, processing power and data storage, that can transform how businesses operate.

For financial institutions (FIs), all cloud models and services are rapidly becoming mission-critical. Yet public cloud use attracts the most interest and scrutiny within the industry today, largely because of its increasing adoption both by FIs directly and by their third-party providers.

Public cloud implies a shared responsibility model between FIs and cloud service providers (CSPs). The CSP runs and secures the data centers and the underlying infrastructure (servers, networks, hypervisors), while the FI remains responsible for what it deploys on top of that platform: identity and access management, data classification and encryption settings, workload configuration, and demonstrating that the regulatory requirements applicable to it are met. Where the line falls shifts with the service model (more sits with the CSP under SaaS than under IaaS), so an FI must map the split explicitly for each service it consumes rather than assume the CSP covers it.

Benefits of public cloud

The public cloud brings significant benefits to financial institutions in four main areas:

  • Effective risk mitigation: Increases operational resilience and continuity of service by distributing the risk of disruption across on-premises and off-premises infrastructure. Cloud infrastructure reduces geographic concentration and systemic risk compared with on-premises environments, provided workloads are actually deployed across multiple availability zones or regions rather than in a single location. FIs also benefit from the cybersecurity capabilities and tools of the CSPs, who invest billions in advanced security controls, although the FI remains accountable for configuring its own workloads securely. Cloud also makes it possible to architect workloads that tolerate unexpected outages and security threats, for example through redundant deployment and automated failover.
  • Innovation: Cloud provides greater business agility, offering flexible computing capacity for experimentation and development through models such as Software as a Service (SaaS) and Platform as a Service (PaaS), increasing scalability and reducing project lead times. This flexibility allows FIs to run IT workloads and applications as required without retaining a large IT footprint, so they can quickly develop, test, and roll out new products or features. Cloud also provides ready access to advanced technologies and capabilities (data analytics, machine learning, and artificial intelligence) that would be hard to obtain in any other way at the same quality, cost, and speed. These technologies enable FIs to deliver better products and services to their customers, improve their ability to fight financial crime, and manage risk.
  • Cost savings: Another major advantage of the cloud is reduced spend on procuring on-premises data centers and hardware, and on the associated operations and maintenance, by moving to on-demand, pay-as-you-go consumption of services. This improves overall cost management and gives greater transparency and control over consumption.
  • Productivity gains: Greater automation and self-service increase the speed and agility of existing IT and operations. The public cloud also allows companies to take new products and services to market quickly.

Regulatory challenges

Although the benefits of public cloud are substantial, adoption and implementation of public cloud by FIs remain complex because regulatory requirements are sometimes in conflict with one another.

The challenges stem from inconsistent requirements around audit and cybersecurity and from varying regulatory frameworks, which range from treating cloud use automatically as a form of outsourcing (e.g., the MAS consultation on Notices to Banks and Merchant Banks on Management of Outsourced Relevant Services) to treating CSPs as critical third-party service providers subject to direct regulatory oversight (e.g., the draft EU Digital Operational Resilience Act, and the Korean Financial Services Commission (“FSC”) proposed amendments to the Electronic Financial Transactions Act).

Examples of regulatory challenges include:

  • Rule-based, prescriptive frameworks for cloud adoption in many jurisdictions, which impede the uniform cloud architecture needed to support a global network.
  • Differing standards and regulatory requirements across jurisdictions on materiality/criticality thresholds, data protection, encryption requirements (for example, whether keys must be customer-managed or held in-country), approval requirements, third-party audits, risk governance, certifications, regulator access to data stored on public cloud, etc. Public cloud strategies are global, so these regional and local inconsistencies force FIs into a fragmented architecture, increasing complexity and risk.
  • Data localization requirements (or regulations amounting to ‘de facto’ data localization) that restrict where cloud workloads may be hosted and who may own the CSP.
  • Lack of a level playing field due to inconsistent requirements for FIs, digital banks, and ‘BigTechs.’
  • Regulators’ concerns about the resilience of CSPs, market concentration, and the potential impact of a CSP failure on financial stability.
  • Hindrance to cloud adoption from at times burdensome outsourcing regulations, including complicated and lengthy regulatory notification/approval requirements.

How do we solve these challenges?

First, regulators should recognize and embrace the benefits that the public cloud can bring. They should support technology-neutral and activity-based regulation to ensure a level playing field and to support innovation and technology adoption. Second, regulators, the financial services industry, and CSPs should maintain an open dialogue to identify and resolve key regulatory issues and concerns early. Dialogue at the global and regional levels is essential to design common principles and approaches to cloud regulation that can then be implemented nationally, avoiding fragmentation as far as possible.

Finally, any regulation of FIs’ public cloud usage should be principles-based and outcome-focused, taking into account the cross-border nature of cloud and enabling the financial services industry to implement it practically. Such a principles-based approach will keep regulation from becoming stale as technology changes and avoid the need to fine-tune it or bolt on adjuncts, which leads to overly complex regimes. Regulators should also refrain from micromanaging cloud adoption and from introducing a new risk category for the cloud. Instead, they should focus on systemic issues and resilience and seek assurance through FIs’ pre-existing governance, information security, and outsourcing requirements.