Challenges remain to use of public cloud by banks

Out-Law News | 08 Nov 2019 | 10:49 am | 2 min. read

Regulatory divergence is a hindrance to financial institutions' adoption of public cloud computing solutions, the Association for Financial Markets in Europe (AFME) has said.

The trade association said European financial regulators should look to align more closely the requirements they set for financial firms adopting public cloud-based services, and that further steps are necessary to eliminate differences in the way individual regulators supervise in practice.

In a new report, the AFME highlighted the different guidelines pan-European and national regulators within the EU have developed, or are developing, on the use of cloud services. These include recent guidelines proposed by the European Insurance and Occupational Pensions Authority (EIOPA), and separate finalised guidance on outsourcing developed by the European Banking Authority (EBA), which banks, investment firms and payment institutions have until the end of 2021 to fully comply with.

Further examples include guidelines developed by Germany's financial services regulator BaFin, and the Financial Conduct Authority (FCA) in the UK.

The AFME said the various guidelines lack "a coordinated approach" and that this, coupled with "the constantly changing regulatory landscape, has had a limiting effect on the use of public cloud in the industry". This is particularly the case for "medium-sized organisations with more constrained IT, regulatory resources and budgets," it said.

The EBA's guidelines on outsourcing were singled out in the report as having helped to "harmonise the applicable regulatory framework", but the AFME said national regulators continue to interpret the requirements differently. This leads to "the fragmented application of some criteria", it said. As the guidelines are implemented across the EU, further variations in regulatory interpretations could emerge and cause "further challenge for banks", it said.

Pinsent Masons, the law firm behind Out-Law, recently urged EIOPA to make some changes to its draft cloud guidance to help insurers more practically achieve compliance. Financial services and technology law expert Luke Scanlon of Pinsent Masons urged EIOPA, among other things, to "ensure the language of their guidelines is aligned with that of the EBA's to give scope for the deployment of standardised approaches to compliance". 

In response to the AFME paper, Scanlon said: "The main challenges banks face to the adoption of cloud solutions have been recognised and accepted by institutions, cloud providers and regulators for some time. They include the difficulty in understanding whether use of a specific public cloud technology enables a 'critical' or 'important' operational function of a bank; uncertainty as to what amounts to effective supervision and oversight of a public cloud provider, and its supply chain; issues concerning the location of data held in the cloud, its transfer outside of the EU and access to it by law enforcement agencies; and further issues concerning the management of data, including requirements in relation to security and on data breach reporting."

"Given these challenges, and the others banks face in migrating functions to the cloud – not least in relation to overcoming the complexity of legacy IT systems – it is incumbent on regulators to do all they can to standardise regulatory requirements and promote standardised approaches to compliance to help banks to transition to cloud solutions which often provide them with a greater ability to provide innovative services to meet the needs of their customers," he said.