CLOUD COMPUTING Legal, Regulatory & Compliance Concerns ON HUNGARIAN FINANCIAL MARKET 2013

Cloud computing in Hungarian financial industry 2013


Executive Summary

This review outlines the key legal, regulatory and compliance concerns to be addressed in the course of making business decisions on the subject matter.

As a starting point, it is acknowledged that applying cloud computing solutions has extremely strong business potential, in the financial industry as well.

All three areas, namely legal, regulatory and compliance, have their own authorities with a say on the question.

In detail, services (contracts) are to be analysed from the points of view of (i) general commercial contracting, (ii) regulatory compliance and (iii) data protection compliance.

When aiming to explore and mitigate the various risks and so to drive the project towards legal feasibility, the following findings are the key ones. On Cloud Computing as such there is no Hungarian (or European) legislation in force (or even in the pipeline). Furthermore, while there has been basic EU guidance on Cloud Computing (only) since July 2012, there is no effective guidance or even orientation from the respective Hungarian authorities (the HFSA and the DPA).

In conclusion, we may state that from a legal, regulatory and compliance point of view, banks, taking moderate risks, may (aim to) enter into a Cloud Computing contract, but only subject to several key assumptions and conditions.

Top strategic technology

Cloud Computing has been identified as one of the top strategic technologies that will reshape the world in this decade.

(Gartner*)

*http://www.gartner.com/it/page.jsp?id=1454221

The issue

The technology of Cloud Computing is a forerunner and is also (currently) ahead of legal regulation.

In the EU/EEA, the law is more stringent (restrictive) in the field of personal data protection than in the US.

The Pros and the Cons

The Pros

Cloud Computing offers enormous space (in a double sense) that supports companies' overall workflow and management with state-of-the-art, secure and cost-effective hosted services.

The Cons

A decision to introduce Cloud Computing solutions must necessarily be backed by answers to several concerns: besides the IT/bank security ones, also those from a legal, regulatory and compliance point of view.

Legal: EU and Hungarian personal data protection requirements; basic contractual issues; special issues raised by E-Discovery (regarding any litigation in the US).

Regulatory: whether cloud computing qualifies as outsourcing and is therefore controlled by the HFSA.

Compliance: alignment with the bank's internal / Group corporate governance; ensuring control of Cloud Computing services by the Compliance Department as well as by internal and external auditors.

The issues – Data protection (i)

Asynchrony of technological and legal developments

The technology of Cloud Computing is predominantly provided by US service providers, whose home-country law is far less restrictive in the field of personal data protection than EU/EEA law. In both jurisdictions there is (so far) a lack of definite legislation on Cloud Computing which, while it does not seem to be a burden in the US, raises concerns in the EU. Thus, besides being a forerunner in technology, Cloud Computing is also well ahead of legal and regulatory developments.

Self-regulatory efforts

The industry itself is fairly proactive in self-regulation. Its organization, the Cloud Security Alliance, admits* that „specialized compliance requirements for highly regulated industries should be considered and must address during requirements identification stage. Some regulatory requirements specify controls that are difficult or impossible to achieve in certain cloud services types.”

* https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf (p. 48)

The issues – Data protection (ii)

Developing EU regulatory environment

While the EU is currently working on unified European data protection legislation (which will take the form of a regulation, i.e. automatically binding on the member states), the legislation in force is the so-called Data Protection Directive 95/46/EC (the „Data Protection Directive”). This, firstly, does not cover cloud computing and, secondly, being a directive, allows national legislation to differ.

Despite the lack of legislation in force, the EU actively deals with the issue, albeit still in the regulatory drafting phase. Apart from the Commission Decision of 5 February 2010 on the standard contractual clauses for the transfer of personal data to processors established in third countries* (the „EU Model Clauses”), on cloud computing itself the EU has so far issued only an opinion: Article 29 Data Protection Working Party Opinion 05/2012 on Cloud Computing** (the „EU Opinion”), adopted on July 1st 2012 (!). Clearly, the three-month-old opinion has no practice behind it yet. However, since it has been welcomed by the industry, following its „rules” may amount to a kind of compliance regarding the protection of customer personal data.

One striking point of the EU Opinion is that it refers to and reinforces Article 4 of the Data Protection Directive, under which the applicable law of such contracts shall be that of the country in which the data controller (in our case the Banks) is established (i.e. Hungary).

* http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2010:039:0005:0018:EN:PDF

** http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp196_en.pdf

The issues – Data protection (iii)

Uncertain Hungarian regulatory environment

The European regulatory background highlighted above results in the following:

(i) due to the option of differing, Hungarian national legislation (in force) is, in theory, stricter than the average European member state's regulations, and

(ii) what is more problematic, the Hungarian Data Protection Authority (DPA) strikingly avoids the subject of cloud computing: no precedent decisions, no guidance, not even participation in the public debate, as if there were no question at all.

Due to this evident retreat, even industry players that are active in the dialogue at European level do not approach the Hungarian authorities for guidance at all. As we have been advised, unlike with other national data protection authorities, from which it has received positive feedback*, Supplier has not yet approached the Hungarian DPA.

Best practice

Irrespective of the absence of definite legal requirements, Banks, as market leaders in Hungary, shall take into consideration that „front-runner companies are highly committed to protecting data, particularly customer information.” (PwC 2012 Global State of Information Security Survey)**

* Supplier provided us with the confirmatory letters of several national data protection authorities

** http://www.pwc.com/gx/en/information-security-survey (p. 13)

The issues – Regulatory (i)

Cloud computing is a way of outsourcing

Applying cloud computing services unquestionably qualifies as outsourcing. Accordingly, a Cloud Computing service contract shall comply with the respective requirements of the Hungarian Banking Act.

HFSA (Hungarian Financial Supervisory Authority) Approach

The HFSA, unlike the DPA, has already taken a step, albeit a very minor one, towards guiding and orienting the market in this respect. On July 18, 2012 it issued the 4/2012 HFSA Management Circular* (the „HFSA Circular”). Unfortunately, the HFSA's commitment to regulating and thereby promoting the financial industry in this respect seems to be merely apparent, since the paper is simply a translation of the communication of the US Federal Financial Institutions Examination Council (the „FFIEC”) on Outsourced Cloud Computing** (the „FFIEC Statement”). Instead of better aligning the regulatory landscape with the nature of cloud-based solutions, the FFIEC Statement and the HFSA Circular disappointingly advocate applying current regulations in their existing form and imply that cloud vendors will have to adapt and align their solutions to the legacy regulatory environment. This basically means that the authorities treat cloud computing as an outsourced activity.

* http://www.pszaf.hu/akadalymentes/data/cms2364896/vezkorlev_4_2012.pdf

** http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_OutsourcingTechnologyServices.pdf

The issues – Regulatory (ii)

One of the key questions: can the on-site regulatory audit be substituted?

The Hungarian Banking Act requires that outsourced services be audited on site by the HFSA (and also by the company and its auditors), subject to a respective request or general need. The key question par excellence of outsourcing (which the HFSA does not address) is this on-site audit. Due to the nature of the technology, it cannot be ensured. Accordingly, cloud service contracts cannot fully comply with the letter of the legislation currently in force.

The Statement/Circular call on financial institutions to run due diligence prior to contracting to ensure that the provider will meet all the requirements. If this due diligence is performed by an independent third party, then, further to its initial audit, that party could from time to time be engaged for operational audits as well. Its report, subject to the willingness of the HFSA, could substitute for the on-site audit. However, at present we are not aware (nor have we been advised by Supplier) of the existence of any such third party whose report could be used as a kind of certification for these purposes.

The HFSA will surely scrutinize the proposed cloud computing contracts as outsourced services, and banks will need robust arguments to get the HFSA to buy in. Here we have to note that Supplier has not yet approached the HFSA (just as it has not approached the DPA) to seek any preliminary guidance or opinion whatsoever.

The issues – Other legal questions

Basic contractual issues

At the early stage of the projects, before the strategic decision is taken (based upon the IT/bank security and legal concerns), the drafts of the multiple contracts provided by Supplier are regularly not analysed in detail.

However, we note that, due to the basic requirement of the EU, all contracts should be governed by the laws of Hungary.

Contracts governed by non-Hungarian laws shall be checked and confirmed by lawyers of the respective jurisdiction(s).

Potential special requirements regarding E-discovery

If the bank is involved in litigation in the US and would like to apply Cloud Computing services to any banking system, this may raise questions regarding so-called E-discovery in US court procedures. Any special obligations of the bank arising therefrom shall be checked and confirmed by US litigation lawyers.

Conclusions

It is our conclusion that Banks, while still taking moderate legal and regulatory risks, may (aim to) enter into a „Cloud Contract” subject to the following key assumptions and conditions:

(i) contracts be governed by the laws of Hungary;

(ii) Supplier to represent and warrant that the service complies with Hungarian data protection legislation and with the requirements of Section 3.4 of the EU Opinion;

(iii) each sub-service provider of Supplier shall be contracted under the EU Model Clauses or be in Safe Harbor (certified by an independent auditor); Supplier shall ensure that Banks are entitled to instruct sub-service providers directly, should it be the case;

(iv) Supplier to deliver independent certification, or the Bank and Supplier mutually to approach the HFSA for preliminary guidance/clearance, stating that Supplier/the services comply with the requirements of the Hungarian Banking Act regarding outsourcing (apart from the on-site audit);

(v) Supplier to undertake to indemnify the Bank should it suffer any damages due to non-compliance, and the Bank shall be entitled to terminate the entire agreement with immediate effect should Banks/Supplier fail to obtain clearance from the HFSA and the DPA;

(vi) the Bank is to consider engaging external legal advisers for counselling regarding contracts governed by non-Hungarian law(s) and, subject to developments on the above conditions, for providing the Bank with a double check of the regulatory compliance of the services.

Dr. Igor Máté, Head of Business Legal Services

MKB Bank, https://www.linkedin.com/in/igormate