Finance Derivative

Data, sovereignty and open source – how you can stay in control of your digital destiny


Liz Warner, Chief Technology Officer, Percona

Sovereignty is a term that is everywhere in tech circles today. From a digital perspective, it concerns how much freedom you have to run your own technology and infrastructure, and where those assets are located. On the data side, it concerns how you store your data, where those storage locations are, and how that data can be used.

Traditionally, sovereignty in technology was an esoteric area concerned mainly with data privacy. Countries would require companies to retain control over their customers’ data, but what companies were allowed to do with that data varied from country to country. Many countries – and many states in the US – were relaxed about data use, while European countries had varying degrees of control and privacy restrictions in place. Germany typically required customer data to be stored in the country, subject to very strict privacy rules. The EU’s General Data Protection Regulation (GDPR) standardised much of this, leading to a rise in data control and privacy standards worldwide. Overall, standards improved, and sovereignty as such was not much of an issue.

Today, the picture is very different. Not only has the rise of AI led to more demand for data and increasingly complex questions around data use and ownership, but geopolitical shifts have pushed sovereignty to the fore. Alongside control of data, countries are looking at how those data sets are processed, where that processing takes place, and whether the processing systems are resilient to events elsewhere in the world. Cloud services have made it possible to build much larger and more flexible applications, but those same services are now under the microscope.

Today’s risk landscape has driven increased scrutiny into who owns the companies responsible for running and operating the digital systems which our economies rely on every day. Where those companies are located, and which legal systems they are governed by, is now an issue for everyone to consider.

The impact on finance and banking

For those responsible for managing risk in banks and fintech firms, resilience is essential. The economy is highly interconnected, and the flow of capital through the system has to be reliable. If one element of the system is not available for a period of time, the system itself should be able to carry on running. But if multiple elements are affected at the same time, or a big enough issue comes up, then the risk of contagion is very real.


Contagion refers to how companies in the system can be affected by issues outside their own business. Even if a company is stable and running well, a lack of incoming capital or materials can force it to cease operations. This can cascade through the system, breaking the economy for everyone, as it did in previous credit events such as the 2008 financial crisis.

The economy is now increasingly digital. In order to make financial systems more resilient, we have to take those digital systems – and the companies that run them – into account. With multiple financial firms all using the same cloud service providers, a failure at one provider could affect all of its customers at the same time, leading to market contagion and potential failure. The EU’s Digital Operational Resilience Act (DORA) codified this for companies in the banking and financial services industries, and it brings the IT and telecommunications companies they depend on into scope as ICT third-party service providers, the most systemically important of which are designated as critical.

DORA sets rules aimed at preventing single points of failure, including concentration on a single cloud services provider. According to the regulation, “In order to maintain full control over ICT [information and communication technology] risk, financial entities need comprehensive capabilities to enable a strong and effective ICT risk management, as well as specific mechanisms and policies for handling all ICT-related incidents and for reporting major ICT-related incidents.” For banks, this could mean running services across multiple availability zones of one cloud provider, using multiple cloud providers, or using hybrid deployments across private and public cloud environments. From a technical perspective, these choices can improve resilience and reduce that potential systemic risk, with one caveat: multiple availability zones protect against a data centre or regional failure, but the provider itself remains a single point of failure for an outage, an account compromise or a change in legal access to its systems, so only the multi-provider and hybrid options address that concentration.

However, sovereignty now has to come into the equation as well. Should European banks rely on technology providers that are based in other locations and under other sovereign jurisdictions? With the changes taking place in geopolitics, and less certainty around how different countries will manage relations with their technology firms over time, banks and fintech firms based in Europe have to consider where their suppliers come from as well as the kind of services they deliver. In the words of the regulation, “Irrespective of the criticality or importance of the function supported by the ICT services, contractual arrangements should, in particular, provide for a specification of the complete descriptions of functions and services, of the locations where such functions are provided and where data is to be processed, as well as an indication of service level descriptions.”

The cloud providers themselves are already taking steps to reassure customers by launching entities that are located in Europe and governed by European legislation. While these newly formed entities may be enough for some companies to consider this risk covered, others may feel that a European subsidiary of a non-European parent can still be reached by the parent’s home jurisdiction, and that they have to use fully European providers instead. That, however, represents a different form of risk, as there are fewer European cloud providers and they currently do not offer the breadth and depth of services that the US-based hyperscalers do.

The role for open source

When it comes to preventing lock-in, open source software has long been a significant factor for IT teams. Open source licences allow companies to run the software without restriction on who may use it or for what purpose; the conditions such licences do carry, such as attribution or copyleft, govern redistribution rather than use. For those who want them, support and services offerings can ensure that open source software works as designed and is resilient. As a result, there are multiple options available for support around any specific project – for example, the open source database PostgreSQL is available as several distributions from specific providers, and a range of different companies worldwide can provide support for it as needed.

Lock-in has typically been thought of as one company having a stranglehold on supplying and supporting a technology. Where sovereignty is concerned, open source software also protects against location risk. Some technology or software is only available from suppliers in a specific country or region. Open source software, in contrast, is open to anyone, anywhere, to use as they see fit.

At the same time, open source software is supported by a global community. By collaborating on these projects, companies and individuals can meet their own needs and contribute those fixes back to everyone. The outcome of this collaboration is faster innovation and a stronger base for everyone to build on. By choosing open source software for key infrastructure like databases, banks and fintech companies can avoid being tied to specific suppliers while still benefiting from that global approach to innovation. Open source software also allows more people to look for security issues in the code and in the digital supply chain behind it, which can reduce risk further. That visibility is an opportunity rather than a guarantee, however: code is only reviewed if someone actually does the work, so a bank consuming an open source component should still verify the provenance of the builds it deploys and know who maintains the project.

The community around open source is not constrained by industry or geography. Banks can collaborate on projects alongside institutions they might otherwise consider competitors, and they can work with technology suppliers – both global and local – on the code itself. If a project is critical to them, they can even fund contributors to the project to help ensure its good health.

As the technology sector evolves, banks and fintech companies have taken advantage of new developments to deliver new services to customers. Yet those innovations can depend on market conditions and geopolitical changes. As sovereignty becomes more of a requirement for technology suppliers, banks will have to plan ahead to understand their ICT third-party risk and any changes they might have to implement. Using open source software helps to guard against undesirable outcomes, reducing long-term risk and providing access to more innovation over time.
