In order to keep up with the regulatory framework, in a time of technology paradigm shift, regulated entities are moving away from traditional compliance methods and considering newer, more innovative technology to assist in managing compliance requirements. This applies especially in relation to data storage.
Cloud services allow regulated entities to swap fixed capital expenses for variable expenses that are tied to additional revenue. The on-demand structure encourages new development – be that new services or meeting regulatory requests – as the running costs are directly proportional to the usage.
Current models require firms to anticipate demand and dimension their environment accordingly, covering the range from hardware and operating systems to staffing for operation and maintenance. One area that has seen a significant increase in adoption by financial institutions in recent years is cloud-based services. However, regulators have remained concerned, particularly with regard to data security.
The UK's Information Commissioner's Office defines a cloud service as providing access to computing resources, on demand, via a network. These services are typically the product of a large pool of IT resources provided to numerous users via the Internet. The cost and quality implications of the resulting economies of scale have resulted in cloud services being a viable, and often beneficial, IT option for sophisticated corporates and financial services institutions.
The cloud services market is generally comprised of three broad categories:
- Software as a Service (SaaS) – This is the provision of services such as email, office applications and customer relationship management systems, via the Internet.
- Platform as a Service (PaaS) – This is the delivery of an IT environment via the Internet, which can be used to run applications.
- Infrastructure as a Service (IaaS) – This is the provision of IT resources such as storage or processing. Usually this is in the form of a virtualised environment, which gives users access to part of a pool of computer services.
Alongside the benefits of the cloud come particular risks, which differ from those associated with traditional outsourcing arrangements. These risks primarily affect the degree of control over the service enjoyed by the user. As a result, proposals for cloud services need to be analysed to ascertain their compliance with outsourcing and data security rules issued by financial services regulators as well as data protection requirements.
Financial institutions have been subject to regulation for many decades, but in recent years – particularly following the 2008 financial crisis – the number of regulatory obligations placed on firms has increased not least in relation to data and information. Now more than ever, firms are required to record, report and retain more and more data in order to comply with prescriptive rules.
The upcoming Markets in Financial Instruments Directive and Regulation (MiFID II and MiFIR) and the established European Markets Infrastructure Regulation (EMIR) provide a good illustration of the challenges firms are facing in meeting, in particular, data gathering and reporting obligations.
MiFID II contains a vast number of detailed record-keeping requirements. For example, under MiFID II, firms must record any communications intended to result in a transaction, including both verbal and electronic communications. Other requirements include retaining records of software changes in algorithmic trading; keeping order records in high-frequency trading; and keeping records of compliance self-assessments at trading venues. In all cases, the institutions are required to keep the records for five years.
EMIR requires, amongst other obligations, that derivative counterparties and central counterparties (CCPs) report details of concluded transactions to a registered trade repository and keep a record of such a derivative contract for at least five years following the contract's termination. For CCPs, such as Nasdaq Clearing, this is just one of a number of record-keeping requirements that require retaining huge numbers of reports for a substantial period of time.
Using the Cloud – Regulatory considerations
In order to help meet these new regulatory requirements, firms are turning to cloud services. As with any new development, understanding any direct or indirect legal implications is important. With respect to utilising cloud technology, there are a number of legal considerations including, but not limited to, data protection and regulatory considerations.
Data protection considerations
Adequate data protection is undoubtedly of paramount importance to an institution considering cloud services. That said, its risk profile in the eyes of regulators has decreased, as the understanding of the technology has increased, over the last five years in some key markets such as the UK.
The Information Commissioner's Office and the Financial Conduct Authority have both published guidance on cloud computing during this time. Both encourage the innovation heralded by the provision of cloud services and conclude that, provided institutions implement the necessary risk-management measures, there should be no reason why cloud computing should impose a prohibitive data protection risk. The European Banking Association has also consulted on recommendations on outsourcing to the cloud. As use continues to grow, it could be envisaged that regulators too will want to use the cloud for storing information.
These measures should include carefully considering the terms and conditions imposed by the cloud provider, conducting a thorough risk analysis prior to the use of cloud services, identifying exactly what personal data will be transferred to the cloud, and ensuring the cloud provider's data security provisions are adequate.
Many firms look to third parties to provide services to manage information. When doing so, it is important that firms consider any prescribed outsourcing rules and guidance – both EU-wide and national – and any other rules that detail standards firms should set with respect to service providers.
Utilising a third-party cloud storage offering is likely to amount to outsourcing in the eyes of regulators, at least if it is close to the regulated services, and therefore firms need to consider outsourcing rules. Generally, these rules require firms to have a well-documented agreement in place, to have adequate oversight of and access to the service provider, and to have contingency and business continuity plans in place.
It is of the utmost importance to remember that firms cannot outsource their regulatory obligations and will remain responsible for compliance. Firms must therefore ensure that a third-party cloud service not only meets outsourcing requirements, but also meets regulatory requirements on an ongoing basis.
The rights of a regulator should also not be forgotten. Many regulators possess rights of audit in respect of compliance arrangements and may request to see, understand and verify a firm's compliance with rules and regulations.
The use of cloud-based services by the financial sector is likely only to increase in pace, as service standards increase and regulators become more comfortable with these arrangements. However, there remains a regulatory burden and firms will need to determine how to comply with long-established regulatory requirements based on the analogue era.
Andreas Gustafsson is Chief Counsel Europe, Nasdaq & Jimmy Kvarnström is Deputy Chief Counsel Europe, Nasdaq