Technological innovations based on digital data promise to push the boundaries of financial inclusion. For example, financial institutions are offering digital credit and mobile insurance to people who have never used financial services by analyzing social media, mobile phone and other alternative data. What does cloud computing have to do with this? A lot, actually, as it is a technological solution that supports the collection, analysis and storage of data needed for such financial innovations. With financial regulators under pressure to set the rules for cloud computing, they should aim to better understand, and react proportionally to, the benefits and risks posed by the cloud.
What is cloud computing and why is it important for financial inclusion?
The European Banking Authority defines cloud computing as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” Cloud infrastructure is thus offered by third parties and may be available for the public to use (public cloud). Alternatively, it may be limited to a group of institutions (community cloud) or a single institution (private cloud). Or it may be some combination of these uses (hybrid cloud).
By pooling resources, cloud providers allow financial institutions to avoid heavy investments that would otherwise be needed to store, manage and process data. Instead, the cloud provider does that for them over the internet. This can benefit even small companies, given the minimum costs and managerial efforts involved. Cloud computing also offers mobility, flexibility and scalability that impacts product design and delivery, and ultimately lowers entry barriers for new financial institutions and creates opportunities for incumbents. It can also improve financial institutions’ ability to identify, assess and mitigate risks. These are important benefits for any financial institution aiming to offer innovative, cost-effective and customer-centric products and services to unserved and underserved consumers. Not allowing cloud computing or overly restricting its use may keep the market from enjoying such benefits.
But the cloud also comes with risks. Notably, there are data security and privacy risks. As with any kind of outsourcing, compliance risks are present too because the financial institution loses some control over and visibility into risk management. The risk level depends on the cloud services contracted. For instance, a private cloud may mitigate risks but can be more expensive than a public cloud. There is also fear that the cloud might reduce a financial supervisor’s ability to access data or inspect the cloud provider’s facilities. Furthermore, there are concerns that personal data could be accessed by the foreign governments of the countries where the cloud provider is based.
How should financial regulators respond to the risks and benefits of cloud computing in emerging markets?
Regulators should balance these benefits and risks and respond proportionally. On the one hand, a number of regulators and supervisors are taking an over-zealous approach that could stymie innovation, including by imposing one or a combination of the following measures:
- Data localization rules that restrict transnational data flows
- Prohibition from using the cloud even for noncritical data or functions
- A requirement to replicate all cloud data on in-country infrastructure
- Detailed system, infrastructure or encryption specifications that may quickly become outdated
- Regulatory authorization prior to any cloud outsourcing, regardless of its materiality (i.e., how critical the outsourced activities or functions are); for instance, using the cloud for communications tools such as emails may not require prior authorization
- Local staffing and data center requirements on the cloud provider
Some of these limitations may end up increasing risks. For example, requiring financial institutions to use the same few domestic cloud providers leads to a concentration of risks. Even when regulations do not explicitly limit the use of cloud services, limitations may be imposed through supervision.
On the other hand, some developed jurisdictions like the United Kingdom and emerging economies like Brazil are evolving to balance the risks and benefits of cloud services. Balanced approaches focus on setting general requirements for material cloud outsourcing — that is, outsourcing the execution of critical services or functions that, if disrupted, would threaten an institution’s ability to meet obligations and continue operations. These approaches may include mandating regulatory authorizations prior to material cloud outsourcing and regulatory requirements regarding:
- The integrity, traceability and security of data at rest, in transit and in memory or use
- Data protection and privacy (e.g., requiring providers to be based in jurisdictions with strong privacy and confidentiality rules and to follow general encryption standards)
- Performance levels, liabilities and other aspects of cloud contracts
- The supervisor’s right to audit cloud providers’ premises and data
- Due diligence of cloud providers
- The financial institution’s responsibility for regulatory compliance
- Contingency plans, business continuity and exit strategy
- Subcontracting by the cloud provider (chain outsourcing)
- Reporting obligations
The European Banking Authority’s guidelines illustrate a risk-based approach that allows regulated financial institutions to use different cloud arrangements while adhering to specific requirements for material cloud outsourcing. A sign of the impact of this approach is that some large banks are moving even their core banking systems to the cloud, something that regulation did not allow previously. Some of the requirements placed on financial institutions, such as giving financial supervisors access and auditing rights, may prove challenging for financial institutions to meet and for authorities to enforce when large, non-European cloud providers are used. Authorities may need to actively engage in interinstitutional collaboration arrangements that facilitate cross-border sharing of regulatory or supervisory information, auditing of foreign cloud providers or indirect access to cloud providers’ data.
The Australian Prudential Regulation Authority (APRA) is another example of a risk-based approach. It has gone from having reservations about cloud computing in 2015 to having a balanced stance in 2018, even recognizing that some companies may adopt a “cloud-first” model in which cloud solutions are prioritized over or replace traditional approaches to acquiring IT infrastructure. Another example is the Central Bank of the Philippines, which issued proportionate cloud outsourcing guidelines in 2013 and then applied a risk-based approach to allow the first rural bank to use community cloud services for its core banking platform in January 2019, following an 18-month pilot exercise.
What should financial regulators do when laws are not cloud friendly?
Naturally, cloud use is affected by rules outside the financial regulator’s remit, such as general data privacy laws. Emerging economies vary widely in their level of preparedness for cloud services based on their overall legal and regulatory framework. When a country’s nonfinancial regulations, laws or policies are unfriendly toward cloud use, financial regulators should include reform in national financial inclusion strategies, financial sector development policies or other interinstitutional efforts, and play an active role in their implementation by coordinating efforts, promoting public-private sector dialogue and championing legal reforms.
2018 BSA Global Cloud Computing Scorecard: Results for Emerging Economies
The status quo isn’t risk-free either
Financial regulators and supervisors should not hinder or stop innovation. They first need to adapt and improve their ability to monitor and understand risks associated with innovation. Then, they should ensure that regulated entities adequately manage such risks, using a proportionate regulatory and supervisory approach, following the example set by the European Banking Authority and others. The members of the Alliance for Financial Inclusion have already committed to reviewing their regulations to allow inclusive fintech, so now is an opportune time to assess whether they are imposing undue obstacles to safe cloud computing.
As APRA chairman Wayne Byres has noted, “cloud usage is not without risk – but nor is the status quo.”