The legal view on cloud is always fraught with complexity and can cause many to steer clear, but, like most things, views are subject to interpretation. Yet, in our sector, the cloud has to happen if banks want to compete. The banks know that but, of course, there are issues to work through before they fully embrace it.
We discuss this subject in our recent paper, Cloud banking: a question of collaboration; an excerpt follows.
Legal considerations have led many banks to think twice before migrating to the cloud, but providers are rapidly addressing concerns over security, privacy and financial services regulation.
Banking's biggest lenders know well the advantages that the cloud can confer on their businesses. It offers the chance to cut costs and boost processing power; it allows banks to launch new products and win market share more easily. It allows Experience-Driven Banking to come alive.
The alternative – a constant overhaul of legacy core systems to keep pace with the market – is monumentally complex. But banks have for the most part been hesitant to embrace the large technological and organisational change that moving to the cloud would entail.
This hesitancy is being sustained by concerns in two main areas: security and privacy of data; and compliance with the requirements of financial services regulators.
There is no single body of cloud law. Each country has a different approach, with a myriad of rules and regulations relating both to privacy and to financial services. In addition, there is much "guidance" issued by the regulators, setting out best practice and expected standards. Within the European Union, there is local regulation from member states as well as regulation from the European Commission to comply with.
On a positive note, there are changes afoot. As Christian Bartsch, Partner and Head of Financial Services Sector Group at law firm Bird & Bird, puts it: "Many chief technology officers have completely bought into the value of cloud. As a result of this mindset, I am seeing a lot more interaction between technology, legal and compliance personnel in the financial services sector on this issue. Proactive collaboration between such personnel will greatly assist financial services organisations to unlock the benefits of cloud-based technology."
In Europe, many see the Netherlands financial services regulator as a trailblazer, with its agreement in 2013 to allow Amazon Web Services to offer credit and risk calculations.
Ruth Boardman, a London-based data protection partner at Bird & Bird, says large banks need the right preparation and systems in place. "Customers must choose a provider who can offer appropriate controls – over security, location of processing and use of sub-contractors. This will really help customers to meet their data protection requirements."
One of the hurdles to cloud adoption at large banks has been the perceived loss of control of data or perceived lack of governance over data that comes with a move to the cloud.
Customer data is no longer stored on servers owned by the bank but on the servers of the cloud service provider. Often it is not transparent to the client exactly where the data is stored.
Some financial services and privacy regulators have imposed requirements that customer data must be kept in the country where the banking services are provided. These data sovereignty laws mean a company is required to store data on servers in the home market, so enabling accessibility and audit by the regulator. That, in turn, has restricted providers of cloud services. A cloud provider might not have a data centre in that country.
In addition, cloud providers prefer, for reasons of security, to keep the location of their server farms secret, tightly controlling access to them and to information about the processes protecting the data. A cloud provider considers the overall security of all its clients' data rather than the specific audit requirements of a banking client.
The industry is finding ways of working through this complexity. The cloud providers are learning that one size does not fit all. Cloud companies can often provide a service from a defined geography so that the data remains, for example, within the EU. For regulated clients, service providers can give additional comfort on the security of the data by providing audit reports drawn up by third parties that are sufficiently detailed to put regulators at ease.
Further, European financial services regulators are in many cases comfortable with data centres located in other parts of the European Economic Area, or even elsewhere, as long as robust service contracts are in place. A suitable service contract will include the ability for the bank to monitor the supplier, commitments on the availability of the service and rights to access the data at all times. Importantly, the regulator has the right to examine the service provider or, in extreme cases, to order the termination of the contract.
In addition, Amazon Web Services (AWS) and Microsoft have worked hard to tailor their contractual arrangements to maintain the privacy of data transferred outside the EEA, meeting the demands of the EU data protection directive and the privacy regulators.
Security second to none
A myth appears to have grown up – perhaps driven by the media and fed by the complexity of cybercrime – that public and private clouds are a hacker's dream, and that security vulnerabilities are an inevitable by-product of cloud migration.
But the cloud, whether for storage or software, does not jeopardise security; the biggest providers offer best-in-class protection, and spend billions on it. Companies such as Microsoft, AWS and IBM are the experts in this field. Indeed, many observers believe that top-tier cloud computing systems can provide better security than banks' in-house applications.
Cloud providers are also doing much to retain best-in-class security and to standardise multiple competing frameworks, notably through the Cloud Security Alliance and its Cloud Controls Matrix (CCM), which provides security principles to guide vendors and to help prospective customers assess security risk at cloud providers.
Another body that has helped to demystify the process in Europe is Confidential and Compliant Clouds (Coco Cloud), an EU-backed industry and academic collaboration that promotes secure cloud use.
Flexibility is key
In the past, cloud providers assumed that "one size fits all" would be a viable model for complex financial service companies. While that may be possible for smaller banks and niche services, it is clearly not viable for core banking and the largest lenders.
Some in the industry see collaboration as the next step. Alan Grogan, Chief Analytics Officer at RBS's customer services group, has called for industry and government to create a "UK financial services cloud" to ensure that banks can benefit from the cloud's advantages, while making it easier to mitigate any risks.
There are plenty of signs that providers are showing flexibility and a willingness to restructure terms and conditions to meet the needs of their regulated clients. Regulators are agreeing that cloud solutions can be used by banks provided that controls are in place and the bank retains overall responsibility for the service provider, which is carefully supervised.
It might seem like a complex legal and regulatory landscape, but lenders and IT providers have compelling reasons to make it happen. The cloud may come to pass for the biggest lenders' core banking efforts far sooner than has recently been assumed.