At this time, high-level enterprise functions such as collaboration tools, customer relationship management and IT operations are the most likely cloud workloads for financial institutions. More fundamental functions, including risk and compliance, capital markets, and consumer and commercial banking, make up 4 percent or less of cloud workloads.
However, trends in cloud computing appear to suggest a firmer embrace in the years to come. Per data from the American Bankers Association, at least 90 percent of banks maintain at least some data, applications or operations in the cloud, and 91 percent expect to increase cloud use in the coming years. This will most likely be for functions that can improve the customer experience, such as digital banking apps and CRM tools.
Banking Compliance Regulations: The Role Risk Plays
There are genuine reasons for banks to be cautious with cloud computing. These don’t stem from technical hesitancy, but rather from a desire to be careful with issues of risk, which carry a different meaning in the financial sector than in other fields.
In 2019 testimony before a task force of the House Financial Services Committee, Paul Benda, the American Bankers Association’s senior vice president for operational risk and cybersecurity, explained why the industry has traditionally been slow to embrace the cloud, citing a mix of regulatory concerns, a desire for security and a goal of risk management.
“Although there are compelling business and operational resilience reasons for financial institutions to consider the use of the cloud, it is critical that financial institutions first put in place strong and effective risk mitigation strategies to address the risks that are unique to the cloud,” Benda told the committee.
His commentary points to Title V of the Gramm-Leach-Bliley Act, a 1999 law that requires banks “to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.”
“These standards apply equally, regardless of whether that information is stored or handled by a financial institution or its vendor on the financial institution’s own system or in a third-party cloud,” Benda added in his testimony. “These standards also require that financial institutions have in place incident response programs to address security incidents involving unauthorized access to customer information, including notifying customers of possible breaches when appropriate.”
Despite the concerns about liability and organizational risk, the banking industry collectively sees high potential in the cloud. Benda emphasized a willingness to take a more collaborative approach.
“The challenges in this space are complex, and we believe that every stakeholder wants to ensure that the security of these critical systems is maintained and at the same time innovation is not hindered,” he explained.