John Salmon explains that EU initiatives on cloud computing don’t really solve the problems with adoption by the financial services sector
The European Commission's recent unveiling of its cloud computing strategy has done little to help the financial services sector, because it avoids the key issues that are holding back the take-up of cloud solutions.
Neelie Kroes first got us thinking, indicating to the German news outlet Deutsche Welle that 'the main thing is the economy', that 'there is nothing wrong with business' and that the savings to be made from a strategy of greater take-up of cloud solutions in Europe are 'no coffee money' (see http://www.dw.de/dw/article/0,,16269684,00.html).
While the Commission's 'Unleashing the Potential of Cloud Computing in Europe' communication sets out more detail, it provides no immediate solutions for regulated industries. The communication mentions the word 'audit' only once and while the issue of data location is raised as an area of concern for which 'actions are needed', it is not otherwise commented on. Applicable law is referred to in passing but no mention is made of what an organisation should do when faced with conflicting demands from EU and foreign regulators in respect of the same data.
This is not great news for the financial services sector. With recent reports of Martin Wheatley stating almost every other day that the Financial Services Authority (FSA) is, and the Financial Conduct Authority will be, 'targeting' some practices while 'cracking down' on others, there is little prospect of the UK regulators interpreting auditing obligations broadly enough to enable full cloud take-up.
It seems that the consensus among financial regulators across Europe is that the Markets in Financial Instruments Directive (as amended) (MiFID) ties their hands in respect of cloud auditing requirements, at least for organisations bound by it. As a consequence, the FSA must follow suit in its interpretation of the Senior Management Arrangements, Systems and Controls sourcebook (SYSC).
MiFID states that investment firms must, in respect of the outsourcing:
'of critical or important operational functions or of any investment services or activities ... take the necessary steps to ensure that ... the investment firm, its auditors and the relevant competent authorities must have effective access to data related to the outsourced activities, as well as to the business premises of the service provider; and the competent authorities must be able to exercise those rights of access.'
The EU's strategy could have stated that 'effective access to data' may not in all circumstances be taken to mean that a customer must be able to detail the exact location of data at all times. It also could have questioned whether 'effective access to business premises' requires physical inspection. Had the Commission taken this approach, it could have gone a long way to achieving its stated purpose of moving European markets, especially financial ones, towards becoming 'cloud-active' (as the communication put it).
Interestingly, on the same day on which the Commission brought out its content-light communication, the Information Commissioner's Office (ICO) made specific comments on independent third-party certification regimes and cloud services in a new guidance note.
The ICO reminded cloud customers to be strategic in their decision-making and to think about which categories of data can migrate to the cloud now and over which categories question marks still remain. The ICO also acknowledged that 'one of the most effective ways to assess the security measures used by a data processor would be to inspect their premises', but also that 'this is unlikely to be practicable for various logistical reasons'.
In endorsing a solution, the ICO stated that 'One way for cloud providers to deal with this problem would be for them to arrange for an independent audit of its service and to provide a copy of the assessment to prospective cloud customers'.
While this does not overcome the difficulties financial institutions face in respect of data processing activities subject to MiFID and SYSC, it is a definite step in the right direction.
This article was first published on Out-Law.com, the legal news and insights platform provided by Pinsent Masons.
John Salmon is a partner at Pinsent Masons and Sector Head of its financial services practice.