ABA Banking Journal
No Result
View All Result
  • Topics
    • Ag Banking
    • Commercial Lending
    • Community Banking
    • Compliance and Risk
    • Cybersecurity
    • Economy
    • Human Resources
    • Insurance
    • Legal
    • Mortgage
    • Mutual Funds
    • Payments
    • Policy
    • Retail and Marketing
    • Tax and Accounting
    • Technology
    • Wealth Management
  • Newsbytes
  • Podcasts
  • Magazine
    • Subscribe
    • Advertise
    • Magazine Archive
    • Newsletter Archive
    • Podcast Archive
    • Sponsored Content Archive
SUBSCRIBE
ABA Banking Journal
  • Topics
    • Ag Banking
    • Commercial Lending
    • Community Banking
    • Compliance and Risk
    • Cybersecurity
    • Economy
    • Human Resources
    • Insurance
    • Legal
    • Mortgage
    • Mutual Funds
    • Payments
    • Policy
    • Retail and Marketing
    • Tax and Accounting
    • Technology
    • Wealth Management
  • Newsbytes
  • Podcasts
  • Magazine
    • Subscribe
    • Advertise
    • Magazine Archive
    • Newsletter Archive
    • Podcast Archive
    • Sponsored Content Archive
No Result
View All Result
No Result
View All Result
ADVERTISEMENT
Home Compliance and Risk

What Risk Managers Need to Know about Cloud Migration

January 3, 2020
Reading Time: 6 mins read
What Risk Managers Need to Know about Cloud Migration

Greg Hayes (holding shovel, right) breaks ground on the Kish Innovation Center.

By Craig Colgan

The day before Kish Bank in central Pennsylvania planned to break ground in October on a $10 million building it calls an innovation center, the bank’s president and COO reflected on all that went into what is an enormous project.

And on all that lies ahead.

“It’s been a long process to this point,” says Greg Hayes, president and COO of the $850 million bank, headquartered in Belleville with executive offices in State College. And the building may not even be the major piece.

“Once this is built, then it’s on to more planning and to implementing,” he adds. “It’s a big change. Team members who work out of this facility are going to support a more digital but still very physical and very relationship-based local experience.” Hayes talks frequently about finding better ways to serve his customers, and about refining “digital but physical” branch-of-the-future models.

Kish Bank is making a major commitment to next-generation banking. To fuel these changes, the bank is migrating multiple systems to cloud-based solutions. These include hardware infrastructure, productivity software, core platform, even a phone system. Those main cloud providers for the new Kish Bank include Amazon Web Services, Microsoft Teams and Office 365, data backup and recovery solutions, and for its core banking CSI.

“This enables our employees to meet the needs of our clients basically from anywhere at any time through faster, more reliable technology that is easier to get to and more intuitive to use,” Hayes says.

Bankers from across the country reach out to him and to his team regularly, inquiring about how all these changes are progressing. The topic of many of the questions: risk. Hayes’ starts his answer by pointing to his bank’s DNA and then to the perpetual monitoring culture that has become second nature.

“We’ve been strategic planning for 38 years,” Hayes says. “Our cloud journey is actually part of a much larger strategy that reimagines our entire technology approach. Every year we are identifying these threats and these opportunities. It will be great when this part of it all comes to fruition. But really, it’s never going to stop.”

Partnering to solve the culture clash

Economist Tyler Cowen says the U.S. is on the verge of “a golden age of financial innovation.” Increasingly for many banks, of just about all sizes, that golden path forward means committing valuable resources—such as time, dollars, and personnel—to cloud.

Cloud services providers offer outsourcing of computing infrastructure and data storage, but also convenience, expertise, specialized personnel, flexibility and what IT experts call “resilience.” Moreover, cloud services increasingly promise to execute and deliver quickly on a host of needs and applications and enhancements requested by banks. Other advantages: greater access to advanced analytics and artificial intelligence tools.

So what’s the holdup? One problem is that only one in four banks has a defined cloud strategy in place, according to Accenture research. Another problem is that the banking industry, while a leader in cybersecurity, faces distinctive risk across additional zones when it comes to cloud banking. And the CSPs are finding themselves on the hot seat in Washington, learning to interact with regulators in a way that is much more familiar to the supervised financial sector.

In April, Federal Reserve examiners surprised staff at an Amazon Web Services facility in Richmond, Va., the Wall Street Journal reported. The examiners were allowed to review certain documents but did not remove any. The episode “points to a culture clash between government and big tech,” which has been far less regulated than the financial sector, the paper reported.

Other culture clashes are not uncommon as cloud banking arrangements expand. For smaller banks in particular. Paul Benda, ABA’s SVP for risk and cybersecurity policy, worked with a small bank recently that told him about the problem it was having getting a major cloud provider to provide information for some basic regulatory filings.

“It’s a formal document the bank needs to present to the regulators to show they are doing due diligence with third-party providers,” Benda says. “The attitude from the cloud provider was: ‘Why do I have to fill out this thing for you?’ From the bank’s perspective the feeling was, we don’t need you. Especially since you are a small bank.” The bank got the information it needed eventually, but it took several months, Benda says.

Firms called shared assessment providers, recently started by banks, aim to solve some of this confusion, by providing processes to simplify regulator-required vendor reporting, assessment and validation.

ABA SVP Paul Benda (right) testifies before the House Financial Services Committee’s Task Force on AI. Photo by Karen Martin.

Benda recently testified before the House Financial Services Committee and offered hope for a positive way all parties can better address risk issues in cloud banking. “We believe there is potential for financial institutions, CSPs and regulators to collaborate on a best practices model to provide standardized terms and conditions that provide financial institutions access to required audit and control data,” he told the panel. “The challenges in this space are complex, and we believe that every stakeholder wants to ensure that the security of these critical systems is maintained and at the same time innovation is not hindered.”

Ben Wallace—a former banker and partner at Summit Technology Group, a firm assisting banks on their cloud projects, including Kish Bank—says he is seeing more meeting of the minds from implementation to regulatory awareness to risk management at all levels between cloud service providers and banks. One motivator for CSPs: reputation risk exposure from news coverage of major data breaches.

“While they have no responsibility or obligation, [major CSPs are] now beginning themselves right on their own accord to look at your infrastructure” and offer advice on ways to mitigate risk and maximize performance, Wallace says. “I think what we are starting to see is they are trying to help these customers. Because these cloud providers are seeing best practices, for all concerned, and even though there is no legal obligation, they are more and more trying to be good stewards.”

ADVERTISEMENT

Congress is beginning to notice as well. Two House members recently requested that the three leading CSPs—Amazon Web Services, Microsoft and Google Cloud—be designated as systematically important financial market utilities, so they could be regulated under Title VII of the Dodd-Frank Act. How this all could affect banks themselves remains unclear.

The monitor culture has arrived

Bank leaders and decision makers may have to occasionally cut through some lingo to figure this out.

The thing to avoid: “Disparate risk methodologies across multiple traditionally siloed risk functions.”

The thing you want: “A robust risk governance framework.”

These are the very specific words of Paul Sussex, digital and financial services cloud leader at EY Americas. Having worked with financial services clients for a quarter century, Sussex says banks must first broaden the way they think of risk when considering cloud services. “As banks start to enable more critical business use cases with cloud technologies, they need to refine their risk management capabilities across multiple fronts,” Sussex explains.

“Monitor the service provider,” adds Scott Sargent, an attorney in the financial services group for the law firm Baker Donelson, which advises banks on major cloud contracts. “This is where banks are the most vulnerable. If the service provider is providing a crucial component, many banks think that they monitor the service provider every day by just seeing the process work as expected. It is important to monitor contract performance and service level agreement, but not looking beyond that is a dangerous trap and it can cost the bank.”

Sargent suggests asking: What if a disaster struck the service provider? Does the provider have adequate insurance coverage? How does the provider audit itself? For high-risk or critical vendors, visit the provider’s facilities, he suggests. Finally, contracts should be evaluated by a lawyer who is familiar with applicable vendor management rules and guidance.

One of Kish Bank’s largest risk hedges is simply how his bank’s entire upgrade project is conceived and then executed.

Hayes calls his bank’s new cloud arrangement “hybrid,” in that it is composed of both on-premises versions of virtual servers and desktops, as well as a hosted public cloud-based version. “So if the future of cloud does not play out or we have unforeseen risks, we can migrate easily back to an on-premises solution,” Hayes said. “Or if we find that cloud is much easier to manage, much more effective and efficient, we can utilize the on-premise solution as a backup and go full cloud solution.”

Other risk mitigating steps Kish Bank has taken include shorter-term contracts with providers. This might mean higher costs in the short term, he admits, against the upside of the flexibility to get out or move to another provider. Staffing is a risk too, as decisions about just which tasks and responsibilities are to be outsourced will become a continual challenge.

Kish Bank’s cyber and information security program also gets a complete refresh through the use of real-time automated reporting and alerts to ensure that threats to customer information and systems are identified and eliminated.

“It’s that technology sophistication that’s driving a more mature cybersecurity program,” Hayes says. “You can’t do one without the other.”

Tags: Cloud computingCloud migrationCybersecurityRisk managementThird-party risk
ShareTweetPin

Author

Craig Colgan

Craig Colgan

Craig Colgan is digital editor of the ABA Banking Journal.

Related Posts

OCC to merge community bank, large bank supervision departments

OCC removes disparate impact from bank examinations

Compliance and Risk
July 14, 2025

The OCC has removed references to disparate impact liability in its documentation and directed examiners to no longer look for it in their bank exams.

Nearly $500B sent through Zelle in first half of 2024

Zelle grows to more than 2,300 financial institutions

Newsbytes
July 14, 2025

The total number of institutions on Zelle is now more than 2,300, with 95% institutions either community banks or credit unions.

ABA donates to Texas flood relief efforts, urges bankers to contribute

FDIC issues regulatory relief guidance for Texas

Compliance and Risk
July 11, 2025

The FDIC released guidance with steps intended to provide regulatory relief to financial institutions and facilitate recovery in areas of Texas recently affected by severe storms and flooding.

BIS drafts guidance for central banks on AI adoption

BIS releases report on connections between banks and nonbanks

Compliance and Risk
July 11, 2025

Differences between regulations for banks and those for nonbank financial intermediaries may have created incentives to shift business activities to the NBFI sector, so bank supervisors should apply “close scrutiny” to such interactions, according to the report.

Regulators take issue with discrimination definition in proposed appraisal standards

HUD reverses Biden-era policies on appraisal review

Compliance and Risk
July 11, 2025

HUD eliminated several of the core policies adopted by the Property Appraisal and Valuation Equity task force, an interagency group of 13 federal agencies formed during the Biden administration to address alleged discrimination in the appraisal process.

Fed releases agenda for upcoming conference on large bank capital requirements

Fed seeks public input on large bank rating system revision

Compliance and Risk
July 10, 2025

The Federal Reserve requested comment on a proposal to revise its supervisory rating framework for large bank holding companies to address the "well managed" status of the firms.

NEWSBYTES

OCC removes disparate impact from bank examinations

July 14, 2025

Zelle grows to more than 2,300 financial institutions

July 14, 2025

ABA, associations seek clarity about Fannie, Freddie credit scoring change

July 11, 2025

SPONSORED CONTENT

Navigating Disruption in Ag Lending – Why Tariffs Are Just the Tip of the Iceberg

Navigating Disruption in Ag Lending – Why Tariffs Are Just the Tip of the Iceberg

July 1, 2025
AI Compliance and Regulation: What Financial Institutions Need to Know

Unlocking Deposit Growth: How Financial Institutions Can Activate Data for Precision Cross-Sell

June 1, 2025
Choosing the Right Account Opening Platform: 10 Key Considerations for Long-Term Success

Choosing the Right Account Opening Platform: 10 Key Considerations for Long-Term Success

April 25, 2025
Outsourcing: Getting to Go/No-Go

Outsourcing: Getting to Go/No-Go

April 5, 2025

PODCASTS

Breaking down the bank-related provisions in the big budget bill

July 10, 2025

Podcast: Inside ABA’s new Treasury Check Verification System API

June 25, 2025

Podcast: Staying close to clients amid tariff-driven volatility

June 18, 2025
ADVERTISEMENT

American Bankers Association
1333 New Hampshire Ave NW
Washington, DC 20036
1-800-BANKERS (800-226-5377)
www.aba.com
About ABA
Privacy Policy
Contact ABA

ABA Banking Journal
About ABA Banking Journal
Media Kit
Advertising
Subscribe

© 2025 American Bankers Association. All rights reserved.

No Result
View All Result
  • Topics
    • Ag Banking
    • Commercial Lending
    • Community Banking
    • Compliance and Risk
    • Cybersecurity
    • Economy
    • Human Resources
    • Insurance
    • Legal
    • Mortgage
    • Mutual Funds
    • Payments
    • Policy
    • Retail and Marketing
    • Tax and Accounting
    • Technology
    • Wealth Management
  • Newsbytes
  • Podcasts
  • Magazine
    • Subscribe
    • Advertise
    • Magazine Archive
    • Newsletter Archive
    • Podcast Archive
    • Sponsored Content Archive

© 2025 American Bankers Association. All rights reserved.