Benefits of Cloud and FCA Compliance for Financial Services
18th June 2021
Guest blog by Richard Smith, Independent Enterprise Architect and Technology Consultant
Most financial organisations in the UK are on, or about to embark on, a journey to the cloud – whether they’re considering the use of cloud services, undergoing migrations, or building cloud-native platforms.
With the vast array and flexibility of cloud offerings, there is no “one size fits all”. Financial institutions in the UK must consider many aspects, so let’s shed some light on some of them in this blog.
WHAT IS CLOUD COMPUTING?
Cloud is a word that often gets bandied around, sometimes with little context. It is a ubiquitous term attached to an ever-expanding range of services, so what cloud means to any individual or business will often align to their experience and perceived value of those cloud offerings.
Personally, I view cloud as the consumption of technology services as a utility.
After all, I don’t need to build a power plant to consume electricity and I don’t need to purify and pipe water to drink it! So, do I really need to build a huge catalogue of technology services and infrastructure, and hire thousands of engineers and developers to consume those services?
Diverting resource and focus away from utility, embracing cloud and refocusing on innovation allows an organisation to keep up with, and even exceed, the competition.
What about the regulators’ view? (After all, in the financial services sector, it’s important we understand the regulators’ view.) Typically, the definition used by the various regulators for cloud services is along the following lines:
- Cloud computing encompasses a range of IT services provided in various formats over the internet.
- This includes private, public or hybrid cloud, as well as Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS).
- Cloud services are constantly evolving.
THE BENEFITS OF CLOUD SERVICES
What benefits can you expect through adoption of cloud services?
In my opinion, they include:
- Access to large catalogues of ever-evolving services, many of which are specifically aimed at the needs of financial services organisations, including Know Your Customer (KYC), Anti-Money Laundering (AML), Online and Mobile Banking and Core Banking services
- Faster provisioning times – after all, time really is money and the provision of technology services can burn up significant resources
- Resilience, availability, reliability, and quality of service – all priorities for financial organisations but also for regulators
- Flexible capacity where you pay only for what you use. Getting services which are “right-sized” aids efficient operational expenditure, linking operational costs to services, aiding the analysis of value benefits and reducing the need for “front-loaded” expenditure and capacity planning
- Eliminating barriers to access. This really benefits start-ups but can also help any organisation wanting to compete with established larger players with greater resources. Investing in infrastructure can be expensive and time consuming, diverting resources from innovation and blocking progression
- Avoiding costly infrastructure refresh cycles – under cloud services, these are taken care of by a third party
- Enhanced options for Disaster Recovery and Business Continuity
- Enhanced security
In the long term, it will become more difficult to operate in-house infrastructure due to increased costs of equipment, restricted availability of on-premise software solutions and difficulty in attracting and retaining staff.
You can adopt cloud services as you go. Today you may want to simply replace your data centre, but tomorrow you may wish to consume AI, advanced data analytics and IoT services.
IS CLOUD CHEAPER THAN ON-PREMISE INFRASTRUCTURE?
Is cloud cheaper? Yes, maybe; it’s not quite an “apples for apples” comparison.
IT is not cheap, but it’s necessary for a financial services organisation to operate effectively and compete in the market. How long can this be achieved without cloud services?
In terms of direct cost comparisons:
- It can be hard to compare the price of apples and oranges. When you take into consideration all the CAPEX investment and ongoing OPEX costs to run on-premises, the cloud can start to look cheaper
- Adoption of cloud services alone does not necessarily lead to staff reductions
- Initial implementation and migration costs may be high. Certain services may require major re-work to operate within a cloud environment if you are seeking to directly replicate your current technology estate
- Some services can’t be compared: the latest technology innovations are usually supplied using a cloud model, built on cloud technologies – certain cloud offerings cannot be practically reproduced on-premise
- Overall IT costs could go up as the advantage of technology enables growth of the business
- Even when the cloud doesn’t deliver direct cost savings, return on investment (ROI) is likely to be higher through the adoption of cloud strategy
- Focussing only on costs misses the point of cloud adoption.
FCA COMPLIANCE AND REGULATORY CONSIDERATIONS FOR ADOPTION OF CLOUD IN FINANCIAL SERVICES ORGANISATIONS
This is a dry subject, verging on arid, but financial services is a regulated sector and organisations operating within this sector need to be aware of guidelines and requirements when adopting cloud or outsourced services.
In terms of specific regulations, depending on the nature of a financial services business, the breadth of offerings and territory reach, the following may be applicable:
- FG16/5 (FCA) – Guidance for firms outsourcing to the ‘cloud’ and other third-party IT services
- EBA/REC/2017/03 – Recommendations on Outsourcing to Cloud Service Providers
- EIOPA – Guidelines on outsourcing to cloud providers. (Applicable to EU and not UK but still a useful guide)
- Various chapters of the Senior Management Arrangements, Systems and Controls manual (SYSC – FCA) which include chapters 1.2, 3.1.1R, 4.1.1R, 8, 13.9
- EBA/GL/2019/02 – EBA guidelines on outsourcing arrangements
- Payment Services Directive 2 (PSD2) related, including Payment Services Regulation (PSR) 2017, Strong Customer Authentication Regulatory Technical Standard (SCA RTS) and UK RTS
The regulatory space continues to evolve, and the following consultations are expected to result in policy decisions:
- CP19/32 – Building operational resilience: impact tolerances for important business services
- CP29/19 – Operational resilience: impact tolerances for important business services
These regulations set out hundreds of pages of rules, but the high-level matrix below can help to summarise and emphasise my next point:
Yes, to be compliant you will need to study and understand the regulatory requirements, but essentially these are “informed common sense” for building “fit for purpose”, resilient systems which avoid lock-in and can be audited.
Regulators are not looking to block cloud adoption; they see the benefits of cloud services and many are embracing cloud services themselves.
INTERNAL CONSIDERATIONS FOR ADOPTION OF CLOUD – A CHECKLIST
For brevity, I have not listed every possible consideration, but for each department, there are different aspects to look at:
- Operations & Execution departments
  - Are services providing the required resilience and performance?
  - Are the services a good fit for existing functions?
- Sales & Marketing departments
  - Do the services support customer engagement?
  - Do the services provide insights into what the customer wants?
- Risk & Compliance departments
  - Are the services conformant, and do they support the organisation’s regulatory obligations?
  - Is management information available for reporting obligations?
- Business Support departments
  - Are the services providing the business what it needs?
  - Are the services good value? What is the ROI?
  - Are the services adequately supported?
  - Do we have the right people and partners?
  - What are the training requirements?
  - Are Information Security considerations being addressed?
HOW DOES MY BUSINESS MOVE TO THE CLOUD?
After evaluating the benefits of cloud adoption and analysing the regulatory and internal considerations, what’s next? How does an organisation progress cloud adoption?
What approach do you follow?
- Big bang – Aggressively remove all on-premises services and adopt 100% cloud services in a like-for-like migration?
- Iterative slow burn – Adopt cloud gradually, based on new requirements as they come along?
- Transformation and change – Modernise the organisation and offerings, leading to new requirements, possibly replacing all technology services but ensuring a “cloud-first” strategy is adopted?
- Other options…?
The best approach for moving to the cloud is individual to your organisation, but determining this approach needs to avoid two traps:
- “Boiling the ocean”, where indecision leads to paralysis or, arguably worse, doing no upfront investigation and planning
- “Getting lost in the weeds”, where firefighting individual issues delays the way to the cloud.
An architecture approach could be best summarised as iterative cycles of Discovery, Definition, Design and Delivery (“4D”) with a focus on “just enough, just in time”.
- What is the current business and technology landscape?
- What are any constraints (e.g. company or sector policies)?
- What does the business want to do?
- What is coming on the technology horizon?
- Are there other opportunities?
- Direction of travel – what is the current IT roadmap?
- Issues to address and changes required
- Solutions to adopt
- Potential partners
- Translating the concepts into deliverable elements
- Delivery facilitation
- Project divide and assignment
- Interfacing with partners
There is no “one size fits all” for resourcing but there are some common skills you would likely need regardless of scenario:
- Cyber and Information Security
- Organisation Change Management
- Enterprise Architecture
- Technical Architecture
- Domain specialists/analysts
- (For cross-functional team members)
Unfortunately, many of these skills are scarce in the current market, especially:
- Cyber Security
- Organisation Change Management
- Enterprise and Technical Architecture.
Consider other models of gaining skilled resources rather than direct hire and employment:
- Contract and Freelance
- Outside IR35
- Solution providers
- Resource Augmentation Partner
- Architecture as a Service
A recap on moving to cloud:
- Do a cycle of 4xD to get the organisation ready for the cloud
- Cloud is about maximising capability through outsourcing of capability. If SaaS satisfies your requirement, great; if not, try PaaS. If PaaS satisfies your requirement, great; if not, try IaaS
- There is no single approach; cloud services provide flexibility, so don’t be afraid of mixing options
- Resource for success
And remember – JUST ENOUGH, JUST IN TIME!
FIND A PARTNER TO EASE YOUR JOURNEY TO CLOUD
Moving to the cloud is possible and beneficial for financial organisations. Regulators don’t want to block cloud adoption and they see the benefits – regulatory compliance and guidance are common sense approaches to protecting organisation services and integrity, the customer and the market.
Cloud adoption can be flexible, including hybrid cloud and multi-cloud strategies, and the right partners can help you on your journey to the cloud.
Get in touch
Connect with Richard Smith via his LinkedIn profile here: https://www.linkedin.com/in/rsmithgsltd