Multi-cloud: balancing the cloud concentration regulation risk with the innovation reward

Regardless of size and business mix, most financial institutions have come to understand how cloud and multi-cloud computing services can benefit them. There are cost benefits when it comes to scale, deploying new services and innovating. There are security and resiliency benefits that can be difficult and expensive to replicate on-premises, especially for smaller institutions trying to keep pace with rapidly changing standards. And there is geographic access to new markets – from China to Canada – that require deployment of local, in-country systems under emerging sovereignty laws.

However, as the industry continues to embrace cloud services, regulators are becoming more aware of the challenges associated with cloud computing, especially those that could expose financial institutions to systemic risks potentially undermining the stability of the financial system. The Financial Stability Board (FSB) and the European Banking Authority have urged regulators worldwide to review their supervisory frameworks to ensure that different types of cloud computing activities are fully scoped into industry guidelines.

At the same time, public cloud provider outages have disproved the “never fail” paradigm, and there are growing calls for heightened diligence around cybersecurity risks. This is causing regulators to focus on cloud concertation risks as well because of the potential peril created when the technology underpinning global financial services relies on so few large cloud service providers. 

So how do financial institutions balance the risk versus the reward of the cloud? 

Understanding the risk 

The concern over infrastructure concentration and consolidation is twofold. First is the systemic risk of having too many of the world’s banking services concentrated on so few public cloud platforms. Historically, this problem did not exist as each bank operated its own on-premises infrastructure. Failure in a data centre was always limited to one single player in the market.

Second is the vulnerability of individual institutions, including many smaller institutions, that outsource critical banking infrastructure and services to a few solution providers. These software-as-a-service “hyperscalers” also tend to run on a single cloud platform, creating cascading problems across thousands of institutions in the event of an outage.

In both cases, performance, availability, and security-related concerns are motivating regulators who fear that a provider outage, caused either internally or by bad external actors, could cripple the financial systems under their authority.

For financial services companies, the stakes of a service interruption at a single cloud service provider (CSP) rise exponentially as they begin to run more of their critical functions in the public cloud.

Regulators have so far offered financial institutions warnings and guidance rather than enacting new regulations, though they are increasingly focused on ensuring that the industry is considering plans, such as “cloud exit strategies,” to mitigate the risk of service interruptions and their knock-on effects across the financial system.

The FSB first raised formal public concern about cloud concentration risk in an advisory published in 2019, and has since sought industry and public input to inform a policy approach. However, authorities are now exploring expanding regulations, which could mean action as early as 2022. The European Commission has published a legislative proposal on Digital Operational Resilience aimed at harmonising existing digital governance rules in financial services including testing, information sharing, and information risk management standards. The European Securities & Markets Authority warned in September 2021 of the risks of “high concentration” in cloud computing services providers, suggesting that “requirements may need to be mandated” to ensure resiliency at firms and across the system.

Likewise, the Bank of England’s Financial Policy Committee said it believes additional measures are needed “to mitigate the financial stability risks stemming from concentration in the provision of some third-party services.” Those measures could include the designation of certain third-party service providers as “critical,” introducing new oversight to public cloud providers; the establishment of resilience standards; and regular resilience testing. They are also exploring controls over employment and sub-contractors, much like energy and public utility companies do today.

To get ahead of regulators, steps should be taken to address the underlying issues. 

From hybrid to multi-cloud

Looking at the existing banking ecosystem, a full embrace of the cloud is extremely rare. While they would like to be able to act like challenger and neo banks, many of the largest and most technology-forward established banks and financial services firms have adopted a hybrid cloud architecture – linking on-premises data centres to cloud-based services – as the backbone of an overarching enterprise strategy. Smaller regional and national institutions, while not officially adopting a cloud-centric mindset, are beginning to explore the advantages of cloud services by working with cloud-based SaaS providers through their existing ISVs and systems integrators.

In these scenarios, some functions get executed in legacy, on-premises data centres and others, such as mobile banking or payment processing, are operated out of cloud environments, giving the benefits of speed and scalability.

Moving to a hybrid approach has itself been an evolution. At first, financial institutions put non-core applications in a single public cloud provider to trial its capabilities. Some pursued deployments on multiple cloud vendors to handle different tasks, while maintaining robust on-premises primary systems, both to pair with public cloud deployments and to power core services.

While a hybrid approach utilising one or two separate cloud providers works for now, the next logical step (taken by many fintech startups) is to fully embrace the cloud and, eventually, a multi-cloud approach that moves away from on-premises infrastructure entirely.

Solve for the cloud concentration risks 

Recent service disruptions at the top public cloud providers remind us that no matter how many data centres they run, single cloud providers remain vulnerable to weaknesses created by their own network complexity and interconnectivity across sites. Disruptions vary in severity, but when an institution relies on a single provider for cloud services, it exposes its business to the risk of potential service shocks originating from that organisation’s technical dependencies.

By distributing data across multiple clouds, they can improve high availability and application resiliency without sacrificing latency. This enables financial services firms to distribute their data in a single cluster across Azure, AWS, and Google Cloud while also distributing data across many regions available across these CSPs. 

This is particularly relevant for financial services firms that must comply with data sovereignty requirements, but have limited deployment options due to sparse regional coverage on their primary cloud provider. In some cases, only one in-country region is available, leaving users especially vulnerable to disruptions in cloud service. 

Going beyond the regulations 

Beyond the looming regulatory issues, there are a number of practical business and technology limitations of a single-cloud approach that the industry must address to truly future-proof their infrastructure.

• Geographic constraints: not all cloud service providers operate in every business region and the availability of local cloud solutions grows increasingly important as more countries adopt data sovereignty and residency laws designed to govern how data is collected, stored and used locally. 

• Vendor lock-in: there is a commercial risk in placing all of an institution's bets on one cloud provider. The more integration with a single cloud provider, the harder it becomes to negotiate the cost of cloud services or to consider switching to another provider.

• Security homogeneity: while CSPs invest heavily in security features, in the event of an infrastructure meltdown or cyberattack, a multi-cloud environment can give organisations the ability to switch providers and to back up and protect their data.

• Feature limitations: cloud service providers develop new features asynchronously. Some excel in specific areas of functionality and constantly innovate, while others focus on a different set of core capabilities. By restricting deployments to one cloud services provider, institutions limit their access to best-of-breed features across the cloud. 

With pressure building from regulatory bodies at the same time as consumers increasingly demanding premium product experiences from financial services institutions, harnessing multi-cloud can satisfy both. It provides redundancy, security and peace of mind as infrastructure is not solely dependent on one CSP, while also providing the features and space to innovate on the very best the industry has to offer. Now is the time to embrace multi-cloud.