The Dutch Central Bank (DNB) announced that AWS is a suitable platform for financial services companies in the Netherlands because the cloud provider enables the regulator to supervise the activities of those companies using AWS, according to an Amazon statement. "The DNB has now clarified that the requirement for supervision is met by institutions using Amazon Web Services (AWS)," Amazon said. "Financial institutions must still meet other requirements, such as carrying out standard risk analysis for their solution, however this announcement clears the key criteria for Dutch organisations looking to move to AWS."
"The announcement covers the use of AWS in all facets of Dutch financial operations, such as websites, mobile applications, retail banking platforms, high performance computing and credit risk analysis solutions. Additionally, the storage and management of all levels of data on the AWS Cloud, as well as the use of technology that runs on top of AWS and is provided by third party vendors, are also included," it said.
Under the EU Markets in Financial Instruments Directive (MiFID), financial services companies that outsource data processing activities are generally required to ensure that regulators have 'effective access' to 'data' and 'premises'.
Neither the DNB nor Amazon responded to Out-Law.com's request for more details on how the regulator would be able to fulfil its data audit rights in relation to data stored by Dutch financial services companies on the AWS platform.
However, the DNB previously published information that explains in general terms what Dutch financial services companies must obtain from their cloud provider in relation to data audit rights. "Cloud computing is regarded as a form of outsourcing and is therefore covered by the same requirements," according to information published on the DNB's website. "These include the requirement to compile a risk analysis. Your bank must also conclude agreements about who has access to the data and where it is physically stored. Finally, your bank must contractually specify that no data is left with the provider once the contract ends or is terminated."
"DNB must be granted the 'right to audit'. Outsourcing, including in the form of cloud computing, may not prevent DNB from carrying out its supervisory duties. This means banks must afford the supervisory authority access to a provider. This will enable the supervisory authority to check and evaluate certain processes and the way data is handled," the information states," it said.
The DNB previously concluded an agreement with Microsoft in relation to data audit rights for businesses in the Netherlands that use the technology giant's Office 365 cloud platform.
A spokesman for the DNB told Out-Law.com that the agreement did not extend to forming a 'template' clause on data audit rights that would apply to contracts formed between Dutch financial services companies and Microsoft in relation to the use of Office 365. However, the spokesman did confirm that Microsoft has agreed that the Bank can "visit Microsoft at any moment" in order to check the data belonging to financial services companies under the terms of specific contracts.
The agreement allows Dutch firms to meet their requirements set out in regulations under the Financial Services Act in the Netherlands – the legislation that transposes the MiFID rules into Dutch national law, the spokesman said.
Financial services law expert John Salmon of Pinsent Masons, the law firm behind Out-Law.com, said that it was not "the most effective way forward" for cloud providers to have to negotiate data audit rights with every regulator in each jurisdiction across the EU.
"More discussion and debate is needed over the correct interpretation to be given to the provisions of MiFID and implementing laws which require 'effective access' to premises," Salmon said in a recent Out-Law.com article. "Do on-site audits really give regulators more visibility over the quality of processing activities undertaken by an outsourcing provider? Even if in a perfect world they may, do regulators really have the resources to enable them to effectively inspect cloud resources located outside of their own jurisdiction?"
"The best way forward may not be at the negotiating table but through a robust legal discussion which backs the idea that effective access to premises may mean digital and not physical access," he said.