The Cloud – What’s Stopping Financial Institutions?

This blog looks at what might be holding financial institutions back from migrating to the cloud and how that relates to MYHSM’s services.

The majority of financial institutions have or are developing a cloud strategy, and most are already making some use of the cloud. There are a number of reasons why the cloud is an attractive alternative to running your IT in the traditional manner of owning and operating in-house data centres, including:

• reduced costs, and costs of cloud computing continuing to decline because of competition between cloud service providers
• nimbleness, speed to market, competitiveness, and responding to the threat of the challenger banks
• scalability
• avoiding the continuing cycle of equipment obsolescence and replacement
• access to third party data and applications
• integration with fintech partners, which is being accelerated by open banking initiatives
• temporary additional capacity for testing

The benefits seem to be compelling. However, many systems, especially from established banks, are still running in the traditional architecture. So, what’s holding them back? And what role can specialised service providers like MYHSM play in helping them move to the cloud? Let’s look at the main obstacles to moving to the cloud:

Security

The most commonly cited reason for companies to stop and think about the cloud is security. And these security doubts are largely around the storage of data by third parties. In addition to fears that a third party’s data storage might be breached, there is the concern of banks and their national regulators about data sovereignty – which country the data will be stored in.

Banks are right to worry about security, of course. But a good quote is from Eve Aretaxis of ACI, who says in the 2021 Time Capsule from PYMNTS.com that: “Risk-averse banks… are warming to the fact that the big cloud providers can spend more on security in a month than any bank could spend in a decade.”

And if you look specifically at a service like MYHSM’s, we don’t store data at rest. We handle only individual transaction data, which is securely encrypted while being sent between ourselves and the financial institution and exists only instantaneously and inside the secure envelope of a certified Payment Hardware Security Module (HSM). So, the MYHSM service can begin to deliver the benefits of the cloud to the financial institution without raising concerns of how or where data is stored.

The other major concern relating to security is loss of control over security-sensitive operations. To a certain extent, these fears can be mitigated by examining the third party’s procedures, and by using data centres (such as those operated by MYHSM’s partner Equinix) which are PCI DSS approved, and service providers (like MYHSM ourselves) which are PCI PIN approved; these approvals encompass security operations. In relation to MYHSM, because our service is specialised and limited in scope, most operations remain entirely within the control of the user organisation. To reiterate, the MYHSM service can lead the user into the world of the cloud without requiring them to forego their established procedures.

The question of cost

Although the cloud will deliver cost benefits over time, established players with legacy IT systems will face an immediate cost hit in moving these systems to the cloud. This can be expensive, time-consuming, and require skills and tools that the company does not have. Whilst this is not a problem faced by newcomers, for established players it is a classic investment-now-versus-future-gains evaluation that they will have to make.

One of the attractions of the MYHSM service is that it can work with payments systems that are architected as either traditional on-premise applications or cloud applications. So, it can deliver cloud benefits for the Payment HSM aspects of a payments system while the system as a whole is being migrated to the cloud – or indeed, if the payments system remains in-house.

Regulatory Uncertainty

The financial world is heavily regulated, at both national and industry levels. Financial institutions cannot move systems to the cloud if there is a danger that this will not meet with the approval of their regulators.

Although the UK’s Financial Conduct Authority has published guidelines for cloud adoption and argued that there is nothing to prevent banks from implementing compliant cloud services, the European Central Bank issued warnings in 2019 about the hazard of the cloud, and the Bank of England may consider testing the resilience of financial institutions to cloud threats.

This will undoubtedly delay the migration of many banking applications to the cloud. But again, a point solution like MYHSM’s can be deployed in isolation without requiring the whole application to be cloud-based. And in terms of industry approval, the data centres and the MYHSM service are approved to the relevant PCI standards.

Conclusion

Reluctance to move over to the cloud because of concerns over security are probably unfounded, but financial institutions will need to perform due diligence in the context of their own systems. On the other hand, the cost of migration of legacy systems and seeking clarity on the regulatory landscape are brakes on a rapid move to the cloud. But while all these issues are being settled, there is no reason why a point solution like MYHSM’s could not be deployed.

If you want to discuss how MYHSM can help you move your IT architecture to the cloud, email us at info@myhsm.com.