Bank Negara Malaysia’s Risk Management in Technology (RMiT) guidelines — which will come into effect on Jan 1, 2020 — may drive innovation and help address misconceptions about cloud computing for financial institutions, says Myles Hosford, Asean head of security architecture at Amazon Web Services (AWS).
According to the guidelines, released in June, financial institutions such as banks and insurance companies can adopt cloud services if they conduct a comprehensive risk assessment prior to the adoption.
Hosford says financial institutions in the country were in a grey area when it came to their abilities and limitations in terms of using cloud computing for banking and asset management services. The uncertainty and hesitation to use cloud services were finally put to rest when Bank Negara came up with the guidelines to express how financial institutions could use the cloud successfully.
“For a long time, there were a lot of misconceptions about how to use the cloud safely and securely as well as how to protect customer data. Now that the uncertainty has been cleared, there should be more financial institutions looking to migrate their legacy systems to a cloud computing infrastructure, making way for further innovation,” says Hosford.
Migrating to a cloud environment helps financial institutions streamline their back-end operations. This means a cost reduction in the development and support of their products and services.
Hosford says traditionally, financial institutions would need to plan ahead — at least a few years — to obtain the IT resources that they had to pay a hefty upfront fee for. Today, however, they are able to use services such as AWS, which uses a utility-based pricing model. Customers are charged a monthly bill based on usage, allowing them to avoid an expensive initial investment.
In addition to passing the cost savings to their customers, some companies can choose to reinvest the money in new, innovative products, says Hosford. “This may not necessarily result in cheaper product offerings, but it allows the products to mature at a pace they were not able to before.”
Another benefit that financial institutions get from using cloud computing is agility, he adds. “Previously, if you were a capital markets company in Malaysia and you wanted to build a new application to service your customers, you would have to procure the hardware, lease the data centre space and so on. With the cloud computing environment, companies have access to IT on-demand. If a financial institution here uses AWS, it can simply click on a button via a web console to have access to things such as databases, servers, advanced capabilities around big data and artificial intelligence without having to build it themselves.”
AmInvest is one of the local players that started using cloud computing well before the RMiT was published. Hosford says the firm has been running risk modelling simulations on AWS for some time now and this has allowed it to implement investment strategies and remodel or recalculate risk positions on behalf of its clients in a shorter period of time.
“It has allowed the firm to identify opportunities to move in and out of different equities in a short period of time. Before this, its risk or investment strategy modelling took two days [before it made a move]. While sometimes that was fine, it also meant that the firm missed out [on taking advantage of] market events by the time it got back to its clients,” he adds.
“Many things can happen in two days. With AWS, it could shrink that time down to minutes and seconds. An activity that traditionally took two days can now be done in hours or minutes.”
With the RMiT guidelines, cloud services can be hosted overseas. This allows financial institutions to be more resilient and cost-efficient, says Hosford.
With access to a global network, if there is a natural disaster in Singapore, for example, that causes the services of an AWS host to be taken offline, financial institutions have the ability to distribute web traffic to AWS hosts in other locations such as Hong Kong, Tokyo, Europe and the US. “Financial services can lower their operational risk by moving where the cloud is hosted because of the resilience and security that it provides rather than having a single data centre in Kuala Lumpur,” he says.
Ensuring the cloud’s security
Cloud computing enables companies to store their data in third-party data centres through a cloud provider. As a result, there have been concerns about the security of the data, especially since the companies’ data are not stored on systems they control. This is a common misconception, says Hosford.
“Data location should not be the focus. Strong controls need to be put around data regardless of where it is stored. One of the controls to secure data is encryption. Unfortunately, most financial institutions in Malaysia currently do not encrypt all of their data on premises because it is difficult and expensive,” he points out.
Encryption is one of the services provided by AWS. As it was set up more than a decade ago in 2006, its security model has matured. The company has also made significant investments in cybersecurity and detecting cyber issues.
One of the more prominent features used by financial institutions is AWS Shield, which protects banking institutions from cyberattacks for free. Another service is Amazon GuardDuty, a cyberthreat intelligence platform. If an institution is attacked by criminals on the internet, it detects this in real time and notifies the institution of the attack.
Hosford is positive that financial institutions will gradually migrate to cloud computing from their legacy systems. “We are seeing Malaysian players take the opportunity to retire some technical debts. Servers or applications that have been running for more than 10 or 20 years, for example, have become difficult to maintain because the programme is out of date or there is no institutional knowledge on how to run the specific system. They have taken the decision to retire these and migrate to the cloud,” he says.
Another trend that Hosford sees in the industry is the emergence of new applications designed with a “cloud-native” view in mind. Cloud natives are applications and companies that have always been in the cloud, as opposed to being re-architected to run in the cloud.
“There are some really good examples of use cases around that. For example, deploying technologies such as artificial intelligence and machine learning (ML) into their operations. In Malaysia and the region at large, we see banks particularly interested in using these technologies around know-your-customer and anti-money laundering applications,” he says.
Most regulators in the region require banks to screen all transactions for suspicious activities. In many cases, these are done manually, says Hosford. Technologies such as ML can help make the process easier. “The machine deployed can help analyse the data and identify anomalies, which can then be directed to human analysts or compliance financial crimes officers. This allows the identification of financial crimes to be much quicker across a broader and deeper data set,” he adds.
Anticipating virtual banks
In March, Bank Negara announced that it would come out with the requirements for virtual bank licences by the year end. Virtual banks provide their services exclusively on digital platforms such as mobile and internet banking. These digital banks offer greater convenience and more personalised services with the use of electronic documentation, real-time data and automated processes.
Hosford expects existing start-ups that have never had any financial services offerings to apply for the virtual banking licence. “This is because [start-ups] have such a strong user base with brand loyalty. For example, when I pull out my phone, there are a couple of applications that I use more than the rest. And if it has financial products, would I use them? Probably yes. As I have already done everything on this app, I may as well add financial services to it too,” he says.
Hosford looks forward to seeing new players in the market challenge the incumbents to create a more competitive landscape. “It will be very interesting to see how things play out — start-ups versus the older providers,” he says.
“What we are also seeing is a collaboration between the two parties. It is still early days, but I think there will definitely be an area for collaboration between the two parties. It will be very powerful when the two sides get married.”
Hosford is confident that when Bank Negara finalises the framework for the virtual banking licences, the country will see a lot of new market entrants and innovative products. “For the end consumer, hopefully, it will result in a more competitive market in terms of product innovation,” he says.
“If I were a traditional bank, I would start seeing the new products and innovations coming out of fintech firms and start-ups, which will make me start engineering more. Hopefully, this will lead to lower fees.”
He adds that competition will also overflow to mobile banking, where financial institutions want to create an enjoyable customer experience. This is something already seen in countries such as Singapore and Australia. In doing so, traditional providers would then come out with more customised, user-friendly interfaces for their mobile applications.