Due to the continuing low interest phase, increasing competition and an increased level of price consciousness among customers, banks are confronted with increasing cost pressure. As a consequence, many institutions revert to focusing on their core competencies by reducing their degree of vertical integration and sourcing non-core services on the market. This applies especially to operational services, for which the market already offers a broad range. The vertical extent of sourcing measures ranges from the outsourcing of simple IT services (IT outsourcing / ITO) to the handling of entire business processes (business process outsourcing / BPO).
Cloud Computing holds the Promise of significant Cost and Innovation Advantages
The significant cost advantages advertised on the market make cloud computing as a technological concept particularly interesting in this context.
Cloud computing generally offers the possibility to bundle geographically dispersed IT resources and to offer them as IT services for common use to a multitude of customers by use of a network. Cloud computing offers range from basic IT services such as computing capacity or data storage (infrastructure-as-a-service [IaaS]) to preconfigured runtime and development environments, e.g. server and database systems (platform-as-a-service [PaaS]), and the provision of standardized multi-client software applications such as SAP (software-as-a-service [SaaS]).
In this context, there are different operating models for cloud computing, which allow the realization of the cost advantages of cloud computing to an increasing extent in the following order. A private cloud is a form of virtual, dedicated hardware that is made available exclusively to one customer, while virtual resources in a public cloud are made available to an almost unlimited number of clients in an automated way. By means of demand-based distribution over several data centers (if necessary), economies of scale and efficiency advantages can be leveraged. In case of a public cloud it is, however, next to impossible to trace where the underlying physical hardware and the data stored on it are located geographically. They disappear into “thin air”. In addition to these two types, there are also hybrid clouds, which aim to pool the advantages of both operating models by combining private and public virtualized resources, and community clouds, in which a closed group of users can share virtualized ressources.
A key characteristic of cloud computing is the possibility to adapt the scale of storage and computing capacity to the given need. In traditional ITO projects, IT resources are—broadly speaking—closed down at the outsourcing company and rebuilt at the new service provider. When using cloud computing, the allocation of virtual resources increases and decreases flexibly in terms of scope and design according to changing customer needs.
Numerous studies show that, on average, approx. 80–90% of the computing capacities available in companies’ IT landscapes remain unused (e.g. Siegele, L. Let It Rise: A Special Report on Corporate IT. The Economist ). Especially for banks that need to keep costly resources such as CPU or storage available all year to cover peaks in demand and end-of-month due dates, cloud computing also holds the promise of an attractive possibility to counteract cost pressure to a certain extent by reducing excess capacities and variabilizing IT costs.
While the traditional use of IT requires an IT administrator to become active in order to setup and provide a newly requested IT service, cloud computing allows the users to avail themselves directly of the desired services as needed by means of a self service portal. Especially this transition from a delivery model to a consumption model represents a paradigm shift and thus distinguishes cloud computing decisively from the mere virtualization of IT infrastructures, which are already being used by some banks (e.g. Deutsche Bank) in private clouds or by data center operators such as GAD and FinanzInformatik.
Low level of Acceptance in the Banking Sector, despite Technological Maturity
Companies from other industries already benefit from the varied opportunities and advantages of cloud computing—in terms of services and operating models as well as the complete use of cloud characteristics. However, in Germany’s banking environment, only the few cases of limited use in the form of a virtualization of IT infrastructures (as described above) can be observed. At the same time, traditional ITO up to BPO in all varieties is fairly common in the financial industry. We wondered what might be the reason for the banking industry’s reluctance and have talked to people from the banking industry and cloud service providers to find out.
Our interviews with representatives of banks as well as current surveys clearly show: banking institutions are afraid to lose control of their data when using cloud computing. Customer and transaction-related data are very valuable for banks, which is why the requirements of the financial industry towards its IT solutions are very high, especially with regards to security. For example, under the German Federal Data Protection Act, personal data must not get outside the European Union in the context of order data processing. Moreover, banks need to ensure that the German supervisory authority BaFin can exercise its information and audit rights at all times. For this purpose, it needs to be guaranteed that physical resources can be clearly identified/located and made accessible. If you believe the marketing promises of cloud providers, the technological maturity of cloud computing is already very advanced and still improves continuously. They state that in terms of organization and technology, it is already possible at this point to ensure compliance with the manifold legal and regulatory requirements. Thus, it appears that there are some discrepancies between the perceptions of the two sides. Upon closer inspection, this impression is reinforced.
Scepticism towards Banks lies in a Lack of Trust
Advantages such as improved cost reductions, more flexibility and a focus on core competencies sound very promising to banks. Nevertheless, banks consider cloud computing to be less or not at all suitable compared to traditional ITO with regard to fulfilling the high security requirements in place for banks. In traditional ITO, it is possible to use tailored solutions that match the specific requirements of the respective customer. In contrast, the advantages arising from cloud computing mainly originate from a reduction to standards. To leverage cost advantages, cloud providers offer only standardized SLAs and try to limit guarantees regarding compliance with data protection and data security requirements as much as possible. From the banks’ point of view, only certain parts of their complex infrastructure could be transferred to a cloud anyway. With a view to data protection, they consider the ensuing financial risks to be significantly higher than the potential financial benefits. Banks are worried that providers might behave opportunistically and refuse to accept responsibility for operational security. In fact, cloud computing does offer the possibility to tighten the SLAs at an extra charge, but due to new issues arising in the context of cloud computing with a view to data protection and data security, a sound and binding legal basis is still missing. In contrast, for traditional ITO both the providers’ and the customers’ side can draw on ample experience. Due to the positive reports of the forerunners of this trend, more and more banks trust the know-how of established ITO providers and their ability to create compliance with regulatory requirements. At least in the banking sector, cloud computing is still waiting for some convincing success stories.
Banks cannot ignore the advantages in the long run and should take action
In summary, the following can be said: Improvements in the communication on the part of the cloud providers regarding legal security will promote a more genuine interest of banks in cloud computing. Proactively offering guarantees regarding the compliance with regulatory requirements and data protection provisions could be such an improvement. But above all, the geographical specification/limitation of the physical data storage locations, which is already possible in terms of technology, would be an important step. In this context, the trust of banks could be strengthened in particular by means of certifications by trustworthy third parties.
Cloud computing has long become more than just a hype. It holds opportunities that should be seized at an early stage. Against the backdrop of the increasing cost pressure, banks should not close their minds categorically to cloud computing and stand idly by, but should actively gather experience and explore new possibilities. Assuming a systematic focus on their core competencies and continuing cost pressure, banks will not be able to forego the benefits of cloud computing in the medium to long term. Therefore, they should continue to promote standardization plans and should prepare for the use of cloud services. Considering all individual layers and details, sensible use cases for cloud computing should be examined. For example, sensitive data and applications can remain in the dedicated private cloud, while Sales can profit significantly from the flexibility of cloud computing and the resulting short time to market in the development of new services, especially in mobile banking. Depending on the field of application, suitable service and operating models should be identified and used in order to enhance competitiveness. In order to build and strengthen mutual trust, it is recommendable to begin with outsourcing uncritical standard functions (e.g. payroll, office or communication applications) to selected providers. The experience gathered from such projects forms a solid basis for greater endeavors.