by Babar Khan Javed

UAE banks brace for regulation change on use of public cloud

News Analysis
Oct 08, 2019

It's only a matter of time until regulators issue new rules on public cloud, and CIOs need to prepare.

In the wake of billions of dollars spent on regional data centres by U.S. tech giants, it’s only a matter of time before United Arab Emirates regulatory authorities allow banks to use public cloud services, industry insiders say. As a result, bank technology leaders will have to make big changes in their strategy, and lead a shift that is bound to happen in other Middle Eastern countries.

Due to Central Bank of the United Arab Emirates (CBUAE) regulations mainly related to security, CIOs in the banking sector of the United Arab Emirates are currently operating on a private cloud model, which means that they work with on-premise solutions. This hampers their ability to compete internationally.

“Banks in the UAE are competing in the tech-driven innovation space, but their cloud adoption strategy has yet to gain maturity,” said Ali Khan, a Senior Director at PwC Middle East.

Even those banks known for adopting leading-edge software are running on private clouds.

For instance, Emirates NBD has a cloud strategy based on the private cloud wherein the cloud software is deployed on an in-house data center. The bank has gained attention for innovative tech initiatives. But both Liv, an app for retail customers, and E20 — a digital bank for SMEs — run on on-premise data centers, with the former running on VMware powered by Red Hat OpenShift.

Public cloud to enable greater bank agility

The ability to use public cloud services would bring enormous benefits to banks, industry analysts say.

“Apart from the benefit of cost savings, greater agility, and higher efficiencies which public cloud services offer, banks would be able to create the real omnichannel experience for its customers,” said Eric Samuel, a senior analyst at IDC for the Middle East and Africa. “They will also be able to launch new products and services for their customers real fast, which would eventually differentiate one bank from the other.”

The CBUAE issued the Regulatory Framework for Stored Values and Electronic Payment Systems in January 2017, placing data transfer restrictions on payment systems providers. Due to this, all user and transaction data must be stored and retained exclusively within the borders of the UAE — excluding financial Free Zones — for a period of five years from the date of the original transaction.

A study by Deloitte suggested that this is why cloud adoption in the UAE, despite government efforts to embrace emerging technology, is between 15% and 20% — in a region where 18% is the average.

Otherwise, the good news for enterprise CIOs is that the government is serious about emerging tech.

UAE gov’t supports digital transformation

“[The UAE government] are running like hell into digital transformation,” said Nader Ghazal, a Partner at i-DOT, a digital transformation consultancy in the UAE. “The Dubai government already decided that by the mid-2020, all of their governmental transactions will be on the blockchain platform, which is – by nature – public cloud.”

Meanwhile, since Microsoft, Google, and Amazon have spent billions of dollars on data centers in the Gulf Cooperation Council, it is no longer a matter of whether the CBUAE will give the go-ahead for public cloud, but when, industry sources said.

“These investments are definitely happening in discussions with government authorities,” noted IDC’s Samuel. “These investments in local data centers, which are in line with the discussion with government agencies, will help formalize cloud regulations and subsequently refinement of the same. That will bring clarity on data storage and will demystify the ambiguity surrounding usage of public cloud services.”

A decision on rules change is likely months away, though, since the CBUAE doesn’t even have a document on what the rules would be, giving CIOs in banking plenty of time to invest in platform and service engineering, sources said.

“The regulator has always been very forward-looking in terms of introducing new concepts,” said Khan. “They have a unique ability to time the market correctly and release guidelines right on the cusp of when there is a burgeoning need. We see that with many inflight initiatives that are being planned now for a rollout next year. The cloud, however, potentially is of a 12- to 18-month horizon away from being given the go-ahead.”

Bank CIOs need to prepare for public cloud

In the lead-up to a CBUAE decision opening the gates for a cloud-first strategy, tech leaders at UAE banks need to carry out cloud engineering work. This is so that the cloud-platform choice — be it Azure, Amazon Web Services, Oracle Cloud or Google Cloud — is ready for enterprise consumption. Signing up for a service is not enough. Bankers need to ensure that DevOps services, network services, access authentication and authorization, core services, application services, and financial services interoperate and comply with security services and regulations.

The first step would be to understand the government and sector-specific regulations, Samuel said.

“Based on the data governance policies, banks would have to engage in (a) data classification exercise to identify the data which can migrate to the public cloud environment,” Samuel said. “Streamlining of processes and information capture whilst investing in the right security tools would help banks to migrate their workloads to public cloud services with ease. Ensuring business continuity and data integrity during the ‘lift and shift’ exercise will be crucial.”

Once the needed system tweaks are done and the CBUAE offers a go-ahead, banks will have the ability to turn on cloud-first offerings instead of spending 15 to 24 months on platform engineering and service engineering in order to roll out new services. In a 5G ecosystem, speed to market is the name of the game.

A cloud-first strategy replaces capital expenditures with operational expenditures and reduces time to market for software releases.

Industry experts told CIO Middle East that the bigger banks in the UAE may struggle with this change, with layers of bureaucracy holding back bank technology due to internal politics, whereas small or privately owned banks will have a competitive advantage if the CEO or CTO understands the value of cloud.

In Europe and the U.S., large corporations have adopted a multicloud strategy wherein all eggs are not in one basket. Depending on the application — such as Know Your Customer — the platform that gives the best performance is selected. Banking CIOs in the UAE would need to think the same way, adopting a cloud-agnostic view, and partnering with platforms that offer beneficial terms and licenses.

“Cloud-based practices and efficiency measures are limited in discussion and need to be significantly enhanced in the next three years,” said Khan. “Financial services will need the cloud if they are to effectively move towards the use of AI (in automating processes and decision sciences), becoming a platform (for Fintech partnerships), and reduce IT costs.”