Cloud-Based Computing: Risks and opportunities for financial services providers

This blog post was written by Bryan Barnett, Independent Consultant, and Maria Stephens, Senior Technical Adviser at USAID, following the Mobile Financial Services Seminar, "Cloud Computing and Financial Services for The Poor: Promise and Perils of a New Computing Paradigm."

Accessing software applications over the Internet is now widespread and familiar. Search engines, auction sites, and a variety of business applications are widely known and used. For microfinance institutions, Internet-based portfolio management and accounting applications are now available. Mobile money platforms are appearing that offer an outsourced service over the Internet to mobile network operators (MNOs) and banks, eliminating the need for those institutions to host or operate the platforms themselves. “Cloud-based” services offer substantial economic benefits, but donors supporting projects and development programs that rely on these services should be certain that implementation partners are informed consumers of these services. A basic understanding of cloud computing and its risks and benefits is therefore important both to donors and their partners.

What is commonly known as “SaaS” (or “Software-as-a-Service”) is the familiar face of cloud computing. However, behind this exterior is a dramatic change in the way in which computing resources are managed. In the data centers where SaaS applications are hosted, what genuinely distinguishes a true cloud infrastructure is that resources are pooled. This means that instead of a group of individual computers each dedicated to a particular set of applications or tasks, all processor capacity, storage capacity and network bandwidth are combined into fungible pools of computing resources. From these pools, processing power, data storage or network bandwidth can be accessed in any desired quantity, combined in a flexible manner to meet any specific need, rapidly assigned to any task or application, and then released from those tasks when no longer needed. This service flexibility yields tremendous efficiency for the providers of SaaS applications, and therefore results in greater economic benefits for end users. This increased efficiency is, to a very great extent, driving the increasing demand for outsourced cloud-based services from a variety of end users, including service providers in the mobile financial services supply chain.

Where previously an end user might have purchased their own hardware, licensed software, and maintained their own information technology staff to support their back office systems, now they can simply access and use software provided to them over the Internet by a cloud-hosted service wherein they pay only for the volume and type of service which they actually utilize. For the service provider, relying on a true cloud infrastructure in the data center translates into not having to make up-front capital investments in expensive hardware or software, which allows for freeing up additional resources as the business expands.

For donors and project staff, cloud-based services will play an increasingly important role in a wide range of development initiatives, offering microfinance institutions, microenterprises, civil society programs and others critical access to information technology that would otherwise be out of their financial reach or too complex to manage. Cloud-hosted services already play a significant role in many mobile money schemes, where the mobile money platform is hosted by a third party at a remote location, and is accessed by the MNO or the bank through the Internet. While the advantages of adopting an outsourced cloud-based component are both obvious and compelling, donors and project staff still need to be better informed about the various aspects of cloud computing if they and their implementing partners are to avoid the risks that accompany the benefits.

A key distinguishing feature of cloud-hosted services is that end users are entrusting physical custody of their data and control of mission-critical applications to a third party, while relying on the Internet for access to the applications and data. Broadly speaking, there are five types of risk associated with cloud computing:

  1. Internet outage or slow connections may degrade the quality of service for end-users.
  2. The physical security of the data center may be compromised (through unauthorized access, loss of power, natural disasters, etc.), causing a loss of service or loss of data.
  3. Privacy may be compromised or applications may be misused if data is accessed by unauthorized users.
  4. Software employed to manage data center resources can malfunction, causing interruption in services.
  5. A SaaS provider may go out of business, leaving customers without access to their data or critical software applications.

Of all of these risks, the first risk is the most commonly found and the least consequential in that it does not result in any loss, theft, or misuse of proprietary data. At the other extreme of the spectrum, failure of a SaaS provider's business is quite possible, particularly in those cases in which the businesses are small start-up enterprises.

The risks associated with cloud services can, and should, be mitigated. Just how, and by whom, this due diligence should be undertaken varies significantly from one context to another. In cases where the customer of a cloud service is a sole institution, such as a microfinance institution, risks will normally be addressed through the contract between the customer and service provider. However, in those cases in which a cloud-hosted service forms the backbone of a large component of the financial system, as would be the case if the customer were a national central bank, there is clearly a role for financial regulators in this discussion, since a significant disruption in the underlying cloud service may pose a systemic risk to the financial system at a national, and potentially even a global, level. At present, it appears that many regulators hold banks or mobile operators accountable for the integrity of the mobile money system without appreciating the fact that the core platform is not operated by either an MNO or a bank, but has instead been outsourced to a third party that may be beyond the reach of local regulators.[1] At a minimum, regulators would want to ensure that those whom they elect to hold responsible (MNOs or banks) themselves have adequate expertise and appropriate standards in place for assessing the outsourcing providers on whom they will rely. In addition, regulators should ensure that appropriate controls are addressed explicitly within any Service Level Agreement that binds the parties in a cloud outsourced configuration.

Footnotes

[1] This is particularly important within an AML-CFT context since any US-based entity or individual that provides an outsourced cloud-based service that is shown to facilitate the flow of illicit financing can be held both to global AML-CFT compliance standards, and to the U.S. Treasury Department's specific FinCEN and OFAC regulations. The federal Financial Action Task Force (FATF), Treasury FinCEN, and Treasury Office of Foreign Assets Control (OFAC) provide anti-money laundering and terrorist financing guidelines within which US companies and individuals must remain compliant, including within a third-party outsource structured partnership arrangement that could expose parties to direct and contingent liabilities brought on by illicit financial flows.