BNP Paribas expands partnership with IBM Cloud


BNP Paribas and IBM are expanding their cloud computing partnership, the companies said Tuesday. The French bank, which has been working with IBM since 2018, plans to move nearly half its applications to a dedicated IBM Cloud environment within the bank's data centers by December 2026. The two companies did not disclose terms of the deal.

Under the expanded partnership, BNP Paribas will use an IBM Cloud zone as a disaster recovery site to which some of its most critical applications can be switched in times of emergency. These applications, which include payment systems, have higher service level agreements, according to Christophe Boulangé, chief technology officer, cloud at BNP Paribas. 

BNP Paribas's choice of IBM Cloud was driven largely by its need for security and compliance, he said.

"The ask from BNP Paribas has been to get the best of the both worlds – I mean, something that would be secure enough to look like a private cloud, while still benefiting from public cloud technology," Boulangé told American Banker. 

IBM's "keep your own key" approach to encryption was a factor, he said. Encryption keys for applications in the cloud are owned and operated by the client, so that IBM cannot access data that is client owned.

"At any point of time, we can ask to rotate the encryption key and to keep the data only for us," Boulangé said. "That was the baseline of the deal with IBM, and the intent for us was to strategically move a large part of our information system onto this cloud." By the end of next year, BNP Paribas will move several thousand applications into the cloud, he said. 

Broader use of IBM Cloud will also help the bank meet European Digital Operational Resilience Act (DORA) requirements, Boulangé said.

The announcement comes at a time when banks and the American Bankers Association have been asking cloud vendors to provide stronger security, privacy and compliance controls, especially since a 2023 Treasury Department report identified shortcomings in banks' cloud deployments. Those shortcomings included banks (especially smaller ones) lacking cloud computing expertise and leverage over their vendors, as well as the security, privacy and concentration risks inherent to cloud technology itself. Google, Microsoft and Amazon did not respond to requests for comment.

"My biggest fear is that the technology gets out of control, that you don't have adequate risk management in place, and you don't have responsible, accountable parties that are in the mix and have skin in the game," said John Carlson, senior vice president, cybersecurity regulation and resilience at the American Bankers Association, in an earlier interview. Carlson leads meetings between bankers and cloud vendors about mitigating cloud computing risks. 

Executives at BNP Paribas and Bank of America are members of the IBM Financial Services Cloud Council, which helps design what former Bank of America CIO Catherine Bessant once called a cocoon of controls covering privacy, security and compliance. The council now has 80 bank executive members who helped co-design IBM's framework for cloud security, operational controls and resiliency.

While running cloud-like technology on premises is generally more expensive than using a public cloud, European companies have to maintain sovereignty over their data because of European Union data privacy rules and DORA, a regulation that came into effect this year. "As part of that, we need to prove that we are totally in control of how we are bringing resilience to the application, and in particular to critical applications," Boulangé said.

DORA focuses on third- and fourth-party dependency on security and resiliency, according to Aly Farooqui, chief risk officer and industry executive, IBM Cloud for Financial Services. "If you think about a payment solution that BNP would be utilizing, it's not just IBM and BNP, there are other fintechs and software providers that are part of that stack," Farooqui told American Banker. "So DORA's focus is, how do you de-risk that full stack?"

Farooqui said IBM Cloud can de-risk other vendors' software and infrastructure as well as IBM tech. 

In addition to "keep your own key" encryption, IBM Cloud provides data encryption in transit, logging and monitoring, he said. "We've automated the deployment of the controls, hence creating a level of guardrails for developers, whether they're working at BNP Paribas, at IBM, or at a SaaS provider or third-party SaaS provider, that when they provision services, those controls come embedded," Farooqui said. An example of that is Cloud Object Storage, which automatically encrypts sensitive data, he said.

BNP Paribas also works with other cloud providers. In January it announced that it will integrate the Oracle Exadata Cloud Customer solution in its cloud systems by hosting it in BNP Paribas data centers. 

The need for strong cloud security, privacy and compliance will only get stronger as new security threats emerge, experts agree.

Steve Rubinow, a professor at the Illinois Institute of Technology and former chief information officer at the New York Stock Exchange, recalled giving a talk at a conference and telling people that cloud providers do a good job with security and have many security experts on staff.

"But that does not allow you to advocate your responsibility, because at the end of the day, it's your data," he told the group. "They're your applications. Nobody knows it better than you. The cloud providers don't know your data and applications. You need to secure them. They're not going to secure them for you." One attendee, the CIO of a large bank, walked out of the room. Rubinow assumed she had to take a call.

"When I caught up with her afterwards I said, I couldn't help but notice that you left in the middle of my talk," Rubinow told American Banker. "She said, 'I wasn't trying to be impolite, but when you said that we have responsibility, that we can't just outsource everything in security to the cloud vendor, I called my people and I said, are we on top of this? I did not like the answers I got.'"
