back to article Euro bank regulator: Don't follow the crowd. Stay off the cloud

An EU financial regulator has warned that banks moving to the cloud are at risk of vendor lock-in as well as transferring IT jobs to "subcontractors from high-risk areas". The EU Banking Authority, which regulates the financial regulators of member states, has issued a report looking at the risks of "fintech", the fashionable …

  1. Blockchain commentard Silver badge

    "potentially fungible data centres"- now they sound like fun places to work!!!!!

    1. Anonymous Coward
      Anonymous Coward

      Someting from "Aliens" I think?

      "Easy in - Easy Out!"

    2. Ken 16 Silver badge
      Trollface

      It means you may be able to grow mushrooms in them

    3. Chronos Silver badge

      How do you funge something, anyway? What manner of thing readily lends itself to a damned good funging?

      1. Rich 11 Silver badge

        What manner of thing readily lends itself to a damned good funging?

        I expect that would be a fungi.

      2. Fungus Bob Silver badge

        "How do you funge something, anyway?"

        With a hot funge sundae (?)

  2. Duncan Macdonald Silver badge

    They won't care

    Customer security versus a 1% bonus rise for top management - the bonus wins every time.

    The report would only have an effect if it was a mandatory ruling that all EU financial institutions must not use the cloud with big penalties for infringement.

  3. Anonymous Coward
    Anonymous Coward

    I wonder?

    Quote:-

    An EU financial regulator has warned that banks moving to the cloud are at risk of vendor lock-in as well as transferring IT jobs to "subcontractors from high-risk areas".

    I wonder if they include India in their High Risk Areas?

    With the current speed of 'off shoring' to improve the bottom line (as long as nowt goes wrong that is...) it won't be long before all the UK banks IT will be totally offshored. Then the Indian contractors will move the whole thing to the cloud and before you know it, even the systems will be located in some backstreet of Mumbai, Kolkata or Pune.

    Never mind, we have the EU to stop it... Oh Wait we don't. so much for being in control!

    1. Teiwaz Silver badge

      Re: I wonder?

      Oh Wait we don't. so much for being in control!

      Wrestling control away from the corrupt oligarchs in Europe just means handing it to a smaller, more amateurish group of corrupt oligarchs in Westminster.

      It's amazing though, that Banks need to be told what seems like the obvious to anyone with even half a grasp of IT.

      Kind of like don't hand your lifesavings to someone who's likely to leave them on the bus and just shrug and deny any culpability when confronted.....

      wait, sub-prime? - perhaps Banks do need to be told how (and probably have their laces tied by a responsible adult).

    2. naive

      Re: I wonder?

      Your remarks apply to the UK, European banks did not outsource their system operations to former colonies.

      Due to Brexit, the EU won't stop British managers outsourcing jobs to 1 dollar/hour countries.

      1. Gordon 10 Silver badge

        Re: I wonder?

        @Naive - I think your handle is dead on. Unless you are trolling you are very very naive.

        ALL Banks offshore everything they can get their hands on but especially Ops. The only difference is the locations to which they offshore. But India is always high up the list because they all use the 4-5 big Indian IT outsourcers. The Philippines or Indonesia are other favourites due to the large proportion of staff who speak English, and whether you like it or not the international language of banking is English.

    3. Tom Paine Silver badge

      Re: I wonder?

      I wonder if they include India in their High Risk Areas?

      I imagine they're using the same list as for AML purposes. See e.g.

      https://aml-cft.net/high-risk-countries/

    4. Anonymous Coward
      Anonymous Coward

      How can I break this to you?

      The UK is going to be a High Risk Area after next March.

  4. Anonymous Coward
    Anonymous Coward

    That's an interesting piece of reading for other Orgs

    Not us! Now back to running everything on a skeleton crew basis TSB style, so the senior execs can get generous bonuses... Where there's doubt, there is no doubt... The lack of actual legislation means cutting corners every time!

    1. Dan 55 Silver badge

      Re: That's an interesting piece of reading for other Orgs

      TSB (or Sabadell) also had the great idea of cloud-based banking.

  5. herman Silver badge

    I think Sir Mick said it best: "Hey! You! Get offa my cloud!"

  6. Mr Dogshit

    Well who'd have thought it

    Next week: How to suck eggs

  7. PowerBenny
    Flame

    It's just somebody else's computer

    You can do things terribly on-premise or in the cloud. Just as you could, theoretically speaking of course, fund things properly and do them well either on-premise or in the cloud.

    It doesn't matter where you do it, it is how you do it that counts.

    1. Anonymous Coward
      Anonymous Coward

      Re: It's just somebody else's computer

      That is true, but moving to a cloud (outsourcing 1) puts your data on someone else's hardware, which is a loss of control, and then underfunding your IT department while paying a separate company to takeover IT (outsourcing 2), is another loss of control. At what point does the board simply move all operations, including accounting to the lowest cost centre (outsourcing 3)? What shocks me is that companies that earn their predominant income in an area like a particular country are allowed to outsource any jobs to separate companies or even worse out of that country. All this brought to you by Globalization and the greed of the already obscenely wealthy.

  8. Sir Runcible Spoon Silver badge
    Flame

    When will they learn? (Beancounters)

    Outsourcing something doesn't magically make it cheaper, it just hides the costs.

    If you want to know how much something costs, work out how much it would be to set up a team with the requisite skills (assuming you don't have them) plus the hardware and the time required, you can save support costs by retaining some of the people that build the thing if you like, or just get in drones and let them call the vendor. That's probably going to be the cheapest model in the long run, although it is a lot more hassle to manage and you can't blame someone else if it goes Pete-Tong.

    If another company offers to do it for significantly less, you have to start looking at where they are going to hide the charges. A company that does this well and protects themselves from hidden costs can look forward to being sacked as a customer as the outsourcer will likely be losing money on you hand over fist.

    Get the right people and you can half development time, remove expensive support contracts and create a lot of good will with your customers, leading to repeat business and continuity. That is a *lot* cheaper in the long run than the scenario's I see playing out every day, where the external supplier provides sub-par developers who do a crap job, then you have to get contractors in at 3* the price *in addition* to sort out the mess, then hand it all back to the people who fucked it up in the first place. Oh, and you can at least double the development time too.

    They (beancounters) really need to learn how to count properly, but that would require a level of trust in your IT specialists - I don't see that happening any time soon. I often get the feeling that cost is the last thing they are actually worried about, no matter what they might say.

    1. Mark 65

      Re: When will they learn? (Beancounters)

      As the saying goes, "accountants know the price of everything and the value of nothing".

  9. Martin M

    Lock-in?

    Regardless of the rest of the arguments - and I agree there lots of things that need to be thought about carefully before putting mission-critical workloads on the cloud - I just don't understand the lock-in point. Do you have more vendor lock-in with your core banking system being:

    a/ Crufty CICS code that few people understand on an IBM mainframe with infrastructure and operations outsourced to IBM, as is currently the case at many banks.

    b/ A modern banking application on a commodity OS hosted using cloud IaaS services, which could (at least in theory) be hosted pretty much anywhere.

    You have to understand how you would migrate data out again if you needed to - although if you're sensible you do this continuously anyway to an independent location. You need to be careful to minimise your use of cloud-specific services - if you use AWS Dynamo all bets are off (in all sorts of ways).

    Migrating will still be a pain as you will have to do massive amounts of testing, but frankly that will apply if you upgrade the OS on a server in your data centre, so you need to be able to do that quickly and efficiently in any case.

    1. This post has been deleted by its author

      1. Martin M

        Re: Crufty CICS?

        Presumably the people who could definitively tell him it is not supported would be either retired or dead?

        1. Sir Runcible Spoon Silver badge
          Mushroom

          Re: Crufty CICS?

          Get them to upgrade to Microsoft Access, it's da bomb!

  10. steelpillow Silver badge
    Facepalm

    What could possibly go wrong?

    You'd have thought that the disaster of outsourcing customer support to "high-risk areas" would have taught them something. But no, provided there is a contractor between us and the high-risk area, it'll be fine.

    Vendor lock-in? Shit, if they cause trouble we'll just buy 'em up and dump on 'em good and proper. Surely they can never grow bigger than us.

  11. Chronos Silver badge
    Facepalm

    They catch on fast, don't they?

    Most of us have only been saying this since the idea of "cloud computing" (someone else has all your valuable data and your virtual testes in a hydraulic press) came along which was, what, ten years ago at least?

    Very unusual for a monolithic, stagnant, stuffed-shirt sector to wise up so quickly. What's next? The government doing shit itself rather than handing it all to Crapita to underestimate, overspend and miss the deadline on?

    Nah, too far fetched.

    1. Sir Runcible Spoon Silver badge
      Windows

      Re: They catch on fast, don't they?

      Shit now I feel old, because I've been telling people that for 20 now :(

  12. Anonymous Coward
    Trollface

    EU Banks

    calling anyone "High Risk"

  13. John Smith 19 Gold badge
    Holmes

    "There may be uncertainty over the jurisdiction where the data is held"

    Unless of course it's America.

    In which it's simple.

    The USG "All your data belong to us."

    1. sabroni Silver badge

      Re: Unless of course it's America.

      The American's don't care if the data is in America or not. The issues MS have had over their Irish data centre make that crystal clear.

  14. razorfishsl

    Even microsoft is bumming out its cloud infrastructure to 3rd parties.

    The thought that banks are running all that info thru 3rd party systems , really is not a restful thought.

  15. imanidiot Silver badge
    Facepalm

    Gee, putting important stuff on somebody else's computer... what could possibly go wrong?

  16. Paul 195
    Holmes

    Just be sensible

    Keep your crown jewels locked up in your own data-centre/private cloud, but take advantage of public cloud for scaling for your public facing web services etc. And be aware that vendor lock in is definitely a thing with public clouds. Your code running on commodity hardware is easily portable, but all the metadata and scripts that keep your service elastic and fault tolerant are not.

  17. Potemkine! Silver badge

    All of your data are belong to us

    Muhahahaha

  18. Claptrap314 Silver badge

    Cloudy clouds

    As I keep saying, cloud providers can provide resiliency that is entirely beyond the reach of SMB, and for a reasonable price.

    But my immediate question for banks, is: what exactly are your uptime requirements? It's not at all clear to me that they even need three nines. As others have mentioned, the web front end might be nice and cloudy, but the core business operates off a distinctly 18th-century model of availability. Unless and until I can have final clearance of a check from a major bank in seconds, the banking system is not the least bit interested in five- or six-nines of resiliency.

    If some bank(s) WERE attempting to bring banking into a modern era, then some sort of cloud-based solution would be required. See previous discussion regarding the necessary issues, but suffice it to say that the EU is almost big enough to set up a complete system. (FTR, I say the same thing about the US--you really want to span eight or nine time zones minimum.)

  19. Dave 13
    Facepalm

    Reward vs risk calculation

    It's human nature to value reward over risk and our financial institutions seem more in tune with that than ever. The real problem with reports like this is that those who ignore the stated risks and get caught with their knickers down never seem to get any real punishment. Stupid pointy-haired-boss decisions mainly affect customers and low-level employees - otherwise known as scapegoats.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019