A digital transformation doesn’t mean simply adding a web interface to existing back-end components. It means moving from legacy software and infrastructure to modern cloud-based ecosystems. This simultaneously erases hardware, software and networking maintenance debt, while increasing agility, resilience and security, says Robert O’Connor, chief information security officer at Neocova, a St. Louis-based technology provider.

“How do you protect systems that are 20, 30 or 40 years old against new threats that are evolving every day?” he says. “[Moving to the cloud] enables you to put more resources into new features that solve customers’ security and business needs rather than maintaining aging systems.”

There are a number of benefits to moving to a cloud-based system, according to the community banks and experts we spoke to. One is an increase in business resiliency, says Lee Wetherington, senior director of strategy at Jack Henry & Associates Inc. in Monett, Mo. Cloud service providers typically invest substantially in robust disaster recovery and business continuity processes that protect bank services—“more than any single financial institution could achieve or afford on its own,” he says.

Outsourcing to the cloud also relieves the pressure to recruit and retain IT talent—a particular challenge for community banks in small towns and rural areas. That said, not just any cloud provider will do.

“Community banks should vet their choice of cloud providers against the talent that builds, runs and secures those cloud environments respectively,” Wetherington says. “That talent should also understand the unique regulatory requirements of our industry and have a proven track record of compliance.”

Perhaps most importantly, migrating to the cloud enables a community bank to further focus on “the business of banking,” says Ryan James, president and CEO of $170 million-asset Surety Bank in DeLand, Fla.

For example, James says, using a cloud-based solutions provider may mean that a community bank doesn’t have to be involved with the continuous management of climate-controlled server rooms or server operating system life cycles.

Defining the cloud

Terms community banks should know

Public cloud: Computing services offered by third-party providers over the internet. The cloud service provider manages and maintains the system. The public cloud can be as secure as a private cloud offering if the provider uses effective security methods.

Private cloud: Also called an internal or corporate cloud, private cloud computing gives companies additional control and customization options, but the company is responsible for staffing, management and maintenance expenses, rather than the cloud service provider.

Cloud service models:

  • Software-as-a-Service (SaaS) includes licensing software to customers, traditionally through a pay-as-you-go or an on-demand model. An example is Microsoft Office 365.

  • Infrastructure-as-a-Service (IaaS) involves delivering operating systems, storage, etc., through IP-based connectivity as part of an on-demand service. With IaaS, community banks may avoid purchasing software or servers. Examples include IBM Cloud and Microsoft Azure.

  • Platform-as-a-Service (PaaS) is like SaaS, but instead of software, it’s a platform for creating software delivered over the web. Examples include platforms like Salesforce.

Easing into the cloud

Many community banks may be hesitant to migrate applications to the cloud, particularly their core systems, simply because they lack familiarity with cloud-based core systems. They may be unsure how they work, how secure they are or how flexible they are, says Larry McClanahan, chief product officer at Nymbus, a banking technology solutions provider based in Miami.

“Typically, the biggest challenge is the education process,” he adds.

Bankers may assume that they have to move all of their applications at once, says Shawn Eftink, product manager of managed services at Computer Services, Inc. in Fort Collins, Colo., but banks can migrate in phases.

Most institutions start by adding some cloud-based analytics, data integrity and cleanup capabilities to their existing core processing environment, O’Connor says. “This is low cost, low risk and adds much-needed functionality and efficiency,” he adds. “Later, when they are more familiar with the cloud computing approach, they can easily migrate their core. The added benefit here is that they do not have to undergo the typical 18- to 24-month transition. Once their data is in the analytics engine, they have a smooth migration. Doing it in one fell swoop is painful, risky and expensive.”

Keith Fulton, senior vice president, CIO account processing at Fiserv in Brookfield, Wis., concurs that banks can move any individual solution to the cloud and keep their core platform in a data center. In his experience, many banks start with a customer relationship management (CRM) platform or online banking technology.

“Moving a solution to the cloud requires establishing connectivity between the core and the service in the cloud,” Fulton says. “If taking a piece-by-piece approach, the configuration will have to be changed each time a new capability moves into the cloud. Moving many solutions [at once] allows an institution to avoid rework between each stage but is higher risk and should be carefully managed.”

Future-proofing the bank

Scalability is a chief reason why First Foundation Bank in Irvine, Calif., moved many of its systems to the cloud, says Ashot Hareyan, the community bank’s vice president, solutions architect manager.

“We needed a way to be able to scale up and down resources as needed,” Hareyan says. “We went through a number of acquisitions, and any time we acquired another bank, we had a big influx of new employees and customers. So, having the ability to scale up when that occurs allows us to maintain that baseline performance that our employees and clients need.”

According to Hareyan, the necessary resources are now always available and just need to be provisioned. There is no hardware involved from the IT department’s side. The only task bank staff need to do is log in and decide how much more computing power needs to be added.

Compare this with an on-premises data center that has limits. Once that limit is hit, a community bank must buy new hardware and new servers to continue scaling up or down.

“You would have to then sell those new servers you bought, but you’re not going to get full value for them,” Hareyan says. “But if you keep servers you no longer need, you then have higher maintenance costs and other expenses that aren’t necessary.”

Developing a cloud strategy

Community bankers say a well-developed cloud strategy can translate into a successful migration process.

James says community banks should first assess potential risks during the migration process and how the bank plans to mitigate these risks. Banks should then develop a project plan that identifies all the key players, equipment, software, connections and backups. It should also identify the migration time frame and possible downtimes.

Surety Bank conducted its migration mostly over one weekend, so that all new connections and security were in place before the bank migrated one section at a time, including its Exchange Server, database servers, monitoring tools and phones.

McClanahan notes that community banks should also understand how to map data, how to map customer journeys and how each channel will be affected. The Nymbus team walks its bank clients through each of these issues and also works with bank employees to help them explain the process to customers during the migration.

When $6.9 billion-asset First Foundation Bank in Irvine, Calif., developed its cloud strategy, vice president, solutions architect manager Ashot Hareyan says it considered applications that needed to be readily available for either customers or employees to prevent significant disruption. The team also chose applications that could be more easily integrated with other applications that were also being migrated to the cloud.

“We chose to migrate our Sharepoint system, where most employees have a number of workflow service requirements that they use daily,” Hareyan says. “We also migrated our customer relationship management system, enabling our sales teams and other external-facing teams to log in remotely more easily.”

He adds that First Foundation Bank initially did a test move within each application to make sure the applications functioned correctly. “As each application was migrated to the cloud, we also migrated the interdependencies with other applications,” Hareyan says. “That way, if two applications needed to communicate shared data with one another, we wouldn’t have to build any new networking paths between applications.”

First Foundation Bank’s data warehouse system and its client-facing loan origination system are also now cloud-based. The systems that remain on-site include its archiving system for several applications that don’t need real-time access, which are “too expensive to put on the cloud,” Hareyan says. Also not migrated were applications used by very small groups of staff based in specific regions. The bank’s core is a hosted solution from Fiserv that is based in a data center.

Data governance considerations

TAB Bank in Ogden, Utah, started its cloud migration process with the migration of online banking platforms. Its consumer version was moved first and its platform for commercial customers will be completed later in 2021.

During the migration planning process, banks should keep in mind data responsibility and data management, says Curt Queyrouze, president of TAB Bank in Ogden, Utah. The community bank formed a data governance committee to better manage the process.

“When putting together and working toward one source of truth and doing it in the cloud, you find that disconnecting and connecting different data flows is much more complex than what you might first expect,” Queyrouze says. “The best thing is to bring in the right kinds of partners to help you manage this complexity, including your core provider, as well as other vendors.”

Initially, TAB Bank underestimated the complexity and the challenges of migration, says chief technology officer Nilendu Saha. Fortunately, the community bank “took it slowly” and didn’t put a hard deadline to complete the migration.

Eventually, the majority of the $959 million-asset community bank’s applications will be on the cloud, “but we’re doing it thoughtfully over time and in stages,” Queyrouze says.

“To move volumes of data from many applications in an effort to develop one ‘source of truth’ to better serve customers, you really need to be in the cloud,” he adds. “That’s where the value comes.”

And when it comes to value, it pays to think in the long term. Saha says community banks considering migrating to the cloud should first take the time to map out, quantify efficiencies and determine three to five years of cost of ownership.

“They should have a clear business case and a clear ROI mindset,” he says, “so that it can be a win-win situation.”

Keeping compliant in the cloud

Security and compliance for cloud-based solutions is a common concern among community banks, but properly vetting providers can alleviate that, says Shawn Eftink, product manager, managed services at Computer Services, Inc. in Fort Collins, Colo.

Eftink strongly recommends that community banks work with vendors that are used to working with banks, whose experts understand how to deal with compliance and know how much due diligence is necessary. Such vendors will already be aware of security challenges and compliance issues, will be able to provide reporting and can simplify the entire process on the bank’s end.

Cloud compliance begins with best-practice frameworks for information security and cloud computing, such as the National Institute of Standards and Technology Cybersecurity Framework or the NIST Zero Trust Architecture, among others, says Robert O’Connor, chief information security officer at Neocova, a cloud-based software company in St. Louis.

“Banks should look for service providers that build on these foundational frameworks by taking a holistic approach to protecting sensitive client and employee information,” O’Connor says.

A comprehensive security program begins with applying measures balanced across five mitigation groups: identify, protect, detect, respond and recover, he says. A service provider should be able to demonstrate how they have designed and implemented these mitigations.

“Regulators are looking for your service providers to demonstrate due diligence in protecting your data,” O’Connor says. “Identifying a framework, providing a threat assessment and walking them through the consistent application of mitigations against those threats covering people, process and technology will go a long way to satisfying their concerns.”