By John Ingold and Michael Moerman
Canada’s highly concentrated financial services market is dominated by the top 11: six Domestic Systemically Important Banks (D-SIBs), one large foreign bank, one large regional co-operative, and three large life insurance entities.
The fear for many is that darker skies are ahead, driven by concentration risk coupled with a lack of transparency into cloud providers’ actual risk profiles. Other risks such as privacy, security, and regulatory compliance, especially during these times, are well known to the industry and regulators. Many cloud providers have now established dedicated sites in Canada, which spares financial institutions from moving data across the border, and many of these providers certify for SOC 2 and ISO 27001 compliance as well as financial industry and health privacy standards (e.g., PIPEDA, HIPA, etc.).
What is it?
Cloud computing isn’t going anywhere. Financial services firms have embraced the cloud in many different ways, realizing benefits, including:
• Reduced costs and complexity
• Accelerated change, including the ability to scale efficiently
• Improved efficiency, access, security, resiliency
Cloud computing comes in many forms, including private, public, community and hybrid. Cloud service models include:
• Infrastructure as a Service (IaaS) – such as flexible processing capacity, communication networks and storage, either as dedicated hardware or ‘virtualized’ resources
• Business Process as a Service (BPaaS) – provision of standardized and/or automated building blocks, optimized by the service provider
• Platform as a Service (PaaS) – provision of hardware and software tools to support development activities
• Software as a Service (SaaS) – including application management and maintenance
While no definitive ranking of cloud providers exists in Canada, they can be grouped into:
• Leaders/big tech – Amazon, Google, IBM, Microsoft
• Telecom – Bell, Telus
• Specialized – Long View, CentriLogic
• Software as a Service solution providers – Oracle, Salesforce, Temenos, Workday
While at first glance the above list seems to offer a wide range of potential diversification, it’s essential to do a deep dive on concentration risk. Cloud service providers and, more broadly, fintechs currently operate in a loose regulatory oversight framework.
Concentration: Concentration risk is the risk arising from having many cloud services provided by a single vendor that could fail to perform adequately and potentially lead to disruption in services.
Having a single vendor may enable better pricing, access to specialists, potentially more influence on vendor strategy and product direction, and less administrative burden for periodic reviews. However, in a worst-case scenario, a critical cloud service provider could be unable to perform the contracted services for its clients, leading to significant disruption to the financial institution and potential ripple effects to the market at large if more than one such institution is impacted.
Canadian financial institutions have, to a degree, utilized similar cloud service providers to address technology modernization initiatives, leading to cross-entity concentration risk. Some examples:
• Leaders/big tech: All major financial institutions utilize Microsoft Office 365.
• SaaS: Workday’s Human Capital Management SaaS has been implemented by six of the top 11 financial institutions. Most financial institutions are adopting Salesforce not only as a CRM platform but as a toolkit to build different solutions for their workforce.
• IaaS: Many Canadian financial institutions use one of the Big Tech providers for IaaS.
This risk can be partly reduced by proper due diligence and continued oversight of the cloud services providers, as well as acting on early warning signals. You can reduce the risk further by having a well-defined cloud strategy that utilizes multiple ‘best fit’ cloud services providers. In this era of consolidation and rapid technological change, we encourage a focus on diversification and resiliency testing. By focusing on these areas, you can ensure the financial institution can repatriate or transition out services to move from one cloud service provider to another if required.
What should you do?
There are ways to address these risks and ‘brighten the sky’:
• Multi-vendor: Establish a multi-vendor cloud strategy to limit concentration risk
• Due diligence: Ask cloud service providers about in-market plans and transition-out services, and speak to selected relevant customers
• Contract review: For new and existing contracts with cloud service providers, ensure transition-out services are specified
• Resiliency testing: Establishing robust playbooks, risk scenarios and testability helps speed up recovery. This includes testing transition services between cloud providers. Consider alternatives to cloud-based services as part of your business continuity planning, and ensure disaster recovery solutions do not rely solely on the ability to switch to a different cloud region within the same cloud provider.
• Establish portability: Enable moving workloads across platforms through effective design and execution with container orchestration
• Key risk indicator (KRI) tracking: Define and monitor common KRIs across all cloud service providers
Taking these steps can help organizations establish trust in their technology and maintain a secure operations environment.
John Ingold has been focused on delivery of business and technology consulting services to financial services and public sector clients in the Canadian market and globally for over 30 years. John is a senior professional with experience leading transformation programs focused on risk management, finance and compliance, enabled by large program management delivery and technology implementation experience.
Michael Moerman is Capco’s technology practice lead. He has over 15 years of experience architecting, designing and developing software solutions, and over five years of experience managing various aspects of the development lifecycle of medium and large-scale software solutions, from the front office to the back office, for financial institutions in Asia, Europe and Canada.