Bank of America, IBM collaborating on a financial services cloud

Bank of America and IBM, along with IBM's regulatory compliance arm Promontory Financial Group, have partnered to build a cloud for banks that has security, privacy and bank-specific regulatory compliance built in.

The special-purpose cloud is designed to address challenges that hold banks back when they think about adopting cloud computing.

“We believe that the whole industry has some unique challenges with the public cloud around compliance, security and resiliency,” said Bridget van Kralingen, senior vice president for global industries, clients, platforms and blockchain at IBM. “Governance, risk and compliance consumes around 20% of the operations costs of most major banks.”

The requirements for security, data protection and regulation in general change continually, she said.

“Because of that, many banks have not moved their production workloads to public cloud providers," van Kralingen said. "There is not enough focus on those specific control requirements for the industry."

Bank of America and IBM executives, including van Kralingen and Cathy Bessant, BofA's chief technology officer, have collaborated since March on a set of controls that provide proactive and automated security and use the industry's highest level of encryption certification for this cloud, van Kralingen said.

The cloud is expected to run on IBM’s existing public cloud, which uses Red Hat OpenShift as its primary Kubernetes environment to manage containerized software across an enterprise, and includes more than 190 API-driven, cloud-native platform-as-a-service products to create new and enhanced cloud-native apps. Container software provides certain functions, like security, in a wrapper within which applications run and can be moved from one cloud to another.

Bank of America’s cloud journey

Bank of America has been on an internal cloud journey since 2013, two years before Microsoft Azure even existed.

“We started out focused on efficiency of utilization and expense efficiency,” said Bessant, who last month was named American Banker's Most Powerful Woman in Banking for the third year in a row.

Bessant said 80% of the bank’s workloads run in its private cloud. It does not run anything in a public cloud, other than in test mode. The private cloud has achieved the efficiencies Bessant sought. Where Bank of America once had 200,000 servers and 60 data centers, it's pared that down to 70,000 servers and 23 data centers.

Cathy Bessant AB.jpg

Through benchmarks, the bank has found that its private cloud is 29% cheaper than other service providers. It now spends $2.1 billion less per year on infrastructure than it did in 2012, due in large part to the private cloud.

But Bessant recognizes that eventually, public cloud computing is bound to become the most cost-efficient option.

“While the economics [of an internal cloud] are great today, they're not going to be great forever for us,” Bessant said.

At the same time, Bessant has said all along that Bank of America would not use a public cloud unless the cloud provider had a wealth of controls that match the “cocoon” of controls the bank has placed around its own internal cloud in the areas of security, privacy and compliance. And the economics would have to make sense. Resilience is also critical, she said.

“It’s a huge focus for financial institutions and our customers because our customers expect it, and regulators are growing their focus on this,” Bessant said.

The bank's work with IBM on a financial-services-ready public cloud is meant to ensure that the highest standards get incorporated into cloud technology, “to have the right home for our own workloads,” Bessant said.

It’s also intended to help the third parties with which Bank of America works use fourth-party cloud providers “to enable the creation of a stack that is compliant by design for them,” Bessant said.

Compliant by design is helpful for banks, too.

“Today some of the midsize and smaller financial institutions have a hard time putting together a compliant by design stack because they don't have the leverage individually,” Bessant said.

The IBM cloud is also designed to help the bank with burst-capacity needs. Currently, the bank has to maintain more servers than it needs for its day-to-day computing in order to accommodate spikes in activity, such as running a stress test or threat detection.

In a cloud shared with other banks, all would share the cost of that extra capacity. Another advantage is that IBM will vet third-party software providers before allowing them onto its cloud.

“If you're a big financial institution today, you can build custom controls and compliance,” van Kralingen said. “If you're small, not really.”

Being able to use software that’s already met the compliance, security and privacy requirements laid out by Bank of America and IBM “is game-changing for many players in the ecosystem,” van Kralingen said. IBM is also vowing that it will keep this cloud updated to meet changing compliance requirements.

Though IBM is not traditionally the lowest cost provider, this financial services cloud will be “priced competitively,” van Kralingen said. She declined to get more specific.

Promontory’s role

Promontory Financial Group, the consulting company founded by former Comptroller of the Currency Eugene Ludwig that IBM bought in 2016, has been part of this effort. For the past year, Ludwig and his experts have gone through hundreds of regulatory compliance rules to help build the controls banks need in place.

“This was an important project because it’s the first public cloud for banks with a regulatory backbone,” Ludwig said. “Making sure that it has the regulatory backbone appropriate for banks takes a lot because, appropriately, banks have quite a number of requirements relating to their technology infrastructure, and helping to marry those requirements with the technology behind public cloud takes a meticulous amount of review.”

Regulations that affect what banks do with cloud computing include federal regulators' vendor management and digital banking guidelines, the New York cybersecurity law and California’s data privacy law.

“This technology offers a speed and efficiency that's profound,” Ludwig said. “But this technology, like any technology for banks, is truly only accessible if it meets all the regulatory requirements for safety and soundness and other compliance obligations that banks have.”

Promontory is also building compliance with rules from other countries, such as Europe’s GeneraI Data Protection Regulation, into the cloud. So a bank that operates in other countries could use this cloud globally and not have to worry about violating other countries’ rules.

IBM will not only vet third parties that use this platform for compliance, security and privacy, it will maintain compliance on the cloud as regulations change.

“Promontory will play a key role in ensuring that the platform stays ahead of the changes in regulations,” Ludwig said.

This is a large responsibility for Promontory. But Ludwig pointed out that even with Promontory’s help, banks will have to make sure they’re in compliance, too.

Enabling fintech partnerships

Increasingly, banks’ software vendors and fintech partners want to do things in the cloud, van Kralingen said.

“Banks need to be very agile and work with fintechs and other providers, so they have a delicate balance in maximizing the promise of data, delivering better services, but also making sure that trust occurs,” she said.

Both teams have observed that banks vary widely in their ability to use third-party cloud services, Bessant said. Small banks often have to use an off-the-shelf product, whereas large banks create their own controls around cloud computing.

Bessant indicated that she sees this as a business and culture change.

“We have looked each other in the eye numerous times during all of this and said, this could revolutionize a lot of the way we think about technology that supports all of our development and our production,” she said. “I think of this a business strategy announcement more than a cool tech announcement, even though it is both.”

For reprint and licensing requests for this article, click here.