Is The Cloud Worth The Risk?
Few innovations in financial services are as heavily dependent on technology as mobile financial services. There is the phone itself, of course, and the infrastructure of the mobile network operator (MNO) that transmits SMS messages. But there is also a complex software platform that manages the 'money' side of mobile money. That software maintains customer account records, processes transactions, and provides data to banks holding trust accounts.
But who operates the software platform? Increasingly, it is not the MNO, or a bank, but an independent service provider delivering software as a service over the Internet. As such the platform provider is seldom within the regulatory jurisdiction of the countries where its service is delivered. Its obligations are only those contained in its contract with an MNO or a bank (the 'service level agreement or SLA). This is the emerging reality of 'mobile money in the cloud'.
Cloud services offer compelling economic benefits, whether supporting mobile money for individual customers or providing MFIs with access to MIS software. But there are risks when mission critical data and operations are entrusted to the custody of third parties. How to balance the risks and benefits, how to anticipate and mitigate the risks, are questions every cloud customer (and many regulators) must now consider.
In today's discussion let's consider the risks and benefits from the diverse perspectives of customers, end-users, regulators, and IT professionals.
To start, consider this scenario: a mobile network operator (MNO) launches a mobile money product. They cannot support the required software platform so they contract with another company in a different country that operates a mobile money platform accessed over the Internet. The platform partner operates on a different continent. Soon the mobile money service has several million customers and more than a million transactions a day are being processed over the Internet. Then there is a prolonged interruption in the service, or worse, the mobile platform provider runs into financial difficulty and goes out of business. The trust account behind the mobile money service holds currency worth millions of dollars but the only record of individual customers' mobile accounts is held by the now-collapsed mobile money platform provider.
How likely is such a scenario? What are the consequences if it happens? Is a private contract enough protection for cloud customers or mobile money customers? If you were a financial regulator reviewing a proposal for this type of arrangement what is your reaction? If you are a regulator, is this the scenario that should worry you most? A lot turns on the answers to such questions, so join the debate now...
There is a familiar paradigm in the world of technology in which new innovations are first championed by a few individuals with a high tolerance for risk and change, followed only later by the broader market when experience has shown the innovations to be safe and fruitful. Cloud computing is early in that paradigm now, as a few providers and customers are now opening a path that many will later take. Though we've focused here more on the risks than the benefits of cloud offerings, we are reminded that the alternatives to cloud services are far from risk free. As Antonio suggests, the important thing is to be ready to ask the right questions and accept reasonable answers. And as Joel pointed out, no service is perfect and every interruption does not result in serious loss. It is this kind of practical experience, sometimes hard won, that once begins to dispel concern and ultimately gives rise to best practices. In the end what will insure the quality and safety of cloud based financial services offerings is well-informed consumers that seek out and reward quality providers.
Tomorrow we turn our attention to a less obvious but equally important set of concerns. Mobile money, though a tremendous asset to people in developing countries and a remarkable tool for extending the reach of financial services for the poor, is also a system that can be used for illicit purposes. While the designers and operators of these systems don't plan for this illicit use, they must be prepared to deal with regulators who will not allow the problem to be ignored. As with cloud computing, there is a balance to be struck between costs and benefits, between risks and rewards. One of the very important questions facing the future of mobile money (and ultimately all payment systems) is how to make them as easy and accessible for legitimate purposes, while making it possible to detect and prevent illicit uses. Join us tomorrow for a lively discussion of these issues.
Dear Participants,
When you are copying and pasting your text from word, you need to copy in it in a notepad or texteditor in order to strip off the code. You can then copy and paste from notepad to the site.
Thank you!
Back to the scenario with a sustained outage/permanent disappearence of a mobile money service, I’ll offer a these thoughts.
One is that not much more than a day’s activity will likely be affected as studies indicate that most recipients cash-out on the same day as senders put cash-in; the float is not enormous.
Second is that although the affected subscribers with money in the system must feel they cannot wait for cross-jurisdictional legal action to gain access to their funds at least they are comforted by the fact that their funds are still there.
Third if a service were to go out of business, in all likelihood it would do so in an orderly fashion and not burn the books and have the management disappear. Where is the incentive?
A number of services have experienced temporary outages – Safaricom’s been imperfect in Kenya and MTN in Uganda had troubles just the other day. Risk, like fraud, cannot be eliminated, but it can be managed and good customer service can repair the reputational damage.
I am reminded of a comment I heard in response to the issue of service interruptions for mobile money. Referring to banks (in Latin America) the commentor said "how often do people wait in line at the bank for half an hour only to reach the teller window and be told that there is no more cash available to dispense that day"? The point was that people in many developing countries have much lower expectations and a much higher tolerance for service interruptions (whether with the bank or the electricity) than people in industrialized countries. What might inspire panic in Europe or North America might easily pass virtually unnoticed elsewhere. Indeed this context needs to be kept in mind.
I am noticing something interesting here. There are a lot of people following this discussion, but very few contributing. That's not necessarily a bad thing, but it's curious. Clearly many are interested. After all, the cloud is becoming so pervasive that many people will soon encounter the issues we're raising if they haven't already. On the other hand, the issues raised here are probably new to many. I would be very interested to know from others if they have yet had any experience with cloud services and what issues or concerns, if any, have come up.
Hi Bryan, all:
So far, this has been an interesting discussion to follow. I have a few reflections and questions to share, that may be of interest and/or help stimulate additional contributions from others. I apologize in advance if they do not fit precisely into one particular topic. Thanks for the opportunity to contribute.
From a microfinance practitioner's perspective, with experience managing smaller/medium sized microfinance organizations, we recognize the potential and see the benefits of well designed, developed, implemented and managed core banking/MIS and mobile solutions, yet we are also challenged by the sheer magnitude of considerations involved. While we are attracted to the mobile payments/mobile financial services space and intrigued by cloud based MIS solutions, the breadth and depth of issues to research, understand and make appropriate decisions on can be beyond the capability and capacity of our organizations. The degree of confidence and technical savy necessary to not only arrive at sound conclusions, but also make reasonable estimates of ROI, justify needed investments, and undertake the requisite shifts in strategic direction that will accompany the changes are elusive.
Some questions that I am considering and wonder whether you or the others may have feedback:
1) Should a microfinance organization first focus on strengthening and/or investing in its core banking system/MIS (cloud or not cloud based), before considering how to provide or join up with providers of mobile financial services?
2) Is a solid ERP system (cloud or not cloud) perhaps a good option to build upon, given that other applications can be linked into them? Or would the amount of customization needed to make these types of platforms suitable for the core banking/MIS needs of microfinance organizations make ERP systems prohibitive? Would an ERP system link more easily to the systems of mobile solution providers, than the common core banking systems/MIS of microfinance organizations?
3) Do current cloud based offerings such as the one Jiten has described for microfinance organizations offer inherent linkages or the capability to link to other useful applications, as well as those that would support mobile financial services?
4) With the rapid pace of development of mobile solutions, and in some cases lagging development of regulatory frameworks that underpin the market for these solutions, should microfinance organizations focus on strengthening their core banking system/MIS until the environment becomes clearer, or by doing so will we miss out on the first mover advantage (if that still exists)?
Thanks again for conducting this event. As a disclaimer, I am writing these as an independent contributor, no longer directly supporting USAID's MD office through the KDMD Project.
Sincerely,
Cristian Shoemaker
-----Original Message-----
Hello Christian ... Agree with Bryan's comments and offer my perspective.
It is imperative that MFI's first focus on two items, operational process management (to ensure that there is consistency across the organization in how policies, especially credit policies, are implemented) and strengthening of their MIS before they embark on a path towards the use of mobile for their loan officers, use of mobile payments and subsequently mobile banking for their clients.
MFIs must first make an investment in ensuring a strong on-going focus on operational process management, including maintaining policies and guidelines and regular staff training, before investing in a MIS software.
Regarding starting with an ERP system, and making customizations, my two cents would be to recommend to the MFIs to wisely invest their precious funds, and to not pay for costly customizations when they have good choices for MIS software, or as I refer to it as "core banking" software, which as the name suggests offers a broad range of capabilities; and as a result the MFI would not have to incur heavy customization costs, if any. With very good SaaS offerings in the marketplace, e.g. from MicroPlanet Technologies, where MFIs "rent" the services (not just the software but also the use of hardware, technical expertise, and daily management of End of Day and Start of Day operational processes, backups, monitoring, etc) and thus avoid heavy up-front costs.
With respect to "linkages" or interface to other applications that MFIs need in their ecosystem, good core banking (MIS) software offers such capability for interoperability with other apps.
With respect to point #4, it behooves MFIs to first understand their own internal challenges before jumping on a bandwagon. Just because someone down the road is doing it does not mean that they simply jump into the fray. MFIs must absolutely assess the competitive landscape for practices, products, pricing and services. Perform good due diligene, analyse, prioritize, pilot, revise and implement.
One of the risks associated with outsourcing data storage facilities (and other key compoents of an MFS business model apparatus) to geographic locales outside of those of the core ownership structure relates to the ability of enforcement authorities to access data within the context of a cross-jurisdictional investigation. How can this issue be addressed within and outside of any SLA or other agreement structure binding all parties to an outsource structure? A second issue related to outsourcing in general concerns the contingent liability which the core business owner still bears for any illicit funds that are found to be flowing through the "pipes" of the overall business model operation, including through any of its outsourced components. How might this issue be addressed within and outside of any SLA or other agreement structure binding all parties to an outsource structure?
Any time there is a contract between parties in different jurisdictions (i.e. countries in the SaaS context) there is a question of whose law will govern the contract and any disputes. Normally the parties can stipulate which jurisdiction's law will control the agreement (and this is often the subject of intense negotiation). Such an agreement cannot, however, alter the authority of government agents in any jurisdiction. So while any SLA should address the issue of what law will affect arrangements between the parties, no one should overlook the fact that the reach of law enforcement or judicial authorities in any jurisdiction won't be affected by a private agreement.
So here's the problem. If I host my data with a provider who keeps that data in one or more data centers in another country, what is the law in those places concerning access by local authorities to my data (i.e. data owned by a non-resident, non-citizen)?
I'm not an expert, but my bet is that this is still an unsettled issue in most places.
Hi Bryan,
thanks for opening the debate. I would like to review the scenario you mentioned specifically about trust of the provider and what if they go out of business. This problem is true for any provider be they on the same continent, same country or even down the street. All business (even countries) are constantly having to perform to survive, so I think this point can be closed as being equal to any business, be it SaaS or traditional. I would also add that with any business going out of business there would be a natural transition period which would allow the provider and their clients to transition to another services: be it SaaS or offline.
The issue of trust – Again, all business is based on trust, including the business of credit, but there are different levels of trust. As a provider I would like to look at the level of trust between in-house vs. outsourced.
If an MFI has outsourced its MIS to a provider it entrusts the MIS provider with its data as well the assurance that the provided service will be delivered. From the provider’s perspective, this trust is their business; their livelihood depends on this trust and the business (income and reputation). Looking at internal/in-house resources - it is more likely as has been the case recently in many high profile banks across Europe and the US that tampering of the database has lead to internal fraud or abuse of trust. So there is a strong argument that outsourcing certain parts of a business offers more trust.
I would like to push this one step further and compare trust of a local provider vs. a SaaS and global provider. Service providers grow their business on reputation which trust is a major part of. The more exposed a provider is to a larger segment of the market the more it needs to protect the "trust" relationship with its clients hence there is more at stake because of the brand exposure.
In the case of a global SaaS provider there is the additional value of offering their clients the experienced gained from the variety and broad base of client exposure. This value is passed on to clients without additional costs. This is the value of SaaS that no national provider, who is locked in a specific geography, can offer.
Back to your scenario, you discuss the case for rapid growth (success of an idea). I believe the questions that should be asked of a SaaS provider:
- How are problems addressed when they arise
- What are the short term and long term benefits
- How can growth be sustained and managed
- How is infrastructure supported and what are contingency plans
- What impact is there to operations should there a major issue
Thanks Antonio for some great insights. Two thoughts occur to me.
First, we should draw a distinction here between a cloud based MIS service for individual MFIs and a cloud based mobile money service. A mobile money service at scale has potentially great risks for the financial system that invites scrutiny by regulators.
Second, I agree that trust is crucial and that any business can run into trouble and in this respect SaaS providers are no different. What is different is that if my supplier of printer cartriges runs into trouble my business doesn't suffer much, but if my MIS provider runs into trouble its more like losing my bank. The consequences are greater. So, as a potential customer, I must be more concerned. The issues you list are many of the right ones to ask about. But should a customer be satisfied with mere assurances, or should they require firm commitments in a written contract (before they decide to entrust their data)? Do customers actually ask for such a contract? What has your experience been?
Bryan ... Would agree with you on your first comment;
However with respect to the second comment, there are two aspects to this. First if the software provider runs into trouble then one obvious remedy, though not the only one, is to ensure at the time of the contract signing that the source code is required to be held in escrow and that the source code in escrow is updated every 6 months; second if the SAAS provider runs into trouble then the client must ensure that there is tri-party agreement between the software provider, SaaS provider (and the hosting provider) and the client on ensuring that the client continues to have access to the software and the service.
With respect to an earlier comment about addressing regulator's concerns over ready access to customer data, MicroPlanet's SaaS solution offers the MFI an option to have a "local" server at the MFI's HQ for backup purposes and/or having a "local" reporting" server at the MFI's HQ location. By taking these steps one can readily address the concerns of the regulators especially where the MFI is a regulated deposit taking institution.
There is a greater likelihood of encountering problems with the use of MIS software hosted and managed in-house by small and medium sized MFIs, i.e. tier 2, 3 & 4 MFIs, then with an outsourced model, whether it be a SaaS or a managed services model. The problems that I refer to are lack of redundancy if a component fails, lack of technical expertise, high staff turnover, etc. My point being that the MFIs stand to benefit with the use of an outsourced model.
What this shows is that any business decision has risks but most risks can be reduced or eliminated if they are anticipated and planned for. My hope is not that anyone will avoid cloud-based services, but only that they will be informed consumers. As Jiten and Antonio suggest, the best vendors will welcome informed customers with good questions because they are prepared with informed answers.
Today we will focus on cloud-based outsourcing risks in mobile financial services. Please leave your questions and comments to help us shape today's discussion.
