OBSERVATIONS FROM THE FINTECH SNARK TANK
The U.S. Treasury released a report titled The Financial Services Sector’s Adoption of Cloud Services identifying banks’ approaches towards cloud computing deployment, the challenges they face, and the potential downsides of having three cloud services providers (CSPs)—Amazon, Google, and Microsoft—dominate the market.
Tiptoeing Through The Tulip Clouds?
A January 2022 New York Times article titled Banks Tiptoe Toward Their Cloud-Based Future claimed:
“Banks have been slow to adopt cloud computing. While Wall Street has long acknowledged the potential of cloud computing to cut costs, they have only allowed their firms to take halting steps. Some firms are held back by old computer systems that are difficult to revamp or retire, making the transition even more tricky.”
Adoption isn’t the issue and banks aren’t “tiptoeing” anywhere.
Cornerstone Advisors’ 2023 What’s Going On in Banking study found that three-quarters of US banks and credit unions already have—or expect to have by the end of 2023—apps running in the cloud. According to the report:
“The DevOps culture present around cloud computing brings development and operations teams into one, paving the way for faster build, testing, and release cycles. Banks are optimistically looking to a cloud future as a means of moving from ‘legacy speed’ to ‘innovation speed.’”
Challenges in Banking Cloud Adoption
Treasury, however, identified challenges that banks face with cloud computing:
- Lack of transparency to support due diligence and monitoring. Information shared by CSPs is often insufficient for banks to identify risks like: 1) internal software dependencies within the public cloud environment; 2) CSP protection against cyber risks; and 3) information regarding operational incidents, including real-time updates and after-action reports.
- Staff shortages and inadequate tools. The report pointed out that many cloud-related security incidents are caused by user misconfiguration of cloud services, compounded by a shortage of personnel with cloud service expertise. In addition, Treasury said tools offered by CSPs may not be “user-friendly” and may be inadequate for security configuration and monitoring.
- Exposure to operational incidents originating at a CSP. Cloud services can improve resilience and security that reduce operational risks, but the services are still vulnerable to operational incidents. Options for resilience configuration—relying on a single CSP, using separate CSPs for different applications, or combining public and private cloud with on-premise infrastructure—often adds additional costs.
Is Cloud Power In The Hands Of Too Few Providers?
Treasury also raised concerns about Big Tech’s market share for cloud services in the banking industry. While recognizing the potential benefits of Big Tech’s scale—like improving interoperability between banks and their vendors—Treasury warned:
“Concentration could expose many financial services clients to physical or cyber risks, and addressing such risks may necessitate action on the part of each financial services client. The key issue for policymakers and financial authorities is in understanding the potential aggregate impacts on financial institutions’ functions and the services that financial institutions provide to consumers and businesses.”
Treasury also identified implications of the cloud service dominance of the three major players on banks’ leverage (or lack thereof) in contract negotiations, noting:
“Financial firms of all sizes consider negotiating contracts with CSPs to be challenging. Smaller institutions noted their lack of bargaining power. Unbalanced contractual terms could limit individual institutions’ ability to measure and mitigate risks from cloud services, which could result in unwarranted risk across the sector.”
What does Treasury intend to do about the Big Tech CSP providers’ market concentration?
“Treasury will prioritize its focus on the concentration of cloud services most important to the functions of the financial sector. If Treasury assesses that cloud services critical to the functioning of the financial sector do not have appropriate resilience and security, Treasury will take actions as appropriate and consistent with its authorities in consultation with appropriate government agencies.”
Current Regulations Are Harmful Enough
For banks, dealing with banking regulations is like playing football with their hands tied behind their backs. Treasury’s implied (or threatened) actions—i.e., breaking up or limiting the CSPs—would amount to turning the banks’ helmets around backwards.
Treasury’s report reflects the current Washington consensus that Big Tech firms have too much market power and should be dismantled. It’s hard to understand how doing that could possible result in improved resilience and security in the banking industry.
Many banks rely on Amazon, Google, and Microsoft for cloud services not just because they have to but because they want to—the big three have the resources and skills to provide cybersecurity capabilities the banks could never build on their own.
The Treasury report does acknowledge that changes in the cloud services provider market would result in higher costs to banks. But Washington never seems to admit that those higher costs will ultimately find their way to consumers.
And when they do, politicians—two Senators in particular (you know who they are)—go (faux) ballistic and call for more regulations and price controls.
How is the Core Market Any Different Than the Cloud Market?
Although the Treasury report was focused solely on the cloud services arena, omitting any mention of the banking core systems market is puzzling.
If Treasury is concerned with smaller financial institutions’ contract negotiation leverage, they might want to start with the core banking—not the cloud—market. The core banking market is dominated by three players—Fiserv, FIS, and Jack Henry—that, collectively, hold three-quarters market share.
Banks Underestimate the Cost of Cloud Migration
Banks can complain all they want about not having contract negotiation leverage with the big CSPs, but the first challenge they need to address is accurately estimating cloud migration costs.
A team of Dutch university professors identified nine cost categories associated with cloud migrations and their assessed their costs at 10 banks:
In five categories—dependencies, legislation, departmental support, re-architecting, and external contractors—at least half of the banks experienced cloud migration cost overruns (versus original estimates). Application dependencies were the most common form of budget overrun. One banker said:
“We had to decompose some applications due to dependencies. Cloud adoption in practice is much slower than expected due these kind of complexities.”
Between a Cloud and a Hard Space
Breaking up the Big Tech cloud services providers—or any other approach to “de-concentrating” the market—isn’t going to solve the cost estimating problems, the contract negotiation challenges, or the operational issues identified in the report.
The policy solutions insinuated by raised by Treasury would keep (or put) banks where they don’t want to be—between a cloud and a hard space.
For a complimentary copy of the Cornerstone Advisors report, Leveraging the Cloud to Accelerate Digital Transformation, click here.