Audit right challenges for banks in the cloud might be aided by data protection reforms, say experts

Out-Law Analysis | 13 Feb 2017 | 9:00 am | 6 min. read

ANALYSIS: EU data protection reforms may spur changes to cloud contracts that help banks facilitate effective oversight of their regulated activities by regulators in the public cloud.

At the moment banks face practical constraints in enabling such oversight in a cloud context.

Financial regulations, and guidance issued by the Financial Conduct Authority (FCA), require banks, when entering into outsourcing agreements which cover critical or important business functions, to ensure the FCA still has effective access to their data, and to ensure the regulator can also exercise a right of effective access to the business premises of that service provider.

However, cloud providers are sometimes unwilling or unable to offer such access.

Software-as-a-service (SaaS) providers, reliant on the infrastructure of another cloud provider to service banks, may not have the bargaining power to negotiate such access with the infrastructure (IaaS) provider on behalf of their bank customers. Where banks negotiate with an IaaS provider directly, they may have more clout, but IaaS providers are still keen to limit the number of people who have access to data centres and other premises, for reasons of data security and the minimisation of disruption to their daily business operations.

Ensuring effective regulatory oversight of the outsourced business function is an issue that has been identified as one of seven main barriers to banks' adoption of cloud-based services in a new report by the British Bankers' Association, which was produced in partnership with Pinsent Masons, the law firm behind Out-Law.com.

The anomaly between audit rights in financial services and under general data protection rules

Rules and regulations on outsourcing for banks set out more specific and robust requirements on the issue of data auditing than non-regulated organisations face when outsourcing data processing operations.

There are historical regulatory reasons why the audit rights required under the financial services outsourcing regime are more stringent than those connected only with data protection laws which govern the processing of personal data. A crucial point is that such rules were originally devised to capture those financial services entities looking to outsource a particular regulated function, business unit or service to a third party that such entities would normally carry on themselves at their own premises. The core of the definition of "outsourcing" under the FCA's and PRA's rules still reflects this. 

The requirements are primarily there to ensure that the outsourcing of the regulated activity, service or function does not lead to an outsourcing of responsibility by the entity in question, or pose a barrier to effective supervision of the specific entity by a regulator. It must not cause detriment to the entity's clients. 

To this end, the rules still require the entity outsourcing the particular activity, and/or its auditors, and the regulators to obtain physical rights of access to premises, so as to ensure that they may exercise the same level of supervision, access to data, access to relevant personnel and to service provider premises connected with the activity or business unit as they would were the regulated activity not outsourced.

Some within the banking industry have questioned why, in the new digital world, physical rights of audit have to be provided for in a cloud outsourcing contract. They see potential in remote access to data, which they say could satisfy regulators' need to monitor compliance and conduct investigations. Indeed, the most important information is located on servers and this can certainly be accessed remotely. However, the regulators are not simply interested in the data.    

The counterargument is that powers of physical access to premises and key personnel involved remain important supervisory tools for regulators and, whilst access to data centres might appear to be of little use, access to the offices where senior management and important business functions reside remain a high priority.

Yet, data processing arrangements in other sectors do not have to provide for the same level of access and oversight. Health bodies, for example, do not need to provide the Information Commissioner's Office (ICO) with a right to access patient medical records they might store in the cloud. Nor must they ensure in their cloud contracts that the ICO can access the premises of their cloud provider.

There are, however, changes coming under the General Data Protection Regulation (GDPR).

The GDPR and the new requirements around audit rights

The GDPR, which will apply from 25 May 2018, will force cloud providers to update their approach to auditing rights in relation to the processing of personal data.

The Regulation will apply familiar data protection principles, and a raft of new rules, to third party processors of personal data for the first time, including cloud service providers. However, under GDPR, data processors that process data in a way which does not conform to their contract terms will not just be exposed to potential claims of breach of contract, they will be potentially held in breach of the Regulation itself, and subject to the stiff sanctions regime it provides for.

The Regulation sets out a range of new obligations on data processors as well as specific contractual terms that data controllers and data processors will have to provide for in their data processing agreements, and the mandatory flow-down of those provisions to sub-contractors.

The new terms will require cloud providers to make available to banks "all information necessary" to demonstrate their own compliance with the new data processor requirements and "allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller".

It is open, under the GDPR, for the European Commission to draw up standard contractual clauses to address the issue, and for data protection authorities to adopt them.

At the moment, although data controllers must monitor data processors' activity, they have no rights of audit over them under EU data protection law. However, cloud computing guidance set out in 2012 by a committee made up of national data protection authorities from across the EU said cloud contracts should "provide for logging and auditing of relevant processing operations on personal data that are performed by the cloud provider or the subcontractors".

The Article 29 Working Party, though, gave its backing to third party data protection certifications as a mechanism to fulfil this auditing requirement. It said it would let cloud providers demonstrate compliant data protection practices to data controllers. Such certification schemes are now commonly provided for by the leading cloud providers in the market.

The Working Party went as far to suggest that, in a public cloud environment where data stored on servers pertains to multiple businesses, individual audits of data "may be impractical technically and can in some instances serve to increase risks to those physical and logical network security controls in place".

The GDPR, then, appears to move the data protection requirements for all customers of cloud providers further towards those set out for banks and other regulated financial entities under the FCA's rules and guidelines in relation to their critical outsourcing arrangements. This is perhaps understandable when the volume and scale of the data breaches reported in recent times is considered.

The cloud market's response

The market is yet to see definitely how cloud providers will account for these new obligations under the GDPR. Potential fines of up to €10 million, or 2% of annual global turnover, whichever is higher, could be imposed on cloud providers that breach the new data processor obligations, so it is an issue they must take seriously. It is also worth remembering that any fine under the GDPR would be separate to those levied in relation to the same breaches by the relevant financial services regulators.

The new requirements will prompt changes to cloud providers'  approach to contracting, and there is an opportunity for proactive cloud providers to ensure that changes introduced addressed the specific requirements banks face.

More IaaS providers may continue to advocate consolidated audits. These would be periodic assessments carried out by independent examiners who could verify, on behalf of all of a cloud provider's customers, that data processing and storage arrangements are in line with data protection obligations.

This would negate the need for IaaS providers to accommodate audits from each of its customers individually. As part of these consolidated audits, cloud providers could also invite FCA-endorsed auditors to participate in physical inspection of premises, such as data centres, to address the access rights banks must provide for in their cloud contracts.

Additional remote access tools could be developed by cloud providers to allow FCA officials to check system information and logs as part of any investigations into regulated firms that use their cloud services.

FCA guidance suggests that banks should discuss with the regulator what access might be required. There is therefore an opportunity for cloud providers to develop tools that banks can point to in those discussions to satisfy the FCA over its rights of access.

Ultimately, the FCA will see it as an absolute necessity to ensure that a robust regulatory supervisory framework is maintained. Banks and cloud providers should work with the FCA to help the regulator understand how that access can be provided for, and be accounted for in the regulations and guidance, to make the most of new technology and emerging best practice in the market.

William Maycock is a senior financial services regulatory lawyer and Craig Callery is an expert in cloud contracts in the financial services sector at Pinsent Masons, the law firm behind Out-Law.com.