Banking On Cloud - BBA The Voice Of Banking


Banking on Cloud
A discussion paper by the BBA and Pinsent Masons

About the BBA Cloud Computing Working Group

In collaboration with Pinsent Masons, in early 2016 the BBA created a Cloud Computing Working Group for BBA members with the objective of identifying regulatory and commercial challenges that are holding banks back from adopting cloud solutions to a greater extent than that which to date has taken place.

This discussion paper represents the first output of the Cloud Computing Working Group and sets up a work-stream for future collaboration amongst BBA members and with stakeholders more generally, including cloud service providers. It also sets out a direction for future engagement with regulators in relation to regulatory issues which remain causes for concern for both banks and cloud service providers, while not setting out specific requests for clarification.

While this discussion paper focuses on public cloud deployment models, it is also relevant to hybrid cloud models.

Methodology

- Pinsent Masons produced an initial report and detailed roadmap agenda for the BBA Cloud Working Group to consider.
- Five BBA Cloud Working Group sessions were held where the roadmap prepared by Pinsent Masons was considered and debated.
- Requests for clarification of specific issues were made during BBA Cloud Working Group sessions and taken on by specific members.
- A questionnaire was sent out to members following on from the discussions undertaken during the BBA Cloud Working Group sessions which tested the collective view of key challenges that arose from the BBA Cloud Working Group discussions.
- Responses to the questionnaire, minutes from the BBA Cloud Working Group sessions and outputs prepared by specific BBA Cloud Working Group members were reviewed by Pinsent Masons and the BBA.
- A draft discussion paper was prepared on the basis of that review.
- Further input was sought from the BBA membership.
- Final publication took place on 5 December 2016.

Introduction

Outside of banking, public cloud computing has proven to be a driver of innovation, enabling new competitors, products and more flexible business models. By comparison, banks have been understandably slower in migrating products and services and leveraging the benefits of the public cloud, taking time first to focus on assessing risk and the necessary controls that need to be put in place. However, this trend is changing, as cloud computing is increasingly seen as a reliable, and cost-effective, opportunity and solution for banks.

One of the key drivers of this change is the digital economy. The proliferation of data and emerging demand for innovative digital products and services that meet customer needs, introduce new challenges on banks’ IT infrastructure. These challenges include a pressing need to deploy cloud-enabled services and maintain capacity to process large volumes of data, combined with secure and economical storage. Many long-established, challengers and new digital banks are therefore seeking to leverage cloud in order to accelerate innovation, mitigate IT risks, and introduce cost efficiencies.

Public Cloud: Key Drivers for Adoption

1. Agile innovation
The ability to access a shared pool of configurable computing resources can increase a bank’s ability to innovate by enhancing agility, efficiency, and productivity. Public cloud deployments can enable banks to direct internal resources, previously focused on the administration of IT infrastructure, towards innovating and delivering new products and services to market more quickly.

2. Risk mitigation
Public cloud can provide efficient solutions to mitigate traditional technology risks, such as capacity, redundancy, and resiliency concerns. The scalable nature of public cloud computing can provide banks with greater control in the management of variable IT demands, while offering new commercially viable methods to implement enhanced security controls.

3. Cost benefits
Cost efficiencies can be derived from reducing the initial capital expenditure investment required for traditional IT infrastructure, and through providing more efficient means for banks to manage computing capacity necessary to satisfy customer demand across peak periods. In addition to these direct cost benefits, new business efficiencies gained from public cloud deployments within bank innovation and risk mitigation processes can also deliver associated cost efficiencies.

Introduction (continued)

As banks continue to utilise cloud computing with its many new benefits to clients, customers and banks themselves, consideration needs to be given to risk mitigation and regulatory compliance issues. As part of this process, banks must identify new risks unique to the public cloud and understand how responsibility for risk controls is managed in this new environment. This includes reassessing internal controls and ensuring appropriate arrangements are in place with cloud service providers, and third parties which exercise control over aspects of the technology stack. New challenges also arise as banks apply IT and operational risk policies to technologies that challenge traditional notions in outsourcing arrangements or concerning access to, and location of, data.

That is not to suggest that banks are generally all at the beginning of this journey. Many banks are establishing well-developed positions on the challenges in which use of public cloud can result and entering into terms with public cloud service providers in relation to some functions. Others are actively working with major cloud service providers to ensure that proper controls, governance and compliance processes can be formed.

The benefits of public cloud computing are optimised for banks and their clients and customers when leveraged across jurisdictions. Internationally, regulators have acknowledged the potential of cloud computing to effect positive change in financial services. For example, the Monetary Authority of Singapore, the UK’s Financial Conduct Authority (FCA) and the Australian Prudential Regulation Authority, have introduced guidance and checklists in an attempt to clarify the requirements for outsourcing to the cloud or using other third party IT services. However, inconsistent regulatory approaches across jurisdictions continue, and uncertainty around the interpretation of certain regulatory requirements remains, causing friction both within banks, and between banks and cloud service providers.

There are several steps that banks, cloud service providers and regulators can take to reduce these frictions and enable the responsible adoption of public cloud computing as part of the wider sustainable digitalisation of financial services.

Working together, banks, cloud service providers, regulators and policy makers can understand how best to meet the policy objectives of the regulatory regime while also minimising frictions to innovation and competition. There is no simple answer. However, a principle-based approach to regulation that enables banks to develop bespoke and efficient approaches to regulatory compliance and risk management is fundamental. Specific solutions should include joint industry advice on best practice, refined regulatory guidance, and risk and control frameworks to support industry benchmarking and proportionate decision making.

The way forward

Banks, cloud service providers, regulators, and policy makers should work together to:

- prioritise activities that clarify ways to meet the objectives of the regulatory regime in a public cloud computing context; and
- create a more harmonised international regulatory framework for the adoption of public cloud computing in banking.

Seven hurdles to cloud adoption

The BBA Cloud Working Group has identified a number of hurdles that impact on the extent to which banks can adopt public cloud solutions efficiently, with confidence, and without creating exposure to levels of regulatory compliance risk which they consider unacceptable.

While these hurdles exist as real and practical frictions that hold many banks back from using public cloud solutions, not all are regulatory. Many of them arise from the challenge of understanding how to meet regulatory requirements using systems, controls, processes and procedures designed for traditional outsourcing arrangements. These frictions can result in protracted negotiations of cloud contracts and also internal challenges within a bank’s own risk and control function.

The seven hurdles

The hurdles are:

- difficulties in understanding whether the use of a specific public cloud technology enables a “critical” or “important” operational function of a bank;
- uncertainty as to what amounts to effective supervision and oversight of a public cloud service provider, and its supply chain;
- practical constraints in enabling regulators to have effective oversight of regulated activities dependent on public cloud technology;
- adapting internal risk frameworks to a new technology environment that accounts for additional risks that may arise in a public cloud context;
- issues concerning the location of data including transferring data outside the European Economic Area (EEA) and access to data by law enforcement authorities;
- issues concerning the management of data including security, data breach reporting and ensuring that new obligations soon to come into effect such as privacy by design and default can be effectively met in a public cloud environment; and
- difficulties in establishing a compliant termination and exit regime in a public cloud context.

Hurdle 1: Clarifying the context

Comments from BBA members:

“The current guidance regulates cloud technologies under the cloak of outsourcing. However, there is no direct equivalence in the equation between cloud services and outsourcing.”

“Not all banking activities are critical or important in the context of regulated operations (for example customer relationship management and enterprise resource planning, or customer operations that are not time critical) and not all regulated operations may be critical or important.”

“A lack of clarity for certain aspects of outsourcing guidance hampers risk assessments related to using public cloud for critical and material functions. This limits the innovation and availability of new banking services as, going forward, these can only realistically be delivered through public cloud.”

“The benefits that flow from enabling a proportionate approach to criticality and importance should not be underestimated.”

The hurdle

Current guidance does not enable banks to determine with certainty when the use of public cloud technology will take place within the context of a ‘critical’ or ‘important’ banking function. This uncertainty often results in a disproportionately risk-averse approach to assessing technology risk.

Overcoming the hurdle

Banks work collectively, together with cloud service providers, to develop detailed criteria which can be used to determine with nearer-certainty whether a specific public cloud service involves a critical or important function. This output would benefit from regulatory endorsement.

The rules

If a cloud environment is used for critical or important operations linked to financial products or core activities a bank should expect that activity to be subject to stricter regulation. European legislation which applies to the outsourcing of technology and services by banks, UK secondary legislation and industry-specific guidance apply specifically to “the performance of operational functions which are critical for the performance of regulated activities, listed activities or ancillary services.”[1]

Operational functions will be considered ‘critical’ or ‘important’ “if a defect or failure in its performance would materially impair the continuing compliance” of a bank with the “conditions and obligations of its authorisation”[2] or other obligations under the regulatory system, its financial performance, or the soundness or continuity of its relevant services and activities.

Examples of non-critical functions are given[3] to include advisory services and other services not regarded as core services and activities of a bank, including, amongst others, legal advice, the training of staff, billing services and the security of a bank’s premises and personnel. The purchase of standardised services, such as market information services and the provision of price feeds are also listed as examples of non-critical or important services as is certain “recording and retention of relevant telephone conversations or electronic communications” required by law.

Guidance

The FCA’s cloud guidance[4] refers to the general definition of a ‘critical and important’ function defined with reference to a defect or failure in performance which would materially impair the continuing compliance of a bank with the conditions and obligations of its authorisation, its other obligations under the regulatory system, its financial performance, or the soundness or continuity of its relevant services and activities. It also references a ‘material outsourcing’ which it defines as “outsourcing services of such importance that weakness or failure of the services would cast serious doubt upon [a bank’s] continuing satisfaction of the threshold conditions or compliance with the FCA’s Principles for Businesses.”

Beyond reference to these rules, the UK regulators have not provided any guidance which could be used to determine whether specific technology services can be considered to fall within the criteria of a critical or important operational function, or be the subject matter of a material outsourcing.

In other contexts, the FCA has endorsed the views set out in MiFID Connect, an industry source of guidance, which lists the provision of the following as ‘critical’ or ‘important’:

- data storage (physical and electronic);
- ongoing, day-to-day systems maintenance/support; and
- ongoing, day-to-day software/systems management (e.g. where a third party carries out day-to-day functionality and/or runs software or processes on its own systems).

[1] SYSC rule 8.1.1(1). For banks the rules on “critical and important” outsourcing in SYSC 8 are now found in the Outsourcing Part of the Prudential Regulation Authority’s Rulebook. The wording of the rules in the Outsourcing Part is identical to that in SYSC 8 (and is taken directly from the Implementing Directive (2006/73/EC) of the Markets in Financial Instruments Directive (MiFID) (2004/39/EC)).
[2] SYSC rule 8.1.4.
[3] SYSC rule 8.1.5.
[4] FG16/5: Guidance for firms outsourcing to the ‘cloud’ and other third-party IT services: nce/fg16-5.pdf.

The hurdle in more detail

Current guidance does not enable banks to determine with certainty when the use of public cloud technology will be considered as taking place within the context of a ‘critical’ or ‘important’ banking function and therefore subject to more stringent financial outsourcing regulation. The BBA Cloud Working Group are minded that the MiFID Connect guidance conflates core operations with non-production or business-as-usual activities and is insufficient to clarify which cloud arrangements will fall within the financial regulation’s outsourcing requirements and which ones will not.

As a consequence, banks often conclude that they have no option other than to decide that all or the majority of public cloud technology will be for enabling a ‘critical’ or ‘important’ function. This uncertainty prevents them from assessing technology risk in a proportionate manner and has a detrimental impact on the ability of banks to use the public cloud or leverage shared third party infrastructures to innovate and reduce cost.

The way forward

Banks work collectively and together with cloud service providers to develop criteria against which the materiality of a specific public cloud technology or service can be considered to help determine when outsourcing rules will apply. In endorsing this approach, the BBA Cloud Working Group acknowledge the work already undertaken in this regard by the Association of Banks in Singapore in its ABS Cloud Computing Implementation Guide 1.1 for the Financial Industry in Singapore published in August 2016.

Potential criteria raised by some participants in the BBA Cloud Computing Working Group for consideration include:

- the impact of the technology or service on ‘critical economic functions’ that the bank carries out – whether the technology or service relates to a ‘core financial production activity’ or conversely, an ‘ordinary business activity’ that can be replaced without significantly impacting regulated activities;
- the market share size and geographical coverage impacted by use of the public cloud technology or service;
- the impact of the technology or service on the bank’s interconnectedness, both in terms of its ability to perform internally, and external risk factors that arise due to interconnectivity issues with external systems;
- the substitutability of the technology or service; and
- the complexity of the technology or service, in terms of supply chain, number of services, jurisdictions and other considerations.

It is important that a robust discussion is undertaken to agree common criteria to empower banks to take a proportionate approach to evaluating the relevance of individual criteria to the criticality and materiality of specific public cloud arrangements. This approach would enable banks to exercise greater flexibility in deploying technology for functions deemed not to be critical or important, opening the way for greater use of cloud solutions and innovation in areas where the more stringent outsourcing rules are deemed unnecessary.

Safeguards are currently in place that are sufficient to ensure that banks take a proportionate risk-based approach to managing risk in the context of non-critical or important functions. For one, banks are expected to observe, though in a more flexible manner, the principles behind European outsourcing rules. Further, FCA guidance on its rules provides that even where an outsourcing is not related to the performance of a critical function, a bank should take its rules into account “in a manner that is proportionate given the nature, scale and complexity of the outsourcing”[5]. Obligations to comply with data protection laws also continue to apply in a non-critical or important function context including those which relate to privacy, data security and the transfer of data to locations outside the EEA to all uses of personal data.

[5] SYSC rule 8.1.3.

Hurdle 2: Ensuring effective supervision and oversight

The rules

Banks are required to have internal controls in place which achieve effective identification, monitoring and reporting of risk.[6] Senior personnel cannot delegate responsibility[7] for the effectiveness of these controls and must take steps to demonstrate that they are properly supervising cloud service providers.[8]

Comments from BBA members:

“While we can outsource a capability, the responsibility for failures resides with the bank. Effective supervision is vital to manage this responsibility, in effect to act as a compensation to the fact that internal controls that are presently in force will potentially not be applied by the cloud service provider”.

“Due diligence is an issue of IaaS, because on-premises infrastructure pieces usually have little to do with subcontractors.”

“SaaS providers leverage multi-tenancy and other cloud service providers, ‘beneath’ them in the technology stack.”

“Even when identification is achieved, determining the relevance to the primary service being provided in order to take a proportionate approach can also cause challenges.”

“Guidance does not provide sufficient detail into which service layers, and to what level, due diligence on subcontractors is required. For instance, is it required to review the underlying data centre provider when using an IaaS service? Is due diligence required for infrastructure providers used by a SaaS provid
