Financial services sector head John Salmon brings you insight and analysis on what really matters in the world of financial services.
The European Commission has not helped the financial services sector this week, sidestepping the key issues that are holding back the take-up of cloud solutions, while new research highlights how many organisations are still failing to take control of the technology at the heart of their business.
EU cloud plans – no solution for regulated industries
This week the European Commission unveiled its cloud computing strategy. Neelie Kroes got us thinking, indicating to German news outlet Deutsche Welle that "the main thing is the economy", that "there is nothing wrong with business" and that savings to be made from following a strategy towards greater take up of cloud solutions in Europe are "no coffee money."
While the Commission's 'Unleashing the Potential of Cloud Computing in Europe' communication sets out more detail, it provides no immediate solutions for regulated industries.
The communication mentions the word 'audit' only once and while the issue of data location is raised as an area of concern for which "actions are needed", it is not otherwise commented on.
Applicable law is referred to in passing but no mention is made of what an organisation should do when faced with conflicting demands from EU and foreign regulators in respect of the same data.
This is not great news for the financial services sector. With Martin Wheatley reported almost every other day as stating that the FSA is, and the FCA will be, 'targeting' some practices while 'cracking down' on others, there is little prospect of the UK regulators interpreting auditing obligations broadly enough to enable full cloud take-up.
It seems that the consensus among financial regulators across Europe is that the Markets in Financial Instruments Directive (as amended) (MiFID) ties their hands in respect of cloud auditing requirements, at least for organisations bound by its requirements. As a consequence, the FSA, in its interpretation of the Senior Management, Systems and Controls sourcebook (SYSC), must follow suit.
MiFID states that investment firms must
in respect of the outsourcing "of critical or important operational functions or of any investment services or activities ... take the necessary steps to ensure that ... the investment firm, its auditors and the relevant competent authorities must have effective access to data related to the outsourced activities, as well as to the business premises of the service provider; and the competent authorities must be able to exercise those rights of access."
The EU's strategy could have stated that 'effective access to data' may not in all circumstances be taken to mean that a customer must be able to detail the exact location of data at all times. It also could have questioned whether 'effective access to business premises' requires physical inspection. Had the Commission taken this approach, it could have gone a long way to achieving its stated purpose of moving European markets, especially financial ones, toward becoming "cloud-active" as the communication put it.
Interestingly, on the same day in which the Commission brought out its content-light communication, the ICO made specific comments in relation to independent third party certification regimes and cloud services in a new guidance note.
The ICO reminded cloud customers to be strategic in their decision making and think about which categories of data can migrate to the cloud now and over which categories question marks still remain.
The ICO also acknowledged that "one of the most effective ways to assess the security measures used by a data processor would be to inspect their premises" but also that "this is unlikely to be practicable for various logistical reasons."
In endorsing a solution, the ICO stated that "One way for cloud providers to deal with this problem would be for them to arrange for an independent audit of its service and to provide a copy of the assessment to prospective cloud customers."
While this does not overcome the difficulties financial institutions face in respect of data processing activities subject to MiFID and SYSC, it is a definite step in the right direction.
While the EU sought to talk cloud, late last week it was reported that boards are still failing to talk IT regularly enough and even when they make the time to do so, they are talking about the wrong things.
Pointing to a McKinsey survey, it was reported that more than half of those surveyed indicated that their boards "had one technology-related discussion a year or none at all."
With continuing examples of technology failures having a major impact on financial services organisations' operations, reputation and share price, better technology awareness is a must.