Security isn't banks' only hang-up about moving to cloud

Some banks are moving quickly to the cloud, but for many others the decision to relocate applications and data there is not simple.

A recent survey conducted by Refinitiv found that Wall Street banks’ investments in the public cloud will account for 48% of tech budgets in 2020. These banks and others are aiming to save money, pay only for the computing resources they consume and let a cloud vendor handle their spikes in volume.

But they have to contend with a growing array of governance and compliance concerns. Some regulators’ words and actions have upped the ante.

Equating cloud computing, outsourcing

Regulators have recently been equating cloud computing with outsourcing, which gives some bankers angst because it means they would still be liable for mishaps.

“Even if you have identified who has responsibility for what controls, you’re still outsourcing your services and your control of that data, and the firm is still going to be responsible,” said Salvatore Montemarano, a senior examiner at the Securities and Exchange Commission. He is one of several federal regulators who have said banks will be responsible for any data breaches at cloud providers they use.
A compliance executive at a global U.S. financial institution backed up the notion that if you go to the cloud, you are outsourcing and still responsible.

“You are accountable for the data, for the processing that happens and anything that goes wrong in the cloud,” she said. “If it doesn’t work, you can’t say, 'I’m sorry, it’s my service provider not working today.' No, it’s you. Anybody using an external service provider, cloud or anything else, you have the accountability to your customers that it is as secure and as reliable as on-premise.”

In some jurisdictions, that means regulators have the right to approve any moves to cloud computing. Such approvals can take 90 to 180 days, which in the world of agile computing is an eternity.

“There is a saying, it takes a village,” she said. “It feels like it takes several nations to come together and get you to the cloud.”

Data 'residency'

The compliance executive at the global bank said data residency — the physical location where information is housed — is a big issue for cloud computing. Global banks have to be hyperaware of data privacy and security regulations in each country.

“Can you actually move the data to the cloud where the cloud is located?” she said. “Because cloud doesn’t mean the data flies around anywhere and is easily blown away by the wind like a real cloud is. It still physically materializes itself somewhere. There are people who have physical access to that data, and some people in Europe don’t like that the U.S. has access to a lot of the data in the U.S. as well as in the European data centers.”

To Europeans, privacy is a human right, she said.

“Respect that and make sure you know which databases you can’t move and how you have to anonymize data to move it,” she said.

Banks that operate only domestically do not have to be as concerned about where their data physically resides.

Scott Essex, chief compliance officer at Citizens Financial Group in Providence, R.I., said because his bank does not operate internationally, he does not have to worry as much about data residency.

“But I think these concerns and issues are converging into the privacy, cybersecurity and then the ethical use of the data,” he said.

U.S. banks are subject to data privacy regulations such as the California Consumer Privacy Act for customers in that state and the General Data Protection Regulation for customers in the European Union, wherever the bank itself is based.

“Regulators will always be focused on client-facing activities, systems and interfaces much more than any proprietary business process’s handling of data and information,” said Jonathan Frieder, compliance technology lead in Accenture’s finance and risk practice.

“If you've got customers that reside in a particular locale, where the data resides is important for understanding what regulation you may be subject to,” he said. “So even if you select a cloud provider, it's important to know where their physical data centers are — that needs to factor into the decision.”

Cloud providers typically offer data center locations around the world where data and applications can be housed. Choosing a location is part of the contract negotiation process, Frieder said.

Legacy technology

One of the largest obstacles for banks going to the cloud is their aging technology infrastructure, according to Frieder.

“I don't think you will see large financial services firms go all in on the cloud, mostly due to a lot of the legacy existing technology they have,” he said. “It's deemed as too much of a lift from a cost, resources and maybe time perspective to move it.”

Banks have to do a lot of risk assessment work before they can consider migrating to a public cloud.

“Even the most seemingly trivial technology initiatives can get bogged down and you find a lot of red tape,” Frieder said. “If you've got a 40-year-old mainframe, it might be too risky to even think about transitioning.”

Breaches not necessarily a deal-breaker

The large global bank compliance executive said security is the main thing she looks for in a cloud provider.

“We have regulators ask about the service-level agreements and compare the service providers,” she said.

The 2019 Capital One data breach, which exposed customer data the bank stored on Amazon Web Services, did put a halt to at least one large bank’s plans to shift computing to AWS. That incident stemmed from a misconfiguration in the bank's own environment rather than a compromise of the underlying AWS platform, which illustrates the shared-responsibility point regulators have been making. For many other banks, the prominent breach has not factored into their cloud decisions.

“Cybersecurity issues have become so commonplace, they’re expected,” Frieder said. “It’s not a question of whether a firm might get breached. It's a question of when. I don't think anything tends to surprise most people anymore.”
