Challenger companies in financial services have benefited greatly from cloud technology. The enhanced scalability, adaptability, and interoperability that cloud offers have been central to the growth of firms such as Starling and Monzo in the UK, Nubank in Brazil, and PasarPolis in Southeast Asia.
Traditional banks, insurers, and other financial services firms have begun to respond by migrating selective operations to the cloud, often through partnerships with cloud service providers. Deutsche Bank, for instance, announced that it will use the cloud to boost innovation through use cases, such as pay-per-use models as an alternative to purchasing assets outright. In insurance, Nationwide in the US is transforming its IT shared services organization to enable an API-first strategy.
A recent Bain survey shows that more IT executives aim to gain flexibility and scalability through the implementation of a cloud strategy (see Figure 1). These traits are crucial to realizing goals such as revenue growth; operational efficiency; personalization of products and services, which hinges on a consistent, real-time view of the customer; and artificial intelligence in the contact center.
CIOs want speed, responsiveness, and scalability
But here’s the rub: As more financial services firms migrate operations to the cloud, their architectural decisions are often based on myths and misconceptions (see Figure 2). Cloud transformation poses real challenges, but these can be addressed by examining the facts and taking practical steps to overcome the hindrances.
These myths hinder cloud adoption
Myth: Data protection and privacy will be compromised
Given the sensitive personal information used in financial services operations, executives worry that unencrypted information will be stored on a cloud service provider’s infrastructure, raising the risk of a data breach, which would violate data protection regulations. The Bain survey shows that “data privacy and security concerns” are a big barrier to cloud adoption in financial services (see Figure 3). In fact, 80% of respondents in banking and insurance cited “reputation for security, reliability, and availability” among their top five criteria in selecting a cloud provider.
Financial services firms worry about fortress penetration
In reality, cloud infrastructure represents a cost-effective way of ensuring compliance with privacy standards. Pseudonymization—meaning the separation of data from direct identifiers—represents one option for remotely stored personally identifiable information (PII). The European Union’s General Data Protection Regulation (GDPR), for instance, relaxes several requirements on controllers that use pseudonymization. Cloud functionality may also help detect and redact PII that is not pseudonymized.
In addition, state-of-the-art encryption and effective key management play a critical role in protecting client data and ensuring clients’ privacy. Financial institutions may choose to use the cloud provider’s own key management service, client-side encryption, or have their keys managed by a trusted third party. More recently, cloud providers have introduced multiple ways to facilitate the seamless integration of external key managers, further enhancing data protection and privacy without compromising usability.
Financial services firms also worry that cloud functionality, especially for projects involving advanced analytics, requires granting providers access to sensitive, unencrypted data. However, with recent advances in cloud technology, providers are now able to preserve privacy without compromising on analytical functionality. Machine learning and computation increasingly are applied to encrypted data stored in the cloud.
Myth: It will be harder to fulfill regulatory compliance
One might think that it becomes harder to comply with regulatory requirements after transitioning to the cloud. Some regulators are concerned about their ability to assess the industry’s IT infrastructure when it is run by a third party. However, cloud technology can actually play a significant role in reducing the effort required to keep up with regulatory changes.
Cloud services are designed to comply with a large number of regulatory requirements right out of the box, including third-party validation and regular updates that reflect the latest regulatory changes. Contracts can be localized to comply with local law and regulations. Moreover, cloud-based tools facilitate compliance at a large scale by automating policy monitoring and enforcement. For instance, they detect critical configuration changes and alert compliance officers to security events.
In addition, compliance controls can be located at one place, reducing the chance of accidental misconfiguration. It is also possible to restrict access for the provider’s employees to certain areas or countries. Most cloud services now include data residency controls, reflecting the need of financial institutions to ensure full transparency.
AI tools do even more. They alert users to vulnerabilities or misconfiguration. They enable financial institutions to automate certain regulatory reports, freeing up capacity for regulatory strategy and incidence handling. The framework of cloud logging supports a full audit trail for all activity on the cloud.
Myth: A company will be dependent on one cloud provider
Another myth is the fear of becoming dependent on a single provider, resulting in less flexibility. While cloud transformation may involve reducing the number of suppliers and even committing to a preferred partner, vendor lock-in does not attach a firm to only one cloud provider. In fact, many cloud service providers are taking steps to ensure cloud sovereignty for their clients.
Larger institutions, in particular, will likely operate in a multicloud environment—or, in some cases, a multitude of single-cloud environments across business lines and geographies. The Bain survey shows that the number of public clouds used by large organizations, including financial institutions, is almost 50% higher than for small organizations. About 80% of cloud spending focuses on the primary vendor, but spending on other vendors has increased considerably over the past year.
Leading institutions ensure cloud sovereignty by focusing on three dimensions:
- Data sovereignty requires mechanisms to limit data access to specific provider behaviors that are deemed necessary. Such mechanisms include third-party key management, detailed key access justifications, and data-in-use protection.
- Operational sovereignty requires assurances that the people working at a cloud service provider cannot compromise client workloads, for example, by limiting support personnel access or deployment to specific countries.
- Software sovereignty requires financial institutions to control the availability of their workloads and run them wherever they want, without depending on a single cloud service provider. In this context, open-source software and open standards play an important role.
Myth: Migration to the cloud increases architectural complexity
The Bain survey points out that, across industries, respondents expect the share of on-premises infrastructure to drop by a combined annual rate of 13% over the next three years, but on-premises deployment clearly is not going away. Thus, companies will have to effectively deal with hybrid architectures in the future.
Executives often worry that hybrid architectures can grow very complex. There are understandable reasons behind this concern. For example, the need for interoperability in hybrid on-premises and multicloud environments continues to be a challenge for many companies (see Figure 4).
In a complex technology environment, interoperability becomes more important to CIOs
Consequently, hybrid multicloud setups can add a level of complexity. However, modern cloud management solutions can effectively contain such complexity, by facilitating container orchestration and management, policy and security automation, traffic monitoring, and management across platforms. In addition, API management layers reduce the number of point-to-point connections and facilitate the integration of third-party services. Such third-party services are instrumental for ecosystems and platform business models.
As a result, with careful analysis involving the IT and operations teams, companies can strike the right balance between portability and ease of implementation.
Myth: The cloud is not appropriate for the core business
Initially, cloud-based services in financial services were focused on ancillary services and specific applications such as customer relationship management or software development. Digital attackers then emerged with the cloud at the center of their business. Now, cloud-native core banking systems are cropping up in large incumbent institutions. For example, JPMorgan Chase announced in 2021 that it would move the retail banking’s core system to the cloud.
More broadly, cloud technology is widely regarded as essential for embedded finance, including fast-growing applications such as banking-as-a-service and buy now, pay later, which thrive on agility and interoperability.
Though there are several paths to technology transformation, a shared legacy approach—combining cloud-native digital platforms with a bank’s existing digital capabilities—may even help banks to avoid a full reboot of technology.
Myth: An agile transformation does not involve much planning
Most financial executives recognize that the cloud transformation entails a long journey. They are aware that pushing for a “big bang” change would involve great risk and would likely disrupt the entire organization.
Most financial institutions have found a phased approach to be more effective. However, simply taking a step-by-step approach without clear direction can also prove misguided and turn out to be equally risky. A truly agile transformation mandates a clear vision of the desired end state, along with careful preparation and planning.
For example, many organizations still do not establish an adequate cloud operating model to manage the transition. The Bain survey finds that roughly half of respondents feel unprepared for the governance of a cloud migration and lack a talent strategy that includes refactoring applications as well as managing a hybrid environment.
As with most agile projects, cross-functional collaboration is the best way to align the entire organization. Reaching the desired cloud-based end state will hinge on the organization learning practical insights from agile pilots to systematically uncover and address barriers along the way.
Starting the journey
A lift-and-shift migration, where a company moves workloads from a source environment to a new environment with minor or no modifications, is sometimes seen as a sensible approach. In reality, it will likely lead to problems and deliver only a small fraction of the potential benefits.
To start, lift-and-shift does not address any underlying complexity, and legacy processes will migrate to the cloud unchanged. Cloud-based data lakes may end up being swamped with context-free data disconnected from practical use cases. Workloads may get fragmented, preventing any meaningful economies of scale.
Instead, a high-impact, scalable migration typically involves taking a long-term perspective with thoughtful staging. The first step involves a diagnostic to determine the company’s starting point along five dimensions:
- cloud vision and strategy;
- transformation plan and economics;
- security, risk, and regulatory approach;
- cloud-enabled operating model; and
- technical strategy and execution.
As a part of the diagnostic, executives will map the organization’s capabilities, assess the point of departure relative to the target state, and identify key hindrances or essential capabilities, especially from the customer’s viewpoint.
Once the diagnostic is complete, cloud adoption will not happen overnight, but rather as a journey with clear milestones—taking into account available budgets and resources as well as critical dependencies across the entire book of work.
Since the major hurdles are largely cultural and organizational, senior management will need a clear-eyed articulation of how the cloud will support their strategy, the timeline to achieve their ambition, how to foster cross-functional collaboration, and who is accountable for which initiatives. Those that counter the myths or misconceptions with an informed plan and a consistent execution stand a much better chance of capturing the cloud’s full potential.