Change the Way You Change How Can Banks Stay Ahead of the Curve? August 2019 Change the Way You Change| How Can Banks Stay Ahead of the Curve?

Change The Way You Change How can banks stay ahead of the curve? August 2019 Change The Way You Change| How can banks stay ahead of the curve?

Executive Summary

Cloud’s benefits and value for banks Key success factors for cloud Cloud cyber security Cloud enables banks to improve their transformation Cloud services extend the IT footprint of agility, drive innovation by tapping into Any cloud transformation must start organisations, which might impact the risk cutting-edge technology, leverage industry- with the definition of a cloud strategy of cyber attacks. Robust arrangements specific solutions, and shift their spending aligned with the organisation’s broader for cyber security should therefore be put paradigm from CapEx to OpEx. business strategy, followed by a definition in place. These should cover seven cyber of risk management and governance domains: Network and infrastructure Why have banks been reluctant to use requirements, and a financial analysis security; Identity and access management cloud? justifying the investment. The subsequent (IAM); Data protection; Logging and Regulations, data security, the challenges actual migration to the cloud will call Monitoring; Resilience; DevSecOps; and of transformation to the cloud and the risks for a corporate culture change to drive Governance, Risk, and Compliance. associated with the outsourcing of critical innovation and fully leverage cloud processes have so far discouraged many capabilities. How to select the right cloud service banks from adopting the cloud. Reacting provider to that, major cloud service providers have Compliance with regulatory Finding the best cloud service provider for increased their global physical presence requirements your use cases depends on your current and have already resolved many issues Using cloud services raises complex and future operating model, your own around regulatory and legal obligations, questions about compliance with service offerings and the type of delivery e.g. regarding data location. Transformation regulations, because processing sensitive model you want (IaaS, PaaS, or SaaS). challenges can be overcome by adopting information or client identifying data (CID) Deloitte recommends a framework for a structured approach to adoption of the comes under strict rules. These have so assessing your operating model and the cloud. A thorough risk assessment and far prevented many banks from embracing service offerings of potential cloud service ongoing vendor management process (i.e. the cloud. Since regulations differ between providers, from different perspectives: an ongoing process aiming at nurturing and countries, this report presents the regulatory aspects; compliance; cyber developing the relationship with the vendor general considerations (country-specific security; and technology issues. To avoid to get the most out of their products) considerations can be obtained from your vendor lock-in and comply with legal should enable banks to mitigate data risks local Deloitte offices). obligations, we also recommend banks to and third party risks. go for a multi-cloud strategy.

2 Change The Way You Change| How can banks stay ahead of the curve?

3 Change The Way You Change| How can banks stay ahead of the curve?

Introduction 05 Cloud specifications and meaning 08 Benefits of the cloud for banks 09 Why have banks been reluctant to use the cloud? 12 Key success factors for cloud transformation 16 Cloud cyber security 25 Selecting the right cloud service provider 29 Conclusion 33

Contacts 34 References 35

4 Change The Way You Change| How can banks stay ahead of the curve?

Introduction

Cloud is not the future or an emerging trend anymore: it is the present and it constitutes a critical tool for financial institutions to stay competitive in today’s challenging business environment. Success with process re-engineering and efforts at digitalisation with emerging technologies such as artificial intelligence are dependent on cloud computing. Banking regulators and supervisors recently published guidelines to encourage banks to make more extensive use of cloud services, whilst at the same time stating that banks cannot relinquish their accountability of outsourced IT services.

This report provides an independent perspective on the major opportunities and risk management issues, but also - based on our practical experience - a high-level roadmap to cloud transformation and the common pitfalls that banks should consider. This report also provides tools to answer certain questions about IT: •• How can we seize opportunities while mitigating risks? •• How can we keep up with innovation while not making costly mistakes? •• How do we survive and thrive in the cloud?

5 Change The Way You Change| How can banks stay ahead of the curve?

Leveraging cloud offerings represents I wait until next year?” Embracing the a shift in management attitudes– cloud is a matter of survival in a business Use Case: Deutsche organisations are moving away from a do- environment where innovation, disruption Bank and Quantiguous it-yourself mentality towards using external and competition are pushing banks to Solutions providers with scalable, flexible, faster and improve efficiency and become more agile, “Deutsche Bank today announced sometimes cheaper services. While some while adding value for their customers. that it has acquired Quantiguous organisations are apprehensive about Successful leaders should think ‘cloud Solutions, a Mumbai-based using the cloud, it is an integral component first’ if they want to survive in today's fast software company, to strengthen of today’s service-delivery model and it evolving and competitive marketplace. its Global Transaction Banking enables banks to tap into new market franchise. With the help of opportunities and access new delivery Quantiguous, the bank will channels. accelerate the development of its Open Banking platform that forms Many suppliers and banks are therefore the core for developing innovative moving to a ‘cloud first’ strategy. Cloud client applications and connecting deployments with off-the-shelf offerings corporate clients, FinTechs and are becoming ubiquitous, while on-premise partner companies to Deutsche deployments are becoming the exception. Bank’s Transaction Banking Many RegTech companies [1] offer software platforms and services.” [2] as a service out of the cloud. Banking- focussed boutiques offer managed services which are already compliant with banking regulations across all technology layers (from the infrastructure up to the software), enabling banks to accelerate their adoption of the cloud by providing out-of-the-box compliance with industry- specific regulations.

Banks and major cloud service providers are on a collision course. For example, Amazon offers cash services, credit cards and other basic financial products including Amazon Pay. Another example is Alibaba with its spin-off AliPay, which has over 900 million customers, far more than the largest US bank. Both Alibaba and Amazon have improved their ability to offer business banking services on their platforms. More broadly, there are predictions that devices such as Alexa, Siri or Google Home will be the future of banking, since these smart AI bots will act as a financial assistant in everyday life. To get financial guidance, imagine asking Siri: “Can I afford this car now or should

6 Change The Way You Change| How can banks stay ahead of the curve?

Cloud quick ckeck – Is your bank getting cloud right?

01. Do we understand how cloud can help us reach our strategic objectives? □□ Yes □□ No □□ Better get some advice

02. Do we know which parts of our business will benefit from cloud? □□ Yes □□ No □□ Better get some advice

03. Is your team nervous about transitioning to the cloud? □□ Yes □□ No □□ Better get some advice

04. Do you know what your competitors are doing with cloud? □□ Yes □□ No □□ Better get some advice

05. Can our bank remain competitive without using cloud? □□ Yes □□ No □□ Better get some advice

7 Change The Way You Change| How can banks stay ahead of the curve?

What is Cloud? computing, storage and networking for traditional BPO is to reduce labour costs, customers to build scalable applications. BPaaS reduces labour costs through The cloud consists of a broad range of AWS EC2 is an example of IaaS providing increased automation and economies of offerings where services are provided by ‘virtual machines’. scale. As an example, Deloitte’s BPaaS an external third party and purchased offerings provide managed logs analytics as a service. Offerings vary from basic •• Platform as a Service (PaaS). One level and managed cyber risk with specific computing resources, to platforms, to above IaaS, PaaS provides a managed industry skills, especially for customers in fully functional software ready to deliver environment to develop applications highly-regulated industries. business value. These are referred to such as a Java runtime or a NoSQL respectively as Infrastructure as a Service database. Google Cloud’s App Engine is (IaaS), Platform as a Service (PaaS) and an example of PaaS providing a managed Cloud stack Software as a Service (SaaS). Java, Python, Go or node.JS environment for developing applications without A cloud stack is a software layer that can the need to manage the underlying be deployed on computing infrastructure Cloud deployment models infrastructure. to provide a cloud environment. As an example, Microsoft installs an Azure layer •• Public cloud (off-premise or external): •• Software as a Service (SaaS): This or stack on top of dedicated hardware (e.g. cloud computing services provided by provides user-ready, out-of-the-box HPE, Dell or Lenovo) which creates the suppliers to multiple customers via a software providing a specific built- Azure environment. An Azure Stack can cloud computing architecture that allows for-purpose business service to the also be deployed in a private data centre to customers to share computing resources. customer. Microsoft’s Office 365 is an simulate some features of Azure cloud in a Telekom Cloud or DigitalOcean are example of a SaaS, where customer can private environment. examples of public clouds. A hyperscale use the service without managing any public cloud is a category of public cloud aspects of the underlying software and “Many large corporations, especially those providing a larger pool of resources, infrastructure. for which security is important, such as serving millions of users and combining •• Managed Services (MS): MS are an banks, have tended to prefer private cloud, hundred thousands of individual additional layer of services delivered or a public/private hybrid, because of the computers into a low cost resource on top of cloud services, to manage additional security, perceived or actual, pool with maximum availability. AWS, processes such as 24/7 SLA monitoring, it provides. This hesitancy on the part of Microsoft Azure, IBM, Oracle, Alibaba and operational management, liability large companies is disappearing. Where Google Cloud are prominent providers of frameworks, ecosystem integration, they can, they now tend to deploy public hyperscale public clouds. audit, security, fail-over management, rather than private cloud.” [3] •• Private cloud (on-premise or internal): compliance and other processes. In the cloud computing services owned and banking industry, Avaloq’s Managed operated on-site by a single organisation. Services offering ensures that banks are in compliance with regulations •• Hybrid cloud (integrated public and and manage all the operational and private service): a mixed environment regulatory aspects of the underlying combining public cloud and private cloud systems. or on-premise solutions. •• Business Process as a Service (BPaaS): •• Community cloud: a public or private Business Process as a Service (BPaaS) is a cloud shared by an industry group, form of business process outsourcing government agency, or other association

with similar demands or interests. (BPO) that employs a cloud computing service model to deliver automated Cloud delivery model services sourced from the cloud and •• Infrastructure as a Service (IaaS). This operated within a shared multi-tenant provides low-level resources such as infrastructure. Whereas the aim of

8 Change The Way You Change| How can banks stay ahead of the curve?

Benefits of the cloud for banks

Running a business in the cloud offers numerous advantages, depending on the industry, business size and location.

Deloitte has grouped the potential benefits Each of these attributes brings valuable of IT ownership, which impacts the for banks into the following four categories: benefits when implementing a cloud spending paradigm. A successful cloud strategy. For example, a shift in spending transformation should capture the benefits •• Improve business agility can enable companies to reduce working all four areas. •• Innovate through consumption of capital and free up cash to invest in the external services exploration of new technologies; while an improvement in agility can facilitate •• Leverage industry-specific solutions innovation and also accelerate the shift •• Paradigm shift in IT spending towards IT service consumption instead

Benefits of the cloud for banks

Leverage industry-specific Improve business agility solutions

Innovate through consumption of Paradigm shift in IT spending external services

9 Change The Way You Change| How can banks stay ahead of the curve?

“Many banks around the Improve business agility Innovate through consumption of Major banks heavily rely on legacy systems, external services world are aggressively such as mainframes and old programming Banks need to embrace the cloud fully and pursuing a mobile-first languages, e.g. COBOL: this restricts re-imagine processes. The only way for a business agility. The rise of the digital bank to be competitive in the future will be strategy. Some have economy has put pressure on financial to embrace big data across all its product launched mobile-only bank players, and triggered the need to pursue offerings and leverage AI to change the digital transformation and integrate new customer experience. This cannot happen brands to fend off FinTech digital technologies quickly in order to without at-scale computing and storage. It challengers, while a vast respond to changes in the market and is impossible to re-imagine mobile banking, consumer behaviour. Legacy systems payments or efficient lending without an majority are enhancing sometimes do not provide the appropriate underlying cloud platform. In the future, their mobile apps with new level of agility that is needed to keep up Robo-investors (AI bots that act as portfolio with the pace of change. managers and outperform them) will need features such as person- systems that can process huge volumes to-person payments, FinTech companies were created ‘digital of data, something that banks cannot do and cloud native’. Disruptors such as N26 easily and cost-efficiently on-premise. What personal financial and Revolut are not only able to deliver if banks could carry out credit scoring and management tools, and solutions at much faster pace; they also risk assessment using big data and AI? attract customers and gain market share virtual assistants.” [4].“ due to their user-friendly and innovative Disruptive technologies are strategic solutions, fuelled by an agile, cloud-based assets in the financial industry, but infrastructure. adopting and extracting value from them within a reasonable timeframe can be a Deloitte recommends a multi-stage challenge. What if you could use them as an approach for traditional banks to move outsourced service, instead of hosting and forward from legacy systems towards the owning them? By giving access to a range cloud. This begins with an evaluation of the of specialised tools and services, cloud suitability of the cloud for key applications services provide an ecosystem of Centres and processes, and a gradual shift from of Excellence that can be accessed rapidly legacy systems towards the public cloud through the internet, making organisations (where compatible with regulations) since more competitive. this type of cloud model yields the most benefits in terms of elasticity, functionality State-of-the-art cloud platforms offer and cost efficiency. A hybrid cloud strategy key capabilities in strategic domains such is the industry standard today and there as analytics, blockchain and distributed will be an increasing shift towards the mobile applications enabling software public cloud due to the benefits from development teams in banks to stay ahead hyperscale cloud services. of the innovation curve. Developing or

Stages in the journey from legacy systems to the cloud

Traditional, on-prem IT Introduce Hybrid Migrate legacy Integrated Hybrid Cloud

egay egay egay ae ae ae Cou Cou Cou

egay u u CCooeu Coe u Couu Coe Cou Coe Cou aa

aon aonaaon

• un raton factory • uture chane e

stabsh basene • • eent taret oeratn ode y • efine taret oeratn ode • eratonasaton of new ways of e scuss vson • • oete financa and sutabty • en nteraton of dfferent workn • Hheve stratey anayss envronents • eveoent n new envronents

hat can do to run y for ess How do ake sure et the best hen can see the tanbe • • • n o n oney? vaue out of oud? financarocess advantaes? How can adat y oransaton to • e e • hat s oud and how can ake • hat s y concrete oud stratey • How does ths affect y ncrease y benefits fro oud? C u

use of t? n ractce? oransaton as a whoe?

10 Change The Way You Change| How can banks stay ahead of the curve? owning new technologies becomes an Paradigm shift in IT spending obsolete burden when they can be used Cloud provides a shift from CapEx (Capital Use Case: Commerzbank in applications as a service in a seamless Expenditure) to OpEx (Operational “[E]ine Bank kann keine Infrastruktur manner. Expenditure), switching from asset bereitstellen, wie es Amazon, Google ownership to service consumption. The oder Microsoft können. Der Aufbau Leverage industry-specific solutions following advantages emerge from this von leistungsfähigen und skalierbaren Using IaaS or PaaS to build applications change in ownership structure: Systemen über eigene Rechensysteme offers enormous flexibility in terms •• Flexible pricing (only pay for what ist sehr kostenintensiv. Die Tech- of design and functionality; however, you use). Only consumed services are Giganten bieten zudem spezielle flexibility also comes with challenges. charged for. This may lead to cost savings, Entwickler-Tools und Betriebssysteme, Highly-regulated industries such as especially for punctual and intensive die dabei helfen, Algorithmen weiterzu- banking have a complex burden of workloads such as daily, monthly and entwickeln. Doch man muss das Rad regulations and compliance, which makes year-end processing. However, there may ja nicht neu erfinden. Daher nutzen a do-it-yourself option for applications or may not be cost savings, depending on wir diese Anbieter für unsere Zwecke development both costly and risky. the company’s use of the cloud. und setzen auf eine hybride Cloud- Banking-focussed solutions delivered as Strategie.” [5] higher level services such as SaaS or BPaaS •• No upfront infrastructure investment. can provide an out-of-the-box solution Taking away large upfront costs enables Use Case: Deutsche Bank and help banks cope with the regulatory organisations to reduce their working “CloudMargin, the award-winning burden by ensuring regulatory compliance, capital, and the cash this releases can creator of the world’s first and only auditability, transparency and security be used to pursue other ventures for collateral and margin management along the whole value chain, from the growth or innovation. It is important to solution native to the cloud, and provision of infrastructure to the delivery keep in mind that some upfront costs Deutsche Bank, Germany’s leading of the service to the end-user. A Managed such as costs of integration, connectivity bank, announced today that, as part of Services provider can guarantee end-to- and migration can still be incurred when its global transformation programme, end responsibility and act as a single point moving to the cloud. the bank is working with CloudMargin of contact for banks, greatly simplifying •• No depreciation, renewal costs or to integrate the CloudMargin platform operations and management. This shift to obsolescence of infrastructure. into its Collateral infrastructure. In service consumption replaces the in-house With the purchase of infrastructure addition to cost savings, the move software development processes, delivery there is always the risk of aging and is expected to improve the client and operations model that banks have, obsolescence: this can be avoided by experience by creating a networked and this inevitably has implications for the consuming resources as a cloud service. solution for Deutsche Bank’s collateral organisation and its employees. management, resulting in additional transparency, reduced operational risk Cloud service providers can deliver and simpler processes.” [6] banking-specific solutions, such as core banking, risk analytics with comprehensive Use Case: Deutsche Bank portfolio management, securities and Avaloq management, online banking platforms, payments or back office services such as “The introduction of the Avaloq settlement services, corporate actions Banking Suite enabled Deutsche Bank services, and reconciliations. Providers Luxembourg to migrate its various benefit from economies of scale by re-using business areas into a new, unified cash their solutions across multiple customers, ledger, enabling it to offer its customers and so in many cases are able to offer their the full range of services while reducing service to banks at a lower cost than an complexity, risks and costs, and paving in-house process. Standardisation can also the way for future growth. The relevant be achieved when using mid- to high-level banking areas migrated in one move services such as PaaS or SaaS; however from the existing core banking system little standardisation is available from IaaS to the Avaloq IT platform.” [7] due to the wide variety of design choices that remain available to the developer. Use Case: DZ Bank “DZ Bank sees the benefit from Other functions are not automatically Cloud computing, especially in the provided when using IaaS or PaaS, public Cloud offering in that it helps such as disaster recovery, integration, to improve the bank's cost efficiency supportability and operability assurance: and reduce time-to-market. Cloud these aspects can also be handled by SaaS computing makes the bank more providers that specialise in banking. agile so that it is able to cope with first demands on capacity.” [8]

11 Change The Way You Change| How can banks stay ahead of the curve?

Why have banks been reluctant to use the cloud? The cloud has been widely adopted across various industries and has become a pillar for IT systems of modern companies. Yet challenges remain for banks, mostly because of strict data regulations, doubts around data security, third party risks and transformation challenges.

Regulations having data physically located in the same National regulatory authorities often insist country. Most of the major cloud service that data held by domestic companies providers offer data centres in Germany should be kept only on servers in that and very few do not offer data centres in country, and that access to data should Europe at all. only be possible from within the country; and they may also impose legal obligations Banks need to understand the legal relating to investigations or data recovery, structure and framework within which or about the location of employees. This the cloud company operates, and that it means that a cloud service provider has may need to comply with the regulations to use local servers, which creates a major in multiple jurisdictions – including the challenge for the operating model of global Clarifying Lawful Overseas Use of Data Act cloud service providers. (CLOUD Act) of the USA − as shown by the efforts of a US law enforcement through Major cloud service providers have tried to US courts to gain access to data on a cloud increase their global footprint by building service provider's server in the Republic of more data centres in new locations close Ireland. to their customers. This helps banks meet some of the regulatory requirements by

12 Change The Way You Change| How can banks stay ahead of the curve?

Data security security systems should also be From a technological point of view, relying Keeping data safe from unauthorised considered. In the case of SaaS or BPaaS, on a cloud service provider to run critical external access or damage/corruption is a data cannot be accessed by the CSP unless systems in the cloud should not be challenge for the financial services industry. it is agreed or needed to provide the considered riskier than running the same Client-side encryption guarantees that an service, for example to restore data or systems on-premise, provided that the external party or even the Cloud Service ensure business continuity. In order for cloud service provider is compliant with Provider (CSP) cannot access data, since banks to pursue the optimal strategy and financial regulations (e.g. for data retention, the bank and not the CSP holds the processes to protect information, Data data access, auditability) and the encryption and decryption keys, making it Protection & Privacy should be a pillar in appropriate design and best practices are impossible for the provider to access their cyber security strategy. implemented. To mitigate supplier risks, readable data. However, client-side organisations should implement a process encryption may affect performance and Third party risks to manage the lifecycle of the supplier significantly limit the benefits of the cloud, Running central systems in the cloud such relationship and clearly align business goals such as search capabilities, artificial as core banking systems creates a with the services from the cloud service intelligence and analytics – thus a trade-off dependency on the cloud service provider. provider, while also managing risks and between functionality and security must be This calls for a risk assessment and vendor maintaining an exit plan. found. Integration with on-premise management process to ensure alignment solutions for data management, identity between the business objectives and and access management policies and other service delivery from the CSP.

Deloitte’s holistic cloud security framework

sbty nto coud usae to dscover sbty nto data usae n the coud hadow Risk entrased data rotecton ocy Data Protection ankn and scorn the securty Management anaeent & Privacy caabtes of the coud rovders caton of data rotecton and ashboards to enabe decsons rvacy contros ke encryton about rsk and coance n the tokensaton data oss reventon and coud dta rhts anaeent for use wth coud servces eﬁne and enforce coud oces and standards

Vigilance

ontor securty nforaton and events for acous actvtyusae wthn coud servces ashboards to enabe securty oeratons teas

dentfy rortse and reedate vunerabtes for nteence to dentfy threats to your coud servces coud servces and rovders

13 Change The Way You Change| How can banks stay ahead of the curve?

Transformation challenges processes, operating model and resources. Use Case: Commerzbank Most major banks rely heavily on systems For example, a lack of cloud talent is that run legacy applications. In order to another major roadblock for banks. Given “A lot of times we think of move these applications to the cloud the broad range of impacts that moving digital transformation as a and fully reap the benefits of such a to the cloud may cause for organisations, technology dependent process. transformation, applications need to go transformation constitutes an upfront The transformation takes place through re-design and refactoring, which investment which is why many banks when employees learn new skills, can be a costly and risky step. Simply hesitate. change their mindset and adopt switching virtual machines from a data new ways of working towards the centre to a cloud infrastructure will not end goal.” [10] deliver the full capability of cloud services: applications should be broken down into API-connected microservices and use ‘cloud-native’ components to optimise costs, resilience and availability. Since mainframes do not integrate well with cloud applications, banks face a situation that must be addressed in most cases with a ‘big bang’ approach, raising the transformation risks even higher. IT is not the only part of a company impacted by cloud - the transformation causes a broad rethinking of the company’s

Deloitte’s IT Vendor Management Framework

14 Change The Way You Change| How can banks stay ahead of the curve?

15 Change The Way You Change| How can banks stay ahead of the curve?

Key success factors for cloud transformation

Using cloud is not just a project: it is a fundamental change in the DNA of a company. To benefit fully from the advantages of the cloud, organisations need a digital transformation that goes well beyond a simple project. Deloitte recommends an approach to cloud transformation that consists of five phases, from strategy to cultural change.

Cloud strategy Many large organisations already have a Define your objectives for the cloud. The ‘cloud first’ strategy in place, meaning that benefits must be clearly articulated – with any project they look to the cloud greater operational efficiency, flexibility, before considering the in-house or agility, increased revenue generation, traditional outsourcing alternatives. A cloud reduced costs, enhanced security, better strategy should take into consideration not risk management, return on investment, only the present but also the future; to name but a few. Cloud strategy should embracing cloud enables banks to adopt follow IT strategy, which should align with tomorrow’s technology more easily, the business strategy. Cloud initiatives blockchain being just one example. should always be linked to business value and fit with the overall corporate strategy. Deloitte has developed a framework of six building blocks on which you can construct a sound cloud strategy.

16 Change The Way You Change| How can banks stay ahead of the curve?

“ Organisations often struggle to define a cloud strategy, or to link it to their broader business strategy. Consequently, they find it difficult to generate genuine business value from this type of digital transformation. Cloud has most definitely arrived and is here to stay as a key element of corporate strategy – not just IT strategy, but overall business strategy.” [3]

Deloitte’s cloud strategy framework

17 Change The Way You Change| How can banks stay ahead of the curve?

Risk management services is subject to the laws and Use Case: KfW and ATICO Moving services to the cloud transfers regulations of the country where the data is some of the responsibilities for risk stored. The European Union’s rules also “After the evaluation phase, KfW management to the third party cloud apply to data held outside its territory. The opted for a central application service provider. However, it is only the General Data Protection Regulation (GDPR), – ACTICO Compliance Suite. management of the risks that is which came into effect in May 2018, is The functionalities enabled transferred: accountability for the risks still designed to improve data protection for EU the automated processing of resides with the bank, and not the cloud citizens whose data is collected, stored and all compliance-relevant issues, service provider. The company’s processed by organisations. However, the such as sanctions lists checking, operational risk management framework scope of the Regulation extends to financial transactions monitoring, must therefore take account of the special companies using servers outside the EU, if anti-money laundering. The new circumstances arising from cloud service those servers hold data of EU citizens. The compliance environment enables adoption. An important element of the full implications of GDPR and other data KfW Group to achieve more framework should be to classify the privacy laws must be understood. efficient KYC and onboarding information assets - such as intellectual processes for banking customers.” property, customer databases and financial In order to mitigate third party risks [11] information - so that the inherent risks can stemming from a cloud service provider, be managed. The service contract should organisations should follow a holistic include: approach, analysing risks into categories or ––terms that define the right to audit the ‘risk domains’ and mapping them to cloud environment operating model components in order to ––contractural conditions associated to ensure monitoring and controls are the bank's exit strategy effective on an ongoing basis. In addition, ––a business continuity plan covering the organisations should consider a full scope of the cloud service multi-cloud strategy for mitigating risks ––IT service management procedures and associated to a cloud service provider. controls Which services on cloud would introduce In accordance to that, the operating model vendor lock-in? Should we consider of the bank is then redesigned to ensure multi-cloud strategy for disaster recovery? the right team structure and capabilities What if there are security leaks identified in are in place to manage the cloud services. a cloud provider? What if the cloud provider does not have a datacenter in the region of It is particularly important for banks to interest? What if the other cloud provider is consider legal and regulatory compliance having a solution for a critical problem for during their risk assessment, which should us? All these risks are to be evaluated for a involve the risk management functions and cloud provider. A multi-cloud strategy is other stakeholders, and should be based crucial for mitigating such risks and should on the ‘three lines of defence’ model. be designed appropriately. Compliance with national laws and regulations on data is a problem that must be addressed. Who owns the data? In which countries should the data be stored? Who is permitted to access the data stored in another country? Data hosted on cloud

18 Change The Way You Change| How can banks stay ahead of the curve?

Deloitte's holistic Third Party Risk Management Framework

Within the organisation a risk for any outsourcing initiative, laws and regulations on data is management framework should be in order to understand the key a thorny problem that must be created for the cloud, and a clear risks and embed controls into the addressed and the full implications risk report should be drawn from contract. Supplier risk must be of GDPR and other relevant data it. It is essential to understand the factored into the equation. secrecy and data privacy laws operational and compliance risks must be understood and adhered of outsourcing. Plotting a route The risk of intruders gaining to. A decentralized approach with through all the risks and regulatory access to IT systems has forced multi-cloud strategy should be complexities will ensure that the organisations to improve cyber considered. company gets the planned benefits security. Cyber risk deserves special from the cloud. Due diligence attention and security must be should be a standard requirement tight. Complying with national

19 Change The Way You Change| How can banks stay ahead of the curve?

Governance cloud by an organisation. These should Banks must define how decisions consider controls for business processes, specific to cloud solutions will be made. applications, data, infrastructure, and Governance processes relating to the use organisational management. Structured of cloud services should be developed: governance is required to monitor who is able to request them, how many performance continually, improve service resources can be provided, and what effectiveness, and align investments with approvals are required. In addition to business objectives. setting quotas, providing visibility and reporting usage will help to hold users To avoid new or additional risk, governance accountable. Organisations should should ensure proper due diligence and establish a robust cloud governance security, and should specify standards structure, with three pillars of governance describing which services are permissible and ranking of elements within each pillar and which are not. In practice that could from strategic to functional. mean for example that business services can get integrated and used, as long the How can governance be made sufficiently service is built on Microsoft or Google flexible to manage risk while supporting cloud components, if these vendors have innovation and cost reduction? already been approved for use by the Establishing governance and controls company. provides direction for the adoption of the

Deloitte's IT Governance framework

20 Change The Way You Change| How can banks stay ahead of the curve?

Key dimensions to build a cloud transformation case

Financial analysis impact time-to-market, innovation and A business case should be developed to competitiveness (as outlined earlier in this justify the migration of workloads to a report). While these business benefits must cloud environment, in order to mitigate be considered in each case, they may be risks relating to cost management. difficult to evaluate quantitatively and are Organisations should analyse the heavily dependent on the organisation’s quantitative financial benefits of transition structure and strategy. We therefore to the cloud. C-Suite executives want propose three areas for analysis in building to know: What are the cost drivers for a financial case for the cloud from an IT cloud transformation? What are the high- perspective. level benefits of embarking on a cloud transformation? How may these benefits be realised? Financial benefits from cloud will not be limited to IT, since they will

21 Change The Way You Change| How can banks stay ahead of the curve?

Cloud migration Use Case: HSBC and Applications may follow different migration Transporting legacy applications to the Oracle ERP paths, ranging from a simple ‘lift-and- cloud is a thorny challenge for many shift’ where applications are re-hosted banks – for this reason Deloitte acquired “Global banking giant HSBC used in a cloud environment without further Innowake® [13], which can translate Oracle ERP Cloud to re-engineer amendments, to a complete refactoring Cobol/PL1 code into Java code, helping to the financial management of the application using ‘cloud native’ refactor legacy software into cloud-ready processes across its global components. Each approach has pros and applications. Operations, Services and cons: for instance a complete refactoring Technology division. The bank is costly and creates vendor lock-in, but it In case of mass migration, an Application transformed procure-to-pay, also allows applications to leverage fully the Migration Centre of Excellence should be expenses and project accounting capabilities of the cloud such as elasticity, created to benefit from efficiencies and across its global operations high availability and high resilience. Re- economies of scale. After migrating, ensure and functions, not just in the platforming applications on PaaS is a trade- shutdown of legacy on-premise systems to organisation of its global service off chosen by many organisations, since in avoid parallel operations and costs. companies. Ultimately, all third many cases it provides most benefits from party costs and a significant the cloud without the lock-in. Organisations portion of the global cost base are should proceed with a phased approach managed by Oracle ERP Cloud.” to conduct migration in an efficient manner. [12]

Deloitte's Cloud Migration Methodology (DCMM)

pplication igration C Continuous Migration Evolution & Feedback

raton rortsed High Degree More Manual, rated anddates raton st of Automation less Automation catons gile Based igration prints

gaon

raton hases Cou ooo Teng un annng gaon negaon ounaon een eane e heue hase 1 hase 2 hase 3 hase 4 hase ssential ervices pplication arget pplication pplication anding one iscovery rchitecture maintenance and Cloud nboarding ependency igration ecution support Governance apping rchitecture et up target pplication est and validate onitor ecurity, egal and pp uitability igration lan inrastructure ntegration migrated workloads perormance Compliance ssessment ilot ove application to nrastructure moke and ptimise cloud stablish Cloud C pplication

ctvtes cloud environment ntegration perormance test workloads migration path Right size perational btain BU analysis inrastructure ntegration acceptance Business Case

22 Change The Way You Change| How can banks stay ahead of the curve?

Corporate culture and innovative abilities whilst reducing Organisations should follow a culture Cloud is not just about technological risks and delivery cycles. Corporate change roadmap. Employees need to be transformation, but also about adapting culture needs to change, from a mind-set guided towards cloud with that roadmap. the corporate culture to use of the focused on static, policy driven operations Thereby, the transformation to cloud cloud, and adopting a new mind-set for towards small entrepreneurial units that should be understood as more than a working and collaborating in order to have a much greater freedom of choice. technical implementation: it is an end-to- leverage the technology: 'Think Cloud'. Business leaders should embrace the end transformation across all dimensions People need to start thinking cloud, for entrepreneurial spirit and empower of the bank. example by adopting DevOps practices. business units to take advantage of the DevOps is a contraction of ‘Development flexibility offered by the cloud in line with and Operations’, and is a paradigm for the defined governance structure. What if software production which consists of analytics and benchmarking tools could be streamlining the application lifecycle from accessible in much finer (‘granular’) detail, development to production. DevOps enabling smaller business units to make enables companies to increase their agility better-informed decisions?

Deloitte's Culture Activation Roadmap

trategy nsight ctivation

Define a copelling cultural se cultural diagnostic, ctivate culture through design aspiration aligned to the interviews and data analysis to thinking, agile executions, our organisations strategy define gaps culture tools and accelerators rramiing tthe challllenge underrsttand,, epllorre,, syntthesiise desiign orr tthe bestt vallue What challenge are we trying to resolve? What do stakeholders think/eel/say about What solutions will deliver the culture we What outcome are we seeking to deliver the current culture? What insights can help need? How should we manage culture through organisational culture? us realign our culture? implementation? • etermine scope, objectives, purpose business • plore stakeholders and the system within wihich • evelop culturesolution prototypes challenges drawing upon cultureprinciples and they reside • est and refine (in loops culture prototypes to culture transormation best practice • ynthesise insights and define design principles determine best value • Clearly articulate strategic intent and culture hypotheses • ecide and implement culturesolutions which aspirations • dentiy ideas to address unmet needs and harness deliver best value opportunitites

23 Change The Way You Change| How can banks stay ahead of the curve?

“Through 2022, at least 95% of cloud security failures will be the customer’s fault.” [14]

24 Change The Way You Change| How can banks stay ahead of the curve?

Cloud cyber security

Cloud is not only redefining the IT landscape but also how security measures are designed and implemented. In particular, the migration to a virtual data centre forces organisations to rethink security and privacy from the ground up.

At one time, the security of cloud service Security of the cloud providers was a significant concern for The cloud service provider is responsible many companies, worried that cyber for the reliability, security and compliance attackers would find it easier to penetrate of the services that make up the cloud. the cloud than on-premise systems. These include responsibilities for the Even today this issue – together with integrity of the hardware, software, privacy concerns – is one of the biggest networking and facilities that run the cloud barriers to cloud adoption. However, services. cloud security (at least at the hyperscale cloud service providers) can in fact be Security in the cloud a positive argument for adoption of the Organisations should implement controls cloud, since cloud service providers invest for elements which they are responsible more in security than most multinational for. This will depend on the cloud services companies will ever be able to. Security is they use. For example, if an organisation in effect part of the main business process transfers an application to an IaaS of cloud service providers, and not just a environment, it is responsible for some of support process. the infrastructure security and all levels above (see Figure 13). On the other hand, organisations using SaaS solutions are only responsible for the data, governance and security compliance.

25 Change The Way You Change| How can banks stay ahead of the curve?

Security responsibilities in the cloud

Cyber security perspective in the cloud

User / hadow hird party risk Concentrated risk Business and consumers rganisations are Cloud providers are a using the cloud with or dependent on cloud bigger target because without cyber controls providers‘ controls that‘s where the data is

odern ttack urace Controls Gap he walled organization raditional cyber risk (ie with clearly deﬁned controls need to etend rontiers is replaced by a to the cloud at a time hybrid, more complicated when many organisations technology environment are barely keeping up with eisting threats

26 Change The Way You Change| How can banks stay ahead of the curve?

It is important to understand that the Third party Risk Modern Attack Surface division of responsibilities for securing When a company uses cloud services it New technology and digital solutions bring cloud workloads differs between the connects its infrastructure to a cloud new methods of cyber attack and make old types of service. However, the liability for service provider’s. Security for the overall ones obsolete. The cloud is no exception. data stored and processed in the cloud, system depends not only on the Employees of cloud-enabled organisations as well as overall security of a cloud organisation using the cloud services, but often work from any devices anywhere on based solution, always remains with the also on the cloud service provider’s the planet, making it more difficult than organisation using the cloud services. security controls. Theoretically, however, ever to protect the organisation’s data. Not the cyber risks are the same as with the only must the intranet and cloud workloads What is new from cyber security on-premise infrastructure. This means that be secured, but every user device should perspective in the cloud? physical security of the cloud service also have technical measures in place to As businesses move to cloud computing, provider equipment, software and protect data. To add to the problem all the employees in principle are able to access hardware updates, internal governance cloud-enabled devices in the organisation their work applications and corporate processes and technical controls have to must be monitored 24/7 and in real time, resources through almost any internet- be assessed by a potential user in since once a security breach occurs it won’t connected device. As a result, they want accordance with its own security and take long for the hacker to target the ‘crown and expect ‘anywhere-access’ on a device privacy requirements. Organisations jewels’ of the organisation’s information of their choosing. For internet enabled considering a cloud solution should insist and data. services data is transmitted through on seeing the cloud service provider’s unsecure public internet networks and controls and certifications, and check Nonetheless, the monitoring and security thus the ‘old’ security solutions for in-house whether there is a single place where such of user devices is an issue that occurs both systems does not offer the protection documents are stored (e.g. a trust portal or for equipment connecting to on-premise required. In fact, perimeter-based security similar). If gaps in controls are identified, and cloud. Securing the infrastructure has not been effective for some time the organisation should either switch to a against attacks, however, is a task which against modern cyber threats; and with different cloud service provider or close the cloud services providers have to fulfill for cloud computing it is even less effective. gaps with its own security controls. their environments. Due to their massive There is also a shift from segregated IT investment in security, patches and fixes systems to a cloud environment where Concentrated Risk are usually done much faster in the cloud virtual machines and networks share the An accumulation of valuable items will than on-premise. same physical resources, posing different attract the attention of people with security challenges for cyber professionals. malicious intent. This is true for valuable Controls Gap physical items as well as information. The Using cloud services requires a re-think of User/Shadow IT risk of a successful attack is greater for a the controls an organisation should use. The accessibility and ease of subscription cloud service provider because it would Monitoring and securing a cloud-only or to cloud services created a situation in probably involve the information of many (more often) hybrid environment needs which employees are able to use cloud different customers. Companies have to new methods, processes and technology, applications for work-related data rely on their cloud service provider to because even the most mature and safe exchange that were not approved by the address and mitigate many of the risks cloud service provider technology still company IT. Similarly business units could since they cannot manage the risks depends on customers using it in a secure buy cloud services they wanted without themselves within the shared way. Risks of failure are high - attacks can following procurement procedures, or responsibilities model. Cloud service go undetected, data can be lost, and giving consideration to security or privacy providers in their turn are highly motivated reputation can be damaged. issues. There were various reasons for this, to invest significantly in defence measures but the consequences were often the same to maintain their ability to withstand the – breached accounts, leaked data, malware threats and make attacks on them spread across the company. Organisations cost-prohibitive. In order to select the right need to have an answer to this problem in cloud service provider, organisations order to protect its digital assets. A key should examine closely how cloud service element is to be able to identify and providers are managing such risks and manage the cloud services that are used or what kind of contractual liability they have could be used from the organisation’s for a breach of data security. In addition managed devices and networks. they should examine additional risk mitigating functions.

27 Change The Way You Change| How can banks stay ahead of the curve?

Addressing cyber risks in the cloud at rest, in transit, and in use: core elements Other design concepts and tools are Cyber risks need to be addressed as are encryption, key, and certificate cross-region replication of virtual instances, organisations embrace cloud, mobile, social management. multi-availability zone deployments, and analytics technologies. Organisations and data archiving services. The domain should develop a cyber risk framework that Vigilant DevSecOps, encompasses secure focuses on delivering end-to- end cloud The Vigilant pillar involves the provision configuration, vigilant security monitoring, cyber risk capabilities, incorporating and integration of information, from and resilient deployment designs. It is considerations about privacy, security, both on-premise and cloud sources, worth mentioning that while IaaS provides monitoring, incident response, and to enable security teams to identify, the building blocks for resilient systems, governance for integrating cloud services detect, and respond more effectively to their effective implementation still relies on across the organisation. In Deloitte’s Cyber security threats. The domain Logging the development teams and no availability Risk Management framework there are and Monitoring involves techniques for is guaranteed by the cloud service provider three pillars (“Secure. Vigilant. Resilient”) detecting security events, collating a at the application level, since their SLAs and seven cyber risk domains. multitude of log sources, and integrating stop at the infrastructure level in the with a Security Information and Event case of IaaS. On the other hand, SaaS Secure Monitoring (SIEM) system to monitor the solutions and managed cloud services can The Secure pillar of a cyber risk cloud, to enable the organisation to identify provide SLAs at the software level, giving management framework provides where critical data assets reside, who contractual guarantees of higher level protective elements. It contains three accesses them, and how they are used. services resilience compared to IaaS or domains. The first domain, Network and PaaS providers. Infrastructure security, covers the virtual Resilient infrastructure with a focus on protecting The Resilience domain covers designs for The aforementioned security concepts network traffic, hardening endpoints like ‘always on’ capabilities, and new models are brought together to achieve business API gateways and protecting services. for contingency planning, recovery, and goals with secure software. To define Identity and access management, the resilience. As cloud computing becomes and manage the cyber risk requirements second domain, is designed to help a more integral part of core business specific to the organisation, the address different cloud requirements operations, it becomes necessary to Governance, Risk, and Compliance (GRC) for authentication, authorisation, reduce downtime due to disruptions, from domain provides guidance for establishing access governance and accountability. minutes to seconds. A mature cloud service governance, policy, standards, processes, Specific elements include multi-factor provider provides accessible features such technology, and reporting, in order to authentication, privileged access as scalable, on-demand APIs that allow achieve the goals of the organisation. management and access certification. companies in a cost-effective way to create In conclusion, through the use of a cloud The third domain, Data Protection, covers redundant infrastructure and back-ups security framework an organisation is controls recommended for protecting data with low latency to reduce disruption. able to design, implement and operate cloud services securely and benefit from the inherent security features that cloud Deloitte’s Cyber Risk Management framework service providers provide as part of their service.

“It is no longer acceptable for security teams to hold back cloud initiatives with unsubstantiated cloud security worries. Security and risk management leaders should be tasked to develop new approaches to securely and reliably leverage the benefits of SaaS, PaaS and IaaS.” [15]

28 Change The Way You Change| How can banks stay ahead of the curve?

Selecting the right cloud service provider: A two- step approach

The large number of cloud offerings on the market makes it difficult for organisations to find the right supplier. To this end, Deloitte proposes a two-step approach to shortlisting and assessing cloud service providers.

Step 1: Evaluate your IaaS and PaaS future, most off-the-shelf solutions will be and services an organisation would need to provider based on your SaaS needs delivered as SaaS. This spectrum should use from the cloud, a decision can be made The market for cloud services contains define the requirements for IaaS and PaaS about which provider should be selected different delivery models (IaaS, PaaS, SaaS) services that the cloud service provider to carry out the risk assessment and due available to banks, ranging from local must be able to deliver. diligence, in order to minimise the number players to global hyperscaling cloud service of providers to be assessed. providers with local data storage. SaaS providers build their services on top of PaaS or IaaS services. As an example, Deloitte proposes an evaluation of cloud A bank should begin by choosing its cloud SAP’s ERP solutions can be used as a SaaS service providers according to two key service provider(s), which have the best hosted in Amazon Web Services, Google dimensions: SaaS spectrum coverage for the essential Cloud or Azure Cloud infrastructure. Based 01. Scaling capabilities services the bank wants to use, since in the on an inventory of all relevant applications 02. Banking specialisation

The cloud standard pyramid

29 Change The Way You Change| How can banks stay ahead of the curve?

Scaling capabilities Deloitte cloud appetite framework A bank needs to decide from which locations it would like to receive cloud services. For example, regulations in the home country Global of the bank might prevent the bank from A1 transferring customer or financial data

abroad. It may therefore be essential for s e i t the cloud service provider to have a global i l i footprint with data centres in multiple regions b a p and with the ability to scale. a c g n i l

Banking specialisation a c

Some cloud service providers offer generic services such as IaaS or PaaS to various A2 industries, while other cloud service providers provide tailor-made solutions specific to banking. In general, it is easier and less risky A3 ocal for banks to select providers with banking specialisation and knowledge of financial industry laws and regulations, that can Generic Banking speciﬁc for example offer transparency with their Banking specialisation internal control system, provide access to audit reports, and have templates for service SaaS spectrum of three applications (A1, A2, A3) in this example, can help contracts that are compatible with local laws organisations define their PaaS and IaaS requirements. and regulations.

With the Deloitte framework for defining the required SaaS spectrum, a bank can narrow down the list of available cloud service providers to a shortlist of providers that are able to meet its needs. This shortlist of providers then needs to be assessed further in order to select the one that is most suitable High-level cloud service provider assessment framework for the organisation’s requirements.

Step 2: Assess the shortlist of cloud service providers Below we summarise the key aspects for ecurty oance evaluation of cloud service providers by banks.

echnooy Data security, data governance and nteraton servce roada business policies What is the cloud service provider’s position regarding the CLOUD Act and the provision of client data to foreign governments? Where are endor ockn its data centres located? Since security and eendences Cou eno compliance regulations vary from country to artnershs et annn eauaon country, organisations operating worldwide need to be aware of the jurisdiction in which their cloud service provider hosts data, how the data is protected from unauthorised usness ontracts oercas access, and what are its policies regarding anent s local and foreign laws on matters such as data disclosure to foreign authorities (e.g. CLOUD Act). usness heath eabty contnuty erforance

Evaluate the cloud service provider’s capabilities in terms of security operations, security governance and system security, and make sure that it has demonstrable risk-based controls aligned with your organisation’s own For each of these dimensions, there are a number of key aspects to security processes and policies. Verify that consider and important questions to answer.

30 Change The Way You Change| How can banks stay ahead of the curve? user access and actions are auditable and are involved in the provision of the cloud service and intellectual property must be carefully in alignment with the security responsibilities and look for potential flaws or mismatches prepared. as set out in the organisation’s business with the cloud service providers claimed policies or service contract. certifications. SaaS providers typically build Business alignment their services on top of major IaaS providers, Ensure that the chosen cloud service provider Compliance with regulations, so it must be clear from where and how the understands the business of the organisation certifications and standards service is being delivered, and if this fits with and the precise objectives it seeks to achieve Ensure that the cloud service provider follows the organisation’s own policies. with the cloud. The focus should be on high- compliance guidelines that apply to your level business value such as streamlining industry and organisation. Whether you are Contracts, commercials and SLAs product delivery or reducing time to value, committed to GDPR, SOC 2, PCI DSS, HIPAA, Cloud agreements can appear complex, rather than low-level, technical indicators such ISO 27000 series or some other standard, SLA definitions in particular. Cloud service as server up-time or database throughput. make sure you understand what it will take to providers often use complex terms and accomplish compliance once your applications conditions that make it difficult to compare Organisations within a vertical industry such and information are in a cloud environment. the service levels of different providers. It is as banks should make sure that the cloud important to understand the level of service service provider understands the industry; Understand where your duties lie regarding promised by each cloud service provider in certain cases, this can mean choosing a compliance, and which aspects of regulations and perform a market research to compare smaller specialised player like Rackspace in the cloud service provider will enable you offerings and get the best value for money. preference to a hyperscale provider, in order to comply with. Verify that the provider’s to leverage industry-specific tools. compliance certificates are valid and obtain Reliability and performance guarantees of resource allocations such as Analyse performance of the service provider Managed Service Providers (MSPs) deliver headcount and budget to maintain these against their SLAs for the last 6-12 months managed cloud services and act like a broker standards in the future. and the cloud service providers transparency between the end-user and an IaaS or PaaS with audit reports and control frameworks. provider. MSPs provide an additional layer of Integration with other systems, hybrid Downtime is inevitable and every cloud management to handle contracting, financial cloud capabilities service provider will experience it at some management, security and compliance, and Consider how processes or data hosted in point. What matters is how the cloud service can also deliver industry-specific capabilities. the cloud will integrate into your workflows provider deals with any downtime. Ensure now and in the future. For example, if your the monitoring and reporting tools on offer Vendor lock-in and exit planning company has already invested heavily in a are sufficient and can integrate into the Lock-in is a risk not just because of costs, provider’s ecosystem (e.g. Microsoft’s Office organisation’s overall management and but also because a bank must be able to 365), it may be a good idea to use cloud reporting systems. Ensure that the selected change and adapt to new regulations and services from this same provider (in this cloud service provider has established, requirements. Being able to move workload case Microsoft Azure), since some of them documented and proven processes for on-premise (Hybrid Cloud) or using open grant licences and often free credits to their dealing with planned and unplanned standards helps to ensure continuity of the customers. downtime. service. Vendor lock-in usually stems from proprietary technologies that do not integrate Integration between a private and public Evaluate the cloud service provider’s with those of competitors, or from inefficient cloud enables banks to create efficient, remedies and liability limitations when service processes or contract constraints. The coherent hybrid applications. This integration issues arise, as well as its disaster recovery portability of applications may be impacted can be facilitated by using the same stack provisions, processes and its ability to if they heavily rely on unique proprietary in the public cloud as in the private data support the organisation’s data preservation components. Ideally an organisation should centre. OpenStack provides an open-source expectations, including recovery time choose value added services that have and open standards stack to build highly objectives (RTO). This should include at least competitive similar alternatives, monitor the compatible applications with no lock-in and criticality of data, data sources, scheduling, availability of those services in the market to enables more customisation than branded backup, restore and integrity checks. spot risks of lock-in early enough, and plan an stacks. Managed versions of OpenStack can exit strategy at the start of its relationship with be delivered by vendors such as Rackspace, Business health, continuity and a chosen cloud service provider. RedHat, IBM or Suse. SaaS solutions should company profile provide APIs to connect applications to other While the assessment of the technical and Technologies and service roadmap data sources and interact with the bank’s operational capabilities of a potential supplier Understand where the cloud service provider systems. is obviously important, you must also take is heading over the next three to five years time to consider the financial health and and make sure it aligns with the organisation’s Service dependencies and profile of your shortlisted providers. cloud and business objectives. Does the partnerships provider plan changes that would involve re- Cloud service providers may have If a cloud service provider gets into trouble, it coding applications? Will there be a change in relationships with other providers to deliver may not have enough financial resources to its certifications or security standards? Assess their services. Evaluate these relationships meet its obligations or refund losses; to this the impacts on workloads and take them and the levels of accreditation, technical end, a business continuity plan in case of a into consideration when building the case for capabilities and staff certification of the default of the cloud service provider including cloud. underlying providers. Analyse dependencies notification period, data migration support

31 Change The Way You Change| How can banks stay ahead of the curve?

Another short quiz

What’s your take on cloud?

□□ Cloud solutions do not cater to our requirements

□□ The way to proper cloud adoption seems cloudy

□□ We’re already in the cloud

□□ Call me

32 Change The Way You Change| How can banks stay ahead of the curve?

Cloud provides transformative opportunities for organisations and is a Conclusion vital competitive component in today’s challenging market place. Cloud is not an easy technology to adopt, but the potential benefits and opportunities outweigh the challenges and risks associated with cloud transformation. To maximise cloud’s added value, an organisation should follow a structured approach, starting with the definition of a clear strategy (and involving a wide range of stakeholders), clarity of vision and expectations, knowledge of options, understanding of business drivers (both opportunities and risks), proper planning, disciplined execution and ongoing governance and management. This report has set out the steps an organisation should consider in order to get things right and become a best-in-class cloud-first company that thrives in today’s competitive market.

33 Change The Way You Change| How can banks stay ahead of the curve?

Meet the team

Sandra Bauer Partner Frankfurt am Main [email protected]

Olaf Scholz Partner Frankfurt am Main [email protected]

Marlene Beyer Manager Düsseldorf [email protected]

Dennis Nolte Consultant Hannover [email protected]

34 Brochure / report title goes here | Section title goes here References [1] Deloitte, “RegTech Universe,” Deloitte, [Online]. Available: [16] Deloitte, “2019 Banking and Capital Markets Outlook https://www2.deloitte.com/lu/en/pages/technology/articles/ - Reimagining transformation,” Deloitte Center for Financial regtech-companies-compliance.html. [Accessed April 2019]. Services, 2018. [2] Deutsche Bank, “Deutsche Bank acquires India-based FinTech [17] Amazon We Services, “DBS Bank Case Study,” Amazon We start-up Quantiguous Solutions to accelerate the bank’s Open Services, [Online]. Available: https://aws.amazon.com/ Banking strategy,” Deutsche Bank, 15 May 2018. [Online]. solutions/case-studies/dbs-bank/. [Accessed February 2019]. Available: https://www.db.com/newsroom_news/2018/ [18] Microsoft, “Societe Generale's complex financial simulation deutsche-bank-acquires-india-based-fintech-start-up- platform expands on Azure Service Fabric architecture,” quantiguous-solutions-to-accelerate-the-bank-s-open- Microsoft, April 2018. [Online]. Available: https://customers. banking--en-11578.htm. [Accessed August 2019]. microsoft.com/en-us/story/ [3] Deloitte, “Maintain control in the cloud,” 2018. societe-generale-complex-financial-simulation-platform- [4] Deloitte, “The value of online banking channels in a expands-on-azure-service-fabric-architecture. [Accessed mobile-centric world,” Deloitte Insights, 2018. February 2019]. [5] K. Tomak, “Der Bank Blog: Wie die Commerzbank aus Daten [19] Gartner, [Online]. Available: https://www.gartner.com/ Produkte macht,” 31 July 2019. [Online]. Available: https:// newsroom/id/3871416. www.der-bank-blog.de/commerzbank-daten-bankprodukte/ [20] Deloitte, “Secure and Private Computing for Banks on a Cloud digital-banking/37655791/. [Accessed August 2019]. Platform,” 2015. [6] Deutsche Bank, “Deutsche Bank transforms global collateral [21] Deloitte, “The cloud is here: embrace the transition - How management with CloudMargin platform,” 7 February 2019. organizations can stop worrying and think cloud,” 2017. [Online]. [22] Deloitte, “The future of banking - Seven wicked problems for Available: https://www.db.com/newsroom_news/2018/ banks in their strategic transformation,” [Online]. Available: deutsche-bank-transforms-global-collateral-management- https://www2.deloitte.com/nl/nl/pages/financial-services/ with-cloudmargin-platform-en-11793.htm. [Accessed August articles/the-future-of-banking.html. [Accessed March 2019]. 2019]. [23] Gartner, “Magic Quadrant for Public Cloud Infrastructure,” [7] Avaloq, “Avaloq onboards Deutsche Bank Luxembourg,” 2018. Avaloq, May 2018. [Online]. Available: https://www.avaloq. [24] Finextra, “BNP Paribas Fortis, HSBC open developer portals,” com/en/news/-/asset_publisher/vCbePfJNFpkG/content/ [Online]. Available: https://www.finextra.com/ avaloq-onboards-deutsche-bank-luxembourg. [Accessed newsarticle/33491/ February 2019]. bnp-paribas-fortis-opens-developer-portal. [Accessed March [8] Primeur Magazine, “DZ Bank believes in Cloud computing but 2019]. has to move with caution,” 29 September 2015. [Online]. [25] NelsonHall, “Wealth & Asset Management BPS - Market Available: http://primeurmagazine.com/weekly/ Segments: Overall & New Digital Banking Models Focus,” AE-PR-11-15-77.html. [Accessed August 2019]. 2018. [9] Bundesanstalt für Finanzdienstleistungsaufsicht, [26] Amazon Web Services, “Department of Defense Cloud “Informationstechnik: EBA veröffentlicht Empfehlungen für Computing Security Requirements Guide,” [Online]. Available: Auslagerung,” BaFin Journal, vol. Januar, p. 13, 26 March 2018. https://aws.amazon.com/compliance/dod/. [Accessed March [10] R. V. Zicari, “On Digital Transformation, Big Data, Advanced 2019]. Analytics, AI for the Financial Sector. Interview with Kerem [27] Swiss Bankers Association, “Cloud Guidelines: A guide to Tomak,” ODBMS.ORG, 8 July 2019. [Online]. Available: http:// secure cloud banking,” 2019. [Online]. Available: https://www. www.odbms.org/blog/2019/07/ swissbanking.org/en/media/positions-and-press-releases/ on-digital-transformation-big-data-advanced-analytics-ai-for- secure-cloud-banking-sba-guidelines-pave-way-towards- the-financial-sector-interview-with-kerem-tomak/. [Accessed future?set_language=en. [Accessed 26 March 2019]. August 2019]. [28] Microsoft, “UBS taps Microsoft Cloud to power [11] ACTICO, “Automating KYC and Onboarding Processes: KfW business-critical tech,” April 2017. [Online]. Available: https:// Group Accelerates Customer Profiling and Onboarding by news.microsoft.com/2017/04/26/ Centralizing Compliance Applications,” [Online]. Available: ubs-taps-microsoft-cloud-power-business-critical-tech/. https://www.actico.com/customers/ [Accessed March 2019]. automating-kyc-onboarding-processes-kfw/. [Accessed [29] P. M. Mell and T. Grance, “The NIST definition of cloud August 2019]. computing, SP 800-145.,” National Institute of Standards & [12] Oracle, “Top Oracle partners are building successful ERP cloud Technology, 2011. businesses. Here’s how.,” Oracle, 2016. [Online]. Available: [30] M. Schweiz, “News,” 5 March 2019. [Online]. Available: https:// https://blogs.oracle.com/profit/cloud-confident. [Accessed news.microsoft.com/de-ch/2019/03/05/ February 2019]. big-interest-for-the-microsoft-cloud-region-switzerland-the- [13] Deloitte, “Application Modernization powered by innoWake,” swiss-microsoft-cloud-provides-entirely-new-opportunities- [Online]. Available: https://www2.deloitte.com/us/en/pages/ in-the-areas-of-data-management-regulatory-compliance- technology/solutions/application-modernization.html. and-governance/. [Accessed 26 March 2019]. [Accessed April 2019]. [31] Google Cloud, “Infrastructure,” 12 March 2019. [Online]. Available: [14] Gartner, “Is the Cloud Secure?,” 2018. https://cloud.google.com/blog/products/infrastructure/ [15] Gartner, “Security of the Cloud Primer for 2019,” Gartner, new-gcp-region-in-zurich-growing-our-support-for-swiss-and- 2019. european-businesses. [Accessed 26 March 2019]. Diese Präsentation enthält ausschließlich allgemeine Informationen und weder die Deloitte Consulting GmbH noch Deloitte Touche Tohmatsu Limited noch ihre Mitgliedsunternehmen oderderen verbundene Unternehmen (insgesamt das „Deloitte Netzwerk“) erbringen mittels dieser Präsentation professionelle Beratungs- oder Dienstleistungen. Diese Präsentation ist insbesondere nicht geeignet, eine persönliche Beratung zu ersetzen. Keines der Mitgliedsunternehmen des Deloitte Netzwerks ist verantwortlich für Verluste jedweder Art, die irgendjemand im Vertrauen auf diese Präsentation erlitten hat. Diese Präsentation ist vertraulich zu behandeln. Eine Weitergabe an Dritte –auch in Auszügen – bedarf unserer vorherigen schriftlichen Zustimmung.

Deloitte bezieht sich auf Deloitte Touche Tohmatsu Limited („DTTL“), eine „private company limited by guarantee“ (Gesellschaft mit beschränkter Haftung nach britischem Recht), ihr Netzwerk von Mitgliedsunternehmen und ihre verbundenen Unternehmen. DTTL und jedes ihrer Mitgliedsunternehmen sind rechtlich selbstständig und unabhängig. DTTL (auch „Deloitte Global“ genannt) erbringt selbst keine Leistungen gegenüber Mandanten. Eine detailliertere Beschreibung von DTTL und ihren Mitgliedsunternehmen fi nden Sie auf www.deloitte.com/de/UeberUns.

Deloitte erbringt Dienstleistungen in den Bereichen Wirtschaftsprüfung, Risk Advisory, Steuerberatung, Financial Advisory und Consulting für Unternehmen und Institutionen aus allen Wirtschaftszweigen; Rechtsberatung wird in Deutschland von Deloitte Legal erbracht. Mit einem weltweiten Netzwerk von Mitgliedsgesellschaften in mehr als 150 Ländern verbindet Deloitte herausragende Kompetenz mit erstklassigen Leistungen und unterstützt Kunden bei der Lösung ihrer komplexen unternehmerischen Herausforderungen. Making an impact that matters – für rund 286.000 Mitarbeiter von Deloitte ist dies gemeinsames Leitbild und individueller Anspruch zugleich.