Part two – regulation and compliance
In the first article of this series, I outlined the key challenges and opportunities presented to financial services (FS) organisations adopting public cloud technology. In this second article, I continue by discussing some of the specifics of the regulatory and compliance aspects.
FS firms have cited regulation and compliance as the biggest challenges to overcome in cloud migration. In a paper published in February 2017¹, the BBA identified seven barriers to cloud adoption:
1. Approach to ‘important’ and ‘critical’ functions
2. Supervision and oversight
3. Regulatory authority access
4. Risk framework
5. Location of data
6. Data breaches and monitoring
7. Termination
Approach to ‘important’ and ‘critical’ functions
The essence of this concern is the difficulty in appropriately identifying which functions may be deemed ‘important’ or ‘critical’, because such functions are subject to greater regulatory oversight in the context of outsourcing. This lack of clarity means that FS firms may take an overly cautious approach in deciding what to move to the cloud.
The key here is not that these functions cannot be migrated, but that they are subject to greater scrutiny. In deciding what can move to the cloud, FS firms will be obliged to ensure that they provide continuity of key services in much the same way as they do with their on-premises solutions (e.g. adopting multi-site redundancy coupled with business continuity processes, managing security, and maintaining the currency and integrity of all components in the service stack). The additional risks come from relinquishing some elements of control and oversight, and from the introduction of vendor concentration risk.
Supervision and oversight
FS firms retain full accountability for any services they outsource, and so must have in place the structure and expertise to supervise and monitor those activities being provided on public cloud. Furthermore, they are required to have oversight of the value chain, which requires an understanding of the cloud provider's subcontracting arrangements.
The key to the first element is having both contractual and organisational constructs in place that ensure accountability and responsibility are clearly defined and can be continually exercised and demonstrated. The value-chain element requires a proportionate response that balances detail with materiality.
Regulatory authority access
Since FS firms are required to provide regulatory access (physical and remote) to their systems, premises and data, this becomes a contractual negotiating point with cloud providers, who are naturally reluctant to grant access to what amounts to shared facilities.
This issue can be addressed through carefully constructed contracts that specify the exceptional circumstances under which access can be granted and the means by which it is provided. Perhaps a more relevant consideration arises around key management. Access on many levels is managed in the cloud through encryption, and the default generation and management of encryption keys is often provided by the cloud supplier. This approach, however, needs to be evaluated in light of regulatory access requirements: if the supplier generates and holds the keys, the firm must be sure it can still provide the regulator with access to its data when required.
Risk framework
Moving to public cloud alters the risk profile of an organisation, adding some risks and arguably reducing others. Moreover, this risk profile will continue to change as service offerings mature and the degree of migration continues. Therefore, FS firms need to adjust and maintain their risk frameworks accordingly and, in doing so, fully consider all aspects of operational risk that may have changed. Each firm will have developed an internal risk framework based on regulation and risk appetite. Adapting these for the cloud will require extensive changes, but there are standards and frameworks that can greatly assist, possibly the most appropriate of which is the COBIT 5 guidance for controls and assurance in the cloud.
Location of data
The location and transfer of data is subject to various international regulatory bodies, and concerns have been raised regarding exactly where data is located and processed. However, the major cloud providers are increasingly able to address this issue through the provision of regional data centres with strong controls over data access, transfer and encryption.
Data breaches and monitoring
Unauthorised access to data, and in particular the management of private data stored in the cloud, has been raised as a concern, particularly with the introduction of the new European General Data Protection Regulation (GDPR) planned for May 2018. It is worth noting, however, that cloud service providers such as Amazon Web Services (AWS) and Google Cloud Platform (GCP) provide extensive controls through identity and access management (IAM), role profiles and access control lists, encryption in flight and at rest, and access monitoring. Both these vendors will be fully compliant with GDPR before the regulation is enforced.
Termination
FS firms need to ensure that they can migrate away from an existing provider in a controlled way. This requires that such a move is supported by a contractual component, and that a viable alternative exists. Much of the technology and tooling provided by the major cloud vendors is transferable, but remains proprietary. The use of any proprietary technology must therefore be considered within the overall risk appetite and vendor concentration risk of each individual firm.
The burden of ensuring that the growing use of public cloud falls within an acceptable risk appetite and satisfies all regulatory requirements demands significant investment, from organisational change through to complex contractual negotiation. However, there are many positive improvements from a risk perspective, and the financial and agility benefits of moving to the cloud will continue to outweigh the costs.
¹ Banking on Cloud: A discussion paper by the BBA and Pinsent Masons, May 2017