Cloud and regulation
Overcoming the barriers
Cost pressures and the need for flexibility and scalability are increasingly driving financial services (FS) firms to use third-party Cloud service providers (CSPs) for hosting data and providing IT and software services. Many firms already use the Cloud for a range of data storage and application solutions: about a quarter of global banks’ activities are already supported by the public Cloud, or use software hosted on the Cloud¹, and over 40% of FS may be Cloud-hosted in a decade².
FS firms have been using outsourcing for many years and FS regulators are very familiar with it. However, in the regulators’ eyes, the inherent characteristics of the Cloud outsourcing market, and the way the technology is used by FS firms, pose new and different challenges compared with more traditional outsourcing:
- Systemically-important firms are increasingly considering migrating the entirety of their activities, including critical functions, to public Cloud platforms shared between multiple FS firms. The scale and scope of such migrations present significant operational resilience risks, and also test the maturity of firms’ security, governance and risk and controls frameworks.
- Cloud services are concentrated in the hands of a few large CSPs, which currently sit outside the FS regulatory perimeter. If a CSP were to fall victim to a disabling IT outage or cyber-attack, it would act as a single point of failure, with potentially significant domino effects on firms, customers and the financial system more broadly. The concentration of the CSP market also raises issues about the imbalance of market power between CSPs and the individual firms that use them.
- The Cloud outsourcing contractual model relies on the concept of “shared responsibility”, whereby the CSP is responsible for, at a minimum, the security of the lower-level infrastructure layers, while outsourcing firms are responsible for the data stored and processed in the Cloud, as well as the overall security of the Cloud-based solutions they use³. In regulatory terms, however, outsourcing firms retain full accountability for the security and governance of the overall process, given that even an incident at the lower-level layers of infrastructure could hinder their entire business continuity and operational resilience. The mismatch between regulatory and commercial responsibilities is therefore a key issue that firms need to address.
- While CSPs operate globally, regulators’ and supervisors’ remits are typically national and are increasingly fragmented/divergent in their approaches. The difficulty in understanding where sensitive data is hosted and how it is protected by market participants operating outside the regulatory perimeter is therefore a major regulatory sticking point.
To respond to these concerns, regulators have produced detailed guidance around expectations of FS firms moving to, or using, CSPs. Aside from the regulatory framework itself, some firms face their own internal, business and operational challenges, hindering their readiness to adopt the Cloud.
In this series of three blogs, we explore: (i) the overarching regulatory approach to regulated FS firms using CSPs, (ii) some of the real and perceived barriers to CSP adoption in the FS sector, and (iii) the key considerations for firms preparing for, or transitioning to, using CSPs.
1 Refer to Huw Van Steenis’ “Future of Finance” Report, June 2019.
3 Refer to Deloitte’s reports on: “Cloud computing: more than just a CIO conversation” and on “Getting Cloud right: how can banks stay ahead of the curve?”.
About the Centre for Regulatory Strategy, EMEA
The Deloitte Centre for Regulatory Strategy is a powerful resource of information and insight, designed to help financial institutions manage the complexity and convergence of rapidly increasing new regulation.
With regional hubs in the Americas, Asia Pacific and EMEA, the Centre combines the strength of Deloitte’s regional and international network of experienced risk, regulatory, and industry professionals – including a deep roster of former regulators, industry specialists, and business advisers – with a rich understanding of the impact of regulations on business models and strategy.