With Many Businesses Heading for the Cloud, Why do Regulators Still Have Their Feet on the Ground? | Wolters Kluwer

    By Martyn Oughton

    Published February 26, 2018

    Cloud computing has the potential to be the single biggest disruptor to traditional IT infrastructures in financial services businesses in living memory (no, that is not an exaggeration). The potential savings from moving the storage of data, the development of applications and the hosting of software from physical locations to virtual ones are substantial enough to change entire business models. However, with great opportunities come great risks – especially the loss of physical control over IT systems, and the passing of that control to third parties.

    This leads to the expectation that financial services regulators would respond in line with this development, and make sure that firms are not creating risks to consumer outcomes, to business continuity, and ultimately to those regulators’ statutory objectives. So far, though, the response from regulators has been muted, to say the least.

    So, are the regulators storing up problems for the future by taking this approach, or is it proportionate, given the way that cloud computing has developed in practice so far? This is something worthy of further investigation, especially for businesses that operate on a cross-border basis.

    Heads in the clouds

    There is something of a mystery about cloud computing, with the myth that it is complicated and difficult to understand because of the amount of jargon surrounding its processes. However, what it boils down to is this. Instead of holding data and applications in physical data centres with banks of servers to maintain, firms can effectively outsource these to a third-party provider who hosts the data on remotely located servers, accessed via the internet. This means vastly reduced costs for businesses, as they are paying for access to someone else’s servers as and when they need it, and they only pay for what they use. If they need more, they pay more, and if they need less, they pay less.

    It sounds like a win-win situation, and as a business, cloud computing has grown exponentially over the last few years, with big players such as Amazon and Microsoft achieving significant scale and market share.

    But of course, with shifts to virtual IT infrastructures come risks, in particular loss or compromise of data and concerns over continuity risks. Financial services businesses in particular have to be mindful of their regulatory obligations, both in terms of their customer relationships and the integrity of their operations.

    So, what have regulators done to respond to this growing trend?

    Muted response

    It is fair to say the response so far from regulators has been relatively low-key, with a strong focus on guidance as opposed to rules.

    Starting in Europe, the FCA appeared to be relatively early out of the starting blocks with its Finalised Guidance for firms looking to outsource or to use third-party IT services. Whilst this was only finalised in June 2016, the work can be traced back to a document called “Considerations for firms thinking of using third-party technology (off-the-shelf)”, published in June 2014.

    In the EU, corresponding guidance took a little longer to finalise, with the European Banking Authority finalising its report setting out its recommendations on outsourcing to cloud providers at the end of December 2017.

    In both cases, the overall message to firms is similar. Yes, you can go ahead and enter into outsourcing arrangements with third party suppliers of IT services (including cloud services), but bear in mind both the existing regulatory requirements that apply to material outsourcing arrangements, as well as the security requirements that will apply under the General Data Protection Regulation (GDPR).

    In the U.S., the picture regarding regulatory requirements for cloud computing appears more fragmented, with specific requirements applying to particular sectors, as opposed to one regulator taking overall responsibility. Two of the main sources of regulatory requirements are the Payment Card Industry Data Security Standard (PCI DSS) and the Federal Information Security Management Act (FISMA).

    In the former instance, maintaining PCI DSS compliance in cloud operations requires following a set of guidance that majors on the security of the physical infrastructure and the security of the data network. Some cloud providers, such as Amazon, have already attained PCI DSS compliance, although that is not to say that other providers and new entrants will not have to work hard to achieve compliance themselves.

    FISMA, on the other hand, is concerned solely with information held by government bodies, and in particular with keeping it safe and secure. To help achieve this, Federal bodies need to consider guidance issued by the National Institute of Standards and Technology, which establishes the level of controls required around protection of data, as well as how to carry out risk assessments and how to monitor the effectiveness of those controls.

    One common theme runs through all of this – guidance. Regulators on both sides of the Atlantic appear reluctant to directly legislate or make rules by which firms must run their outsourced cloud computing operations.

    At first glance, this looks like a disproportionate response – but is it really?

    Growth in the clouds

    Cloud computing as a concept is hardly new. Retail applications providing online storage and backup have been around for many years now, and cloud computing for businesses at its most basic level is a scaled-up version of those retail offerings. The development of business cloud services ramped up in the early 2000s and since 2010 has been boosted substantially by the offerings from Microsoft and Amazon, which currently dominate the market.

    But as far as financial services is concerned, the take-up of cloud services so far appears to have been focused mainly on peripheral services, for example human resources administration. The reticence is hard to explain for certain, but is likely to be born of a fear of regulatory sanction when things go wrong, as well as the implications of data losses or security breaches, which also carry the risk of sanctions in a heavily regulated industry. Research carried out by the European Union Agency for Network and Information Security seems to back up this theory, but also calls out what it refers to as “…inconsistent regulatory guidelines on cloud deployment…” and calls for co-operation between firms, regulators and cloud service providers to come up with a consistent regulatory framework that would allow cloud computing services to be provided in accordance with good practice standards.

    As this research was published in 2015, the extent to which the guidance subsequently issued, particularly in Europe, has served to address these concerns is likely to be subject to debate.

    However, examples are now emerging of major banking organisations that are taking advantage of the opportunities that moving to the cloud has to offer. One bank has publicly declared a strong commitment to using a major cloud provider on a significant scale, and it is only a matter of time before other banking businesses follow suit. The emphasis here is not just on what are considered critical areas of workload, but also on future developments such as mobile banking.

    Not surprisingly, some of the newer entrants to the banking markets (known as “challenger banks”) have embraced cloud technology and infrastructure from the start of their operations. Competition from these market entrants could prove a further push factor for major banks to embrace cloud technology to retain their competitive position.

    In the investment management world, the opportunities that cloud computing brings run through all aspects of their operations. The management of portfolios, for example, could benefit from information management being run globally, whilst there are opportunities for cost savings and efficiencies in back office processes, such as fund administration and fund accounting. This sector has also started to demonstrate it is taking advantage of the agility that operating in the cloud can bring, particularly when integrating cloud applications into existing IT frameworks.

    So, with businesses beginning to adopt cloud services into their IT infrastructure, and the pace of this development accelerating, do regulators need to introduce further rules at all?

    Theory and practice

    Regulators are clearly trying to help firms understand the types of controls they need to put in place to establish and manage cloud computing services – but many of these are simply restatements of existing regulatory requirements, rather than being tailored to this type of scenario.

    Firstly, such arrangements are considered outsourcing – material outsourcing if they are significant enough. This is important because regulators need to be informed that such arrangements are to be entered into. Whether this then results in closer supervision is debatable, and probably depends on the circumstances of the arrangement.

    The rest of the guidance stems from the existing controls that are expected to be applied to outsourcing arrangements of any type; for example, suitable due diligence, risk assessments, contractual agreements, continuous oversight and, of course, security of data.

    All of this sounds logical, but there are some specific challenges faced by cloud service arrangements.

    The first of these is the extent of the agreements and the balance of terms between the cloud service provider and the client firm. Whilst it is desirable to have core terms that are not unduly burdensome on the client, there is a risk that the cloud provider has the power to impose terms, such as the ability to cancel or suspend services without any notice, which some businesses may not be in a position to negotiate. In these circumstances, firms will need to ensure they have sufficient risk appetite for such arrangements and plan accordingly.

    Likewise, the physical location of data is not usually something within the client’s control. This is a concern both from a data security perspective and as a barrier to audit rights, such as site visits, operating fully. Cloud providers would argue that a key component of the service proposition they offer to clients is the ability to vary the locations of servers, and would argue against the value of site visits given the multiplicity of locations. Nevertheless, physical access appears to be an expectation of regulators, so there is a potential cause for conflict.

    From a data security perspective, firms resident in European Economic Area (EEA) territories outsourcing to cloud providers will be concerned if data is transferred to servers outside the EEA. An example of where this might be a concern is transfers to servers in the USA, a country which is not considered to have adequate data protection laws to allow transfers of data under GDPR. Under the Privacy Shield arrangements, US businesses need to go through a process of self-certification to demonstrate they comply with a number of key principles – but participation is not mandatory, and if a service provider has not obtained that certification, this could be a source of concern for firms. The major cloud service providers have already self-certified, but there is no guarantee that all providers will do so in future.

    These are just three examples of where regulators’ expectations may not be exactly met; not for want of trying, but because the physical structure of cloud computing operations makes them very difficult to satisfy. Mismatches like this in the early stages of financial services participation are concerning, which is why regulators will need to make sure the application of guidance is proportionate.

    As the use of cloud computing in the sector continues to grow, it may be that the regulatory stance in both Europe and the USA shifts to a more rules-based approach, taking into account some of the emerging constraints that firms may find themselves having to declare. However, for now, at the point where cloud computing appears to be starting its penetration of the sector in earnest, regulation appears to be a lagging influence rather than a leading one. In all likelihood, though, this position is only likely to remain tenable for a short period.

    About the author: Martyn Oughton is a financial services professional with over 20 years’ experience in the industry. He has been a compliance professional since 2007. In 2009, he became a Professional Member of the International Compliance Association (ICA), and has recently been an examiner for the ICA, marking exam papers and assignments for their U.K. and International Compliance, Anti-Money Laundering and Financial Crime Diplomas. A regular contributor to Wolters Kluwer Compliance Resource Network, he also regularly writes for the ICA’s members’ journal “inCompliance”, and is also a freelance business-to-business copywriter and article writer.
