The introduction of cloud technologies in the banking sector is subject to a wide range of influences from compliance requirements and security standards. But how can the advantages of the cloud be optimally used, taking into account legal requirements?
Financial institutions face a difficult dilemma: on the one hand, they must meet the demand for flexibility, standardization and agility by using new technologies such as cloud services in order to achieve business goals and increase customer satisfaction. On the other hand, they face regulatory and security requirements that they have not yet met. What should be done?
Cloud or not cloud? Many banks and financial service providers are currently concerned with the question of whether cloud-based services or systems are a reasonable and feasible addition to, or even an alternative to, modernizing their existing legacy systems. Another driver is the necessary connection to front-end or customer data systems such as CRM or analytics, which are now often available only in the cloud, as Platform as a Service (PaaS) or Software as a Service (SaaS).
Cloud adoption drivers and associated challenges
“Standard” use cases, for example in HR or the workplace, are common candidates for the potential use of cloud-based services, as are specific technical innovations (such as artificial intelligence or blockchain) that can only be obtained from the cloud in an economically reasonable way. Last but not least, the availability or loss of qualified staff for legacy systems, or reduced attractiveness as an employer, can also be relevant reasons for engaging with cloud-native technologies.
Purely cloud-based banking platforms are now being used by early adopters, and some financial institutions have announced strategic partnerships with large cloud service providers (CSPs). This encourages many customers, users and departments to demand higher speed and greater flexibility in providing customer services via the Internet or via interfaces. Likewise, in-house application development often requires more flexibility and fewer obstacles in providing the required resources, and quick “secret” successes with small pilot projects can often be reported as evidence of success.
Fulfilling regulatory requirements makes new opportunities more difficult
But the debate over whether, and to what extent, cloud-based platforms or infrastructures are useful or appropriate for development or data storage is often slowed down or even nipped in the bud by the current framework conditions alone: data protection (e.g. GDPR), information security (e.g. BSI Basic Protection, IT-Grundschutz) and regulatory compliance (e.g. BaFin/BAIT, EBA Guidelines) must all be considered and evaluated from a risk management, oversight and audit perspective, possibly including the external audit.
In the analysis and selection of potential cloud services, the risks are usually difficult to assess, or are assessed insufficiently, and the protection requirements derived for the types of data to be used are often “high” or “very high”, which makes potential cloud outsourcing seem impossible. The European Court of Justice’s decision of July 2020 invalidating the “EU-US Privacy Shield” (“Schrems II”) with respect to data transfers to the United States, together with the US CLOUD Act (“Clarifying Lawful Overseas Use of Data Act”, 2018), further fuels the continuing assessment by data protection experts that “secure” use of cloud-based systems from major US cloud providers is not actually possible. Last but not least, regulatory requirements regarding risk reporting (such as MaRisk) in the context of outsourcing management pose significant challenges to many organizations and raise question marks once cloud services are up and running.
How to solve the dilemma that arises on the one hand from the need for flexibility, standardization and speed to meet business goals and increase customer satisfaction and on the other hand from seemingly unattainable regulatory requirements?
The beginning of the cloud’s journey
In practice, it has proven to be a viable approach to first identify potential risks and protection needs at the level of specific use cases, taking into account cloud risk controls and standards such as BSI C5, the CIS Cloud Control Matrix (CCM) and the ISO 2700x family of standards, and to define and assess them there. The next step is to address the protection needs through appropriate technical and organizational protection measures (such as storage encryption, the zero-trust principle, selection of the storage/data center location, and monitoring/logging mechanisms) and effective risk management. In addition, vendor audits are also possible, for example as part of a “pooled audit” with other organizations in the network. Any necessary acceptance of residual risks complements the risk-based approach.
When choosing the right cloud service provider, it is important to derive and document the necessary selection criteria and the risk management measures taken, the latter, among other places, within the written rules of procedure (sfO) and the information network. The use of cloud services, in turn, must meet all technical, organizational, regulatory and financial requirements in terms of implementation as well as monitoring, reporting and emergency management within an overall governance framework (ideally organized by a Cloud Competence Center). All guidelines, measures and control mechanisms must be documented in “cloud playbooks” within the context of the cloud strategy, which in turn underpins the corporate strategy in accordance with regulatory requirements.
Conclusion: The Key to Cloud Success
Companies from the financial sector should begin their cloud journey strategically, by creating the foundation for rule-compliant cloud operation, or by catching up on the necessary actions where tactical implementations have already “created facts”. Based on a cloud application readiness assessment, cloud capabilities are determined and applications are selected as beacon projects for cloud migration. We recommend that you also consider other projects and strategies that may have direct or indirect effects on the implementation of your cloud strategy.
Risk awareness, transparency, communication and overall governance are key to maximum security and flexibility in selecting and implementing cloud-based use cases to achieve business and IT goals. In this way, banks can benefit from the speed and innovative power of cloud technology while complying with regulations and security standards.
E-Book “The Application and Use of Future Technologies in Banking – Volume 3”
This article is part of a series of articles on new technology in the banking sector. Subscribers to Der Bank Blog Premium can download the 28-page e-book with all 8 articles directly.
Daria Makchanova is a co-author of the article. She is Deloitte’s Cloud Transformation Consulting Director and an expert in defining cloud strategy and managing large-scale IT projects with a focus on cloud technology.
Olaf Schulz is a co-author of the article. As a consulting partner at Deloitte, he is responsible for client offerings for cloud transformation and systems engineering and works across industries as an expert on cloud transformation and cloud strategy, IT sourcing and agile leadership.