In digitization projects, outsourcing infrastructure to cloud service providers can be a suitable foundation for modernization. The technical possibilities have existed for some years, but banks, in particular, are skeptical, despite the technological maturity of cloud offers. Above all, the requirements of banking supervision and concerns about data security make them reluctant to take the step towards cloud banking. With the necessary compliance know-how, and taking into consideration the right criteria when choosing a service provider, the hurdles on the way to the cloud can be successfully overcome.
KPMG and Bitkom's 'Cloud Monitor 2018' study shows that IT security and compliance are perceived to be the biggest challenges on the way to the cloud. No wonder that compliance with legal requirements, such as the General Data Protection Regulation (GDPR), is the first priority for the companies surveyed when it comes to evaluating potential cloud providers. Transparency in the security reviews, and a contractually regulated exit strategy, are also very popular with respondents.
Concerning the dreaded data breaches or hacker attacks, the study is reassuring: The benefits of cloud solutions include a high level of security. A continuously updated technical infrastructure and needs-based updates of the security systems ensure that this can be more effectively guaranteed in modern data centers than with in-house solutions – especially if it is a service provider with industry-specific offers. According to the study, in the twelve months prior to the survey, there were more security-critical incidents within internal IT systems than with the public cloud solutions being used.
Which Cloud Models Are Available for Financial Institutions?
The solution options in cloud computing for banks are diverse. The Recommendations on Outsourcing to Cloud Service Providers of the European Banking Authority (EBA) define four delivery models that differ in their administrative characteristics:
- The private cloud, where infrastructure is available exclusively to a single institution;
- The public cloud, where multiple users rent flexible IT infrastructure and server capacity;
- The community cloud, an infrastructure that can only be used by a specific business community;
- The hybrid cloud, which combines several infrastructure variants.
These terms, however, do not represent a universally accepted standard in the service provider market, so it is advisable for companies to find out from the various suppliers exactly what the nature of the cloud service is, and then choose an infrastructure that suits the requirements of their own IT.
Especially banks commonly operate sensitive data and applications exclusively in a private cloud environment or keep them completely within local installations, even today. In doing so, they seek to prevent customer data from different institutions being mixed or visible to other cloud users, which would violate the rules of supervision. But even a public cloud can meet the regulatory requirements if it is multi-client capable and complies with other central criteria.
What Regulations Should Banks Take into Account When it Comes to Cloud Computing?
For banks, cloud computing implies different obligations than operating a banking platform on a local installation, since the performance of typical banking services by third parties, such as cloud service providers, is viewed as outsourcing in the legal context. Institutions such as the EBA or the German Federal Financial Supervisory Authority (BaFin) have therefore already created regulations that set the framework for cloud computing. They define, for example, the level of controls and the procedures that must be put in place as part of outsourcing the risk, and which measures are applicable in the event of an emergency.
BaFin specifies the legal context for risk management on the basis of the German Banking Act (KWG) within the Minimum Requirements for Risk Management (MaRisk) and Circular on the Supervisory Requirements for IT in Financial Institutions (BAIT). Topics that are covered in these documents are, among others, the technical organization of IT systems, requirements for information security and what constitutes an appropriate emergency concept in the case of a disruption. They also describe the requirements for outsourcing to external cloud service providers. The Compliance Controls Catalogue (C5) 2020 of the German Federal Office for Information Security (BSI) is also one of the basic guidelines when it comes to certifications for companies with high security requirements in cloud computing.
Cloud Banking and Banking Supervision
After discussions with financial companies that demonstrated the need for an official assessment of cloud computing from the perspective of the supervisor, BaFin and the Deutsche Bundesbank published an Orientation Guide about this topic at the end of 2018. It informs the market in detail about the regulatory requirements associated with the use of cloud services for material outsourcing. With this further step, BaFin wants to give companies more certainty in the application of legal requirements.
The realization of information and auditing rights for regulators and banking institutions is a crucial point in this, since the statutory requirements of supervision do not hold the cloud provider responsible, but rather, the banks directly. This aspect therefore needs to be separately addressed in the agreements between supplier and bank. It includes, for example, full access to the provider's premises, servers and data centers for on-site audits. These examination rights may not be contractually limited by measures such as graded examination procedures or standardized audit reports. Also, certificates or other proofs do not legitimate the refusal of the control and examination rights.
The Orientation Guide also points to possible simplifications for financial institutions. Conducting collective reviews of multiple institutions that are affiliated with the same supplier or using evidence from the supplier, based on established standards and audit reports from approved third parties, may be options to facilitate the review process.
Choosing the Right Cloud Provider for Financial Institutions
High availability security gateways, automatic failover, and redundancy of critical system components are just a few of the things that the supervision stipulates for the secure normal operation of cloud services; an elaborate undertaking that banks often cannot accomplish without their own specialized IT departments. Selecting the right provider is therefore decisive to ensure cloud security and, at the same time, maximize the potential of the technology.
Secure IT Infrastructure: Servers, Data Centers, Networks
Server and network security are the basis for secure data transfer in the cloud, as they are crucial for the prevention of unauthorized access. Certain compliance regulations require that banks must always be aware of where their data is physically located and how the data streams of different cloud customers are separated.
Also, the geographic location of the infrastructure is a critical point for data security, as it is often demanded that the data centers processing financial data of German banks are located within EU territory. This is the only way to ensure legal certainty regarding strict European data protection requirements and to exclude the possibility of moving critical data to less regulated regions.
Compliance Know-how and Contractual Design
However, a suitable cloud supplier for financial IT is not only characterized by secure server configuration, but also by a deep understanding of regulatory and security issues. Finally, the ability to integrate into existing systems can be the determining factor for the selection of a supplier. Banks should rely on experienced service providers who are familiar with all industry-specific guidelines, who are able to meet these, and who can easily integrate existing systems.
Universally recognized certifications, in particular for IT security, verify the know-how of the service provider. In addition, all data protection and IT security aspects must be contractually regulated between the supplier and the customer in order to meet regulatory requirements. To ensure a stable performance, Service Level Agreements are defined which, among other things, regulate in detail the availability and reaction times in the event of a failure and give all parties the necessary legal certainty.
Cloud computing is a complex issue; for banks, the extensive requirements for material outsourcing pose a major challenge. Since experienced service providers for banking solutions deal intensively with the industry-specific regulations, they can help financial institutions meet security and compliance requirements without neglecting their own individual specifications and business needs. Whether banks outsource individual applications that map distinct aspects or business areas of banking, or rely on the data cloud as the basis for a digital restart – the prerequisite for a successful implementation is the accurate adaptation to legal requirements.
In the future, financial companies will increasingly rely on a short time-to-solution and the dynamics of innovative technologies to remain competitive in the market. Cloud computing promises shorter commissioning times, lower initial costs and reduced maintenance costs: Optimizing existing systems with a cloud solution could be a suitable starting point for many financial institutions to pioneer the digitization of their business.
Image Sources: Teaser: Warchi - 685296154 - iStock; Infographic: knowis AG