Cloud computing is a technology that delivers computing resources over the network, scales them automatically according to demand, and lets customers pay according to their usage. Unlike traditional computing dominated by proprietary data centers, cloud computing involves relatively standardized services that a service provider delivers to many different customers at large scale. Financial institutions, from banks to asset management companies, already use cloud services for everything from non-critical functions such as e-mail management and application development to core functions such as payment processing and data storage.
This paper examines the effective regulation and supervision of cloud use by financial institutions in three parts: (1) the background to financial institutions' use of cloud computing, together with the relevant advantages and risks; (2) a review of the current regulation of financial institutions' use of cloud computing and its structure; (3) three measures and suggestions for reducing the obstacles to wide adoption of cloud computing across financial institutions.
Application background of financial institutions and cloud computing
(1) From data center to cloud technology
In the 1950s, with the advent of the first large-scale commercial computers, banks began to use computers. Decades later, in the 1980s and 1990s, banks gradually replaced the old terminal technology with personal computers and information technology data centers. Now, in order to meet growing demand for information technology (IT) and to offer customers more innovative, high-quality remote and mobile services, financial institutions have begun to shift from proprietary IT infrastructure to cloud computing. According to analysis by the U.S. Treasury Department and industry research, the migration of core financial service activities to the cloud will increase greatly over the next decade, driven by the need to process large amounts of data and to provide mobile-first digital banking services.
(2) Cloud service model
The nature and extent of the control retained, and the risk borne, by a financial institution using cloud services depend on the service model it adopts. Cloud services fall into three basic models: infrastructure, software and platform. The infrastructure-as-a-service model involves the use of computing infrastructure such as servers, storage capacity or networking. The software-as-a-service model allows customers to run software developed by a third-party provider on remote cloud servers. The platform-as-a-service model provides more structure than the infrastructure model and more flexibility than the software model: it lets customers develop and run their own software on development infrastructure and application hosting provided by the cloud service provider. Which service model a financial institution chooses depends on its own needs and technical capabilities.
(3) Private cloud and public cloud
In addition to different service models, cloud providers also offer different deployment models. A "private cloud" refers to cloud resources dedicated to a single customer, while a "public cloud" involves the use of standardized, commercialized cloud infrastructure by many different customers. This paper focuses mainly on the use of the public cloud, that is, the use of computing infrastructure that is owned and managed by a third party and shared with other customers. There are two reasons for this focus: (1) the public cloud provides the unique benefits of standardization, commercialization and the corresponding economies of scale; (2) the relationship between a financial institution and a public cloud provider is fundamentally different from a traditional outsourcing relationship, because in the public cloud the financial institution shares computing resources with thousands of other customers from different jurisdictions.
Application advantages of cloud computing
(1) Reduce costs and improve efficiency
The complexity of banking business and the rising cost of proprietary data centers force financial institutions to invest continuously in new hardware infrastructure. In contrast, cloud providers give customers the ability to scale up automatically when additional resources are needed and to scale down automatically when demand falls. The automation and metering of cloud resources help reduce the cost of technology infrastructure and convert large upfront capital expenditure into smaller ongoing operating costs. In addition, the lower upfront cost of cloud computing makes it easier for financial technology start-ups to compete with established financial institutions, which has great potential for improving services and expanding access to finance, especially for consumers in developing countries or underserved markets.
(2) Improve security and resilience
Global cloud providers operate at huge scale (from hundreds of data centers, to transportation centers, to decentralized development teams). They use automated mechanisms to detect and repair problems quickly, which greatly limits manual handling of data and so reduces the risks associated with manual processes, such as human error. At the same time, the distributed nature of cloud storage and processing, and the fact that cloud providers can draw on far more computing resources than any single financial institution, make it possible to give financial institutions greater operational resilience.
(3) Data analysis and technical management
Cloud computing allows financial institutions to access computing resources on demand. Automatic scalability makes cloud computing particularly well suited to real-time analysis of large data sets, allowing users to continuously record and analyze large volumes of data. Financial institutions and regulators can also use cloud-based data analysis tools to monitor compliance more effectively and to deepen their understanding of financial system risk. Better use of sophisticated data analytics not only improves the risk management of the individual financial institution but also promotes the sound development of the financial system as a whole.
Risk of cloud computing applications
(1) Technical risk
Technical risks related to cloud computing include capacity planning failures, unsafe or incomplete data deletion, multi-tenancy and hypervisor vulnerabilities. Whether a financial institution uses a traditional data center arrangement or cloud services, capacity planning (to address potential resource exhaustion) is necessary. Because cloud providers may store data across multiple facilities, there is a risk of confidential data leakage if a financial institution's data is not encrypted. Because cloud services rely on virtualization, vulnerabilities in the hypervisor (virtual machine monitor) can lead to system failures or cyber attacks. In response to this technical vulnerability, cloud service providers have developed software and hardware controls to reduce the exposure of hypervisors to such attacks.
(2) Operational risk
The adoption of cloud computing also exposes financial institutions to operational risks, such as "lock-in" risk, that is, the risk that a financial institution becomes overly dependent on a specific service provider. Financial institutions can address lock-in risk by operating across multiple cloud providers and using open-source technology, which allows them to move data and use services across different environments. In addition, the dependence of many financial institutions on a few dominant cloud providers may create risk at the level of the entire financial industry. If cloud computing becomes part of the core infrastructure of the financial system, the industry-level risk arising from the concentration of cloud providers will be greater still.
Existing regulatory framework
This section is built on a comprehensive review of the regulatory requirements and guidelines for financial institutions' use of cloud services across different jurisdictions, focusing on the outsourcing standards for financial institutions and other relevant regulatory policies issued by the Federal Financial Institutions Examination Council (FFIEC) and the European Banking Authority (EBA).
(1) Prerequisites for outsourcing
Although the preconditions for adopting cloud services vary across jurisdictions, all require financial institutions to conduct a preliminary risk assessment of the cloud service provider and of the specific services to be adopted. In addition, regulators usually require financial institutions to notify, or obtain the approval of, the regulator before outsourcing business to a cloud service provider, especially when the outsourcing involves important functions. On the one hand, financial institutions are required to perform sufficient due diligence and a comprehensive risk assessment of the outsourcing activity; on the other hand, they must promptly notify the relevant regulatory authority, or consult it, on the important aspects of the planned outsourcing.
(2) Continuing obligations
Regulators require financial institutions to continue risk assessment and management after signing a cloud service agreement. Many regulators also require financial institutions to secure certain information and access rights from their cloud service providers. First, in terms of monitoring and control, the FFIEC outsourcing standards and the EBA regulatory guidance usually require financial institutions to monitor their cloud service providers continuously. Other regulators require financial institutions to take specific measures to oversee service providers, including cloud providers, effectively over the long term.
Secondly, in terms of audit, regulators hold different views on whether financial institutions may rely on the cloud service provider's own audits or on the audits and certifications it provides. While some jurisdictions require the financial institution's internal or external auditors to audit the cloud service provider, other jurisdictions allow the financial institution to rely solely on the cloud service provider's external auditors or internal audit function, as long as they meet certain regulatory standards.
Finally, in terms of information and access rights, an important factor in enabling effective supervision is guaranteed access to certain information and the corresponding access rights. Regulators usually expect financial institutions' cloud service contracts to include some basic information and access rights, but the scope of what financial institutions and their regulators must be able to access differs between jurisdictions.
(3) Security of data and systems
On the one hand, regulators set out comprehensive security measures and policies, requiring financial institutions to maintain higher security standards for personal data in order to protect customers' privacy and confidentiality. On the other hand, some jurisdictions also impose specific restrictions on how cloud service providers may use and store data received from financial institutions.
(4) Data storage requirements
Some jurisdictions impose restrictions on where data transferred to cloud service providers may be stored and processed in cross-border cloud outsourcing. Regulators have identified several concerns that motivate such data jurisdiction requirements, including: (1) whether the security and resilience standards in the cloud provider's jurisdiction are adequate; (2) whether data held outside the jurisdiction in which the financial institution is located remains available to the regulators of that jurisdiction; (3) whether the privacy rules of the cloud provider's location adequately protect customers.
(5) Continuous operation and emergency plan
To ensure the reliability of financial institutions' use of cloud services, regulators require financial institutions to prepare business continuity plans for service interruptions and other emergencies. On the one hand, in terms of operational resilience, financial institutions are required to monitor the resilience of their cloud service providers and to plan for potential service interruptions. On the other hand, in terms of exit mechanisms, it is particularly important to establish an exit strategy that ensures a financial institution can migrate away from an outsourced service provider when commercial or technical reasons require it, which is important for addressing lock-in risk.
Promote the application of cloud computing in the financial field
(1) Introduction of community audit
Audit is a key part of due diligence and supervision. In a community audit, a financial institution audits jointly with other financial institutions that share the same cloud provider, which eliminates the redundancy and blind spots caused by duplicated monitoring. Beyond being more efficient, a community audit also gives financial institutions a forum for identifying areas of common concern. The audit results can be shared confidentially with regulators, improving overall assurance over the cloud provider's security and control environment. Financial institutions also face practical challenges, such as the need to reach workable private agreements on how audits are funded and governed; differences in scale and complexity mean that financial institutions use cloud computing in different ways, which in turn raises different security and resilience concerns. It is therefore necessary to define the appropriate scope of a community audit.
(2) Coordinating cross-border supervision
Another obstacle to the wide adoption of cloud technology by financial institutions is the cross-border nature of cloud services. Problems unique to cloud services, such as overlapping jurisdictions, should therefore first be addressed through direct cooperation between regulators. To give market participants consistency and predictability, regulators should seek consensus on common substantive principles governing the use of cloud computing by financial institutions. At the same time, to keep the application of those substantive principles flexible, regulators should focus on developing risk-based principles for financial institutions' use of cloud services rather than on specific technical standards.
(3) Strengthen the risk-oriented dialogue at the industry level
An industry-level risk dialogue helps deepen financial institutions' understanding of the effects of widespread cloud adoption. Given that cloud providers serve customers across a wide range of industries, such a dialogue could also improve cooperation between financial regulators and regulators in other sectors, such as national security authorities and standards bodies, which likewise interact with cloud providers on an ongoing basis and face common issues. Communication and cooperation between cross-industry regulators may eventually lead financial regulators to conclude that the use of cloud computing by financial institutions does not introduce new risks to the financial industry, which would encourage financial institutions and regulators to embrace this new technology more fully.