ASIFMA (Asia Securities Industry and Financial Markets Association) released a new paper on public cloud regulation, putting forward principles that aim to promote discussion between financial institutions, cloud service providers, and regulators. This paper was written by ASIFMA’s cloud taskforce with input from public cloud providers and focuses on regulation where the cloud infrastructure is provisioned for open use by multiple organizations.
“Cloud computing is rapidly becoming the norm for IT processing and data storage solutions as it is an adaptable and versatile way to consume a range of IT services,” says Laurence Van der Loo, executive director of Technology & Operations at ASIFMA, in a statement. “The use of public cloud brings significant benefits to the financial services industry in the areas of risk mitigation, innovation, cost savings and productivity gains, although it has also been of particular interest and regulatory scrutiny due to the differences associated with public cloud versus other models.”
The adoption and implementation of public cloud by financial institutions can be complex due to conflicting regulatory requirements across jurisdictions. ASIFMA therefore argues that regulators should promote a consistent and globally aligned framework for public cloud regulation. Divergent regional approaches still pose significant challenges to financial institutions trying to implement public cloud as part of a global strategy. For example, a limitation in one region may make it impossible to deploy a global process to a particular service provider. Beyond defeating the business case for such activities, fragmented regulation could increase cybersecurity risk by forcing a more decentralized environment that must be safeguarded, which inhibits central oversight and information sharing across borders.
Whilst authorities and regulators acknowledge the advantages public cloud can bring, they are also concerned with concentration risk, data access, cybersecurity and resilience. ASIFMA argues that the most effective way for regulators to address these concerns is by adopting a technology-agnostic, risk-based and principle-based approach when implementing public cloud regulation.
“Since we expect cloud technology to become the norm in the future, it is essential that regulators do not stifle technological innovation so that the financial services industry can maintain a competitive edge. Therefore, using a technology-agnostic, principles-based approach will prevent regulation becoming stale as technology changes and avoids the need to fine-tune/add on adjuncts which can lead to overly complex regimes,” said Van der Loo.
In a public model, cloud infrastructure is provisioned for open use by multiple organizations. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the Cloud Service Provider (CSP). Whilst all cloud models and services are important for financial institutions (FIs), the use of public cloud is of greater interest and scrutiny within the industry today largely because of the increasing adoption of public cloud within the industry (both by FIs and their third-party providers), and the differentiators associated with public cloud versus other models (private cloud or traditional on-premises IT).
Shared responsibility model
Public cloud changes how responsibilities are divided between FIs and CSPs in areas such as management of data centres and infrastructure (e.g., servers), security (e.g., data access), and risk and compliance (e.g., the applicability of regulatory requirements). Under what is known as the ‘shared responsibility model’, both the FI and the CSP take responsibility for activities, such as security and compliance, that are required to run a public cloud service.
The CSP manages elements such as the provision of servers, networking, and data centre facilities, whilst the FI is responsible for aspects such as customer data, security, application management and user access. This model can also extend to sharing responsibilities for IT controls and risk management requirements (for example, each party owning and managing the access controls for the areas it is responsible for). Nevertheless, the shared responsibility model does not allow FIs to transfer their ultimate accountability to CSPs: the ultimate liability for any FI activity always remains with the FI.