The attractions are obvious: in today’s data-saturated world, cloud computing allows large institutions to rapidly expand their IT capacity, boost efficiency and slash infrastructure costs. The downside? New security threats, amplified by stricter rules on protecting customer data, and a dependence on third-party providers for potentially vital services.
It is with an eye on the downside that banks have been slow in adopting cloud computing, which involves on-demand access to a shared pool of computing resources, such as servers and applications.
Earlier this year, the European Banking Authority (EBA) set out to change this in Europe, publishing draft recommendations for firms to enable them to “reap the benefits of cloud computing, while ensuring that risks are appropriately identified and managed”. The second objective is to harmonise, across the European Union, supervisors’ expectations of banks using the cloud. The EBA tells Risk.net it plans to publish final guidance in the fourth quarter of this year.
Cloud enthusiasts say such measures – as well as ongoing work by cloud providers to meet banks’ unique needs – are all steps in the right direction.
“There is light at the end of the tunnel, and this [EBA] consultation will help a lot,” says Luke Scanlon, who advises clients at law firm Pinsent Masons on new technologies.
The proverbial tunnel is long.
Take cyber security. On the one hand, cloud providers – such as the leader of the pack, Amazon Web Services – are likely to have security processes and technology that are at least as advanced as those of their banking clients, thanks to their technical expertise and economies of scale. On the other hand, providers can pass on a bank’s data or system management to yet another contractor, compounding the security risks already present in traditional outsourcing.
The EU’s General Data Protection Regulation, coming into force next year, will up the ante on data security. The new rules require, among other things, that bank customers can request the deletion of the personal data held about them. One practical outcome, say lawyers, is that banks will have to clarify to cloud providers exactly how they should handle and categorise data, so that it can be easily isolated and deleted if required.
Of more concern are potentially punitive fines – up to 4% of annual global turnover – for firms found guilty of data breaches caused by neglect. “The size of the potential fines is attracting a lot of attention from both clients and cloud service providers,” says Peter George, partner at law firm Baker McKenzie, and responsible for the firm’s annual cloud computing survey. “There will be contractual disagreements over where liability lies.”
One way to spot and mitigate such outsourcing risks is to undertake regular audits of third-party providers, as banks in most EU countries are already required to do. The EBA’s consultation – now closed – sets out similar guidance with a specific focus on cloud suppliers, and Scanlon at Pinsent Masons welcomes what he sees as a flexible approach to a difficult task.
Cloud computing involves distributing data across any number of physical locations. Scanlon says that, given the largest cloud providers host services for thousands of banks, regular physical audits “would be inefficient, costly and would create risks for other banking clients”, related to the security of their data.
Rahul Prabhakar, in charge of regulatory compliance for financial services in Europe, Middle East and Africa at Amazon Web Services, puts it another way: “A constant stream of people walking through our premises presents security risks.”
The EBA recognises these challenges in its document and endorses alternative options “where an outsourcing institution does not employ its own audit resources”. These options are pooled audits, performed jointly with other banking clients, and third-party certifications or audits, provided they conform to widely recognised standards and meet the needs of the outsourcing bank.
“This is a really positive step,” Scanlon says.
Prabhakar also welcomes the EBA’s stance on audits but says the order of preference should be reversed. “The EBA and other regulators should consider clearly stating that, one, logical [de-facto] access is more appropriate than physical access and, two, that third-party reports and certifications or pooled audits are more preferable than individual audits.”
Some regulators have been more prescriptive. Canada’s Office of the Superintendent of Financial Institutions insists on being able to audit banks across their functions, says Robert Paolino, the former chief risk officer for Canada at Japanese bank MUFG. “This effectively requires that data is stored within the country – especially data considered as sensitive under Canada’s Privacy Act.”
Chain of events
Oversight of cloud providers is even harder if they employ subcontractors. This may keep costs low but banking clients may not have a direct relationship with the provider of significant parts of the cloud service as a result. “It’s been a struggle to square that circle,” says Jonathan Kirsop, partner at law firm Stephenson Harwood in London.
One solution has been for cloud providers to give notice that they are appointing a subcontractor and give clients the right to terminate that particular service. “This does provide theoretical control over the supply chain,” says Kirsop.
The EBA’s draft advice on what it calls “chain outsourcing” says banks don’t need to pre-approve every subcontractor, and providers can simply give clients notice of any subcontractor changes rather than require each change to be approved by all clients.
The EBA also proposes that the outsourcing institution should carefully delineate which activities can be subcontracted, and that any subcontractors fully comply with the obligations placed on the original cloud provider. The outsourcing agreement should also require the cloud provider to notify any changes to subcontracting arrangements in time for its clients to carry out a risk assessment.
A strategy for severing the relationship with a provider is another hurdle banks have to clear before cloud computing can properly take off in the industry.
“How do you extricate yourself from a cloud computing contract when you’re dependent on the provider?” asks George at Baker McKenzie.
Guidance on outsourcing to the cloud released by the UK’s Financial Conduct Authority (FCA) last year suggests that banks should ensure exit plans are documented, understood by appropriate staff and fully tested. It says banks should monitor “concentration risk” and consider how they would respond if a service provider were to fail.
However, the details remain largely untested. “No bank has ever exited from a significant public cloud technology arrangement,” the BBA, a UK banking trade body, and Pinsent Masons wrote in a January discussion paper. The report focuses on the cloud model that is available to the general public, with Amazon Web Services the best-known example.
“As a result, frictions arise as to the contractual terms between banks and cloud service providers and other third parties leveraging public cloud. … There is added pressure as parties do not have the benefit of experience to call upon,” the paper continues. The BBA is therefore calling on the FCA to work with the banking industry to produce a due diligence checklist for banks migrating from cloud contracts.
The draft EBA guidance also acknowledges concentration risk inherent in cloud computing, “not only from the point of view of individual institution but also at industry level where large suppliers of cloud services can become a single point of failure when many institutions rely on them”.
Among other recommendations, the EBA advises banks to develop key risk indicators to spot deterioration in the cloud service to unacceptable levels, and to prepare alternative solutions and plans for transitioning to them from the out-of-favour cloud provider.
Not only will a smooth transition to another provider ensure the bank’s services are unaffected, but it will also spare the bank reputational damage from a failure by a third party.
Terms and conditions
Neither the EBA nor the FCA guidance contains tips on negotiating contracts with cloud providers, which comes with its own unique challenges.
“In traditional bespoke outsourcing, financial services clients tend to have a lot of bargaining power … and are able to use their own master services agreements,” says Kirsop at Stephenson Harwood. “With a cloud service, it’s a one-to-many solution. Suppliers can’t have lots of different terms or policies for different clients. Clients have to get comfortable with standard terms, with limited ability to negotiate around them. That’s the fundamental difference.”
Finally, as with most banking activities in the post-financial crisis era, regulation can be a key determinant of the spread of innovative practices.
The EBA wrote in its draft guidance that uncertainty among banks about how supervisors expect them to handle cloud computing poses a barrier to its adoption.
In Indonesia, banks are blocked outright from migrating to the cloud due to their regulator’s requirement that all critical services be hosted within the country’s borders. “For banks, who could they find in Indonesia that could host those services? The big [cloud] providers don’t want to set up data centres in Indonesia; it’s not viable for them right now,” says Manish Chawda, partner at Singapore consulting firm Pragma, which specialises in cyber and technology risks.
Differences in rules between jurisdictions present another headache for banks.
Standard Chartered, for example, has operations in 68 emerging markets. As the bank is ramping up its use of cloud computing, the answer is not – as might be assumed – to take a “highest common denominator” approach, says Jonathan Scott-Lee, who leads the compliance teams for data, technology, operations and outsourcing at Standard Chartered.
For a start, a ‘gold-plated’ cloud strategy would eliminate most if not all of the cost efficiencies of the cloud. Second, even the highest specifications can fall foul of some regulatory environments: China, for example, mandates specific regulatory standards on the commercial use of encryption.
“I advise our digital teams to develop technology as globally as possible but that is flexible enough to allow software to be deployed in local environments,” Scott-Lee says. For example, a cloud-based system could be linked to a locally housed database for client information for jurisdictions where the regulator requires data on clients to be held locally.
However, the trend is now towards ironing out regulatory differences around cloud computing, as illustrated by the EBA initiative.
Jeroen Prins, a London-based financial services technology risk expert at PwC, sums up: “For key jurisdictions we believe that similar principles apply and it is now feasible for the larger banks to adopt cloud services globally.”
Update, August 31, 2017: The story has been updated to clarify the role of Jonathan Scott-Lee at Standard Chartered.