Cloud & Regulation: A Lever for the Financial Sector
How can public cloud help financial sector companies reduce costs or generate new revenue? What substantial benefits does it bring?
J.R.: Public cloud enables the full automation of many operations and reduces day-to-day operational overhead. Companies can therefore focus their resources on the IT tools that power their core business. A strict separation between data and compute makes it possible to design services that process data only when truly needed. Companies can also create a data processing “pipeline”, for example a Hadoop cluster, use it while working on the data, and then delete it afterwards—without ongoing costs or infrastructure management.
Moreover, the vast capacity reserves of major cloud providers enable usage-based pricing models that are highly attractive financially. Companies can, for example, run hundreds of servers for one hour instead of a single server for hundreds of hours at the same cost, achieving significant efficiency gains. The latest innovations in task parallelisation—no longer theoretical—now allow large volumes of data to be processed in real time. This makes it possible to generate valuable business insights by analysing financial data in near real time, a process that would have taken days or even weeks a few years ago.
This increase in resource scalability has enabled the deployment of technologies capable of analysing data in very short timeframes. Google has implemented this in its cloud by developing machine learning models designed for organisations that do not have data science specialists.
In addition, there are many ready-to-use models, such as those used daily for speech and text recognition, translation, or facial recognition. These APIs (Application Programming Interfaces) are easy to integrate into business applications, enabling companies to build their own tailored artificial intelligence solutions for their core activities.
But what about regulatory compliance and values such as trust and reliability, which underpin the privileged relationship banks have with their customers?
J.R.: Banks indeed operate in a highly regulated environment. Their primary responsibility is to manage their clients’ assets. As a result, financial institutions are also responsible for the IT infrastructures that form the backbone of their operations. They must therefore address a series of key questions relating, among others, to data location and control, privacy compliance, traceability of operations, subcontracting chains, system resilience, and exit strategies from providers. This list is far from exhaustive.
More than 15 years ago, Luxembourg established a legal framework allowing banks to outsource IT systems. This specific legislation applies to service providers entering into outsourcing agreements with the financial industry. These providers are regulated to reduce operational risks and breaches of confidentiality. The key concept behind this regulatory framework—which has fostered a strong financial ecosystem—is “PSF” (Professional of the Financial Sector). In practical terms, an IT service provider must obtain approval from the financial regulator in order to serve a bank.
The latest evolution of this framework is CSSF Circular 17/654, known as the “Cloud Circular”, which applies to any financial institution wishing to outsource IT services to a cloud infrastructure. This circular allows regulated entities—financial institutions or PSFs—to use public cloud services provided that strict governance rules are followed.
In summary, Luxembourg now has a coherent regulatory framework that financial institutions and PSFs must comply with when outsourcing IT services to the public cloud. This regulation ensures compliance with a set of obligations and principles. At Proximus NXT, we have implemented an operational and contractual framework to address these key requirements. We also believe these principles are equally relevant to other sectors that are highly sensitive in terms of security and confidentiality. We observe this through our ongoing dialogue with non-regulated clients.
What is the situation at European Union level?
J.R.: The European Banking Authority (EBA), whose mission is to strengthen the European financial supervisory system, has recently published a set of recommendations for banks wishing to outsource services to cloud providers. We have been pleased to observe that there is a near-perfect alignment between EBA recommendations and CSSF guidelines. This confirms that Luxembourg is at the forefront of regulated cloud outsourcing in the financial sector. This is an advantage for Proximus NXT because, even though every European bank remains supervised by its national regulator, we can facilitate cloud adoption for financial institutions across Europe, as we are de facto aligned with EBA recommendations.
How does Proximus NXT perceive this regulated market? What role do you intend to play and what means do you have?
We see regulation as a lever, and Proximus NXT’s role as that of a catalyst and accelerator of cloud transformation for financial institutions. Proximus NXT positions itself as an intermediary between banks and public cloud service providers.
We combine the strengths of public cloud with the capabilities of our own hosting infrastructures to enable the processing of data from private environments, for example, and to help implement effective exit strategies. We work in particular with our partner Cisco, leveraging its network and server solutions. Cisco’s new cloud-centric products enable consistency between public and private clouds and allow them to be managed through a single dashboard.
We have also established the necessary contractual framework with our cloud partner Google. We believe Google Cloud is well suited for the financial sector, not only because of its strong position in data processing, but also—and above all—because of its open-source approach, which facilitates the implementation of exit strategies. We are convinced that customer choice and flexibility are what matter most to Google, not to mention the high security levels of its infrastructure. Google is, for example, the only major cloud provider with its own backbone network interconnecting all the regions where it operates.