The cloud is not the future or an emerging trend any more: it is the present and is a critical tool for financial institutions if they are to stay competitive in today’s challenging business environment. In our recent published global paper “Getting Cloud Right – How can banks stay ahead of the curve?” we explained the key components of a successful ‘cloud journey’ and the major steps that need to be undertaken.
In this blog we give some deeper insights into Swiss banking-related regulations on banking secrecy and the supervision of outsourcing.
The diligence of Swiss banks with regard to the privacy of customers is one of the most renowned features of the Swiss economy. Violation of banking secrecy is a crime in Switzerland; therefore Swiss banks must consider carefully potential threats to secrecy from the use of cloud services.
The most relevant regulations outlining a bank’s duties in the area of banking secrecy are:
- Art. 47 of the Banking Act, which states in principle that the disclosure of a secret by directors, employees or other entrusted persons is a crime;
- Art. 398 para 1 in connection with Art. 321a para 4 of the Code of Obligations, which requires banks in a contractual relationship with a customer to treat any secrets as confidential;
- Art. 7 of the Data Protection Act, setting the standards for the protection of personal data;
- Annex 3 to FINMA Circular 2008/21 outlining FINMA’s expectations regarding the protection of customer identification data by Swiss banks.
The essence of these regulations is that the use of cloud services by a bank can comply with Swiss banking secrecy, provided that the bank assesses carefully the technical, organisational and contractual framework put in place before using cloud services for the storage and processing of customer data. In particular, as explained in detail by the SBA Cloud Guidelines, there is no need to ask the client for a waiver of the banking secrecy rules as these will be maintained – in some cases possibly even more so than before – when a bank sets up an appropriate security framework for the use of cloud services.
According to the FINMA Outsourcing Circular (in particular Notes 24 and 25) a bank must continuously monitor and assess the services of an outsourcing provider, and for this purpose must establish contractual terms for the necessary inspection, instruction and control rights.
Considering the size and complexity of a hyper-scale cloud provider, a typical Swiss bank cannot perform this duty of supervision without professional support from a trusted third party that has the global presence, expert skills and capacity to perform such a task. In order to establish an economically feasible assurance framework, the trusted third party will itself rely largely on assurance work already performed by equally qualified independent advisers of the outsourcing service provider. The SBA Cloud Guidelines support this approach of ‘pool audits’ or ‘indirect audits’ and express the view that the need for on-site audits performed by the bank itself is limited to the inspection of physical security measures.
Providers of hyper-scale cloud services are fully aware of the expectations of clients with a (Swiss) banking licence and will offer proactive support to a prospective client in establishing such a regulatory compliant framework. The same applies to assurance providers with the necessary global scale and experience to offer trusted third-party services to banks.
Swiss banks rightly worry about how to put appropriate supervision in place when outsourcing their business processes to global hyper-scale cloud providers. These concerns can be mitigated by relying on a qualified trusted third party that has the skills and capacity to provide the necessary level of assurance.
From a legal perspective a transfer of banking activities to the cloud is generally acceptable. Before launching your ‘cloud journey’, however, it is advisable to consider further aspects. In our next blog we shall provide insights into two globally driven regulatory aspects: the GDPR and the US CLOUD Act.