Bank Use of Cloud Technology

link to page 1



December 3, 2021
Bank Use of Cloud Technology
The banking industry has been a prominent, if sometimes
on premises or off-site, and may be managed by the
skeptical, adopter of cloud technology. Proponents promise
company or a third-party provider.
scalability, flexibility, and cost savings, among other
(2) Public cloud: companies share resources in the same
benefits. However, the technology also introduces potential
data center and possibly the same physical server at the
operational risks and policy concerns, such as systemic risk.
site of the cloud service provider or a third-party facility.
Banking’s steady, but not advanced, adoption of this
(3) Hybrid cloud: a model that employs both private
technology (as shown by its position along the “adoption
and public cloud solutions.
curve” in Figure 1 below) reflects this trade-off.
(4) Community cloud: entities with a similar purpose
What Is the Cloud?
share cloud infrastructure.
Put simply, cloud users pay cloud service providers (CSPs)
Banks and the Cloud
to use CSPs’ computing resources (e.g., servers and
One survey revealed that, prior to the COVID-19 pandemic,
mainframes), rather than purchasing and maintaining their
nearly 91% of banks and other financial institutions were
own. According to the National Institute of Standards and
using the cloud or considering using it in the near future.
Technology, cloud computing is a “model for enabling
Since the pandemic, media reports suggest cloud adoption
ubiquitous, convenient, on-demand network access to a
has increased as banks sought to cut costs, meet public
shared pool of configurable computing resources.” By the
demand for online services, and manage teams of remote
same definition, the five hallmark characteristics of the
workers. Still, while bank adoption of any cloud service is
cloud are (1) on demand service; (2) broad network access;
relatively high, the overall percentage of bank workloads in
(3) resource pooling; (4) rapid elasticity; and (5) measured
the cloud is comparatively low. One consulting firm that
service, or the ability to monitor or limit quantities used.
works extensively with banks and other financial
Transferring the maintenance of computing resources to a
institutions has estimated that between 8% and 10% of
CSP allows banks to avoid certain administrative tasks
global bank business is conducted in a cloud environment.
(such as patching and backups) and investment costs. Cloud
Generally, banks are more likely to migrate to the cloud
services also allow a company to quickly grow and then
functions that focus on internal bank business, including
shrink with demand, paying only for what it used.
finance, legal and regulatory compliance, and human
There are four ways banks and other companies may deploy
resources (sometimes referred to as enterprise applications).
cloud technology, often called cloud deployment models:
On the other end of the spectrum, core banking services are
likely to be among the last to convert. Core banking
(1) Private cloud: resources are dedicated to and for
services refer to the systems that facilitate vital bank
sole use of one company. These services can be hosted
business, including processing transactions, updating
accounts, and reconciling ledgers.
Figure 1. The State of Cloud Adoption

Source: Accenture.
Notes: Strategic: adoption of cloud is intended to confer a competitive advantage. Mainstream: adoption is common among businesses in
the industry. Experimental: not in ful production; business success does not hinge on cloud use.
https://crsreports.congress.gov

Bank Use of Cloud Technology
Benefits to Banking in the Cloud
that stems from high concentration among few providers,
noting that a “service interruption or cyber event at a
Banks have migrated to the cloud from on-premises
critical vendor with a large number of clients could result in
infrastructure solutions for a number of reasons, including
widespread disruption in access to financial data and could
saving time and money, improving security, and gaining
impair the flow of financial transactions.” Traditional bank
flexibility. Adopting the cloud can help banks avoid the
risks such as market and liquidity risks, not normally cloud
cost of initial investment and regular maintenance of
computing concerns, can rise if the banks’ abilities to
computing infrastructure. In addition, banks no longer have
transact are impeded by cloud-related disruptions.
to designate personnel and physical real estate or account
for the associated costs when they outsource solutions to
Antitrust: Obstacles to data portability, such as proprietary
off-site CSPs and data centers, particularly in a public cloud
technology and restrictive vendor contracts, may make
deployment model. Storage of applications and data in the
switching CSPs difficult. In addition, barriers to entry for
cloud provides enhanced operational resilience for periods
new providers are high because entry into the cloud market
of disruption. Some argue that banks are (potentially) safer
requires massive investments in IT infrastructure.
in the cloud because cloud service providers invest heavily
Accordingly, competition issues in the cloud industry may
to protect against cyberthreats. Running applications in a
be of interest to Congress. Various antitrust bills were
“platform-as-a-service” model allows banks to test and
introduced in Congress in the summer of 2021 to curb the
deploy application upgrades on a rolling basis instead of
power of large technology platforms. H.R. 3849—which
through significantly more momentous and time-consuming
would impose interoperability and data-portability
upgrades. Finally, access to advanced computing power
requirements on certain tech platforms—may be relevant
may allow banks to perform advanced analytics on
for CSPs, though it is unclear whether the bill as drafted
customer data.
would encompass such firms. In June 2021, the House
Judiciary Committee reported the legislation to the House
Risks
floor. As Congress considers the bill, it may seek to clarify
Due to the highly regulated nature of banking and policy
whether CSPs would be subject to its requirements.
focus on safety and soundness, banks have historically been
somewhat skeptical about adopting cloud technology, citing
Financial Crimes Investigations: Another relevant policy
potential risks. Cloud use does not generally elevate typical
issue is the role that CSPs may play in financial crimes
bank risks, including market, credit, and liquidity risk.
investigations. According to a report from the Federal
Instead, cyber, operational and vendor, and associated
Reserve Bank of San Francisco’s Fintech office, privacy-
regulatory compliance risks are bigger concerns.
enhancing technologies typically make it difficult for CSPs
to read data under certain circumstances. However, as
Cyber risk: Exposures to cyber risk change, and may
“detailed information is required to prosecute financial
increase, for banks with increased reliance on advanced
crime ... there is a question as to how much granular
information technology (IT) solutions, including the cloud.
identifiable information entities, and service providers, like
On one hand, CSPs are arguably more adept at managing
cloud storage, should be able to provide.”
certain types of attacks, as they have specialized workers
managing security across all their clients. On the other
Bank supervision: The scope of bank supervision may
hand, banks are targeted by unique adversaries employing
expand to CSPs as the cloud becomes more integral to bank
novel attacks because of their high exposure to IT and their
operations. This may lead to technical resource mismatches
role in credit intermediation.
as well as relationship management issues for CSPs that
may not be used to thorough inspections. The Federal
Third-party service provider (TSP) risk: From a
Reserve Bank of Richmond performed a formal exam of
regulatory perspective, banks are still responsible for
AWS in April 2019. Close integration between banks and
negative consequences that may occur as a result of using a
cloud providers may accelerate regulators’ call for regular
TSP, including a CSP. Moreover, in a shared responsibility
examination of CSPs to monitor aspects of their
relationship, banks and CSPs are responsible for discrete
relationships with banks, including security and financial
tasks of a shared work stream. It is therefore incumbent on
system stability risks.
each to know where one’s responsibility ends and the
other’s begins. Failure to do so may cause misconfiguration
CRS Resources
risk, which occurs if either party fails to satisfy one of its
CRS Report R46332, Fintech: Overview of Innovative
responsibilities, such as selecting the appropriate security
Financial Technology and Selected Policy Issues,
settings. Moreover, compliance and operational failures
coordinated by David W. Perkins
rising from the reliance on TSPs may also create
reputational risk.
CRS Report R46119, Cloud Computing: Background,
Status of Adoption by Federal Agencies, and Congressional

Policy Issues
Action, by Patricia Moloney Figliola
Broader risks to bank adoption of cloud technology pose
CRS Report R46875, The Big Tech Antitrust Bills, by Jay
certain policy issues that may be of interest to Congress.
B. Sykes
Concentration: The cloud market is concentrated in three
Paul Tierno, Analyst in Financial Economics
CSPs—Amazon Web Services (AWS), Microsoft Azure,
and Google Cloud—that collectively account for between
IF11985
60% and 70% of market share. In its 2019 Annual Report,
the Financial Stability Oversight Council discussed the risk
https://crsreports.congress.gov

Bank Use of Cloud Technology


Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.

https://crsreports.congress.gov | IF11985 · VERSION 1 · NEW