Transcript of Risk & Regulatory Academy 2020 - Deloitte US
Risk & Regulatory Academy 2020
© 2020 Deloitte Central Europe
DAY 5
NON-FINANCIAL RISK
Agenda
Digitize Finance
Approaches and technological enablement in the CFO domain
Sustainable Finance
A practitioner’s perspective
AML and financial crime
New directives facing a new reality
Cloud
Services in the cloud

Speakers:
Dr. Sven Kleinknecht, Risk & Regulatory Senior Manager at Deloitte Germany
Odilon Audouin, Risk & Regulatory Leader at Deloitte France
Dr. Stefan Ebenfeld, Risk & Regulatory Director at Deloitte Germany
Thomas Wenzel, Risk & Regulatory Partner at Deloitte Germany
Georg Vetter, Risk & Regulatory Senior Manager at Deloitte Germany
Digitize Finance
Approaches and technological enablement in the CFO domain
“The biggest opportunity for big companies has come far in the digitization of internal processes.”
Jack Welch | GE
© 2020. For information, contact Deloitte Central Europe 5
Need for finance digitalization
Digitalization of the entire finance function is mandatory and inevitable in order to create sustainable, rapidly adaptable structures that ensure the long-term competitiveness of the traditional banking industry
Three drivers: Costs, Compliance, Growth

Costs: Digitalization creates a sustainable low cost basis for the operation of the finance function. Adjustments to processes and the organization can be made much more quickly and efficiently.
Compliance: In order to meet the constantly growing regulatory requirements, it is necessary to design processes digitally and efficiently.
Growth: Digitalization of finance processes supports the market areas with controlling-relevant live KPIs and enables fast and efficient product development to secure growth.
Challenges from an outside in perspective
In practice, projects with the goal of digitalizing business processes are often complex, expensive and not necessarily efficient
“KfW: IT costs get out of hand”
“Almost two years after its launch, Deutsche Bank pulls the plug on its digital project Yunar.”
“Too complex – now decentralization: Otto tilts SAP giant project”
“Digitalization project Magellan failed”
“The sales of Gold Bears are declining because the Haribo confectionery group is having problems implementing SAP”
By the time Lunar was completed in 2012, Edeka had invested a total of 350 million euros – and Reinhard Schütte, Edeka’s IT Director at the time, openly described the project as “one of the world’s most complicated SAP installations in recent years.”
Challenges
Costs: The costs associated with digitalization are often underestimated
Skepticism: Employees and managers are skeptical about the plans
E2E: Dependencies are often underestimated, which is why processes cannot be conclusively digitized
Missing strategy with vision and objectives: A clearly defined strategy, including the goals of such projects based on the vision of the company, is often missing
Technology & Competence: Internal and external competences and technological possibilities are overestimated
Derive a clear digitalization roadmap
To develop a bank-specific, feasible digitalization roadmap it is necessary to focus on more than primarily IT questions. The transformation plan should consider the key dimensions of the scoped finance organization.
Phases: Scoping, Preparation, Evaluation, Targeting, Roadmap
Key questions per dimension:
• Are you limited in the question of which units should be considered?
• Which scope is required to reorganize the target Finance area?
• What corporate structure is envisaged?
• Have you already rolled out modern working methods?
• What kind of communication can be used in the transformation?
• Who will act as a role model and take a positive stance on the topic?
• Who has the required skills in the new finance world?
• Can you bring IT, Finance & Risk together and make them work as a team?
• Do you have a clear vision of your expectations of the IT?
• What are the technical restrictions?
• Are there specifications from a group?
• Are there long-term IT cooperations?
• Are critical processes already known?
• How would you prioritize the different processes?
• Which tasks should be digitized and which owned by humans?
• Where is change particularly critical in terms of processes?
• Which run activities can be optimized and further automated?
Dimensions:
Organization: “Integration of the units relevant for achieving the CFO goal, and lay foundations”
People: “Convince your staff about the need, advantages and opportunities of digitization. Understand concerns and take away the fear”
IT Architecture & Systems: “Develop the Finance IT target architecture in compliance with the CFO vision”
Processes: “Design digital processes completely E2E without exemptions and make them scalable”
Result of our approach is a digital finance blueprint
The individual digitalization blueprint will be the basis for upcoming measures and projects to become a reporting factory which ensures compliance and delivers real impact by supporting the business units with relevant information in a timely manner.
Organization
• CFO / CRO has developed a future of finance target vision which contributes to the overall bank strategy
• Key competences of Accounting, Regulatory, Risk Controlling, Controlling and Tax have been analyzed and reorganized
• New working models have been designed
• Organizational requirements are known
• Processes to manage the transformation are in place
• High level target organizational structure is developed
• Decision making process has been evaluated and optimized
People
• Existing staff and management are convinced about the need for more digital in the finance area
• Top management has accepted that mindset change is a journey and not a switch
• Transparency of change in capacity or level of employees is highly recommended
• Skills of employees are transparent and consistently recorded to identify gaps and hire new staff
IT Architecture & Systems
• Expectations of the stakeholders are recorded and prioritized
• CFO IT target infrastructure has been developed state of the art
• Avoiding manual procedures and adjustments E2E – no exemptions
• High impact measures have been clearly identified, as well as smart measures with impact on short notice
• Software releases and upcoming changes have to be considered regarding deployment and test
Processes
• Existing processes are recorded and designed E2E
• Manual tasks are centralized for the entire CFO / CRO area
• Effective controls have to be considered at the beginning of the process redesign
• New processes are supported by new technologies like Data Visualization and RPA
Illustrative example of digitalization in accounting
Challenges within the Record-to-Report Process
Selected components of this process generate significant manual work for Accounting
Process phases: Record, Entity Close, Group Close, Financial Reporting
Components (diagram labels): Open items handling; Validation at source; Intercompany transactions; Journal Entry; Intercompany reconciliation; Next generation statutory reporting; From KPI to line item; Embedded consolidation; Integrated information; Intelligent RPA; Transaction matching; Automated operation; Account reconciliation
Focus: Account Reconciliation
The closing process is often slowed down not only by limited IT support, but also due to the setup of processes, structures and governance
Challenges
Technology Enablement
• Business units or geographies utilize numerous, disparate ERPs and/or subsystems
• Inability to easily collect and review reconciliations and exception items
• Homegrown tools developed to manage reconciliations become dated / unsupported
Governance & Compliance
• Limited ability to apply risk factors to rationalize reconciliation frequency, threshold, and risk ratings
• Policies do not define clear ownership and hand-off points in reconciliation process
• Limited transparency into the accuracy and completeness of reconciliations
Data & Analytics
• No single dashboard to review account reconciliation completeness or exceptions
• Limited visibility to reconciliation volumes, aging of out of balance items, and other KPIs
• No easy dashboard access for senior executives; Accounting needs to prepare separate PowerPoint slides
Delivery Model
• Decentralized / disparate teams performing reconciliations in various templates / formats
• Resource assignments not aligned with account risk / complexity
• Numerous resources responsible for reconciliations as limited part of job responsibility
Reconciliation process steps (diagram): Collect data and identify items; Validate and substantiate items; Sign-off / Approvals; Documentation and controls; Audit
Focus: Intercompany transactions
Automating processes for intercompany reconciliation does not solve the root causes of the problem
Common Intercompany Process (diagram: Jane Doe, Division B, London; John Smith, Division A, Los Angeles)
Challenges
Technology Enablement
• No centralized system to track all intercompany transactions
• Limited use of sub-ledger to track detailed intercompany transactions
• Manual intercompany processes (including transaction booking, settlement, reconciliation and elimination) have the potential for human error
Governance & Compliance
• No enterprise-wide intercompany policy in place to guide intercompany operations
• Manual maintenance of intercompany agreements via emails
• Business segments/units working in silos with disparate systems reduces the transparency of the end-to-end intercompany process
Data & Analytics
• Manual and time-consuming process to report and consolidate transactions
• Lack of reporting capabilities to support ad hoc and local regulatory requirements
• No global standardized chart of accounts
• Limited controls to manage master data changes
Delivery Model
• Non-standardized reconciliation templates
• Delay in intercompany reconciliation process due to inefficient tracking of end-to-end intercompany transactions
• Large volume of manual top-side elimination entries during close with limited validation
© BlackLine
Solution example: R2R Automation with BlackLine
The cloud-based platform and SAP solution extension BlackLine is a mature solution that has been on the market for 20 years, used to automate accounting processes.
At Deloitte, hundreds of consultants are certified in BlackLine modules. But a “pure plug & play” implementation is not sufficient to achieve the desired results. Deloitte can help to really transform accounting processes and controls, complying with all regulatory and audit requirements.
In more than 150 BlackLine projects globally, we helped our clients to achieve better quality of their accounting, to better manage related risks and to reduce costs.
© BlackLine
Sustainable Finance
A practitioner’s perspective
From a practitioner’s perspective, regulatory initiatives on Sustainable Finance put forward expectations that require the development of new qualitative as well as quantitative and data-driven approaches for ESG & climate risks management.
Overview
Fields of action
1. Risk identification & Risk inventory
• ESG Taxonomy: Risk factors, transmission channels and mitigation
• Methodology: (1) Climate risk heatmap & PACTA (2) ESG scoring
2. Loan origination & Credit ratings
• Loan origination: See Risk identification & Risk inventory
• Rating methodology: (1) Override/notching based on ESG score (2) UNEP FI methodology for credit risk
• Data management: (1) ESG data providers (large corporates vs. SMEs) (2) Portfolio-extension of ESG scores (shadow rating)
3. ICAAP & Climate stress testing (30y time horizon)
• Climate risk: UNEP FI methodology for credit risk
• S- and G-risks: Operational and non-financial risks
• Regulatory climate ST: (1) DNB (2018) – scenario analysis (2) PRA (2021) – fully integrated / 30y time horizon
• ICAAP: Shock scenarios for ESG & Climate risk (economic perspective)
• Climate ST (30y): (1) Forecast of PD, LGD & EAD similar to IFRS 9 LECL (2) Extension of IPCC climate scenarios (macrofinancial) (3) Enhancement of UNEP FI approach
Regulatory initiatives
TCFD Recommendations (2017) – Climate risk disclosure
• Change of paradigm: Climate risk = Financial risk
• Scope: Governance, Strategy, Risk Mgt., Disclosure (metrics/targets)
UNEP FI Methodology (2018) – Climate risk measurement
• Transition risk: Fundamental analysis of balance sheet impact
• Physical risk: LTV (mortgage) or PD (energy/agriculture) impact
EBA Guide on Loan Origination and Monitoring (2020)
• Incorporation of ESG in risk appetite, policies & procedures
• Incorporation of ESG & climate risk factors in credit ratings
ECB Guide on Climate-related and Environmental Risk (2020)
• Integration of climate (ESG) risk into existing risk categories
• Extension of ICAAP time horizon for material climate risks
EBA DP on Management and Supervision of ESG Risks (2020)
• Portfolio Alignment Method: Alignment with sustainability targets
• Risk Framework Method: Impact on portfolio and standard KRIs
• Exposure Method: Impact on individual clients & exposures
From a practitioner’s perspective, a roadmap to holistic ESG implementation should cover all aspects of the TCFD Recommendations (i.e. Governance, Strategy, Risk Management and Disclosure) with work streams aligned to the bank’s organizational chart.
A holistic approach to implementing regulatory expectations regarding ESG risks
Work streams:
• ESG Regulatory aspects
• ESG Strategy and Conceptual Design
• ESG Governance
• ESG Products/Services and Customers/Suppliers
• ESG Risk Management Cycle: Financial and Non-Financial Risks
• ESG Accounting and Disclosure
• ESG Operations and IT
Roadmap:
Step 1: Identify climate risks in portfolios, and assess the organization’s capacity to identify, measure and manage them
• Develop specific climate risk heatmap for the organization
• Leverage outside sources such as PSI heatmaps, EU taxonomy, PRI risk indicators, etc.
Step 2: Identify climate-related opportunities, and assess the organization’s capability to exploit them
Step 3: Establish overall responsibility of board and senior management regarding climate risks
• Risk strategy and risk appetite
• Roles and responsibilities
• Policies and processes
• Management reports
Step 4: Set up organization-wide strategic approach – implementation plan
• Understand impact of climate change on the organization’s risk profile
• Identify need to adapt strategy and governance
• Set clear targets, planning and budget
• Assign responsibilities and reporting lines for the project
• Ultimately, implement amendments to policies and processes
Step 5: Establish risk management cycle
Risk identification
• Use heatmaps to identify climate risk concentrations
• Perform scenario-based sensitivity analyses
Risk assessment
• Consider ESG risks in credit decisions, e.g. by extending internal ratings with ESG risk factors
• Perform dedicated climate risk scenario analysis / stress tests for credit portfolios
• Perform dedicated climate risk performance analysis for investment portfolios
Risk avoidance/mitigation and risk monitoring
• Amend risk appetite statement with dedicated climate risk limits
• Amend credit and collateral policies with dedicated climate risk rules
• Amend client and transaction acceptance with dedicated climate risk rules
• Encourage clients to transfer risk (e.g. by taking climate risk insurances)
• Mitigate impact of physical climate risks on the organization’s operations
Step 6: Set up climate risk disclosure reports
• Scope: Carbon footprinting, green/brown exposure, company engagement, ratings and research, scenario analysis, impact metrics
From a practitioner’s perspective, ESG scoring on the one hand and assessment of climate impact on borrower KPIs on the other are at the core of integrating ESG and climate related risks into credit ratings.
Credit Ratings
UNEP FI methodology for transitional climate risks
Climate scenarios
• Output of Integrated Assessment Models, e.g. IPCC climate scenario data
Top-down module (borrower level)
• Fundamental analysis – calculate impact of scenario variables on individual balance sheet & income statement
• Calculate scenario PD based on scenario balance sheet & income statement using rating system (scorecard approach)
Bottom-up module (portfolio level)
• Extrapolation of results to portfolio level based on clustering
Industry-standard implementation
• Use of scientific climate scenarios as is (IPCC data base)
• Carbon price is essential risk driver
• Impact of carbon price on BS/IS as of today (static BS/IS assumption)
• Calculate scenario-PD based on rating systems
Benchmarking of ESG scoring providers
Lessons Learned
• ESG scores are determined by aggregating partial scores and detail variables
• The sub-scores are defined by rank ordering according to certain ESG criteria
• ESG topics are assessed on the basis of two dimensions: (a) Risk exposition (b) ESG management quality
(Figure: MSCI Scorecard)
Showcase 1: Enhancement of (IPCC) Climate Scenarios
• Expansion of (IPCC) climate scenarios combining regression and auto-regression methods with expert judgement (Error Correction Model)
• Integration of incremental physical climate risks in the scenario forecasts (e.g. temperature and rainfall)
Showcase 2: Enhancement of the Credit Module
• Lifetime ECL approach (Vasicek model) is suitable for long time horizons
• Stable calibration of PD portfolio average thanks to single-factor model
• Additional borrower-level module based on UNEP FI methodology
Showcase 3: Integration of Asset Carbon Sensitivity
• Similar to scenario generation with extended scope of market variables
• Parametric representation of curves/surfaces & dimensionality reduction
• Use of advanced algorithms, esp. Big Data Analysis & Machine Learning
Milestones
• Workshop with PIK (Potsdam Institute for Climate-related Research) on 19/11/2020
• FBDC project (400 man days Sustainable Finance, thereof 100 man days Climate Scenario Extension) starting January 2021
• ClimWISE pilot project – to be started
From a practitioner’s perspective, the focus regarding climate risks is on stress testing where the UNEP FI methodology leaves room for improvement, especially in view of scenario expansion to regulatory scope, portfolio-level calibration of PD forecasts and assessment of climate risk on fair value assets.
Climate Stress Testing (30y time horizon)
Inputs and result of the climate stress test (diagram):
• IPCC database: Forecasts of climate-related variables until 2100 combined with historical data
• Forecasts of macrofinancial variables until 2100 combined with historical data
• Portfolio data: Annual default rates & calibrated Vasicek parameters
• Result: Forecasted scenario PDs
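As an added worked example (not code from the Deloitte presentation or from UNEP FI), the following Python shows the mechanics the slides name: a long-run PD from annual default rates, Vasicek single-factor conditional PDs along a path of systematic-factor values, and a lifetime ECL built from the forecast PD path. The default-rate series, the asset correlation RHO, the systematic-factor path SCENARIO_Z and the LGD/EAD/discount inputs are all constructed for illustration; the page gives no mapping from IPCC or macrofinancial variables to the systematic factor, so that mapping is assumed away and z is supplied directly.

```python
import math
from statistics import NormalDist, mean

STD_NORMAL = NormalDist()  # standard normal from the stdlib (Python 3.8+)

# Constructed annual default rates of a hypothetical credit portfolio, 2010-2019
ANNUAL_DEFAULT_RATES = [0.018, 0.025, 0.031, 0.022, 0.017,
                        0.015, 0.014, 0.016, 0.019, 0.023]

# Assumed calibrated asset correlation (the Vasicek parameter). A real value is
# the output of calibration to the default-rate history, not a constant.
RHO = 0.12


def long_run_pd(default_rates):
    """Through-the-cycle PD estimate: average of the observed annual default rates."""
    return mean(default_rates)


def conditional_pd(pd, rho, z):
    """Vasicek single-factor conditional PD.

    For unconditional PD, asset correlation rho and a realisation z of the
    systematic factor (negative z = adverse year), the defaulting share is
    Phi((Phi^-1(PD) - sqrt(rho) * z) / sqrt(1 - rho)).
    """
    threshold = STD_NORMAL.inv_cdf(pd)
    return STD_NORMAL.cdf((threshold - math.sqrt(rho) * z) / math.sqrt(1.0 - rho))


def scenario_pd_path(pd, rho, z_path):
    """Forecast scenario PDs, one per year, from a path of systematic-factor values."""
    return [conditional_pd(pd, rho, z) for z in z_path]


def lifetime_ecl(pd_path, lgd, ead, discount_rate):
    """Lifetime expected credit loss over the horizon covered by pd_path.

    Each year's marginal default probability is that year's conditional PD times
    the probability of having survived the earlier years; losses are discounted.
    """
    survival = 1.0
    ecl = 0.0
    for year, pd_t in enumerate(pd_path, start=1):
        marginal = survival * pd_t
        ecl += marginal * lgd * ead / (1.0 + discount_rate) ** year
        survival *= 1.0 - pd_t
    return ecl


# Constructed systematic-factor path for a 5-year transition scenario
# (0 = neutral year, more negative = more adverse year).
SCENARIO_Z = [0.0, -0.5, -1.0, -2.0, -1.5]


def run_example():
    """Long-run PD, scenario PD path and lifetime ECL on the constructed inputs."""
    pd0 = long_run_pd(ANNUAL_DEFAULT_RATES)
    path = scenario_pd_path(pd0, RHO, SCENARIO_Z)
    ecl = lifetime_ecl(path, lgd=0.45, ead=1_000_000, discount_rate=0.02)
    return pd0, path, ecl


if __name__ == "__main__":
    pd0, path, ecl = run_example()
    print(f"long-run PD: {pd0:.4f}")
    for year, p in enumerate(path, start=1):
        print(f"year {year}: scenario PD {p:.4%}")
    print(f"lifetime ECL: {ecl:,.0f}")
```

Note that the conditional PD at z = 0 lies below the long-run PD: the unconditional PD is the average of the conditional PD over the whole distribution of z, and the adverse tail pulls that average up. A 30-year run, as on the slide, only needs a 30-element z path.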
AML and financial crime
New directives facing a new reality
Setting the scene - key financial crime themes
Financial Crime Overview
Fraud
• Fraud can be defined as an intentionally deceptive action designed to provide the perpetrator with an unlawful gain or to deny a right to a victim.
• One famous type of fraud is the “Ponzi Scheme”. The original Ponzi Scheme was organized by Charles Ponzi and dates back to the 1920s (linked to investments in postal coupons).
Market abuse and conflict of interests
• Market abuse encompasses unlawful behaviour in the financial markets and typically consists of:
• Insider dealing
• Unlawful disclosure of inside information
• Market manipulation
International sanctions: Freezing of assets and embargo
• International sanctions cover freezing of assets and embargo. They can be linked to political sanctions against a country or region or the fight against terrorism
• Historic example of success of international sanctions: Sanctions against South Africa that led to the end of Apartheid, imposed between 1977 and 1989
Tax evasion and due diligence
• Tax evasion generally includes the deliberate concealment or misrepresentation of beneficial ownership of assets, income and gains, or otherwise fraudulent conduct, designed to divert money from the public revenue
• Several regulations and directives have recently been put in place to increase tax transparency: FATCA, CRS, DAC 6
Anti-money laundering and counter terrorism financing - AML/CTF
• AML/CTF designates legal, regulatory and operational measures for combating money laundering and terrorist financing:
• Money laundering is the processing of criminal proceeds to disguise their illegal origin.
• Terrorism Financing is the use of licit or illicit proceeds to finance organizations or acts of terrorism.
Anti-bribery and corruption - ABC
• The goal of ABC is to combat any “offer, promise, gift, acceptance or solicitation of an undue advantage of any value, in violation of applicable laws, to induce or reward a person to act or not to act within the scope of his or her duties” (Definition taken from the ISO 37001 Standard)
Key figures:
• $715bn - $1.87tn estimated to be laundered globally each year (2-5% of GDP) [1]
• $180bn spent by FSI entities globally to prevent criminal intrusion [2]
• <1% of illicit financial flows are intercepted [3]
• CxOs concerns
Sources: 1. United Nations Office on Drugs and Crime (“UNODC”): https://www.unodc.org/unodc/en/money-laundering/globalization.html ; 2. LexisNexis (March 2020) The True Cost of Financial Crime Compliance Report, p.8 ; 3. Europol (2017) ‘From Suspicion to Action: Converting financial intelligence into greater operational impact’ p. 4
The EU regulatory journey
Financial Crime Regulation
Timeline: June 1991, Dec. 2001, Oct. 2005, May 2015, Nov 2018
1st AML Directive (91/308/CEE)
• First rules for the financial sector to combat criminal money laundering
2nd AML Directive (2001/97/CE)
• Extended scope of vigilance and the obligations to report to non-financial activities
• Customer identification, record keeping
• Suspicious transaction reporting
3rd AML Directive (2005/60/CE)
• Incorporates many of the FATF Forty Recommendations
• Introduction of a risk-based approach
• Extension of ID&V
• UBOs
4th AML Directive (2015/849)
• Wider regulatory scope
• Beneficial ownership (UBO) information in centralized registers
• Expansion of the risk-based approach: tax crimes, domestic PEPs
5th AML Directive (2018/843)
• Cryptocurrency
• Prepaid cards
• High value goods
• EDD for high-risk countries
“6th AML Directive” (Directive (EU) 2018/1673)
• Harmonized definition of money laundering across all EU
• Additional offenses
• Extension of criminal liability
• Tougher punishment
7th AML Directive?
• New authority – see next slide
• On November 4th, finance ministers from European Union member states agreed to establish an EU body to fight money laundering across the bloc.
The European Commission unveils an ambitious Action Plan on which it intends to deliver by early 2021.
Financial Crime Regulation
Synthesis and perspective on the EC’s proposed measures with some actionable takeaways for obligated entities (June 2020)
1. Effective implementation of the existing AML/CFT framework
2. A single EU AML/CFT rulebook
3. EU-level AML/CFT supervision
4. Coordination and support for EU FIUs
5. Enforcing EU-level criminal law provisions and information exchange
6. A stronger EU in the world
Growing momentum behind a clear—and increasingly vocal—multi-stakeholder consensus for change.
Current & future Challenges
Financial Crime challenges
Digital disruption
Regulatory pressure
Pressure from civil society
Rapidly evolving threats & risks
Global complexity
Cost pressure
Key questions:
• How do we proactively and intelligently prevent financial crime?
• How do we stay ahead and protect against new and evolving threats?
• How do we best adopt tech-enabled approaches enterprise wide?
Take into account impact of COVID 19
Typical Financial Crime Client Journey
1. Secure & get the basics right: Establish core controls to ensure regulatory and policy compliance in all FC activities
2. Scale: Evolve to incorporate broader proposition features and increase throughput via automation and standardisation
3. Optimize: Adopt a more intelligence-led approach, leveraging insight gained over time, making use of resources and technology without compromising FC risk management practices
New FinCrime Approaches Required
• More mature institutions and jurisdictions are at an inflection point and require transformative FinCrime management approaches (moving from Secure and Resolve to more pro-active solutions)
• Demand is accelerating for next generation approaches relying on tech solutions, innovation and optimization of the Target Operating Model
Illustration – focus on processes
Financial Crime & tech
Domains: Anti-money laundering; Counter terrorist financing; Economic Sanctions; Know Your Customer - KYC
Process phases (diagram columns): KYC | Monitoring | Special Analysis
Process steps: Collect Client & Transaction Data; Scenario Development and Management; Generation and Selection of Alerts; Analysis and Investigation Process; SAR / Non-communication report
Activities in the process (diagram labels): Collect data on customers and operations; Digital Onboarding; Support documentation verification; Gather relevant transaction information; Gather relevant KYC information; Identification of additional scenarios; Scenario Tuning; Generation of Alerts; Alert Risk Scoring; Alert Assignment; Initial search for information; Initial review; Additional searches; Automated Narrative Drafts; Descriptive of the File; Transactional operational verification; Verification process; Attach information and support documentation; Report verification; SAR/Non-communication report
Automation potential (labelled Potential – Robotics and Potential – Cognitive Intelligence in the diagram):
A – Digital Onboarding: Natural and Legal Persons. Self Sovereign Wallet. Blockchain
B – Alert Risk Scoring: Leverage historical alert and case information to more effectively triage alerts for investigation
C – Alert Review Preprocessing: Collection and aggregation of information for investigation purposes
D – Alert Triage, Stratification & Smart Case Routing: Leverage disposition data for stratification, smart routing, specialized procedures
E – Automated Narrative Drafts: Automate drafting of initial case investigation summary narratives
F – Anomaly Detection / Investigator Guidance: Leverage cognitive to support and augment investigator judgement with anomaly detection
G – SAR Form Packaging: Automate population of SAR form and supporting material for review
H – Check Image Recognition: Extract check data from images for filtering and review
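To make the monitoring steps above concrete (scenario management, generation of alerts, and alert risk scoring from historical dispositions), here is an added Python example written for this page; it is illustrative code, not Deloitte's or any vendor's implementation. The transactions, the customer KYC risk ratings, the two scenario rules with their thresholds, and the historical disposition counts are all constructed; real scenarios and their parameters are calibrated per institution and per risk appetite.

```python
from collections import defaultdict
from datetime import date

# Constructed sample transactions: (txn_id, customer, booking_date, type, amount)
TRANSACTIONS = [
    ("t1", "C100", date(2020, 11, 2), "cash_deposit", 9000),
    ("t2", "C100", date(2020, 11, 4), "cash_deposit", 8500),
    ("t3", "C100", date(2020, 11, 6), "cash_deposit", 7000),
    ("t4", "C200", date(2020, 11, 3), "transfer_in", 50000),
    ("t5", "C200", date(2020, 11, 4), "transfer_out", 48000),
    ("t6", "C300", date(2020, 11, 5), "cash_deposit", 1200),
    ("t7", "C300", date(2020, 11, 20), "cash_deposit", 900),
]

# Constructed KYC risk ratings per customer and their weight in alert scoring
CUSTOMER_RISK = {"C100": "high", "C200": "medium", "C300": "low"}
RISK_WEIGHT = {"low": 0.5, "medium": 1.0, "high": 1.5}

# Constructed disposition history per scenario: (closed as false positive, escalated to SAR)
DISPOSITION_HISTORY = {"CASH_VELOCITY": (400, 60), "RAPID_MOVEMENT": (150, 45)}


def scenario_cash_velocity(txns, window_days=7, threshold=20000):
    """Alert when a customer's cash deposits inside a rolling window reach the threshold."""
    alerts = []
    deposits = defaultdict(list)
    for t in txns:
        if t[3] == "cash_deposit":
            deposits[t[1]].append(t)
    for customer, items in deposits.items():
        items.sort(key=lambda t: t[2])
        for i, first in enumerate(items):
            window = [d for d in items[i:] if (d[2] - first[2]).days <= window_days]
            total = sum(d[4] for d in window)
            if total >= threshold:
                alerts.append({"scenario": "CASH_VELOCITY", "customer": customer,
                               "txns": [d[0] for d in window], "amount": total})
                break  # one alert per customer per run
    return alerts


def scenario_rapid_movement(txns, max_days=3, ratio=0.9):
    """Alert when an incoming transfer is largely passed on again within a few days."""
    alerts = []
    inbound = [t for t in txns if t[3] == "transfer_in"]
    outbound = [t for t in txns if t[3] == "transfer_out"]
    for i in inbound:
        for o in outbound:
            gap = (o[2] - i[2]).days
            if o[1] == i[1] and 0 <= gap <= max_days and o[4] >= ratio * i[4]:
                alerts.append({"scenario": "RAPID_MOVEMENT", "customer": i[1],
                               "txns": [i[0], o[0]], "amount": o[4]})
    return alerts


def productive_rate(scenario):
    """Share of this scenario's historical alerts that investigators escalated."""
    closed, escalated = DISPOSITION_HISTORY[scenario]
    return escalated / (closed + escalated)


def score_alert(alert):
    """Alert risk score 0-100: historical productivity weighted by the customer's risk rating."""
    weight = RISK_WEIGHT[CUSTOMER_RISK.get(alert["customer"], "medium")]
    return round(100 * min(1.0, productive_rate(alert["scenario"]) * weight), 1)


def run_monitoring(txns):
    """Run every scenario, score the alerts and return them triaged by descending score."""
    alerts = scenario_cash_velocity(txns) + scenario_rapid_movement(txns)
    for alert in alerts:
        alert["score"] = score_alert(alert)
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


if __name__ == "__main__":
    for alert in run_monitoring(TRANSACTIONS):
        print(alert)
```

Scenario tuning in this structure is a change of the keyword arguments (window, threshold, ratio) rather than of the code, and the disposition counts feed back from the investigation step, so the score for a scenario drifts as its false-positive history accumulates; that is the loop the slide labels Alert Risk Scoring.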
Cloud
Services in the cloud
Essential Characteristics of Cloud Computing
On-demand self-service: A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.
Broad network access: Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations).
Resource pooling: The provider’s computing resources are pooled to serve multiple consumers, with resources (e.g. storage, processing, memory, bandwidth) dynamically assigned and reassigned according to consumer demand. The customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country or datacenter).
Rapid elasticity: Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.
Measured service: Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.
Cloud computing offerings can be assigned to specific service models depending on their type
Cloud stack layers (diagram labels): Facilities, Organization, Hypervisor, Virtual Machine, OS, Application Server, Application, Data, Client; each layer is operated either by the Cloud Service Provider or by the purchasing bank, depending on the service model (Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), Software-as-a-Service (SaaS)).
Type | Definition | Examples
IaaS | Computing infrastructure (virtualized processing, storage and network environment) as scalable and elastic service | HPC / Grid, Analytics; Web apps and services; Scenario analyses (e.g. Monte Carlo simulation); Storage services
PaaS | Design, development and implementation of applications and services on the Web; computing platform and solution package as a service | Application design, development and test environments; Data storage and access services; Web service integration; Integration of database systems
SaaS | Provider licenses application for the customer to use as service-on-demand | Non-core applications like HR and CRM; Office Productivity / Support Applications; Email, document management, collaboration and workflow
• More than 35% of IaaS revenue worldwide is estimated to be earned by Virtual Private Server (VPS)
• There are regional, small providers who do not directly compete with hyperscale providers such as AWS and Microsoft
• Small players are confined to local markets, with limited capabilities and no supporting ecosystems
• The markets considered under SaaS include offerings like ERP, CRM, Content Services, Collaboration Services, Office Suites and Supply Chain Management Solutions
• The individual growth rates across applications are remarkably high, making ERP, CRM and Office Suites reach the $10Bn mark.
• Business Process as a Service (BPaaS) has emerged lately and occupies a major chunk of the PaaS market share.
• The market size for BPaaS is $61.3B (2018), with a projected market size of about $100B by 2023, growing at a CAGR of 10.37%
• Cloud Payments, Customer Management and Human Resources are some of the major subsegments growing at ~10% CAGR under BPaaS
Market size (Source: Gartner 2018/2019 Data Packs and Press Release):
• IaaS: FY18 $39.5B, FY23 $119.77B, CAGR 24.84%
• PaaS [w/o BPaaS]: FY18 $16B, FY23 $35.72B, CAGR 17.41%
• SaaS: FY18 $80B, FY23 $158.4B, CAGR 14.64%
Key (chart segments, % = percent of market share): PaaS: Integration middleware & Database; PaaS: Application; SaaS: CRM; SaaS: Productivity Applications (Office, Content Mgt., Collaboration); SaaS: ERP; SaaS: Business Process as a Service
Market Analysis – Provider Market Share
Providers in each area remain fragmented, but there is a consensus emerging around certain leading vendors
PaaS market share: Others[1] 45.2%; Amazon 19.8%; Salesforce 15.1%; Microsoft 6.4%; IBM 4.5%; Atlassian 2.4%; Google 2.3%; Oracle 2.0%; SAP 1.9%; Informatica 1.9%; Alibaba 1.8%
SaaS market share: Others[1] 44.4%; Microsoft 18%; Salesforce 12.5%; Oracle 6.9%; SAP 6.3%; Google 3.2%; Workday 2.8%; Adobe 2.4%; Ultimate Software 1.3%; IBM 1.1%; Dropbox 1.1%
IaaS market share: Private IaaS[2] 24%; Public IaaS 76%, of which AWS 39.7%, Microsoft 7.1%, Alibaba 3%, Google 2.3%, Rackspace 2.2%, Others[1] 45.7%
Tiers: Top Tier Market Players; Mid Tier Market Players; Other Market Players
[1] Includes cross industry SaaS players (Ultimate Software, Dropbox), cross industry PaaS players (Alibaba, Informatica) and cross industry IaaS players (NTT Communications, Fujitsu, Dimension Data) in the “Others” quadrants for the aforementioned market shares.
[2] IaaS market share numbers are divided among public and private cloud vendors. Private IaaS market numbers are arrived at by calculating the difference between total IaaS market numbers and public IaaS market numbers.
Evaluation of Cloud Service Providers
AWS, Azure and GCP are the "secure" choice for public cloud providers
[Figure: Magic Quadrant (source: Gartner, May 2018) plotting Completeness of Vision (low to high) against Ability to Execute (low to high); quadrants: Niche Players, Visionaries, Challengers, Leaders]
[Figure: Capabilities of CSP behaviour in the initiation phase, compared for AWS, Azure and GCP: contract design, service reports, response speed, support capacity, regulatory understanding]
• AWS, Azure and GCP operate with a good understanding of the requirements, but access to the appropriate resources is not always easy
• There is a fundamental difference compared to conventional IT service providers in contract negotiations and in the reaction to customer needs
• Even small differences can exclude certain use cases due to regulatory requirements
• The field of relevant Cloud Service Providers is thinning out, as only a small number of competitors have the necessary performance
• AWS and Microsoft dominate when it comes to applications that are more than a pure IaaS use case, especially in the PaaS environment
• Cloud IaaS and PaaS are neither a commodity service nor a hardware rental; it is more and more about the ecosystem around the providers (service providers, expertise of employees, tools, ...)
• Regulatory issues are handled similarly well by the major cloud providers
Development of the cloud computing usage
Cloud deployment leaves the pilot phase, often driven by external pressure
Positioning Examples for Cloud Capabilities (Deloitte perspective, January 2020)
[Figure: peer-group positioning of institutions (key: special financial institution, universal bank, captive, major development bank) on Overall Maturity (low to high) against Adoption (LoB to Enterprise); rating scales: Basic / Manual to Advanced / Automated, Invested in Running to Invested in Innovation, Reactive to Proactive, Operating to Innovating]
Assessed capabilities:
• Cloud Security: proactive implementation of controls to address regulatory requirements; centralized and automated management of cloud security
• Cloud Operating Model: introduction of cross-functional teams for design, build and operate to avoid silos (product, platform and service teams); use in small and agile "Tiger Teams"
• Cloud Technology: infrastructure modernization (virtualized, containerized and focus on reusable resources); "full stack" automation; new development is "cloud first", partly with "born in the cloud" cloud-native technologies
Global examples (not shown in the peer group):
• Deployment of 300 releases per day using public cloud tools
• Use of cloud tools and automation - disruption of direct credit and process speed
• Use of "pre-built" solutions to improve time-to-market by 66%
• GlobalBank
European Regulation on Cloud Overview
Details vary, but the general thrust of regulation is very similar

EBA
• Regulation: Guidelines on Outsourcing Arrangements (02/2019)
• Objectives: harmonized framework for all financial institutions within EBA's mandate; cloud as outsourcing with special requirements
• Applicable for: credit institutions and investment firms subject to the CRD; payment and electronic money institutions
• Risk analysis: scenarios of possible risk events, quantitative analysis for large or complex institutions; concentration risks and aggregated outsourcing risks, for significant institutions step-in risks; mitigating measures; sub-outsourcing, long/complex outsourcing chains; sensitivity of data and systems; applicable law and political stability; legal, ICT, compliance and reputational risks; expected benefits and costs
• Contract requirements: clear description of the outsourced function, start date and end date, financial obligations, insurance; conditions for sub-outsourcing; information security and privacy; data location, applicable law, data recovery; monitoring, SLAs, reporting of CSP, BCM; audit rights and cooperation with resolution authorities; termination rights

EIOPA
• Regulation: Guidelines on outsourcing to cloud service providers (01/2020)
• Objectives: harmonized framework for cloud outsourcing in line with EBA guidelines; clarification and transparency to avoid potential regulatory arbitrage
• Applicable for: insurance and occupational pensions authorities
• Risk analysis: legal, ICT, compliance and reputational risks; service and deployment model, migration; sensitivity of data and systems; applicable law and political stability; sub-outsourcing and concentration risks
• Contract requirements: clear description of the outsourced function, start date and end date, financial obligations, insurance; conditions for sub-outsourcing; information security and privacy; data location, applicable law, data recovery; monitoring, SLAs, reporting of CSP, BCM; audit rights

ESMA
• Regulation: Consultation Paper: Draft Guidelines on Outsourcing to Cloud Service Providers (06/2020)
• Objectives: the purpose of the consultation is to gather evidence on the operations of the ESAs; strengthening and improvement of the effectiveness and efficiency of the ESAs
• Applicable for: ESA, financial institutions and other market participants, national supervisors/ministries, NGOs and EU institutions
• Risk analysis: information and communication technology, information security, business continuity, legal and compliance, reputational risks, operational risks, oversight limitations; service and deployment model, migration; sensitivity of data and systems; interoperability and portability; applicable law and political stability; concentration risks; privacy, service support and BCM
• Contract requirements: clear description of the outsourced function, start date and end date, financial obligations, insurance; conditions for sub-outsourcing; information security and privacy; data location, applicable law, data recovery; monitoring, SLAs, reporting of CSP, BCM, incident management; audit rights

BaFin
• Regulation: Guidance on outsourcing to cloud service providers (11/2018)
• Objectives: guidance as an orientation aid for the outsourcing of cloud services
• Applicable for: credit institutions, financial services institutions; insurance companies, pension funds; investment services companies, capital management companies; payment institutions and e-money institutions
• Risk analysis: the risk analysis is to take account of all aspects that are relevant for the supervised company in connection with outsourcing to cloud service providers, with the extent of the analysis depending on the type, scope, complexity and risk content of the outsourced items
• Contract requirements: scope of performance; information and audit rights; rights to issue instructions; data security/protection; location of data storage; termination provisions; chain outsourcing; information duties; notice of applicable law
Cloud Risks
Deloitte Cloud Computing Risk Intelligence Map
Our Cloud Computing Risk Intelligence Map provides a holistic view of cloud-specific risks that financial institutions need to address.
Usage of cloud solutions leads to additional operational risks, which are the focus of supervision
• Cloud Governance: management of the cloud at financial institutions, including staffing and qualifications, must be in line with cloud usage.
• ICS at the cloud provider (information security and privacy): requirements for the ICS environment for use at financial institutions often exceed the capabilities of the service provider and may not be compatible with the business model.
• Location, applicable law and political stability: the physical location of the data or access abroad may pose a risk.
• Sensitivity of data and systems: security, privacy, monitoring, service support and BCM in line with the data processed and the processes supported.
• Concentration Risk & Sub-Outsourcing: for the financial institution and the financial sector as a whole, from excessive outsourcing, including sub-outsourcing.
• Audit rights: granting individual inspection rights can be difficult with certain providers.
Controls in the shared responsibility model
Cloud service providers provide so-called third-party assurance as proof of their internal control system. These reports represent the CSP's ICS. In addition, the adequacy and functionality of the controls is confirmed by an audit certificate from auditors. The coverage of this third-party assurance is limited to the controls that are solely the responsibility of the CSP.
[Figure: cloud stack (Facilities, Organization, Hypervisor, OS, Virtual Machine, Application Server, Application, Data, Client) across Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS), marking at each layer whether the control lies with the Cloud Service Provider or with the purchasing bank]
Cloud governance and cloud ICS build on each other
Tracks: Cloud Governance, Cloud ICS, CSP Compliance Platform, Monitoring. The five phases run from the cloud compliance introduction to further development, with quality gates and approvals between the phases.

Phase 1: Define Cloud Strategy
• Cloud strategy
• Shared responsibility model
• Fixed written order
• Approvals and resolutions
• Deployment model

Phase 2: Establishing of Cloud Governance
• Cloud governance: outsourcing control, risk management, data protection, ISMS, GL, TOM, 2nd line

Phase 3: Define Cloud ICS
• Common cloud controls
• CSP-specific controls for Amazon, Microsoft and Google, each with complementary user entity controls
• Control areas: ASSET, BCM, COMSEC, DP, OS, CRYPT, IAM, MDM, OPS, IS, ORG, HR, SEC, INC, …
• Risks from the Cloud Computing Risk Intelligence Map

Phase 4: Parameterization of the CSP
• Compliance "guardrails" in the parameterization of the CSP, so that the measures are mandatorily observed. The aim is to use a compliance platform to restrict the degree of freedom of the users (e.g. developers) so that use is only possible within the defined cloud controls.
• Control areas as in phase 3: ASSET, BCM, COMSEC, DP, OS, CRYPT, IAM, MDM, OPS, IS, ORG, HR, SEC, INC, …
• Securing the cloud in the cloud via configuration of preventive and detective controls in the code

Phase 5: Continuous monitoring & improvement
• Cyber Threat Intelligence
• Adapt compliance platform to requirements
• Cloud Governance development
• CSP Monitoring
• Audits
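A worked illustration of the phase 4 guardrails (added here; not the deck's code nor that of any compliance platform): a preventive gate that denies non-compliant deployment requests and a detective scan over a constructed inventory, where the control ids DP, CRYPT and IAM reuse the deck's control-area labels and every rule parameter and resource record is an assumption.

```python
# Added example, not part of the deck: a minimal policy-as-code guardrail that
# limits cloud usage to a bank's defined cloud controls, used as a preventive gate
# before deployment and as a detective scan over what is already deployed.
# Control ids reuse the deck's control-area labels (DP, CRYPT, IAM); rule
# parameters and resource records are constructed assumptions, not a CSP API.
from dataclasses import dataclass, field

ALLOWED_REGIONS = {"eu-central-1", "eu-west-1"}  # DP: location of data storage
BANK_KEY_PREFIX = "bank-cmk-"                    # CRYPT: bank-managed encryption key
PUBLIC_PRINCIPALS = {"*", "anonymous"}           # IAM: no public or anonymous access

@dataclass
class Resource:
    """Constructed, provider-neutral view of a storage resource."""
    name: str
    region: str
    encryption_key: str = ""            # "" means provider default, i.e. no bank key
    principals: list = field(default_factory=list)
    data_class: str = "internal"        # "public", "internal" or "confidential"

def evaluate(res: Resource) -> list:
    """Return the ids of the violated controls; an empty list means compliant."""
    violations = []
    if res.region not in ALLOWED_REGIONS:
        violations.append("DP")
    if res.data_class != "public" and not res.encryption_key.startswith(BANK_KEY_PREFIX):
        violations.append("CRYPT")
    if PUBLIC_PRINCIPALS & set(res.principals):
        violations.append("IAM")
    return violations

def preventive_gate(res: Resource) -> bool:
    """Preventive control: a deployment request passes only if it is compliant."""
    return not evaluate(res)

def detective_scan(inventory: list) -> dict:
    """Detective control: map each drifted deployed resource to its violated controls."""
    return {r.name: v for r in inventory if (v := evaluate(r))}

# Constructed inventory: one compliant resource and two drifted ones.
SAMPLE_INVENTORY = [
    Resource("ledger-db", "eu-central-1", "bank-cmk-01", ["role/ledger-app"], "confidential"),
    Resource("export-bucket", "us-east-1", "", ["*"], "confidential"),
    Resource("logs-archive", "eu-west-1", "provider-managed"),
]

if __name__ == "__main__":
    for name, violated in detective_scan(SAMPLE_INVENTORY).items():
        print(f"{name}: violates {', '.join(violated)}")
```

The same `evaluate` rules serve both controls: the gate runs them on the request before anything is created, the scan runs them on the inventory to catch drift introduced outside the pipeline.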
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms, and their related entities (collectively, the “Deloitte organization”). DTTL (also referred to as “Deloitte Global”) and each of its member firms and related entities are legally separate and independent entities, which cannot obligate or bind each other in respect of third parties. DTTL and each DTTL member firm and related entity is liable only for its own acts and omissions, and not those of each other. DTTL does not provide services to clients. Please see www.deloitte.com/about to learn more.
Deloitte Central Europe is a regional organization of entities organized under the umbrella of Deloitte Central Europe Holdings Limited, the member firm in Central Europe of Deloitte Touche Tohmatsu Limited. Services are provided by the subsidiaries and affiliates of, and firms associated with Deloitte Central Europe Holdings Limited, which are separate and independent legal entities. The subsidiaries and affiliates of, and firms associated with Deloitte Central Europe Holdings Limited are among the region’s leading professional services firms, providing services through nearly 7,000 people in 44 offices in 18 countries.
This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited („DTTL“), its global network of member firms or their related entities (collectively, the “Deloitte organization”) is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser.
No representations, warranties or undertakings (express or implied) are given as to the accuracy or completeness of the information in this communication, and none of DTTL, its member firms, related entities, employees or agents shall be liable or responsible for any loss or damage whatsoever arising directly or indirectly in connection with any person relying on this communication. DTTL and each of its member firms, and their related entities, are legally separate and independent entities.