'Use by Banks of Cloud Computing: An Empirical Study' (Queen Mary School of Law Legal Studies Research Paper No. 245/2016) by W Kuan Hon and Christopher Millard
explores
the extent to which public cloud computing is in fact being used in practice by banks operating in the EU, including global banks. It is based primarily on anonymised interviews with banks, cloud providers, advisers, and financial services regulators. This paper describes how banks are using cloud computing and their key drivers (such as time to market), as well as real and perceived barriers (such as misconceptions about cloud, and financial services regulation), including cultural and technical/commercial as well as legal/regulatory aspects. It summarises how banks and regulators have approached the cloud, as well as how cloud providers have approached the banking sector.
Specific consideration is given to barriers arising from banking regulatory rules on outsourcing, critical or material, and the contentious issue of contractual audit rights for regulators. The paper also analyses legal and practical issues such as risk assessments, security, business continuity including exit plans, concentration risk and bank resolution, continuing regulatory oversight, banking secrecy laws, barriers under data protection law including personal data export restrictions, problems arising from layered service models where SaaS services are built on another provider’s IaaS/PaaS service, and commonly-negotiated contractual provisions regarding termination, service changes and liability.
The paper concludes that, while some barriers are internal and some external, cloud is still misunderstood, and further educational efforts are needed to ensure regulatory approaches and guidance are sufficiently cloud-aware to strike the appropriate balance between risk management and efficiency/innovation across the European Economic Area.