But as the government presses forward with its G-cloud initiative and organisations outside of the financial services context look at business-wide cloud solutions, the extent to which financial institutions can engage in cloud procurement activities remains uncertain, despite some positive developments. Below, after outlining some of the applicable rules, we consider a few of the most continued to be talked about concerns.
Relevant rules and constraints
The Financial Conduct Authority's (FCA) and the Prudential Regulation Authority's (PRA) Senior Management Arrangements, Systems and Controls (SYSC) sourcebook sets out rules on outsourcing. Rule 8 of the SYSC sourcebook requires firms to take reasonable steps to avoid "undue operational risk" when outsourcing "critical or important functions".
For sometime, 'critical or important functions' have generally been considered to include data storage and the day-to-day management, maintenance and support of information and communications technology. A number of regulators across Europe are now also taking the view that existing outsourcing rules apply to all functions performed through a cloud, whether those functions be the delivery of software, databases, platforms or infrastructure as a service.
For firms subject to the EU Markets in Financial Instruments Directive (MiFID) or the Capital Requirements Directive (CRD), SYSC Rule 8 applies as a rule, meaning that compliance is mandatory and non-compliance could result in sanctions. For other firms, SYSC Rule 8 must be observed as guidance (a 'should' obligation instead of a 'must' one).
Insurers, which observe Rule 8 as guidance, are also subject to further rules set out in SYSC 13 and 14. These further rules detail obligations which take effect in the event of a "material outsourcing" and provide that "particular care" should be taken in managing material outsourcing arrangements.
A material outsourcing is defined as one that is of "such importance that weakness, or failure, of the services would cast serious doubt" on the firm's ability to comply with certain 'threshold conditions' specified in Schedule 6 of the Financial Services and Markets Act 2000 (FSMA) (and further conditions set out in the Financial Services and Markets Act 2000 (Variation of Threshold Conditions) Order 2001). Beyond this definition, the Financial Services Authority took (and presumably now both the FCA and PRA take) the view that each firm is best placed to judge for itself what is 'material' in the context of its own particular business, although it also directed firms to enter into dialogues with its staff whenever the question of the materiality of an outsourcing arises.
Whether a firm chooses to enter into a dialogue with the regulators in order to determine if an outsourcing is material, it must provide notification once it has determined that it will be entering into a material outsourcing. A firm also "must take reasonable steps to ensure that each of its suppliers under material outsourcing arrangements deals in an open and cooperative way with [the regulators] in the discharge of its functions under the [FSMA] in relation to the firm."
Access and audit rights
Access and audit rights remain the principal concern. The rules specify that auditors and regulators must have effective access to outsourced data and to the business premises of service providers for material outsourcings, which causes complications in the cloud context. Regulators are likely not to look kindly on a response to the question 'where is the data located?' with the answer 'it is in the cloud.'
Although the regulators are unlikely to use their auditing powers in the normal course of business, they may choose to do so in response to a material outsourcing failure or in order to investigate a persistent or otherwise serious regulatory breach. For this reason, financial services firms need to consider how to enable effective access to data that is processed in a cloud.
Since reports of an agreement between Microsoft and the Dutch banking regulator surfaced late last year, there have been suggestions that contractual arrangements can be put in place with cloud suppliers to facilitate effective access to data. It remains to be seen how other regulators respond to this approach and how practical the reported agreed auditing arrangements will prove to be.
As an alternative to negotiating specific audit rights, some financial services firms may be tempted to rely on certifications of independent third party auditors recommended to them by cloud providers. While data protection regulators, such as the Information Commissioner's Office and the EU Article 29 Working Party, have suggested that third party certifications may be an effective solution for compliance with general data protection requirements, similar statements have not been made by financial services regulators. It is therefore not clear that a third party's certification of a cloud provider's activities will satisfy 'financial services specific' regulatory requirements.
Cloud security standards
Data security remains another key concern with potential cloud customers wanting assurance that the outsourcing of functions to a (in particular, public) cloud will not cause data security to fall below the required legal standard.
Cloud providers would argue that wherever data is stored it is vulnerable to attack, all outsourcing solutions carry security risks and that cloud services should not be held to a higher standard than that imposed on other outsourcing solutions. If a cloud provider can demonstrate that the security risks posed by its offerings, although different, are not materially more significant than those posed by traditional outsourcing arrangements, it may have good reason to believe that its services should not be subject to more onerous regulatory requirements than those that are imposed on other outsourcing providers.
Data sovereignty
A third concern often cited by financial services firms relates to the idea of 'data sovereignty' and intervention by foreign governments in processing activities that occur within the physical boundaries of foreign jurisdictions. Much is made of the US' Patriot Act and the US government's ability to access data stored on premises located within US sovereign territories. The realty though, is that most, if not all governments, will have powers to access data in some circumstances.
As far as the current EU regulatory framework stands, it is possible for requests to access data by foreign regulators to come into direct conflict with EU data protection requirements. Any contract for cloud services therefore which requires the storing of data outside of the European Economic Area would need to seek a variation to terms of service which allow for disclosure to a law enforcement agency 'whenever served with a legal request'. In order to avoid EU sanctions, precedence must be given to EU data protection requirements.
In addressing the issue of foreign regulator access to data, it may be best practice for cloud customers to seek to gain greater transparency by requiring providers to (1) give details of any security measures that may form part of the process of handing over data to a foreign regulator, (2) identify any supervisory arrangements to which the regulator seeking access may be subject and (3) identify avenues for redress in cases of unlawful or mistaken access.
