Is It Getting Cloudy in Banking?

Following on from the Cloud Banking Europe event a few weeks back, we thought a brief article was needed to get the message to a wider audience. The main theme of the seminar was Regulation and Compliance, aiming to explain cloud within the industry. However it was apparent that within the broad group of attendees there was a lack of understanding of IT governance rules and regulations within the industry.

I personally thought that some of the discussions were out of date due to the fast paced cloud environments changing on a monthly basis. The two main regulators in the financial industry are the PRA and the FCA.

The Prudential Regulation Authority (PRA) is a part of the Bank of England and ‘is responsible for the prudential regulation and supervision of banks, building societies, credit unions, insurers and major investment firms. It sets standards and supervises financial institutions at the level of the individual firm.’

The Financial Conduct Authority (FCA), formally the FSA, is a financial regulatory body in the United Kingdom, but operates independently of the United Kingdom government, and is financed by charging fees to members of the financial services industry. The FCA maintains the integrity of the UK’s financial markets and focuses on the regulation of conduct by both retail and wholesale financial services firms, with a consumer focus.

Over the two days a varied selection of speakers were present, together with vendor exhibitions in the main foyer. It was interesting to see and talk to vendors that are working within the financial services space and listen to their view on what drives banking tech to the cloud and also what is hindering adoption. The general consensus is three fold.

• Speed
• Resiliency
• Security

These points are extremely important in any industry moving to a centralised outsourced model, however even more so for the financial industry. So, lets discuss each one in more depth.

Speed (low latency)

Whilst this is extremely important within any market sector adopting cloud principles, within the financial sectors this is critical. With the complex trading systems and principles within each asset class of the banking world (commodities, futures, forex etc that are very fast flowing), a few milliseconds time delay is disastrous. For other asset classes such as fund management this time delay is not so critical.  Fast links to exchanges are key for fast order routing and this is the mainstay for any financial order routing connectivity. However this does depend on how and the frequency of trading for any given firm.

Resiliency

Part of the regulations that authorised firms need to comply with is Disaster Recovery. As part of FCA adherence, this is a main point and should be taken very seriously. Hosting with a cloud provider does not automatically give you Disaster Recovery, you have simply moved your infrastructure to someone else and now your technology abides by their own procedures and policies. This is a misconception that many firms fall foul of and unless you state what you want in regards to Disaster Recovery, you will be unpleasantly surprised! Although the FCA guidelines are stated very clearly in a very large handbook, the actual policies are very difficult to understand, unless you are from an IT and financial business background, which is very rare.

Security

Again, this is paramount for any firm moving to a cloud-centralised infrastructure (even more so in a hybrid example). With over $3 trillion generated from cybercrime, this is more than all of the drugs traffic trade globally and it highlights the incredible scale of fraud. There are best practice guidelines demonstrated within the FCAs handbook for regulated firms however this can be hard to implement if your cloud provider does not understand the specific security governance from your regulator, and lets face it its not easy to understand even if you are from that market sector let alone if you are a cloud provider that’s services every industry.

So, from a compliance point of view IT governance for the banking industry is an absolute nightmare and requires a lot of thought and planning.

Some of the main points highlighted within the FCAs manual for guidance include:

• IT Governance and Strategy
• Risk Management
• Information Security and controls
• Security Practices
• Logical Access Security Administration
• Security Monitoring
• Business Continuity Planning and Disaster Recovery
• Offshoring/Outsourcing

As an example, take this question set out within the FCA working manual (and this is only one heading within outsourcing).

A common platform firm must in particular take the necessary steps to ensure that the following conditions are satisfied:

1. The service provider must have the ability, capacity, and any authorisation required by law to perform the outsourced functions, services or activities reliably and professionally;

2. The service provider must carry out the outsourced services effectively, and to this end the firm must establish methods for assessing the standard of performance of the service provider;

3. The service provider must properly supervise the carrying out of the outsourced functions, and adequately manage the risks associated with the outsourcing;

4. Appropriate action must be taken if it appears that the service provider may not be carrying out the functions effectively and in compliance with applicable laws and regulatory requirements;

5. The firm must retain the necessary expertise to supervise the outsourced functions effectively and to manage the risks associated with the outsourcing ,^5 5and must supervise those functions and manage those risks;

6. The service provider must disclose to the firm any development that may have a material impact on its ability to carry out the outsourced functions effectively and in compliance with applicable laws and regulatory requirements;

7. The firm must be able to terminate the arrangement for the outsourcing where necessary without detriment to the continuity and quality of its provision of services to clients;

8. The service provider must co-operate with the appropriate regulator and any other relevant competent authority in connection with the outsourced activities;

9. The firm, its auditors, the appropriate regulator and any other relevant competent authority must have effective access to data related to the outsourced activities, as well as to the business premises of the service provider; and the appropriate regulator and any other relevant competent authority must be able to exercise those rights of access;

10. The service provider must protect any confidential information relating to the firm and its clients;

11. The firm and the service provider must establish, implement and maintain a contingency plan for disaster recovery and periodic testing of backup facilities where that is necessary having regard to the function, service or activity that has been outsourced. 

Confused? I am guessing you are! Now lets add in a hybrid approach where more than one service provider will be involved – how on earth can you achieve the appropriate governance when various cloud providers are being utilised.

My vision for banking and technology in the future (specifically cloud) would be one of more automation as this is much easier to regulate. This coupled with the correct education and guidance on cloud technologies from the regulators themselves, which I think is a must. The current rules and governance set out from the governing bodies has not changes since 2008 (pretty much the birth of cloud) and desperately needs addressing.

However with this said, we have been invited to two separate seminar days based at the FCAs premises to discuss these issues and to provide input on potential changes moving forward.

If cloud has a major part to play in the banking world it is imperative that the governing body should provide the correct advice on the technology utilised with the corresponding governance. At the end of the day, the regulator is funded wholly by the fines it distributes amongst its member firms. To me it seems unfair that a firm should suffer a fine from the governing body who regulates their understanding of the cloud technology, when the regulator itself has a lack of technical understanding.