Why Banks are Being Slow to Invest in Cloud Computing
We are in the midst of a new technological revolution, but its progress is being halted by outdated data protection laws, and the reluctance of governments to adapt in light of these new opportunities.
Cloud computing poses massive benefits across the board – to businesses, governments and individuals. Benefits include greater flexibility, disaster recovery, automatic software updates, greater cost effectiveness, better efficiency and a reduced environmental impact. [1] In particular, the financial services industry would benefit massively from investing in cloud computing, so that they can save the money they are currently spending on huge data centres and the staff to run them. Outsourcing customer transaction data, market information, trading data and more to a hybrid cloud, run by a public cloud provider such as Amazon Web Services or Google Cloud, but only accessible by that particular bank is arguably the best way to cut back on unnecessary expenditure.
Naturally, the data that banks handle is very sensitive, either regarding the individual customer’s financial information, or traders’ operations. If compromised, this could present a massive threat to the bank, and may even cause it to collapse, hence the reluctance of some banks to outsource their data. However, the cloud providers are likely to spend more on security, as this is one of their main business areas!
Unfortunately, a lot of countries have very outdated data protection laws, which specify that banking data generated in that country must remain there. This means that even if big banks wanted to outsource their data to the cloud, a lot of them would be unable to do this at all, or would at the very least lose a lot of the benefits of doing it, as they wouldn’t be able to transfer it across borders.
One example of this is the Swiss. Credit Suisse (the biggest bank in Switzerland) generates 2-4 GB of trading data/minute (10 million trades/day). On top of this, the bank processes 10-20 million market updates/minute, meaning it has a (constantly growing) annual data store (replicated globally) of over 10 PB (1 million GB) [2]. This requires large data centres all over the world, and hence a lot of expenditure! As such, Credit Suisse are keen to outsource their data to the cloud. Unfortunately, Swiss data protection laws state that all Swiss banking data must remain in Switzerland [3], meaning that a lot of the benefits to outsourcing to cloud are lost. However, the Swiss government have been re-evaluating their data protection laws over the past 12 months to provide more leniency with regard to this, but the overhaul is an evolution, not a revolution. [4]
Despite these hindrances, progress is being made, as is evidenced by the Swiss law changes. Yet, more progress needs to be made, and quickly, so that proper security regulations can be put in place surrounding sensitive outsourced data.
A good example of progress is that the CIA have been outsourcing some of their data to Amazon’s cloud [5]. Obviously, CIA data is highly sensitive, so this commitment should indicate to other organisations that it is a safe and smart thing to do – the Agency is leading by example! Of course, there were many critics to this move, but over time, we should expect to see these critics dwindle in number, as cloud computing becomes safer and more popular.
References:
[1]: www.skyhighnetworks.com/cloud-security-blog/11-advantages-of-cloud-computing-and-how-your-business-can-benefit-from-them/
[2]: www.credit-suisse.com/ch/en/your-careers/recruitment-technology-microsite.html
[3]: www.admin.ch/opc/de/federal-gazette/2003/2101.pdf
[4]: iapp.org/news/a/revision-of-the-swiss-data-protection-act-evolution-but-not-revolution/
[5]: www.theatlantic.com/technology/archive/2014/07/the-details-about-the-cias-deal-with-amazon/374632/
Further reading: info.skyhighnetworks.com/rs/274-AUP-214/images/WP-Cloud-Adoption-and-Risk-Report-Q4-2016.pdf
Image: http://electronics.howstuffworks.com/tech
10 comments on “Why Banks are Being Slow to Invest in Cloud Computing”
Comments are closed.
I think this is a very interesting argument that you’re making. Certainly there are many benefits to outsourcing public cloud service as having a single entity, such as the Credit Suisse Bank you mentioned, having to manage huge amounts of data on their own is not a viable option. I think that right now, however, there is reason for large companies, especially banks, to be speculative of these public cloud services as the data they are handling can be extremely sensitive and often using public cloud services allows these cloud services to gain rights to access the data. So although there are certainly many benefits to using public cloud services it is understandable why companies who deal with sensitive information, like banks, would not be as open to outsourcing to public cloud services as they would not want third parties to have access to the data.
It’s interesting to note how banks are actually getting on board quickly with cloud computing today. While some financial services provided by banks involve a lot of data that needs to be protected at all costs, there is a whole other side to banking that will thrive by implementing cloud computing as a resource. Banks today are making the most of this age of cloud computation by introducing hybrid clouds into their business models. While the storage of sensitive data about customer accounts are better of being on private cloud hosted internally by banks or financial services organizations, it is extremely beneficial to use public clouds through the likes of AWS and others to facilitate faster, flexible, and more efficient computing.
The banking industry’s biggest obstacle to transferring completely to the cloud is because of most countries’ laws that demand that data storage needs to be carried out within the country itself. However, a smart move by AWS is how, today, they are currently expanding and setting regional offices all over the world to work around this legal obstacle. For example, in India, Amazon Web Services opened shop a year ago and is currently tying up with banks all across the nation as their cloud provider. Banks today are choosing to implement a hybrid cloud structure to reduce their dependence on hardware, while simultaneously ensuring in-house control of their data.
What is still currently unsure is the cost structure of such cloud computing services. Is it more cost effective for banks and financial services companies to outsource their data storage and computation completely to the likes of AWS or are these services going to cost the same as investing and managing their own servers? While it is clear that the only way to more efficient computing is through investing in the cloud, the value of using the cloud for storage from a cost perspective is still uncertain. Another point to keep in mind is that while banks realize that investing in the cloud is the natural next step, this move is going to take time because of the billions already invested in constructing and managing their own infrastructure until now.
Agree with this entirely. As Sanukta suggested if AWS makes their services available in the right jurisdiction then maybe that addresses part of the problem. Those types of banks are Global and a lot of their static and market data is global too. Whilst transactions can be linked to one location what do we do about data that everyone should access (e.g FX Rates)?
Very interesting article Chris! I would also point out that the general IT of banking services is so heavy and holds so much technical debt that it is hard to make such a great move. Programmers do not necessarily fantasize on working in the banking industry, the turnover in their teams is quite important, the management is not agile and this leads to many layers in the way that their technical foundations is structured. We could maybe think of a new type of organizational behavior for their IT team that could lead to a more dynamic and clean advancement?
Users who have LIKED this comment:
Let me comment about data protection and classification of bank data because my background is bank technology.
Two years age, I did a survey about data protection of almost all G20 countries; our team found three types. Fist type is to protect data which has originated within a country: for example, France and German. Second is not to regulate intentionally: U.S.A. and U.K. This is probably to maintain its position as a financial pivot. Third is simply yet to make laws: some ASEAN countries.
To manage data centrally, banks have to submit SLA (Service Level Agreement) to regulators. Outsourcing data is more difficult because this needs third-party-agreement. As a result, banks are required to commit data security although third-party-vendor, which actually stores data, is uncontrollable for banks. If third-party-service fails, it is banks which have to pay huge fines. This is why banks hesitate to outsource data.
Next, it is useful to classify “data” rather than using a single term. Basically there are three types. Customer data of corporate, customer data of individuals and non-customer data. Individual data always has the strictest regulations. Market data (not transaction records) is public and categorized into non-customer data.
In my opinion, banks will start outsourcing “non-customer data” first, which is less important but huge. After validating availability of cloud, they will outsource corporate data and lastly individuals data. Or, banks will use cloud just as a platform of application and will not outsource customer data itself. In this case, cloud processes customer data as encrypted information.
Because of the nature and sensitivity of bank data, and all the privacy concerns; my suggestion is they should adopt a private cloud instead. Thy could lease the infrastructure privately and ensure that the terms and conditions of the privacy and location of data are met. With a good agreement contract and clearly stated consequences of breach of data migrating to the cloud will be made easier. I think service providers would be open to discussions about this, and if they really want the tender, they can meet these conditions.
I would think of the recent pace in adopting cloud for financial industry has been picking up lately. Most of the financial institutions in US are entering into a partnership model with cloud provider for a cloud-based offering to support enterprise services. These kind of efforts are helping to migrate data from a traditional infrastructure to a virtual infrastructure and speed up the strategy of digital advancement through partnerships with fintech companies in the near future.
Its true that cloud computing can provide many useful aspects for Banks, making it more accessible and cutting the costs while ensuring that the organisation can still operate efficiently. However, i agree with Patricia, due to the sensitivity of the data related to banking, there are always risks such as hacks or breaching of data. For a Bank to be able to make the big jump to cloud computing, they must first ensure the privacy and safety of the data stored in cloud as loosing this sensitive data to others could prove to be a massive problem for both the organisation and its customer base. Using private cloud that is specific for an organisation could help to reduce the risk.
This is a very interesting conversation. I find Alexandra’s point quite interesting (banks are not attractive for programmers). That might very well be. Still, the finance industry as a whole seems to be of interest to entrepreneurs and programmers. In Zurich alone, the home base of the bank mentioned in the blog, Credit Suisse, there are well over one hundred fintech start-ups and the number raises month by month. Actually, in preparation of the technological change big banks and insurances are trying to foster this fintech ecosystem.
Still, as mentioned several times in the comments, laws and safety concerns are preventing financial institutions from moving faster. Especially moving to the cloud. Talking about the security and privacy of data, we have to be more specific. Because the risk is not only an intrusion by hackers. The privacy of customer data is also jeopardised if other parties, like intelligence services, gain access to it. Therefore, the comparison of Credit Suisse vs. the CIA moving to the cloud seems rather paradoxical.
Thank you all for your feedback! It’s interesting to hear all of the discussion for/against different cloud types. For me, hybrid cloud presents an exciting opportunity to harness public cloud and its benefits for non-sensitive data (e.g. market information), whilst maintaining the security that comes with private cloud for sensitive data.
In response to Samuel’s point – the mention of the CIA’s outsourcing of data to loud was simply to point out that it is possible with sensitive data. However I hear where you are coming from! The conflict of interests between banks and intelligence agencies is an important debate at the moment. In fact, it is believed to have been this conflict that drove Switzerland’s data protection overhaul – to provide more transparency to help stop tax evasion!