Banking going to Cloud – International Regulations - Banking blog

Cloud part 2
In our recent published global paper “Getting Cloud Right – How can banks stay ahead of the curve?” we explained the key components of a successful cloud journey and the major steps that need to be undertaken.
In this blog we give some insights on international regulations that may impact the use of cloud services in Switzerland – the US CLOUD Act and the General Data Protection Regulation (GDPR).

Cloud regulatory part IIThe US CLOUD Act

The US has come up with a law called the CLOUD (Clarifying Lawful Overseas Use of Data) Act that requires US cloud storage providers to give government authorities access on request to stored data wherever in the world it is stored, even inside Switzerland. In theory, this would enable US authorities to request the extraction of data from the Swiss subsidiary of a US domiciled group, even if the data is stored in Switzerland. However a subsidiary of a US-based group that complies with such a request without regard to the local laws that prohibit the handover of data to foreign authorities without authorisation of a competent Swiss court or Swiss authority will most likely violate Swiss law. The data belongs to the bank, not to the cloud provider, and a legal entity domiciled in Switzerland must first and foremost comply with local law and not with orders issued by authorities with competence over a foreign parent entity.

It goes without saying that a Swiss bank can only rely on cloud service providers that adhere fully to the applicable Swiss laws (or the laws of the jurisdiction where the data is stored, in line with the contractual provisions). The SBA Cloud Guidelines therefore recommend to put in place a coordinated procedure agreed by the cloud provider and the bank in case of requests from foreign authorities.

To provide some needed clarification to the rationale behind the CLOUD Act, the US Department of Justice (DoJ) in April 2019 published a white paper “Promoting Public Safety, Privacy, and the Rule of Law Around the World: The Purpose and Impact of the CLOUD Act”. The white paper explains that the CLOUD Act was enacted to fix the conflict of laws that affect Mutual Legal Assistance Treaties and impede effective access to evidence hosted on the cloud in cases of serious crime, however while still respecting national sovereignty and personal data privacy.

In order to achieve this purpose, the CLOUD Act authorises the United States government to enter into so-called “CLOUD Act Executive Agreements” with foreign jurisdictions, under which each country removes barriers arising from a conflict of laws that would create an obstacle to compliance with foreign-issued court orders to obtain evidence from data hosted on the cloud. Of particular interest to Swiss and European companies is the explanation in the white paper about US jurisdiction over foreign companies. The white paper insists that US jurisdiction over foreign companies has not been extended by the CLOUD Act. “Whether a foreign company located outside the United States but providing services in the United States has sufficient contacts with the United States to be subject to U.S. jurisdiction is a fact-specific inquiry turning on the nature, quantity, and quality of the company’s contacts with the United States.”

The fact that the DoJ made a significant effort to explain the reasoning behind the CLOUD Act, and highlighting that US jurisdiction is by no means expanded by it, is an important signal. It shows that the opinion often expressed, that the CLOUD Act makes it impossible for banks to use the services of US-headquartered cloud provider, is not correct. While international legal assistance in cases of crime will most certainly be facilitated by the CLOUD Act, there is still the requirement for a suspicion of a serious crime and a judicial decision before US authorities can reach out for data under the CLOUD Act. This means that the area for legitimate concern about the CLOUD Act is rather narrow and should be considered like any other aspect in a proper cross-border risk assessment.

In any case, a bank is generally able to prevent unauthorized access to customer data by using technical measures such as anonymization, pseudonymisation or encryption of data. These measures, together with the legal and contractual framework mean that the risk from foreign authority data requests, e.g. based on the US CLOUD Act, can be mitigated. Furthermore, an official request for administrative assistance from the involved authorities is mandatory in any case.

Cloud regulatory part II a General Data Protection Regulation (GDPR)

The European Data Protection Board’s Guideline 3/2018 clarifies the scope of Article 3 of the GDPR by stating that if a data controller outside the territorial scope of the GDPR uses a data processor in the EU, the data controller does not come within the scope of the GDPR. The GDPR will however apply to the data processor to the extent that it is processing personal data as part of its services.

This means that the requirement to implement the GDPR does not extend to a Swiss bank (or any other non-EU resident bank) simply because it is using an EU-domiciled cloud services provider. On the other hand, many Swiss banks fall still within the scope of GDPR, because they serve customers resident in the EU.

In this context, it is worth mentioning that on 25 February 2019 the European Banking Authority (EBA) published its Revised Guidelines on Outsourcing Arrangements, with the aim of harmonising the outsourcing framework for all financial institutions within the scope of the EBA’s mandate. Affected banks will have to complete all outsourcing arrangements in line with these Revised Guidelines by 31 December 2021.

The EBA Guidelines state that outsourcing arrangements with cloud services providers must ensure that:

APersonal data are adequately protected and kept confidential, and that outsourced cloud infrastructures and services meet internationally-accepted security and data  protection standards;

B Business continuity and contingency plans have been devised. As consequence some cloud services providers might even be deemed critical or important in accordance with PSD2 or MiFID II;

CAppropriate traceability mechanisms are in place, aimed at recording technical and business operations. As the performance and quality of the outsourced cloud services, as well as the level of risk, depends largely on the ability of cloud services providers to protect the confidentiality, integrity and availability of data, and of their systems to process, transfer and store such data, tracing operations are also important for detecting and preventing cyber attacks;   and

DEU Directives, national laws, and contractual obligations are respected. Despite the Revised Guidelines, institutions should continue to respect local regulations in which the outsourced cloud infrastructure or service has a footprint, as well as the applicable law in the country of origin of the cloud service provider.

In addition cloud service providers must notify outsourcing institutions when sub-outsourcing critical or important function to third party providers. Furthermore, if this involves personal data, consent should be obtained before proceeding with sub-outsourcing, in line with GDPR rules.

Governance is a key point addressed by the Revised Guidelines. This should be structured so that bank have a holistic, institution-wide framework enabling them to make sound management decisions concerning risk management, including measures with respect to cyber risk. Such a risk management framework should include:

  1. Responsibility and accountability of management;
  2. Approved outsourcing policies in line with the EBA’s Guidelines on Internal Governance;
  3. Assessment, identification and management of conflicts of interest;
  4. Creation and adoption of business continuity plans;
  5. Internal auditing of outsourced functions; and
  6. An updated register of information on all outsourcing arrangements, which in the case of cloud arrangements should reflect the type of cloud service and deployment models (e.g. public, private, hybrid, community), as well as the specific nature and location of the data that will be processed and stored.

With the EBA’s Revised Guidelines on Outsourcing Arrangements, an important step has been taken by the European Banking Authority toward making it easier for financial institutions to conduct business in the European Union. Even if a Swiss bank comes to the conclusion that these Guidelines are not applicable for the time being, they may provide additional, helpful guidance and insights to what is already available in the Swiss regulatory framework.

In conclusion, compliance with the regulations outlined here means that, in general, a shift of banking services to the cloud is permitted and even supported by the controlling authorities.

In the next blog we will provide a framework of decision criteria when it comes to selecting the appropriate cloud service provider in Switzerland.



Ralph Wyss - Partner, Audit & Assurance

Ralph is a Swiss attorney at law and PhD (law) with more than 25 years of professional experience in the Swiss financial services industry and other industries. He is a well-known AML and compliance expert in the Swiss marketplace.

At Deloitte, he leads our Risk and Regulatory Assurance services. In addition he supports our Restructuring Services in the area of restructuring and liquidation of banks.



Jan Seffinga - Partner, Head Cloud Engineering

Jan is a partner at Deloitte in Financial Services Consulting in Switzerland. For over 20 years he has advised financial services institutions around the world. His focus is on projects for transformation and innovation in the banking sector for Swiss and global banks. Jan’s expertise encompasses the successful planning, management and execution of major transformation projects, the implementation of regulatory requirements and the definition and realisation of strategies for digitalisation.

In addition to his consulting work for financial services institutions, he leads the Cloud Engineering team, and manages and coordinates the blockchain activities of Deloitte Switzerland.



Alexander Eppenberger - Manager, Cloud Engineering

Alexander’s consulting experience is based on digital, regulatory and tax-driven initiatives in the financial industry within varied roles, as business project manager, business analyst, process engineer, and test and launch control manager.

With his in-depth knowledge in ecosystems, cloud services, banking and disruptive technology, Alexander advises leading financial institutions in transforming their business operating model.



Luigi Bruno - Senior Consultant, Cyber Risk

Luigi is a Senior Consultant in the Deloitte’s Cyber Risk practice within the Risk Advisory group.

He focuses on advising clients from various sectors in the areas of data protection, privacy, digital and cyber regulation, networks and information security, critical infrastructure protection, distributed ledger technologies and IT, where his legal background and pragmatic experience in data and technology management drive a hands-on approach to delivering exceptional results for Swiss organisations.



Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.


Post a comment

Comments are moderated, and will not appear until the author has approved them.