Since mainstream cloud computing services entered the financial sector several years ago, financial institutions (FIs) in Canada have viewed cloud computing as a tool to revolutionize the way they operate and do business. Many FIs have undergone cloud transformations in recent years as solutions on the market have reached new levels of maturity for the sector.
This enthusiasm has been tempered by efforts to satisfy ever-increasing regulatory scrutiny on FIs’ operations and outsourcing arrangements. Tensions remain between the use of cloud-based solutions and developing regulatory requirements, requiring those in the sector to think carefully about how to strike a balance between risk and reward, and how to stay adaptive to ongoing change from both regulators and the available technologies themselves (for more on regulatory developments in the financial services space, see “Financial institutions should expect more enforcement”). We expect these competing pressures will remain an ongoing focal point in the financial services sector in the years ahead.
Current trends in FI cloud services
As certain cloud providers have proactively embraced compliance with regulatory requirements, such as the B-10 Outsourcing Guidelines issued by OSFI, FIs have become more comfortable hosting important workloads on IaaS (infrastructure-as-a-service) and PaaS (platform-as-a-service) services, while also replacing local software installations with SaaS (software-as-a-service) platforms. These new products often: provide faster performance and sleeker user interfaces; come equipped with ready-made algorithms that analyze and report on data in new ways; and better position FIs to satisfy consumers who have come to expect the simplicity and ease of a wide variety of apps that leverage the “as-a-service” model which has been adopted from ride-sharing to grocery shopping to home maintenance.
Most cloud solutions offered to FIs have “out of the box” functionality, allowing an FI to select its configurations without making wholesale changes to the underlying technology itself. They are built on shared software, hardware and networks and use shared resources located at shared service locations. Cloud providers often will not allow any customers (even their largest ones) to have direct access to or approval rights over any of these solutions.
Financial institutions in Canada are working to make the most of what the cloud has to offer while mitigating regulatory risk at the same time.
There are upsides and downsides to these standardized offerings. The former includes a more stable technology base that is consistent for all of the cloud provider’s customers, lower capital and maintenance costs, and scalability to respond to changes in usage patterns. The latter include a lower degree of direct oversight and control over the product, its security and continuity, and the inability to approve (or prevent) changes.
Without sufficient oversight and control, an FI may put its operations at risk and run afoul of regulators’ guidance. The core principle of this regulatory guidance is that outsourcing an internal function (or procuring an important service) does not excuse the FI from a failure to perform that function or service. As the B-10 Outsourcing Guidelines state, federally-regulated entities “retain ultimate accountability for all outsourced activities”. So how does an FI address this risk while making the most of what the cloud as to offer? The key is to ask questions, demand answers and hold cloud providers accountable for them.
Important questions for cloud service providers
Below are some of the questions that FIs should ask about any potential cloud solution.
- How do the FI and its regulator exercise their rights to audit the services and the service provider when the service provider prohibits direct access to its shared environment?
- How does the FI ensure its data is:
- protected using industry leading security controls?
- appropriately segregated and accessible to the FI?
- not processed or accessed by the FI or its subcontractors except as necessary to provide the services?
- backed up with acceptable regularity?
- not accessed, processed or stored in jurisdictions that present unacceptable risks to the FI?
- How does the FI reconcile the differences between its incident management processes and those of the service provider?
- How does the FI ensure the FI has appropriate controls over its subcontractors?
- How does the FI understand whether the algorithms or machine learning that may be included in the cloud solution make calculations that are legally compliant and meet the FI’s business requirements?
Sometimes, the cloud provider’s response to many of these questions is: “trust us”, pointing to the hundreds or more sophisticated FIs who all receive the same services and have the same contract terms. This answer will not satisfy a financial regulator. While financial services are an industry built on trust, that trust must be earned through information and accountability.
Below are some strategies to help ensure an FI can satisfy its compliance obligations when contemplating a cloud-based opportunity:
- Ask for and review the service provider’s policies and standards carefully. They are often presented as a substitute for the FI’s standards (e.g., information and physical security, incident management, business continuity planning, personnel background checks), but they may be written more like aspirational or non-specific statements.
- To the extent the cloud provider cannot or will not permit the FI to directly access sensitive information or environments, utilize trusted third parties that both parties agree to in order to verify the service provider’s standards (i.e., independent auditors).
- If the service provider will not agree to be compliant with the FI’s standards, refer to acceptable industry standards (e.g., ISO or NIST for security).
- Carefully assess whether the FI needs to retain internal functions that are not captured by the cloud offering, which may affect the business case for outsourcing to the cloud in the first place.
Whatever information and answers are uncovered in this process, the cloud provider should make contractual commitments to the standards and processes it discloses to the FI. Ultimately, FIs that ask the right questions, perform appropriate diligence and prepare well for adapting to and integrating cloud-based services, will reap the benefits of their new capabilities faster and with greater ease.