Behavox’s Alex Viall explores differing views toward adopting cloud-hosted software by financial services companies in the U.S and EU. Alex examines regulatory and cultural differences, predicts consequences, and suggests an alternate path forward for an industry always striving to remain competitive.
Over the past decade, software-as-a-service (SaaS) solutions have become all the rage. Or so you would think. Closer scrutiny of the traditional financial services market, most notably in the E.U. when compared to the U.S., suggests a very cautious approach to adoption. As the pandemic ushers in a wave of economic challenges, European businesses should embrace SaaS as a more resilient infrastructure for both customers and employees alike.
SaaS is part of a subset of services that live in the cloud, which is used to enable ubiquitous, convenient and on-demand network access to a shared pool of configurable computing resources. This system allows for the swift building of an infrastructure to host numerous applications that can be quickly delivered to the customer. The cloud hosts service models including SaaS, platform-as-a-service (PaaS) and infrastructure-as-a-service (IaaS). SaaS, PaaS and IaaS are all subsets of cloud software similar to how cars, trucks and motorcycles are subsets of vehicles.
SaaS is not a new phenomenon. It is a modern, efficient method to supply online applications and services to customers. Retail consumers are regular beneficiaries of SaaS, but its adoption by the corporate customer is just barely becoming mainstream in some E.U. regions.
Salesforce Started the Gold Rush in California – the Rest of the U.S. Quickly Followed
Salesforce epitomizes the pioneering and disruptive approach U.S. corporations took in delivering cloud-hosted service applications, a movement that began 20 years ago and has taken hold at all levels of corporate life. SaaS provides several benefits, such as agility and lower infrastructure costs.
One of its most significant benefits is remote access to corporate environments, enabling speed, creativity, collaboration and continuous service. It obviates the extra burden of on-premise housing of applications and data that carry heavy hardware investment, installation and on-site maintenance, not to mention the limitations of fixed infrastructure that cannot be upgraded instantly like cloud-based provisioning.
The territorial battles between cloud computing giants demonstrate the value and potential of the cloud service opportunity across corporate America. Microsoft, Amazon Web Services (AWS) and Google are trading punches to control the top spot as this market continues to expand.
The most notable converts to cloud computing and the various service applications it enables have been regulators and associated government bodies, as well as some unlikely banking organizations with large retail customer bases. The best example of an early adopter is the Financial Industry Regulatory Authority (FINRA) in the U.S. An SEC-appointed agent, FINRA regulates and supervises all registered broker-dealers in the U.S. and has been a committed and vocal proponent of the cloud and the advantages it offers for some time.
There is no more powerful endorsement of trust in cloud-stored data than knowing your own regulator holds highly sensitive reports submitted by the firms that it regulates off-premise and in shared data locations around the country. The U.S. agent has set an example for the American financial services industry, validating the embrace of cloud-stored data systems, establishing a precedent that has been followed closely by many of the firms it regulates.
The European Laggards
Across the pond, the option to host data in the cloud continues to be met with serious reluctance. Though the most stringent, exacting regulator of the U.S. has publicly promoted using the cloud and its beneficial services, companies in the E.U. remain hesitant and slow to implement such solutions. It can be argued that European firms are preventing their own financial services industry from fully entering the modern era by impeding institutions from maximizing collaboration and efficiency and hesitating to embrace SaaS.
There are a variety of explanations for the differences between the two regions. One is purely cultural and historical, driven by the advanced foothold the technology industry has held in the U.S. For decades, the country has been a fertile ground for technology innovation and business startups. This pre-eminence rubs off on other industries that rely on technology to grow and compete.
The harsh reality is that E.U. firms’ willingness to incorporate SaaS solutions is not going to change overnight.
Where on Earth is my Data?
The General Data Protection Regulation (GDPR) became effective in May of 2018. It governs data protection and privacy for the E.U. and the European Economic Area. After an initial flurry of activity from businesses rushing to comply, industries entered a honeymoon period where they observed how their own “local = national” data protection authorities (DPAs) interpret and apply GDPR. As enforcement cases start to rise, businesses have begun to understand what sort of compliance breaches are deemed intolerable on a case-by-case basis, as well as the size of fines attached to these enforcements.
In some cases, penalties have been significant. The top six fines since 2018 total nearly €500 million.
- British Airways – €6 million
- Marriott International Hotels – €3 million
- Google Inc. – €50 million
- Austrian Post – €5 million
- Deutsche Wohnen SE – €5 million
- 1&1 Telecom GmbH – €5 million
This complex and considerably harsh regulation across the E.U. has instilled a sense of trepidation within financial services firms. It is likely that European institutions fear cloud-based solutions intruding into strict data sovereignty issues within GDPR.
Welcome to the Balkans
Complying with national data protection requirements adds new complexity to GDPR. Financial services businesses that have extensive branch and office networks across the E.U. must house and handle the data they capture with extraordinary care and also represent the individual identity and idiosyncrasy of the country from which it emerges (based on residency). In Poland, certain data held by financial institutions must only be viewed and handled by nationals of that country. Germany and France also have extremely stringent applications of the core tenets of GDPR, which makes it incredibly difficult for global businesses to adopt a centralized approach to the capture, storage, processing and handling of their data. The impact has led to a “balkanized” structure that has significantly obstructed the adoption of widespread cloud-based applications. The variation in national regulation makes it quite difficult for the E.U. to embrace technology in a streamlined, succinct manner.
History Plays its Part
There have been compounding factors fuelling the mistrust of cloud storage in Europe. First, providers were perhaps not as aware of the issue as they should have been. Second, the establishment of data centers in each national location was not a high priority.
Furthermore, regulators have not been as overt in promoting the use of the cloud and its flexible software service models as they have in the U.S., and some would argue they have discouraged it with excessive, indirect scrutiny of outside vendor relationships, slow reform of rulebooks to accommodate cloud provision and continued debate about the exposure to such a concentrated market structure that might be viewed as an oligopoly (e.g., AWS, Microsoft, Google) through the anti-competitive lens of the E.U.
While we are on the subject of competition, it is worth mentioning that many of the larger financial institutions one would expect to forge ahead – striving to improve margins and compete in their own space by utilizing the cloud and its services models – are paranoid of the cloud companies themselves, viewing them as future competitors in their own backyard. Amazon is, in this sense, a company some large European banks have actively avoided supporting.
Don’t Underestimate the Technology
The final driver in the disparity across regions is the talent, capability and experience required to work in remote, decentralized work environments due to COVID-19. Compliance and IT departments need to quickly become more comfortable with the sophistication required to properly handle and govern data in the cloud. What’s more, firms must be able to explain this swift transformation and demonstrate a full audit trail to regulators and other third parties. The U.S. simply has more experience and a deeper bench of knowledge when it comes to the technological talent required. Europeans are more comfortable knowing that their data is “in the building.” The past six months have exposed the limitations of this approach. It’s akin to wanting to keep all of your money under your mattress.
This gap in attitude and regulation will continue to shape a landscape where the European consumer can expect personal data to be protected to the highest possible standards, but this protection comes at the expense of the competitive capability of European enterprises, who will find it increasingly hard to contend with their counterparts in the U.S. (and indeed Asia).
The Answer? Run, Don’t Walk
While the E.U.’s careful navigation of the changing cloud technology landscape is understandable, its reliance on the status quo and playing regulatory defense will leave its financial institutions struggling to keep up with U.S. and Asian counterparts. In order for some of the world’s largest financial districts – London, Paris, Frankfurt, Copenhagen, Milan – to maintain cutting-edge currency and wade through the uncertainty of the pandemic (and subsequent remote work), the E.U. will have to work toward embracing the cloud and SaaS business models in the years to come.
Looking ahead, it will be extremely important to consider creative ways to promote the benefits of cloud applications and software service models to Europe. While the E.U. will always face specific cultural barriers when considering new technologies, one way to normalize cloud-hosted service models would be to have one of its main regulators or government bodies utilize cloud technologies, similar to that of FINRA in the U.S. If an entity with vast influence were to embrace these technologies, the entire continent should soon follow suit and normalize these agile advancements while witnessing its offerings first-hand. SaaS can alter an organization from the inside-out, which is why financial firms in the E.U. should run, not walk, to embrace such a flexible solution during this unprecedented time.
Alex Viall is Head of Regulatory Intelligence at 
