Can banks use cloud services?

The Australian banking regulator (APRA) just released an information paper on 'shared computing services', including cloud computing. Can banks still use cloud services?


1. The banking regulator (APRA) has just released an information paper that deals with this question

Can Australian banks (and other APRA-regulated Authorised Deposit-taking Institutions (ADIs))[1] use cloud services?

APRA has just released a new information paper (Outsourcing Involving Shared Computing Services (including Cloud)) regarding what is required of banks.

The use and processing of data by banks is actually very complicated once we get into the weeds, particularly for global banks that must satisfy all of the applicable regulators in every country where they operate.

And while the information paper is not all that long, it provides quite detailed advice. Even the footnotes have interesting implications for banks. I am just scratching the surface here.

2. Banks must impose protections on suppliers as soon as data leaves bank-run data centres

That being said, APRA's new information paper (Outsourcing Involving Shared Computing Services (including Cloud)) succinctly clarifies that banks must implement appropriate measures to protect data that is hosted and/or processed outside of the bank's internally controlled data centres.

The information paper clarifies APRA's view of when banks must impose the full weight of protections (both technical and legal) on external hosting arrangements. APRA had previously stated that banks must closely monitor the implementation and use of any 'cloud' arrangements. But there seems to have been some confusion about what that covered, because there is no globally accepted meaning for the word 'cloud'.

3. APRA is now avoiding imposing 'cloud' rules because 'cloud' is a marketing term, not a technical term

In the information paper, APRA refers to bank obligations in relation to 'shared computing services' rather than 'cloud' services. As APRA says in the information paper:

The term ‘cloud computing’ is used to describe a broad variety of arrangements.

Some people may think that 'cloud' covers all external hosting arrangements. Others may think that it only covers arrangements where customers sign up with suppliers that offer inadequate legal protections, and/or reserve the right to send (or process) customer data anywhere in the world.

APRA deliberately sidesteps this problem by stating that all 'shared computing services' must be appropriately protected. This explicitly extends to all external hosting services, including arrangements where entire data centres are shared with third parties. In other words, APRA is advising banks to protect this data, and to implement appropriate security protections, no matter how or where the data is stored and processed. That holds even where a bank merely operates its own computer hardware within a data centre that is shared only with other financial institutions that are also regulated by APRA.

4. More critical bank data requires more robust bank and supplier protections

The information paper sensibly states that high-risk arrangements require more protections than low-risk arrangements. For example, APRA states that 'un-trusted' environments (where an APRA-regulated institution is unable to enforce its IT security policy) may have 'heightened inherent risk'.

At the extreme end, APRA refers to 'systems of record' that hold information 'essential to determining obligations to customers (such as customer identity, current balance/benefits and transaction history)'.

But APRA worries that:

In light of weaknesses in arrangements observed by APRA, it is not readily evident that risk management and mitigation techniques for public cloud arrangements have reached a level of maturity commensurate with usages having an extreme impact if disrupted. Extreme impacts can be financial and/or reputational, potentially threatening the ongoing ability of the APRA-regulated entity to meet its obligations.

And APRA then states that:

APRA’s stance aligns with the position of other international financial regulators who also question the appropriateness of transitioning systems of record to a public cloud environment.

5. Has APRA clarified or changed the rules?

This information paper looks a lot like the last round of clarifications to the privacy laws in Australia. Organisations that had construed their privacy law obligations as narrowly as possible needed to scramble to 'uplift' their privacy compliance regimes when the privacy laws were 'clarified'. But organisations that had taken into account the original intent of the privacy laws, and built their processes conservatively, did not need to change their processes much at all.

This is a similar situation. APRA seems to be of the view that it has not imposed new obligations on the banks, but has instead clarified the scope of existing bank obligations (in line with other regulators such as the Singapore banking regulator, which has recently clarified some of its rules in relation to the use of 'cloud' services by Singapore banks).

6. What happens now?

In the information paper, APRA goes into great detail regarding how some financial institutions may have (in APRA's view) failed to implement appropriate external hosting protections. For example, APRA lists the following 'observed weaknesses' in existing bank processes:

  • high-level risk descriptions that lack clarity or are documented as statements of control weaknesses;
  • lack of consideration of critical and/or sensitive IT assets which are accessible from the shared computing service;
  • inadequate consideration of the sensitivity of data (collectively and at the individual field level) when considering implementation solution options for shared computing services;
  • cursory risk assessments which fail to consider specific risks and any changes to the risk profile; and
  • limited due diligence and assurance activities undertaken, with heavy reliance placed on provider attestations and/or usage by other organisations.

The banks will spend the next few months parsing this information paper. And APRA will almost certainly scrutinise closely what each bank classifies as a low-risk arrangement and what it classifies as a high-risk arrangement, to confirm that adequate protections are in place for both.

APRA may also scrutinise how robust banks' internal processes and supplier agreements are when banks use 'shared computing services' to store and process different types of bank data, particularly given that APRA states in the information paper that:

APRA’s review of these arrangements has identified some areas of weakness, reflecting risk management and mitigation techniques that are yet to fully mature in this area.


Footnotes:

[1] In the interests of brevity, in this article I refer only to banks. But this article and APRA's comments also apply to other APRA-regulated Authorised Deposit-taking Institutions (ADIs).

This post originally appeared at iainmclaren.com. These opinions are mine. They are not necessarily those of my employer. And this is not legal advice. Please seek it if you need it.