Standard Chartered Bank has for the first time allowed one of its software applications to run on a vendor’s cloud, and intends to increase this dramatically next year.
The bank continues to act within strict regulatory and risk limits, but has made its first steps toward adopting third-party cloud infrastructure to support its growing needs for computing power. Many global banks have to date preferred to rely solely on proprietary servers to handle surging computational needs.
Michael Gorriz, group chief information officer in Singapore, told DigFin the bank has allowed an app he described a ‘risk calculation engine’ to operate on a vendor’s cloud, and that up to five more apps will follow this year.
“This year we’ll go from five apps in production on the cloud to ten times that amount by the end of next year,” he said, provided relevant banking regulators approve.
Sticking to IaaS
He made a distinction between using vendors’ clouds on the basis of software as a service (SaaS), and infrastructure as a service (IaaS). StanChart is hewing to IaaS.
IaaS is a form of cloud computing that offers a virtualization of computing services over the internet. The vendor provides the same kind of infrastructure that a bank would use for on-premise computing, such as servers, storage and networking.
“It’s like an extension of your own data centers,” Gorriz said.
A bank vending IaaS is renting the infrastructure, but remains in charge of administrating projects, including responsibility for data. StanChart uses IaaS to develop and test new software, including that of new fintech partners.
Not only does IaaS let the bank outsource a lot of the heavy data-crunching work for developing products, but it’s a much easier sell to regulators, because the consumer data is synthetic or disguised, as in a regulatory sandbox environment.
(A SaaS model involves the vendor installing and running the apps on behalf of its client, but this might also mean the vendor assumes responsibility for updating the software, for billing end consumers, and securing customer data.)
Risk managing the cloud
The risk-calculation app is a good example of something that’s easy to get approval to outsource to a cloud vendor, because it doesn’t involve customer data at all, says Shameek Kundu, the bank’s chief data officer.
He added the many apps the bank wants to develop on the cloud will be other functions that avoid using customer data, including other risk-management tools.
Banks need to figure out a cloud strategy as a result of digitalization and working with fintech partners (many of which outsource their computing to a cloud).
But while fintech helps banks move faster, it also creates cyber-security pressures.
“We’re racing to the cloud,” said Cheri McGuire, group chief information security officer at Standard Chartered. “But there are only three or four big cloud providers. What if they suffer a data breach, or an outage?”
Such concerns among both banks and regulators worldwide have been an impediment to banks’ shifting activity to cloud providers, even as many other industries have done so.
The first concern is technical: banks conduct due diligence to ensure a vendor’s cloud offering is sound – as is the protection a fintech promises when it taps the cloud.
Compliance is another factor, particularly as cloud services are borderless – but banks, their customers, and their regulators, are not.
Third, risk management plays an equally large role, says McGuire.
The ouches of outsourcing
The concentration risk of having so few vendors at the necessary scale adds to concerns about compromising customer data, or suffering a prolonged loss of online service.
Banks also expect a huge amount of new regulation to come in 2018 that focuses on cyber-security, and so they are reluctant to outsource critical functions to cloud vendors if it means a huge new workload in compliance and reporting.
McGuire adds that regulation around using cloud services varies among countries, even if a vendor’s offering is standardized. “Regulation and privacy rules vary by market, but we own the risk” when outsourcing to a cloud vendor, McGuire said. “We can’t outsource the risk.”
One development that could make working with cloud-based fintechs easier, McGuire suggests, is if these tech partners develop their services under the auspices of a regulator’s sandbox. At least then the bank will have greater confidence that it can create the I.T. architecture to accommodate the fintech in the bank’s own systems.