Financial institutions are adopting cloud as part of their IT infrastructure, especially in their public-facing services.
It makes sense. Cloud services are great at Internet-facing service delivery. This approach offloads a significant load of technical weight to the hyperscaler, while offering a high level of security and third-party certification.
But, when we look at all the other supporting services and back-end systems, there are struggles to continue the cloud journey – in part due to financial services compliance considerations.
Why is this? And how can it be addressed?
1. What’s slowing things down?
The reasons differ per organisation, but we see some common causes.
Those front-end services that often serve as a flexible interface between the customer and the other systems are easier to deliver in cloud, whereas the supporting services and backend systems store and process the actual client and financial information. And there are onerous financial services compliance considerations here, because these types of information are heavily regulated by authorities (so harder to deliver in cloud).
Coming from a risk-averse background and a solid base in traditional, data centre-oriented IT, financial institutions struggle to assess the impact and risk of moving those types of data to the public cloud. And even if they take the first hurdle of assessing the need, the next challenge is actually seeing through a proper cloud migration.
2. The hidden dangers of lift and shift.
Being risk averse, it’s tempting to treat cloud merely as a more flexible data centre. So many financial institutions just lift and shift (rehost) their IT infrastructure into cloud - as lift and shift is the easiest way to keep using the same security approach as with the previous data centre setup.
Being risk averse, it’s tempting to treat cloud merely as a more flexible data centre. So many financial institutions just lift and shift (rehost) their IT infrastructure into cloud.
It’s easier to explain for those responsible for cloud implementation when they have to report to internal (often siloed) stakeholders or supervising authorities. These parties often struggle to fully understand true cloud or true cloud-native security.
Because of this, they tend to hold back any cloud innovations beyond rehosting. Combined with risk-averse behavior, this slows down cloud migration and innovation, as they see no real advantages beyond (maybe) lower costs.
The problem financial institutions face is that the lift-and-shift approach cannot leverage the flexibility and agility of cloud. Sure, it creates a stable, approved de facto situation that most people seem to understand. But it removes the opportunity to digitally transform further, bringing the cloud journey to a grinding halt.
But it doesn’t have to be like this. We’ve seen fintechs make cloud-driven financial services possible.
So, what should the traditional big banks and financial organisations do to reboot their cloud journey?
3. Let’s get to the heart of it - those regulatory challenges.
The thing that makes this industry one of the most complicated to migrate to cloud is the financial services compliance landscape. There’s no getting away from it. The financial sector needs to comply with all the usual privacy regulations like GDPR, cope with complications like Schrems II when processing privacy data outside the EU, whilst addressing the sentiment of the public not to put all privacy data in the hands of the hyperscalers.
Plus, they need to comply with financial regulations coming from the EBA as well as taking local specifics into account. And on top of that, for critical infrastructure like financial services, DORA regulations are coming, which are even more strict and extensive.
And although times are gradually changing, the majority of the financial services compliance frameworks and standards are still based on traditional IT infrastructure using a data centre setup, firewalls, DMZs and other non-cloud technologies.
4. Why is it so hard to get right?
Depending on the (internal and external) stakeholders’ and auditors’ knowledge and experience with cloud and the shared responsibility model, this complicates cloud transformation.
The controls in the rules and regulations regularly need to be translated into a cloud context, which can result in fierce discussions due to lack of cloud knowledge.
And, especially in big financial institutions, the different stakeholders that need to be involved in the cloud journey are often siloed into different teams with their own needs to address.
The controls in the rules and regulations regularly need to be translated into a cloud context, which can result in endless discussions due to lack of cloud knowledge.
This results in different viewpoints, which tend to block the cloud journey because of the risk-averse behaviour of those stakeholders.
And cloud is often treated as a special case within the IT services portfolio. This is caused by the way cloud grows into the organisation, starting off with a small initiative, growing to deliver some specific services, but not integrating into the proper IT or business processes.
Especially when looking from the perspective of financial services compliance, the cloud management processes need to be integrated properly in IT management and the GRC processes.
5. How do you win with financial services compliance and cloud?
Taking this into account, this is what we recommend you do when you want to start or reboot your journey into cloud, keeping financial services compliance front and centre:
1. Manage cloud knowledge.
If you want to use cloud, you need to understand cloud. And this is not only applicable to the engineers working on cloud, but also for the compliance, security and risk officers who need to manage and approve financial services compliance, security and risks of cloud usage.
2. Understand shared responsibility.
Managing cloud is all about shared responsibility. The cloud service provider will provide you with a high level of inherent security guardrails to support your financial services compliance, but they’re useless if they aren’t properly configured and maintained.
And this needs to be done in context of the processes running in cloud and information being processed in cloud, within the boundaries of the compliance, security and risk policies. You need to manage the entire stack in alignment, not as individual layers.
3. Integrate your cloud.
Cloud is not different, cloud is not special and so cloud must be part of your IT services portfolio. It needs to align with your financial services compliance, security and risk demands, just like your data centre, your laptops or the offices you are using. So you need to integrate your cloud management processes within your IT management processes, which must align with your business processes.
This requires effort. Cloud asset management is not the same as traditional IT asset management. Cloud security is not the same as traditional IT security. But there’s no way around it - it must be done if you want to make your cloud journey successful.
4. Align your stakeholders.
The topics of financial services compliance, security and risk often fall among different teams, residing in different parts of the organisation, having different concerns. If you bring the different stakeholders together, having the proper understanding of cloud and shared responsibility, you’ll see that those differences will align and reboot your digital cloud journey.
6. Maybe you need a little help with financial services compliance to drive your cloud journey?
If you’re a financial institution and you’re struggling with your cloud journey, we can support you. We’re cloud natives, with strong experience in the financial sector, meaning we know how to translate regulatory requirements into cloud-specific financial services compliance frameworks or technical requirements.
If you’d like help with your Governance, Risk Management and Compliance (GRC) specifically, our Cloud Risk Pathfinder workshop is aimed at finding the blockers and aligning your stakeholders to reboot your cloud journey. And our GRC maturity assessment will give you an elaborate understanding of your cloud GRC status then provide you with a roadmap on how to best continue your cloud journey.
We can also give general guidance with our cloud advisory services, map out and deliver a skills roadmap with our in cloud training specialists or manage change with our transformation offerings.
Are you set up for digital resilience in the cloud?
For financial services, basic continuity planning has always been part of keeping up with regulations.
But two factors are driving business continuity up the agenda for FSI right now:
- The current geopolitical instability in Europe
- New regulations like DORA and NIS that require businesses to leverage digital technologies like the cloud to keep running in the event of a disruption or emergency
We have a cloud-based strategy to achieve business continuity - helping you use cloud to safeguard critical data and keep essential services running during disturbances.
Get in touch.
Sander is standing by to help your organisation with financial services cloud compliance