Friday, March 1, 2024

Opinion | Myths and realities of the financial sector’s journey to the cloud

Date: March 1, 2024 Time: 07:57:17

In the article dated May 17, we probably explained what cloud computing is, its opportunities and challenges, and its importance for all economic activity, including the financial sector.

Now we go a step further and explain the myths and realities of the journey of the financial sector, in particular the banking sector, to the cloud.

Let’s start with the myths. First myth: the banking supervisor does not let banks go to the cloud. This is not true and proof of this is the existence of neobanks, that is, 100% digital banks, without physical branches, which operate entirely through mobile channels or the web and which in many cases are already born entirely in the cloud. Another example of this is the migration to the cloud that many traditional banking entities are undertaking for part of their banking services. Second myth: the banking supervisor has approved the use of the cloud by banking entities. It is also false, since the cases are analyzed one by one, as we will explain below. Third myth: the banking supervisor must be notified of everything that is taken to the cloud. Incorrect too, since you only have to notify the outsourcing of critical services. Fourth myth: banks migrate their services to the cloud overnight. It is not true, at least for the entities that do things correctly, especially if we are dealing with critical services. It is not a Big Bang, but a gradual migration. The usual thing is to start with a pilot phase, continue with a project phase and only if everything has gone well, move on to the production phase.

And now let’s go with the realities. Starting with the regulatory level, you have probably heard of the Digital Operational Resilience Act (DORA) and the requirements it imposes on third parties. However, in practice, DORA is not yet fully applicable, pending the development of second and third level regulations. But that does not imply that there is a legal gap, quite the contrary. Indeed, Bank of Spain Circular 3/2022, in particular rule 43, applies, as well as the Guidelines on outsourcing of the European Banking Authority.

Continuing with the opportunities and mechanisms to mitigate the risks. Undoubtedly, cloud computing offers real opportunities in terms of scalability, easy availability of technological updates, ubiquity, resource optimization and cost reduction. But to enjoy these opportunities and get the most out of them, you have to manage the risks properly. The aforementioned regulations require entities to have an outsourcing policy approved by the board and to review it every two years. In the outsourcing policy, entities must compare their providers with the market alternatives, analyze the continuity of the provider in the market, its reputation and economic viability, take into account the outsourcing chains, as well as define an exit plan to be able to either change providers or relocate cloud services back to their own premises. The outsourcing policy is intended to have entities identify the specific outsourcing risks included in the regulations, such as LEVEL DD and concentration and dependence on a supplier, subcontracting (also known as “fourth party risk”), the risk that the provider to which it is outsourced requires financial support, operational and technological risk, reputational risk or the risk of breach of contract, among others. Once mitigated, the residual risk must be aligned with the risk appetite of the financial institution.

Third, let’s discuss the role of the bank supervisor. As we said before, it is not necessary to notify the bank supervisor of everything that is taken to the cloud, only critical outsourcing. Significant institutions will notify the ECB and less significant institutions will notify the Bank of Spain at least two months before the effective use of the function begins. The procedure is one of non-objection, so that once two months have elapsed since the notification, positive silence will operate and the entity will be able to start making use of the cloud service. The documentation required by the supervisor is varied, but especially highlights the contract between the entity and the provider, the service level agreements, the entity’s outsourcing policy, as well as evidence of its approval, the risk analysis, both general and specific, and the exit plan. In addition, it is required that the contract between the entity and the provider contain a series of clauses such as the right of access and audit by the financial institution and the supervisors, the right of termination and exit, notification of incidents (for example, attacks, data breaches), notification of material changes (such as changes in supplier regions) or notification of changes in the subcontracting chain. The supervisor allows the presentation of a draft contract, but once signed, it must be sent by the entity within a maximum period of 15 days.

Finally, the migration of services to the cloud is a shared responsibility between the bank and the provider. Although the entity delegates the service to the provider, it cannot eliminate responsibility entirely. After all, the one that shows its face in front of the final customer is the bank. For this reason, it is essential that the bank and the provider work as a true team and that both have professionals specialized in the matter.

The cloud could become an opportunity for the banking sector to free itself from managing more operational and technological issues, focusing on the core of what its business has always been: raising financing and granting credit. For this reason, it is important to continue delving into this issue and discovering the different angles of the debate. And we will continue at it. See you in the next chapter of the financial sector’s journey to the cloud.


Puck Henry is an editor for ePrimefeed covering all types of news.