CLOUD COMPUTING AND REGULATION IN BANKING:UNCLEAR GUIDANCE FROM REGULATORS INHIBITS ADOPTION


03-2015

"THE MIGRATION OF MANY OF BANKS' DATA AND PROCESSES TO PUBLIC AND PRIVATE CLOUDS IS SET TO TRANSFORM THE INDUSTRY IN A FEW YEARS."

Abstract

This IDC Financial Insights Perspective believes the outlook for cloud computing in the banking industry is positive, and the migration of many of banks’ data and processes to public and private clouds is set to transform the industry in a few years. As a relatively new phenomenon, there is still plenty of low-hanging fruit for banks to move to the cloud in terms of non-core activities.

However, an uncertain regulatory picture still looks likely to hinder the uptake of cloud for banks’ most critical lines of business (LOBs). The relevant section of MiFID, which is included in national rulebooks such as the U.K. regulators’ Senior Management Arrangements, Systems and Controls (SYSC) handbook, has the following to say about “critical or important” operational functions:

“… the investment firm, its auditors and the relevant competent authorities must have effective access to data related to the outsourced activities, as well as to the business premises of the service provider; and the competent authorities must be able to exercise those rights of access.”

It felt that this directive, which was written before 2004 and came into force in 2007, required interpretation because a literal reading would necessitate that data be stored in a particular place, undermining the existence of a cloud.

In a traditional outsourcing environment, there could well be a physical cage around the servers of a particular company, with those servers also labeled. This means that the customer in question and the regulators could carry out a physical audit. The issue is not as clear-cut in a cloud environment.

An alternative interpretation of MiFID is that digital, rather than physical access to data, would be sufficient, meaning that the financial institution would not need to be able to specify where exactly the data was being held at any given moment. However, the position of regulators across Europe so far is that access to data must be physical.

The regulator that has been the most responsive to the subject of cloud computing is De Nederlandsche Bank (the Dutch Central Bank), partly in response to the fact that new supplier Ohpen came to market a few years ago with a cloud-based core banking solution hosted by Amazon Web Services (AWS) in Ireland. This meant that Ohpen was able to guarantee the location of the data, the data would not leave the EU, and more importantly the Dutch Central Bank would have the right and ability to audit. When Ohpen proposed its solution to a new client, a large asset manager, the different parties — the Dutch Central Bank, the client, Ohpen, and AWS — started negotiations to see how the regulators could be satisfied. It is understood that these negotiations were initiated by Ohpen.

The Central Bank was determined it needed access to all parties in the chain and the right to audit and examine data with no limitations. In practice, this meant the right to visit the datacenter. In this case, AWS had its own security concerns and required that the Central Bank could only send certified individuals and give a certain number of hours of warning before a visit. This would allow the cloud provider to prepare resources for the visit in advance. Once this was agreed, AWS announced that it had been cleared by use as a cloud provider by the Dutch Central Bank in 2013. The Dutch Central Bank in turn made announcements to the same effect for other cloud providers including Microsoft and Salesforce.com.

The understanding is that for other Dutch banks moving to Amazon’s cloud in Ireland, the negotiations will not have to happen again as long as a risk assessment is executed and the contracts contain the clauses that ensure the regulator’s rights of access and auditability. Since the agreement in 2013, the regulator is not thought to have actually visited Amazon’s datacenter in Ireland. Ohpen has since signed a second customer for its cloud-based core offering, which will go live soon.

This paper was written by Lawrence Freeborn for IDC. Please click here for the complete paper and article.

About IDC

International Data Corporation (IDC) is the premier global provider of market intelligence, advisory services, and events for the information technology, telecommunications and consumer technology markets. IDC helps IT professionals, business executives, and the investment community make fact-based decisions on technology purchases and business strategy. More than 1,100 IDC analysts provide global, regional, and local expertise on technology and industry opportunities and trends in over 110 countries worldwide. For 50 years, IDC has provided strategic insights to help our clients achieve their key business objectives. IDC is a subsidiary of IDG, the world’s leading technology media, research, and events company.

About the Author

Lawrence Freeborn is senior research analyst at IDC Financial Insights, where he covers the technological landscape of the European banking industry with a particular focus on technology and its impact, as well as emerging trends and technologies in the financial services sector. Freeborn is an experienced journalist in all areas of banking technology with specialization in core banking replacement and renovation, payment systems, branch automation, and channel strategies.