Banks can help bridge the gap between regulatory requirements and best practice risk management for cloud computing, says expert

Out-Law Analysis | 13 Feb 2017 | 9:00 am | 1 min. read

ANALYSIS: Banks have an opportunity to help recalibrate thinking on the use of the latest digital technologies, including cloud-based services.

Currently, one challenge to cloud adoption by banks is a lack of understanding of what can be 'put into the cloud' in terms of data, functions and technology. For many within banks, questions remain around whether specific uses of public cloud technology would be considered as enabling 'critical' or 'important' operational functions within their organisation. Generally, whenever they do, the use case will be subject to stricter regulation than it would be where the technology is not enabling a critical or important function.

The issue is one of seven hurdles to banks' cloud adoption highlighted in a new report by the British Bankers' Association, which was produced in partnership with Pinsent Masons, the law firm behind Out-Law.com.

The report has pointed out that a lack of clarity in existing EU law and UK regulation, including cloud outsourcing guidance produced by the Financial Conduct Authority (FCA), on the issue of 'critical' or 'important' functions "often results in a disproportionately risk-adverse approach to assessing technology risk".

Additional guidance from the FCA might help address the issue but there are also practical steps that can be taken to help reduce the uncertainty.

For example, banks together with cloud providers can work towards standardising, at an industry level, frameworks for identifying, measuring and mitigating the risks involved in the use of new technologies in the contexts of how those technologies relate to specific functions performed by banks. Such work could build on efforts made in other parts of the world and lead to the development of an industry-led approach to help banks assess the risks involved in using new technology.

With endorsement of this approach by the regulator, banks could have greater scope to utilise cloud-based technologies. No longer would the question be muddied by the need to determine whether the technology supports a function that is of a critical or important nature. Instead, more focus would be given to the more important question of whether sufficient safeguards are in place to mitigate risks that can arise from the technology solution in question.

Luke Scanlon is an expert in financial services and technology at Pinsent Masons, the law firm behind Out-Law.com.