This post examines legal and regulatory issues facing the adoption of cloud computing in the financial services industry. While cloud computing has given the companies that use it the ability to operate more efficiently at reduced cost, the financial services industry has been slow to adopt this technology because of the distinct state, federal, international, and industry regulations that apply to this sector. We begin with an overview of cloud computing, continue by focusing on specific hurdles preventing widespread adoption of this technology in the financial services industry, and conclude with recommendations for how to successfully integrate cloud computing into the industry.
What is cloud computing?
Cloud computing is simply another name for a method of giving clients convenient, on-demand access to a pool of virtualized resources such as servers, development platforms, or software programs. Because capacity is provisioned over the internet or other networks, clients can scale computing resources up or down with demand, making more efficient use of IT capital and avoiding the large expenditures associated with maintaining a warehouse of their own servers.
Clouds can be classified as public, private, or hybrid. Public clouds are owned and managed by the Cloud Service Provider (“CSP”), private clouds are owned and managed by the corporation using the service, and hybrid clouds combine the two. Clouds can also be classified as Infrastructure-as-a-Service (“IaaS”), Platform-as-a-Service (“PaaS”), or Software-as-a-Service (“SaaS”). IaaS models are essentially a replacement for internal data centers. PaaS models provide a platform on which business applications are developed or customized. Finally, SaaS models deliver applications through a client, such as a web browser.
Firms in the financial services industry have been slow to adopt cloud-computing technologies in core areas such as investment banking because of confidentiality, security, and regulatory compliance issues. Most of the adoption of cloud computing in the financial services industry has involved using IaaS models on non-critical services such as software patches, maintenance, and other IT services. Transitioning into higher value-added models such as PaaS and SaaS will require traversing the difficult legal, economic, and technical landscape of cloud computing.
What are some of the legal and regulatory issues facing firms in financial services who wish to take advantage of cloud computing?
The financial services industry is one of the most heavily regulated in the world. To effectively and economically service clients in the financial services industry, CSPs will have to navigate a patchwork of state, federal, industry, and international regulations dealing with data privacy and protection. In this post we classify legal issues into two broad categories: those dealing with data location and transfer, and those dealing with data accessibility.
1. Data Location and Transfer
Depending on the type of information being held in the cloud, regulations may restrict where that data can be physically stored and how and where it may be transferred. For example, the use of a CSP to store customer data may trigger disclosure requirements for the client under the Gramm-Leach-Bliley Act, which requires that companies explain their information-sharing practices to their customers. Other regulations require that data not be intermixed with other types of data on shared servers or databases. A clear understanding of where client data physically resides in the cloud will be important to any CSP that hopes to successfully serve banks and other financial institutions.
Regulations will also affect how CSPs and clients can transfer data held in the cloud. EU Directive 95/46/EC, commonly known as the Data Protection Directive, addresses personal data or personally identifiable information and restricts how and where that information may be transferred. Personally identifiable information can only be transferred to countries that are deemed to provide adequate protection. Companies can use the Safe Harbor Agreement to transfer data from the EU to the US by following a set of Federal Trade Commission regulations, verifying compliance through self-assessment or third-party assessment, and registering with the Department of Commerce. Finally, other regulations may require that data be encrypted during storage as well as transmission.
2. Data Accessibility
Regulatory issues relating to data accessibility are another area of concern for financial institutions. Privacy regulations may restrict which users are authorized to access certain kinds of data. These regulations will also require CSPs to be able to quickly de-provision or revoke access privileges, and to monitor use, when employees leave or transfer.
In addition to restricting access to data because of privacy or security concerns, CSPs will need to deal with compliance in auditing and e-discovery. In the past, financial institutions have preferred to build private clouds because of the greater control they have over their own private clouds and because of the ability to complete SAS-70 audits more quickly. CSPs, since they are third parties to the financial institutions, will be operating public clouds. They will need to build SAS-70 compliant applications, and will also need to obtain the appropriate security certifications, such as ISO 27001 and FIPS 140-2, for their clouds. These standards are part of a family of security compliance standards that is sure to grow as the industry matures.
Furthermore, CSPs will need to deal with subpoenas and with laws such as the USA PATRIOT Act and the UK Regulation of Investigatory Powers Act. Financial institutions are concerned that third parties may gain access to financial data without the company’s knowledge if the CSP receives a subpoena or is the subject of a criminal or national security investigation. If the data in the cloud is subject to e-discovery, financial institutions will also need to know how document holds are enforced, how metadata is protected, and how information is searched for and retrieved.
What are some possible solutions?
For the individual CSP, all of the preceding issues will need to be dealt with primarily by contract. Contracts will need to specify the physical location of the data, the other types of data stored on the same servers, how and where that data is transferred, how the CSP will respond to legal requests for information, how the CSP will respond to audit requests, who will be liable and to what extent in the event of a security breach or disaster, and so forth. Drafting strong contracts will require understanding the state, federal, international, and industry regulations that cover a typical financial services firm. While cloud computing has been around for a long time and provides the basis for many of the applications and platforms that consumers and businesses use daily, the slow development of adequate contracts has hindered the growth of cloud computing in the financial services industry. Understanding these regulatory issues will be key for a CSP to succeed in the financial services industry.
From a broader perspective, it may be beneficial for regulators and lawmakers to partner with financial services firms and CSPs to draft new regulations that would allow the industry to take advantage of cloud computing technologies to reduce the cost of doing business.