A significant shift is occurring as firms are moving away from enterprise deployments which take too long where the time to production is peppered with delay, undetermined cost and an unpredictable outcome. Radar explores the race to adapt internal systems and thinking, in an industry that has previously been a relatively slow adopter, to take advantage of the move to Software-as-a-Service (SaaS).
The migration of core systems to SaaS, a cloud computing environment where third-party providers manage applications which are entirely accessible online, was first driven by technology giants such as Google, Amazon, Salesforce and Alibaba.
They developed proprietary cloud assets, with database, infrastructure and application offerings available on an “as-a-service” basis, which remove the need for organizations to install and run applications on often slow office computers or in costly data centers. Service level agreements covering availability/performance for these cloud-based offerings now rival those available for on-premise solutions.
There are speculative reasons why it has taken financial services so long to gravitate towards SaaS, but cost and security are usually mentioned, albeit without foundation.
“Most financial services firms have been slow adopters of the cloud primarily due to data security and privacy concerns which are mostly unwarranted”, said Harshad Pitkar, CEO and founder of RegEdge. “Until recently it was widely believed that the firms’ compliance and legal teams would never bless adoption of the cloud for any critical solutions that deal with critical or sensitive information.”
This has led to the rise of “on-premise cloud instances”, he said, where firms have invested in building their own private cloud infrastructures within the larger public cloud networks (such as AWS and Azure).
“These instances now routinely host critical compliance and risk management solutions,” he said. “We are seeing a similar pattern with the adoption of pure SaaS-based cloud applications. After realizing tremendous infrastructure-related cost savings, CIOs have started exploring opportunities for additional efficiencies associated with pure SaaS-based cloud applications.”
Security, which is essential in building and maintaining client trust, tends to be stronger within SaaS because of alternative data center capability, and the sheer extent of investment made here by the main cloud providers.
The drive to remain competitive and improve margins in financial services is possibly greater than any other sector, and a better understanding of what SaaS can deliver is starting to take hold. The most progressive banks, hedge funds, insurance firms and asset managers are all entering a new innovation phase and embracing the potential risks inherent in this new approach to enable agility and flexibility, and the rewards are becoming evident.
Based on the deployment model, the SaaS market can be segmented into three limbs: public cloud, private cloud and hybrid cloud. Public cloud involves resources owned by a third-party and made available to the public via the internet; private cloud is a model that offers a distinct and secure cloud-based environment, which only the specified client can operate. Hybrid cloud combines a mixture of private and public, with orchestration between the two.
The private and public cloud models have already shown a positive trend in the market, but many firms are now leaning towards the hybrid cloud model.
“While most Chief Information Officers understand the benefits of adopting SaaS, the biggest barrier to adoption until now is the lack of comfort level around who will have access to the data, how will access be controlled, and an unclear definition of the operating model,” said Pitkar.
There are often questions over how will it be supported, who is responsible, who controls it and how cybersecurity is managed, he said.
“To address these concerns, vendors are exploring a hybrid-SaaS model as a middle ground, where firms leverage benefits associated with SaaS and share responsibilities and control,” Pitkar said. “Many are now testing this model for implementations, treating these as a proof of concept to pave the way for a full-blown cloud-based SaaS adoption if successful.”
Reliance on the perpetual “model license plus maintenance” deal is being shunned; no longer do clients buy a software instance in perpetuity with all the maintenance and technical support required to use the latest version. Much of the burden, cost and worry gets passed from the underlying client to the vendor who manages the storage, bandwidth, required processing power, and the need to run a 24/7 cloud ops team.
What are the key benefits of Saas?
The market is clear on what SaaS offers: flexibility, agility, reduced total cost of ownership and time-to-value. Computing infrastructure for capital markets is a utility, and many now see the sense in outsourcing this to an expert with this as their core business. Managing proprietary internal data centers requires keeping ahead on hardware refreshes, power density, disaster recovery and capacity planning.
“Any review of under-utilized hardware in the estates of the big banks reveals huge wastage because project scope changes, gets delayed or killed completely,” the CTO of a large investment bank told Radar on condition of anonymity. “There is a big push to consolidate hardware resources and make this modular so other internal businesses can share the cost.”
Maintenance burdens are also lowered, said the CTO of a large UK hedge fund. “If it is hosted, owned and managed by the vendor, you get updates for free and the product really lives, it’s immediately fresh,” they said. “If you host in your own environment there tends to be a lag with the feature set, there’s no automation.”
Most internal data centers are either capacity-constrained or suffer from low utilization as markets evolve. New initiatives driven by market or regulation face significant delays and upfront capital investments for acquiring hardware, for which lead times of three to six months are typical.
“With exposure to enterprise computing, people don’t know how much hardware they will need, how much data will be involved,” said the head of procurement at a European investment bank. “Everyone underestimates budgets and the time-to-value in implementation. If you can design something that is immediately scalable, you eliminate all those costs and unknowns.”
Disaster recovery planning often requires the provision of large idle capacity. The internal data-centric approach has led to the design of applications for co-location, which means global firms end up with many small data centers scattered around the world. SaaS optimizes cloud data centers’ economies of scale and diversity of workloads. Most finance workloads are “bursty” which makes them ideal for cloud, where computing resources can be shifted to different regions based on demand. A well designed cloud architecture can provide safe experimentation. Containerization, encryption at rest, virtual private cloud, granular firewalls, and the ability to redirect traffic and compute instantly, all help make the cloud more secure than internal data centers.
Combined with a high level of automation, users can achieve things on a scale that is impossible internally; the user can rent and test “always available” services offering artificial intelligence (AI) and machine learning. Pay-as-you-go has considerable appeal. “If you have no expertise you get to play and see features and see your data without making any real commitment,” said a bank CTO with considerable experience in SaaS. “On the same theme, you can test easily and spin up a new VM and keep all of this segregated from your other corporate resources. The other great thing about SaaS is that if you want a big complex set-up like a huge Hadoop cluster, you don’t have to worry about installing it or managing it, it simplifies everything.”
AI and machine learning systems can be incredibly costly. It takes time to develop these tools and software applications, including various testing and revision periods. An AI system cannot be turn-key in any accurate, reliable state. Algorithms, foundations, and machine learning techniques must be deployed to help the system be customer-calibrated and optimized.
“The advantages for vendors are clear; they can scale easily plus the automation and standardization reduces the support burden,” said the CTO of a large European asset manager. “This works both ways as it means the product can be offered at a lower price and passed on to the client. You cannot underestimate the opex to capex consideration – the opex model means you don’t have to invest in a risky way.”
The challenges of SaaS
The biggest concern, especially for financial services firms, remains security in a cloud environment. But this issue is exaggerated as in reality many of these businesses, and their enterprise vendors, have now matured significantly in terms of their approach to security off-premise. There has been so much regulatory and commercial pressure to review and improve cyber security in the last three years that only a few exceptions are not able to evaluate SaaS vendors comprehensively.
“However you put your data into the cloud, you do need to do more due diligence upfront than when you host remotely,” said a UK investment bank CTO. “You need to be careful with any loss of control to the vendor in terms of your own data when you go off-premise. It changes the commercial and contractual issues that require extra care, such as disclosure of breaches and attestation for patches.”
Tools that enable the orchestration of single-client dedicated environments in the cloud have also been developed, and these have reduced the cost of providing an exclusive and secure environment for an individual client. Some vendors can now offer a dedicated environment for each client, which is ring-fenced from any external environment and is only accessible and controlled by that client. That access can be via their own physical premises or by proxy (remote access in the client environment and through the cloud).
Data protection and data residency also ring alarm bells and require consideration of the laws and data retention requirements of each country in which they operate, and wherever their data is stored and/or processed. These risks can be mitigated with a comprehensive data mapping exercise and collaboration between vendor and institution to fully understand the data protection environment for each relevant data center.
Adopting SaaS does require a different operating model and a healthy dose of cultural change: the move results in new internal IT processes and a different set of skills to manage these processes.
“There are many building blocks involved – there are some big risk management systems that have been embedded for ten years in some cases with literally thousands of developers working on a specific platform. This makes it tremendously hard to just pick up and transition to a SaaS model. There are so many intermediate steps that need to be taken first; one element might be resilience, another could be containerization, another is security.”
Oleg Tishkevich, CEO at INVENT.us said firms most constantly think as far ahead as possible. “When considering a move to cloud and SaaS, we see firms adopt a “lift and shift” approach where they take their on-premise systems and deploy them in a cloud-based hosted environment without any improvements to their systems architecture,” he said. “Although this approach offers improvements in systems and hardware management, it does not take advantage of the true cloud-native capabilities.”
The compliance angle
On-premise deployment is dying a slow but certain death in the compliance arena in financial services as it exposes banks and other highly-regulated capital markets players to real risk and an inability to ensure effective, continuous compliance monitoring. Buying and deploying a traditional enterprise system on-premise can often involve a two-year implementation; in that time the institution remains dangerously unprotected. Compliance technologists and leaders want to be in production much faster.
But more importantly, it is increasingly about affordability. Compliance is still viewed purely as a cost so any opportunity to reduce spend here is being seized immediately. The difference between on-premise and SaaS is substantial; on-premise spend is at least 3x when accounting for hardware, maintenance, machine replacement, personnel, and the delivery of necessary IT services.
What does SaaS offer vendors?
Implementation efficiency for SaaS is very high, which makes it more sustainable as a business undertaking. It also means that the vendor can develop and iterate their product very quickly; rolling out product updates on-premise is clunky and takes considerable time. SaaS means the product can stay current, remain best-in-class, and evolve seamlessly.
From a scale point of view, on-premise limits the amount of work that can be undertaken at any given point in time. This cannot be automated as the vendor does not control the environment or the timeframe, and is unable to guarantee a great client experience. With SaaS, the software is delivered to the client on an automated basis so the vendor could complete multiple implementations rather than a finite amount with on-premise.
The institution receives a far superior service with a SaaS application. There are no limitations to time invested into the application, experimentation and testing on real data.
What is required for a vendor to offer SaaS?
The vendor must have a vertically integrated solution that it can maintain end-to-end. This means that the vendor can support the product fully, which takes significant burden off the customer. There is no doubt that the demands placed on the vendor and the restrictions in terms of product support markedly reduces the field of vendors that can actually offer fully-featured SaaS and all the benefit it brings.
Is everyone getting “religion” with the move to SaaS?
“It is an industry movement – we are designing product and platform for our clients to allow them to send RFQs to multiple market players,” said the CTO of a large US investment bank. “This creates a direct link to a suite of services between us and our clients; this change allows us to offer different product and functionality. It reduces the barrier to entry for smaller players giving them access to very high quality tech for a fraction of the current cost. The technology teams are becoming closely aligned with the digital strategy. This is a massive initiative; no longer a moonshot that requires hiring a vast amount of developers.”