With major banks moving core operations to the cloud, how are they managing data sovereignty and regulatory compliance across different regions?
Dean Clark: Data sovereignty or data jurisdiction is a highly complex challenge in the cloud world. Working with many of the largest banks in the world, at GFT, we are yet to see any silver bullet that completely solves this challenge.
The prevailing strategies involve a mix of replicated infrastructure with locally hosted applications and data, as well as hybrid models that retain sensitive datasets on-premise in mandated jurisdictions.
Some institutions have tried complex cloud architectures, with a central cloud-hosted controlling application delegating functionality and queries down to child instances located where needed.
This approach has had mixed results, with the key challenges of continued maintenance and upgrades of the application meaning slower code releases and longer testing cycles.
Satya Samal: This is indeed a massive challenge and IBM Consulting is helping banks address these topics through multipronged approach.
Our hybrid cloud architecture helps by distributing data across on-premises and public cloud and making sure that PII data are transferred to the public cloud. We are working with hyperscalers to keep data inside the country based on regulatory requirements.
Data masking and tokenisation is another mechanism to ensure data is secured and not accessible without appropriate security clearance. Hyperscalers have also launched sovereign cloud solutions to address these issues.
Alasdair Anderson: Banks are leveraging multi-cloud and hybrid strategies to comply with jurisdictional regulations while maintaining operational efficiency.
Many adopt data tokenisation and privacy-enhancing technologies( PETs) to de-risk sensitive information before storing or processing it in the cloud.
Additionally, regulatory frameworks like GDPR, PSD2 and local banking laws are driving“ sovereign cloud” solutions, where cloud providers offer regionspecific compliance architectures.
These local clouds are becoming more readily available as different jurisdictions enforce data localisation.
94 April 2025