What regulators need from the financial cloud
This blog post was written by Frontline’s Senior Advisor and Head of Equities, Dan Davies, in collaboration with IBM.
A couple of years ago in Chennai, I got an insight into the relationship that financial regulators have with technology. I was doing some training for one of a large global bank’s offshore operations and I had brought my laptop with me to present some slides. Before I could get onto the campus, let alone into the building, I had to hand my computer over to a security guard, who passed it on to a specialist security guard who made me boot it up, unlock it and let him run a scan. My laptop was then handed back to me with tamper-proof stickers across all the ports, and instructions that this would be repeated every single day of my week’s stay.
I asked my host why the measures were so draconian, and he answered that it was a risk management exercise. “The regulators don’t really recognise the concept of an external service provider. If there’s something wrong with your laptop, and it causes a security breach, they aren’t going to be coming round here asking questions about Frontline Analysts – it’s going to be our chief executive in the hot seat”.
If banking supervisors take that kind of view of a consultant walking into an offshore centre with a laptop, you can be sure that their view of cloud services is going to be based on a similar principle – there is no such thing as delegation of responsibility in a regulated industry. That’s why, in financial services at least, the fundamental requirement for a cloud project, in my view, is that compliance and security, to a financial industry standard, have to be designed in from the ground up.
If you read through documents like the EBA Guidelines, you can see this. Although senior supervisors have expressed a lot of enthusiasm for the flexibility and cost control that the cloud makes possible, the previous specific guidance on the use of cloud providers has been folded into the general outsourcing regime, and it’s almost entirely about security and governance. And that’s because, from a regulatory point of view, their concern about tech solutions is exactly the same concern that medieval merchants had in Florence – strict control over who is allowed to see the ledger, and even stricter control over who is allowed to make entries in the ledger.
For a lot of bankers and financial services managers, this is the “iceberg” of regulatory compliance, rarely seen or considered. While investors’ attention is captured by the changes in capital and liquidity requirements and accounting policies, there is a huge amount of activity carried out from day to day simply to perform the core function of making sure that the systems work properly and reliably, and can be demonstrated to do so. According to IBM’s Bharat Bhushan, as much as 80-90% of all banking tech systems are designed around these “universal controls”, common to every territory and business model.
There’s a similar tip-and-iceberg element to the public statements of senior bank supervisors like Korbinian Ibel of the ECB. In the headlines, regulators are excited about the cloud – they take seriously the conclusions of the Van Steenis Report that cloud use can help to reduce costs and increase the flexibility of business models. But when they start looking at specific applications rather than general principles, the true concerns come to the fore.
And these concerns are not just about security and reliability per se – they’re about responsibility. The core principle of the regulatory guidelines is that, effectively, there is no such thing as a cloud when it comes to accountability for outcomes. Whether a system exists on a mainframe in head office, an outsourcing centre or in the public cloud, the buck stops in the same place. Furthermore, the supervisors jealously guard their own powers, particularly with regard to auditing and inspecting anything they need to, and they expect that any move to the cloud will not reduce transparency.
The rulebook is based on a paradigm in which the fundamental activity of bank supervision was to go down into the vaults, look over the loan files and so on. In order to satisfy the regulators, the financial cloud is going to need to provide them with analogies and equivalents to the things they’re used to doing. And it’s going to need to be auditable – as far as I can see, the key step for financial services is to prepare a mapping of all the existing processes and controls to their equivalents in the cloud. “Move fast and break things” isn’t really an option in a regulated industry.
There is, though, a real incentive for the bank supervisors to get over their risk aversion. As they have said in speeches over the last five years, regulators are well aware that much of the financial industry is suffering from decades of underinvestment in technology systems, exacerbated by wave after wave of imperfectly executed merger integrations. They also know that the biggest risk to the European banking sector is poor profitability, and that in terms of delivering sustainable long term cost improvement, digitalisation – including the cloud – is the only game in town.
Which means that, as I see it, the supervisors are incipiently in favour of financial services tech moving to the cloud, as long as the cloud providers can avoid triggering their biggest fears. They have had bad experiences in the past with ambiguous boundaries of regulation, so they are going to be concerned at the idea of having key functions delegated to unregulated entities. But above all, bank supervisors fear a loss of visibility. If they are going to be brought along on the move to the cloud, the cloud computing industry needs to show them that they are still going to be able to see and do everything which they could before.
All of which suggests to me that what IBM has done with its recent pivot to cloud services is likely to be the kind of approach that goes with the grain of what regulators need. A financial services cloud needs to be designed from the ground up around the central fact that it’s a regulated industry, and that every step in the process needs to be able to demonstrate, to an outside authority with considerable reason to be sceptical, that it’s both robust technically and able to deliver compliance with all the regulatory standards. This isn’t necessarily a point which implies any particular model of private, public or hybrid cloud provision; it’s the fundamental principle of financial business, applied to cloud computing.