The use of Cloud Computing by Financial Institutions - TECHNICAL PAPER - 4 JUNE 2020



Contents

Abbreviations
1 Introduction
2 Overview of cloud services
   2.1 Cloud composition
   2.2 Different cloud service models
   2.3 Industry experience with cloud
3 Why European banks use cloud services
4 Understanding of cloud computing
   4.1 Cloud-specific considerations under a risk-based approach
   4.2 Categorizing the associated control demand of a cloud offering
   4.3 Different roles of banks and Cloud Service Providers
   4.4 Careful consideration of cloud migration
5 Conclusion
Glossary
Annex 1    Use case: IoT
Annex 2    Use case: Online Collaboration
Annex 3-5  Data Use cases preliminary remarks
Annex 3    Use case: Data Lake Processing
Annex 4    Use case: Data Discovery Lab
Annex 5    Use case: Data analysis and regulatory reporting
Annex 6    Use case: Transformational Technologies
Annex 7    Use Case: Early Warning System (EWS)


Abbreviations

AD          Active Directory
ADFS        Active Directory Federation Services
AI          Artificial intelligence
BARE METAL  Base IT infrastructure enabling cloud computing
CAPEX       Capital Expenditure
COBIT       Control Objectives for Information and Related Technologies (by the Systems Audit and Control Association)
CSC         Cloud Service Customer
CSP         Cloud Service Provider
FI          Financial Institution
GDPR        General Data Protection Regulation
IoT         Internet of things
ITIL        Set of detailed practices for IT service management (formerly Information Technology Infrastructure Library)
ML          Machine learning
NCA         National Competent Authority
OPEX        Operational Expenditure
SDLC        Solution Delivery Lifecycle
SLA         Service Level Agreement
VSI         Virtual Server Infrastructure


1 Introduction

Over the recent years, cloud computing has become a significant technological enabler for innovative service development. Cloud allows industries to tap into new service models, utilising its technological advancement for new and better services to customers, improving productivity, cost-efficiency and flexibility of internal business processes. Ultimately, cloud computing can provide a foundation for the digital transformation of the industry in question.

The financial sector is in the process of adopting cloud computing to take advantage of the aforementioned benefits. New opportunities for service delivery to customers, serving their needs and expectations, are as relevant as improving security, reducing costs and improving flexibility in the conduct of business. Cloud can also open new markets and enable mature financial services institutions to find new ways of competing with FinTech market entrants.

The cloud security framework matured fast and heavily. Nowadays, cloud computing seems to be as well-placed as (if not better than) other traditional IT paradigms when it comes to safeguarding integrity and availability. Cloud services embody redundancy, high availability and resiliency thanks to their distributed nature. Public cloud gives the ability to scale at a more significant level than financial institutions would be able to achieve on their own. Resilience, speed and security are the building blocks of cloud offerings and the core business of any Cloud Service Provider (CSP). In most cases, CSPs have stronger security than most individual companies can maintain and manage on-site. Moreover, the big cloud providers have large teams of security engineers and, given that cloud is (one of) their core businesses, they are continuously investing in meeting the strictest and newest security standards that constantly adapt to managing evolving threat vectors and threat actors.

However, cloud adoption by the financial industry has to consider the highly regulated nature of the sector and pay special attention to stability and safety. European banks operate within a framework of financial rules aimed at ensuring proper governance and control of risks (internal governance guidelines), especially in those situations where third parties are involved in the operation of ICT systems [1]. These rules set the framework for supervisory engagement with European banks throughout the entire life of the cloud relationship in the EU's financial sector. Mindful of possible risks triggered by cloud technology, thorough assessments are conducted on the potential impact of cloud on financial institutions' operational risk, to be assessed against the operational risk posture of the current IT environment. Hence, understanding of the technology and its implications for operational processes is critical.

This paper aims to support financial institutions' and competent authorities' understanding of the advantages and particularities of cloud computing in areas such as security, risk mitigation and regulatory compliance.

Significant features of cloud technology in financial services require special attention and consideration. Looking at the fast-evolving cloud service environment as well as the close interaction of European banks with their supervisors in different Member States, a harmonised approach to the considerations presented by national competent authorities (NCAs) will be essential. Cloud computing's potential for agility and flexibility goes beyond the framework of a single jurisdiction. A fragmented understanding of cloud by NCAs regarding key considerations can severely hamper the systematic approach of European banks to cloud, whether they rely on one or multiple providers in a multi-cloud environment. By contrast, a harmonious understanding of cloud across European borders will foster the adoption of public/hybrid cloud and multi-cloud use by European banks in a more unified way.

    "Cloud solutions offer banks the flexibility to tailor the scaling up of capacity to meet their activity levels"

Ultimately, banks would be able to provide more innovative services to their customers across Europe, allowing FIs to focus on their core businesses, while leveraging the specialty of CSPs to provide secure, scalable, reliable, and fast networks and computing.

This paper aims to support the necessary understanding of cloud use by financial institutions. Mindful of the complexity of both the technology itself and banks' careful implementation of it within their business processes, not all relevant aspects of cloud can be addressed comprehensively in this single document. Instead, additional technical papers of the EBF Cloud Banking Forum will target, at a later stage, specific issues of relevance. This is the reason why issues such as cybersecurity, though highly important for the adoption of cloud technology across all industry sectors, will not be developed in detail in the following chapters.

[1] EBA Guidelines on ICT and security risk management (under development)


2 Overview of cloud services

In order to gain a deeper understanding of the advantages and specifics of cloud computing, it is necessary first to take a look at existing cloud compositions and service models.

2.1 Cloud composition

Cloud computing deployment can be distinguished according to three categories:

Public Cloud is a cloud computing environment where cloud solutions are located outside the bank's perimeter. Therefore, within a public cloud setup, not all controls will be operated by the institution itself. This does not change the accountability of Cloud Service Customers (CSCs) under the applicable legal framework. Logical access control functions are provided to the company using publicly hosted cloud services (e.g. through authentication mechanisms); any other company can subscribe to the same services, which are available over the internet.

Private cloud solutions are located inside the banks' own perimeter and therefore leverage all the established controls of the respective bank. Computing resources are used solely by the one single organisation, either physically in the company's on-site data centre(s) ("on-premises") or externally with a third-party provider ("hosted private cloud").

A hybrid cloud solution is an integrated cloud service, using both private and public clouds to perform distinct functions within the same organisation. Hybrid cloud adoption reflects a macro trend common to all financial institutions and is viewed as a key enabler for next generation technologies, free movement of data and integration into the ecosystem.

Hybrid Cloud, for the purpose of this paper, is defined as a cloud computing environment that uses a combination of private cloud (where most financial institutions started their cloud journey) and public cloud services that may include third party service offerings such as Platform as a Service (PaaS), Infrastructure as a Service (IaaS) and Software as a Service (SaaS). These platforms are connected through automation and orchestration tools.

2.2 Different cloud service models

Cloud services know multiple facets of service design, each with effects on the roles of CSPs and CSCs. It is important to recognise that cloud's potential is not limited to simple external data storage, but rather consists of fast-developing service models which will further evolve in the

When looking at these cloud solutions – especially from a risk-based approach – distinctions must be made between different models, triggered by technological differences.

TABLE 1

Infrastructure as a Service (IaaS): Supplies customers with IT infrastructure, provided and managed over the internet on a pay-as-you-use basis, e.g. servers and storage. The two common models of delivery for IaaS are 'bare metal' and Virtual Server Infrastructure (VSI). In the case of bare metal the financial institution or their designee manages the servers, storage, virtualisation, OS, middleware, runtime, data and applications. In the VSI model the financial institution manages the OS, middleware, runtime, data and applications.

Platform as a Service (PaaS): Supplies customers with an on-demand environment for developing, testing, delivering and managing software applications over the internet. The financial institution manages its data and applications.

Container as a Service (CaaS): Offering for container-based virtualisation in which CSPs offer a complete framework to customers for deploying and managing containers, applications and clusters. CaaS offers a completely enabled container deployment service with security and governance control for IT management.

Software as a Service (SaaS): Allows customers to connect to and use cloud-based applications over the internet on a subscription basis, e.g. an online collaboration tool. The entire stack is managed by the service provider.

Within the CSP market, many engagement models deploy these services to market, for example captive models,
fixed-term contracts, open models, pay per use. Considering these different cloud service models, please take
note of the following overview for IT functions in a hybrid cloud environment (example).


[Figure: Hybrid Cloud – IT functions (Application, Data, Operating System, Network) mapped across Public, Hybrid and Private deployments, with Enterprise GUI, CI/CD Toolchain, CaaS, PaaS, SaaS, PS App and Platform Service components]

2.3 Industry experience with cloud

Today, the use of cloud – though innovative and constantly evolving at a technological level – is generally known to European enterprises. SaaS models have been adopted over the recent years, familiarising enterprises with subscriptions to software hosted at CSP facilities.

According to Eurostat, cloud computing usage by EU enterprises grew rapidly over the last few years. While in 2014 it still stood at 19%, in 2016 the number increased to 21% [2]. In 2018, 26% of EU enterprises with at least 10 persons employed purchased cloud computing services [3].

FIGURE 3: Use of cloud computing services and high level dependence on the cloud, 2018 (% of enterprises)
[Chart by country; series: "Use cloud computing" and "High level"]

FIGURE 4: Use of cloud computing services in enterprises, by purpose, 2014, 2016 and 2018 (% of enterprises using the cloud)
[Bar chart; purposes: E-mail; Storage of files; Office software; Hosting the enterprise's database(s); Financial or accounting software applications; CRM software applications; Computing power for enterprise's own software. Series: 2018, 2016, 2014]
Source: Eurostat (online data code: isoc_cicce_use)


3 Why European banks use cloud services

Banks require intensive use of technology for operation. Traditionally this has been solved by on-premises systems, deployed locally on the company's own computer infrastructure. However, the progress of technology has accelerated dramatically, requiring banks to embrace this development in the financial market. They do so consciously and strategically.

Cloud has become a key technology to develop new financial services and to innovate, to collaborate with third parties and to compete in the digital context. The market dictates the speed of change. Flexibility and time to market are imperative for banks, and cloud computing is the technology with the greatest potential to meet both needs. Banks need cloud technology to compete with other non-regulated players entering the marketplace on a level playing field. Innovative, fast-evolving cloud technologies allow banks to take advantage of the best-suited technology for customers and business processes at each moment. Nowadays customers demand immediacy and personalisation. This can require banks to rely on third parties that provide new – sometimes tailor-made – general-purpose services. Cloud also creates opportunities for increasing specialisation. Banks can dedicate their top talent to business problems while leveraging CSPs for non-core capabilities like management of

Recent mergers and acquisitions in the market reflect strategic considerations of market players in terms of promising IT tools for future business operation. Market developments show that the majority of IT tools needed to serve customers' needs will run 'cloud first strategies' in the future. Consequently, slowing down a financial institution's path to cloud adoption might limit the institution's competitiveness compared to FinTechs and Big Techs in particular. Today, banks face an overall trend in the IT industry that can be expected to further increase over time.

A driver for this trend is the opportunity to use cloud for access to transformational technologies. This possibility complements the general benefit of cloud to access vast and increasing volumes of data in a cloud ecosystem. Transformation technologies are fundamentally and rapidly changing the way we think about business today. They are driving a shift of investment from legacy technology and business strategy to investment in more innovative business models, supported by the new innovative technologies, and they are essential for undertakings to remain competitive, viable and potentially more secure. For example, Distributed Ledger Technology promises to transform the speed, efficiency and trust of transaction processing. Analytics and "Big Data" technologies promise to provide many benefits, including advanced insights into complex data sets, driving new business opportunities, reducing fraud and significantly improving cyber security intelligence. Likewise, AI enables increasingly complex interactions between entities, e.g. helping end users with problem solving. These transformation technologies may be rapidly integrated into businesses as part of increasingly complex and dynamic ecosystems, which are often more transparent and resilient than their legacy counterparts. They support increased connectivity demands from clients and stakeholders who increasingly expect rapid access to data and services.

These cloud business relationships and operational cooperation with CSPs help to introduce innovative service solutions, providing hitherto unknown potential for banks' business processes.

One of the big challenges in banking IT is to deal with peaks in computing demand. They may be caused by the typical day cycle (day trading, night processing) or by extraordinary events (e.g. major financial market news, price changes, marketing events). Banks dedicate themselves to the provision of stable, reliable and trusted services for their customers. Financial stability is a prerogative.

The migration from on-premises IT solutions to cloud is a conscious and careful journey for banks. It starts from
and evolves the existing IT structures and services of banks. Gradually, private cloud solutions can be built,
transformed into cloud model combinations and finally embraced in a diverse environment. This journey is not
a disruption, but an evolution:


[Figure: the cloud journey – Private Cloud, Public Cloud, Managed Cloud, Embrace. Managed cloud addresses the management of IT by a third party (specialist), regarding IT as a commodity rather than a business]

Cloud adoption by European banks along this journey is being driven by several factors: the need for
increased agility/flexibility, reduced infrastructure, more transparent cost and security improvements.

   TABLE 6

                                    Traditional IT on-premises                Cloud-based IT

  Flexibility                       Very limited – flexible to grow,         Very large
                                    but costly and slower

  Time to market                    Long                                     Almost instantaneous

  Cost management                   Not possible once the investment         Dynamic, allowing for forecasting
                                    is done

  Impact on Capital ratio           High                                     Like any other profit & losses expense

  Security                          Solutions for existing services,         Dedicated CSP cloud security
                                    based on inhouse-resources and           offerings as part of their core
                                    external support                         business. Allows for in-built service
                                                                             security solutions and dynamic
                                                                             large-scale inclusion of leading
                                                                             tech (e.g. artificial intelligence).

Looking at IT capabilities, guaranteeing stable operations of the financial system requires spare capacity to be available in case of need. Having this capacity available in the banks' inherited model creates a significant cost footprint and the necessity to maintain infrastructure that may (only) be needed on rare but significant occasions. Cloud computing provides an excellent technical solution to computing demand peaks. It allows service providers to make resources available via an accessible network where multiple clients can share the same resources.

Clearly, this requires security considerations. A major concern from a risk and compliance perspective is the network perimeter. CSPs can offer advanced capabilities to individual financial institutions in this area, considering their focus of business and experience in the market.

An example of improved agility can be the move of selected front-end systems, such as broker-dealer systems, by some financial institutions into the cloud. This allows them to scale up at a moment's notice, while interfacing either to their own trusted in-house back-end system or to innovative cloud-based services, e.g. using distributed ledger technology for trade settlement and accounting. In addition, non-core banking functions such as Human Resources and customer relationship management could leverage state of the art cloud service offerings.

In a rapidly changing environment, leaner operating models and a focus on business value are crucial for financial institutions to succeed. Cloud services are not only a technological trend providing ICT solutions with never-seen-before agility/flexibility. They can also have a significant and positive impact on the financial institutions' balance sheets. Traditional on-premises IT infrastructure and developments require an upfront Capital Expenditure (CAPEX), incurred by a business to create future benefits such as the acquisition of assets, which, necessarily, have to be designed according to the maximum workload. The system will not be available until the end of the project, and usually requires large payments in advance. In contrast, cloud-based technology allows financial institutions to add new resources or remove them instantly, as required.

This allows IT resources to scale up and down according to the business' needs and facilitates flexibility by a pay-per-use model. Therefore, IT operations can move from CAPEX to Operational Expenditure (OPEX), incurred for the day-to-day functioning of a business. CAPEX and OPEX are treated very differently for tax and accounting purposes. OPEX allows a formerly fixed cost to be transformed into a variable state. This helps to improve competitiveness, to increase reaction times of institutions to relevant developments and to focus on use case implementation more effectively. Ultimately, it creates business value.

More specifically, this 'CAPEX to OPEX' transformation provides an added value to financial institutions in terms of capital ratio. Today, the current prudential treatment of software discourages the investment that financial institutions make in software assets due to the obligation to deduct them fully from Common Equity Tier 1 capital [4]. There is a need to raise additional CET1 funds to offset deductions. Using cloud services provided by CSPs can ease this tension, leading thereby to a reduction of required capital when deploying new services.

TABLE 7

Traditional approach to financial services: on-premises and community. Supports banks’ need to:
- seamlessly connect with people, organisations, systems and processes across the globe.
- rapidly process, and reliably and safely store and retrieve large and variable volumes of data.
- adapt to the changing needs of clients through offering trusted, high quality and competitive services.
- share common innovative technologies with other financial services to customers and to create new markets.

The target state for financial services: hybrid cloud. Supports a new generation of banking services:
- emerging ecosystems for financial services.
- reduced time to market, increased agility and scalability by enabling more rapid adjustment of IT services to support business operations.
- conversion of fixed-asset product-based overheads to variable service-based assets (CAPEX to OPEX).
- “Immersion” of banking services into client systems becomes more feasible; clients can get the business services they need on demand, triggered by the ability to simultaneously use common “services”.

[4] Amendments introduced in the final text of the CRD/CRR Review (published 7 June) allow certain investments in software assets to be exempted from this deduction. However, this exemption only applies to those software assets that meet certain conditions (as specified by the EBA in regulatory technical standards to be developed) and only applies two years after the entry into force of the Regulation, see Article 36 (1) (b), Article 36 (4).
[5] See “The NIST Definition of Cloud Computing”, Special Publication 800-145, Sep 2011:


4 Understanding of cloud computing

The views of cloud computing by regulators, technologists and service users are different. Although not conflicting, they need to be balanced to enable the most effective use of cloud technology in financial services.

To attain a higher level of maturity, a mutual understanding and agreement needs to be fostered through coordination and communication between regulators, technologists and service users. The specifics of cloud technology and its control demand need to be understood and reflected upon carefully.

Four important basics regarding data ownership and management shall be postulated upfront, unaffected by rising cloud adoption:

ONE: Banks continue to own their data.

TWO: Banks will choose the geographic location(s) in which to manage their data.

THREE: Banks can download or delete their data whenever they need to.

FOUR: Banks should consider the sensitivity of their data and decide how to protect it or make it available, i.e. by using suitable cryptographic services for encryption and authentication.

Based on these statements, this paper aims to present different cloud service models, elaborate on the necessary risk-based approach, help the categorisation of the control demands in a cloud environment, show the banks’ respective awareness and highlight their careful migration to cloud.

4.1 Cloud-specific considerations under a risk-based approach

As required by the applicable regulation, both banks and NCAs assess the cloud computing adoption – regarding a specific use case – with a risk-based approach.

However, this makes a common understanding of cloud computing risks and available controls fundamental. As any transformation of complex services may suggest, the journey to a well-controlled cloud adoption requires careful assessment and mitigation of potential risks.

A common understanding enables:
- a common “language” or framework for understanding, assessing and communicating relevant and beneficial cloud computing principles and control objectives.
- a consistent means to prioritise the most significant risk management activities related to cloud adoption and use.
- a unified position between the EBA/NCAs and banks, to send clear signals to cloud service providers and technology innovators about specific financial services requirements.

Factors that must be taken into consideration are:
- the cloud service models (e.g. SaaS, PaaS and IaaS), aligned to traditional computing control areas, where the level of risk relates to the cloud service model selected. In these models, risk management and the operation of IT activities are shared between cloud service providers and cloud service customers. The “balance” of responsibility for IT control management shifts from cloud service provider to service user as we move from the top of the stack, e.g. SaaS, to the bottom of the stack, e.g.
- the cloud deployment model (e.g. internal, public, and hybrid), where routine accountability remains primarily with the CSCs who selected the model for their business, and where their data subjects need to be supportive and informed about data management, data location and network management.
- the specific characteristics of cloud computing (e.g. self-service, accessibility across networks, resource pooling, rapid elasticity, metered services), where governance controls are necessary to provide timely management information and escalation/response in case defined thresholds are breached.

Key risk areas for cloud computing must be understood in the context of cloud computing’s technological features and service design. Operational risks relate both to the adoption of cloud computing and to the operation of cloud services. As in any other service relationship, all cloud computing risks need to be evaluated prior to any planned cloud migration, and managed when performing operations in the cloud. Therefore, the already existing IT control processes of banks, based on standards such as COBIT or ITIL, need to be reviewed in light of cloud specifics.

4.2 Categorising the associated control demand of a cloud offering

The risk of the different cloud service models needs to be identified, assessed and managed by banks. This requires an understanding of how risk in cloud services can be distinguished and rated, creating the respective control demand.

European banks are well aware of the attention that such control demand deserves. Operational and financial stability are core concerns prior to and during the usage of cloud services. Consequently, the selection of services and their migration to cloud are conducted consciously.

Cloud operates on the shared ‘responsibility’ model. This means that, depending on how the financial institution is consuming cloud, both the CSP and the financial institution must understand their areas of responsibility with regard to the control landscape.

This is not to be confused with the concept of accountability. Accountability remains fixed with the financial institution regardless of what services are being obtained from the cloud. ‘Responsibility’ for the purpose of this paper should be understood as a term allowing for clear definitions of who is operating specific controls (the CSP or the financial institution) and what level of visibility the financial institution has into how those controls work. There are several ways this can be accomplished by having a well-defined approach with the CSP.

Different from other IT paradigms, cloud computing comes with technological dimensions and features that can have a positive effect on the control demand.

In order to be fully aware of the evolving service characteristics, five major dimensions need to be considered regarding the control demand of a particular cloud offering.

- The layer of abstraction sourced, e.g. the selected cloud service model and use case. In general, in IaaS the CSC is using an IT infrastructure deployed and managed by the CSP, but all processes and activities implemented on this infrastructure remain under the full control of the institution (e.g. workload distribution, Solution Delivery Lifecycle, application changes). Going up the stack, the involvement of the partner in the activity will increase. Using PaaS, workload distribution will be controlled by the partner. With SaaS, the application management, including changes (content and timing), will not be handled by the institution anymore. However, not all services are equal: for instance, there are IaaS services like Grid IaaS where some additional components will be managed by the CSP, while in other SaaS implementations processes such as identity and access control can remain under control of the CSC. Ultimately, a specific control assessment will be needed for each cloud service. It is important to note that IT general controls remain relevant regardless of where they are operated.

- Ownership of the control framework. The framework includes relevant network perimeter control, access management and internal enforcement of rules. Using a visual: the network perimeter can be compared to a city wall. The wall itself and everything inside follows internal rules. Access is granted at the gate under control of the “city council”. This means for cloud solutions that in a bank’s private cloud the network perimeter control and access management are still with the institution, whereas in a public cloud this control leverages the features implemented and offered by the bank’s partner (the CSP) outside the “city wall”.

- The legal and regulatory context. Depending on the jurisdiction applying to the cloud service contract, the activity supported by the cloud usage or the location of the data/compute, different levels of data access and control may be needed. Laws and regulations may specify requirements for regulatory notification and approval for the use of cloud computing for regulated activities and reporting of material incidents.

- Criticality of data. Different categories of data can be drawn, according to their sensitivity and the data subject. Thus, customers’ sensitive personal data require higher protection than public data used for intra-day risk computing.

- Criticality of function. This dimension outlines how dependent the day-to-day operation is on the function sourced through a cloud service. The criticality is affected by the impact of the function when not performed properly. For example, while an institution’s business processes could run without an HR system for a short period of time, this is not true for the core banking system, which would bring the institution to a halt when failing.

To provide for a better visualisation of the risk dimensions, please consider the following rating grid. Each dimension is assigned a numerical value according to the described features:

TABLE 8

Dimension | 1 | 2 | 3 | 4 | 5
Layer | IaaS based on market standards | IaaS plus vendor specific additions | PaaS based on market standards | PaaS with vendor specific additions | SaaS
Control | Private setup | Hybrid, within network perimeter, all accesses are controlled by | Hybrid, within network perimeter, accesses are partially controlled | Hybrid, with partial public setup outside of network perimeter control | Public setup
Legal and regulatory context | Only an EU home country regulation applicable | Only EU country regulation applicable (but of more than one Member State) | Mainly EU regulation applicable but also “recognised” third countries regulation | Mainly non-EU regulation applicable but from “recognised” third countries | Regulation of “non-recognised” third countries applicable
Criticality of data | Public data | Internal “low-relevance” non-identifiable data | Internal relevant non-identifiable data | Internal relevant identifiable data | Internal relevant identifiable sensitive data
Criticality of function | Replaceable and not relevant part of core processes | Replaceable but necessary for internal processes | Necessary for external processing | Part of core process, necessary for full function, recovery target in disaster recovery up to 48h | Unavoidable part of core process

European banks consider these control dimensions carefully for the identification of cloud-related risks and their management. Weighing the dimensions’ interactions and connecting their numerical values, the following spider chart shall give an indication on how to support awareness visually and how to guide attention within the risk assessment by banks for individual cloud service constellations.

The higher the assigned number for each risk dimension, the more attention to control is likely to be required by the bank. Visualising the dimensions altogether, figure 9 allows for a graphical understanding of the need for attention to cloud particularities (according to the growing size of the encircled area). It can be used to trigger respective risk management attention: the bigger the area, the more attention to control should be dedicated to the service from a risk management perspective.

To provide for an example, the spider chart below contains the intra-day risk computation for a trading operation[6]. This example case is:
- running on hardware which is hosted in the bank’s home country (legal context),
- utilising vendor specific additions to an IaaS cloud service (layer).
- If the bank’s workload exceeds certain thresholds beyond the on-site compute capacity, additional capacity in a public cloud will be leveraged (burst to public cloud). For the purpose of this example, the trading operation in question is considered low with regard to criticality of function, using non-critical data.
- However, the public cloud is not within the bank’s network perimeter (control framework).

FIGURE 9

Spider chart with five axes (Criticality Function, Layer, Control Framework, Legal Context, Criticality Data; scale 0 to 5). Ratings plotted for the example case, in legend order: Layer 2; Control Framework 5; Legal Context 1; Criticality Data 1; Criticality Function 2.

Once the control demand has been understood, a balanced approach can be applied. For example: in the given case in figure 9, data is considered non-sensitive and public (transaction execution on a regulated market). As a result, no advanced controls for data protection have to be added. The extent of necessary controls will be directly driven by the risk exposure. The ability of the institution to control the risk can be directly derived from the combination of the level of control tooling provided by the CSP and implemented by the bank – allowing a more accurate expression of the level of exposure due to cloud computing – and the exposure itself.

For more examples, please consider the Annex.
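To make the figure 9 reading reproducible, the following Python, added here and not part of the paper, grades a constellation on the five Table 8 dimensions, computes the area enclosed on the spider chart and names the dimensions that drive attention. The figure 9 case is taken from the paper; the second constellation (a core banking system consumed as SaaS) is a constructed comparison case, not one the paper gives.

```python
"""Added example (not the paper's own code): grading a cloud service
constellation on the five Table 8 dimensions and computing the area enclosed
on the figure 9 spider chart, which the paper uses as a visual indicator of
how much control attention a service needs."""
import math

# Axes in the order of the figure 9 legend, each graded 1 (least demanding)
# to 5 (most demanding) according to Table 8.
DIMENSIONS = (
    "layer",                 # IaaS on market standards (1) ... SaaS (5)
    "control_framework",     # private setup (1) ... public setup (5)
    "legal_context",         # EU home country only (1) ... non-recognised third countries (5)
    "criticality_data",      # public data (1) ... identifiable sensitive data (5)
    "criticality_function",  # replaceable, non-core (1) ... unavoidable core process (5)
)

# The figure 9 case from the paper: intra-day risk computation for a trading
# operation on vendor-specific IaaS, bursting to a public cloud outside the
# bank's network perimeter, hosted in the home country, non-critical data.
INTRADAY_RISK_BURST = {
    "layer": 2,
    "control_framework": 5,
    "legal_context": 1,
    "criticality_data": 1,
    "criticality_function": 2,
}

# Constructed comparison case (an assumption, not from the paper): a core
# banking system consumed as SaaS from a public cloud, holding personal data.
CORE_BANKING_SAAS = {
    "layer": 5,
    "control_framework": 5,
    "legal_context": 3,
    "criticality_data": 5,
    "criticality_function": 5,
}


def rating_errors(rating):
    """Return a list of problems with a rating; an empty list means it is usable.
    Every Table 8 dimension must be present with an integer grade from 1 to 5."""
    errors = []
    for dim in DIMENSIONS:
        if dim not in rating:
            errors.append(f"missing dimension: {dim}")
        elif not isinstance(rating[dim], int) or not 1 <= rating[dim] <= 5:
            errors.append(f"{dim}: expected an integer 1..5, got {rating[dim]!r}")
    for dim in rating:
        if dim not in DIMENSIONS:
            errors.append(f"unknown dimension: {dim}")
    return errors


def spider_area(rating):
    """Area of the polygon drawn by plotting each grade on its own axis, the axes
    evenly spaced around the origin. With n axes 2*pi/n apart the polygon splits
    into n triangles, so area = 1/2 * sin(2*pi/n) * sum(r_i * r_{i+1}), indices
    cyclic. The value depends on the axis order, so keep the figure 9 order
    when comparing services."""
    errors = rating_errors(rating)
    if errors:
        raise ValueError("; ".join(errors))
    n = len(DIMENSIONS)
    r = [rating[dim] for dim in DIMENSIONS]
    return 0.5 * math.sin(2 * math.pi / n) * sum(r[i] * r[(i + 1) % n] for i in range(n))


def attention_share(rating):
    """Enclosed area as a fraction of the largest possible area (all grades 5):
    the paper's 'bigger area, more attention' reading of figure 9 as one number."""
    maximum = {dim: 5 for dim in DIMENSIONS}
    return spider_area(rating) / spider_area(maximum)


def driving_dimensions(rating, threshold=4):
    """Dimensions graded at or above the threshold, i.e. where control attention
    goes first. For the figure 9 case this is the control framework alone,
    because the burst capacity sits outside the bank's network perimeter."""
    return [dim for dim in DIMENSIONS if rating[dim] >= threshold]


def rank_by_attention(cases):
    """Order named constellations from most to least control attention needed."""
    return sorted(cases, key=lambda name: spider_area(cases[name]), reverse=True)


if __name__ == "__main__":
    cases = {"intraday_risk_burst": INTRADAY_RISK_BURST,
             "core_banking_saas": CORE_BANKING_SAAS}
    for name in rank_by_attention(cases):
        print(f"{name}: area={spider_area(cases[name]):.2f} "
              f"share={attention_share(cases[name]):.1%} "
              f"driving={driving_dimensions(cases[name])}")
```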

4.3 Different roles of banks and Cloud Service Providers

The visual tools under 4.2 help to understand and assess the potential impact of cloud adoption on the operational risk of institutions. Central to such assessment is an understanding of what controls are in place and what party is in charge of them. It is important to recognise that cloud computing offers a more nuanced controls landscape than traditional IT services. In turn, the responsibilities within this landscape require an understanding of how CSPs and financial institutions in their role as CSCs work

This in no way implies that financial institutions are not living up to the responsibilities placed upon them by financial regulation as the basis of continuous financial supervision. The accountability of banks remains unquestioned[7]. European banks take risk control and financial stability very seriously, not only for reasons of regulatory compliance but to deliver the best service possible for their customers.

Nevertheless, cloud computing is shaping different roles for the parties involved. Traditionally, when third parties are involved in the provision of a service, customers specify to them their service demand, followed by the supplier building a solution to meet the customer’s requirements. Afterwards, the supplier manages and operates the solution on behalf of the customer. In the case of cloud solutions, the CSC does not always fully delegate these functions to the CSP, but the business model is based on the CSP having product offerings that the customer can use on a consumption basis. The CSC itself is responsible for building and configuring its services in the cloud as it sees fit, and the CSC remains responsible for the management and operation of the service.

Service hosting controls and service management controls are distinct from one another. Where a CSP supports hosting, and a CSC supports the management of its computer controls, this needs to be viewed as a combined responsibility. Where both hosting and management are supported by the CSP alone, this is more akin to traditional outsourcing.

IaaS and PaaS cloud computing customers are building systems on top of cloud infrastructure. Although the CSC is always accountable and required to supervise and monitor any process affecting its activities, the “low level” security and compliance responsibilities are usually divided between the CSP and financial institutions as CSCs. The latter control how they create the architecture and secure their applications and data put on the infrastructure. The CSPs on the other hand are responsible for providing services in a highly secure and controlled environment as well as providing a wide array of additional security features. A generic compliance structure for CSPs facilitates the understanding of the control environment and risk mitigation implemented by the service, supporting a high level of transparency. The level of information provided by the CSP shall be sufficient to ensure the financial institution can make informed security decisions instead of decisions based on a notional perception of security.

[7] See above Chapter 4.2

Consequently, banks and CSPs operate with the help of a nuanced controls landscape, as indicated by this exemplary orientation:

FIGURE 10

Shared management of the technology stack across four models: Enterprise IT (Legacy IT)*, Infrastructure (as a Service), Platform (as a Service) and Software (as a Service). The stack, top to bottom, comprises Applications, Security, Databases, Operating System, Virtualization, Servers, Storage, Networking and Data Centers. In each column every layer is marked either “Customer Managed” or “Provider Managed”: under Enterprise IT all layers are customer managed, and the customer-managed share shrinks through IaaS and PaaS to SaaS, where the provider manages most of the stack.

*If operated by the own entity

The technological nature of cloud, paired with distinct roles for both CSPs and CSCs, requires a close look at the division of controls for a cloud service in question. In order to reflect this evolving controls landscape in banking supervision, NCAs are invited to consider figure 10 carefully when assessing the management of relevant risks by banks according to applicable financial regulation. The cloud service models PaaS and SaaS show a visible difference to other IT paradigms.

To reflect the cooperative nature of the controls landscape, please consider the following controls origin:

FIGURE 11

- Controls “inherited” from the cloud service provider: managed by the CSP. E.g. physical & environmental.
- Common controls: managed separately by both CSPs and CSCs. E.g. patch & config management; cyber security; employee training & awareness; employee screening.
- Controls specific to cloud service customers: managed by CSCs. E.g. service & communications’ protection; sensitive data protection; data location; data deletion/porting.

Based on the figure at: . While innovative cloud services constantly evolve, thereby preventing an exhaustive and static overview, this simplified visual will help to understand the distinction between management features according to the cloud services in question.
Projecting the understanding of the different roles in the controls landscape onto the cloud service models available, please consider figure 12. CSCs remain accountable for computing, although with cloud computing they no longer operate all the IT controls in the cloud computing infrastructure themselves. The responsibility for the management and operation of IT controls may be shared with CSPs. The degree of control allocation depends largely on the cloud service model, with more controls managed and operated by CSCs in IaaS than in SaaS.

        FIGURE 12



The environment of cloud services provided to financial institutions is continuously developing. Based on the understanding of control demand, control origin and shared responsibility, the institutions can engage with CSPs on a new operational process that may be required to manage the relationship and the shared obligations effectively.

4.4 Careful consideration of cloud migration

Business users of cloud services need to consider various issues before moving their own activity into cloud service productivity tools. European banks choose a strategic and carefully planned approach to using cloud computing9, which has a positive effect on the identification and management of risks10.

     9 See Chapter 3 for the banks' journey to cloud.
     10 See Chapter 4.2 for the support tool regarding risk awareness.

Cloud solutions provide technological opportunities to lift an application or landscape out of its current hosting environment and shift it to another, for example a lift-and-shift of on-premises hosting to the public cloud. This would include a migration of the three top layers: application, database and OS. Besides the speed of such a migration, advantages can include cost-effectiveness, reduced disruption and a quick return on investment.

However, such technical solutions for rapid migration do not automatically imply that financial institutions seek out cloud solutions in a less secure – because rapid – way. Quite the opposite: "lift-and-shift" solutions are weighed by financial institutions in the light of responsibility and the regulatory framework. While companies may choose to "lift and shift" in terms of moving applications in their current state, meaning no modernisation or other changes, they still re-evaluate the control landscape. Careful planning and agreements are necessary not only regarding controls, but also regarding the operational processes that will be required to manage the relationship between the CSP and CSC effectively. This can include organisational steps such as monthly Service Level Agreement (SLA) and risk reporting meetings, periodic reporting to executive management and/or the board, as well as other actions, depending on workload and data criticality. Consequently, financial institutions consider a transformative development towards cloud on the basis of a carefully established cloud migration strategy. This strategy clearly defines the business outcomes the financial institution is seeking and the timeframe to achieve predefined goals.

A careful adoption of cloud in the financial industry should consider general assumptions:

-       Appropriate standardisation of technology components and services, interfaces and controls can enable universally understood, seamless and secure interconnectivity and appropriate isolation between cloud-ready networks.

-       A gradual cloud adoption uses commonly understood service models and use-case scenarios, driving towards the highest possible level of abstraction from technology resources.

Figure 13 shows the typical landscape of a financial institution's services, ranging from highly customised platforms (lower left corner) to highly generic software as a service offerings (upper right corner, box labelled No. 4).

   FIGURE 13

   Target Technology Framework – Overview: Technology Areas

   A = INTERNAL NETWORK, B = EXTERNAL NETWORK

   1  Consumer & Client: private and business clients, internal hub, branch, employee, systems like PoS and ATM; connected by internal and external network.
   2  Security: client, data and system protection for all areas; functional federation to the areas, but central data analysis.
   3  Management & Control: service management, resource placement, utilisation, monitoring and commercial management; functional federation to the areas.
   4  Software as a Service, internal (use cases with compliance requirements to stay internal, incl. security / access governance, commercial and technology interface) and external (use cases incl. security / access governance, commercial and technology interface). Start with the highest level of abstraction.
      Private Cloud (IaaS, CaaS and PaaS) on the internal side and Private Virtual Cloud – Data (IaaS, CaaS and PaaS) on the external side, joined as a Hybrid cloud: platforms for virtualised environments, container technologies, databases as a service, etc.
   6  Shared Infrastructure on both sides, with Lift / Shift between them: consolidation on shared hardware where systems don't move to platforms for technical or economical reasons.
   7  Specialised Infrastructure on both sides: physical hardware / appliances supporting revenue generation and competitive advantage scenarios.

   IaaS, CaaS, PaaS, SaaS = Infrastructure-, Container-, Platform- and Software-as-a-Service; VM = Virtual Machine; example of a common abstraction layer.

For the banks to leverage cloud technologies, an educated decision must be taken on whether cloud service and deployment models will best suit the banking service needs according to efficiency, effort to migrate, security, complexity and interoperability, and which models these are.

This can be achieved by mapping the status quo and the future needs for the cloud service layers as part of the above-mentioned cloud migration strategy:

ONE - consistent interface layer for all consumers.

TWO - federated and requirements-based implementation of security.

THREE - orchestrated monitoring and control.

FOUR - internal and external SaaS to be considered if the function is standardised across markets.

FIVE - compatible, interoperable Hybrid Cloud Compute Platform.

SIX - use available IaaS where it is not economically viable to transform to the Hybrid Cloud.

SEVEN - use specific infrastructure only if needed, e.g. for latency aspects; keep the overall footprint low.

Following these steps, banks can achieve a fit-for-purpose adoption of cloud services. Combined with a sound awareness of the controls demand11, a well-controlled cloud environment for financial services can be established.

On their journey to the cloud, financial institutions can consider – within their individual cloud migration strategy – certain helpful elements for different steps of the way:

        TABLE 14

        Explore:   Understand the Cloud; Understand Value Prop; Chart Cloud Landscape
        Envision:  Recognize the Case for Change; Drive Shared Vision; Analyze Cloud Opportunities; Build the Business Case
        Enable:    Define Adoption Approach; Select Cloud Providers; Upgrade the Organization; Revamp Tools and Processes
        Execute:   Rethink Enterprise Arch; Design Solutions for the Cloud; Implement and Integrate Solutions; Operate in the Cloud

        Source: 'To the Cloud: Cloud Powering an Enterprise'12

     11 See Chapter 4.2.
     12 Pankaj Arora, Raj Biyani, Salil Dave, 'To the Cloud: Cloud Powering an Enterprise', 2011, McGraw Hill.
Unaffected by the technological development and the changes of IT architecture, European banks serve their customers with service solutions covering the full range of financial needs. However, cloud technology can add a new dimension to the IT management that underpins financial services. Within the cloud environment, banks – utilising cloud computing for the benefit of customers and business processes – find themselves at the nexus of this modern service operation. In addition to the traditional infrastructure dimension, IT evolves into the role of 'Service Broker'. Management skills, e.g. regarding vendor relationships, become important.

European banks carefully design their journey to cloud in accordance with such an envisaged 'Service Broker' function. It allows business operation in a multi-cloud environment, utilising service solutions from a multitude of CSPs. While doing so, financial institutions stay alert to the consequences for operational risk and the control capacities. Ultimately, attention by institutions and NCAs – based on a risk-based approach – should focus on the management capabilities of banks for the indicated service brokerage. Applying the management function, European banks then use the changed IT capacities for the execution of traditional as well as innovative financial services.

   FIGURE 15

   IT as Service Broker

   Consumers served: AppDev, End User, Clients
   Service layers brokered: Bare Metal, IaaS, CaaS, PaaS, SaaS
   Hosting options: Physical, Virtual, Private Cloud, Public Cloud


5 Conclusion

The gradual adoption of cloud computing is a macro trend common to all industries, progressing at a measured pace as the industries, including the financial sector, gain maturity in their understanding of cloud and their capabilities increase. Used wisely, it can help to control cost in a more efficient way, improve the flexibility of the business model, allow operational specialisation and improve resilience. With cloud computing further evolving, more advantages are expected to become apparent in the future. As IT is the backbone for banking operations, associated efforts are a big contributor to healthy and competitive financial institutions.

Cloud computing is a key enabler for a successful data economy and service delivery, as it can seamlessly connect banks with other financial institutions, customers and FinTech innovators. The pervasive and secure use of cloud – benefitting customers and banks alike – supported and consistently governed through a risk-centric approach by banks is in alignment with the already existing risk management culture of banks.

As much as cloud computing supports financial innovation, the understanding and quantification of risks associated with new technology is often a challenge. That is why it is important that the risks perceived by banks are reconciled with those risks of greatest concern to regulators. Acknowledging the fast-developing cloud environment, European banks and CSPs aim to support this process. Based on a thorough awareness of risk dimensions, banks carefully migrate services to cloud with attention to consistency, security and corresponding risk management. The visualisation provided under Chapter 4.2, picked up further by examples in the annex, aims to support this awareness. CSPs, on the other hand, actively engage with their customers to provide services in a highly secure and controlled environment. Together, both parties operate in the face of cloud-specific control demand and an evolved controls landscape following the innovative technological nature of cloud.

NCAs are invited to consider the aspects presented in this paper when conducting their own assessment of institutions' risk identification and management with regard to cloud services. This should reflect the increasing 'service brokerage' role of institutions for their IT capacities, based on cloud solutions in a multi-cloud environment. Resting on the EBA GL and following their own risk-based approach, NCAs find themselves in a key position to contribute to a harmonised supervisory framework for cloud adoption in Europe. Without a common understanding of cloud by regulators, European banks and CSPs, different national approaches could provide for regulatory fragmentation across Europe, ultimately hampering cloud adoption by financial institutions.

This paper aims to contribute positively to the discussion on cloud, sharing fundamental information as a basis for current and future supervisory engagement with European banks and CSPs. A harmonised regulatory approach to cloud will help to facilitate its innovative potential in finance, foster its adoption by the European banks and aid the financial sector in further endeavours of digital transformation.


Back-end systems         Systems which do backend processing of data which can be accessed
                         e.g. by front-end systems (e.g. ledgers, booking).

CaaS                     Offering for container-based virtualisation in which CSPs offer a
                         complete framework to customers for deploying and managing
                         containers, applications and clusters. CaaS offers a completely enabled
                         container deployment service with security and governance control for
                         IT management.

CI/CD toolchain          Continuous integration and continuous deployment of code changes
                         into existing instances at any time, not being restricted by predefined
                         release cycles or change windows. To enable this, highly standardised
                         coding and testing principles are necessary, as well as highly automated
                         test and deployment procedures to control the risk of change.

Cloud computing          An innovation in computing that allows for the use of an online network
                         ('cloud') of hosting processors so as to increase the scale and flexibility
                         of computing capacity. Cloud allows industries to tap into new service
                         models, utilising its technological advancement for new and better
                         services to customers, improving productivity, cost-efficiency and
                         flexibility of internal business processes.

Cloud deployment model   Defines rules and guidance on where workloads are deployed. For
                         example, highly critical workloads are to be deployed on a private cloud,
                         while low-criticality functions can be deployed on a public cloud.

Cloud service model      Outlines the usage of cloud services with the definition of IaaS, PaaS,
                         CaaS and SaaS.
