While they've been hesitant (and discouraged by their bank examiners) to go all-in on cloud computing, community banks have been experimenting with cloud-like options for increasingly important pieces of software.

In so doing, they are reaping some of the cost savings and convenience gains of cloud computing while navigating the compliance rules and security and privacy expectations put on banks.

The trend is partly an acknowledgement that unlike large banks, community banks lack the staff or budget to provide state-of-the-art security on par with big cloud providers like Amazon or Google.

"The idea that a small bank would have more sophisticated data management controls and capabilities than Salesforce or Amazon is simply not a realistic view," said Peter Cherpack, senior vice president of Ardmore Banking Advisors. "As always, a balanced approach, looking at risk, reward and cost, is the way to look at the cloud opportunity."

Alex Johnson, a senior analyst in the credit advisory service of Mercator Advisory Group, also sees a small bank/large bank divide.

"A Citi or Capital One will probably feel pretty confident that they can do a better job of managing data security and complying with specific financial industry regulations than Amazon," he said. "But if I'm a small credit union, I might very well realize that if I tried to do this myself, not only would it be cost prohibitive, but I wouldn't be able to do as good of a job with security as someone like Amazon."

In one model, a vendor that writes and maintains banking software, delivers it in a hybrid arrangement — some combination of an on-premise and third-party cloud environment the vendor at least partly builds itself.CSI and Zoot are examples of vendors taking this approach. They're building a multitenant environment that they control.

"That's giving institutions in this segment a little more comfort — 'this cloud provider is the same one who's providing our software, their environment is tuned to meet all of the specific regulations we have to meet,'" Johnson said. "That's where I see movement coming in and hurdles being knocked down, that space where the software provider is also provider of the hosted environment."

Independence Bancshares in Greenville, S.C., uses Temenos's T24 core processing system. But rather than use the public cloud model the company typically offers with partner cloud providers (and which is used by Metro Bank in London), Independence runs the software on a combination of on-premise, private and hybrid cloud configurations.

"We currently don't run any of our primary systems in a public cloud environment," said Gordon Baird, CEO of the $97 million-asset bank, which is building a state-of-the-art payments system it plans to share with other banks.

Baird said the Temenos system has worked well in terms of scalability, security, and performance. "There are a number of developments that we are working on in partnership with them … in the U.S. market including [electronic funds transfer] services and mobile applications," he said.

He would consider the public cloud for some things, Baird said.

"Public cloud environments can be great solutions for non-financial businesses. There is also potential for some retail activities," he said. "But the public cloud isn't quite there yet to support enterprise financial transactions. On-prem[ises], private cloud or hybrid solutions are currently more appropriate for low latency and high security financial activities."

Cloud Partners

In another quasi-cloud scenario, an established core banking software vendor partners with a cloud provider like Microsoft, Amazon, Google, IBM, Verizon or Salesforce. Core provider Infosys inked a deal with Verizon recently to deliver its software on Verizon's enterprise cloud. Small business loan software maker nCino uses Salesforce's cloud.

This setup lets each vendor focus on what it does best.

"The owner of a public cloud environment will have to be responsible for the safety and soundness of the environment," said Don Free, a research vice president at Gartner. "Core banking providers should not own that. That's why you see more partnerships with these broader-based vendors that provide a specific capability and skill set in that environment."

United Community Bank in Blairsville, Ga., with $7.4 billion in assets, uses Small Business Administration lending software from nCino, a tech spinoff of Live Oak Bank, which itself was founded by the people who started the first online bank in the U.S. nCino refers to its Salesforce-hosted solution as cloud computing; the bank describes it as running on a private cloud. (This is almost the reverse of a scenario playing out more commonly in the industry: vendors who have full-fledged cloud offerings calling them hosted or application service provider solutions, to avoid the stigma associated with cloud computing.)

Annemarie Murphy, SBA chief operations officer at United Community Bank, was familiar with the software when she joined the bank, having been one of the original employees of Live Oak.

When looking at this type of "modified cloud" product, she said, she looks for extra security, especially at login. nCino requires two-factor authentication every time a user logs in from a different terminal.

"Our customers' privacy is still protected, as is the bank's privacy," Murphy said.

The bank does not run any core software in the cloud and Murphy said it never will; its core processing vendor is Fiserv. Loans are booked into the Fiserv system, which pushes information about them to nCino every night at midnight. The nCino software produces the loan documents.

One benefit of cloud delivery of the software is flexibility, Murphy said.

"If we buy Microsoft Word, everybody gets the exact same version," she said. "With nCino, we got to program our own processes into the system."

Examiners have complimented the software when they visit the bank, Murphy said. "Everything is electronically date-stamped, approved or not approved and you can't go back and change records," she said. "So it shows everybody what we did and when and why we did it." Examiners are set up with computers to view requested documents, whereas in the past they would have to dig through paper files in a conference room.

When vetting cloud and hybrid cloud providers, banks should verify independent audits and certifications of their hosted environments, said Johnson at Mercator.

"Every bank, depending on its size, will have different certifications it wants to see out of the hosted environment it's working with," he said. "If it in any way relates to card data, they need to be PCI certified" as being in compliance with the Payment Card Industry security standards.

Larger banks should do their own, independent security audits in which auditors go to the vendor's hosted environment, walk through the site, ask questions, and do what they need to do to certify it.

Another focus area is service level agreements. Verizon, Amazon and Microsoft all have standard SLAs worked out that offer different levels of service according to price. For bank software vendors building their own cloud environment, there will probably be a negotiation over the SLA.

"This could be a good thing if the vendor is used to guaranteeing service levels that are higher than a cloud provider like Amazon Cloud," Johnson said. "But it could also be a disadvantage if the vendor lacks experience managing a cloud environment and delivering on predetermined service levels."