Heads in the cloud: banks inch closer to cloud take-up – Risk.net (subscription)

The attractions are obvious: in todays data-saturated world, cloud computing allows large institutions to rapidly expand their IT capacity, boost efficiency and slash infrastructure costs. The downside? New security threats, amplified by stricter rules on protecting customer data, and a dependence on third-party providers for potentially vitalservices.

It is with an eye on the downside that banks have been slow in adopting cloud computing, which involves on-demand access to a shared pool of computing resources, such as servers andapplications.

Earlier this year, the European Banking Authority (EBA) set out to change this in Europe, publishing draft recommendations for firms to enable them to reap the benefits of cloud computing, while ensuring that risks are appropriately identified and managed. The second objective is to harmonise, across the European Union, supervisors expectations of banks using the cloud. The EBA tells Risk.net it plans to publish final guidance in the fourth quarter of thisyear.

Cloud enthusiasts say such measures as well as ongoing work by cloud providers to meet banks unique needs are all steps in the rightdirection.

Luke Scanlon, Pinsent Masons

There is light at the end of the tunnel, and this [EBA] consultation will help a lot, says Luke Scanlon, who advises clients at law firm Pinsent Masons on newtechnologies.

The proverbial tunnel islong.

Take cyber security. On the one hand, cloud providers such as the leader of the pack, Amazon Web Services are likely to have security processes and technology that are at least as advanced as those of their banking clients, thanks to their technical expertise and economies of scale. On the other hand, providers can pass on a banks data or system management to yet another contractor, increasing security risks present in traditionaloutsourcing.

The EUs General Data Protection Regulation, coming into force next year, will up the ante on data security. The new rules require, among other things, that bank customers are able to request that their personal data held is deleted. One practical outcome, say lawyers, is that banks will have to clarify to cloud providers exactly how they should handle and categorise data to ensure it can be easily isolated and deleted ifrequired.

Of more concern are potentially punitive fines up to 4% of annual global turnover for firms found guilty of data breaches caused by neglect. The size of the potential fines is attracting a lot of attention from both clients and cloud service providers, says Peter George, partner at law firm Baker McKenzie, and responsible for the firms annual cloud computing survey. There will be contractual disagreements over where liabilitylies.

One way to spot and mitigate such outsourcing risks is to undertake regular audits of third-party providers, as banks in most EU countries are already required to do. The EBAs consultation now closed sets out similar guidance with a specific focus on cloud suppliers, and Scanlon at Pinsent Masons welcomes what he sees as a flexible approach to a difficulttask.

Cloud computing involves distributing data across any number of physical locations. Scanlon says that, given the largest cloud providers host services for thousands of banks, regular physical audits would be inefficient, costly and would create risks for other banking clients, related to the security of theirdata.

Rahul Prabhakar, in charge of regulatory compliance for financial services in Europe, Middle East and Africa at Amazon Web Services, puts it another way: A constant stream of people walking through our premises presents securityrisks.

Peter George, Baker McKenzie

The EBA recognises these challenges in its document and endorses alternative options where an outsourcing institution does not employ its own audit resources. These options are pooled audits, performed jointly with other banking clients, and third-party certifications or audits, provided they conform to widely recognised standards and meet the needs of the outsourcingbank.

This is a really positive step, Scanlonsays.

Prabhakar also welcomes the EBAs stance on audits but says the order of preference should be reversed. The EBA and other regulators should consider clearly stating that, one, logical [de-facto] access is more appropriate than physical access and, two, that third-party reports and certifications or pooled audits are more preferable than individualaudits.

Some regulators have been more prescriptive. Canadas Office of the Superintendent of Financial Institutions insists on being able to audit banks across their functions, says Robert Paolino, the former chief risk officer for Canada at Japanese bank MUFG. This effectively requires that data is stored within the country especially data considered as sensitive under Canadas PrivacyAct.

Oversight of cloud providers is even harder if they employ subcontractors. This may keep costs low but banking clients may not have a direct relationship with the provider of significant parts of the cloud service as a result. Its been a struggle to square that circle, says Jonathan Kirsop, partner at law firm Stephenson Harwood in London.

One solution has been for cloud providers to give notice that they are appointing a subcontractor and give clients the right to terminate that particular service. This does provide theoretical control over the supply chain, saysKirsop.

The EBAs draft advice on what it calls chain outsourcing says banks dont need to pre-approve every subcontractor, and providers can simply give clients notice of any subcontractor changes rather than require each change to be approved by all clients.

The EBA also proposes that the outsourcing institution should carefully delineate which activities can be subcontracted, and that any subcontractors fully comply with the obligations placed on the original cloud provider. The outsourcing agreement should also require the cloud provider to notify any changes to subcontracting arrangements in time for its clients to carry out a riskassessment.

A strategy for severing the relationship with a provider is another hurdle banks have to clear before cloud computing can properly take off in theindustry.

How do you extricate yourself from a cloud computing contract when youre dependent on the provider? asks George at BakerMcKenzie.

Guidance on outsourcing to the cloud released by the UKs Financial Conduct Authority (FCA) last year suggests that banks should ensure exit plans are documented, understood by appropriate staff and fully tested. It says banks should monitor concentration risk and consider how they would respond if a service provider were tofail.

Peter George, BakerMcKenzie

However, the details remain largely untested. No bank has ever exited from a significant public cloud technology arrangement, the BBA, a UK banking trade body, and Pinsent Masons wrote in a January discussion paper. The report focuses on the cloud model that is available to the general public, with Amazon Web Services the best-knownexample.

As a result, frictions arise as to the contractual terms between banks and cloud service providers and other third parties leveraging public cloud. There is added pressure as parties do not have the benefit of experience to call upon, the paper continues. The BBA is therefore calling on the FCA to work with the banking industry to produce a due diligence checklist for banks migrating from cloudcontracts.

The draft EBA guidance also acknowledges concentration risk inherent in cloud computing, not only from the point of view of individual institution but also at industry level where large suppliers of cloud services can become a single point of failure when many institutions rely onthem.

Among other recommendations, the EBA advises banks to develop key risk indicators to spot deterioration in the cloud service to unacceptable levels, and to prepare alternative solutions and plans for transitioning to them from the out-of-favour cloudprovider.

Not only will a smooth transition to another provider ensure the banks services are unaffected, but it will also spare the bank reputational damage from a failure by a thirdparty.

Neither the EBA nor the FCA guidance contains tips on negotiating contracts with cloud providers, which comes with its own unique challenges.

In traditional bespoke outsourcing, financial services clients tend to have a lot of bargaining power and are able to use their own master services agreements, says Kirsop at Stephenson Harwood. With a cloud service, its a one-to-many solution. Suppliers cant have lots of different terms or policies for different clients. Clients have to get comfortable with standard terms, with limited ability to negotiate around them. Thats the fundamentaldifference.

Finally, as with most banking activities in the post-financial crisis era, regulation can be a key determinant of the spread of innovativepractices.

The EBA wrote in its draft guidance that uncertainty among banks about how supervisors expect them to handle cloud computing poses a barrier to its adoption.

In Indonesia, banks are blocked outright from migrating to the cloud due to their regulators requirement that all critical services be hosted within the countrys borders. For banks, who could they find in Indonesia that could host those services? The big [cloud] providers dont want to set up data centres in Indonesia; its not viable for them right now, says Manish Chawda, partner at Singapore consulting firm Pragma, which specialises in cyber and technologyrisks.

Differences in rules between jurisdictions present another headache for banks.

Jonathan Scott-Lee, Standard Chartered

Standard Chartered, for example, has operations in 68 emerging markets. As the bank is ramping up its use of cloud computing, the answer is not as might be assumed to take a highest common denominator approach, says Jonathan Scott-Lee, the Singapore-based global head of compliance, data, technology, operations and outsourcing at StandardChartered.

For a start, a gold-plated cloud strategy would eliminate most if not all of the cost efficiencies of the cloud. Second, even the highest specifications can fall foul of some regulatory environments: China, for example, mandates specific regulatory standards on the commercial use ofencryption.

I advise our digital teams to develop technology as globally as possible but that is flexible enough to allow software to be deployed in local environments, Scott-Lee says. For example, a cloud-based system could be linked to a locally housed database for client information for jurisdictions where the regulator requires data on clients to be heldlocally.

However, the trend is now towards ironing out regulatory differences around cloud computing, as illustrated by the EBAinitiative.

Jeroen Prins, a London-based financial services technology risk expert at PwC, sums up: For key jurisdictions we believe that similar principles apply and it is now feasible for the larger banks to adopt cloud servicesglobally.

Continue reading here:
Heads in the cloud: banks inch closer to cloud take-up – Risk.net (subscription)

Related Post

Comments are closed.