A decade ago, neither nations nor financial institutions considered digital sovereignty a top priority, nor was it even relevant enough for a coffee discussion in most cases. Supply chain globalization was the mainstream for most procurement categories, and where and what to outsource was simply a matter of buying the best possible product or service at the best possible price, shaped only by existing sanctions, regulations, and other operational risks, such as having a backup vendor ready for critical supplies.
Examples of such a global supply chain with an extremely high degree of specialization: [figure]
But the world has since changed, with supply chain disruption during COVID and new dynamics on the geopolitical stage. Now, many banks, insurers, and financial institutions want to develop more—if not full—autonomous control of their technology and operations. Sometimes this is driven by the organization's strategy, but in other cases it’s enforced by regulators, as banks’ role in the economy and society raises their criticality beyond their individual business performance.
As a consequence, the industry’s mindset has shifted from "globalization by default" to "regionalization or localization when possible." This is a transformational shift for banking that will likely take years to execute, as technology vendors are everywhere along banks’ value chain and across the entire financial ecosystem, with technology connectivity and interdependence among vendors, partners, and customers.
What is digital sovereignty?
According to the World Economic Forum, countries’ digital sovereignty refers to their ability to control their own digital destiny—the data, hardware, and software they rely on and create. By exclusion, it also means that nobody outside the country’s governance can have control over its data, hardware, and software, no one can access its technology or shut down any of its systems without consent, and no one can work around its regulations. This means the country is not reliant on any third party's willingness to follow its rules, as it’s not technically possible for anyone to take over (or shut down) any critical part of its technology, operations, or data.
Applying this at the banking organization level, it’s worth highlighting that sovereignty is not just about data residency (as this has been around for years). It also encompasses the hardware, software, and operations that banks are reliant on and even the governance of those vendors that are critical for a bank’s activity. The end objective is to mitigate, or at least better understand, risks potentially provoked by others’ decisions—such as with a vendor headquartered or running operations in a country with different regulations—or even by systemic or repetitive outages originating in other countries. For instance, an offshore outsourcing entity running a core banking system, or infrastructure provided by a domestic subsidiary of a foreign company, will likely be flagged as needing sovereignty attention.
There are 4 levels of digital sovereignty:
- Data sovereignty: Data centers located in the country or region (e.g. EU)
- Technical sovereignty: Using open standards and open source
- Operational sovereignty: Red Hat Confirmed Sovereign Support for the European Union, available both to EU customers and to anyone else who prefers this option
- Assurance sovereignty: Verifiable open source software, software bills of materials (SBOMs), and reproducible builds
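The assurance level above rests on being able to check, independently, that what you run is what the SBOM says was built. The following added example (not Red Hat's tooling, and not from the original post) embeds a constructed, minimal CycloneDX-style SBOM and compares the SHA-256 of independently rebuilt artifacts against the hashes it declares, flagging a non-reproducible rebuild, a missing rebuild, and a component with no declared hash. Component names, versions and byte contents are all made up.

```python
import hashlib
import json

# Constructed, minimal CycloneDX-style SBOM (assumed shape, not a real vendor's).
# Declared SHA-256 values are computed here from sample bytes standing in for
# the vendor's build output; a real SBOM would carry the digests as literals.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "libexample", "version": "1.2.3",
         "hashes": [{"alg": "SHA-256",
                     "content": hashlib.sha256(b"libexample-1.2.3 build output").hexdigest()}]},
        {"name": "core-ledger", "version": "4.0.1",
         "hashes": [{"alg": "SHA-256",
                     "content": hashlib.sha256(b"core-ledger-4.0.1 build output").hexdigest()}]},
        # A component shipped without any hash cannot be verified at all.
        {"name": "unhashed-tool", "version": "0.9"},
    ],
})

def verify_rebuild(sbom_json, rebuilt):
    """Compare each component's independently rebuilt bytes against the SBOM.

    rebuilt maps (name, version) -> bytes of the artifact *you* rebuilt from
    source. Returns (name, version) -> 'match' | 'mismatch' | 'not-rebuilt'
    | 'no-declared-hash'. Only SHA-256 entries are considered."""
    report = {}
    for comp in json.loads(sbom_json).get("components", []):
        key = (comp["name"], comp["version"])
        declared = [h["content"].lower() for h in comp.get("hashes", [])
                    if h.get("alg") == "SHA-256"]
        data = rebuilt.get(key)
        if not declared:
            report[key] = "no-declared-hash"
        elif data is None:
            report[key] = "not-rebuilt"
        elif hashlib.sha256(data).hexdigest() in declared:
            report[key] = "match"
        else:
            report[key] = "mismatch"
    return report

# Constructed rebuilds: the first reproduces the vendor output byte for byte;
# the second differs by one trailing byte (think embedded timestamp or build
# path), exactly the kind of drift reproducible builds are meant to remove.
REBUILT = {
    ("libexample", "1.2.3"): b"libexample-1.2.3 build output",
    ("core-ledger", "4.0.1"): b"core-ledger-4.0.1 build output!",
}

if __name__ == "__main__":
    for (name, version), status in verify_rebuild(SBOM_JSON, REBUILT).items():
        print(f"{name} {version}: {status}")
```

Any status other than "match" is a finding: a mismatch means the build is not reproducible or the artifact was altered, and a missing hash means the SBOM gives you nothing to verify against.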
The role of open source in supporting digital sovereignty
Proprietary software is controlled by the companies that develop and distribute it, and customers have very limited control over the software products they use. For example, users of proprietary software might be able to influence the software’s behavior through configuration options, but are not able to change the software’s functionality by modifying the code. They also won't be able to understand the software's functionality (and potential bugs or other issues) by reading the source code.
Even though many proprietary software companies operate internationally and fully in compliance with local regulations through subsidiaries, their internal governance often compels them to adhere to the regulation and governance of their holding parent company. A prime example of the implications of this structure is the U.S. Cloud Act (Clarifying Lawful Overseas Use of Data Act), passed in 2018, which has significant implications on banks' data residency and transit. This U.S. federal law allows U.S. law enforcement to compel U.S.-based technology companies to disclose electronic data even if the data is stored outside the United States. As a consequence, many banks had to revisit their customer data storage and transit strategies in accordance with their specific data protection regulations, for example, the EU's General Data Protection Regulation (GDPR) or India's Digital Personal Data Protection Act (DPDP Act).
In contrast, open source software is created by global communities, and developed by individuals and companies who can be located anywhere in the world.
The 4 freedoms of open source: [figure]
No government or regulation can force these communities to insert a backdoor, kill switch, geofence, or other undesired mechanism that is able to bypass the user’s controls, or in any way influence or restrict the use of the code, because the source code is available for examination by anyone at any time.
There are 2 intrinsic characteristics of open source software that are particularly suitable for digital sovereignty:
- Autonomy: Open source software is built by developers, who can be anywhere in the world, contributing to collaborative community projects. Also, there is no country or organization entitled to claim open source’s intellectual property or governance, or who can shut down applications that are using open source software.
- Transparency: Open source offers the transparency that proprietary solutions lack. Every line of open source code can be inspected and audited, not only by the organization using the software, but also by developer communities. The distributed source code management systems most commonly used in open source projects, such as Git (and GitHub, GitLab, etc.), provide changelogs, and all changes are digitally signed. This inherent transparency and traceability cultivates robust security practices, facilitates regulatory compliance, builds trust, and streamlines audit processes.
Hybrid multicloud for flexibility and resilience
One of the major sovereignty concerns is reliance on a short list of infrastructure vendors, many headquartered in a single country. This is particularly true in the cloud service providers landscape, where 3 vendors control nearly 65% of the market share globally. Even before the rise of digital sovereignty, this concentration of risk was already in the spotlight for some regulations, like the EU’s Digital Operational Resilience Act (DORA) and the UK's Prudential Regulation Authority (PRA) operational resilience policy SS1/21.
Many banks have opted for a hybrid multicloud platform, enabling control and choice with a flexible and open approach. This allows them to keep their options open as to which cloud services they use, as well as take advantage of the innovation, speed and flexibility that cloud native services have to offer.
Red Hat: Your cloud, your rules
With Red Hat enterprise open source technologies, customers can continue to use the software if their legal and commercial relationship with Red Hat ends. Red Hat is increasing its support to banks looking for sovereign options, helping mitigate risk and eliminate the burden of switching vendors. Red Hat has published its commitment to sovereign cloud principles, and introduced Red Hat Confirmed Sovereign Support for the European Union, with EU staff working under the EU’s regulations and expanding the local ecosystem.
Red Hat also provides a trusted and clearly documented software supply chain, uses secure development practices, and has strong build processes, robust packaging, and transparent distribution. Complemented by continuous monitoring and verification, all of this helps prevent non-sovereign components from being introduced and potentially disrupting service.
Red Hat’s platforms are also architected for multicloud deployments, addressing critical operational and data residency requirements. Our open hybrid cloud platform offers workload portability, so organizations can migrate workloads across different cloud providers or to their own on-premises environments. This allows them to react quickly to evolving sovereign requirements and helps improve operational resilience.
Unlocking the future with sovereign AI
There are already many model choices in the AI landscape—from the predictive models that have been around for years, to dynamic generative AI large language models (LLMs) that have popped up more recently—and there are announcements of new innovations or improvements almost every week.
Generative AI (gen AI) models have a variety of sizes, hosting options, degrees of openness, and other factors, each with pros and cons depending on the use case. This is particularly important for banking, since customer data must be protected and regulations shape the use of available technologies. There are 3 dimensions that determine if an AI is fit-for-purpose.
- Transparency: For banking use cases that will make decisions or engage with customers at inference time, it’s critical to understand how the model works and what data has been used for training. This is vital because AI hallucinations can have significant regulatory, business, and reputational implications.
- Technology and operational sovereignty: Nobody outside the bank or its supervisor governance should be able to shut down critical services at inference time. This requirement means that models cannot be hosted outside banks’ technological control.
- Customer data: Regulations make banks wholly accountable for customer data confidentiality, so they must be able to guarantee that customer data is protected and kept private. Even though some AI models contractually claim that they won't use or see customer data, the possibility of potential breach means that—for some use cases—it is preferable to use models that are closer to the customer data.
At Red Hat we believe that banks will use different AI models, infrastructure, and hardware accelerators for different use cases. We also believe that this AI platform will be closely integrated with their application platforms, live on the hybrid cloud, and share processes and tools in order to more efficiently run banks’ technology services and operations. This integrated hybrid cloud architecture will help banks keep their options open and remain future-ready as digital sovereignty requirements expand and evolve.
Learn more about what Red Hat has to offer the financial services industry.
About the authors
Héctor Arias has been the Global Lead for Retail Banking at Red Hat since March 2022. He has over 20 years of experience within the banking sector, leading business strategy, open banking, digital transformation, and new digital business initiatives for BBVA in several countries spanning Spain, the USA, and LATAM. He works with banks and partners globally, strategizing and planning next-generation technology platforms.
Mr. Armin Warda supports Red Hat’s Financial Services customers and partners in the adoption of Red Hat technology, particularly in regards to operational efficiency, security & compliance, and their journey to hybrid cloud. He is currently exploring the impact of proposed European regulations and initiatives on the financial services industry and their IT providers, such as the Digital Operational Resilience Act (EU-DORA) and the Artificial Intelligence Act (EU-AIA).
Armin joined Red Hat in 2021. Previously he worked for 22 years at Postbank Systems as a Senior IT Architect for Postbank and Deutsche Bank. Armin holds a master's degree in Computer Science from TU Dortmund and also studied at University College Dublin.