Despite the cloud’s ability to fuel innovation and industry change, financial institutions remain hindered by a variety of barriers to adoption.
These barriers form the central focus of a new cloud report by the Association for Financial Markets in Europe (AFME) and Protiviti.
The report ‘State of Cloud Adoption in Europe – Preparing the path for Cloud as a critical third-party solution’ outlines the four key barriers holding back the pace of cloud adoption within the financial services sector.
While the cloud can enable financial service innovation, firms continue to battle with barriers in realising the technology’s full potential.
Here we analyse the barriers identified in the report and discuss the corresponding solutions it puts forward.
The concentration of cloud services
Sixty-five per cent of the world’s cloud services are provided by just three entities. The dominance of such a monopoly is raising concerns among financial regulators. The report sets out the risk of such concentration in the cloud marketplace.
The report urges policymakers to consider how cloud service providers (CSPs) provide transparency on resiliency, dependency and security issues.
It encourages scrutiny of regional dependencies on CSPs and analysis of the underlying control plane within each CSP.
The report recommends that the adoption of multi-cloud strategies should remain at the discretion of individual institutions.
It makes clear how mandatory adoption could increase, rather than address, the aforementioned systemic concentration risk.
The report identifies regulatory complexities as a major barrier to cloud adoption. According to the report, a fragmented regulatory landscape, slow approval times and general uncertainty are all to blame. The presence of these factors is slowing innovation and the pace of cloud adoption.
Institutions are subject to multiple different regulators. This setup means that those regulators may request the same information in different formats and through different channels.
In this light, the report requests that authorities consider an approval model for deploying services to the cloud at a platform level. It also requests the removal of time requirements for notifications, in order to reduce delays in the approval process.
It encourages greater coordination between the European Central Bank (ECB), European supervisory authorities (ESAs) and national competent authorities (NCAs).
This coordination is to ensure a consistent application of the outsourcing and information and communication technologies (ICT) third-party registers. This may ensure minimum duplication for institutions and supervisors.
The forthcoming EUCS certification framework could have far-reaching negative implications if the proposals to achieve ‘immunity against third-country law’ via EU control requirements are adopted.
The report requests that policymakers and regulators refrain from requiring localisation of data or cloud hosting solutions. Localisation challenges resilience, inhibits innovation and increases operational complexity.
Disruption management in the cloud
Several high-profile cloud service outages have highlighted the need for CSPs to be able to predict, manage and communicate disruptions.
Regulators expect institutions to have primary responsibility for resisting threats to operational resilience, guarding against service disruptions and recovering from incidents.
As a solution to this, the report encourages collaborations between CSPs and institutions. This effort would allow institutions to better understand providers’ tools, resources and configuration settings and ensure the security of workloads and data running within the CSP’s infrastructure.
In addition, CSPs should help institutions understand the service level objectives (SLO) across each service provided and the resiliency and recovery metrics.
The report requests that CSPs aid institutions by providing dependency mapping between services and geographies.
For example, such mapping could show two different services sharing a single point of failure, or how an outage that occurs in one region may affect the underlying CSP control plane.
It encourages CSPs to provide greater transparency and detail of root cause analysis (RCA) for incidents and outages. The report also requests the creation of a library of previous RCAs. Such a resource could enable incident trends to be tracked, understood and better managed in the future.
CSPs must provide sufficient education and notice to institutions regarding service updates that may impact their responsibilities and obligations in areas such as security or resilience.
Fiona Willis, associate director of technology and operations at AFME, describes how the cloud is allowing institutions to deliver “agile, scalable and resilient services to their clients.”
Despite this, Willis confirms that cloud adoption is being stalled by “overly complex and unharmonised regulation”, as the report makes clear.
“AFME members believe it’s essential that policymakers don’t inadvertently impact the continued adoption of cloud services,” she continues. “Regulators and policymakers can work together to unlock the full potential of cloud opportunities for the financial services sector.”
Adding to this, James Fox, director of enterprise cloud at Protiviti, states that the technology represents a significant opportunity to “increase productivity, flexibility and resilience.”
Despite regulation mitigating risks, Fox emphasises the need for “a careful balancing act” between “properly regulating cloud technologies and not stifling innovation or competition within financial services.”