Cloud computing in the banking sector - How compliance requirements can be implemented

It is undisputed that the banking sector also benefits from outsourcing services to the cloud through greater agility and cost advantages. It also gives banks access to expertise that would otherwise have to be built up or expanded internally, for example in the area of security.

So what's holding back migration? Uncertainty about compliance requirements at financial institutions, according to a PwC study. That's because a multitude of standards take effect at the European and German levels, often subject to a great deal of interpretation. In this article, Thomas Bachmann, CISO and Data Protection Officer at Mambu, provides an overview of organizational and technical solutions that banks, cloud providers and IT service providers can take together to ensure compliance.

Regulatory requirements for banks

Ensuring data security and the protection of personal data as well as business continuity - the requirements for banks during a cloud migration are high. At country and EU level, financial institutions are subject to a complex web of guidelines that must be observed when outsourcing services to the cloud. In principle, no data may be stored in countries outside the EU. Services such as support, which must also access this data, can also be provided by countries outside the EU. However, this process must then be secured by technical measures such as encryption and contractual precautions such as the EU standard contractual clauses.

Banks are required to carefully select their SaaS service providers. Despite the migration of services to cloud environments, the responsibility for these services remains with the financial institution - because risks cannot be delegated. However, the SaaS solution provider can support the bank in risk assessment and management. To effectively manage the risks of outsourced services, banks have an obligation to monitor their SaaS provider. To do this, both the bank and its regulator need audit rights and effective access to all data at all times. To grant this, some SaaS providers, as well as underlying infrastructure providers, offer extensions to standard contracts that give banks these special rights.

The quality of the outsourced services must remain the same for the end customer - whether the service is delivered in the cloud or on-premise."

The outsourcer also has some responsibilities. For example, he is responsible for risk management of the outsourced services - about which he must keep the financial institution informed at all times. In addition, it is his duty to protect the entrusted information. Together, SaaS service provider and bank must develop a business continuity plan that is periodically tested.

All these requirements stem from the EU Markets in Financial Instruments Directive 2014/65/EU (MiFID II), the 2006 CEBS harmonized guidelines on outsourcing, and EBA/REC/2017/03 (recommendations on outsourcing to cloud service providers from 2018). Other countries within and outside the EU are subject to similar regulations.

Technical and organizational solutions: The shared responsibility model

One organizational solution for ensuring compliance when outsourcing financial services is a so-called shared responsibility model. This clearly defines which of the three parties (bank, SaaS provider and cloud provider) has which responsibilities in the process. But even beyond this, outsourcers and cloud providers can reduce existing concerns of the banks by seeing themselves as partners of the financial institutions and supporting them with their expertise. Only if they take their concerns seriously and provide them with the necessary resources to ensure compliance will banks be convinced to adopt public cloud and SaaS solutions.

Role of the financial institutions

The implementation of compliance policies already starts with the careful selection of the IT service provider.

If a cloud-agnostic solution is chosen, the cloud provider can be changed if there are security concerns. In addition, selecting a platform with effective audit and control capabilities and visibility into which processes are outsourced to whom makes it easier to meet regulatory requirements."

In the shared responsibility model, ensuring end-to-end compliance, ultimately the responsibility for the secure and appropriate use of outsourced services, lies with the financial institution itself. An overview must be maintained at all times of which services have been outsourced and what risks they entail. Best practices for this are risk management (e.g., according to ISO/IEC 27005), choosing an integrated, tool-based approach with a real-time overview of the effectiveness of existing measures and the live status of planned measures, and mapping measures to industry standards such as ISO/IEC 27001. In addition, there should be an annual risk reassessment, regular internal and external audits and tests of the effectiveness of measures, and the integration of risk management into the development process of new services (security by design).

Banks are also responsible for change control and monitoring the performance of outsourced services. The entire company must be involved in cloud migration - which makes regular staff training all the more important in order to anchor security awareness in the organization and adapt processes accordingly.

Banks can ensure a secure configuration by implementing single sign-on (SSO), password policies, multi-factor authentication, access permissions and two-step verification procedures for specific processes.

Role of the SaaS provider

In this model, the banking platform provider must already focus on the security of the data when developing the SaaS solution.

With a multi-cloud strategy that allows banks to switch cloud providers in the same or other regions without service issues, the greatest possible flexibility is created for banks. It also reduces the risk of concentration on one cloud provider."

To best protect financial institutions' data, a number of security measures can be implemented - for example, in the area of encryption and key management. Customer data transmitted over public networks must always be encrypted in transit. All customer data is also stored in encrypted form. Keys must be stored securely and should only be accessible to services that require access. They should also be rotated on a regular basis.

In addition, measures can be taken in the area of access control. Access for support and technical teams should be highly restricted technically and logged. Customer access can be restricted based on IP address ranges or to VPN/VPC peering connections if the bank opts for dedicated instances. Customer sessions can be secured with MFA or controlled by external identity providers.

Automated regression and migration testing ensures consistent processing when changes are made to the solution, ensuring data integrity. Financial data is stored in relational databases that allow financial transactions to be fully processed and reconciled across two servers to ensure their integrity. Backups must be available and tested regularly to restore data if problems remain.

Part of a risk management framework should be regular and ad hoc risk assessments that examine security issues such as confidentiality, integrity and availability of processed data, as well as the availability of internal processes, systems, people and third parties."

In addition, ensuring business continuity is essential. This is done by conducting regular end-to-end tests to test whether guaranteed recovery time and recovery point objectives (RTO/RPO) are met. In addition, in emergency situations, it must be ensured that banks themselves can bridge the incident. To this end, some IT service providers offer a source code escrow service through which customers can access resources such as the source code of the deployed solution and critical documentation, as well as a verification report. This third-party report provides step-by-step instructions on how to rebuild the solution using the escrowed material alone to ensure business continuity. Backup APIs for effective access to data enable the backup and subsequent import of an up-to-date data status.

In addition, the outsourcer has the responsibility to effectively isolate customer environments and enforce customer-configured security controls. Engaging the cloud provider is also the responsibility of the outsourcer. Security practices to be followed, including business continuity and disaster recovery, are governed by the ISO/IEC 27001 standard.

Since the quality of the outsourced services must continue to be ensured, the SaaS provider is also subject to a service level agreement (SLA) here. To fulfill this agreement, the outsourcer is obliged to monitor the service continuously and immediately correct any errors or failures. It also falls to the outsourcer to explain to the customer, i.e., the financial institution, its own responsibilities and the cloud provider's obligations."

In addition, the IT service provider can help banks meet compliance requirements by facilitating effective access to data and business premises, which is required by regulation. They can further facilitate the process with pre-written order processing contracts that specify that SaaS providers are order processors, not controllers. By providing outsourcers with access to documented information on internal processes and policies, contract templates, external security certifications and audit reports, service performance metrics and external assurances on disaster recovery testing, they can help banks assess risk.

Role of the cloud provider

The cloud provider, as the third party in the shared responsibility model, must configure the infrastructure so that the outsourcer can use it to ensure business continuity and disaster recovery. With a large number of data centers across different regions, it ensures the high availability of its services and reduces the risk of downtime. The cloud provider is also subject to the SLA and must ensure high performance.

According to the ISO/IEC 27001, SOC 1/2/3 standard, it must also ensure the security of its data center and services. Some providers also offer pre-integrated security solutions that can be enabled with minor configuration changes. To facilitate migration, vendors can develop checklist-based frameworks to help banks meet all requirements.

No migration without cooperation

Despite the complex legalities of migrating banking services, financial institutions can also reap the benefits of a cloud solution.

The key is close cooperation between the bank, SaaS provider and cloud provider, as well as the precise assignment of responsibilities - only then is it possible to remain compliant even when new regulations are issued or risks change."