To cloud or not to cloud?

Updated 12 Oct 2020



It takes one visit to a bank, especially a government-owned one, to get a sense of how things used to be done in the days of our ancestors. Just waiting in a 15-person queue to deposit your cash is a needlessly lengthy process. And, God forbid, if you actually want anything more demanding than that, then you are in for the long haul.

Be it submitting every single document in your possession just to open an account or waiting for weeks for a credit card, Pakistani banking makes you wonder how an entity can still operate like this in the modern age despite every technological sophistication at its disposal. The banks often attribute this experience to the regulatory framework, which limits their room for digital transformation.

What that largely means is that in the age of software and cloud solutions, banks are still required to do things the old way: get systems deployed on their own servers, thus limiting their access to the best products available in the market.

A change to this end was initiated by the State Bank of Pakistan (SBP) on Sept 28, allowing financial institutions to undertake cloud-based outsourcing arrangements for non-core operations and business support processes such as HR modules, procurement functions etc.

The cloud industry is not too excited about the SBP’s latest announcement. It believes the decision discriminates between local and global service providers.

“However, all other banking applications and allied infrastructure, which are used to store and process customers’ information relating to deposits, loans and credits and details of balances and transactions in ledger accounts of customers/borrowers, shall not be placed under cloud-based outsourcing arrangements,” the circular stated.

The move greenlights the financial institutions’ use of third-party software for a range of functions, such as Zendesk for customer service or Slack for communication. Unsurprisingly, the banks received this news well, hoping this would truly spur the transformation they had been speaking about at conferences for so long.

“This is the result of two to three years of engagement with the SBP and would help reduce the costs incurred because of on-premises deployment, which requires infrastructure, licensing, backup environment etc,” says the head of digital banking operations at a small commercial bank. “Cloud can bring that original bill down to 60-70 per cent of the level,” he adds.

It also potentially paves the way for local cloud service providers, who until now had limited access to financial institutions. Given the general lack of a regulatory framework for data storage and security in the country, some other industries also follow the lead of banking, which is overseen by the SBP. In that sense, the latest circular's effect could spread beyond banking as well.

However, the cloud industry itself is not too excited about the SBP’s fresh stance. The primary reason, they say, is that the circular lays out differing treatments for local and global service providers.

“(Financial institutions) shall ensure that their internal/external auditors and (the) SBP have (the) right to conduct audit and on-site inspection of the CSP or its subcontractor. Further, there should be no restriction or prohibition on visit by audit or SBP staff or such visits are otherwise not impractical. In case where audit cannot be conducted for a valid reason(s), (financial institutions) may rely on internationally recognised third-party certifications and reports made available by CSP,” the document reads.

The key word here is “impracticality” which ‘practically’ rules out the audit of global CSPs considering their servers are in lands far away while the domestic providers can be subject to it whenever required. “It lets the international players avoid audits by producing compliance certificates but that same liberty is not afforded to us even though we too obtain those same licences (since no local standards exist),” says the head of a local cloud company on the condition of anonymity.

“How would they verify the segregation of critical and non-critical as the circular directs? What’s the methodology here?

“It would also render law bodies dealing with financial crime (Federal Investigation Agency, National Accountability Bureau and Inter-Services Intelligence, depending on the nature and severity) unable to get that data as there is no way the global CSPs will cooperate,” they add.

In banking, too, it might trigger a rush for international software products, making things even more difficult for the locally available options that already struggle to get a share of the domestic market. However, the former secretary general of the Pakistan Software House Association, Shehryar Hydri, believes the SBP’s decision will be a net positive over the next five years.

“The issue is bigger than banking or the SBP: once the financial institutions move to the cloud, there will be spill-over effects and other industries will follow,” he says, adding, “You can only temporarily block global CSPs… the local options don’t have the same features.”

“In the short term, they might lose banking customers but the move will put Pakistan on the radar of international players who until now haven’t taken any interest due to thin volumes. Not only that, the local talent will also learn the global cloud tools, making them better equipped to compete in the international market,” Mr Hydri adds.

We can probably make an argument that in order to drive IT exports, there first needs to be local consumption of domestic products: grow the home market at the same time as marketing yourself as an outsourcing hub, like India did. But then, insulating ourselves from global technology, which in one way or another transcends borders, will only hurt us and render our firms completely uncompetitive. Whatever policy we adopt in the end, it has to consider these factors in a more nuanced manner than simply going for blanket protection or libertarian-style openness.

Published in Dawn, The Business and Finance Weekly, October 12th, 2020