Firms' Public Cloud Concerns Based on Regulatory Interpretation, not Technology

A discussion around moving to the public cloud in financial services will more often than not be accompanied with talks regarding security, access and control of the data.

However, according to panelists at this year's Toronto Financial Information and Technology Summit, the majority of issues around a firm's willingness to move to the public cloud is in regards to regulatory expectations.

"Truth be told, the difficulty we're having with consuming public cloud has more to do with non-tech problems than with technology problems," said Damian Smith, director of infrastructure strategy at TD Brank. "What are our regulators' expectations? What kind of audit rights can we get? The things that we expect as a big customer of vendors that cloud providers and that sort of extreme commodity model are simply not interested in sort of playing that game. So trying to reconcile the corporate expectations with the new capabilities in order to derive the value from that new operating model has been the biggest challenge that we've had."

Dennis Cote, a former vice president of infrastructure planning and engineering at Toronto-based bank CIBC, echoed a similar sentiment. He said that in some cases the vendor technology is "light years ahead" of what can be produced internally.

The problems arise, Cote said, when people try to interpret the regulatory requirements. Regulators have only written rules to a certain degree, according to Cote, and it's hard to find specific examples that require providers to give up information about where firms' data lies within their servers.

"You'll never know where your data sits in an Amazon. But you can sit there and say, ‘Ok, how do I focus this in? How do I get something where the regulator feels that I am taking accountability for the data and make sure that I'm not giving up accountability?" Dennis Cote

Vendors aren't always willing to pass along those details, so it's a matter of finding different ways to make sure everyone feels safe being associated with that specific provider.

"You'll never know where your data sits in [Amazon Web Services' cloud]," Cote said. "But you can sit there and say, ‘Ok, how do I focus this in? How do I get something where the regulator feels that I am taking accountability for the data and make sure that I'm not giving up accountability?"

Rares Pateaneu, the director of Toronto-based Green Bank Capital, also mentioned the law as a potential pain point that is too often overlooked, in his opinion.

"What happens when something goes wrong [in the public cloud]? Who's at fault? Whom can you sue? Who will be responsible for the damages? What happens if there is a breach of the cloud provider and your data is compromised? Who is going to reconstruct that and from where? And if they can't, who's going to pay for it?" Pateaneu said. "Those are a lot of questions that, particularly in the English-speaking world where the law is precedence-based, have very few answers. So that is a thing to really worry about."

Consider the Experience

If a firm does make the move to the public cloud for a system or application, TD Bank's Smith said there are three directions a firm can take. First, in a traditional silo-based organization, a company can simply go for Infrastructure-as-a-Service (IaaS) to address its efficiency obligations.

A firm can also have an application design-based conversation in which they engage the cloud to change the way the firm's applications function.

However, according to Smith, the most interesting approach is by coming at it from a user-experience perspective.

"This is not about cloud as in technology. This is about a way of doing things that I can then change my users' experience in some way by pushing capacity and functionality as close to the edge as possible," Smith said. "Things like TD Bank and our Toronto data centers. If I've got somebody vacationing in London, their experience is going to be significantly different than if I'm suddenly spinning up capacity in AWS in London."

Pateaneu ended the conversation by pointing out that general questions ─ such as, ‘What is the best strategy to move to the cloud?' and ‘What are the pros and cons to moving to the public cloud?' ─ are flawed.

"The question is not whether you move to the cloud or not, but what do you move to the cloud? And the pros and cons are very strongly related to where your core competencies and your differentiating factors are," Pateauneu said. "The more generic something is the further away it is from your core competencies, the more it is probably beneficial to move it to somebody whose core competencies are that particular thing."

The Bottom Line

The biggest concerns for many firms around moving to the cloud aren't regarding the actual technology but understanding the regulatory requirements about what you need to know regarding where your data is stored.