Regulatory complexity is making it harder for Financial Institutions to adopt Cloud services | AFME

Share this page
Press Releases
Regulatory complexity is making it harder for Financial Institutions to adopt Cloud services
06 Dec 2022
Download Links
​ ​

A new report published today by the Association for Financial Markets in Europe (AFME) and Protiviti outlines four key barriers holding back the pace of Cloud adoption within the Financial Services sector.


The report entitled “State of Cloud Adoption in Europe - Preparing the path for Cloud as a critical third-party solution” finds that while Cloud can clearly be an enabler for financial services innovation, some key barriers are currently making it harder for firms to adopt and fully leverage its potential.


Fiona Willis, Associate Director of Technology and Operations, at AFME, said: “The benefits of Cloud technology for the growth of the financial services sector are clear, allowing financial institutions to deliver agile, scalable and resilient services to their clients. However, our report finds the rate of adoption of Cloud technology is currently being held back by overly complex and unharmonised regulation.”


“AFME members believe it is essential that policymakers, in the EU and globally, do not inadvertently impact the continued adoption of Cloud services. We therefore make key recommendations to help ensure regulators and policymakers can work together to unlock the full potential of cloud opportunities for the financial services sector.”


James Fox, Director, Enterprise Cloud at Protiviti, said: “Cloud technology is increasingly critical for financial institutions, creating a significant opportunity to increase productivity, flexibility and resilience in support of their digital transformation initiatives. Regulators are quite rightly taking steps to make sure that the application of Cloud technologies within financial services is properly regulated to avoid any potential risks or issues that could harm the global financial system. However, a careful balancing act needs to be struck between properly regulating Cloud technologies and not stifling innovation and competition within the financial services sector, and as our recent report shows, the current regulatory complexity is making it more difficult for financial institutions to adopt the Cloud.”


The paper sets out four key challenges that financial institutions are currently experiencing, including:


  1. Concentration of Cloud Services: ​Globally, 65% of Cloud services are provided by just three entities, whose dominance is raising concerns among financial regulators, highlighting the risk of concentration in the Cloud marketplace.
  2. Regulatory Complexity: Regulatory fragmentation, uncertainty and the time required for regulatory approvals is preventing financial institutions from innovating, slowing the pace of Cloud adoption. FIs are also subject to multiple different regulators that may ask for the same information in different formats and through different channels.
  3. Data Localisation: The forthcoming EUCS certification framework could have far-reaching negative implications if the proposals to achieve “immunity against third-country law” via EU control requirements are adopted.
  4. Management of Disruption in the Cloud: Several high-profile Cloud service outages have highlighted the need for greater visibility and confidence in Cloud providers’ abilities to predict, manage and communicate disruptions to their Cloud services. Regulators expect FIs to have primary responsibility for resisting threats to operational resilience, to guard against service disruptions and to recover from incidents.


The paper provides 9 recommendations for policy makers in order to help address these challenges:


Concentration of Services

  1. We urge policymakers to consider how CSPs could be encouraged to provide greater transparency on resiliency, dependency and security issues within cloud services, specifically greater visibility and analysis of dependencies between regions and the underlying control plane[1] within each CSP.
  2. We recommend that the adoption of multi-cloud strategies should remain at the discretion of individual FIs and should not be mandatory, as such a mandate could increase, rather than address, systemic concentration risk.


Regulatory Complexity

  1. We request that authorities consider an approval model for deploying services to the cloud at a platform level or remove time requirements for notifications, in order to reduce delays in the approval process.
  2. We encourage greater co-ordination between the European Central Bank (ECB), European Supervisory Authorities (ESAs) and National Competent Authorities (NCAs) to ensure a consistent application of the outsourcing and Information and Communication Technologies (ICT) third-party registers to ensure minimum duplication for FIs and supervisors.


Data Localisation

  1. We request that policymakers and regulators refrain from requiring localisation of data or cloud hosting solutions, as it challenges resilience, inhibits innovation, and increases operational complexity.


Management of Disruption in the Cloud

  1. We encourage CSPs to proactively help FIs understand their tools, resources, and configuration settings and ensure that workloads and data running within the CSPs infrastructure are properly secured. In addition, CSPs should help FIs understand the Service Level Objectives (SLO) across each service provided and the resiliency and recovery metrics.
  2. We request that CSPs aid FIs in proactively architecting for greater resilience by providing dependency mapping between services and geographies, for example, that two different services share a single point of failure or how an outage that occurs in one region may affect the underlying CSP control plane.
  3. We encourage CSPs to provide greater transparency and detail of Root Cause Analysis (RCA) for incidents and outages within a CSP and create a library of previous RCAs, so that incident trends can be tracked, understood and better managed moving forward.
  4. We ask CSPs to provide sufficient education and notice to FIs for service updates that may impact FIs’ responsibilities and obligations in areas such as security or resilience.


– Ends –


Rebecca Hansford

Head of Communications and Marketing