Bain & Co on myths that hinder cloud in financial services
According to Bain & Company’s latest survey, as more financial services firms migrate operations to the cloud, their decisions are often based on myths that undermine the cloud’s value rather than reality.
Challenger companies in the financial services industry have benefited greatly from cloud technology – using the tech to leverage their innovative products or services.
The scalability, adaptability, and interoperability of cloud has boosted the growth of companies like Starling and Monzo in the UK, Nubank in Brazil, and PasarPolis in Southeast Asia.
Traditional banks, insurers, and other firms have started to respond by migrating some operations to the cloud, often through partnerships with cloud providers.
A recent Bain survey shows that more IT executives aim to gain flexibility and scalability through cloud. This will help them achieve goals including operational efficiency, the use of artificial intelligence to improve customer service, and personalisation of products and services.
The problem is that often these migrations to the cloud are flawed as architectural decisions are sometimes based on myths and misconceptions. It is therefore essential to closely examine the facts and take practical steps to overcome these hurdles.
Myth 1: Data protection and privacy will be compromised
Executives are concerned that unencrypted information will be stored on a cloud provider’s infrastructure, raising the risk of a data breach. The Bain survey shows that “data privacy and security concerns” are a major barrier to cloud adoption in financial services, with 80% of respondents citing “reputation for security, reliability, and availability” among their top five criteria in selecting a cloud provider.
In reality, cloud infrastructure represents a cost-effective way of ensuring compliance with privacy standards. Pseudonymisation – a process where data is separated from direct identifiers – is one option for remotely storing personally identifiable information (PII).
The European Union’s General Data Protection Regulation (GDPR), for instance, relaxes requirements on controllers that use pseudonymisation. Cloud functionality may also help detect and redact PII that is not pseudonymized.
Encryption and effective key management play a critical role in protecting client data and ensuring their privacy. Financial institutions may choose to use the cloud provider’s own key management service, client-side encryption, or have their keys managed by a trusted third party.
Myth 2: It will be harder to fulfill regulatory compliance
Some regulators are concerned about their ability to assess the industry’s IT infrastructure when it is run by a third party. However, cloud technology can play a significant role in reducing the effort required to keep up with regulatory changes.
Cloud services are designed to comply with most regulatory requirements, including third-party validation and regular updates. Contracts can also be localised to comply with local laws and regulations. Cloud-based tools aid compliance at scale by automating policy monitoring and enforcement.
AI tools can alert users to vulnerabilities or misconfiguration. They enable financial institutions to automate certain regulatory reports, freeing up capacity for regulatory strategy and incidence handling.
Myth 3: A company will be dependent on one cloud provider
Becoming dependent on a single provider could result in less flexibility. While cloud transformation may mean committing to a preferred partner, vendor lock-in does not restrict a firm to only one provider.
Larger institutions will probably prefer a multicloud environment, or even multiple single-cloud environments to suit business arms and geographies.
Leading institutions ensure cloud sovereignty by focusing on three dimensions:
- Data sovereignty requires mechanisms to limit data access to specific provider behaviours that are deemed necessary. Such mechanisms include third-party key management, detailed key access justifications, and data-in-use protection.
- Operational sovereignty requires assurances that the people working at a cloud service provider cannot compromise client workloads, for example, by limiting support personnel access or deployment to specific countries.
- Software sovereignty requires financial institutions to control the availability of their workloads and run them wherever they want, without depending on a single cloud service provider. In this context, open-source software and open standards play an important role.
Myth 4: Migration to the cloud increases architectural complexity
The Bain survey shows respondents' on-premises infrastructure to drop by 13% over the next three years, but on-premises deployment is not going away. Companies will have to deal with hybrid architectures.
Executives worry that hybrid solutions can get complicated, which is understandable when it comes to interoperability, for example.
Hybrid multicloud setups can add complexity but modern cloud management solutions can effectively contain this. With careful analysis involving the IT and operations teams, companies can strike the right balance between portability and ease of implementation.
Myth 5: The cloud is not appropriate for the core business
Cloud-based finserv services used to be focused on ancillary services and specific applications like customer relationship management or software development. Now, cloud-native core banking systems are emerging in large incumbents. For example, JPMorgan Chase announced in 2021 that it would move the retail banking’s core system to the cloud.
Cloud technology is regarded as essential for embedded finance, including fast-growing applications such as banking-as-a-service and buy now, pay later (BNPL).
Though there are several paths to transformation, a shared legacy approach that combines cloud-native digital platforms with a bank’s existing digital capabilities may even help those banks avoid a full technology reboot.
Myth 6: An agile transformation does not involve much planning
Most financial executives recognise that cloud transformation is a long journey. They realise that moving too quickly could disrupt and damage the organisation.
Most have found that a phased approach is most effective. However, taking a step-by-step approach without clear direction can also prove misguided – and risky. An agile transformation mandates a clear vision of the desired end game, along with careful preparation and planning.
The Bain survey finds that half of respondents feel unprepared for the governance of a cloud migration and lack a talent strategy. Reaching the desired cloud-based end state will hinge on the organisation learning practical insights and addressing barriers along the way.
Starting the cloud journey with a lift-and-shift migration
A lift-and-shift migration, where a company moves workloads to a new environment with minor or no modifications, is sometimes seen as a sensible approach. In reality, it could lead to problems and deliver a fraction of the potential benefits.
Instead, a high-impact, scalable migration typically involves taking a long-term perspective with thoughtful staging. The first step involves determining the company’s starting point along five dimensions:
- cloud vision and strategy
- transformation plan and economics
- security, risk, and regulatory approach
- cloud-enabled operating model
- technical strategy and execution
Cloud adoption will not happen overnight. It is a journey with clear milestones, including taking into account available budgets and resources.
Since the major hurdles are largely cultural and organisational, senior management will need a clear strategy to achieve their goals. Those that understand and avoid the myths and misconceptions stand a better chance of capturing cloud’s full potential.
READ the full Bain & Company insight.