By Kannan Agarwal

Cloud computing has been heralded as one of the game-changing technologies for business.

The Bank of England’s (BoE) Future of Finance report in June 2019, citing data from McKinsey & Co, indicates that adoption of cloud technology could cut bank costs by 30% to 50% and “firms should be able to benefit from the agility, cyber security and platform for innovation that this technology offers”.

Companies that have switched to the cloud are reaping the benefits – higher productivity, lower cost, improved time-to-market, and enhanced security. But financial institutions have been slow on the uptake.

Cloud What?

The ‘cloud’ is a metaphor for the Internet. Cloud computing is the outsourced, on-demand delivery of IT resources – servers, storage, databases, networking, software, analytics, and intelligence – over the Internet and clients are billed on a pay-as-you-go basis.

For non-techies, the term ‘cloud computing’ is a bit of a misnomer. Far from being an intangible space where data is hosted, operating a cloud infrastructure requires high-powered servers with risks similar to those of any other IT infrastructure. What is different is where the servers are located (on site vs. off premise), its architecture and how cloud servers communicate.

There are three types of cloud:

+ Public cloud: Infrastructure that is available for use over the Internet; it exists on the premises of the cloud provider. Organisations as well as individuals can procure public cloud services from third-party providers without having to invest in the hardware or management and maintenance of the system. With a public cloud infrastructure in place, applications can also be deployed and scaled much faster. As long as there is Internet connectivity, every employee can access the same application anywhere in the world using their device.

+ Private cloud: Designed for a single organisation or specific community, the infrastructure may exist on or off premises. Other interchangeable terms are ‘internal cloud’ or ‘corporate cloud’. Through the use of firewalls and internal hosting, a higher level of security and privacy can be achieved, ensuring data and ongoing operations are secure and not accessible by third parties, including the vendor. It is similar to managing a traditional data centre in terms of headcount, management, accountability, and maintenance schedule.

+ Hybrid cloud: A combination of private and public cloud infrastructure,  which allows data and applications to be shared and segregated. The public cloud stores basic data and applications whilst the private cloud retains security over sensitive data and mission-critical applications. Its main advantage is ‘cloud bursting’, i.e. a configuration to cope with spikes in private cloud processing demands, such as during Covid-19 when remote work access became an overnight necessity for many. When the demand for private cloud applications exceed 100% of its capacity, the overflow traffic is directed or ‘bursts’ into the public cloud to ensure uninterrupted services. Once peak demand subsides, traffic flow reverts to the original configuration.

Gaining popularity is the multicloud, which is sometimes confused with hybrid cloud although the two are different. Multicloud is a strategy which involves subscribing to multiple public cloud services from more than one vendor and is deployed for a variety of reasons – as a risk mitigant in the event that demand may overwhelm a single provider; geographic requirements to deploy resources in several regions; to maintain resiliency, i.e. the ability of the system or data centre to recover quickly from a disruption (power outage, equipment failure, or security breach); or avoid vendor lock-ins.

Service offerings on the cloud are classified as follows:

Infrastructure as a Service (IaaS)

The fundamental computing hardware – servers, networks, software – is delivered as a service over the Internet by a cloud service provider. The client does not manage or control the cloud infrastructure but does have control over operating systems, storage, and applications.

Platform as a Service (PaaS)

A platform such as an operating system and other services which is delivered over the Internet. Unlike IaaS, users can subscribe to immediately use applications but will have no control over cloud hardware.

Software as a Service (SaaS)

Provides the capability of running providers’ applications on a cloud infrastructure. The applications are accessible from multiple devices (e.g. web browser, mobile phone) or a programme interface. Users do not manage or control any part of the infrastructure or application capabilities except for certain application configuration settings.

Function as a Service (FaaS)

A relatively new product, FaaS is the capability to deploy codes (i.e. functions) on a cloud infrastructure. Also known as ‘serverless computing’, developers install a code or function on the cloud platform, which will only be activated when there is a demand by the user. When there is no demand, the server process is idle. The automatic scaling lowers cost as clients are charged only for resources used, not idle time.

Not ‘If’, but ‘When’

Like all businesses, banking is under significant pressure to introduce digital capabilities. A cloud-based infrastructure is critical for enabling such digitalisation.

However, Accenture’s 2018 Cloud Readiness Report, a survey of 35 retail banks, indicates that many banks have not laid the foundation for a rapid and orderly transition to flexible cloud-based systems:

  • 53% of respondents believe cloud-based technologies are having the biggest impact on improving the operational efficiency of their industry. Despite this, 63% do not have a cloud roadmap and key performance indicators to measure progress.
  • 43% of banks say they do not have a cloud strategy or have only started to implement basic cloud practices.
  • Whilst 83% of respondents say that information technology (IT) has had “preliminary” or “thorough” discussions with business units about cloud strategy, two-thirds say that fewer than half of their lines of business are currently using cloud.

Although the leap is inevitable, the business case for banking is inherently more complex. The cost-benefit analysis includes trade-offs that are largely unique to financial institutions:

> Integration with heritage systems: The investment (cost, infrastructure, reskilling) to transition from legacy to cloud technology is significant for banks which have spent decades maintaining and upgrading IT infrastructure as well as acquiring staff with the requisite skill set.

> Cost savings: It’s a misconception that moving to the cloud will translate into tangible savings in all cases. Depending on the cloud architecture (most incumbent banks operate on either a private or hybrid cloud; challenger banks have the advantage of being cloud native from onset), there may be little difference between the cost of operating a private cloud and maintaining private servers in a typical data centre. A recent Forbes article, Banks’ Inevitable Race To The Cloud, quotes the CEO of a credit union: “It’s a myth that it’s cheaper. We’ve found that sometimes it’s more expensive than what we can do for ourselves. But it makes you spend what you should have been spending all along. Do it because simplifying the environment makes it easier to scale.”

> Business continuity: Customer expectations have evolved. Banks are no longer benchmarked against their peers but against tech giants such as Google, Amazon, and Facebook to provide near-instant, on-demand banking services with no scheduled downtime. Delivering the optimal customer experience is necessary for banks to remain relevant, even if the numbers don’t always stack up in the near or medium term.

> Regulatory compliance: Financial firms insist that they lack clear regulatory guidelines as to which critical services might be outsourced to the cloud, reporting requirements and anticipated oversight from authorities. A survey by fintech Finastra reports 43% of UK firms cite complex regulatory requirements as a key barrier to adopting new technologies, including cloud.

> Security: There’s been a discernible shift in security concerns. When cloud technology in finance was floated circa 2013, banks’ foremost concern was about data security in the cloud. Cloud providers today have allayed fears with multiple resiliency measures, such as data spread across multiple geographies for disaster recovery and superior threat management capabilities. The BoE’s own fieldwork suggests that the cloud could enhance cyber resiliency, especially in smaller financial firms which invest less in cyber defences. The more pressing security issue today, as Bill Glasby, Chief Technology Officer at Heritage Bank, succinctly puts is the “operators’ ability to configure the tools. The problem is that it’s all home-brew today.”

Fortunately, for banks embarking on a cloud strategy or still in ‘science project’ mode, there are several independent guides as reference: The European Network and Information Security Agency’s Cloud Computing: Benefits Risks and Assessments for Information Security manual remains a detailed, if slightly dated, guide for preliminaries; whilst the International Institute of Finance’s three-part Cloud Computing in the Financial Sector series advantageously highlights multiple risk perspectives in banking environments.

Stereotypes are Easy but Expensive

Financial market players must be vigilant of in-built prejudices, especially when it comes to technology. Losing out on an opportunity can be as costly as an unimpressive quarter.

Jessica Lam, Head of Strategy at WeLab, which operates one of the first virtual banks established in Hong Kong, shared her team’s experience during a Refinitiv-hosted online forum.

“Prior to us applying for the virtual banking license, we sat down and thought about how we were going to assign this tech stack (the set of technologies an organisation uses to build a web or mobile applications).”

The team proceeded to scope out a multicloud deployment system and spoke to a couple of reputable consultants in the market. She said: “They came back and proposed that we should have a main server hosted on the cloud and the backup should be a physical server, as in hardware. My team fell off their chairs…then we [also] heard this from multiple vendors.”

“Their rationale was not because of a capability issue, but they understood that [it] was what the regulator would be more comfortable with. That was their perception of the regulator.”

Lam and team decided against it. In their opinion, it was not the way to build a bank for the 21st century. Instead, they put forth their initial idea to the regulator and clearly outlined the benefits of a cloud platform in their proposal. Today, WeLab deploys a multicloud infrastructure and tech stack.

“There is a lot of misconception about regulators,” says Lam, “in terms of what they’re receptive to. Simply because it hasn’t been done before, doesn’t mean that they’re not willing to accept it. You just need to know how to talk to them in terms of showing them the pros and the cons and make them feel comfortable from a security standpoint.”

A cautionary tale, perhaps, for banks to get out of their own way.

Milestones and use cases of banks leveraging cloud computing

  • March 2019: UOB becomes the first organisation in Southeast Asia to adopt VMware Cloud on Amazon Web Services (AWS) for the bank’s hybrid cloud infrastructure as a “fast and cost-effective way to migrate mission-critical applications, or even entire data centres, to the cloud”. Jointly engineered to comply with UOB’s security requirements, this allows the bank to deploy applications with robust disaster protection and optimised access.
  • December 2018: Bloomberg reports that UBS Group AG signed a deal worth hundreds of millions of Swiss francs to use Microsoft Azure Cloud Services to reduce costs while complying with strict Swiss privacy laws. The Swiss bank would begin to store data at Microsoft’s secretly located, purpose-built facilities near Zurich and Geneva and scale back its own 25 data centres over the next four years.
  • A global financial services firm began using a PaaS private cloud five years ago. It evaluated public cloud providers in 2016 and currently has two wholesale trading apps on a public cloud.
  • A leading investment bank has been using a public cloud provider for regulatory reporting solutions. It is conducting pilots with two vendors for a cloud-based IaaS solution.
  • A major bank in North America currently is on a private cloud and getting its feet wet on public cloud, primarily using SaaS and IaaS. The bank expects to be multicloud in the next four years.

Kannan Agarwal is a researcher with Akasaa, a boutique content development and publishing firm with presence in Malaysia, Singapore, and the UK. His focus is digital content and Big Data analytics.