Concerns remain over how to meet strict requirements regarding regulatory, risk compliance and data-sharing issues. But the adoption of cloud has gone from a position where it was seen as being too risky, to where it’s almost too risky not to adopt as part of an overall IT strategy.
The benefits cloud can bring are many. The migration of products and services from legacy infrastructure to cloud-based systems will cut costs by reducing the heavy investment needed for traditional IT infrastructure with its dedicated hardware, software and related manpower.
The flexibility and scalability of cloud-based systems gives banks the ability to respond quickly to market conditions and customer and technology needs, while closer alignment of technology and business operations increases efficiency. It’s also much easier to launch new and bundled products and services.
Our financial services clients tell us there are still hurdles to overcome and the formation of a working group between Pinsent Masons and the British Banking Association (BBA) has resulted in Banking on Cloud, a report which identifies seven of those hurdles.
One obstacle is the requirement of financial services businesses to have appropriate regulatory oversight over the cloud supply chain. From a legal and commercial perspective, the issue of understanding who the cloud provider’s supply chain is and how the bank can have appropriate oversight is a difficult issue.
Financial Conduct Authority (FCA) guidance provides some clarity on this and focuses on the definition of regulated activity. Uunfortunately the guidance does not go far enough to provide transparency on what that actually means. It seems to me that the issue is the grey in the middle. By that, I mean some services are very obviously not related to regulatory activity. At the moment there is a great deal of onus on the bank as the regulated entity to make that call, and that feels risky.
Banking on Cloud recommends that the working group should establish best practice guidance. Undoubtedly, pooling the different voices of regulated entities and combining their knowledge and experience is to be welcomed, but I think it is important that the regulator is also looped in to that process in some way.
The extent to which the regulator wants to be involved requires to be defined – it may be taking cognisance of what is agreed by the working group and updating FCA guidance, or perhaps contributing to the code of practice. However, I feel that, without the regulator’s involvement, there is the possibility that the financial services sector will not have a sense of a “stamp of approval”, and full-scale adoption of cloud will still be viewed as a risk.
It will also help to have financial services businesses and cloud-providers work together and describe in detail the arrangements being put in place. This dual perspective would be a powerful tool in taking things forward. Another point raised in the report is to ask if the cloud service providers are doing enough to help banks or other financial services get comfortable around the supply chain. Our discussions with cloud providers suggest that they are willing to support initiatives which will provide more clarity in terms of information which satisfies regulatory requirements in relation to supply chain.
It is only a combined effort of BBA members and other stakeholders, allied to engagement from cloud-service providers – with regulator involvement or better still buy-in – which will produce a pragmatic solution to the hurdles in the way of reaping the significant benefits that cloud can offer to banks and their millions-strong customer base.
• Yvonne Dunn is head of TMT (technology, media, telecommunications) at legal firm Pinsent Masons