Change The Way You Change How can banks stay ahead of the curve? August 2019 Change The Way You Change| How can banks stay ahead of the curve?
Executive Summary
Cloud’s benefits and value for banks Key success factors for cloud Cloud cyber security Cloud enables banks to improve their transformation Cloud services extend the IT footprint of agility, drive innovation by tapping into Any cloud transformation must start organisations, which might impact the risk cutting-edge technology, leverage industry- with the definition of a cloud strategy of cyber attacks. Robust arrangements specific solutions, and shift their spending aligned with the organisation’s broader for cyber security should therefore be put paradigm from CapEx to OpEx. business strategy, followed by a definition in place. These should cover seven cyber of risk management and governance domains: Network and infrastructure Why have banks been reluctant to use requirements, and a financial analysis security; Identity and access management cloud? justifying the investment. The subsequent (IAM); Data protection; Logging and Regulations, data security, the challenges actual migration to the cloud will call Monitoring; Resilience; DevSecOps; and of transformation to the cloud and the risks for a corporate culture change to drive Governance, Risk, and Compliance. associated with the outsourcing of critical innovation and fully leverage cloud processes have so far discouraged many capabilities. How to select the right cloud service banks from adopting the cloud. Reacting provider to that, major cloud service providers have Compliance with regulatory Finding the best cloud service provider for increased their global physical presence requirements your use cases depends on your current and have already resolved many issues Using cloud services raises complex and future operating model, your own around regulatory and legal obligations, questions about compliance with service offerings and the type of delivery e.g. regarding data location. Transformation regulations, because processing sensitive model you want (IaaS, PaaS, or SaaS). challenges can be overcome by adopting information or client identifying data (CID) Deloitte recommends a framework for a structured approach to adoption of the comes under strict rules. These have so assessing your operating model and the cloud. A thorough risk assessment and far prevented many banks from embracing service offerings of potential cloud service ongoing vendor management process (i.e. the cloud. Since regulations differ between providers, from different perspectives: an ongoing process aiming at nurturing and countries, this report presents the regulatory aspects; compliance; cyber developing the relationship with the vendor general considerations (country-specific security; and technology issues. To avoid to get the most out of their products) considerations can be obtained from your vendor lock-in and comply with legal should enable banks to mitigate data risks local Deloitte offices). obligations, we also recommend banks to and third party risks. go for a multi-cloud strategy.
2 Change The Way You Change| How can banks stay ahead of the curve?
3 Change The Way You Change| How can banks stay ahead of the curve?
Introduction 05 Cloud specifications and meaning 08 Benefits of the cloud for banks 09 Why have banks been reluctant to use the cloud? 12 Key success factors for cloud transformation 16 Cloud cyber security 25 Selecting the right cloud service provider 29 Conclusion 33
Contacts 34 References 35
4 Change The Way You Change| How can banks stay ahead of the curve?
Introduction
Cloud is not the future or an emerging trend anymore: it is the present and it constitutes a critical tool for financial institutions to stay competitive in today’s challenging business environment. Success with process re-engineering and efforts at digitalisation with emerging technologies such as artificial intelligence are dependent on cloud computing. Banking regulators and supervisors recently published guidelines to encourage banks to make more extensive use of cloud services, whilst at the same time stating that banks cannot relinquish their accountability of outsourced IT services.
This report provides an independent perspective on the major opportunities and risk management issues, but also - based on our practical experience - a high-level roadmap to cloud transformation and the common pitfalls that banks should consider. This report also provides tools to answer certain questions about IT: •• How can we seize opportunities while mitigating risks? •• How can we keep up with innovation while not making costly mistakes? •• How do we survive and thrive in the cloud?
5 Change The Way You Change| How can banks stay ahead of the curve?
Leveraging cloud offerings represents I wait until next year?” Embracing the a shift in management attitudes– cloud is a matter of survival in a business Use Case: Deutsche organisations are moving away from a do- environment where innovation, disruption Bank and Quantiguous it-yourself mentality towards using external and competition are pushing banks to Solutions providers with scalable, flexible, faster and improve efficiency and become more agile, “Deutsche Bank today announced sometimes cheaper services. While some while adding value for their customers. that it has acquired Quantiguous organisations are apprehensive about Successful leaders should think ‘cloud Solutions, a Mumbai-based using the cloud, it is an integral component first’ if they want to survive in today's fast software company, to strengthen of today’s service-delivery model and it evolving and competitive marketplace. its Global Transaction Banking enables banks to tap into new market franchise. With the help of opportunities and access new delivery Quantiguous, the bank will channels. accelerate the development of its Open Banking platform that forms Many suppliers and banks are therefore the core for developing innovative moving to a ‘cloud first’ strategy. Cloud client applications and connecting deployments with off-the-shelf offerings corporate clients, FinTechs and are becoming ubiquitous, while on-premise partner companies to Deutsche deployments are becoming the exception. Bank’s Transaction Banking Many RegTech companies [1] offer software platforms and services.” [2] as a service out of the cloud. Banking- focussed boutiques offer managed services which are already compliant with banking regulations across all technology layers (from the infrastructure up to the software), enabling banks to accelerate their adoption of the cloud by providing out-of-the-box compliance with industry- specific regulations.
Banks and major cloud service providers are on a collision course. For example, Amazon offers cash services, credit cards and other basic financial products including Amazon Pay. Another example is Alibaba with its spin-off AliPay, which has over 900 million customers, far more than the largest US bank. Both Alibaba and Amazon have improved their ability to offer business banking services on their platforms. More broadly, there are predictions that devices such as Alexa, Siri or Google Home will be the future of banking, since these smart AI bots will act as a financial assistant in everyday life. To get financial guidance, imagine asking Siri: “Can I afford this car now or should
6 Change The Way You Change| How can banks stay ahead of the curve?
Cloud quick ckeck – Is your bank getting cloud right?
01. Do we understand how cloud can help us reach our strategic objectives? □□ Yes □□ No □□ Better get some advice
02. Do we know which parts of our business will benefit from cloud? □□ Yes □□ No □□ Better get some advice
03. Is your team nervous about transitioning to the cloud? □□ Yes □□ No □□ Better get some advice
04. Do you know what your competitors are doing with cloud? □□ Yes □□ No □□ Better get some advice
05. Can our bank remain competitive without using cloud? □□ Yes □□ No □□ Better get some advice
7 Change The Way You Change| How can banks stay ahead of the curve?
What is Cloud? computing, storage and networking for traditional BPO is to reduce labour costs, customers to build scalable applications. BPaaS reduces labour costs through The cloud consists of a broad range of AWS EC2 is an example of IaaS providing increased automation and economies of offerings where services are provided by ‘virtual machines’. scale. As an example, Deloitte’s BPaaS an external third party and purchased offerings provide managed logs analytics as a service. Offerings vary from basic •• Platform as a Service (PaaS). One level and managed cyber risk with specific computing resources, to platforms, to above IaaS, PaaS provides a managed industry skills, especially for customers in fully functional software ready to deliver environment to develop applications highly-regulated industries. business value. These are referred to such as a Java runtime or a NoSQL respectively as Infrastructure as a Service database. Google Cloud’s App Engine is (IaaS), Platform as a Service (PaaS) and an example of PaaS providing a managed Cloud stack Software as a Service (SaaS). Java, Python, Go or node.JS environment for developing applications without A cloud stack is a software layer that can the need to manage the underlying be deployed on computing infrastructure Cloud deployment models infrastructure. to provide a cloud environment. As an example, Microsoft installs an Azure layer •• Public cloud (off-premise or external): •• Software as a Service (SaaS): This or stack on top of dedicated hardware (e.g. cloud computing services provided by provides user-ready, out-of-the-box HPE, Dell or Lenovo) which creates the suppliers to multiple customers via a software providing a specific built- Azure environment. An Azure Stack can cloud computing architecture that allows for-purpose business service to the also be deployed in a private data centre to customers to share computing resources. customer. Microsoft’s Office 365 is an simulate some features of Azure cloud in a Telekom Cloud or DigitalOcean are example of a SaaS, where customer can private environment. examples of public clouds. A hyperscale use the service without managing any public cloud is a category of public cloud aspects of the underlying software and “Many large corporations, especially those providing a larger pool of resources, infrastructure. for which security is important, such as serving millions of users and combining •• Managed Services (MS): MS are an banks, have tended to prefer private cloud, hundred thousands of individual additional layer of services delivered or a public/private hybrid, because of the computers into a low cost resource on top of cloud services, to manage additional security, perceived or actual, pool with maximum availability. AWS, processes such as 24/7 SLA monitoring, it provides. This hesitancy on the part of Microsoft Azure, IBM, Oracle, Alibaba and operational management, liability large companies is disappearing. Where Google Cloud are prominent providers of frameworks, ecosystem integration, they can, they now tend to deploy public hyperscale public clouds. audit, security, fail-over management, rather than private cloud.” [3] •• Private cloud (on-premise or internal): compliance and other processes. In the cloud computing services owned and banking industry, Avaloq’s Managed operated on-site by a single organisation. Services offering ensures that banks are in compliance with regulations •• Hybrid cloud (integrated public and and manage all the operational and private service): a mixed environment regulatory aspects of the underlying combining public cloud and private cloud systems. or on-premise solutions. •• Business Process as a Service (BPaaS): •• Community cloud: a public or private Business Process as a Service (BPaaS) is a cloud shared by an industry group, form of business process outsourcing government agency, or other association
with similar demands or interests. (BPO) that employs a cloud computing service model to deliver automated Cloud delivery model services sourced from the cloud and •• Infrastructure as a Service (IaaS). This operated within a shared multi-tenant provides low-level resources such as infrastructure. Whereas the aim of
8 Change The Way You Change| How can banks stay ahead of the curve?
Benefits of the cloud for banks
Running a business in the cloud offers numerous advantages, depending on the industry, business size and location.
Deloitte has grouped the potential benefits Each of these attributes brings valuable of IT ownership, which impacts the for banks into the following four categories: benefits when implementing a cloud spending paradigm. A successful cloud strategy. For example, a shift in spending transformation should capture the benefits •• Improve business agility can enable companies to reduce working all four areas. •• Innovate through consumption of capital and free up cash to invest in the external services exploration of new technologies; while an improvement in agility can facilitate •• Leverage industry-specific solutions innovation and also accelerate the shift •• Paradigm shift in IT spending towards IT service consumption instead
Benefits of the cloud for banks
Leverage industry-specific Improve business agility solutions
Innovate through consumption of Paradigm shift in IT spending external services
9 Change The Way You Change| How can banks stay ahead of the curve?
“Many banks around the Improve business agility Innovate through consumption of Major banks heavily rely on legacy systems, external services world are aggressively such as mainframes and old programming Banks need to embrace the cloud fully and pursuing a mobile-first languages, e.g. COBOL: this restricts re-imagine processes. The only way for a business agility. The rise of the digital bank to be competitive in the future will be strategy. Some have economy has put pressure on financial to embrace big data across all its product launched mobile-only bank players, and triggered the need to pursue offerings and leverage AI to change the digital transformation and integrate new customer experience. This cannot happen brands to fend off FinTech digital technologies quickly in order to without at-scale computing and storage. It challengers, while a vast respond to changes in the market and is impossible to re-imagine mobile banking, consumer behaviour. Legacy systems payments or efficient lending without an majority are enhancing sometimes do not provide the appropriate underlying cloud platform. In the future, their mobile apps with new level of agility that is needed to keep up Robo-investors (AI bots that act as portfolio with the pace of change. managers and outperform them) will need features such as person- systems that can process huge volumes to-person payments, FinTech companies were created ‘digital of data, something that banks cannot do and cloud native’. Disruptors such as N26 easily and cost-efficiently on-premise. What personal financial and Revolut are not only able to deliver if banks could carry out credit scoring and management tools, and solutions at much faster pace; they also risk assessment using big data and AI? attract customers and gain market share virtual assistants.” [4].“ due to their user-friendly and innovative Disruptive technologies are strategic solutions, fuelled by an agile, cloud-based assets in the financial industry, but infrastructure. adopting and extracting value from them within a reasonable timeframe can be a Deloitte recommends a multi-stage challenge. What if you could use them as an approach for traditional banks to move outsourced service, instead of hosting and forward from legacy systems towards the owning them? By giving access to a range cloud. This begins with an evaluation of the of specialised tools and services, cloud suitability of the cloud for key applications services provide an ecosystem of Centres and processes, and a gradual shift from of Excellence that can be accessed rapidly legacy systems towards the public cloud through the internet, making organisations (where compatible with regulations) since more competitive. this type of cloud model yields the most benefits in terms of elasticity, functionality State-of-the-art cloud platforms offer and cost efficiency. A hybrid cloud strategy key capabilities in strategic domains such is the industry standard today and there as analytics, blockchain and distributed will be an increasing shift towards the mobile applications enabling software public cloud due to the benefits from development teams in banks to stay ahead hyperscale cloud services. of the innovation curve. Developing or
Stages in the journey from legacy systems to the cloud
Traditional, on-prem IT Introduce Hybrid Migrate legacy Integrated Hybrid Cloud