Why banks can trust the cloud and how fintechs can be trusted by deploying bank grade security
Although the cloud has certainly been around longer than any of us – and I enjoy a glimpse into infinity every time I fly - when we use the word these days in a business setting, we do refer to a real – yet intangible – environment where we host and share technology and data. As early as 1989 Apple set up a project to look into the next generation of computing whereby consumer electronics companies, computer and telecommunications companies had to collaborate. This resulted in a spin-off in which Andy Hertzfeld played a huge part and a few years later he wrote the now famous words on his invention Telescript: “The beauty is that now instead of just having a device to program, we now have the entire Cloud out there, where a single program can go and travel to many different sources of information and create sort of a virtual service.”
Fast forward to the early 2000s, when large enterprises started to explore cloud benefits. Needless to say, banks were not amongst the first movers. They are risk averse and tightly regulated by parties who, for many good reasons, are not normally known for breaking frontiers either, so we cannot blame them. Yet soon we saw banks starting to move non-customer-centric or lower-risk functions to various forms of private, hybrid and later public cloud.
In 2013 the Global Lead for APIs, Platforms and Cloud for Payments and Banking at Celent, Gareth Lodge, wrote a paper on Thinking the Unthinkable – banks relinquishing control, and some of my BankiFi colleagues, then working at Clear2Pay, contributed their views. It was all about the underlying and core strategic question: is the delivery and distribution model of banking (here payments) services a key strategic asset that must be harnessed inside the organisation, or should it be adaptable to changing market situations and customer demands? And thus, he touched on the unthinkable … would using the cloud make the bank more competitive rather than more exposed?
Research today shows that the cloud is here to stay. 2019 surveys from Flexera and Divvycloud clearly indicate strong growth rates across large enterprises and SMEs alike and, interestingly, even a clear increase in trust in the public cloud over private or hybrid models. The ‘25 must-know cloud computing statistics’ of Hostingtribunal even speak of 90% of companies being ‘on the cloud’, with AWS and Azure clearly leading over Google Cloud.
The conditions are now right for banks too
There are many reasons why banks too are now looking to the cloud, but they all circle around two important banking paradigms: trust and regulation.
Cloud security has improved by leaps and bounds over the past three years. Banks also realise that keeping onsite infrastructures safe, not to speak of data that sits on staff devices, is a near impossible task, and that the investments in research and money that public providers such as Amazon, Microsoft, Google and other bigtechs such as Oracle allocate to the cloud cannot be matched. Furthermore, collective and shared security measures are gaining momentum too: “let’s team up to keep them out.”
This increasing trust in cloud service providers is matched in terms of confidence by the arrival of PSD2 and GDPR, to which the core principle of cloud (instant sharing and access) applies. Banks wanting to be ‘the platform not the pipe’ will have to move as fast as their fintech counterparts when it comes to offering relevant new services. Fast delivery means running projects whereby minimum viable products (MVPs) are launched and tested with live customers, often in cooperation with fintech partners such as ourselves.
In fairness, any standalone product that sits outside the core banking legacy can be lifted to the cloud, with integration secured via APIs. The key is the understanding that data is the most valuable asset of a bank and that, as such, fast and secure access to relevant data is key not only for the bank’s customers, but also for the development teams of the bank and its fintech partners. Orchestration and management of these extensive, decentralised environments is key.
A case study of data privacy and security from the front
When we turned the initial BankiFi business idea into a full business and technology architecture, we realised that, being cloud-native and targeted at financial institutions, we needed to be trusted. Simply put, security is a design idea at the forefront, rather than an afterthought. To do this we have to embrace the aspects of typical bank-grade security tech and apply them in practice, and in the cloud.
One of the key goals of the new open financial data regulations has been that the control over data storage and use stays firmly in the consumer's hands. With this in mind, the BankiFi platform does not access, store, aggregate or modify any part of customer data without the customer's explicit consent. Gathering, storing, validating and auditing consent for data access are some of the key pillars of the platform. The challenge with consent data for a cloud-based SaaS platform has been how to ensure security, privacy and control for all data coming through the system. Specific microservices do just that: managing consent for customer-owned data on two levels. And because this is such a vital, and often misunderstood, element of open banking, a little deep dive:
1. Consent to access customer data held by data custodians, or to send data to data custodians on the customer's behalf (bank APIs, accounting package APIs, government APIs, and APIs from other information providers). The master record for this type of consent is actually stored with the institution that holds the customer data. The BankiFi platform will hold an immutable copy of the customer consent, which can be used to verify the consent information or to request additional consent near expiry if required.
2. Extended consent to combine customer data from different data custodians and store it within BankiFi for further processing (data analytics, machine learning, including identifiable and anonymized data). With BankiFi you get an enterprise-ready, consent-enabled platform which you can tailor to your own customers or regulatory requirements.
This fine-grained consent is the key differentiator for us, going beyond the current regulatory framework in taking care of privacy and control of individual pieces of customer data. This is another design purpose, as we feel that, in view of today’s increased public unease around privacy and data use, the European GDPR is merely the beginning of a host of global regulation to come.
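The two consent levels and the near-expiry check described above can be sketched as follows. This is an added example, not BankiFi code: the field names, the HMAC-SHA256 seal used here as a tamper-evident stand-in for the immutable copy, the key and the 7-day renewal window are all assumptions.

```python
import hashlib, hmac, json
from datetime import datetime, timedelta, timezone

SEAL_KEY = b"constructed-demo-key"   # hypothetical per-deployment key (placeholder)
RENEWAL_WINDOW = timedelta(days=7)   # assumed meaning of "near expiry"

def _tag(body: str) -> str:
    return hmac.new(SEAL_KEY, body.encode(), hashlib.sha256).hexdigest()

def seal(record: dict) -> dict:
    """Store the consent as canonical JSON plus an integrity tag."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return {"body": body, "tag": _tag(body)}

def check(sealed: dict, action: str, scope: str, now: datetime) -> str:
    """Decide whether `action` on `scope` is covered by the sealed consent copy."""
    # Verify the local copy first: a modified record must never authorise access.
    if not hmac.compare_digest(_tag(sealed["body"]), sealed["tag"]):
        return "reject:tampered"
    consent = json.loads(sealed["body"])
    expires = datetime.fromisoformat(consent["expires"])
    if now >= expires:
        return "reject:expired"
    if scope not in consent["scopes"]:
        return "reject:scope"
    # Level 2: combining or storing data needs extended consent,
    # which plain access consent (level 1) does not imply.
    if action in ("combine", "store") and not consent.get("extended", False):
        return "reject:extended-consent-required"
    if expires - now <= RENEWAL_WINDOW:
        return "allow:renew-soon"    # caller should ask the customer to re-consent
    return "allow"

# Constructed sample record: level-1 (access only) consent for one custodian.
ACCESS_ONLY = seal({
    "customer": "cust-001", "custodian": "bank-a",
    "scopes": ["accounts:read"], "extended": False,
    "expires": "2020-03-01T00:00:00+00:00",
})

if __name__ == "__main__":
    now = datetime(2020, 1, 10, tzinfo=timezone.utc)
    for action in ("read", "store"):
        print(action, "->", check(ACCESS_ONLY, action, "accounts:read", now))
```

The decision fails closed: integrity, expiry and scope are checked before the extended-consent rule, so a record that cannot be verified never reaches the allow paths.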
And one more FAQ – what about data storage?
Banks’ reputations come by foot and go on horseback. Customer trust equals privacy of customer data, and as such is often the lever on which this happens. Platforms like ours, that power vital business microservices – read functions – must be designed to be able to store sensitive data within a highly regulated environment. All data stored on our database servers in the cloud and processed by the BankiFi platform is encrypted both in flight (using strong TLS encryption) and at rest (using strong disk encryption features provided by the cloud providers). In addition, every piece of sensitive data (consents, tokens, customer bank and accounting data) is encrypted with a private key on the application level, where each BankiFi bank customer has its own encryption key per deployment, not shared with anyone else.
Most importantly, core BankiFi APIs do not actually require much of the customer-identifiable sensitive information, so names, addresses and dates of birth can all be owned by the bank and stored within its own on-premise environment. Access to such data is designed in a restricted manner for those use cases that require it.
Private – hybrid – public – cloud is bank friendly today
Having worked at a bank, in bigtech and now in a fintech environment, one thing is clear to me: the cloud is ready for banks, and banks are getting ready for the cloud. Never before have we had this serendipity, in which what the market requires banks to do (be more open, transparent, nimble and market facing) can be delivered today. The technology and processes we have now do not compare to those of ten years ago. Banks now create very viable hybrid structures whereby they meet both the regulatory models and the oversight of central banks and other parties, plus the market’s call.
Aleksa Vukotic heads up the BankiFi technology team and is responsible for the overall technology vision and design of the core platform and value add solutions. He has a very relevant background in designing and building microservices over the past ten years, most recently at a large UK bank, where he helped deliver Open Banking APIs. He is a published author (Neo4j in Action, Manning; Pro Spring 2.5; and Apache Tomcat 7), in addition to regularly speaking at technology meetups.