Banking in the cloud: Part 2 – regulation of cloud as ‘outsourcing’

https://doi.org/10.1016/j.clsr.2017.11.006

Abstract

This paper looks at EU banks' use of public cloud computing services. It is based primarily on anonymised interviews with banks, cloud providers, advisers, and financial services regulators. The findings are presented in three parts. Part 1 explored the extent to which banks operating in the EU, including global banks, use public cloud computing services.

Part 2 of this paper covers the main legal and regulatory issues that may affect banks' use of cloud services. It sets out how EU banking regulators have approached banks' use of cloud services and considers regulators' lack of cloud computing knowledge. The paper further considers how the regulation of outsourcing applies to banks' use of cloud services, including whether cloud computing constitutes “outsourcing”. It analyses the contentious issue of contractual audit rights for regulators as well as legal and practical issues around risk assessments, security, business continuity, concentration risk, bank resolution, and banking secrecy laws.

Part 3 looks at the key contractual issues that arise between banks and cloud service providers, including data protection requirements, termination, service changes, and liability.

All three parts of the paper can be accessed via Computer Law and Security Review's page on ScienceDirect at: http://www.sciencedirect.com/science/journal/02673649?sdc=2. The full list of sources is available via the same link and will be printed alongside the third part of the article.

Introduction

This paper considers legal and regulatory issues that may affect banks' use of cloud computing. It first sets out how EU banking regulators have approached banks' use of cloud services, including issues posed by regulators' limited knowledge of cloud computing and regulatory fragmentation.

Second, the paper considers how rules developed by financial services regulators in relation to outsourcing apply to banks' use of cloud services. In this respect, it considers the extent to which use of cloud computing constitutes “outsourcing” by the bank, and if it does, whether it involves outsourcing of “critical or important” operational functions, or “material outsourcing”. The article then analyses the contentious issue of contractual audit rights for regulators as well as legal and practical issues raised by regulatory requirements such as risk assessments, security, business continuity including exit plans, concentration risk and bank resolution, continuing regulatory oversight and banking secrecy laws.

EU FS regulators' approach to cloud

The EU seems relatively “late to the party” in providing specific rules or guidance on cloud use by FS institutions. Other jurisdictions' FS regulators have previously issued such rulings or guidance, e.g. the US (FFIEC 2012). They are even updating them, e.g. Australia's APRA (APRA 2015 replacing APRA 2010), although APRA has tightened its approach, having observed “weaknesses” in Australian banks' approach to cloud risk management, and now it questions “the appropriateness of transitioning

Key issues

Initially, the main uncertainty was whether cloud could ever be acceptable to regulators in terms of compliance, i.e. whether banks could use cloud at all. That is changing. Now, at least in Member States like the UK, the issue is how to ensure the regulators' issues are dealt with adequately in the cloud solution. Understandably, providers increase their pricing for the risks and extra requirements involved in working with FS customers.

Below, we first address an issue that was consistently

Concluding remarks

Our interviews with banks, cloud providers, advisers and regulators have highlighted the main legal and regulatory issues that affect EU banks' use of cloud services. An initial stumbling block is regulators' poor understanding of how cloud services work. In this respect, EU regulators could look to the US, where banking regulators are provided with training on cloud.

A second problem is regulatory fragmentation. Contending with 28 different national interpretations of EU regulations creates

Acknowledgements

This paper forms part of the QMUL Cloud Legal Project http://www.cloudlegal.ccls.qmul.ac.uk/, Centre for Commercial Law Studies, Queen Mary University of London. The authors are grateful to Microsoft for generous financial support that has made this project possible and also to David Michels and Beata Sobkow for assistance with editing this paper for publication. The views presented herein are, however, the authors' alone.

W Kuan Hon: Director in the Privacy, Security and Information group at Fieldfisher and formerly Senior Researcher, Cloud Legal Project and Microsoft Cloud Computing Research Centre, both at the Centre for Commercial Law Studies, Queen Mary University of London.

Christopher Millard: Professor of Privacy and Information Law and Project Leader, Cloud Legal Project, Centre for Commercial Law Studies, Queen Mary University of London and Senior Counsel, Bristows LLP. Joint Director of the Microsoft Cloud Computing Research Centre.