Banking on the cloud
04 December 2018
The financial industry has been cautious when moving functionality to the cloud, despite the obvious benefits. This is not surprising given how sensitive the industry is when it comes to privacy and security and the potential overheads this can generate. We take a look at what the regulators are saying, how banks and providers are responding and what to expect next.
The many facets of moving business functionality and capabilities to the cloud have been widely discussed in forums for a number of years. James Clash takes a brief look at various aspects of this – from the regulator’s views to the providers, the issues for banks and where cloud computing is headed.
The regulator's view
All regulators accept that cloud services can offer advantages to financial service providers, such as economies of scale, flexibility, operational efficiencies and cost-effectiveness.
Yet they also raise challenges in terms of data protection, the location of data, security issues and concentration risk. This is not only from the point of view of individual institutions, but also at the industry level – as large suppliers of cloud services can become a single point of failure when many institutions rely on them.
To avoid such issues, regulators, banks and cloud providers need to understand the implications of the variations in regulatory requirements for each region and jurisdiction in detail.
The view from Brussels
The following themes span the areas of interest to European regulators:
Security of data and systems
Prior to any cloud outsourcing, institutions should define and decide on an appropriate level of protection of data confidentiality, continuity of activities outsourced, and integrity and traceability of data and systems in the context of the intended cloud outsourcing.
Institutions should also consider specific measures, where necessary, for data in transit, data in memory and data at rest, such as the use of encryption technologies in combination with an appropriate key management architecture (for example, applying the institution's own encryption to all data held outside the organisation, regardless of the cloud-provided security, so that the cloud provider's staff cannot access sensitive data).
Location of data and data processing
Institutions that are outsourcing must take special care when entering into and executing an outsourcing agreement where the data is hosted outside EU jurisdiction. In the context of the cloud, the regulators require institutions to adopt a risk-based approach: when deciding how to approach a third-party cloud environment, an institution should consider what impact data loss or tampering would have on the organisation.
Adequate controls and measures, such as the use of encryption technologies for data in transit, data in memory and data at rest, should also be implemented. The major players in cloud provision are well aware of these challenges and generally offer such encryption by default.
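The measure described above and under "Security of data and systems" (encrypting data under keys the institution controls, so that neither the provider's default encryption nor its staff is the only thing standing between an outsider and the data) is usually implemented as envelope encryption: each object gets its own data encryption key (DEK), the DEK is wrapped with a key encryption key (KEK) that never leaves the institution's key management system, and only the ciphertext and the wrapped DEK are uploaded. The following is an added example written for this article, not code from the article or from any cloud provider; the object identifier, the KEK source and the record contents are constructed assumptions, and the KEK would in practice be held in an HSM or key management service rather than in memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EnvelopeObject is what is uploaded to the cloud store. The provider only
// ever sees a wrapped data key and authenticated ciphertext, never a plaintext
// key, so provider-side staff or a provider-side breach cannot read the data.
type EnvelopeObject struct {
	WrappedDEK []byte // per-object DEK, encrypted under the institution's KEK
	WrapNonce  []byte // nonce used when wrapping the DEK
	Nonce      []byte // nonce used for the payload
	Ciphertext []byte // AES-256-GCM ciphertext plus authentication tag
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce. The associated
// data (the object identifier) is authenticated, so an object cannot be silently
// swapped into another object's slot in the bucket.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, aad), nil
}

// open decrypts and verifies; any bit flip in nonce, ciphertext, tag or aad fails.
func open(key, nonce, ct, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, aad)
}

// EncryptForCloud generates a random 256-bit DEK for this object, encrypts the
// payload under it, then wraps the DEK under the KEK. The plaintext DEK is
// discarded when the function returns.
func EncryptForCloud(kek []byte, objectID string, plaintext []byte) (*EnvelopeObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	aad := []byte(objectID)
	nonce, ct, err := seal(dek, plaintext, aad)
	if err != nil {
		return nil, err
	}
	wrapNonce, wrapped, err := seal(kek, dek, aad)
	if err != nil {
		return nil, err
	}
	return &EnvelopeObject{WrappedDEK: wrapped, WrapNonce: wrapNonce, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptFromCloud unwraps the DEK with the KEK (which stays inside the
// institution) and then authenticates and decrypts the payload.
func DecryptFromCloud(kek []byte, objectID string, obj *EnvelopeObject) ([]byte, error) {
	aad := []byte(objectID)
	dek, err := open(kek, obj.WrapNonce, obj.WrappedDEK, aad)
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong KEK, wrong object id or tampered envelope")
	}
	pt, err := open(dek, obj.Nonce, obj.Ciphertext, aad)
	if err != nil {
		return nil, errors.New("payload failed authentication: ciphertext altered")
	}
	return pt, nil
}

func main() {
	// Constructed KEK for the demonstration; a real KEK lives in an HSM or KMS.
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	record := []byte(`{"customer":"constructed sample","iban":"PLACEHOLDER"}`) // constructed
	obj, err := EncryptForCloud(kek, "customers/42.json", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("uploaded %d ciphertext bytes and a %d-byte wrapped key\n", len(obj.Ciphertext), len(obj.WrappedDEK))
	pt, err := DecryptFromCloud(kek, "customers/42.json", obj)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %s\n", pt)
}
```

Because the KEK never goes to the provider, rotating it means re-wrapping the small DEKs rather than re-encrypting every object, which is what makes the "appropriate key management architecture" the regulators ask for operationally workable at scale.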
Access and audit rights
The right to privacy and the provision of access to inspect and audit personal data are key principles in Europe and are now enshrined in the GDPR regulations for personal data.
Those embarking on implementations in the cloud should verify their obligations under GDPR through careful analysis of the data to be held in the cloud. They must carry out their own checks of the chosen platform through real tests of the provider’s capabilities to protect, delete and provide access to personal data.
Cloud contracts must secure both the right to audit for institutions (including the third parties they appoint for these purposes and their statutory auditors) and the right of physical access to the business premises of cloud service providers. The exercise of these rights should not be impeded or limited by the contract’s terms.
If the performance of audits or the use of certain audit techniques might create a risk for another client’s environment (i.e. in a multi-tenant environment), alternative ways to provide a similar level of assurance should be agreed and set out in the contract. These alternatives include the use of third-party certifications and audit reports; the contract must also provide unrestricted rights of access and audit for the competent authority supervising the outsourcing institution.