The power of the cloud to provide a flexible and scalable way of keeping data has led to a dramatic rise in its use in financial services. But a scattershot approach risks exposing banks and their customers to security threats.

Furthermore, the eagerness of European institutions to invest in their own cloud offerings leaves them at the mercy of Big Tech companies from overseas. Now, 19 European banks are fighting back by creating the European Cloud User Coalition (ECUC).

Jim Banks talks to ING’s chief information security officer Beate Zwijnenberg, CEO of UniCredit Services Daniele Tonella, and David Zeller, Group CTO at Raiffeisen Bank, about what the ECUC means for the industry.

The financial services sector of today is unrecognisable from twenty years ago – and the process of evolution continues even now, driven by unstoppable technological advances. Where online banking was once cutting edge, now it is the norm.

As customers conduct their financial transactions in cyberspace and banks rework their legacy systems to gain efficiency, one technology looms large over it all – the cloud.

Whether building their own private cloud infrastructure, or leveraging the public cloud services provided by Amazon, Google and Microsoft, banks are transforming the way they store and manage valuable data.

“Cloud computing is completely changing the way businesses store and access their data,” says Daniele Tonella, CEO of UniCredit Services, the ICT provider company to the UniCredit Group.

“Whether you choose private, hybrid or public cloud architecture they can offer many benefits – reduced time-to-market and innovation, pay-as-you-go contracts, greener IT, modern infrastructure, and cost sustainability.”

Unicredit, like many banks, is using cloud services for a vast array of applications. One example is shifting its High Performance Computing Cluster (HPCC), a global back-end application, to the cloud.

The bank has elected to use a pay-as-you-go model, which enables cost to change in accordance with variations in daily workload and the modular nature of tasks, which can be switched on and off to save on computing power.

Not unrelatedly, UniCredit has chosen to use public cloud architecture rather than its own private cloud infrastructure to leverage the scale and expertise of a large-scale provider.

“The use of this platform for risk analysis has skyrocketed over the last ten years,” Tonella explains. “We needed to increase the computational capacity of our infrastructure and started IT analysis in 2018 to identify possible solutions. Moving HPCC to the cloud guarantees flexibility and scalability in real time of our computational capacity and helps manage any peaks in usage.”

“Public cloud technology enables users to take advantage of ‘on-demand’ infrastructure and service solutions on a pay-per-use basis, without having to invest in computing capacity or a data centre infrastructure,” he adds.

A similar pattern is emerging at ING, which uses a private cloud architecture for most of its core banking applications, and is mixing private and public cloud services to offer its customers better, faster and more personalised experiences.

Its choice of private cloud for its core systems means the bank retains control over the location and management of its most crucial data – though it remains open to using public cloud architecture for the development of additional products and services in future.

“ING is an early adopter of cloud technology and sees it as an important element in its digital transformation,” says Beate Zwijnenberg, ING’s global CISO.

“In an increasingly digitalised world we look towards balancing security with flexibility in all areas of our business. The benefits of having cloud within the financial services industry as a whole cannot be highlighted enough.

“First of all, there is the reduced time-to-market, as it provides a growing and readily available set of services we can use. Secondly, there is the accelerated time-to-volume – with public cloud regions spread across the globe, it becomes easier to scale our platforms and services.”

As a concept, then, cloud services offer unprecedented benefits – but there are risks with the execution of any cloud strategy in practice. First, all the major cloud services providers are Big Tech companies based overseas – Amazon, Google, Microsoft – and must meet Europe’s stringent regulatory requirements for security and privacy.

Second, agreeing to technical specifications can be cumbersome and time-consuming. Fortunately, the industry has come together to meet these challenges head-on.

“The benefits of having cloud within the financial services industry as a whole cannot be highlighted enough.”

Forthright and focused

For UniCredit, ING and a host of other European financial institutions, the wider adoption of cloud services is littered with operational and regulatory challenges, each of which could derail their efforts to optimise the benefits of such a flexible systems architecture.

“European banks face the same challenges,” says David Zeller, Group CTO at Raiffeisen Bank, which is transitioning many parts of its IT infrastructure to the cloud.

“On the one hand, cloud companies offer great technology to enable our business but, on the other side, security and regulations force banks to be cautious about cloud usage and outsourcing. Having a common voice towards cloud providers helps to build awareness and impact with the cloud providers for the specific needs of the finance industry.”

“For all the benefits that cloud technology brings, it also brings its challenges,” agrees Zwijnenberg. “Regulatory requirements make it challenging to adopt public cloud services. Take, for example, the impact of legislation such as the Digital Operation Resilience Act (DORA) and rulings such as Schrems-II.

“Then there is the challenge of portability, as currently migration between cloud providers can be challenging and time-consuming. Lastly, public cloud adoption for financial institutions is challenging due to the specifics of cloud computing, as it is being regarded as outsourcing.”

DORA, for its part, is the EU’s effort to streamline third-party risk management processes across financial institutions, with a view to improving cybersecurity and operational resilience.

The ECUC’s Position Paper, which outlines its key goals and priorities, currently recommends clarifications to the scope and application of DORA, including an alignment with existing standards.

Schrems-II, meanwhile, is a ruling made by the Court of Justice of the European Union in mid-2020, which affects all transfers of personal data between EU member states and external markets with lower levels of data protection, particularly the US.

The European Commission has since published a draft update of the standard contractual clauses to be used in personal-data-transfer situations to recipients outside the EU. Among other things, it carries the potential for large fines – 4% of worldwide revenue – for compliance breaches.

In Europe, the response to the difficulties of cloud transition has been the formation of the European Cloud User Coalition (ECUC) by 19 banks, among them UniCredit and ING, along with Allied Irish Banks, Erste Group Bank and Swedbank, to name but a few.

“To agree on a bilateral basis with cloud service providers on standards, set-up of services and contractual clauses is very time-consuming,” says Zwijnenberg.

“In addition, they welcome a joint position from the European financial industry. With the ECUC, there is a platform for jointly defining and communicating the position and our requirements.”

“As ING, we want consistent and off-the-shelf standards for the financial industry, for both current and upcoming cloud services,” she adds.

“These standards should, in turn, increase flexibility, decrease switching costs and reduce potential concentration risk. The other key factor that led to the setting up of the ECUC is to share knowledge and best practices in an informal way within the coalition.”

The ECUC has been constructed as a forum for discussion within the financial services industry and as a platform to give the industry a voice, not only when engaging with cloud services providers (CSPs), but also when discussing the future of cloud with regulatory bodies.

The financial services industry is keen to exploit public cloud solutions to improve time-to-market and time-to-value, as well as security and flexibility. But first it needs to ensure that it has a united front in addressing relationships with both CSPs and regulators, as well as discussing problems and solutions among themselves.

Through the ECUC, banks have precisely such a platform, one which could bring mutual benefit to all stakeholders.

“Cloud service providers can solve specific challenges once and, in doing so, satisfy multiple customers at the same time, leading to compliant and secure cloud solutions for financial institutions,” Zwijnenberg believes.

“Regulators could leverage our requirements to formulate thresholds for CSPs in order to be appropriate for banks.”

“The other key factor that led to the setting up of the ECUC is to share knowledge and best practices in an informal way within the coalition.”

Speaking in unison

The ECUC Position Paper provides a clear template for how its members want to approach key issues – not only those relating to specific pieces of legislation such as DORA, but also the broader themes of outsourcing, risk management, data security, and data privacy requirements.

It further includes specific points requiring model terms for cloud service agreements. These function as a​ checklist for banks to use in constructing their own cloud service agreements.

“The purpose of the ECUC is to unite financial institutions as cloud users on a level playing field and to channel our requirements into a joint position to leverage European standards for the use of public cloud services in the financial industry,” says Zwijnenberg.

“It’s true, it does take time and effort to get 19 financial institutions’ viewpoints aligned, as we’re coming from different starting points and backgrounds. By working together as a large group, we have more impact than each on our own.”

For their part, CSPs have taken notice of the ECUC, regarding it as a coalition to be taken seriously. For the banks, a key advantage is that they no longer have to duplicate their efforts, as they can share knowledge, learn from the lessons of others and pool their collective expertise from different areas to coordinate an approach that suits all members.

“Cloud service providers welcome a joint position from the European financial industry,” argues Tonella. “With the ECUC, there is an efficient structure for defining and communicating this position and the derived requirements, which will then be more likely fulfilled.

“The synergy of the coalition of these banks definitely makes it easier to address the challenges we are all facing. At the European level, this coalition improves the adoption of cloud services that are fully compliant with European bank regulation.”

“For sure it makes a difference if 19 European banks raise the same points with one voice, as each bank would do it individually,” adds Zeller.

“Also, from a communication channel point of view, the points are addressed not with an individual account team from the cloud provider, where information might get lost, but with central counterparts within the cloud providers that focus typically on the security and compliance aspects of their platform.”

Banks want to ensure that Europe’s high standards on data protection are applied throughout their cloud services, wherever in the world they’re hosted. Though in its early days, the ECUC is helping the industry make great strides towards making this a reality.

With every bank moving key services into the cloud, or at least examining its potential benefits, the ECUC’s membership could continue to grow, giving the industry an even stronger voice in shaping how this revolutionary technology defines the industry.

This article originally appeared in Future Banking winter 2021.