Compliance in the Cloud: Raising the Bar in Financial Services. Rod Nelsestuen, CEB TowerGroup, Senior Research Director, Financial Services. Patty Hines, GXS, Director, Financial Services Industry Marketing.
ROAD MAP FOR THE PRESENTATION Achieving High Performance in the Cloud Supply Chain Technology for Assurance, Insight & Compliance Creating Seamless Compliance in the Cloud Visibility & Reducing Operational Risk in the Cloud
The business problem: The cloud lacks transparency and threatens performance through a diverse business model. Diagram labels: FINANCIAL INSTITUTION, International Payments, B to Bank Transactions, CRM, B to B Transactions, Sales Management, HR and Accounting, Business Intelligence, Financial Applications, AML, Outsourced Back Office, Mash-ups, SaaS, Fraud. Source: TowerGroup. Data quality, latency, security, and compliance at risk; financial institutions lack controls, information insight, and process transparency.
And it's not just external: Virtualization and the rise of the private cloud create data risk inside and outside the firewall. Diagram labels: Hardware, Network, Desktop, Software, Storage, Operating System. Savings: Power savings, Cooling savings, Hardware savings, License savings, Space savings, People savings. Benefits: Resource flexibility; Backup, failover; Free up resources; Computing speed; Just-in-time IT; Monitor, react, adjust.
Meanwhile, the range of business needs for real-time insight of indisputable quality has grown dramatically: Analytical (identify and solve a point problem, change/improve a function, accelerate a line of business); Historical (sorting tribal knowledge from tribal myth); Predictive (It's about the future, stupid); Compliance (Basel, Solvency, MiFID); Risk (market, credit, operational); Customer/Market (CRM with profit); Operational (process improvement, reengineering, cost reduction); Performance (benchmarking and best practice measurement); Enterprise (corporate performance management).
Cloud computing expands sourcing for new IT products and services. Evolution from discrete services and parts of processes to wholesale business operations results in new data management challenges. Facilities and Data Center Management 1970 1985 2000 2004 2009 2015 Source: TowerGroup General Outsourcing Application Service Provider (ASP), Managed Services, BPO Expense Began Reports with reference data and market research Customer Relationship Management Software as a Service (SaaS) Sales Management HR and Accounting Platform and Infrastructure as a Service (P/IaaS) Financial Applications Business Intelligence Business Applications Business Technology as a Service (TaaS) Configure the Business? Mash-ups On demand Cloud Applications Variable Intelligence Social Intelligence
A strong business case for data assurance exists for strategic, customer, and transactional reasons Speed of decision is real time MNC has new bank product in Europe Global Fulfillment System Mails Bank Regional check Service Center Product Inquiry Malaysia based MNC Cross sell opportunity P Payment opportunity BI New business opportunity Vietnam based supplier Operational risk: at transaction, CRM, revenue, and business levels Source: CEB TowerGroup
And regulation is always key: July 2012 FFIEC guidance on data in the cloud (US institutions). Guidance without specifics (in itself, an operational risk). Data classification: How sensitive? Data segregation: Shared resources? Recoverability: DR/BCP? Audit: Transparency? Security: Human and IT elements? Compliance: Knowledgeable vendor? Source: FFIEC Information Technology Subcommittee, July 10, 2012
Cloud business models evolve in step-and-halt fashion, increasing complexity and magnitude of operational risk. Mainstream Model: Continuous experimentation, analytics; Stuff, services, data, space; Data-driven business - Mixed with traditional approaches to business; Space shuttle. Future Model: Clients develop product/service - Conceive, configure, launch; Virtual social segmentation; Behavioral business model; Transactions will still count. Emerging Concepts: Real-time products; Crowd sourcing; Crowd casting; Cannibalism; Time/mind shuttle. Challenges: Inertia; Investment; FUD; Regulation. Source: CEB TowerGroup
Solving the business problem of a diverse business model requires a central point of convergence. Diagram labels: FINANCIAL INSTITUTION, Vendor-managed solution, International Payments, B to Bank Transactions, CRM, B to B Transactions, Sales Management, HR and Accounting, Business Intelligence, Financial Applications, AML, Outsourced Back Office, Mash-ups, SaaS, Fraud. Source: TowerGroup. Technology that examines data, ensures quality, compliance, & security, reports thoroughly, and is completely transparent.
Operational risk is central to cloud business models. Security is viewed holistically, addressing technical, policy, and human aspects. Regulation is viewed from an existing and anticipatory perspective. Assurance refers to the continuous availability of the cloud services provided. Performance entails meeting speed and latency demands, which vary greatly among industry segments. Liability is the potential to be held legally responsible for errors, omissions, or wrongdoing that results in monetary damages beyond actual losses. Operational risk overarches the other categories of risk. All risk is ultimately operational. Diagram labels: Operational Risk, Security, Regulation, Liability, Assurance, Performance. Source: TowerGroup
Operational risks and internal concerns over cloud computing: FSIs ask key questions. Issue: Cloud providers have people involved in technology support; Governance changes when cloud computing mixes with traditional development; Intellectual capital is hard-won in financial services; FSIs have sunk costs in IT; The cloud threatens internal IT; Disintermediation of IT resources; Understanding the business is important for IT today. Question: What is your approach to making sure that the operations, which I no longer see, are sound and that I can trust not only the IT, but your company in general? How can I bring your cloud service under my IT governance model? Or, how do I change the model? What can you do to assure me that my IP will not be compromised or shared? How can I leverage the existing investment in IT alongside your IT services? How do I avoid disintermediation of my IT architecture? How do I manage business units that decide to use the cloud outside of IT? Will cloud computing ultimately replace me? Rather than an add-on, doesn't cloud computing just cannibalize my current IT environment? What level of domain expertise do you have and how can that help me serve my business units?
Evaluating and managing risks in cloud computing. Columns: Cloud Computing Issue, Implications, Potential Actions. Private clouds overcome some of the angst over security But still a concern given that some business units, lines of business, and even functions (asset/liability management vs FX services vs payments processing) must have separation Track data authorization, data movement, delivery, and deliver enterprise reporting Impact of new cross-industry consumer protection regulations Expanded consumer protections include the ability to know where information is, when it has been accessed, processed, or changed, and require increased security measures. Non-compliance fines are growing Consolidate the flow of data for better visibility, controls, and quality Lack of universal agreement on enterprise definition of cloud computing Separate instances for security versus multitenancy for efficiency High profile data loss events dampen enthusiasm for cloud computing Creates a challenge to cloud computing as a mainstream approach to IT and IT-enabled services Separate instances lose some of the cost efficiencies of the multitenancy approach, while new security standards for multitenancy technologies continue to emerge Need to address data losses and acknowledge problems, then solve them; honesty is key Adopt standards-based definitions and demand the same of vendors Focus on control, customization, and optionality in deciding which approach to take, observe security model improvement Create layered security model with real time exception reporting
Cloud vendors are turning negatives to positives in managing transactional and data risk. Leverage a single data assurance platform across all transactional areas to reduce risk. Access continuous vendor upgrades to security and transaction assurance and visibility. Pursue technology that adheres to global standards (and maybe participates in setting them). Vendors with domain expertise extend the value of data beyond its own worth to ease regulatory compliance (Patriot Act in the US, Data Protection rules in the EU). Backup, redundancy, recovery without dedicating internal resources. State of the art, continuous improvement in performance. All risk is ultimately operational. Diagram labels: Operational Risk, Security, Regulation, Liability, Assurance, Performance.
The endgame: Managing the value of data goes beyond basic infrastructure to knowing the data's function, and applying domain expertise to get it right. Scalability, Analytics, Enterprise data, Transaction data, File transfer, Data integration, Critical messages. FROM ANY SOURCE, THROUGH ANY INTERFACE, TO ANY USER, FOR ANY PURPOSE. Expansive coverage that is expected from today's business intelligence.
Today's data management requires a layered approach, one that every vendor must demonstrate. Domain level: business purpose, value, compliance. Functional level: transaction, history, reporting. Infrastructure level: network performance, assurance, security. Vendor domain expertise; Vendor technical expertise; Vendor infrastructure reliability. Source: CEB TowerGroup
Conclusion: The cloud business model continues to grow and over time will become a mainstream element of most business operations. As the cloud grows, so does business complexity and the challenge of managing more data from more sources for: business value; regulatory compliance. Transparency and visibility provide the proof of performance that is becoming ever more important. The best technology providers will augment their solutions with business operational knowledge and domain area expertise.
Visibility & Reducing Operational Risk in the Cloud Outsourcing, SaaS and Cloud Slide 21 2012 GXS, Inc.
FFIEC: Outsourced Cloud Computing, July 10, 2012. When evaluating the feasibility of outsourcing to a cloud-computing service provider, it is important to look beyond potential benefits and to perform a thorough due diligence and risk assessment of elements specific to that service. Vendor management, information security, audits, legal and regulatory compliance, and business continuity planning are key elements of sound risk management and risk mitigation controls for cloud computing.
Mitigating Operational Risk: Market leading, experienced provider; Backup, redundancy, recovery; Controls and standardization; Continuous improvement, agile development; Cloud options private/hybrid cloud; Free up internal IT resources; Off-load complexity; Experience with global standards.
FFIEC: Outsourced Cloud Computing, July 10, 2012. Outsourcing to a cloud service provider can be advantageous to financial institutions because of potential benefits such as cost reduction, flexibility, scalability, improved load balancing, and speed.
Benefits of Cloud-Based Corporate-to-Bank Integration: Offers Scalability & Flexibility; Simplifies Connectivity; Provides End-to-End Visibility; Improves Collaboration; Simplifies Integration; Increases Security.
Global Financial Services Outsourcing by Type of Service (2010–15P) (USD in Billions). [Chart: spending by year, 2010 to 2015; series: Cloud Services, Managed Services, Application (ADM), Business Process (BPO), Infrastructure.] 2010–15P compound annual growth rate for outsourcing nears 11%. Total spending on outsourcing rises from $68 billion to $116 billion. Outsourced cloud (public cloud) growth from $2.35 billion to $10.8 billion. Managed services from $6 billion to $18.6 billion. Infrastructure (ITO) from $19 billion to $27 billion. ADM from $32 billion to $36 billion (cloud factor). BPO from $8 billion to $23 billion (IT integration, KPO impact). Source: TowerGroup, Sourcing, Resourcing, or Outsourcing: Globalizing Operations in Financial Services by 2015, Rodney Nelsestuen, #V68:02ALL, 07/18/11
TowerGroup: A Surge in Managed Services. Larger FSIs will find this mode of outsourcing attractive to assure standardization of a service with SLAs that can be adjusted as business conditions change across the contract life cycle. Managed services will grow from $6 billion in 2010 to more than $18.5 billion by 2015, a 25% CAGR. The rapid growth rate will be driven in part by islands of expertise that vendors are developing that will offer state-of-the-art technology and industry-leading knowledge, coupled with expertise in compliance, which will be attractive to FSIs faced with higher costs for in-house services. The rate of growth of managed services will depend on the vendors' ability to provide the transparency that FSIs need in the face of stiffer regulations. Source: TowerGroup, Sourcing, Resourcing, or Outsourcing: Globalizing Operations in Financial Services by 2015, Rodney Nelsestuen, #V68:02ALL, 07/18/11
Visibility and Data Assurance in the Cloud FINANCIAL INSTITUTION GXS Managed Services Lifecycle Visibility Tracking / Monitoring Document Queries Global Support 24x7 Support Community Support Problem Tracking Issue Resolution Global Operations Mapping Translation TP Implementation Transaction Management Event Mgmt Business Rules Reporting Global Infrastructure Private Network Communications Message Brokering Secure Internet Communications Cash Management Payments Foreign Exchange Securities Commercial Finance Group Benefits Merchant Services Treasury
Thank You and Q&A. Rod Nelsestuen, CEB TowerGroup, Senior Research Director, Financial Services, E-mail: rnelsestuen@towergroup.com. Patty Hines, CTP, GXS, Director, Financial Services Industry Marketing, E-mail: patty.hines@gxs.com, @gxsfs
Thank You for Your Participation! For More Information, GXS web sites and phones: US: www.gxs.com, 1-800-334-5669, option 3; EMEA: www.gxs.eu, +44 (0) 1932 776047; ASPAC: www.gxs.asia.com, +852 2884 6088; Japan: www.gxs.co.jp, +81-3-5574-7545