Euro bank regulator: Don't follow the crowd. Stay off the cloud

An EU financial regulator has warned that banks moving to the cloud are at risk of vendor lock-in as well as transferring IT jobs to "subcontractors from high-risk areas".

The EU Banking Authority, which regulates the financial regulators of member states, has issued a report looking at the risks of "fintech", the fashionable name for "IT that makes financial institutions work".

Among the inevitable prognostications on blockchain and the like, the report focused on public, hybrid and private cloud, warning that low upfront costs could potentially mask deeper problems – doing so in simple language, presumably targeted at senior executives and PFYs.

"For applications for which security is of prime concern, a private cloud could be considered preferable, as it allows the most flexibility in data processing and security. On the other hand, private clouds are typically less scalable and more expensive than public clouds," said the report.

It continued, focusing on hybrid cloud business models: "The role of IT staff in institutions could possibly undergo a significant transformation in this case, with increased cloud outsourcing services, and could possibly convert into support and consultation for cloud service selection, engagement and management."

Banks should also be wary of leaving all the IT nitty-gritty – the mundane but vital things such as physical and software security – to cloud providers, said the report.

Being a report from an EU institution, it also took a swipe at the small number of players in the largely US-dominated cloud market, stating: "At the global level, risk of concentration on a limited number of CSPs could be elevated if a significant number of institutions use the same CSP's infrastructure."

Bringing to mind the various US-v-EU legal cases on data residency, in particular the famous Microsoft Ireland email dispute, the report also gave a veiled hint that its authors don't want to see those disputes repeating themselves over financial data.

"There may be uncertainty over the jurisdiction where the data is held, given that many large CSPs operate in multiple jurisdictions with potentially fungible data centres," said the report.

A specific warning that will resonate with many IT folk was on the topic of subcontracting. The EU Banking Authority did not hold back, saying that "the use of subcontractors from a high-risk area/country could negatively affect the wider operational risk and reputation risk of the institution".

Just to make the point clear, they added: "Moreover, the institution's competence in sufficiently controlling the technological infrastructure used by a CSP [cloud service provider] could affect the ICT outsourcing risk of the institution."

The age-old vendor lock-in chestnut got a fresh roasting as well, with the authority saying newer banks in particular "may find it difficult to exit and migrate to a new CSP or re-initialise a service. In addition, potential concerns about moving to alternative CSPs (eg, possible substandard performance or interruption of supplier service) may deter institutions from adequately addressing this risk."

The full report can be read on the EBA website as a 56-page PDF. ®