This is Part 6 of our ten-legged journey to explore how the Cloud can enable productivity, innovation, and scalability in financial services.
Each of my ten blogs over the eighty days will echo the themes discussed in Reply’s ten-part webinar series, Cloud in Financial Services, in which we’ll highlight some of the key points offered by our presenters and panel members.
In the fifth webinar, we benefited from a panel of senior leaders from the European Banking Federation and Google as well as some of Reply Cloud experts (Luca Mayer and Julien Recan). They shared their ideas on Cloud Security. If you haven’t yet read the write up for part five, you can do so here.
Now more than halfway through our journey around the cloud in 80 days, it’s time to look at things from a regulatory perspective. That’s why, in this blog relating to the sixth leg of the journey, I’ve invited experts on the topic including Ksenia Duxfield-Karyakina, Public Policy Manager, Google Cloud; Slavka Eley, Head of Banking, Markets, Innovation, and Products at European Banking Authority (EBA); Patrick Armstrong, Member of Secretariat at Financial Stability Board (FSB); and Karine Marechal, Associate Partner, e*finance consulting Reply UK.
What follows is my summary of their expertise from the webinar. Slavka Eley kicked us off with the approach that the EBA is taking with regards to cloud regulation and coming trends and developments.
European regulators are generally supportive of Cloud adoption and keen to respond with regulations and supervisory approaches that are technologically neutral and supportive of innovation. One important trend that they see from large institutions is the overwhelming implementation of Cloud solutions already. More than 90% at this stage are already using the Cloud in some capacity.
The benefits of Cloud are well-known; we discussed many of these benefits in the webinar series. However, regulators recognise certain risks of the Cloud, particularly for regulated entities like financial institutions. Based on the current regulatory stance, the use of Cloud services falls under the regulatory framework of outsourcing, meaning ‘an arrangement of any form between an institution, payment institution, or electronic money institution and a service provider by which that service provider performs a process, service or activity that would otherwise be undertaken by the institution, the payment institution or the electronic money institution itself.’
This is key: If a financial institution uses the Cloud, it qualifies – generally speaking – as outsourcing and is as such subject to outsourcing regulatory requirements.
Within the banking sector, for example the EBA has developed Guidelines on outsourcing arrangements; they entail six major points.
The first point is the definition of critical and non-critical functions. It’s very different if support functions are held in the Cloud compared to core banking functions, for example. Secondly, the Guidelines define specific documentation requirements, which should be adhered to by the institution moving into the Cloud including contract clauses etc.
Thirdly, it is the institution’s responsibility to ensure the security of data and systems — particularly important as security has already been heavily covered throughout this series. Sub-outsourcing guidelines come next. Since it’s common practice that third-party providers use additional service providers and so on, institutions are expected to ensure obligations down the chain of outsourcing entities.
It is also the institution’s responsibility to ensure access rights and audit rights for auditors and supervisory authorities, including premises and systems of third-party service providers. The final issue relates to contingency planning and exit strategies to cover risk related to the ability to provide services without interruptions. What happens if one provider disappears and you have to quickly move?
Following on from Slavka we heard from Karine Marechal, a colleague of mine and Associate Partner at e*finance consulting Reply.
Karine echoed Slavka in that it is the responsibility of the Board and Senior Management to manage risk when outsourcing to the Cloud. Drawing on her experience, Karine stressed that it’s important also to elect someone with the right skill set to oversee, manage, and challenge your Cloud providers; easier said than done in light of the scarcity of resources who span the regulatory and technology domains.
Karine highlighted ongoing regulatory initiatives in the EU by ESMA (capital markets) and EIOPIA (insurance) that mirror the work done by the EBA in banking. She also drew our attention to the Prudential Regulation Authority’s (PRA) work on operational resilience, which extensively covers the Cloud. Interestingly, Karine also reminded us all that Brexit will influence the way regulatory landscape in this domain, illustrating her point with the recent announcement by the UK Financial Conduct Authority, which indicated that EIOPIA’s Guidelines will not apply to regulated activities in the UK.
Following Karine UK and EU-centric look at regulations, I asked Patrick Armstrong, Member of Secretariat at the FSB, for his global view on what the FSB is working on.
The FSB, in December of last year, published two reports concerning financial stability considerations from the increased presence of Big Tech and the adoption of Cloud computing in financial services
Given the resources and reach of Big Tech, the FSB is equally interested and concerned with what will happen next and the potential risks of cloud and customer data. Third-party service providers in financial services are nothing new, and many jurisdictions have supervisory policies in place around such services. The rise of Cloud and the level of third-party services provided exacerbates risk.
Going forward, a discussion among supervisory and regulatory authorities on current approaches to current issues around risk and regulation would be constructive. For example, we may wish to define:
***
If you have any questions about any of the above, please feel free to reach out to us at Reply at