Firms are increasingly exploring the benefits of cloud-based options for a range of tasks and applications. A panel of industry leaders discusses key topics, including how to best deploy cloud computing, its most effective uses, the impact of regulation on its adoption and the long-term advantages cloud adoption offers.
What is leading capital market firms to consider cloud computing?
Alex Sayles, Beacon: Quite simply, flexibility, agility, total cost of ownership and time-to-market. Compute infrastructure isn’t a core business for capital markets, it’s a utility. Managing an internal data centre requires keeping ahead of the curve on hardware refreshes, power density, disaster recovery and capacity planning. Most internal data centres are either capacity-constrained or suffer from low utilisation as markets evolve. New initiatives driven by markets or regulatory needs suffer from significant delays and upfront capital investments for acquiring hardware, for which lead times of three to six months are typical.
Disaster recovery planning often requires the provisioning of large idle capacity. The internal data-centric approach has led to the design of applications for co-location, which means global firms end up with many small data centres scattered across the globe. Evolving cyber threats and recent speculative execution vulnerabilities in hardware increase the cost and risk of managing this internally.
Cloud data centres, with their economies of scale and diversity of workloads, allow cloud providers to offer significant flexibility and time-to-market of minutes. Software-defined infrastructure and elastic compute application programming interfaces (APIs) enable thousands of cores to be provisioned within moments and shut down when idle. Most finance workloads are ‘bursty’; these are ideal candidates for cloud, where you can shift compute to different regions based on demand.
A properly designed cloud architecture can provide safe experimentation in sandboxes in single audit trails and at security checkpoints. Using containers, encryption at rest, virtual private cloud and granular firewalls, and having the ability to redirect traffic and compute at a moment’s notice makes the cloud more secure than internal data centres.
Darren Voisey, Excelian Luxoft Financial Services: The main factors are restrictions within on‑premises data centres combined with the need for agility and innovation. Cloud providers offer on-demand infrastructures and services. This enables customers to gain a ‘start-up mindset’ by adopting new processes that aren’t tied to their physical procurement processes, which often leads to over-specified hardware that can take months to become available.
Combined with a high level of automation, cloud users can achieve things on a scale that is impossible in-house: for example, being able to rent ‘always available’ services such as artificial intelligence (AI) and machine learning.
María Cañamero, Moody’s Analytics: As banks look for ways to conduct business faster and more cost-effectively, they seek a cloud-first approach to regulatory technology. Banks are increasingly considering cloud-enabled solutions as a way to reduce costs, improve the speed of their operations and extract more value from back- and middle-office systems. Banks can achieve not only organisational agility through cloud-native regulatory and balance-sheet management solutions, but greater transparency in terms of application costs.
By leveraging technology – cloud in particular – financial institutions can achieve greater efficiencies, become more competitive and better serve customers.
Earlier this year, Moody’s Analytics enhanced its software and service offerings for the banking industry by making its regulatory compliance and balance-sheet management solutions available on the cloud. Solutions now available on the cloud include the Moody’s Analytics RiskAuthority platform, the RiskConfidence Asset-Liability Management (ALM) and Impairment system, the Regulatory Reporting Module, the RiskFoundation Discovery solution and Scenario Analyzer.
Arnaud de Chavagnac, Murex: Capital markets firms have many motivations for moving to cloud. Companies want to achieve digital transformation, which – because cloud infrastructure can be kept up to date with frequent innovation – requires state-of-the-art technology, agility and simplicity.
Cloud computing provides the scalability of unlimited capacity, the flexibility of a pay-as-you-go model and the benefits of outsourcing commonplace activities. Time-to-market is also a factor. With cloud, capacity can be increased in minutes, whereas many financial institutions require months to order and install new hardware. Ultimately, moving to cloud brings reduced total cost of ownership and greater transparency about that cost, because every unit consumed is monitored and metered.
The risk domain is the root of technical changes taking place with regulatory requirements, such as initial margin and the Fundamental Review of the Trading Book, which require portfolios to be re-evaluated across a high number of market data scenarios and time periods. Performing such sophisticated calculations requires extra hardware capacity that can be swiftly mobilised; only cloud can offer this.
Paul McEwen, UBS: Cloud technology is a catalyst for modern development and delivery of business value. Cloud comes with a high level of velocity, fast‑paced innovation and a truly dynamic, demand-driven cost paradigm; it also drives standardisation and velocity together.
Ash Majid, SMBC Capital Markets: The turnkey scalability offered by cloud computing is preferable to an in-house solution. Cloud allows increasing computational power on demand, avoiding the usual in-house lag between when the decision is made and when it can be implemented. It also costs less to implement and maintain, so it is an easy area from which to cut costs and may be seamless to users in the firm.
What tasks and applications is cloud computing most suitable for?
Arnaud de Chavagnac: Applications across the front office, back office and risk function can now benefit from cloud because of the performance, stability and security already attained by providers after millions of deployments across countries and industries.
Development and test installations on the cloud can enable rapid development and an optimised development operations project mode. This type of installation is used for a proof of concept, typically lasting a few weeks; it is often taken as an intermediary step before moving usage onto cloud, at which point questions about security, performance, availability and reversibility would take longer to address.
A particularly relevant use case is grid computing for pricing complex structured products on demand on a large set of central processing units or graphics processing units. Cloud removes the need to purchase these units in advance, which makes sense when most grids are used for only a few hours each day. The grid is less critical in security terms because sensitive information, such as counterparty names, is not sent to it.
Cloud also offers production benefits. Having the main production of the application on the cloud means the user pays exactly and only for the capacity they require. The alternative to this is traditional on‑premises installations, which are comparatively rigid in terms of capacity, and compel users to estimate future usage. The result is that you either oversize and pay for capacity you don’t use, or undersize, potentially limiting your business.
Putting disaster recovery on the cloud is another type of deployment that is gaining popularity as users pay only for storage and replication bandwidth, not for computing power when the disaster recovery site is not used. A hybrid cloud approach of moving certain software components onto the cloud is also proving popular because it allows a selective and progressive journey to cloud.
María Cañamero: In the past, we have seen banks starting their cloud adoption in departments such as human resources (HR), customer analytics and customer relationship management (CRM), among others.
More recently, cloud and software-as-a-service (SaaS) have increasingly become the deployment models of choice for banks to address their regulatory technology needs. Many financial institutions are adopting cloud computing in core business activities such as loan origination, risk management, regulatory compliance, ALM, and finance and accounting.
A recent Moody’s Analytics survey, which polled personnel in risk functions in several banks across Europe, found cost-efficiency to be the main reason banks plan to migrate to cloud. Nearly half of survey respondents said the flexibility and scalability afforded by cloud deployment is driving their cloud agendas. One-third of those polled said the benefits of SaaS range from increased frequency of product releases to a reduction in the need to manage software upgrades and maintain infrastructure.
Paul McEwen: There are some tasks and applications that are more suitable for cloud than others: grid computing because of its dynamic nature, and scale-out web applications or data innovations such as data analytics, AI and machine learning are best suited. We also see SaaS having another boost, which is usually more associated with HR, CRM and service management.
Alex Sayles: The most suitable applications for cloud computing process large amounts of data using compute-expensive calculations and models. Analysing this amount of data and creating complex financial models typically requires significant processing capacity, throughput and reliability. Data-intensive financial modelling and the workload it generates can be sporadic, requiring variable amounts of computation that traditional firms find hard to procure, afford or even administer. This is one of the problems the Beacon platform can help solve, allowing clients to take advantage of the cloud without needing to become experts in constructing a secure and scalable cloud infrastructure environment. Beacon works with clients anywhere on the path to the cloud in a way that makes it easy for them to evolve at their own pace.
Applications that need global deployment are another prime candidate. Cloud data centres are available in all major financial hubs, and elastic compute can be shifted on demand during market trading hours. Most firms have already moved to virtual desktops in internal data centres. The cloud is another evolution in which even applications are virtualised and made portable across devices.
Beacon’s software-defined infrastructure ensures consistency among Beacon-provisioned resources, which drives down support costs. Automating infrastructure management is the key to making scalable use of elastic infrastructure. This lets clients pay for compute only when they use it, and creates new pools of compute – at any scale – in minutes, not months. Enterprise-class elastic compute management minimises costs, eliminates upfront capital charges for hardware, and allows cheap and quick experimentation with compute-expensive business models.
Darren Voisey: The easiest are low-risk, low-confidentiality systems with minimum connectivity to on-premises systems. However, I’d be surprised if this applied to many financial applications. Excelian Luxoft Financial Services is involved in more challenging projects, where the benefit outweighs the effort.
Cloud projects are typically related to:
- Moving low-utilisation infrastructure to the cloud. Cloud elasticity can offer cost benefits; these are typically high-performance compute grids common within finance organisations.
- Data centre space constraints. Systems that need to scale to meet demand, such as ad hoc backtesting. The cloud offers the scale and capability to easily switch machine specification.
- On-demand development and test environments. Especially where synthetic data can be used. Infrastructure-as-a-service enables environments to be automatically deployed and sized to meet demand.
- Migrating systems built on internal cloud. Typically, container-based systems with high levels of automation that map well onto public cloud services.
- Reducing entry costs. For example, AI and machine learning pay-as-you-go cloud offerings can be attractive compared with the upfront costs associated with on-premises infrastructure.
- Cloud-first strategy. Can be used either as part of a cloud-first strategy or to leverage cloud services. New projects are becoming increasingly cloud-native.
Ash Majid: Applications requiring high levels of computational power, such as those running pricing and risk simulations for complex derivatives instruments – risk analytics, for example – are most suitable for cloud. The platform also provides a convenient storage conduit for the large sets of data these applications produce, making it easier for users across the organisation to access the data.
What obstacles are firms likely to encounter when introducing cloud computing?
María Cañamero: Typical challenges to cloud adoption include:
- Security in a cloud environment. This is one of the main obstacles for financial institutions to consider when migrating to the cloud.
- Data protection and data residency requirements (regulations and compliance). Financial institutions migrating to the cloud need to ensure their cloud operations address the data protection laws and data residency requirements in each country they operate in – or where their data is stored and/or processed.
- Operating model and cultural changes. The adoption of cloud – particularly SaaS – requires new internal IT processes and a different set of skills. These changes need to be anticipated by management and embraced by the workforce.
- Exit plan. When migrating to the cloud, financial institutions want to avoid the risk of ‘lock-in’ with a particular cloud vendor.
Arnaud de Chavagnac: Regulators and auditors have strict data protection and security guidelines that could prevent full cloud adoption. However, there are many situations where cloud security standards are greater than in-house security, given the level of investment by cloud providers. In the latter case, security becomes another driver of cloud adoption.
Other obstacles that should not be underestimated include change management issues – such as new governance to implement new skills. Application modernisation costs may be a factor if the application needs to be redeveloped before it can be ported on the cloud. Also, some older interfaces might not be compliant with security standards or cloud technology.
Darren Voisey: The two biggest initial obstacles are compliance and security. Typical questions Excelian Luxoft receives from clients include: Can we put customer data into the cloud? And who has access to it? The answer is: you have the keys and the control.
Categorise data and document how it must be controlled, transmitted and stored. Cloud can even help improve security. Take time to understand the latest security operations tooling and processes.
Another potential obstacle is that existing accounting models may discourage the replacement of old on-premises servers with new cloud infrastructure. The operational expenses cloud model means IT users no longer have fixed, amortised and budgeted costs; cloud spend must be closely monitored and reviewed.
Finally, having knowledge on how to move to the cloud or where to start can be a hurdle. But that’s where cloud partners, such as Luxoft, come in.
Ash Majid: The foremost concern for stakeholders is data security, so the greatest obstacle is allaying fears that data sent to the cloud will remain secure. Recent cyber attacks have demonstrated that even the best-guarded systems may not be impenetrable. The risk of a firm’s data being compromised is real.
Alex Sayles: All cloud vendors support low-level APIs to request new virtual machines, but the only thing those APIs deliver is an unsecured computer on the internet. Properly integrating each requested computer into the broader infrastructure – connecting them to databases, file systems and code, making them available for applications or computations – takes a lot of extra work, especially when security is considered. In addition, cloud vendor APIs do not automatically allow clients to pay for compute only when they need it; when clients request a computer, they typically keep it and pay for it, until it is explicitly released.
In contrast, the Beacon platform includes a comprehensive elastic infrastructure service built on top of the cloud vendor APIs that wraps up the complexity of integration and pay-as-you-go infrastructure in a scalable and secure way, so clients do not have to manage it themselves. In this way, the developers running the parallel calculations – or the end-users running applications that access parallel compute – never have to remember to make provision for compute themselves; the Beacon platform manages it elastically to minimise the overall cost.
Paul McEwen: Clearly, we need to have a strong focus on security and client confidentiality. But this is as much a cultural challenge as anything else.
What should firms consider when selecting a cloud provider?
Darren Voisey: Most tier one organisations that work with Excelian Luxoft are already using cloud, and many have or are planning to use multiple providers. With regard to choosing one provider over the other, consider differentiating services, pricing, data centre locality and security accreditations as potential selection factors. Sometimes, picking an infrastructure stack similar to your own data centre is also enticing.
Often, choosing a provider can depend on existing relationships. If a firm has used a particular provider before, the chances are they will use them again, especially for applications that connect to other systems. It makes sense to put them wherever the rest of your connected systems reside.
Ash Majid: The three most important considerations are the safety and security a provider can deliver, the potential for turnkey scalability and the cost.
Arnaud de Chavagnac: The cloud is a modern construct, allowing the freedom to move quickly. However, having plenty of options to fit customers’ different situations is crucial. Murex aims to give clients the capacity to innovate while selecting what is right for their needs.
Cloud providers must demonstrate that their offerings are secure and available in the relevant regions. They should demonstrate better price-performance ratio of the applications onto the cloud, and propose new standard offerings that will help customers focus on core competencies.
The application must already have been certified with the target cloud provider – as is the case with Murex’s offering. The partnership between application vendor and cloud provider is important: it must enable first‑class support for a mission-critical system, and its evolution needs to prove that it will continue to bring benefits for customers. Murex, for example, works with Amazon Web Services (AWS) and Microsoft Azure.
Paul McEwen: It depends on their strategy. For us it was important to select a primary partner that can provide single vertical solutions and also enables across a spectrum of services, allowing bigger volumes and, with that, an additional financial benefit. Additionally, it was key to have someone that understands hybrids, as this will be a multiyear journey and we therefore need co-existence for some time to come. There may be other considerations, such as regulatory accreditations, security or global coverage, but this gap between the big cloud service providers is closing.
María Cañamero: When selecting a cloud vendor, financial institutions need to partner with trusted vendors that can provide the desired level of security for their cloud operations, meet data protection requirements and define an exit plan that suits their business needs.
- Partner reputation. When migrating to the cloud, financial institutions should look for trusted cloud partners that are able to address the requirements of their cloud operating model and regulatory reporting needs.
- Security. While cloud computing becomes more mature, security remains a key consideration when migrating. When selecting a cloud provider, financial institutions should ensure the cloud vendor offers high security standards, including end-to-end data encryption techniques, encryption key management, identity management and access control.
- Data residency and other requirements. Financial institutions must ensure they and their cloud partners meet data residency requirements in all relevant jurisdictions. They need to have control over the data flows and jurisdiction over where the data is stored and processed.
- Exit plan. Financial institutions must make sure they partner with vendors that offer agnostic solutions, and whose applications can be re-internalised or redeployed – in a private cloud or in a different public cloud environment, for example.
How can firms best manage the potential risks associated with cloud computing?
Ash Majid: Choosing the right cloud provider is the best way to manage risk. Understanding the provider’s security measures helps a firm to make better-informed decisions. Thereafter, it’s vital to ensure connections from the firm to the cloud are secure.
Paul McEwen: We involved the risk and compliance teams, which allowed us to approach the cloud with a ‘secure-by-design’ principle.
Darren Voisey: By starting security and compliance conversations as soon as possible. Train staff and use cloud partners to aid technology adoption. Refine understanding of in‑house systems from security, data and infrastructure perspectives so you can prioritise which to move first, and manage and secure them appropriately in the cloud.
Arnaud de Chavagnac: First, they should assess the exact limit of their cloud appetite, such as whether the customer is ready to put data on the cloud. Second, they should involve their security team from the outset of the process. Third, they should use experience gained on other cloud migration projects for less critical systems. And, finally, firms should seek assistance from system integrators to execute cloud migration projects with the relevant cloud skills and experience, and establish the right governance around cloud usage and consumption.
Alex Sayles: Building a scalable platform is challenging not just from a technological perspective, but also because many organisational models do not scale. This can be a considerable risk for many firms embarking on a journey to the cloud. Techniques that work with smaller organisations, where a small team of experts can effectively manage their infrastructure stack with bespoke knowledge and ad hoc approaches, begin to fail as the stack grows to hundreds or thousands of computers, developers and users.
One example of this scaling challenge is infrastructure management. An organisation with a small infrastructure stack might manage it through a dedicated infrastructure team. Members of that team understand the components and can manually keep them configured by logging into each box one by one. Beacon solves this problem with software-defined infrastructure. Instead of manually configuring computers, configuration occurs automatically when a machine spins up. The details of the configuration are determined by Beacon’s infrastructure configuration scripts, which define complex infrastructure stacks in an algorithmic way.
What are the main barriers to wider adoption – has regulation helped or hindered progress?
Alex Sayles: The short-term barriers have been mostly experienced or solved by now – migration complexity, security and controls. In 2016, following the publication of the UK Financial Conduct Authority’s (FCA’s) final guidance for regulated firms outsourcing to the cloud, it was clear there was no fundamental reason why financial services firms could not use public cloud services, as long as they complied with the FCA’s rules. This statement and guidance alone, at least in the UK financial sector, removed regulatory uncertainty over use of the cloud.
Regulatory compliance does not need to be the enemy of innovation. In fact, taking a risk-avoidant approach to experimenting with new technologies is usually a fast path to obscurity in today’s business landscape, where innovation and competition can arise from anywhere. Banks, hedge funds, asset managers, insurance firms and other participants in the financial services ecosystem should seek out technologies that not only meet compliance and security needs but also enable agility and flexibility.
Darren Voisey: Previously, regulation was considered a barrier, but now most regulators work with cloud providers to issue adoption guidance to meet regulations. The scale of infrastructure required to meet regulatory demands can even drive cloud adoption – cloud is the new normal.
Moving a couple of applications onto the cloud will spark wider organisational changes. Firms should keep close track of where spend is going and review their disaster recovery approach. Firms may believe they no longer require capacity planning, but the agility that cloud infrastructure offers often leads to increased usage.
To gain the greatest benefit, companies need to continually invest in existing cloud projects to incorporate cloud innovation as it becomes available. This could be changing to better, cheaper server types, or replacing infrastructure with a new platform-as-a-service offering to reduce operational costs, such as container services.
Organisations should also ensure their enterprise licences are cloud-friendly and avoid being locked into named locations and annual peak licence usage. The option to have 1,000 servers processing 1,000 tasks for an hour rather than 10 servers for 100 hours could be useful. Cloud costs are the same, while software licences may not be.
It is important to consider there will almost always be systems that won’t be ready to move to cloud due to data classification, platform incompatibility or restrictive licensing.
Paul McEwen: Regulators are also on a journey to better understand the impacts of the cloud – we found them to be open and genuinely interested in making this work. Good examples are the recent update to the Swiss Financial Market Supervisory Authority’s outsourcing circular and the work of several banking associations across Asia‑Pacific and Europe working closely with the regulators.
Ash Majid: If scalability is the best value the cloud can provide, then an artificial barrier is created based on the size of firms interested in cloud adoption. Many financial institutions may not be large enough to worry about scalability. Furthermore, with data security a key concern, if a cloud provider cannot demonstrate better safeguards than the firm’s internal measures, it may be difficult to justify the move with stakeholders.
Where does cloud offer the greatest potential for the future?
Paul McEwen: This is hard to predict, given the fast pace of innovation, but there is real potential in the area of AI, powered by machine learning and hyper-scale data analytics. This will also help power what we are doing more broadly in terms of innovation.
Arnaud de Chavagnac: Cloud is the foundation of application vendors’ research and development into making functional innovations. Cloud’s cross-sector roll-out provides the opportunity for application vendors to select the most relevant features for their business. In addition, cloud could impact project resources by freeing them up to create new offerings to maximise end‑user satisfaction. Application vendor business models may also change with the emergence of new managed services and moving to run on the cloud.
Ash Majid: The answer lies in its scalability. As financial instruments continue to become more complex, the need for increased analytics heightens. Since the financial crisis, risk managers have also enhanced their tools to better manage potential risks. Stress testing and scenario analysis are now the norm and, in the area of counterparty credit risk management, firms are pricing in more valuation adjustments. This requires increased computational power that can sometimes be tricky for financial firms to provide efficiently because of limitations on time and, sometimes, space. Firms are reverting to a focus on their core competencies and are less keen on developing their IT expertise despite the fact a firm cannot operate without IT. Therefore, the greatest potential for cloud computing is to allow firms to focus on what they do best, something that is not limited to financial services firms. I can see any industry that demands high computational power – pharmaceutical, biotech, oil and gas, or aerospace, for example – leveraging cloud computing.
María Cañamero: After some hesitation, the financial services industry is widely embracing cloud computing and entering into a fundamental transformation of its business and operating models.
In the banking sector, cloud is increasingly being adopted in the loan origination space, regulatory and compliance functions – including regulatory reporting and calculations, know-your-customer and anti-money laundering compliance, and International Financial Reporting Standard 9/current expected credit loss model – and other core aspects of the banking business, such as ALM.
In April, Moody’s Analytics launched the first of several new SaaS banking offerings on AWS. The new generation of products is fully optimised for the cloud, and features enhanced business intelligence, data management and industry-leading reporting tools.
We believe these offerings have a lot of potential in the banking regulatory technology – known as regtech – market, with SaaS being perceived as the preferred service model with the highest return on investment.
Alex Sayles: Beacon believes the cloud offers significant potential across many fields in the financial industry: data analytics, model forecasting, backtesting, automation, AI, data science and distributed ledgers, to name just a few. These fields would not be as powerful, useful or productive without wide-scale use and adoption of the cloud. But Beacon believes the most significant potential is how the cloud enables organisations and professionals to be much more productive, efficient and better able to extract value from their technology. The consequences will be that firms and technology organisations will be leaner, facilitating either better operating margins or more capabilities for deploying IT professionals to higher-margin, more strategic activities.
Darren Voisey: The potential is in its agility and innovation. It’s very hard to adopt new technologies in this industry, but once a firm moves to cloud, it’s an easier conversation to have.
It’s also wise to build on a cloud provider’s innovation – for example, cloud has been driving infrastructure evolution, and has allowed users to:
- ‘Run Docker on cloud infrastructure’ to ‘Docker-as-a-service’ to ‘run my container’
- ‘Run a web application on cloud infrastructure’ to ‘run my web application’ to ‘decompose a web application into functions and run those’.
Cloud’s agility in adopting new capabilities such as AI, machine learning, big data and serverless computing is impressive. I can’t wait to see what it brings us next.