Finance, Multi-Cloud, and The Elimination of Cloud Concentration Risk

Regardless of their size and business mix, most financial institutions have come to understand how cloud and multi-cloud computing services can benefit them.

There is the cost-effective flexibility to scale, deploy new services, and innovate to stay aligned with rapidly changing customer expectations. There are security and resiliency benefits that can be difficult and expensive to replicate on-premises, especially for smaller institutions trying to keep pace with rapidly changing standards. And there is geographic access to new markets – from China to Canada – that require deployment of local, in-country systems under emerging sovereignty laws.

As the industry continues to embrace cloud services, regulators are becoming more aware of the challenges associated with cloud computing, especially those that could expose financial institutions to systemic risks potentially undermining the stability of the financial system. Oversight bodies such as the Financial Stability Board (FSB) and the European Banking Authority have urged regulators worldwide to review their supervisory frameworks to ensure that different types of cloud computing activities are fully scoped into industry guidelines.

At the same time, public cloud provider outages have disproved the “never fail” paradigm, and there are growing calls for heightened diligence around cybersecurity risks.

Regulators are increasingly focused on cloud concentration risk, or the potential peril created when so much of the technology underpinning global financial services relies on so few large cloud services providers. An outage or cyberattack, they worry, could derail the global financial system.

Part 1: What is cloud concentration risk for financial services?

The concern over infrastructure concentration and consolidation is twofold.

• First is the systemic risk of having too many of the world’s banking services concentrated on so few public cloud platforms. Historically, this problem did not exist as each bank operated its own on-premises infrastructure. Failure in a data center was always limited to one single player in the market.

• Second is the vulnerability of individual institutions, including many smaller institutions, that outsource critical banking infrastructure and services to a few solution providers. These software-as-a-service “hyperscalers” also tend to run on a single cloud platform, creating cascading problems across thousands of institutions in the event of an outage.

In both cases, performance, availability, and security-related concerns are motivating regulators who fear that a provider outage, caused either internally or by bad external actors, could cripple the financial systems under their authority.

Such a service shock is much more than a hypothetical worry. In October 2021 Facebook suffered a huge global outage. More than 3.5 billion people who rely on the social network’s applications were without service for more than five hours after Facebook made changes to a single server component that coordinates its data center traffic.

Like Facebook, the big three cloud service providers (CSPs), Microsoft Azure, AWS, and Google Cloud, have all suffered similar outages in recent years. For financial services companies, the stakes of a service interruption at a single CSP rise exponentially as they begin to run more of their critical functions in the public cloud.

Regulators have so far offered financial institutions warnings and guidance rather than enacting new regulations, though they are increasingly focused on ensuring that the industry is considering plans, such as “cloud exit strategies,” to mitigate the risk of service interruptions and their knock-on effects across the financial system.

The FSB first raised formal public concern about cloud concentration risk in an advisory published in 2019, and has since sought industry and public input to inform a policy approach. In June 2021, the Monetary Authority of Singapore issued a sweeping advisory on financial institutions’ cybersecurity risks related to cloud adoption.

Meanwhile, authorities are exploring expanding regulations, which could mean action as early as 2022. The European Commission has published a legislative proposal on Digital Operational Resilience aimed at harmonizing existing digital governance rules in financial services including testing, information sharing, and information risk management standards. The European Securities & Markets Authority warned in September 2021 of the risks of “high concentration” in cloud computing services providers, suggesting that “requirements may need to be mandated” to ensure resiliency at firms and across the system.

Likewise, the Bank of England’s Financial Policy Committee said it believes additional measures are needed “to mitigate the financial stability risks stemming from concentration in the provision of some third-party services.” Those measures could include the designation of certain third-party service providers as “critical,” introducing new oversight to public cloud providers; the establishment of resilience standards; and regular resilience testing. They are also exploring controls over employment and sub-contractors, much like energy and public utility companies do today.

Hoping to get out ahead of regulators, the financial services industry and the hyperscalers are taking steps to address the underlying issues.

Part 2: Why financial services are evolving from hybrid to multi-cloud

Looking at the existing banking ecosystem, a full embrace of the cloud is extremely rare. While they would like to be able to act like challenger and neo banks, many of the largest and most technology-forward established banks and financial services firms have adopted a hybrid cloud architecture – linking on-premises data centers to cloud-based services – as the backbone of an overarching enterprise strategy. Smaller regional and national institutions, while not officially adopting a cloud-centric mindset, are beginning to explore the advantages of cloud services by working with cloud-based SaaS providers through their existing ISVs and systems integrators.

Typically, financial institutions already pair multiple external cloud providers with on-premises infrastructure in an enterprise-wide hybrid cloud approach to IT. In these scenarios, some functions get executed in legacy, on-premises data centers and others, such as mobile banking or payment processing, are operated out of cloud environments, giving the benefits of speed and scalability.

Moving to a hybrid approach has itself been an evolution. At first, financial institutions put non-core applications in a single public cloud provider to trial its capabilities. These included non-core systems running customer-facing websites and mobile apps, as well as new digital, data, and analytics capabilities. Some pursued deployments on multiple cloud vendors to handle different tasks, while maintaining robust on-premises primary systems, both to pair with public cloud deployments and to power core services.

At MongoDB, we’re increasingly seeing customers, including many financial services companies, run independent workloads on different clouds. However, we believe the real power of multi-cloud applications is yet to be realized.

While a hybrid approach utilizing one or two separate cloud providers works for now, the next logical step (taken by many fintech startups) is to fully embrace the cloud and, eventually, a multi-cloud approach and move away from on-premises infrastructure entirely.

Take Wells Fargo. The US-based bank recently announced a two-provider cloud infrastructure and data center strategy, adding that its long-term aspirations are to run most of its services in the public cloud, with an end goal of operating agnostically across providers and free of its own data centers.

Part 3: Solve cloud concentration risk with cross-cloud redundancy

For an industry as tightly regulated and controlled as financial services, and with so much sensitive data being moved and stored, security and resilience are critical considerations.

Recent service disruptions at the top public cloud providers remind us that no matter how many data centers they run, single cloud providers remain vulnerable to weaknesses created by their own network complexity and interconnectivity across sites. One might argue that even a single cloud provider has better uptime stats than an on-premise solution, but recent outages highlight the need for operational agility, given the high availability and performance requirements of critical applications.

When an institution relies on a single provider for cloud services, it exposes its business to the risk of potential service shocks originating from that organization’s technical dependencies, cyberattacks, and vulnerabilities to natural disasters or even freak accidents.

Cross-cloud redundancy solves cloud concentration risk

Cloud disruptions vary in severity, from temporary capacity constraints to full-blown outages, and financial services companies need to mitigate as much risk as possible.

By distributing data across multiple clouds, they can improve high availability and application resiliency without sacrificing latency. With multi-cloud clusters on MongoDB Atlas, financial services firms are able to distribute their data in a single cluster across Azure, AWS, and Google Cloud. MongoDB Atlas extends the number of locations available by allowing users to choose from any of over 80 regions available across major CSPs – the widest selection of any cloud database on the market.

This is particularly relevant for financial services firms that must comply with data sovereignty requirements, but have limited deployment options due to sparse regional coverage on their primary cloud provider. In some cases, only one in-country region is available, leaving users especially vulnerable to disruptions in cloud service. For example, AWS has only one region in Canada and Google Cloud has two. With multi-cloud clusters, organizations can take advantage of all three regions, and add additional nodes in the Azure Toronto and Quebec City regions for extra fault tolerance.

Several MongoDB customers in the financial services sector have already taken steps toward a true multi-cloud approach by building nodes in a second CSP using MongoDB Atlas. These MongoDB customers are using a 5-and-1 architecture, typically with one CSP as the primary, majority provider, coupled with a secondary backup CSP.

In this scenario, the primary CSP holds most of the operations the bank or financial institution needs to run a specific solution, e.g. mobile banking, with the second CSP used for disaster recovery and regulatory compliance in case the first provider has a major outage or service interruption. Often this secondary CSP also acts as a primary for other services at the firm.

Part 4: The limits of a single-vendor public-cloud solution

In part 1 we explored the evolution of cloud adoption in the financial services sector and the growing attention on infrastructure concentration risk created from hybrid cloud approaches incorporating only one or two isolated or loosely connected public cloud service providers.

Beyond the looming regulatory issues, there are a number of practical business and technology limitations of a single-cloud approach that the industry must address to truly future-proof their infrastructure.

Drawbacks to a single-cloud or hybrid approach include:

Geographic constraints

Not all cloud service providers operate in every business region. Choosing a provider that satisfies today’s location needs seems sensible now, but could prove limiting in the future if an organization expands into new geographies that are underserved by their chosen cloud service provider. A multi-cloud strategy extends the geographic availability of data centers to a longer list of countries served by all the major providers.

The availability of local cloud solutions grows increasingly important as more countries adopt data sovereignty and residency laws designed to govern how data is collected, stored and used locally. Sovereignty rules mandate that data collected and stored within a country be subject to the laws, regulations and best practices for data collection of that country. Data residency laws require that data about a country’s citizens be collected and stored inside the country, regardless of whether it ultimately gets replicated and sent abroad.

For global financial services companies, this creates thorny technical, operational, and legal issues. Addressing those issues holistically through a single cloud provider is nearly impossible.

The topic continues to draw the attention of lawmakers around the world, beyond the handful of countries such as Russia and Canada that drove initial action around these policies.

The European Union, for one, is actively scoping a unified EU sovereignty policy and action plan to address its growing concerns about control over its data. Following the success of the General Data Protection Regulation, the Digital Markets Act is set to further shape data policy and regulation in the region.

Vendor lock-in

Aside from the technical risks of working with a single cloud provider, there is also commercial risk in placing all of an institution’s bets on one cloud provider. The more integrated an institution’s applications are within a single cloud provider, and the more it relies on the third-party services of that single provider, the harder it becomes to negotiate the cost of cloud services or to consider switching to another provider.

Over time, as services are customized and adapted to a single cloud provider's protocols and data structures, it becomes operationally challenging to migrate to a different cloud environment. The more intertwined a company’s technical architecture is with a single cloud provider, the more difficult it is to design an exit strategy without putting the business at risk of performance lags, heavy “un-customization” work, or price gouging.

By locking in, institutions also lose power to influence service quality should the vendor change the focus of its development, become less competitive, or run into operational problems.

Eventually, innovation at the financial services firm slows to the speed of the chosen CSP. Even integrating external apps and services becomes a challenge, reminiscent of the monolithic architecture the new cloud environment was set to replace.

Security homogeneity

Cloud service providers invest heavily in security features and are generally considered among the most sophisticated leaders in cyber-security. They proactively manage threats through security measures deployed across customer connection points. For financial services, top cloud providers offer enhanced security to meet strict governance requirements.

From a risk standpoint, monitoring and securing a single-cloud hybrid deployment is easier than managing threats across multiple clouds. From the perspective of a threat surface, a single cloud poses fewer risks because there are fewer pathways for would-be hackers. The challenge, though, is responding to an event in a single-cloud environment should an incident, intentional or otherwise, occur.

In the event of an infrastructure meltdown or cyberattack, a multi-cloud environment can give organizations the ability to switch providers and to back up and protect their data.

Feature limitations

Cloud service providers develop new features asynchronously. Some excel in specific areas of functionality and constantly innovate, while others focus on a different set of core capabilities, including Google Cloud’s AI Platform, for instance, Microsoft Azure’s Cognitive Services, and the AWS Lambda platform which enables server-less, event-driven computing.

By restricting deployments to one cloud services provider, institutions limit their access to best-of-breed features across the cloud. They’re locked in to using whatever is available on their platform, rather than being able to tap in to advances across clouds. Over time, this can limit innovation and put organizations at a competitive disadvantage.

Part 5: Commercial and technical benefits of multi-cloud for financial services

As the financial services industry accelerates its cloud-first mindset, more institutions find that a multi-cloud strategy can better position them to meet the rapidly changing commercial, technical, and compliance demands on their business. What’s more, a fully-formed multi-cloud strategy provides an opportunity to partner with the most sophisticated and well-resourced service providers, and to benefit from leading-edge innovation from all of them.

The recognition that a single cloud provider is not only limiting them but may be a hindrance is dawning to the leadership of many banks. As the CEO of one large investment bank told MongoDB, “Multi-cloud is an opportunity for us to unlock the full value of each location, not water things down with abstractions and accept the lowest common denominator.”

In addition to facilitating access to leading-edge innovations, a multi-cloud approach offers financial services firms multiple additional benefits.

Optimize performance

Rock-solid service availability and responsiveness are the cornerstones of performance planning in financial services. The goal of any architecture design is to limit downtime and minimize application lag while aligning processing resources to the specific needs of each application.

While even single cloud providers log higher uptime than most on-prem solutions involving multiple data centers, a multi-cloud architecture offers additional resiliency and flexibility to meet internal and client performance SLAs that before only mainframe technology (so called Sysplex-cluster) could achieve with 99.9999% availability.

In a multi-cloud environment, institutions can dynamically shift workloads among cloud providers to speed up tasks, respond to service disruptions, reduce latency by supporting traffic locally, and address regulatory concerns about one-cloud provider vulnerability. Optimizing for all of these factors yields the best customer experience and the most efficient and cost-effective approach to infrastructure.

Scale dynamically for task and geography

Scalability and locality is critical. Increasingly, customer demands on product experience are pushing financial services providers to meet new requirements that can sometimes be best delivered through geographic scaling and being close to the end user.

It’s not just about who has the greatest amount of storage or the fastest CPU available anymore – it may mean maximizing application responsiveness by running computing resources close to the end-user. This is only becoming more relevant with the roll-out of 5G edge services and the growth in real-time edge computing it requires.

Access to multiple clouds creates opportunities to dynamically balance task execution locally for maximum efficiency across geographies, be that California, New York, or Singapore. It also enables institutions to scale storage requirements up and down across providers based on need and cost. In a fast-paced commercial environment, financial institutions can quickly deploy applications at scale in the cloud. By running in multiple clouds, financial institutions have the opportunity to arbitrage cost and performance without compromising their business strategy.

Adapt to business changes

Financial services companies can stay nimble by building flexible multi-cloud capabilities that enable them to adapt quickly to new regulatory, competitive, and financial conditions. This is as true for challenger banks such as Illimity or Current as it is for established institutions such as Macquarie or NETS.

An effective multi-cloud strategy can be a solution to managing regulatory, compliance and internal policy changes by replacing a patchwork of solutions with a common framework across cloud providers.

The ability to move seamlessly among cloud providers gives institutions the capability to quickly address situations such as new data sovereignty laws or a merger by shifting workloads to a more advantageous provider.

Avoid vendor lock-in

With IT costs continuing to grow as a proportion of overall spending, running a multi-cloud strategy can help institutions better manage technology outlays to third-party providers by helping them to avoid vendor lock-in. Not all services are designed equally and switching services between providers can have a multi-million dollar impact on cloud provider bills.

In any industry, overreliance on one supplier creates financial and operating risks. The more interconnected, or “sticky”, a single-cloud solution becomes, the more challenging it is to unwind it, should it no longer meet the institution’s needs. And by concentrating services with one provider, companies risk losing financial leverage to negotiate contract terms.

By taking a multi-cloud approach, institutions can choose among providers competitively, without being locked in, either commercially by a technical dependency. A multi-cloud approach also allows financial institutions to push harder on providers to develop for their particular needs.

Harness innovative features

The ability to tap into cloud capabilities such as artificial intelligence and machine learning is a major benefit of working with cloud service providers.

Through a multi-cloud approach, developers can select features from across cloud providers and deploy the technical building blocks that best suit their needs. They can run their workloads using different tools on the same data set, without having to do manual data replication. That means institutions can access popular services such as AWS Lambda, Google Tensorflow Cloud AI and Azure Cognitive Services without cumbersome data migrations.

As consumers increasingly demand premium product experiences from financial services institutions, those institutions can gain competitive advantages by deploying best-of-breed applications into user services.