Banks need clearer guidance on the level of cloud supply chain oversight they should have, says expert

Out-Law Analysis | 13 Feb 2017 | 9:00 am | 4 min. read

ANALYSIS: Banks need clearer guidance on the level of oversight they need to have over their cloud provider's supply chain if their take-up of cloud services is to rise.

Current guidelines on the issue are unclear, so banks should work to develop a best practice approach to cloud supply chain oversight, and engage with the Financial Conduct Authority (FCA) on that initiative to get a better understanding of the regulator's expectations.

Cloud providers' supply chains can be long and complex. Sub-contractors can perform a range of functions to enhance the service offered by the cloud providers that banks engage, and they can be based all over the world. These supply chain arrangements can also change regularly.

Sub-contracting arrangements of this nature help cloud providers to offer the flexible, scalable IT resources organisations seek when adopting cloud-based services. However, for banks, such arrangements present a potential compliance issue.

How banks can navigate cloud supply chain complexity

Fintech experts Yvonne Dunn and Luke Scanlon of Pinsent Masons discuss the problems posed by the need for oversight of cloud supply chains and some of the approaches banks can take.

The challenge facing banks

In the UK, banks that enter into outsourcing agreements, where "related to the regulated activity being provided", should "identify all the service providers in the supply chain and ensure that the requirements on the bank can be complied with throughout the supply chain". That obligation is set out in FCA guidance.

There are many requirements on banks. They include a duty to have internal controls in place which achieve effective identification, monitoring and reporting of risk. They must also be able to demonstrate that they are properly supervising service providers.

Banks, however, have expressed concern that the FCA's guidance is not sufficiently clear on what would be considered to constitute effective supervision and oversight of a public cloud service provider, and its supply chain. Nor, they say, is it clear what outsourcing arrangements the regulator would consider to be 'related to the regulated activity'.

As a result of the uncertainty, banks often conclude that they have no option other than to require a complete review of cloud providers' sub-contracting arrangements. This may be disproportionate to the level of risk introduced by the cloud solution being procured.

The issue has been identified as one of seven main hurdles that banks must overcome when seeking to adopt cloud-based services. Those issues are explained in detail in a new report by the British Bankers' Association, which was produced in partnership with Pinsent Masons, the law firm behind Out-Law.com.

Further red-tape to overcome under the GDPR

Beyond the financial services regulatory framework, banks, like other data controllers, will also face an additional compliance risk in relation to their cloud provider's supply chain under forthcoming new EU data protection laws.

The General Data Protection Regulation (GDPR), which will take effect on 25 May 2018, requires data controllers that outsource the processing of personal data to give their prior "specific or general written authorisation" to the data processors' sub-contracting arrangements. It means banks will need to be consulted on the use of the sub-contractors a cloud provider wishes to engage where the arrangements concern the processing of personal data for which the bank is responsible.

In addition, the GDPR requires contract terms that must be put in place between data controllers and data processors governing those data processing arrangements, to be applied throughout the supply chain where sub-contractors are involved.

In a cloud context, where sub-contracting arrangements can run into multiple layers and change regularly, the prior authorisation obligation and mandatory flow-down of contract terms presents a major contract management challenge for banks and the cloud providers they engage.

Changes cloud providers could make to help

The GDPR requirements will further complicate the existing obligations banks wishing to take advantage of cloud-based services face under the FCA's rules and guidance.

Cloud providers could do more to recognise and accommodate the regulatory obligations banks face. Those that take on that challenge stand to gain a significant part of what is still a relatively immature market. This is particularly so at a time when banks are under pressure to upgrade legacy IT systems and to capitalise on the broader trend of digitisation within financial services.

One way cloud providers could become more attractive to banks is to streamline their supply chains so as to use fewer sub-contractors, and to commit to changing those supply chain arrangements less often than they do at present.

Dealing with a smaller number of sub-contractors and changing arrangements less frequently would make it easier for banks to maintain oversight of a cloud provider's supply chain, in line with the FCA's requirements. It would also make GDPR compliance easier for banks and the cloud providers.

This approach would naturally involve cloud providers losing an element of flexibility, and a more restricted supply chain may cost banks more to procure. However, the trade-off is that it could potentially spur greater take-up of cloud services by banks. It may be that cloud providers operate a general supply chain for some customers and a more restricted supply chain for financial services customers.

A role for banks to help clarify their own obligations too

Whilst more streamlined and consistent cloud supply chains would help banks meet their regulatory requirements, it would not address the perceived lack of clarity over what outsourcing arrangements the FCA would consider to be 'related to the regulated activity'.

The FCA's guidance does not resolve this question. As a result, where banks are in doubt about a particular sub-contracting arrangement, they treat it as if it requires oversight.

This approach is understandable, yet it is needlessly inefficient and overly burdensome.

Banks should lobby the FCA to clarify where they would draw the line on activities being outsourced that require oversight. To help their cause, the banks should collate their own thoughts on the types of regulated activities that they carry out and, with the help of cloud providers, seek to understand how outsourcing arrangements impact on those activities.

If the banks work together, they could produce a detailed document on an issue that is a major hurdle to their cloud adoption. However, for this to truly work, the banks and cloud providers should seek to work with the FCA on the guidance. Only if the banks have assurance that the guidance aligns with FCA thinking will they be able to rely on it. Although the FCA might be unwilling to change its formal guidance on the issue, its participation in the discussion and development of industry guidance would contribute to this assurance.

Such guidance, if it has at least been partly shaped by the regulator's involvement, could flesh out a best practice approach to the issue of cloud supply chain oversight which is more proportionate than currently adopted.

Yvonne Dunn is an expert in financial services cloud contracts at Pinsent Masons, the law firm behind Out-Law.com.