Walker Morris LLP

Legal News

Use of cloud technology in streamlining processes and enhancing the customer journey in the sale and maintenance of financial services products offers businesses obvious benefits, with the Bank of England (BoE) stating that “using the cloud allows businesses to work in a more agile way…from file sharing to managing fraud”.

However, a changing regulatory compliance landscape, as well as cybersecurity and data privacy concerns, represents a major hurdle for large-scale cloud technology adoption in the financial services sector. There have been widely reported examples of large financial services companies experiencing significant delays in cloud technology transformation projects because of concerns about managing customer information and operational resilience.

At the heart of the challenge is that, although technology and software companies offering cloud-based solutions generally offer a high degree of resilience for their services, that resilience is premised on a clear distinction between provider and customer responsibility, with customers bearing the responsibility for taking appropriate security measures in respect of their data and system security obligations. In addition, when engaging with providers it can often feel like customers are “pushing uphill” when seeking to negotiate away from key risk positions in the provider’s “standard terms”: liability limits, service level regimes and remedies for breach can often appear “set in stone”, and providers resist offering bespoke regulatory compliance warranties, audit rights or information security standards, arguing that their “hands are tied” because of the standardised nature of the services they provide in a multi-tenanted environment.

From a wider market perspective, regulators have noted the significant concentration in the market for cloud providers, with only a handful of providers able to offer suitably scalable and efficient solutions for many financial services companies. Consequently, there is concern that, should any of these providers fail, the financial stability of financial institutions and service firms could be put at risk. Additionally, the ever-present concern over the management, maintenance and security of customer data continues to be a key focus for regulators (and customers) in the financial services sector, with regulators grappling with the challenge that customer retention is based upon the level of customer data controlled by a firm.

It is in this context that we can expect to see further developments in the move to adopt further regulation of the use of cloud service providers by financial services firms. Consistent with their previous initiatives on operational resilience, we eagerly await the release later this year of the joint discussion paper from the Financial Policy Committee (FPC), the BoE’s Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA), which will outline suggested plans on how to mitigate the impact of over-reliance on cloud service providers for the performance of critical functions.

So what does that mean for financial services firms in the meantime, especially when adoption of cloud technologies is almost a necessity in retaining efficiency of service? When using or moving to cloud-based solutions, here are a few issues to bear in mind:

  • Undertake your own due diligence on data security, control and exit. What is the data set, and in what form do you need it on exit? When it comes to termination, it pays to agree that post-termination support will be provided (even if there is an agreed cost for it);
  • Standard does not necessarily mean “fixed”. When it comes to negotiation, although expectations need to be realistic (services are largely standardised and, as such, providers need to maintain a consistent risk profile across their platform), providers will countenance movement on termination rights for default, enhanced service credit regimes and increased caps for data breaches, especially where customers are paying for an enhanced or “premium” service package or for additional levels of support;
  • Obtain commitments on information security standards and document them. A key selling point for providers is the operational security their system offers; that being the case, ask for it to be warranted; and
  • Test and document operational resilience plans, outlining the steps your business has taken to ensure the security of the data being processed by the cloud provider, the alternative providers available in the event of failure, and the steps that would need to be taken on termination of the arrangement.

Whilst we can look forward to further details from the FPC, the BoE, the PRA and the FCA on the regulation of the use of cloud providers, it is clear that the regulators will expect firms to adopt best practice when outsourcing functions to cloud-based service providers. Ensuring you properly engage in the process of onboarding such solutions should be high on the risk management agenda.