For some time now the EU’s financial services sector has sought clarification on when, and to what extent, it may use public cloud computing. Recent developments in the Netherlands and the UK may shed a little light on the issue.
In recent years many organisations have been transitioning from the private cloud (residing within the confines of an organisation’s own firewall or security perimeter and accessed only by authorised personnel) to the public cloud. Such a transition has meant shifting to an outsourced cloud managed by a third-party service provider who typically also offers infrastructure such as hosted storage at its data centre. Such cloud services are publicly available to everyone (individuals as well as organisations) via the Web.
For EU financial services organisations there has been some uncertainty about using the public cloud. In large part that has been caused by uncertainty about regulatory obligations. The EU Markets in Financial Instruments Directive (the “MiFID”) requires regulators throughout the EU to be given “effective access” to “data” and “premises”. In addition, the outsourcing regulations of many European financial regulators also require access for auditors to those outsourced activities. Whether the meaning of “effective access” is restricted to physical access only has been a question of great importance. Such a restricted definition excludes digital access and is particularly significant in the many instances where data processing has been outsourced to the public cloud.
Regulators throughout the EU have typically taken a conservative interpretation of “effective access”, particularly concerning financial services organisations, and so have viewed it to mean only physical access to all data centres within which public cloud processing takes place. Generally there has not been much guidance for financial institutions to rely upon.
Recent developments in the Netherlands and the UK may shed some light on aspects of this issue.
Two reported developments in the Netherlands indicate there may be a little more clarity for financial institutions around the nature of “effective access”.
The first development concerns Microsoft’s Office 365 cloud services in the Netherlands. The Dutch Central Bank (“the Bank”) regulates Dutch financial institutions and requires financial institutions to agree audit rights with outsourcing services providers. Until recently those businesses have found it difficult to negotiate such auditing rights on an individual basis. One particular contractual obstacle has concerned the number of visits the regulator would be allowed to make to the cloud services provider’s premises. An agreement has been made between the Bank and Microsoft in which Microsoft includes an audit right in its Office 365 cloud service contracts.
As reported, the substantive detail of the actual agreement between the Bank and Microsoft is not available. There appears to be no “standard” clause, setting out audit rights in favour of the Bank, which may be inserted into Microsoft’s contracts with regulated Dutch financial services firms. Apparently Microsoft has agreed that the Bank can “visit Microsoft at any moment” to check the data belonging to financial services companies under the terms of specific contracts.
The second, and subsequent, reported development concerns Amazon’s Web Services (“AWS”) in the Netherlands. The Bank has cleared AWS for use in the country’s financial sector, clarifying key supervision criteria for Dutch organisations looking to move infrastructure or services to the AWS cloud.
The Dutch regulator’s approval means Dutch banks and other financial institutions may use AWS for a range of services including websites, mobile applications, retail banking platforms, high performance computing and credit risk analysis solutions. The approval extends not just to data hosted directly in AWS datacentres, but also includes applications and services built and delivered by third party vendors on the AWS platform.
Seeing two cloud service providers the size of Microsoft and Amazon compete on the issue of regulatory compliance is welcome news for customers. No doubt both hope to distinguish their cloud service offerings by such agreements with the Bank, and certainly both have sought to generate publicity (and so gain new customers) as a result.
The little light these reported developments shed on the meaning of “effective access” is also welcome. However, the Bank has taken a rather tight-lipped approach when asked about these developments, and has said little about what they mean in practice for financial institutions. The Bank has reminded all financial institutions that any such move to the cloud should be preceded by a risk analysis; that all of the financial institution’s duties should be included in the contract with the cloud provider, particularly the exit clause; and that the Bank should be informed of the plans to move to the cloud in advance.
Meanwhile a recent development, potentially affecting two UK banks, highlights that regulatory concerns are not the only limitations for financial services organisations when considering the transition to the public cloud.
In early October 2013, the National Bank of Australia, which is the parent company of the UK’s Clydesdale Bank and Yorkshire Bank, was reported to have moved all information on its website (except that which requires a logon) to AWS for hosting.
This cloud development in Australia’s financial services sector is not seen as altering the cautious approach taken until now by the UK’s financial services organisations. That conservative approach is not only due to regulatory concerns about the audit and access obligations of EU legislative frameworks (such as the MiFID and the EU’s Capital Requirements Directive).
The sector’s cautiousness is also due to practical concerns about banks’ own security and control needs and managing the complexity of existing and legacy software systems and interfaces. One commentator has noted some UK banks have been prepared to use the public cloud for lower risk activities like software development and, more recently, email services. But the core banking services have remained in the private cloud.
This development concerning the UK is a reminder that, even if there is increased certainty about the meaning of “effective access”, that clarity will not automatically mean organisations in the EU financial services sector will rapidly shift to using the public cloud.
Edwin Jacobs comments:
Financial institutions must of course still make a risk analysis and comply with outsourcing regulations when they want to outsource in the public or private cloud.
For further information on this legal development please contact Edwin Jacobs at (email@example.com).
This publication does not necessarily deal with every important topic or cover every aspect of the topics with which it deals and is not designed to provide legal or other advice.