FCA cloud guidance has helped banks discuss regulatory challenges with providers, but more work is needed, says HSBC's Pickersgill

Mark Pickersgill, who is head of IT legal for infrastructure delivery at HSBC, told Out-Law.com that cloud contracting presents different challenges to traditional IT outsourcing from a bank's perspective. He said banks can at times be asked to accept standard contract terms offered by a cloud provider for use of its services, and that greater engagement, outside of the negotiating context, on why changes are necessary to some provisions to accommodate regulatory duties would benefit both banks and cloud providers.

"The vendors generally are at different levels of expectation in terms of what they can offer and understanding as to what we are likely to require within the regulatory environment that we operate in," Pickersgill said. "It does take an element of discussion and cooperation between the parties pre-contract to understand both sides' approach."

Guidance on cloud outsourcing, published by the UK's Financial Conduct Authority (FCA) last year, has helped to raise cloud providers' awareness of the regulatory barriers banks must overcome if they wish to use their cloud services, Pickersgill said. However, further work should be carried out across the banking and cloud industries to help make it easier for banks to adopt cloud solutions, he said.

"[The FCA's guidance] has helped in that we have been able to bring the guidance to discussions with vendors," Pickersgill said. "It gives both parties an understanding at a glance of the kind of challenges that we might face. It also leaves some questions open in terms of obligations around sub-contracting, obligations around exit planning and testing exit plans, for example."

Pickersgill said he hoped the British Bankers' Association (BBA), together with the FCA and cloud computing industry could work together to "see whether there are ways in which the vendors can offer solutions to the banking industry as a whole" that address the regulatory issues banks must account for when outsourcing critical or important business functions to the cloud.

Pickersgill said discussions could focus on developing "a shared approach in terms of audit rights" and to cloud security, and potentially an industry-standard approach to "exit and migration and disaster recovery".

"It is obviously a lot of work to get to that point but something in that direction in terms of collaboration would be helpful," Pickersgill said. "Understanding that what we are doing is something that the FCA is comfortable with and that the rest of the market is adopting the same approach helps I think in terms of making the most of these services and enhancing our offering to customers."

The regulatory obligations banks face in relation to exit planning and ensuring continuity of services through service migration is one of the issues that HSBC has had to consider closely, Pickersgill said. The issue is one of seven main hurdles to banks' adoption of cloud-based services identified in a new report by the BBA, which was produced in partnership with Pinsent Masons, the law firm behind Out-Law.com.

As well as having an exit plan in place, banks need to ensure those plans are tested and that they have secured "a level of cooperation between the current vendor and the potential new vendor" to assist with the transitioning of services between the rival providers, Pickersgill said.

"In terms of exiting in the cloud context, we have to think and focus more on how we can get the data out – it is not on our environment – [and] how we can do that quickly, at pace and have something else ready to migrate to either back internally within our own infrastructure or having another vendor ready to ensure we have continuity of service between the two solutions," Pickersgill said.

"From our perspective [it is about] understanding the challenges the vendor might face in allowing us to have that same assistance [for transitioning to a new service] that we would expect in a traditional technology contract and, from the vendors' perspective, understanding some of the challenges that we would face in terms of making sure we have the right level of control over the service to move it across and that they can understand that we might need something slightly more nuanced to address the regulatory environment than some of the other customers that they are used to providing these services to," he said.

"Our view would be that we would look to test the environment, the exit strategy periodically, firstly making sure that you have got a proper exit plan in place, which is sometimes something that gets missed as you move beyond signature and into use of the service in place not just in a cloud context but more broadly, and testing that once you have that in place, making sure that you can get the data out, understanding what the solution might be if the cloud service provider failed and we had to do something to maintain continuity of service as quickly as possible," Pickersgill said.

Exiting from a cloud contract and moving to alternative IT infrastructure may be more challenging for banks if they have taken advantage of "proprietary tools" offered by cloud providers, he said.

"In some cases the vendors are not just offering the hosting capability, the infrastructure, they are also incorporating that with some tools that they provide as part of their service, proprietary tools that they own and offer to us," Pickersgill said. "In many cases these tools are part of the reason for taking that particular service because it is something that would either cost us significant investment to develop and time to develop internally or that we don't potentially have the capability to develop internally."

"It might be the case that moving to another vendor they don't quite offer the same service in that particular area so we have to think about how we can access another solution that does the same job for us either by doing some internal development or asking someone else to do some development for us," he said.

Pickersgill said he would welcome "more commonality" across cloud platforms to help make "migration smoother", and address the current need for "reengineering" of applications banks use in the cloud.

Pickersgill also outlined the internal procedures and controls HSBC has introduced to govern its use of cloud services once cloud contracts have been agreed.

"With these types of service more often the model is once you've agreed terms with the vendor for the use of the platform you can use it for whatever you want to use it for, in terms of what type of data you put on it, what services you use, and so we have had to work on how we develop our understanding of how we might use that service and work with the IT function and the business to get a better understanding of what we might use it for," Pickersgill said. "That then allows us to understand better what risks might be presented by the provisions in the contract in the context of the provision of that particular service."

"It is often not the case that we can simply agree to those terms and those terms are made available throughout the bank for wider use for anything – it has to be quite tightly controlled internally and the IT function is very aware of that and does a lot of work in terms of internal controls to make sure we only access these services in the right way, when we have been through the right internal processes and the correct governance and compliance, so that we are only using them for things that we are comfortable are appropriate for use in that environment," he said.