“And the OSPAR goes to…”: Singapore banks warm up to the public cloud

In the last few months, Singapore’s banking sector has been allowing audited hyperscale public cloud players access to the financial services value chain. Here’s why that’s a big deal.


Last month, Google Cloud announced it had received OSPAR attestation from the Association of Banks in Singapore (ABS) for 75 of its cloud products, which means those services can now be offered to financial institutions (FIs) in Singapore. That followed news in July that Amazon Web Services had received its OSPAR attestation for 64 services, while Alibaba Cloud received its OSPAR validation in June (although it didn’t specify how many services were covered).

While Google Cloud, AWS and Alibaba Cloud aren’t the first cloud service providers (CSPs) to receive OSPAR status in Singapore, they’re among the first public cloud providers to do so, which – surprisingly yet perhaps inevitably – highlights the growing role of public cloud services in the banking and finance industry.

Quick explainer: In 2015, the ABS released its first set of guidelines on “control objectives and procedures” for outsourced service providers (OSPs) who want to provide services to FIs in Singapore. These controls are grouped into three basic categories: (1) internal “entity level controls” to ensure implementation of management directives such as risk assessment, security policies and sub-contracting policies, (2) “general IT controls” (security, disaster recovery, incident management, etc.) and (3) “service controls” to ensure proper monitoring and fulfilment of SLAs.

The overall objective is to ensure that OSP services meet the same levels of governance, rigor, and consistency as if the FIs were doing everything themselves.

OSPs who want the ABS stamp of approval to serve the FI segment need to undergo an audit by a certified auditor to ensure they meet the minimum/baseline controls laid out in the guidelines. Those who pass the audit are issued an Outsourced Service Provider Audit Report (OSPAR) attestation, valid for 12 months, that assures FIs that the OSP meets ABS guidelines.

Technically these aren’t legally binding regulations – they’re industry guidelines from Singapore’s banking sector. That said, ABS says its OSPAR guidelines closely mirror similar guidelines from the Monetary Authority of Singapore (MAS).

Attaining OSPAR attestation is a rigorous process that typically takes a minimum of six months to complete. For example, AWS’s audit period ran from the start of October 2018 to the end of May 2019, with the OSPAR attestation issued around two months later. By contrast, Google G Suite took a full year to complete its audit – and it still had to wait another six months before its OSPAR was officially issued. As of October 18, ABS has issued attestations for 88 OSPs.

What public cloud brings to the FI table

The term OSP covers a lot of different businesses in the financial services value chain, from payment services, payroll processing and tax compliance services to storage and records management, debt collectors and KYC as a service. As noted above, it also includes data center operators like Singtel, Equinix and 1-Net, and managed CSPs like BT, Dimension Data and CenturyLink.

The addition of public cloud services “enables FIs processing high impact workloads to adopt technology at a much higher velocity,” says Tim Synan, regional director of Southeast Asia at Google Cloud.

More than that, however, it illustrates how far the banking sector has come in its traditionally uneasy relationship with cloud services. Incumbent banks are naturally risk-averse when it comes to storing and moving data outside of their own hardware or private networks, and five years ago the idea of placing any of their data, business apps and processes on a public cloud was not only frightening — in many markets it was a potential violation of local banking regulations.

But attitudes have been changing over the last few years, thanks in part to the rise of FinTech start-ups leveraging the public cloud to launch competitive digital finance and payments services. Like many incumbent market leaders suddenly surrounded by more nimble competition, FIs have been forced to develop plans to digitally transform their creaky legacy architectures just to keep up with the market changes, and the cloud is an attractive (and fast) option to facilitate that transformation.

“FIs face several challenges when it comes to migrating from one environment to another,” says Synan of Google Cloud. “For example, many FIs have long histories with lots of M&As. They have a big legacy estate that they need to deal with. Addressing those and revamping them the cloud way is a major undertaking.”

Synan adds that many firms hesitate to move that infrastructure cost item from ‘capex’ to ‘opex’. “It can be intimidating, especially if there have been recent purchases of new software licenses to keep the legacy system going.”

There’s also the perennial problem of legacy mindsets in terms of both technology and corporate culture, he adds. “Few companies have the technical know-how to build what can often turn into a very complex platform, and re-educating the workforce and hiring people who understand the cloud – undertaking a cultural and technical transformation takes a while.”

Naturally, there’s also the security issue, which the financial industry cannot afford to take lightly, says Zheng Yuanbin, head of security compliance and privacy at Alibaba Cloud Intelligence.

“The security of data is especially critical for the financial services industry, given the sensitivity of information and the volume of data collected,” Zheng says. “It is important for external partners to be compliant with regulations and security guidelines either through external bodies like ABS, or through independent self-assessments and audits.”

Don’t fear the cloud

These are exactly the kinds of concerns that the OSPAR process addresses, which should give Singapore’s FIs relative peace of mind. So should the fact that public cloud providers have spent years going out of their way to prove that they’re safe for FI usage.

It also helps that Singapore isn’t the only market where they’ve been accredited for financial services. Zheng says Alibaba Cloud “has racked up more than 70 compliance accreditations worldwide. We are the first cloud provider to be attested the additional requirements of Germany’s Cloud Computing Compliance Controls Catalogue (C5).”

Increasingly, confidence in the cloud is growing as FIs realize that the potential benefits outweigh the risks (and that their survival may hang in the balance). According to the Culture of Innovation Index released last month by ACI Worldwide and research consultancy Ovum, “74% of banks plan to move mission-critical workloads into public cloud infrastructure either this or next year and 89% either have already made significant use of cloud or are planning to make further investments in 2019/20.”

Perhaps the greatest vote of confidence in public cloud for financial services came at the end of last month when SWIFT – the network that provides financial messaging services to over 11,000 banking and securities firms – announced its new “Cloud Connect” initiative that aims to develop network architecture and automation templates that allow customers using hyperscale public cloud platforms like Microsoft Azure and Google Cloud to connect securely to the SWIFT network.

SWIFT said it already has a proof of concept in place with Microsoft, and plans to begin customer trials later this year, with community-wide service scheduled for the second half of next year.

SWIFT Chief Information Officer Craig Young said the initiative reflects the growing trend of banks and FinTech firms adopting cloud services to reduce costs, improve agility and resiliency, and streamline security and compliance burdens.

“Cloud computing is a key enabler of a faster, frictionless future and a powerful catalyst for innovative new services,” he said in a statement. “Our community is seizing its potential, and we are committed to supporting them with a range of connectivity options reflecting their diverse approaches and breadth of needs.”

Cloud implementation 2.0

Meanwhile, if FIs are still feeling a bit skittish about the cloud, the ABS is going out of its way to assuage their concerns. In August this year, ABS released the 2.0 version of its Cloud Computing Implementation Guide for FIs planning to adopt cloud services (as well as cloud service providers keen to serve FI customers). The guide – which was first published in mid-2016 – was updated to reflect the evolution of technology and market practices in the past three years.

Generally speaking, the new guide – the result of 18 months of consultation between CSPs, FIs and MAS – provides (1) a detailed framework for governing, designing, securing and running the cloud, (2) in-depth guidance to ensure OSPAR-attested CSPs are upholding best practices regarding control objectives and procedures, and (3) clearer features for categorizing material and non-material cloud outsourcing arrangements (as well as updated regulations for securing material and non-material workloads).

ABS director Ong-Ang Ai Boon said the updated cloud guidelines reflected the growing importance of cloud in Singapore’s financial industry.

“As one of the top financial hubs in the region, it is crucial that [Singapore’s] financial industry seizes the cost and risk reduction opportunities offered by cloud computing services,” she said. “The partnership with CSPs would also strengthen the technology and operational resilience of individual institutions as cloud infrastructure scales on demand to support fluctuating workloads.”