Cloud

Why Banks Have Been Slow to Embrace the Cloud — and What Could Soon Change That

While compliance and regulatory concerns have hindered cloud uptake in the banking industry, consumers might push them to embrace the public cloud.

Ernie Smith

Ernie Smith is a former contributor to BizTech, an old-school blogger who specializes in side projects, and a tech history nut who researches vintage operating systems for fun.

Industries old and new have been transformed by cloud computing in many ways.

The banking and financial services industry, while often one of the earliest to embrace digital technologies, has taken a more careful approach to cloud computing. That’s not necessarily due to a lack of interest, but rather to a desire to balance security and regulatory concerns with the clear benefits of agility the cloud delivers.

A recent New York Times piece discussing the challenges of cloud-driven banking laid out the sector’s careful approach, as well as the factors that might encourage a change down the road.

Data: Cloud Computing Adoption in Banking Financial Services

Research from Accenture’s Banking Cloud Rotation Index found that 12 percent of the industry’s workloads have been pushed to the cloud in North America. While somewhat low compared with other industries, North American banking is significantly ahead of the European market, which has seen just 5 percent of workloads brought into cloud infrastructure.

By and large, banks continue to lean toward hybrid cloud environments, though that is changing. In North America, 39 percent of banks are primarily in the public cloud, with 55 percent primarily in hybrid environments.

“I think what struck me most was that nearly every bank has taken off on its journey to the cloud, but very few have gotten more than a few feet off the ground,” Mike Abbott, a global banking lead for Accenture, says of the index’s findings.

I think what struck me most was that nearly every bank has taken off on its journey to the cloud, but very few have gotten more than a few feet off the ground.”

Mike Abbott Global Banking Lead, Accenture

At this time, high-level enterprise functions such as collaboration tools, customer relationship management and IT operations are the most likely cloud workloads for financial institutions. More fundamental functions, including risk and compliance, capital markets, and consumer and commercial banking, make up 4 percent or less of cloud workloads.

However, trends in cloud computing appear to suggest a firmer embrace in the years to come. Per data from the American Bankers Association, at least 90 percent of banks maintain at least some data, applications or operations in the cloud, and 91 percent expect to increase cloud use in the coming years. This will most likely be for functions that can improve the customer experience, such as digital banking apps and CRM tools.

Banking Compliance Regulations: The Role Risk Plays

There are genuine reasons for banks to be cautious with cloud computing. These don’t stem from technical hesitancy, but rather from a desire to be careful with issues of risk, which carry different meaning for the financial sector than in other fields.

In 2019 testimony before a task force of the House Financial Services Committee, Paul Benda, the American Bankers Association’s senior vice president for operational risk and cybersecurity, explained why the industry has traditionally been slow to embrace the cloud, citing a mix of regulatory concerns, security desires and a goal of risk management.

“Although there are compelling business and operational resilience reasons for financial institutions to consider the use of the cloud, it is critical that financial institutions first put in place strong and effective risk mitigation strategies to address the risks that are unique to the cloud,” Benda told the committee.

EXPLORE: Can cloud computing help financial institutions manage regulatory compliance?

His commentary points to Title V of the Gramm-Leach-Bliley Act, a 1999 law that requires banks “to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.”

“These standards apply equally, regardless of whether that information is stored or handled by a financial institution or its vendor on the financial institution’s own system or in a third-party cloud,” Benda added in his testimony. “These standards also require that financial institutions have in place incident response programs to address security incidents involving unauthorized access to customer information, including notifying customers of possible breaches when appropriate.”

Despite the concerns about liability and organizational risk, the banking industry collectively sees high potential in the cloud. Benda emphasized a willingness for a more collaborative approach.

“The challenges in this space are complex, and we believe that every stakeholder wants to ensure that the security of these critical systems is maintained and at the same time innovation is not hindered,” he explained.

Click the banner below to unlock exclusive cloud content when you register as an Insider.

Banking Compliance Regulations: Where Technology Can Help

Major cloud service providers, including Microsoft Azure, Google Cloud and Amazon Web Services, are doing their best to ease banks’ concerns about risk management.

Microsoft, for example, launched Microsoft Cloud for Financial Services to help financial institutions manage areas where cloud services can make a real impact. One such area is customer onboarding and engagement, where banks could take advantage of the CRM tool Dynamics 365.

Tools like these are rebuilt specifically for financial institutions, with compliance and regulatory considerations managed at the start, so that necessary use cases like collaboration play nicely with compliance approaches.

There are also areas where cloud-based solutions might be the best option for risk-based considerations. Artificial intelligence tools, for example, can help financial institutions get a better grasp of a customer’s risk profile in areas such as lending.

Cloud Infrastructure: Strategies Banks Should Use to Mitigate Risk

Financial institutions that haven’t embraced the cloud, or have done so in only limited ways, can look at several areas to build a modern digital infrastructure that meets both the demands of compliance and the convenience that customers expect.

Infrastructure assessments. A recent VMware study reported that 87 percent of financial sector respondents were concerned with the security posture of the shared service providers they used. But these challenges are not entirely on the service providers. Simply put, misconfiguration can create serious security issues that need to be resolved. By using processes such as vulnerability assessments, penetration testing and perimeter testing, financial institutions can better understand how their digital infrastructure can handle the complexity of a cloud-based or even a multicloud world.
Software-based threat management tools. In a world where cybersecurity threats are growing — especially in the financial sector, where more than a quarter of institutions have reportedly faced some form of destructive cyberattack — it’s important to take seriously the need for threat mitigation tools. They can help detect issues as they emerge and help manage them through automation.
Access management. Insider threats are a real concern, especially in the financial industry. Deploying methods to help mitigate them, including multifactor authentication and strong key management policies, can help enable compliance amid a shift to the cloud. Building with access in mind could also have organizational benefits: In its recent story on this topic, the New York Times noted that at least one major bank was able to embrace remote work after moving its infrastructure to AWS.

Working with an external partner such as CDW Amplified™ services can help banks uncover ways to implement a cloud-based strategy carefully, while still addressing the risk factors that are a fact of life for financial institutions.

The truth of the matter is, the tensions that have forced a more careful approach to cloud uptake among banks are complex, but they can nonetheless be mitigated.

Getty Images/ alexsl