By Fiona Maclean, Stuart Davis and Charlotte Collins
Cloud services come with the promise of many benefits for the financial services sector. Cloud computing offers large-scale and cost-effective solutions for data storage and efficient processing and is also the underlying technology for many FinTech platforms. As with a lot of new technology, however, financial institutions are struggling to see how they can embrace cloud services fully in the context of the current regulatory landscape. This is particularly so given that use of cloud services is often considered a material outsourcing, meaning that banks and investment firms must follow strict rules in order to ensure that the risks posed by migrating data to the cloud are mitigated appropriately.
Cloud Regulatory Guidance: Clear Skies?
Current guidance on outsourcing for banks and investment firms is from the Committee of European Banking Supervisors (CEBS) and dates from 2006 (the CEBS Outsourcing Guidelines), so is overdue for review. The European Banking Authority (EBA) has recognised this and, amidst concerns that firms simply may not use cloud service providers because they cannot reconcile how to do this in line with the regulatory requirements, published some new draft guidelines on outsourcing to cloud services (Draft Cloud Guidelines) for consultation on 17 May 2017.
The final guidance resulting from the public consultation (the Final Cloud Guidelines) will supplement, rather than replace, the existing CEBS Outsourcing Guidelines, so both will need to be read in parallel. Essentially, as the CEBS Outsourcing Guidelines are short and principles-based, the new guidelines seek to add more detail as to how a firm’s regulatory obligations may be met in the specific context of outsourcing to a cloud service provider, based upon discussions the EBA has had with firms and their regulators.