– Verity Gibbons, Marketing Director at FinTech Connect, says:
When talking about cloud and regulation in financial services, it is important to approach it with a clear understanding of the typical policies that your national regulator will require you to adhere to.
Let’s start with the outsourcing policy. The cloud model gives us a way of outsourcing data centre environments, applications and services while enabling financial institutions to leverage managed services, so complying with the outsourcing policies of the national regulator is critical.
Secondly, we need to look at the data security policy. When infrastructure is “outsourced” (IaaS), it is important to ensure that the right security levels are applied to all of our data, so that it still complies with the data security policies imposed by the national regulator.
Next we need to look in detail at the data sovereignty policy. When selecting a cloud provider we normally need to understand not only the security that has to be applied but also where our data will be stored, since the data location is inherently critical and must comply with regulations.
Now that we have an understanding of the three fundamental elements that ensure regulatory compliance, we will take a deeper dive into each.
Outsourcing Policy
Normally every company that uses some kind of external provider already has a third-party policy in place. This is even more important when we talk about the cloud, as our control over data centres and data security is limited, meaning that managing our third-party suppliers appropriately is a huge priority. We should therefore have the right policies and procedures in place for managing the relationship with the cloud provider, covering all data security related aspects but also data sovereignty.
This is not something which the cloud vendor can help with, since it’s really about how we provide GOVERNANCE throughout the process.
Data Security Policy
As the outsourcing policy does not impose any specific limitation on cloud providers (apart from the governance requirements related to data security), infrastructure and data provided as a managed service by a third party become an even more thought-provoking topic, since we need to ensure that the provider meets the same compliance requirements that we do.
As an example, if we look at the data security section of the FCA’s “Financial crime: a guide for firms, Part 2, section 6”, the elements we believe to be of the highest importance are:
Governance: the creation of internal rules and processes to keep the cloud vendor compliant with our needs. The critical element here is to understand whether the cloud vendor already has a complete governance group for data security: what their existing policies and procedures are, what type of risk assessment they have carried out, and how we will be notified about data loss (since we are required to inform the customer if that happens). This is fundamental because it enables us to perform a gap analysis between their governance and what we require, and to focus only on the gaps. It is also very important that all data security policies and procedures are defined in writing, since the national regulator will require that when we are audited. Finally, it is essential to establish a clear, open and ongoing dialogue with our cloud vendor, since without that this will definitely fail.
Staff recruitment and vetting is one of the most important controls that firms can put in place to prevent data theft and other types of crime. But in the cloud, since we don’t control the cloud vendor’s team, it is even more important to be clear on what their standards are and how we can go about vetting the staff who handle our data. It is really about understanding whether there is any way we can enforce a security process; some cloud vendors already publish information about their own staff recruitment process (some of the cloud vendors’ answers can be found on the Cloud Security Alliance website). Also, we are not limited to a single cloud vendor, so we can place all the sensitive/secure data in a private cloud or even on-premises and use a public cloud for the rest.
Having the right controls in place is also extremely important, because we need to know at any given point in time what is happening with our data: who is accessing it, what the current user access policies are, what happens when an employee of our cloud vendor leaves the company, how and when our customer data is backed up, and how key-logging devices are prevented at the cloud vendor. This will give us the right level of trust in our cloud vendor to be able to answer any questions from the national authorities and (most importantly) from our customers.
Physical security suddenly becomes much more important, since we are no longer in control of the physical infrastructure. So we need to be sure of what is happening at the physical location in terms of who has access to the data centre premises and what type of security systems are used to control that access. Normally the biggest cloud vendors already have these policies and procedures in place, but requesting that information, as well as certifications such as ISO 27001, is extremely important. We just need to remember that having a data centre close to us does not make it any safer, so applying the same policies and checks we have for on-premises data centres is crucial.
Disposing of customer data is another key component of data security, since we will need to align the cloud vendor’s policies and procedures with our own to make sure everything is handled correctly. Understanding the way confidential information is wiped, stored and archived makes the process smoother.
Finally, internal audit and compliance monitoring will determine whether we succeed or not, because even with all the right policies and procedures in place, without a way to audit and monitor there is no way to prove compliance to the regulator. So it is critical to understand whether the cloud vendor gives us a way to perform our own audits of their policies and processes. If they don’t, it does not mean we can’t use their offerings, because normally they have external certified companies which perform those audits, and as long as they provide us with those reports it will be enough to audit and monitor compliance. As best practice, we should always request one of those reports before we make any type of agreement with the cloud vendor, since that will allow us to understand whether the data provided is enough and covers all of our current internal audit and compliance monitoring process. If it does not, we will still have the ability to request the inclusion of the missing elements and avoid surprises later.
Now that we understand that neither the outsourcing policy nor the data security policy contains anything which really makes the cloud unusable for financial institutions, it is time to check whether the sovereignty of the data can create a barrier to cloud adoption.
Data Sovereignty Policy
Data sovereignty has to do with the jurisdiction the data is under, which defines where the data should be located, what type of data security policies and processes need to be enforced, and which legal jurisdiction will handle any issues related to these matters. When we look at cloud vendors, since most of the public cloud vendors are US companies, there is a misconception that the data will also be floating around and accessible in the US. This is not actually true, and the EU Model Clauses were created to enforce some of those rules. This doesn’t mean everything is done and we can use them freely; it just means that when choosing a cloud vendor we will need to understand whether they provide us with locations, processes and rules which allow us to leverage their offerings.
But when we look at some of the regulators’ data security and sovereignty documentation we find some interesting statements like this:
“This is misconceived: skilled fraudsters can supplement a small core of data by accessing several different public sources – telephone directories, the electoral roll and other public records, many of which are available on the internet. They also use impersonation, for instance during phone calls or in emails, to encourage the victim to reveal more. Ultimately, they build up enough information to pose as their victim and obtain credit and other advantages in the victim’s name. In this way, a firm’s customer data might complete a set of data extensive enough to commit fraud.” (Data Security in Financial Services, from the Financial Services Authority, which was later split into the FCA and PRA, with this document remaining active)
What this creates is misconceptions, and to prove it I spoke with other people from the industry who, after reading this statement, immediately told me that cloud would not be an option. In reality this is not true at all, since there are multiple cloud options, like public, private, hybrid and community: if one cloud type or one vendor does not comply with what we need, it does not mean that we should not use or enquire about any other type or vendor. Every vendor is different, with different locations, policies and processes and ways of looking at data sovereignty. Now if you ask me whether a completely public cloud option is possible, I will probably say it is very unlikely to happen in Europe at this stage, which does not mean we cannot take advantage of it anyway, because we need to look at the “data at rest”, “data in use” and “data in motion” aspects and will most likely opt for a hybrid cloud option, where a combination of private and public cloud vendors provides our overall solution in a more effective way.
So in summary, there is not really anything in the Financial Services Regulations which states that the cloud is not a viable possibility. The only thing we need to be sure of is that the same levels of data security and sovereignty are maintained and that our cloud vendors are chosen and managed correctly. Apart from that, like any other option, the cloud has pros and cons, and it is really up to every single one of us to implement the right strategies and choices to help drive our organisations in the right direction.
Finally, we should always remember that “new” does not mean “bad or unusable”. It really is always about tackling new “threats” and maximising new “opportunities”. It is up to us to analyse the risks and decide upon our approach based on these perceived threats and opportunities. If you ask me, I think there are some threats, like new businesses being built, data security and so on, but these are far outweighed by a HUGE OPPORTUNITY for us to optimise the way we support the business, increase business agility and, most of all, provide a better end-to-end service for our customers. That for me means we should definitely invest time in understanding and investing in the cloud, and I really hope this article helps you consider doing the same.