“Regulators are supposed to have concerns; that’s their job”
Earlier this year the Bank of England (BoE) was told by Huw van Steenis that it needed to “embrace” the cloud. Its response was more of a polite air kiss.
The UBS group managing director had been brought in to lead a review of the “future of finance” and his report was relaxed about financial services (FS) firms shifting mission-critical workloads onto cloud technologies. These, he wrote, have “matured to the point they can meet the high expectations of regulators and financial services.”
While there is no shortage of cloud-native FS businesses in operation — from Monzo to Goldman Sachs’ Marcus — the BoE’s response was a reminder of just how much work the cloud industry still needs to do to persuade boards that the cloud is safe.
The central bank — which has a circa. £500 billion balance sheet, and itself relies heavily on old-fashioned mainframes — remained concerned about “concentration risk and lack of substitutability” it responded to van Steenis in June.
To AWS’s Scott Mullins — the company’s head of worldwide financial services business development — the concerns are overwrought, and misunderstand cloud architectures.
Speaking to Computer Business Review, he is more circumspect than to say it this bluntly, and chooses his words carefully: “Regulatory agencies are always supposed to have concerns. That’s what their role is. [But] I don’t believe that there is a risk of concentration risk.
“We have these conversations with customers and with the regulatory agencies and [try to explain that] you’re actually reducing concentration risk when you move to the cloud, because of the way that you can architect applications within cloud services.”
The former equities trader, whose 20 year career in financial services spans roles at JPMorgan Chase, Nasdaq, Merrill Lynch, and Penson Worldwide, has a hands-on appreciation for the issue: at Nasdaq, he co-foundedthe FinQloud platform — designed to provide broker-dealers with a storage and retrieval tool to help meet US Securities and Exchange Commission rules surrounding trade record retention obligations.
He told Computer Business Review: “When you move to the cloud, you have the opportunity to build in different ways. It all comes down to engineering.
“When I was a product manager– responsible for building and running a business — I had to have a primary infrastructure that I ran that included like my development, and my test, and production environments. I also had to have a secondary disaster recovery or a business continuity infrastructure in a separate location. That’s how we did business. We viewed it as ‘here’s how we manage risk: we’ve got our primary infrastructure and we’ve got our secondary infrastructure somewhere else that’s probably sitting in a cold status’; you have a hot and a cold status.”
“Today when you move to the cloud, you actually have the ability to build in resiliency to your applications first and foremost. And so if I’m an organisation in London, I can use the different availability zones to architect my application in a way that makes it much more resilient than if it was just sitting in a data center co-location facility, because I’m using the services in a way that span across those availabilities.
“If something does happen to one component within one of those availability zones. The application itself doesn’t fall over. It doesn’t fail. It actually has the ability to continue to operate based on the way we architected the application across that region and those availability zones. From a disaster recovery, business continuity perspective, we’ve been able to demonstrate to business leaders as well as the regulators the ability to actually move those operations from one availability zone to another and back.”
Give Me My Hardware Back…
Some will be eternally unconvinced: one financial services sector player told Computer Business Review an anecdote that captured the extent to which many like to have immediate access to their hardware: in this story, a hedge fund’s owner took a visceral dislike to/suspicion of a new tenant in a shared co-location facility, despite his server racks being discretely locked in a dedicated environment. “Within hours” their team turned up in the co-lo facility and started ripping out hardware.
(“Rumour has it they even had armed guards”, we were told by our source.)
This desire (irrational though cloud’s most vocal advocates might say it is) to have your hardware in close proximity, always, is deep-rooted in the FS sector. AWS’s Mullins sees the cloud giant’s new “Outposts” platform as providing inroads for AWS into boardrooms where such attitudes continue to hold sway. (AWS Outposts essentially puts “AWS infrastructure” (dedicated servers, APIs and other tools) into a data centre location of your choice, as a fully managed service). He told Computer Business Review: “We are going to see major adoption of Outposts within FS.”
Six months after its cloud wobble, the Bank of England early this month published a consultation paper from the Prudential Regulation Authority (PRA) on operational resilience for UK banks. Its only mention of cloud, in 68 pages is absurdly vague and suggests that while there are still concerns, it is just unable to articulate them clearly.
As the report puts it: “International interconnectedness is increasing, for example as UK firms may outsource to cloud computing providers operating in a number of different countries. While this can improve firms’ resilience, it also gives rise to new risks to operations which the PRA expects firms to manage effectively.”
Quite what that means is anyone’s guess, but those with strong opinions can put them to the PRA in writing by Friday 3 April 2020. Meanwhile, AWS looks set to keep winning business. As Mullins tells us: “People aren’t always comfortable with change because change means doing something different. [But] I think when you when it comes down to it, it’s all about making sure you can equip your people with the right skill sets.
“[FS businesses should] give teams the ability to actually experiment without fear of failure and to learn those new skills and apply those new skills.
“I think the organizations that we see do that and do it early, and make an investment in training? Their folks are the ones who are going to be the most successful.”