Out-Law News

Financial regulators should have access to encryption keys when firms store data in the cloud, says ESMA

Regulators should have access to any 'keys' necessary to decrypt data that financial firms store in the cloud, the European Securities and Markets Authority (ESMA) has said.

ESMA said the measure is necessary to allow regulators to perform their supervisory duties.

In a response it has published to a European Commission consultation on financial technology (fintech), ESMA warned that outsourcing "certain functions" performed by financial firms can introduce "unacceptable operational risks" to the "functioning of the firm" and to the ability of regulators to "effectively supervise the provision of financial services".

It said those risks particularly arise "when the service provider is located outside the EU".

ESMA said that firms' use of cloud computing "should in no way restrict the ability of financial regulators to pursue their supervision mission and should guarantee full compliance with the European legal requirements applicable in terms of consumer protection, data protection and market integrity".

"ESMA believes that a high level of clarity on the terms, nature and scope of outsourcing arrangements should be guaranteed," it said. "Moreover, ESMA would like to mention that while the use of cryptography may be a secure and reliable method of storing and sharing information, any encryption keys should be made accessible to the supervisor, upon request, to allow them to perform their supervisory roles."

In its consultation response, ESMA also stressed the need for firms' use of cloud-based solutions to adhere to EU rules on data protection and data security.

"The technology used should not alter the regulatory obligations imposed on firms in order to aim for a level of security, compliance, and data protection equal to the one applicable to IT systems not based on cloud computing," ESMA said.

ESMA also used its consultation response to share views on topics such as artificial intelligence and big data analytics for automated advice and businesses, crowdfunding, regtech, distributed ledger technology, the role of regulation and supervisors, and the role of industry in developing standards and enabling interoperability.

Last month, the European Banking Authority (EBA) issued new draft guidelines for banks on outsourcing to the cloud. The draft guidance addressed topics including banks' obligations regarding the location of data, data and systems security, sub-contracting, contingency planning and exit strategies, as well as the audit and access rights that banks must provide for in their cloud contracts.
