IBM Says It Can Fortify Public Cloud for Financial Services

Written by Jeffrey Kutler | November 08, 2019

The benefits of cloud computing are greatest on public networks like those of Amazon and Microsoft, but financial institutions have held back because of security and other perceived operational and compliance risks. IBM says it is addressing those concerns with what it calls “the world's first financial services-ready public cloud.”

The technology is being developed in close collaboration with Bank of America, a major IBM customer that is on what it terms a “seven-year cloud journey,” having streamlined its multiple-data-center architecture and migrated a significant share of IT workloads onto private cloud infrastructure.

The platform that BofA, as the so-called first collaborator, will be using on IBM's public cloud will be available to other institutions and their suppliers. It is described in a November 6 announcement as a safe and regulatory-compliant environment that “can potentially enable independent software vendors (ISVs) and software-as-a-service (SaaS) providers - from the smallest fintechs to more established vendors - to focus on their core offerings to financial institutions with the controls for the platform put in place.”

Bank of America chief operations and technology officer Catherine Bessant said: “This is one of the most important collaborations in the financial services industry cloud space. This industry-first platform will allow Bank of America to use the public cloud, putting data security, resiliency, privacy and customer information safety needs at the forefront of decision-making. By setting a standard that addresses the concern of hosting highly confidential information, we aim to drive the public cloud to a safety level that is unmatched.”

“Security, Resiliency and Compliance”

The work with BofA has been underway for 18 months, but Curt Leeman, IBM managing director responsible for the company's relationship with the Charlotte, North Carolina-based banking giant, said in an interview that the collaborative process does not stop there. “Others will have a voice” in shaping the ongoing development, including the ISV and SaaS communities, in the interest of “safely and securely engaging on the public cloud.”

Leeman said the result can be “industry-changing,” with the benefits of lower costs, reduced risks and increased latitude for innovation extending to smaller banks as well.

“The financial services-ready public cloud will help give financial institutions an opportunity to more efficiently assess the security, resiliency and compliance of their technology vendors,” IBM said. “Participating financial services software providers may benefit from the platform's security validation. Only ISV or SaaS providers that demonstrate they comply with the platform's policies will be eligible to deliver offerings through the platform.”

Benefits and Systemic Implications

The attraction of cloud, and ultimately public cloud, is explained in the just-released EY-Institute of International Finance 10th annual global bank risk management survey: “cost efficiencies, gains in reliability and resilience, the ability to leverage highly sophisticated analytics, and faster software deployment,” and, if implemented effectively, stronger information and cybersecurity safeguards.

“Banks recognize they cannot accrue the scale benefits by remaining purely on private cloud,” the report says. “They have to move to hybrid (public and private) or public cloud capabilities.”

Regarding specific cloud risks, 92% in the survey of risk executives from more than 90 banks worldwide mentioned security of customer data. That was followed by security of bank data at 77%, customer data integrity or destruction 63%, bank data integrity or destruction 63%, compliance or legal risk 62%, and reputational risk 62%.

Cloud-related risks are on the regulatory map and have given rise to systemic concerns.

The U.S. Financial Stability Oversight Council's 2018 annual report put them in the context of outsourcing and third-party exposure, noting that institutions are “using outside cloud computing services to supplement existing technology infrastructures for data storage, redundancy, and computational capacity. These services have information and cost benefits, but relying on outside firms for critical data and services also creates risks.”

An August 2019 article by Lee Reiners, executive director, Global Financial Markets Center, Duke University School of Law, and law graduate David Fratto, argues that cloud computing is “a new source of systemic risk” and should be recognized as such by the FSOC, which is responsible for identifying threats to stability and, for supervisory purposes, the designation of certain entities as systemically important.

The U.K. House of Commons Treasury Committee, in an October report on IT failures in the financial services sector, found the cloud service provider market to be a source of systemic risk and said a case can be made for regulation of the likes of Amazon, Google and Microsoft to ensure high standards of operational resilience.

Technology and Regulatory Components

IBM said it approached its public cloud solution by drawing on its history, technology and relationships with 47 of the Fortune 50 companies and the 10 largest financial institutions in the world. For the regulatory-compliance component, IBM and Bank of America are working with Promontory, the Washington, D.C.-based consulting group that IBM acquired in 2016.

The flexibility and freedom of choice of open source are integral to the design. IBM said its public cloud “uses Red Hat OpenShift as its primary Kubernetes environment to manage containerized software across the enterprise, and includes more than 190 API driven, cloud-native PaaS [platform as a service] services to create new and enhanced cloud-native apps.”

“The financial services-ready public cloud represents an ongoing focus from Bank of America, IBM and Promontory to help develop a technology ecosystem where regulations can be addressed,” said Bridget van Kralingen, IBM's senior vice president, global industries, clients, platforms and blockchain. “Together we plan to help our customer address their ongoing compliance requirements, coupled with highly scalable, standardized capabilities that will be built to help serve today's modern financial services industry.”

“We recognize that we must help create an environment where financial services institutions can address their regulatory requirements and expectations,” said Eugene Ludwig, Promontory founder and CEO. “Bank of America, IBM and Promontory are uniquely suited to help give the industry and vendors confidence in the quality of this cloud platform.”

IBM said it amounts to “the only industry-specific public cloud platform that can provide preventative and compensatory controls for financial services regulatory workloads, multi-architecture support and proactive and automated security, leveraging the industry's highest levels of encryption certification.”