Banks are continuing their cloud transformation as they modernize legacy systems and provide more self-serve experiences to customers through mobile channels. This has become even more important over the past year as we deal with the pandemic.
Fintechs and app-based ‘challenger’ banks are already using cloud-native technologies to connect with customers. While legacy banks need to keep up with new competitors, consumer expectations and emerging technologies, they must also meet strict regulatory and compliance requirements, particularly when it comes to security and privacy.
The events of 2020 have been a catalyst for change, accelerating innovation and cutting through regulatory inertia. Our global Harvey Nash / KPMG CIO Survey 2020 found that almost half (47 per cent) of respondents say the pandemic has permanently accelerated digital transformation and the adoption of emergent technologies, and they’re prioritizing spend on cloud infrastructure, security and privacy.
Managing risk in the cloud
For legacy banks, one of the biggest security and privacy challenges is managing risk in the cloud. There are several cloud-related standards and best practices that address this, such as those from NIST and ISO. A keystone in their adoption strategy is to assure standards compliance through automation: in this model, cloud platform engineers automate the necessary preventive and detective controls at an infrastructure level. This approach unburdens lines of business from complex infrastructure security requirements so they can focus on developing enhanced customer experiences. Much of the infrastructure-level compliance then becomes a by-product of their consumption.
The problem is, automated security engineering is complex and if we don’t understand the risk, we don’t take the risk. Centralized technology organizations within banks need to be in sync with their internal risk control partners, but they’re typically set up more like church and state. Yet, the threat landscape is evolving so quickly that if you’re not agile with your cloud adoption, you may find that six months into your journey, something that was initially deemed secure is no longer considered secure enough.
That’s why it’s important to choose the right strategic build candidates for your cloud program. Focus investments on building a foundation for these visible initiatives and grow incrementally from there. This isn’t easy; the longer you’re at it, the more things change, and the more expensive it gets. We’re also seeing an evolution of cloud itself from hybrid to multi-cloud environments.
The role of containerization
If you’re a CIO, you can’t ignore multi-cloud and hybrid considerations. You need portability and agility, but you also want to reduce the risk of vendor lock-in. Container platform strategies are now the go-to way to achieve this outcome. However, flexibility historically comes at a price, and true portability often means avoiding the use of managed platform-as-a-service (PaaS) solutions specific to each major cloud provider.
For example, if you’re using containerization for portability, are you going to be forced to containerize services that are actively being commoditized and then manage them yourself on a platform that is foreign to your current workforce? A hybrid approach may be a viable alternative. Here, you’re selectively locking in where switching costs may be low.
You’ll have to ask yourself whether your business case can be achieved at scale and if containerization serves your purpose. Coming up with a framework to make those decisions is essential. Ultimately, CIOs are seeking clarity to find that right balance between being platform agnostic and driving a positive return on investment.
Meeting regulatory compliance in the cloud
Banks must ensure regulatory compliance in the cloud, including customer-centric procedures such as Know Your Customer (KYC) to assess risk and comply with anti-money laundering (AML) laws.
KYC in the traditional sense means going into the branch and showing three pieces of ID. But the ability to automate this process, and reduce face-to-face interactions, is becoming increasingly important, especially since challenger banks are already doing this.
The next-generation capabilities becoming readily available through cloud service models can make automating KYC and AML easier. However, their adoption is predicated on being able to manage the risks effectively, harness next-generation platforms and integrate these new capabilities into legacy processes. Financial data is sensitive, and from a regulatory perspective, the stakes are high for banks when running a use case like this in a cloud environment.
Self-serve is the future of the industry. But can you take some of your most important processes, including Know Your Customer (KYC), and turn them into self-serve options in the cloud? Consider the risks you’re taking on and what the roadmap will look like in terms of time frames and investment dollars. An organization’s maturity will significantly influence the degree to which automation can be applied to important problems, especially ones that are labour-intensive (and not necessarily differentiating).
Legacy banks are competing with — and, in some cases, partnering with — fintechs and app-based challenger banks. Cloud can help them keep pace, but the risks are high, especially when they’re putting their hard-earned reputation on the line. But not keeping pace with industry change and technological innovation is just as risky.