The devil is in the detail
Financial services organisations are warming to cloud computing, despite the regulatory hurdles. Lawyer Andrew Scott explains what to watch out for.
At the end of October 2007, amid a blaze of publicity, Microsoft launched Azure, its cloud computing service. It offers customers the ability to deploy applications across the internet - or 'the cloud' as it is has become known - or on servers located on the customer's site, or via a combination of the two.
In doing so Microsoft is responding to the competitive challenges put down by Amazon, Google and others who offer similar products.
The essence of cloud computing is the delivery of software as an on-demand service, which is available without the customer's involvement with or control over the underlying IT infrastructure.
Despite the idea being around for a while - software as a service goes back to application service providers and their numerous similarities with outsourcing - selling cloud computing to financial services firms could seem problematic. The sector is renowned for its reluctance to give up control over operations, which is exactly what is involved with the cloud. Added to this is a mountain of regulation.
However, early indications are that FS organisations are warming to cloud computing. The technique of converting remote servers into shared resources is being applied by Merrill Lynch to create an energy-saving risk management platform, and Wall Street's new hosted Electronic Settlement Network offers pay-as-you-go FX trade processing.
The question is whether - and if so, how - cloud services can be made compliant without losing their benefits: the speed of accessing applications and the ability to link cost to use.
Application of regulations
At the most basic level the procurement of a cloud service is like any other, and firms must assess the operational risk and compliance implications as they do any other product. Weaknesses that may be associated with a cloud service and which would warrant particular attention include security, restrictions on access to data (whether by the firm or regulators), connectivity and the firm's ability to retrieve data and transfer to an alternative solution at the end of the service.
This is not to say regulations will undermine cloud computing but rather firms will need to pay particular attention to the need for controls that will help to prevent system and process failures, or to implement measures that will enable prompt rectification of a problem and continuity of operations in the event of an outage.
The lack of transparency associated with the cloud poses a significant issue in terms of compliance with privacy and data protection requirements. It is not possible under European data protection rules for a firm that processes personal data in the cloud to give up all control over the processing by the service provider.
Although most of the processing will be carried out by the firm (i.e. where the applications within the cloud are used by the firm's end users), tasks such as hosting, storage and back-up are likely to be performed by the service provider, who (to that extent) will be considered a 'data processor' for data protection purposes.
Three areas need to be considered. First, the features of the service must enable the firm to comply with data protection regulations. For example, there may need to be access controls, data may need to be encrypted, and data fields restricted in order to minimise the capture and retention of data. In this context the UK Information Commissioner's Office has published a paper entitled Privacy by Design, which advises developers to specify privacy enhancing technologies in the design of off-the-shelf systems.
Secondly, the engagement of the cloud service provider must include terms requiring appropriate organisational and technical measures to be taken against unauthorised or illegal processing of, or the loss of or damage to, the personal data. In practice this means the firm must be satisfied with the service provider's standard offering - and reflect this in the contract - or agree specific arrangements (although where these are necessary they may well rule out the cloud as a service).
Thirdly, the firm must know where the data is processed in order to determine whether the rules on the adequacy of the data's protection abroad will apply, and if so, the way in which the firm will comply.
Due diligence and contractual protection
Although the usual forms of protection in IT service contracts are equally applicable to cloud services, developments are taking place in the cloud community which may assist firms meet these legal challenges.
A set of principles designed to protect customers is being promoted - the so-called 'Cloud Computing Bill of Rights'. This document provides a useful checklist of protection with which to benchmark a supplier's offering and to ensure what is provided in the contract. Relevant 'rights' in the present context include: the location of systems and data must be made available to users; the mandating of interfaces that ensure access to data; and access to systems must be available in a secure fashion.
Although care will be needed to ensure that the particular issues associated with the deployment of cloud computing are resolved, there is no reason to believe that regulations will pre-empt its use in the financial services sector.
Firms will need to select with caution the applications to be sourced through the cloud, conduct appropriate due diligence on the supplier's offering, and ensure the contract contains sufficient protection. However, as always, the devil lies in the detail.
Andrew Scott is a partner at law firm Dickinson Dees LLP