Banking in the cloud: Part 2 – regulation of cloud as ‘outsourcing’
Introduction
This paper considers legal and regulatory issues that may affect banks' use of cloud computing. It first sets out how EU banking regulators have approached banks' use of cloud services, including issues posed by regulators' limited knowledge of cloud computing and regulatory fragmentation.
Second, the paper considers how rules developed by financial services regulators in relation to outsourcing apply to banks' use of cloud services. In this respect, it considers the extent to which use of cloud computing constitutes “outsourcing” by the bank, and if it does, whether it involves outsourcing of “critical or important” operational functions, or “material outsourcing”. The article then analyses the contentious issue of contractual audit rights for regulators as well as legal and practical issues raised by regulatory requirements such as risk assessments, security, business continuity including exit plans, concentration risk and bank resolution, continuing regulatory oversight and banking secrecy laws.
Section snippets
EU FS regulators' approach to cloud
The EU seems relatively “late to the party” in providing specific rules or guidance on cloud use by FS institutions. Other jurisdictions' FS regulators have previously issued such rulings or guidance, e.g. the US (FFIEC 2012). They are even updating them, e.g. Australia's APRA (APRA 2015 replacing APRA 2010), although APRA has tightened its approach, having observed “weaknesses” in Australian banks' approach to cloud risk management, and now it questions “the appropriateness of transitioning
Key issues
Initially, the main uncertainty was whether cloud could ever be acceptable to regulators in terms of compliance, i.e. whether banks could use cloud at all. That is changing. Now, at least in Member States like the UK, the issue is how to ensure the regulators' issues are dealt with adequately in the cloud solution. Understandably, providers increase their pricing for the risks and extra requirements involved in working with FS customers.
Below, we first address an issue that was consistently
Concluding remarks
Our interviews with banks, cloud providers, advisers and regulators have highlighted the main legal and regulatory issues that affect EU banks' use of cloud services. An initial stumbling block is regulators' poor understanding of how cloud services work. In this respect, EU regulators could look to the US, where banking regulators are provided with training on cloud.
A second problem is regulatory fragmentation. Contending with 28 different national interpretations of EU regulations creates
Acknowledgements
This paper forms part of the QMUL Cloud Legal Project http://www.cloudlegal.ccls.qmul.ac.uk/, Centre for Commercial Law Studies, Queen Mary University of London. The authors are grateful to Microsoft for generous financial support that has made this project possible and also to David Michels and Beata Sobkow for assistance with editing this paper for publication. The views presented herein are, however, the authors' alone.
W Kuan Hon: Director in the Privacy, Security and Information group at Fieldfisher and formerly Senior Researcher, Cloud Legal Project and Microsoft Cloud Computing Research Centre, both at the Centre for Commercial Law Studies, Queen Mary University of London.
Christopher Millard: Professor of Privacy and Information Law and Project Leader, Cloud Legal Project, Centre for Commercial Law Studies, Queen Mary University of London and Senior Counsel, Bristows LLP. Joint Director of the Microsoft Cloud Computing Research Centre.