After many years of warnings from federal regulators about the risks of outdated legacy systems, this week the Treasury Department released a report raising concerns about the systemic risks cloud computing poses to the banking sector. The full report came with the announcement of a steering group made up of regulators, financial firms, and industry to address a list of specific issues. Most were directed at shortfalls by Cloud Service Providers (CSPs), chiefly Amazon Web Services (AWS), Microsoft's Azure, and Google Cloud Platform (GCP).
The list of main concerns from the Treasury includes:
- Not enough insight into outages and reliability by CSPs
- Shortages of skills industry-wide, particularly for migration to cloud environments
- Exposure of financial firms to incidents that originate elsewhere within their CSP
- Market concentration/power among only a few CSPs
- The resulting terms and pricing power of CSPs
- Regulatory conflicts for global organizations
Much of the report echoes the themes from other federal agencies about the desire to rein in big tech with potentially another layer of regulatory pressure. Pointed criticism of the tech aside, the more significant theme is the difficulty smaller FIs have adopting cloud technology.
One example is platform certification. For a long time, the holy trinity of certification for cloud service providers was HIPAA (health care PII), FedRAMP (for US federal government departments), and System and Organization Controls (SOC) 1/2 for financial services. However, SOC reporting is identified explicitly as a shortfall for smaller organizations:
Some financial institutions Treasury interviewed indicated that most CSPs provide SOC2 audit reports at least annually. SOC2 engagements are designed to be flexible and do not prescribe specific controls. This flexibility could be seen as a drawback that limits the independence and utility of the engagement. Some financial institutions Treasury interviewed noted that SOC2 reports were helpful but not sufficient for understanding the control environment and potential security risks for particular services.
It's worth noting that the report doesn't indicate that the certification standards aren't sufficient for protection. The problem is the gaps in the ability of banks and financial service providers to consume the services in a consistently secure way.
The issue is that the complexity of cloud deployments, mainly the non-standard configurations across providers, is too much for banks to use securely on a consistent basis.
And consumability is where all this leads. Aside from the broader attempts to tamp down the influence of large tech firms, expect this effort to produce more industry-based solutions. The focus will be on more standards for services and likely more assumption of risk by CSPs.
As steering group members, Amazon, Microsoft, and Google will advocate for themselves and, with a lot of lobbying, keep the legal obligations placed on them to a minimum.
However, much like Facebook asking for regulatory oversight of consumer privacy, heavy-handed regulation often benefits the incumbents. Despite making business more complicated and expensive, it's often crafted around what already exists and presents a much more difficult hurdle for new entrants: an instant regulatory moat.
Sidebar: It might be tempting to view all this through a compliance and security lens. Let the CISO address it with process, audit, and IT compliance.
However, in a more holistic sense, this is about control and governance.
Matt Levine at Bloomberg has a tongue-in-cheek thought experiment on compliance:
In general, the chief compliance officer at any company has a dial in front of her that she can turn to get More Crime or Less Crime, and at a normal company — a bank, for instance — her job consists of (1) turning it most of the way toward Less Crime, but (2) not all the way, and (3) acting very contrite when politicians and regulators yell at her about the residual crime. “We have a zero-tolerance policy for crime,” she will say, and almost mean it.
If those controls are ramped up to ensure zero crime, or even little suspicious activity, the bank stops functioning and serving its stakeholders, including society. You can look at Credit Suisse's backpedaling on increased risk controls in Asia as an example.
In much the same way, adopting technology becomes a set of linked dials. Faster time to market often comes with more risk (both in execution and compliance). Competitive pressures will often dictate the pace of change, and playing catch-up is a terrible place to be when trying to balance those concerns. Having a well-thought-out approach, driven by the needs of your specific customers and not necessarily the roadmap of your key vendors, is an excellent start. Look to place bets where you can best leverage your limited budget, and focus on getting closer to and delighting your customers.
We are here to help. If you’re looking to develop options or need to quickly and efficiently test your ideas with your market, reach out.