European banks need a compliant cloud by design

By Bharat Bhushan, CTO, Banks and Financial Markets (EMEA), IBM

Today, cloud computing is not only essential to the future success of the European financial sector. It is also at the heart of the continent’s COVID-19 economic stimulus plan. However, due to concerns over regional independence and operational resilience, the European Commission (EC) fears that financial institutions critical to Europe’s success may become too dependent on individual cloud providers.

To address this problem, European Banking Authority (EBA) regulations require organizations to put in place clear ‘exit from the cloud’ strategies to ensure that data, applications and workloads can be moved quickly, efficiently and securely between clouds as needed. But with many cloud services based on proprietary technologies, vendor lock-in is a common problem.

The UK’s Financial Conduct Authority (FCA) takes a similar position. Its guidelines for companies that outsource to the cloud state that companies must ensure that they are able to terminate outsourcing plans without disrupting services or their compliance with the regulatory regime.

With the migration to the cloud set to accelerate this year, financial CIOs and CROs need support to ensure that the investment decisions they make in 2021 will facilitate the long-term portability of the digital assets needed to operate and comply with industry standards.

The importance of regional resilience and competitiveness

Partly in response to the strength of the tech sector in China and the United States, Europe is working to boost local digital ecosystems and reduce reliance on external service providers. This is important for the financial industry for several reasons.

First, Europe has a separate legal framework governing the use of data, which could put organizations at risk of non-compliance if they use foreign services operating under a different set of rules. Second, the EC is keen to ensure the resilience of organizations essential to its regional competitiveness. By locating more digital infrastructure in the region and ensuring that it is subject to local data laws, Europe is in a better position to protect key industries as they migrate to the cloud.

It is this desire to protect key industries that has guided EBA regulations for financial institutions. In any highly regulated industry, there is some risk involved in relying on third party vendors to perform mission critical functions. And in the case of the banking sector, regulators insist that companies show they have identified these risks and take action to mitigate them.

Find a cloud service partner, not just a supplier

A major concern as banks move more of their operations to the cloud is that they will become too reliant on service providers. Because of the complexity of the processes and systems involved, and because some vendors operate closed ecosystems built on proprietary technologies, it can become virtually impossible for a business to exit the relationship if that is needed at a later stage.

Depending on the amount of data involved, the type of application, and the levels of complexity and integration, migrating everything from one vendor to another, from scratch, with no pre-existing exit plan in place, could take a prohibitive period of time. It is potentially a multi-year project, and too long according to the EBA.

To avoid this scenario, you need to ask the right questions before the migration even begins. Ultimately, your cloud service provider (CSP) needs to be more than just a technology provider. They must be a true partner ready to proactively support both the migration and the larger transformation of the business.

This means selecting CSPs with a financial industry pedigree, who are part of an ecosystem of independent software vendors (ISVs) relevant to the industry and who have experience supporting organizations in highly regulated sectors.

Ideally, a CSP already works closely with regulators to proactively demonstrate the compliance of their offering. Compliance must be built into cloud platforms. In addition, the commitment to monitor the evolution of international regulatory obligations simplifies the compliance challenge for CIOs and their teams.

Compliance by design

When it comes to making it easier to move out of the cloud, perhaps even more important than industry experience is that the selected CSP adheres to design and architecture principles compatible with easy portability of data and applications. Application design, for example, can ease the process of getting out of the cloud if modern application development architectures such as microservices are used.

A cloud-native architectural approach, the use of microservices sees applications developed as a series of smaller components or services that can be deployed independently. This is in stark contrast to monolithic service-oriented architectures, where even a small change in application configuration can involve extensive and time-consuming code updates, often resulting in significant downtime.

Using this approach, European financial organizations ensure that it is technically possible to efficiently port specific components from one cloud to another in the event that an exit is required. It also makes it easier for team members who may not have been involved in the development of the original application to fulfill this requirement, as it is easier for them to break down and understand the basics of the code involved.

This ability to move components incrementally is especially important in an industry like banking where users expect and demand 24/7 availability of a range of critical applications. From balance checks to money transfers, any disruption to these services can have a huge impact on customer confidence and overall business performance.

Leave the door open for a cloud exit

Beyond optimized application design, CSP partners also need to recognize the reality of how most of the financial industry currently uses the cloud and configure their architectures accordingly. Like most businesses, the banking industry is still in the early stages of migrating critical workloads to the cloud. And the majority use a mix of on-premises, public, and private clouds from multiple vendors.

Instead of facilitating this to increase efficiency, the proprietary cloud models employed by many CSPs are becoming a hurdle for businesses to overcome. Not only do they block integration and reduce opportunities for innovation, they also limit the portability required to comply with EBA obligations.

To avoid this, banks must adopt a hybrid cloud model based on open source technologies, allowing them to run workloads, data and services in any environment, from public and private cloud to data centers and the edge of the network, regardless of the vendors involved.

This is particularly important in the European banking sector where EBA regulations specifically require organizations to use more than one provider to limit dependency and increase resilience. In this mandatory multi-cloud environment, a back-end CSP offering an open and agnostic hybrid cloud model removes complexity for banks, allowing seamless switching between services as needed.

A good example of the benefits this confers is what happens in the event of a failure. If a bank’s cloud service fails during a loan application, customer relationships will likely suffer if the service does not resume quickly.

A CSP capable of integrating, monitoring, and initiating a control framework over any cloud service, regardless of vendor, can ensure this is never a problem, automatically switching from one service to another without customers realizing there was a problem.

Looking at the bigger picture

Of course, choosing the right service is only part of the puzzle. Outside of technology, banks will need to work with their CSP to design exit strategies and run a regular testing regime to ensure that the plans are fit for purpose. It’s worth checking out the advice of the European Banking Federation’s Cloud Banking Forum, as the group has released insightful technical papers in recent months that address this topic in more detail.

Looking at the big picture for European banks, open technologies and vendor-independent clouds are not only critical to cloud exit compliance, they are also increasingly critical to the success of the business. Businesses need the freedom of the cloud to be competitive. As competitors and entire industries experiment and adopt new ways of working, interoperability, portability and reversibility are essential to the ability to innovate freely. They will be the ultimate differentiator.