"Regulatory concerns" likely to delay further use of cloud providers by UK banks for core systems, says expert

Out-Law News | 04 Oct 2013 | 8:42 am

The combination of regulatory uncertainty and complex internal systems means that major UK banks will be unlikely to adopt cloud computing platforms for their core functions in the near future, an expert has said.

Technology and payments expert Angus McFadyen of Pinsent Masons, the law firm behind Out-Law.com, was commenting following press reports that National Australia Bank (NAB) had moved hosting of its nab.com.au website to public cloud provider Amazon Web Services (AWS). The Australian bank is the parent company of the UK's Clydesdale Bank and Yorkshire Bank.

McFadyen said that rights of access and audit assigned to national regulators by EU legislative frameworks, including the Markets in Financial Instruments Directive (MiFID) and Capital Requirements Directive (CRD), coupled with "security and control issues", had led to the "conservative adoption" of cloud technologies by the UK banking sector.

"Typically, adopting has been reserved to lower risk areas like software development, but more recently we have seen e-mail and other key systems going into the cloud, which suggests growing confidence," he said. "What we haven't seen is a major UK bank placing its core banking system into the cloud like NAB seems to have done."

"This is likely to be as much a result of regulatory concerns as it is practical limitations - the complexity of the core systems of any major UK bank, contributed to by past (de-)mergers and the multiplicity of internal and external interfaces, presents a high barrier to clear for any proposal to send them to the cloud," he said.

According to a report in The Australian, NAB's arrangement with AWS could ultimately save the bank "millions of dollars". Under the terms of the deal, all information on nab.com.au except that which requires a logon will be hosted by AWS at its Sydney data centre. Customer account details would continue to be held behind NAB's own firewalls at its local data centres, according to the article.

The article said that NAB also plans to use AWS to host applications and provide services to other parts of the business. It quoted the bank's enterprise delivery manager, Thor Essman, as saying that the new setup made it faster and more efficient for staff to update the website and for customers to access it.

"We have plans to bring on most of the other flagship assets into the same setup and leverage [AWS] for additional capability for applications instead of just information," Essman told The Australian. "We don't have the schedule of which one is next... but we will be looking at making this an enterprise platform."

In the EU, MiFID generally requires financial services companies that outsource data processing activities to ensure that regulators have "effective access" to "data" and "premises". Interpreted strictly, this can present problems for the use of cloud services where information is stored all over the world.

However, recent developments in the Netherlands have indicated that AWS could be a suitable platform for regulated financial services firms. In August, the Dutch Central Bank (DNB) announced that AWS "met" its supervisory requirements, although regulated firms would still have to meet risk and security requirements before moving their services to the platform. The DNB previously concluded an agreement with Microsoft in relation to data audit rights for businesses in the Netherlands that use its Office 365 platform.