By Fiona Maclean, Stuart Davis, and Alistair Wye
In a bid to keep pace with rapid advances in cloud adoption across financial services, regulators have published a raft of new guidance in the past year. Most recently, the European Insurance and Occupational Pensions Authority launched guidelines for insurers and reinsurers on outsourcing to cloud providers in July 2019, while the European Banking Authority (EBA) published updated guidance on outsourcing that came into effect on 30 September 2019, covering both cloud and other outsourcings.
We discussed some of the challenges facing financial institutions in the evolving area of cloud compliance at our recent event entitled Balancing the Scales: Managing the Risk and Promise of Digitisation in Financial Services. One key issue highlighted in the discussion is that the new EBA guidelines do not contain an overarching split between cloud and non-cloud arrangements, and there are no general exclusions or exceptions for new entrants or FinTech providers. Entities subject to the EBA guidelines will therefore face additional administrative burdens that they must balance with the need to stay ahead of the competition.
As highlighted during the panel discussion at the event, regulators are increasingly focusing on concentration risk and concerns around systemic failure, which is particularly relevant for the major cloud providers. Banks will need to maintain strong channels of communication at group level and consider revising procurement practices so that outsourcing registers, and potentially regulators, are routinely consulted during decision-making processes.
Regulatory compliance is a major concern for institutions moving to the cloud, with agencies focusing not only on concentration risk, but also on areas like vendor lock-ins and data localisation requirements in certain jurisdictions.
A further compliance challenge arises when it comes to conflict of laws, with the US CLOUD Act of March 2018 often clashing with EU data protection rules. Balancing competing obligations regarding disclosure under the US CLOUD Act with protections afforded by the GDPR is an ongoing challenge for entities using US cloud providers. While the European Data Protection Board and European Data Protection Supervisor have started to intervene to provide greater clarity, the regulators and law enforcement agencies have not been forthcoming with practical solutions for handling this conflict.
Despite compliance concerns, regulators are broadly supportive of innovation within institutions, and cloud providers are increasingly engaging with regulators to support transparency in cloud systems. Regulators also recognise the power of the cloud as a compliance-enabler, and its suitability for the upcoming computational complexity around the Fundamental Review of the Trading Book, for example.
The benefits of the cloud for financial institutions are manifold, and industry-wide adoption shows no sign of slowing. Not only can the cloud deliver cost savings and operational flexibility, it also has a role to play in future-proofing, as a key contingent of the future of Open Banking initiatives. While cloud budgets currently focus on storage, networking, and database facilities, they will increasingly spread to management tools and APIs. In terms of scale, the public cloud computing market is predicted to grow from US$182 billion in 2018 to US$331 billion by 2022, according to Gartner.
Institutions looking to increase cloud adoption should carefully consider all of the internal teams that are going to need to weigh in, and be clear on the reporting lines and processes for obtaining consent, both internally and externally. The need to align internal processes with changing regulatory requirements will be critical, as will engagement and advocacy with supervisory authorities as their standpoints continue to evolve.
The clear direction of travel for the financial services industry means more and more core operations will transition to the cloud in the coming years, with regulators now working hard to implement the appropriate processes and controls to make that evolution both as robust and as smooth as possible.