Since mainstream cloud computing services entered the financial sector several years ago, financial institutions (FIs) in Canada have viewed cloud computing as a tool to revolutionize the way they operate and do business. Many FIs have undergone cloud transformations in recent years as solutions on the market have reached new levels of maturity for the sector.
This enthusiasm has been tempered by efforts to satisfy ever-increasing regulatory scrutiny on FIs’ operations and outsourcing arrangements. Tensions remain between the use of cloud-based solutions and developing regulatory requirements, requiring those in the sector to think carefully about how to strike a balance between risk and reward, and how to stay adaptive to ongoing change from both regulators and the available technologies themselves (for more on regulatory developments in the financial services space, see “Financial institutions should expect more enforcement”). We expect these competing pressures will remain an ongoing focal point in the financial services sector in the years ahead.
As certain cloud providers have proactively embraced compliance with regulatory requirements, such as the B-10 Outsourcing Guidelines issued by OSFI, FIs have become more comfortable hosting important workloads on IaaS (infrastructure-as-a-service) and PaaS (platform-as-a-service) services, while also replacing local software installations with SaaS (software-as-a-service) platforms. These new products often: provide faster performance and sleeker user interfaces; come equipped with ready-made algorithms that analyze and report on data in new ways; and better position FIs to satisfy consumers who have come to expect the simplicity and ease of a wide variety of apps that leverage the “as-a-service” model which has been adopted from ride-sharing to grocery shopping to home maintenance.
Most cloud solutions offered to FIs have “out of the box” functionality, allowing an FI to select its configurations without making wholesale changes to the underlying technology itself. They are built on shared software, hardware and networks and use shared resources located at shared service locations. Cloud providers often will not allow any customers (even their largest ones) to have direct access to or approval rights over any of these solutions.
Financial institutions in Canada are working to make the most of what the cloud has to offer while mitigating regulatory risk at the same time.
There are upsides and downsides to these standardized offerings. The former includes a more stable technology base that is consistent for all of the cloud provider’s customers, lower capital and maintenance costs, and scalability to respond to changes in usage patterns. The latter include a lower degree of direct oversight and control over the product, its security and continuity, and the inability to approve (or prevent) changes.
Without sufficient oversight and control, an FI may put its operations at risk and run afoul of regulators’ guidance. The core principle of this regulatory guidance is that outsourcing an internal function (or procuring an important service) does not excuse the FI from a failure to perform that function or service. As the B-10 Outsourcing Guidelines state, federally-regulated entities “retain ultimate accountability for all outsourced activities”. So how does an FI address this risk while making the most of what the cloud as to offer? The key is to ask questions, demand answers and hold cloud providers accountable for them.
Below are some of the questions that FIs should ask about any potential cloud solution.
Sometimes, the cloud provider’s response to many of these questions is: “trust us”, pointing to the hundreds or more sophisticated FIs who all receive the same services and have the same contract terms. This answer will not satisfy a financial regulator. While financial services are an industry built on trust, that trust must be earned through information and accountability.
Below are some strategies to help ensure an FI can satisfy its compliance obligations when contemplating a cloud-based opportunity:
Whatever information and answers are uncovered in this process, the cloud provider should make contractual commitments to the standards and processes it discloses to the FI. Ultimately, FIs that ask the right questions, perform appropriate diligence and prepare well for adapting to and integrating cloud-based services, will reap the benefits of their new capabilities faster and with greater ease.