Are Amazon, Google and Microsoft too powerful in online cloud banking?

by James · February 13, 2023

banks’ approaches to cloud computing deployment, the challenges they face and the potential downsides of Amazon, Google and Microsoft dominating the market.

Getty Images

Table of Contents

OBSERVATIONS FROM THE FINTECH SNARK TANK

The U.S. Treasury Department released a report titled The Financial Services Sector’s Adoption of Cloud Services that identifies banks’ cloud computing deployment approaches, the challenges they face, and the potential downsides of having three cloud service providers (CSPs)—Amazon, Google, and Microsoft — dominate the market.

Tiptoe through tulip clouds?

A January 2022 New York Times article titled Tiptoeing towards its cloud-based future claimed:

“Banks have been slow to adopt cloud computing. Although Wall Street has long recognized the potential of cloud computing to cut costs, it has only allowed their firms to take halting steps. Some firms are held back by legacy computer systems that are difficult to renew or retire, which makes the transition even more difficult.”

Adoption is not the problem, and the banks are not “tiptoeing” anywhere.

Cornerstone Advisors’ 2023 What happens in banking study found that three-quarters of US banks and credit unions already have – or expect to have by the end of 2023 – apps running in the cloud. According to the report:

“The DevOps culture present around cloud computing brings together development and operations teams, paving the way for faster build, test and release cycles. Banks are optimistic about a cloud future as a means of moving from ‘legacy speed’ to ” speed of innovation.”

Challenges in Banking Cloud Adoption

However, Treasury identified challenges banks face with cloud computing:

Lack of transparency to support due diligence and monitoring. Information shared by CSPs is often insufficient for banks to identify risks such as: 1) internal software dependencies in the public cloud environment; 2) CSP protection against cyber risks; and 3) information about operational incidents, including real-time updates and after-action reports.
Lack of staff and inadequate tools. The report pointed out that many cloud-related security incidents are caused by user misconfiguration of cloud services, compounded by a lack of personnel with cloud service expertise. In addition, Treasury said tools provided by CSPs may not be “user-friendly” and may be inadequate for security configuration and monitoring.
Exposure to operational incidents arising from a CSP. Cloud services can improve resilience and security that reduce operational risk, but the services are still vulnerable to operational incidents. Resilience configuration options—relying on a single CSP, using separate CSPs for different applications, or combining public and private cloud with on-premises infrastructure—often incur additional costs.

Is Cloud Power in the hands of too few vendors?

Treasury also raised concerns about Big Tech’s cloud market share in the banking industry. While acknowledging the potential benefits of Big Tech’s scale – such as improving interoperability between banks and their suppliers – the Treasury warned:

“Concentration may expose many financial services customers to physical or cyber risks, and addressing such risks may necessitate action by each financial services customer. The key issue for policymakers and financial regulators is to understand the potential aggregate impacts on the functions of financial institutions and the services that financial institutions provide to consumers and businesses.”

Treasury also identified implications of the cloud service dominance of the Big Three on banks’ influence (or lack thereof) in contract negotiations, noting:

“Financial firms of all sizes find negotiating contracts with CSPs challenging. Smaller institutions noted their lack of bargaining power. Unbalanced contract terms can limit individual institutions’ ability to measure and mitigate risk from cloud services, which can result in unwarranted risk across the sector.”

What does Treasury intend to do about Big Tech CSP providers’ market concentration?

“Treasury will prioritize its focus on the concentration of cloud services that are most important for the functions of the financial sector. If Treasury considers that cloud services critical to the functioning of the financial sector do not have appropriate resilience and security, Treasury will take action that is appropriate and consistent with its authorities in consultation with relevant government agencies.”

Current regulations are harmful enough

For banks, dealing with banking regulations is like playing football with your hands tied behind your back. Treasury’s implied (or threatened) actions – ie to break up or limit the CSPs – would amount to turning the banks’ helmets backwards.

Treasury’s report reflects the current consensus in Washington that Big Tech firms have too much market power and should be dismantled. It is difficult to understand how this can lead improved resilience and security in the banking industry.

Many banks rely on Amazon, Google and Microsoft for cloud services, not just because they have to but because they wishes to – the Big Three have the resources and skills to provide cyber security capabilities that banks could never build on their own.

The Treasury report acknowledges that changes in the cloud service provider market will lead to higher costs for banks. But Washington never seems to admit that the higher costs will eventually find their way to consumers.

And when they do, politicians — especially two senators (you know who they are) — go ballistic, demanding more regulations and price controls.

How is the core market different from the cloud market?

Although the Treasury report was focused exclusively on the cloud services arena, it is puzzling to omit any mention of the core banking system market.

If the Treasury is concerned with smaller financial institutions’ contract negotiation power, they might want to start with the core bank – not the cloud market. The core banking market is dominated by three players – Fiserv, FIS and Jack Henry – which together have three-quarters of the market share.

Banks underestimate the cost of cloud migration

Banks can complain all they want about their lack of contract negotiation leverage with the big CSPs, but the first challenge they need to address is accurately estimating cloud migration costs.

A team of Dutch university professors identified nine cost categories related to cloud migrations and assessed their costs at 10 banks:

Cloud migration cost categories

Source: Kaya, van den Berg, Wieringa and Makkes

In five categories – dependencies, legislation, departmental support, re-architecture and external contractors – at least half of banks experienced cloud migration cost overruns (versus original estimates). Application dependencies were the most common form of budget overrun. A banker said:

“We had to decompose some applications because of dependencies. Cloud adoption in practice is much slower than expected because of this kind of complexity.”

Between a cloud and a hard room

Breaking up the Big Tech cloud service providers—or any other approach to “deconcentrating” the market—isn’t going to solve the costing problems, contract negotiation challenges, or operational issues identified in the report.

The policy solutions insinuated by raised by the Treasury would keep (or put) banks where they do not want to be – between a cloud and a hard area.

For a free copy of the Cornerstone Advisors report, Leverage the cloud to accelerate digital transformationClick here.

Follow me on Twitter or LinkedIn. check out my website.

Ron Shevlin is Chief Research Officer at Cornerstone Advisors, where his research on banking and fintech trends helps shape the strategic direction of financial institutions and fintech. Author of Fintech Snark Tank on Forbes, Ron is ranked among the top fintech influencers globally, and is a frequent keynote speaker at banking and fintech industry events. Want to talk more fintech? Connect Twitter or LinkedIn.