Cookies on Pinsent Masons website

Our website uses cookies and similar technologies to allow us to promote our services and enhance your browsing experience. If you continue to use our website you agree to our use of cookies.

To understand more about how we use cookies, or for information on how to change your cookie settings, please see our Cookie Policy.

Cloud compliance uncertainty persist for banks, says Scanlon

There remains a lack of clarity in the banking sector over the steps institutions must take to comply with regulations when adopting cloud-based services, an expert in financial services and technology law has said.30 Apr 2018

Luke Scanlon of Pinsent Masons, the law firm behind Out-Law.com, said the uncertainty persists despite the fact authorities in the EU have issued guidance to industry on the use of cloud services.

Scanlon was commenting after the Financial Times reported that there has been increased scrutiny of banks' cloud arrangements in recent times from regulators in both Europe and the US.

The regulators are particularly interested in whether banks can continue providing services should cloud services fail, and whether the institutions can move data back from cloud-based servers to their own databases, according to the report. It said EU authorities have asked to see banks' cloud contracts in recent weeks and that the Office of the Comptroller of the Currency in the US is reviewing banks' relationships with third party providers.

In September 2017, the European Central Bank (ECB) called on fintechs to think more seriously about the risk of using cloud computing when applying for banking licences. The ECB identified risks around supplier dependencies and lock-in.

The ECB's guide was followed in December by new cloud guidance for banks from the European Banking Authority (EBA). The EBA's guide built on the existing Committee of European Banking Supervisors (CEBS) guidelines on outsourcing and will apply from 1 July this year. The EBA has also outlined plans to update the CEBS guidance, which has been in place since 2006.

Earlier this year Scanlon said that the EBA's cloud guidance left banks looking for more detailed direction, and further identified a lack of clarity over the extent of banks' obligations to notify regulators of their cloud arrangements.

"Despite the efforts of key supervisory authorities in Europe including the EBA and ECB, significant uncertainty continues to surround the question of whether and to what extent financial institutions can enter into public cloud arrangements," Scanlon said. "Given the overwhelming evidence which connects the benefits for and speed to innovate with cloud adoption, it is concerning that these issues continue to persist."

"The EBA has promised to provide in Q&A form further guidance and it is hoped that this further guidance together with the upcoming revision of the broader CEBS outsourcing guidance will remove some of these hurdles. It is also hoped that, in the UK, the Prudential Regulation Authority (PRA) will publish guidance that clarifies its position in more certainty as the Financial Conduct Authority (FCA) did in 2016," he said.