John Salmon’s Financial Services blog

Financial services sector head John Salmon and the Pinsent Masons financial services sector team bring you insight and analysis on what really matters in the world of financial services.

Whether the use of cloud technology by banks should be treated as normal outsourcing or as a special case and how to keep control of assets and data were the two issues that most concerned those attending FinTech Connect's first Cloud Banking Conference last week.

Outsourcing rules and the cloud

Should a cloud solution or service be treated in a regulatory sense as equivalent to a traditional outsourcing arrangement? This was a topic for debate during a regulatory panel session that I participated in at the Conference.

While a number of valid reasons were put forward in favour of continuing to rely on outsourcing rules in assessing cloud arrangements, my view, that it would be better for banks to have cloud-specific guidance, was not shaken.

It was suggested that general outsourcing principles are sufficient for the cloud, as many of the challenges are the same – data security and dealing with cyber issues, dependence on third parties and retrieving data on termination of the relationship. While this is no doubt true, what concerns me are not the similarities, but the differences between cloud arrangements and traditional outsourcings.

This is a classic case of the law failing to keep up with technology. Outsourcing regulation and guidance were designed for another age, one which had its own set of challenges. In the era in which these rules were drafted, it made sense to centre regulatory questions around the physical outsourcing of the IT function, the location of assets and people.

But in a cloud context, it makes less sense to talk about 'exporting data', the 'business premises' on which data are processed or even the criticality of an 'IT function'. What is more important is establishing rules that focus on the criticality of the data itself. 

It is worth acknowledging, though, that the term 'cloud' is a convenient bucket into which to throw a range of technology solutions and services. Grouping them all under the same heading to provide specific regulatory guidance will have its own challenges. But as banks and other financial services organisations look for more certainty, publishing specific guidance highlighting the differences between traditional outsourcings and cloud arrangements can only be a good thing.

Control in the cloud

Whether viewed as a traditional outsourcing or a distinct form of arrangement, many of the discussions around the cloud are progressing beyond the most obvious regulatory questions of data security, auditing rights and data sovereignty. They are now focusing more on governance and how to match the requirements of the Financial Conduct Authority's systems and controls (SYSC) handbook against the reality of what a cloud arrangement will entail.

The fear of loss of control, however, remains, and the suppliers are looking to address it largely by promoting hybrid cloud models. A multiple cloud strategy could allay much of an organisation's fear over control, but managing multiple clouds alongside existing IT brings its own set of fears. Complexity arises at every turn – integrating infrastructure, applications and platforms calls for effective management, control and oversight.

The challenge is now for cloud providers to demonstrate to customers and regulators that this complexity can be overcome and that these 'new' fears are unfounded or at least overstated.

Control over who procures cloud within the business is a separate matter that banks need to quickly address. 'Shadow IT' continues to be an issue for many organisations, with employees using corporate credit cards to purchase cloud services without necessarily thinking about the consequences.
