What can we build on a foundation of openness and trust?

Today marks exactly 18 months since I joined IBM! As many of you know, in my prior role as CTO at Bank of America, I led our digital transformation and cloud adoption. Through that experience, I saw the need for an industry platform that financial services and SaaS providers alike could operate in that meets the high standards and controls necessary for the financial services market. I knew IBM was the right partner for the job, so we partnered on the development of the world’s first industry-specific, financial services-ready cloud, which we jointly announced in November 2019 as IBM Cloud for Financial Services. The offering enabled financial institutions to confidently host key applications and mission critical workloads on the cloud, a key moment for the industry.

Fast forward to today, November 1, 2021. As I write this blog from my desk in Armonk, New York as an IBMer, it’s?so awe-inspiring to see the tremendous progress we have made in this space over the past two years and the demand for industry-specific clouds across the highly regulated industries. In fact, a?recent study?revealed that nearly 70% of the C-suite respondents in the government and financial services sectors cited regulatory compliance as a major barrier to the business performance of their cloud estate. It’s clear that cloud adoption is moving towards industry-specific clouds.??

IBM Cloud for Financial Services now has a growing ecosystem of more than 100 financial services institution technology partners and banking clients, including four of the world’s largest banks - Bank of America, BNP Paribas, CaixaBank, and MUFG in Japan, that are modernizing on our secure and compliant financial services cloud with built-in controls. We’ve also established councils for Chief Information Officers and Chief Technology Officers, Security Officers, Risk Officers and regulators from some of the world’s largest financial institutions to understand and strategically build industry-based security standards and solutions in an effort to help de-risk the industry. Together, we discuss the regulatory, compliance, and operational challenges that financial institutions are currently facing, so that we can continuously improve IBM Cloud for Financial Services and prepare for the future together.

I’m proud of the work the team has done to push this critical effort forward.?We’ve learned so much during this co-creation process. Based on my experience, here are three key things that are top of mind for financial institutions as they embark on their digital transformation journey.

1. Trust is the fundamental element for the financial services industry.?

In financial services, it’s critical to build an environment where you can be trusted as an institution, by both your customer base and by regulators. The partners that you work with are a huge part of that environment and they must implicitly understand the nuances as to what it is to work within financial services. Which is why while I was at Bank of America, my belief was (and still is) that taking a general-purpose approach in terms of general-purpose technologies will not serve you well.

You have to work with companies that have the character and the heritage to be able to understand the business problems that you face and translate the technology components they have to meet your needs. As both a client and then employee, that’s what drew me to IBM. IBM has the assets and the storied history of delivering mission critical business processes for the financial services industries and many other regulated industries over the passage of time.

2.?The controls can’t be IBM’s controls; they?must?be the industry’s controls.?

The controls we have built into IBM Cloud for Financial Services are not actually controls that IBM has come up with in a silo. We have an ever-expanding number of financial institutions across all geographical jurisdictions that are providing their control frameworks to the platform so that it is an industry platform built by the industry.?

We worked with Bank of America and Promontory to establish a set of?cloud security and compliance control requirements as the basis of the IBM Cloud Policy Framework for Financial Services, which allows financial institutions to confidently host key applications and workloads. It’s a set of polices meant to deliver the industry-informed IBM Cloud controls required to operate securely with bank-sensitive data in the cloud. We continue to work with our advisory council to assure that the framework is up to date to address the latest industry regulations.

We believe that's the right way to actually protect the industry from the systemic risk that could be introduced from the use of cloud based technologies and also allows you to actually accelerate your ability to undertake digital innovation and transformation, because the element that typically proves to be an impediment and slows down any company's ability to??quickly harness their digital transformation is the need for them to independently develop the compliance controls into any platform they use.

3. There’s both risk and opportunity with third- and fourth- party providers.?

There are many things that you have to consider when building your cloud architecture, not least of which is third- and fourth-party supply chain risk. Sometimes the smallest gap in your supply chain management can become your weakest link.??It’s an area and a risk aperture that regulators are focusing on even more now too, as I’ve found out from many conversations with the regulators around the world.?

Financial institutions are increasingly using SaaS providers within their core business processes and seeing many benefits with the agility and innovation of FinTechs embedded in their processes. But when you do that, you are always asking yourself, is their software secure??

Most of the software that is written is actually built upon open-source software, which leaves any institution open to risk where embedded computer programs or commands can cause problems and security vulnerabilities. You also have to be wary of the platforms on which they sit upon and if they have the right level of IT operational performance and the cybersecurity controls. That was a problem that I saw from the vantage point that I had when I was in the industry; and therefore, the platform that I had the opportunity to build with IBMers.?

It can typically take months to onboard a new technology vendor into any institution, but the idea with the IBM Cloud for Financial Services with the compliance controls built in from the outset, is that any vendor that sits on that platform can onboard quickly and get to that point of innovation far faster, in a secure, compliant fashion.

And we take the responsibility to ensure the compliance is built in on a month-by-month basis essentially taking the laws, rules and regulations that exist, across geographies, and change on a frequent basis and turning them into code and built in a place where you can get continuous monitoring to assure the risk is mitigated.

When I first started working on IBM Cloud for Financial Services, I never would have foreseen the massive digital transformation that was to come, driven by the pandemic. The rate of cloud adoption has been unprecedented – in every industry – over the past 18 months. I believe we'll look back at this passage of time and the end of “chapter one of cloud,” as I call it, as a kind of archaic period where everybody is generating their own version of electricity, so to speak. As we move into “chapter two of cloud,” we should be working on standards for compliance and controls. It’s a time to be open and build. Together.

Imagine what we can build together over the next 18 months on a foundation of openness and trust.