How Can FinTech Companies Gain Agility by Setting a Cloud Strategy

October 31, 2016

Financial Services Overview: A challenging landscape

The banking industry is facing unprecedented challenges since the financial crisis of 2008.

In the wake of the 2008 financial collapse, financial institutions participated in significant mergers and acquisitions which left them with a mix of data center assets that must now be consolidated into a cohesive whole (Courbe, 2013, p. 3). Outdated legacy systems and integration problems make it difficult for banks to create and launch new services, provide access to a mobile workforce and accommodate geographically dispersed customers and partners (Cofran, 2011, p. 2).

In a challenging recovery, financial institutions are under pressure to grow their top lines and reduce their costs (Cofran, 2011, p. 1). Customers are now in control of their use of technology and changes in social dynamics is met by a wave of new entrants that are going after the incumbents by offering more choices to customers (IBM, 2013, p.3).

As the business environment continues to change, financial institutions need to be more flexible, innovate at a higher standard, more frequently, across new channels and platforms (Courbe, 2013, p. 3). According to Courbe (2013) and IBM (2013), the following factors are driving the need for business agility:

  • Accelerated product rollouts drove by channel innovation
  • Rapidly changing product portfolios
  • Aggressive time-to-market objectives
  • Fierce competition for customers has spawned industry consolidation and the entrance of nontraditional firms
  • Changing business models have shifted from product-centric to customer-centric
  • Capital inadequacy that depresses profit margins
  • Enhanced regulation increases government oversight and intervention
  • Alignment of IT strategies and goals with the overall purposes of the business

This need for business agility means that IT managers need to find more cost-effective IT delivery methods that can help banks with innovation, business models, and operations (Cofran, 2011, p. 1). In the last couple of years, cloud technology transformed how software is developed and delivered to organizations across multiple industries. The financial sector can benefit from cloud technology by having access to modern software and ongoing access upgrades without incurring significant upfront capital expenditures, helping them increase their ability to deploy new services.

In this article, we will look at what is cloud technology, what are the current usage of cloud technology in the financial industry, what are the key challenges of using cloud technology and how they can deal with these challenges. We will also develop a framework that can be used for IT selection and to create a strategic vision on cloud technology.

What is cloud computing?

According to the U.S National Institute of Standards and Technology (NIST) cloud computing is “a pay-per-use model for enabling available, convenient, on-demand network access to a shared pool of configurable computing resources (network, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction” (Garg, 2011, p. 4).

What are the key characteristics of cloud computing?

Cloud computing is comprised of five key components:

  1. On-demand self-service
    Provisioning of computing resources without requiring human interaction with service providers.
  2. Broad network access
    Access to systems regardless of user location or device.
  3. Resource Pooling
    Sharing of pooled resources and costs across some users, with different physical and virtual resources dynamically assigned according to user demand.
  4. Rapid Elasticity
    Scale up or scale down of resources through provisioning in near real time.
  5. Pay per use
    The client is charged only for the time when the resources are used.

What are the types of cloud computing service model?

Cloud computing is comprised of five service model:

  1. Infrastructure as a Service (IaaS)
    Rather than purchasing servers, software, data-center space or network equipment, this cloud model allows businesses to buy those resources as a fully outsourced service (Sriram, 2011, p. 5).
  2. Platform as a Service (PaaS)
    A cloud service provider offers a complete platform for application, interface, and database development, storage, and testing (Sriram, 2011, p. 5).
  3. Software as a Service (SaaS)
    A cloud service provider houses the business software and related data, and users access the software and data via their web browser (Sriram, 2011, p. 5).
  4. Business Process as a Service (BPaaS)
    The cloud is used for standard business processes such as billing, payroll, or human resources. BPaaS combines all the other service models with process expertise (Sriram, 2011, p. 5).
  5. Data as a Service (DaaS)
    The cloud is used as an information provision and distribution model where the customers can access data files of many types (text, images, sounds, videos, raw data).

What are the types of cloud computing deployment model?

Cloud computing is comprised of three deployment model:

  1. Public Cloud
    The infrastructure in a public cloud is owned and managed by an organization selling cloud computing services and is made available over the internet to everyone. The cloud provider manages and owns everything from operations and facilities to computing resources (IBM, 2013, p.8). The most popular public clouds are Amazon EC2, Google App Engine and Microsoft Azure (Garg, 2011, p. 5)
  2. Private Cloud
    The infrastructure in a private cloud is operated and available only to trusted users of an organization or group. The organization can own the private cloud, or they can engage a third party to host it, either on site or off site (IBM, 2013, p.8). This is the most secure of all cloud options as the private cloud provides restricted access to the computing capabilities and resources for a particular group (Garg, 2011, p. 5).
  3. Hybrid Cloud
    The infrastructure in a hybrid cloud consists of a mix of multiple public and private clouds that remain unique entities but are linked to provide services. In the hybrid cloud model, computing capabilities and resources are owned and maintained by both the organization and the cloud provider. The group will use public cloud computing capabilities and services for general computing but will store sensitive data like customers data in its private cloud to ensure security (IBM, 2013, p.8).

Why should financial institutions use cloud computing?

We highlighted some of the benefits of the cloud in the sections above. We will dig deeper and see why financials systems should use cloud computing. According to Cofran (2011) cloud computing can offer these advantages to financial institutions:

  • Costs Savings: Pay only for what is used
    Financial institutions can turn up-front capital expenditure into ongoing operational expense. There is no need for substantial investments in hardware and software. This can free capital for banks to put up more money in strategic investments (Sriram, 2011, p. 4).
  • Business Continuity
    The provider of cloud services is responsible for managing the technology including maintenance and on-going upgrade. This improves system availability and reliability for financial institutions because the vendor can provide a higher level of data protection, disaster recovery and a high degree of redundancy at a lower price than if they had to manage it by themselves (Sriram, 2011, p. 4).
  • Business Agility and Focus
    Cloud computing allows financial institutions to optimize IT resources and remove development constraints based on IT’s capacity to deliver (Cofran, 2011, p. 1). Financial institutions can respond faster to needs of customers by reducing development cycles for new products and scale products as needed because of the flexibility of the cloud (Sriram, 2011, p. 4).
    Furthermore, cloud computing helps financial institutions standardize applications and infrastructures which simplify the overall enterprise architecture. According to Courbe (2013), having a common infrastructure already in place worldwide enables a system to serve customers more efficiently and effectively globally.

What are the current usage of cloud computing by financial institutions?

Current cloud strategy of financial institutions

According to a survey by the Cloud Security Alliance (2015), the financial industry is in the early stages of cloud adoption. 61% of financial institutions are developing a cloud strategy. The most common mix is the one with the private and public cloud as seen in the figure below. 70% of the companies with existing cloud strategies have moved from hybrid clouds to a mix of private and public cloud or mostly public cloud.


Figure 1 — Cloud Security Alliance (2015)

Top cloud applications adopted

The most used cloud applications are noncore business applications as seen below. Not a single cloud application category has been selected by a majority of financial institutions which might suggest further growth ahead as more financial institutions migrate applications to the cloud.


Figure 2 — Cloud Security Alliance (2015)

What are the current challenges of cloud computing in the context of the financial services industry?

While bringing many benefits, cloud computing comes with its share of difficulties. The challenges of security, data privacy, compliance, the absence of standards are particularly highlighted in the regulated and security-sensitive environment of financial services.


IT managers are worried about the availability of applications deployed on a cloud. A strong service level agreement can help financial institutions enforce availability with their vendors. However, news headline of the occasional downtime of large cloud providers like Amazon is not helping cloud vendor’s reputation.

Vendor Lock-in

Most cloud providers provide access to their resources through proprietary APIs, web interfaces or command line tools and migrations might be hard to achieve (Garg, 2011, p. 7).

Security and Data Privacy

Banks cannot afford the risk of a security breach.The confidentiality and security of financial and personal data applications are critical for banks (Sriram, 2011, p. 8). With an internal cloud, financials institutions have complete visibility and control over the security of information. However, with an external cloud, financials institutions must rely on the cloud provider for security measures. Public cloud is particularly problematic due to their distributed structure. Data may be stored and moved around among data centers located all over the world and firms are apprehensive about their data being compromised or monetized by the cloud vendors. (Garg, 2011, p. 7)

The Cloud Security Alliance (2015) asked to rank the cloud computing security concerns in their survey. Each participant rated the item on a scale of one to five with five being the greatest concern. 60% of financial institutions ranked data confidentiality as their highest security concern, while the loss of control of data was at 57% and data breaches at 55%.


Figure 3 — Cloud Security Alliance (2015)

Regulatory Compliance

Compliance is a significant element as 71% of financial companies consider it to be a reason to keep controls in-house and not migrate data to public cloud services.

Many financial regulators require that financial data for financial institutions customers stay in their home country. Certain regulations require that data are not intermixed with other data (Sriram, 2011, p. 8). Regulations force financial institutions to implement specific security measures to consider migrating to cloud services (Cloud Security Alliance, 2015, p. 4). Financial institutions need to have a clear understanding of where their data resides in the cloud (Sriram, 2011, p. 10). The figure below illustrates the regulations that financial institutions must consider before moving to the cloud.


Figure 4 — Cloud Security Alliance (2015)

What are the success factors for cloud implementation?

Organizational considerations

According to Courbe (2013) and Sriram (2011), when considering cloud solutions, financials institutions should consider the following on the corporate side:

  • Do they have a clearly defined cloud strategy that aligns technology goals with overall business objectives?
  • Do they have a solid business case, based on the primary drivers and with a demonstrable return on investment?
  • Do they have a program that brings together business and IT as partners, to derive more benefits from the cloud?
  • Have they done a careful up-front planning and do they have an organizational maturity, characterized by strong standards and controls?

Vendor considerations

According to Cofran (2011), when considering cloud solutions, financials institutions should make sure that the vendor has proven cloud service delivery capabilities and should consider vendors that have the following:

  • Experience in managing data and systems for financials institutions
  • Follow best practices for data security and privacy
  • Focus on operational excellence
  • Continually invest in developing industry-leading innovations
  • Provide outcomes-based Service Level Agreements
  • Offer pricing models that align with enterprise procurement models
  • Offer additional IT and business services or have a strong network of partners to provide systems integration, transition planning, and change management

How can financial institutions define their cloud strategy?

To develop a successful cloud strategy, financials institutions can use the Gartner Cloud Approach presented below.


Figure 5 — Columbus (2012)

Phase I — Prework

The Cloud Computing Core Team should be composed of a mix of top managers, business unit leaders and IT leaders across the organization.

This group should state what are the business goals along with the IT objectives of the organization to have a higher level vision on the scope of effort that will be required and to provide a baseline to establish the cloud adoption principles. When setting the cloud adoption policies, the group should make sure that they keep a fit between the business and the IT. For example, in the case of financial institutions, security will be an important element to consider.

Phase 2 — Business and Application Assessment

The organization should do an extensive evaluation of current business processes and applications to identify those that can be moved to the cloud and how they can be transferred to the cloud. The group can see the significance of their IT applications by identifying them in an IT portfolio.


Figure 6 — Lapointe (2015, September 14)

After having identified the applications in the portfolio, the organization should evaluate further the propensity to migrate to the cloud using a balanced scorecard with parameters such as strategic importance, privacy requirements, peak load hours, architecture constraints. The organization should also consider legal requirements like the physical location of hardware, legal jurisdiction and laws of the country where the hardware is hosted. According to Sriram (2011), the applications propensity to move to the cloud should look like the figure below.


Figure 7 — Sriram (2011)

Finally, before proceeding to the Vendor Selection Process, financial institutions should remember that for some cloud deployment model and services such as SaaS, it can be considered as a form of outsourcing. A third party is providing the IT as well as the intellectual property. Organizations can use the framework below to decide which direction they want to take and what level of control they want. This direction will impact the type of deployment model:

  • High Organizational expertise/High Value to the organization
    Build on the Private cloud
    Build on the financial institutions own infrastructure
  • High Organizational expertise/Low Value to the organization
    Host third party solutions on Hybrid or Private Cloud
    Build on the Private cloud
    Build on the financial institutions own infrastructure
  • Low Organizational expertise/Low Value to the organization
    Buy SaaS solutions from a third party vendor
    Use a third party integrator
  • Low Organizational expertise/High Value to the organization
    Buy SaaS solutions from a third party vendor
    Host third party solutions on Hybrid or Private Cloud
    Use a third party integrator


Figure 8 — Lapointe (2015, September 28)

Phase 3 — Vendor Selection Approach

This step includes the evaluation of cloud vendors based on Application and Business Requirements (Garg, 2011, p. 12). An assessment based on security, data confidentiality, and availability need to be completed. To examine how the provider addresses security, compliance, and governance, financial institutions should look at external data from organizations like Gartner, IDC, Forrester and the Cloud Security Alliance. Comparing vendors offerings are challenging, these organizations are providing audit data and vendors rankings that help to assess vendors’ strengths against the financial institution’s current and future needs.

Furthermore, at each step of the vendor selection process, financial institutions need to understand what each vendor can bring and how their offerings align with the firm’s requirements and strategy.


Figure 9 — Lapointe (2015, September 23)

Phase 4 — Implement & Mitigate Risk

Once the vendors are chosen, applications are deployed on the cloud, or the infrastructure is being built. Organizations should keep in mind migration and cutover planning as well as adoption, change and operational management of the new processes.

In terms of risk mitigation and to make sure financial institutions achieve compliance while moving to the cloud, financial institutions should use preemptive actions such as:

  • Implementation of basic software security measures (malware detection and removal, forensic readiness)
  • Implementation of basic human security measures (right access to the right people, single sign-on, communication of a security plan)
  • Specific contract clause like Penalty clauses for incidents or Service Level Agreements
  • Audits through tools like the Cloud Security Alliance Cloud Controls Matrix
  • Encryption and tokenization of data
  • No customer client data in the cloud

Phase 5 — Steady State

In the Steady State phase, there’s a need to manage the applications deployed and to spend time measuring the ROI achieved. ROI should be measured considering the objectives stated in Phase 1, but feedback should also come from end users. Feedback should be used to fine-tune the adoption process and the next roll-out of a cloud system (Garg, 2011, p. 12).


In conclusion, there are countless opportunities for financial services to leverage the benefits of cloud computing while reducing the risks by migrating a variety of applications to the cloud. A more conservative and gradual approach towards cloud computing should be used by evaluating each services migration on the type of applications and nature of the data.

In the short term (1–3 years), lower risk projects such as non-core applications like customer relationship management (CRM), recruiting, billing and enterprise content management should be considered (Garg, 2011, p. 11).

In the medium term (3–5 years), we should expect to see tools for data auditing and data protection to become more mainstream. With better tools for decision making and better visibility on security and compliance, companies should feel more comfortable moving critical data to the cloud. After an extensive evaluation of vendors offerings and after reviewing vendors contracts flexibility, financial institutions should consider moving to the cloud some of their infrastructure operations like data center management, data storage, and disaster recovery. Financial institutions should also start to consider higher risk projects involving core business functional systems like wealth management or core banking by looking at different hosting architectures provided by IaaS, hybrid and private cloud vendors (Garg, 2011, p. 11).

In the long-term (5 years +), we should expect financial institutions to have an application portfolio with a mix of both on-premise and cloud-based services delivered across a combination of a private, hybrid and public cloud. The share of cloud services should be gradually increasing in the service mix. Private clouds are expected to increasingly become the deployment model for cloud services in this industry, giving financial institutions more control through ownership and operations of their cloud systems (Sriram, 2011, p. 8).


  1. Maawad Marcos, M., Leichter, W., & Losa, J. (2015, March 1). How Cloud is Being Used in the Financial Sector [PDF File]. Cloud Security Alliance Survey Report. Retrieved December 8, 2015, from
  2. Sriram, S. (2011). Cloud Computing in Banking [PDF File]. Capgemini: Financial Services; The way we see it. Retrieved December 8, 2015, from
  3. Cofran, J. (2011). SaaS Cloud Computing: A fast track to application modernization for banks [PDF File]. CGI Viewpoint Paper. Retrieved December 8, 2015, from
  4. Garg, A. (2011). Cloud Computing for the Financial Services Industry [PDF File]. Sapient Global Markets. Retrieved December 8, 2015, from
  5. Cloud Computing for banking: Driving business model transformation [PDF File]. (2013). IBM Thought Leadership White Paper Retrieved December 8, 2015, from
  6. Bockrath, M. (2012). The future of finance lies in cloud computing [PDF File]. Kelly Services Inc. Retrieved December 8, 2015, from Future of Finance Lies in Cloud Computing.pdf
  7. Courbe, J. (2013, July 1). Clouds in the forecast: Cloud — a necessary component of data center consolidation and IT agility [PDF File]. PwC FS Viewpoint. Retrieved December 8, 2015, from
  8. Lapointe, L. (2015, September 14). IT implementation challenges and impacts. Lecture presented at IT Implementation Management (INSY 431), McGill University.
  9. Lapointe, L. (2015, September 28). Options: buy, build, outsource?. Lecture presented at IT Implementation Management (INSY 431), McGill University.
  10. Lapointe, L. (2015, September 23). Strategic Alignment. Lecture presented at IT Implementation Management (INSY 431), McGill University.
  11. Columbus, L. (2012, December 18). First Steps to Creating a Cloud Computing Strategy for 2013. Retrieved December 9, 2015, from