Quick Reads

PRA to further scrutinise cloud computing in 2022

The Financial Times reported that UK financial regulators are preparing to step up scrutiny of cloud computing providers “amid growing fears that an outage or hack of their services could severely disrupt a banking system increasingly reliant on them”. According to the article, the UK’s Prudential Regulation Authority (PRA) is considering a discussion paper with the FCA and the Bank of England in 2022; this joint approach is consistent with its previous initiatives on operational resilience. The discussion paper would explore the operational risk consequences of UK regulated financial institutions increasingly relying on cloud-based services, particularly from a small number of hyperscale cloud providers.

The risk of concentration of services in a handful of IT service providers has been well known for many years, so it is no surprise that the regulators should look at this in more detail, and specifically for cloud. Cloud operators, because of their scale and high technical proficiency, generally offer very high degrees of resilience for their services, distinguishing clearly between the areas for which they are responsible (what Amazon calls “security of the cloud”) while leaving their customers responsible for taking appropriate security measures with regard to data and other security obligations “in” the cloud. However, as the Bank of England’s Financial Policy Committee noted in its minutes from September 2021 (referenced in the FT article), “additional policy measures, some requiring legislative change, are likely to be needed to mitigate the financial stability risks stemming from concentration in the provision of some third-party services. These policy measures should include: an appropriate framework to designate certain third-party service providers as critical; resilience standards; and resilience testing.”

Since the consolidation of the FCA outsourcing guidelines, under which cloud computing was brought together with other forms of outsourcing, most notably in the European Banking Association’s outsourcing guidelines issued in 2019, cloud has not been treated separately for outsourcing purposes. Other financial services sectors such as insurance are following suit. At the time of the consultation on the outsourcing rules, cloud providers had originally suggested in their responses to the draft guidelines (see in particular page 81 of the final guidance, where the responses received are specifically analysed) that a lighter framework be created for outsourcing to “multi-tenant service providers”, given their standardised services. Operators argued that standardised services cannot comply with all regulatory requirements and therefore require a proportionate approach to specific issues such as access and audit rights, which could be managed on the basis of public certifications rather than detailed access rights. At this point the EBA took a strict line, and stated clearly that “institutions should comply with all regulatory requirements, including with regard to their outsourced functions, independent of the fact that they may be standardised or provided by monopolists”. As such, the obligation has been on financial institutions to ensure compliance with outsourcing regulations, and with recently introduced operational resilience requirements, but the scale and speed of the move to cloud and the subsequent focus on operational resilience have prompted further review.

Most hyperscale cloud providers have been less willing to accept specific, individually tailored flow-down terms from the regulated firms’ legal contracts, relying instead on standardised agreements and industry-tailored contract addenda or “patches” which enable firms to assess compliance with regulatory requirements, in particular in relation to audit rights, access to data and other regulatory obligations. It has been a more difficult job for firms to address legal limitations of liability and comprehensive service credit coverage, but arguably these are less important than fully worked operational resilience strategies with regular testing, both of individual services and on a more systemic basis. Firms have also had to determine whether they are able to require the cloud operators to comply with more individually tailored contract flow-down requirements, and it will be interesting to see if this is addressed in the discussion paper.

On the basis of the current reporting, there is no indication that the cloud providers will be directly regulated, although the paper will give an interesting insight into the specific concerns of the UK regulators post-Brexit, and into alignment with other regulators, particularly in the European Union and the USA, where firms need to ensure as standardised an approach to risk as possible irrespective of jurisdiction.

The seven biggest banks in the UK are all heavily using cloud, and we are all invariably going to the same three or four suppliers that they don’t directly regulate.
