Balancing the scale: cloud and regulation in the banking world

Banks have become technology companies. With massive backend infrastructure to address huge transactional data requirements, extensive operational systems, and increasingly sophisticated customer facing online or mobile portals, banks are typically first adopters of advanced technology in many regions. Some have even jettisoned bricks and mortar altogether in favour of all-digital service delivery for retail as well as investment customers.

At the same time, banks have a foot firmly planted in the old world – the financial services industry is one of the most highly regulated sectors in most developed economies. In Canada, for example, banks are subject to requirements of the Office of the Superintendent of Financial Institutions (OSFI) and the Financial Consumer Agency of Canada (FCAC), and must meeting capital framework requirements of the international Basel III Accord. By virtually all accounts, regulation helped the Canadian banking industry better weather the global financial storm. However, along with greater stability comes greater oversight, substantial audit and reporting requirements and with this, increased need for data governance, management and storage.

Roji Oommen, managing director of financial services at CenturyLink Technology Solutions
Roji Oommen, managing director of financial services at CenturyLink Technology Solutions

It is at this intersection of regulation and data systems that the dependence of financial services organizations on IT is most clear. As Roji Oommen, managing director of financial services at CenturyLink Technology Solutions observed, “Not only is banking regulated from an economic stability perspective, the IT operations of banks are also heavily regulated due to the fact that regulators understand that IT is central to the function that banks play in society.” From this follow highly detailed rules, control points and compliance standards that “very IT savvy regulators” require that bank organizations comply with: “for example, banks will have detailed guidebooks that specify how servers must be hardened to ensure there is no unauthorized access,” Oommen explained, “or how business continuity plans must be documented and what the expected transition times are [in case of downtime], as well as rules around how personally identifiable information must be stored, where encryption keys must be kept, or where data sits at any one time.” Regulators have the right to conduct security/controls audits at any time, and in addition to the increasing cost of ensuring compliance, financial institutions face significant financial or other penalty for violations. Increased cost may also occurs at the IT level through regulatory requirements for the archiving of certain data for specified lengths of time – though this may be mitigated through a tiered storage strategy, or use of lower cost storage for certain data categories.

According to Oommen, regulators allow the institutions a good degree of latitude in their choice of technology, provided compliance can be demonstrated. For the bank faced with accelerating need for infrastructure resources to support growth and/or ongoing digitization of bank processes, cloud is emerging as an increasingly attractive option. As research from the InsightaaS Technology Expenditure Assessment Model - Canada (TEAM-C), which tracks annual Canadian business IT OPEX and CAPEX trends by e-size and industry shows, like most regulated industries, banks have been somewhat slow to pick up on cloud, but there is evidence that the financial sector is becoming more active in exploring cloud options. As of 2014 (the last year for which data is available), banks allocated 5.7% of IT expenditures to cloud and related activities, a figure that is below the average for non-regulated industries (6.6%), but well above use of cloud in government and education.

A good deal of this reticence stems, no doubt, from regulatory pressures for demonstrating and reporting compliance, as shared cloud offerings may entail loss of control over data and its location. So how can the multi-tenant cloud provider address the banks’ simultaneously need for additional resources, for data governance and for the ability to demonstrate compliance through audit or other reporting means? For CenturyLink, the answer lies in a diversity of offerings. Oommen explained: “our view of the market is unique and different than some of the large public cloud providers in that we have a fully functional public cloud that is very similar to what you would get with Amazon or Azure…. If you were building a bank from scratch, you could probably leverage these public cloud resources and encrypt your data. But we think the reality for large, complex institutions is that not everything makes sense for public cloud. For a bank, regardless of the cost – even if you are talking about saving 90 percent of your run rate – there are things that you would not put in public cloud.” A better approach, he believes, is to take advantage of the flexibility offered by hybrid deployments: “the environment we offer scales from private all the way to public, and we allow the bank to decide which components of an application can sit in public, and which components need to reside on dedicated infrastructure.”

To simplify for the adopting organization, the CenturyLink platform provides a single provisioning interface, as well as the ability to dynamically move workloads between private and fully virtual environments – “we think this is a very elegant solution to a complex problem for banks, where you need different kinds of infrastructure for different categories of applications and data,” Oommen explained. This solution assumes, of course, best practice on the part of banking institution in terms of their data classification, and the security process they put into place to protect personal information. Unlike other cloud infrastructure providers, Oommen claimed, CenturyLink allows the customer to “bake in” these process into the company’s platform.

The bank’s reliance on operational automation also means that these organizations typically have significant in-house IT resources, including critical facilities operations personnel, IT administration and development talent, in addition to major IT infrastructure. Over time, banks have also evolved sophisticated, proprietary systems and applications to manage their own requirements, resulting in a form of splendid isolation that may be odd with the service model that many cloud offerings present. In outlining the value proposition of cloud outsourcing for banks, Oommen described another evolutionary characteristic of banks – namely, the fact that many of these have developed heterogeneous operating environments through acquisition, or through the creation of organizational structures that divide the business by functional area/department/offering, etc.: “they may have a hundred different servers running a hundred different versions of an operating system with 25 applications that may or may not be patched at any point in time,” resulting in increased security risk. With adoption of cloud-based infrastructure, however, the environment becomes standardized, and patching and other activities such as virtual security via NFV capability become just another piece in the cloud automation pie. In many smaller institutions – and even with some of the larger banks, Oommen argued, “your internal security controls are not as strong as what you would get from public cloud consumption.” In an increasingly mobile world, where the risky behaviour of thousands of bank service consumers with heterogeneous devices and operating systems introduces new risk, better security is an enticing value proposition.

So though banks are IT-centric, this does not necessarily mean they are immune to risk, nor impervious to the impact of rapid change in the march of advanced technology. As Oommen explained, “changes have occurred over the past ten years, or certainly within the last five, that mean all components of the IT stack are rapidly industrializing.” While a traditional view held that exceptional proficiency in one element of IT conferred competitive advantage for the business, once this capability spread across the industry, advantage evaporated and the issue became one of scale. “In the IT infrastructure space, it has become a game of scale,” he noted, “and it is very difficult for any institution, no matter how sophisticated or large, to gain competitive advantage by being very good at infrastructure.” Ergo, the better alternative is outsourcing – which allows the business to focus on areas where sources of competitive advantage continue to exist. Even if cloud is reduced to an issue of cost, Oommen argued the benefits of the outsourced model: “banks have been building out data centres over the past few years, but a modern data centre costs hundreds of millions of dollars. It might make sense for a bank to own one of these, but certainly not a dozen.” Low levels of the IT stack, i.e. infrastructure, have become commoditized, he added, so the less time and resource devoted to this, the more that is available for innovation for differentiation.

To capitalize on this potential, CenturyLink has invested heavily over the past five years to expand its legacy Savvis support for capital market businesses into the development of advanced cloud and connectivity solutions for the wholesale and retail banking industries. Key to this process has been the interconnection of CenturyLink’s cloud/data centre infrastructure with the company’s global network fabric, which ties into the three hundred or so endpoints used by virtually all exchange businesses: “any asset class, any market class in the world, you can trade over a single connection to our network platform,” Oommen explained. By linking these two strengths, then, CenturyLink has enabled not only the global routing of transactional data, but also allowed the institution to take advantage of computational resources along the way. “Not only can you trade any asset class in any market, if, for example, you wanted to price a synthetic derivative or calculate the risk of a particular transaction, there would be application infrastructure that you could invoke that allows you to run that calculation as a service and route orders directly to the exchange.”

To build and deliver specialized services aimed at the banking community, the company has engaged in acquisitions – such as purchase of the analytics firm Cognilytics – and worked with a number of development partners, including SAP, FICO (consumer credit assessment) and BSC Banks for its anti-money laundering platform. The goal is to partner with firms innovating in the financial services space, while providing infrastructure that is designed to meet the compliance and regulatory standards that the banks have to address. “We produce a certificate,” Oommen explained, “that the bank can take to the regulator, which says that the environment is operated according to the standards that the regulators publish.”

The ultimate argument for cloud in the banking world is to enable common decision science needs to be met through the standardization of banking functions, and to allow the delivery of these as commodity-based services. As example, Oommen pointed to Comprehensive Capital Analysis and Review (CCAR) stress testing required of US banks by the Federal Reserve System, where banks need to prove their loss ratio across their balance sheets in real time: “we’ve got a mathematical toolset that allows you to calculate that risk in real time across infrastructure.” For some time now, CenturyLink’s differentiation strategy in the crowded cloud infrastructure space has been expansion into specialized service areas. For the bank, this means advanced networking capability and cloud at the infrastructure level, but also tools and services that commoditize the bank’s workflow – including processes aimed at satisfying the regulator.

CenturyLink currently works with many of the world’s largest financial services firms, including:

all of Fortune’s top 14 securities firms, 28 of Fortune’s top 30 commercial banks, 10 of Fortune’s top 13 diversified financials, and 10 of Fortune’s top 17 financial data services companies.

 

LEAVE A REPLY