Are you Banking on the Cloud?
Mark Weston, Partner and Head of Information Technology, Intellectual Property and Commercial at Hill Dickinson, discusses the risks and legal concerns inherent in the financial industry's use of cloud services
You have some family jewels that you want to keep secure - but you have no safe at home in which to keep them.
So you give those jewels to a local safe deposit registry on your (upmarket!) high street to keep them in a safety deposit box. What you don't know is that this local safe deposit registry outsources its operations to Unknown-Security Ltd. So all the premises and boxes and access rules are actually run by Unknown-Security Ltd - but you don't know that because, as far as you are concerned, you are dealing with your trustworthy local safe deposit registry.
But what if the local safe deposit registry goes bust? Can you get your jewels back easily from Unknown-Security Ltd with whom you do not have a contractual relationship? What if your local safe deposit registry is fine but Unknown-Security Ltd goes bust or gets broken into? What has happened to your jewels? Or what happens if Unknown-Security Ltd goes into business on its own account, competing with your local safe deposit registry? What happens to the service (and safety) you were expecting to receive?
That's the fiction. Now the facts.
Your family jewels are your personal data and financial information about you - including your bank details, amounts in your accounts and details of your take-home pay. Your local safe deposit registry is in fact your high street bank. And Unknown-Security Ltd is in fact a cloud provider used by your high street bank. Now go back and re-read the opening paragraphs of this article - and you immediately see the problem.
The increasing use of cloud providers by banks has attracted the attention of regulators, particularly in a market where those cloud providers (such as Amazon or Google) are increasingly looking to offer banking and quasi-banking services such as payment services.
For reasons of expediency, efficiency and cost-saving, many banks and payment providers have for some time been making increasing use of third-party cloud services to host and process financial and banking information and data. Those third parties are often major players like Amazon, Google and Microsoft.
And, like banks, those third parties are increasingly being subjected to hacking attacks, denial-of-service attacks, fraudulent attempts to obtain data and many other data-related attacks. Yet they are not banks and are not regulated in the same way as banks, particularly in terms of customer protection and security. Even the regulators of banks are increasingly using the cloud; for example, Amazon's impressive client roster includes the US Financial Regulatory Authority!
Furthermore, the EU recently introduced "open banking" regulation - which makes lenders provide access to a customer's account if a customer allows this - despite the concern that cloud operators who start to offer payment services will simply sweep up the best parts of a bank's business. Those tech operators are light years ahead in terms of using AI and machine learning to deal with a lot of this data - and are unregulated by financial services law.
Perhaps Data Protection Law can help manage some of this risk. The new General Data Protection Regulation (GDPR), in force as of 25 May 2018, was passed for many reasons, one of which is to regulate the exponential growth in data passed around and resolve questions of who is doing what, to, and with, it - and to let customers know.
A bank is a "data controller" because it deals with the financial information about people and determines how and why it does this. A cloud provider to a bank is a "data processor" because it deals with that information on behalf of the bank but cannot (or by law should not) do anything with that information on its own account.
One of the main protections in the GDPR is that it makes a data controller (the bank here) responsible for the activities of any data processors (the cloud provider here). Any contract with a cloud provider needs to contain certain protections for the individual whose data is being processed - and those are set down by law. Also, if the cloud provider is out of the EU, there are usually further direct legal rights a customer will have against the cloud provider.
Banks need to verify who they are using to process data for them, and to get this right, because breaching the GDPR carries a new maximum fine of the greater of €20 million or 4 per cent of annual global GROUP turnover. That's serious cash - even for a bank.
Perhaps data law will bring back home the responsibility of banks for cloud providers. Let's see how it works in practice, particularly as we increasingly bank on the cloud.
Mark Weston is Partner and Head of Information Technology, Intellectual Property and Commercial at Hill Dickinson