REGULATORY IMPLICATIONS OF CLOUD COMPUTING. Stephen B. Kerr Partner Financial Institutions Group

Transcription

1 REGULATORY IMPLICATIONS OF CLOUD COMPUTING Stephen B. Kerr Partner Financial Institutions Group

2 1

3 Outline Outsourcing history of Canadian regulatory guidance with respect to outsourcing generally Recent guidance and views regarding cloud computing from the Office of the Superintendent of Financial Institutions ( OSFI ) (i.e. OSFI s perspective) How to address OSFI s concerns and requirements when considering a material cloud computing arrangement 2

4 Canadian Regulatory History Evolution of a regulatory philosophy From rules-based to principles-based regulation OSFI supervisory framework introduced (August, 1999) Risk-based approach to assessing a federally regulated entity s ( FRE s ) safety and soundness Evolution of Guideline B-10 Three iterations FRE s remain accountable for all outsourced activities Most recent changes (March, 2009) dealt with, among other things, acquired outsourcing agreements, advance notice by OSFI if audit rights are to be invoked, suggested changes to agreements regarding the testing of business recovery systems, assessing materiality in the content of multiple outsourcing arrangements with only one service provider, and conducting due diligence at the time of a substantial amendment to the outsourcing agreement Data processing outside of Canada Elimination of regulatory approval (April, 2007) However, OSFI may direct the FRE to not maintain or process information or data in another country, or (put another way), to maintain or process information or data in Canada, if it believes that the maintenance or processing of the information or data outside Canada is incompatible with the fulfilment of OSFI s responsibilities FRE s must maintain in Canada certain corporate, accounting and customer records 3

5 OSFI and Cloud Computing February 29, 2012 OSFI Memorandum (the OSFI Memorandum ) Not just cloud computing but all new technology-based outsourcing arrangements Only applies to material (which is both a quantitative as well as a qualitative analysis) cloud computing arrangements Emphasis on: Confidentiality, security and separation of property Contingency planning Location of records Access and audit rights Subcontracting Monitoring the material outsourcing arrangements Unusual for OSFI to issue such a memorandum and therefore underscores a significant regulatory concern with respect to the risks associated with cloud computing 4

6 OSFI and Cloud Computing (continued ) OSFI s approach and philosophy: Benefits and risks for FRE s with respect to cloud computing Still at the relatively embryonic stage for FRE s but growing in use more generally Potentially very significant cost savings for FRE s which by their very nature operate data-intensive, not to mention date-sensitive, businesses Huge systemic risk (e.g. reputational, financial, loss of data, counter-party, etc.) in the context of material cloud computing arrangements (particularly the case for smaller FRE s) Engenders significant third party dependency Process leading up to the OSFI Memorandum Reluctant to open up Guideline B-10 (i.e. it is expected that Guideline B-10 can still work in a cloud computing environment) The result of extensive industry consultation (i.e. both FRE s and service providers) OSFI looked to foreign regulatory approaches and philosophies for guidance 5

7 OSFI and Cloud Computing (continued ) Benefits of the OSFI Memorandum Gives contractual ammunition to FRE s when negotiating with IT service providers Not prescriptive (i.e. still flexible reflecting principles-based approach) Acknowledges the benefits of cloud computing to FRE s (i.e. not an outright prohibition in concept) Gives direction to the IT service provider industry to allow it to develop a cloud computing model which is regulatorily compliant Draw-backs of the OSFI Memorandum Curtails/limits the benefits of cloud computing in that it is arguably difficult, if not impossible, to satisfy all criteria in the context of a true cloud computing arrangement (e.g. location of data, access and audit rights for both the FRE and OSFI, etc.) thereby necessitating changes to the model Perhaps not prescriptive enough 6

8 OSFI and Cloud Computing (continued ) OSFI disputes the claim made by IT service providers that FRE s will lag their competitors because of excessive regulation in the area In comparison to other regulators (e.g. Australia, Singapore, United States and Germany) OSFI is generally more supportive of cloud computing OSFI does not manage risk it merely provides guidance and therefore will not opine on any outsourcing arrangements (including with respect to material cloud computing arrangements) because OSFI does not: Know your business as well as you do Want to be pulled into contractual negotiations Want its supervisory staff to be held hostage to prior regulatory views or comfort Cloud computing emphasizes geographic and political risk for FRE s (i.e. OSFI prefers localized cloud computing) FRE s should move slowly and cautiously with a view to managing risk, engaging risk management protocols, and involving internal audit and legal at the very early stage of any material cloud computing arrangement (i.e. don t cut corners) The IT service provider industry should develop bespoke products and services which complies with regulatory expectations as there is the perception that those cloud computing products and services currently available may not be necessarily compliant 7

9 OSFI and Cloud Computing (continued ) Consequences to FRE s for implementing a cloud computing arrangement which does not comply with Guideline B-10 or the OSFI Memorandum: Deficiency letters Unwinding contractual arrangements Negative impact on supervisory ratings (and if serious enough, will impact capital requirements) Exercise by OSFI of its residual authority to mandate that services be provided in Canada 8

10 Addressing OSFI s Concerns Detailed negotiations should be anticipated by IT service providers when they are negotiating cloud computing arrangements with FRE s Proposed contract should include (among other things): Regular updates re: location of data Detailed provisions regarding access and audit rights (for both the FRE as well as OSFI) and monitoring generally Access to all necessary records so business will not be interrupted (i.e. business continuity) Provisions dealing with how service providers can segregate data Provisions addressing recourse in the event of sub-standard (or discontinuation of) service Understand where your data may reside and those jurisdictions rules regarding search and seizure Ask yourself whether a public or even a community cloud is even appropriate for certain data Do not expect OSFI to materially deviate from its expectations Maintain control and do not outsource management over very sensitive data Relying on hard-boiled precedent outsourcing agreements will not be necessarily responsive to regulatory concerns 9

11 Addressing OSFI s Concerns (continued ) Consult regulatory counsel prior to consummating a material cloud computing arrangement: A legal opinion could provide FRE s (or their counterparties) with some insurance that could be relied upon in the event a regulator expressed concern (and therefore could also be a condition or a requirement of such an agreement) Conduct no-names conversations with OSFI for purposes of obtaining regulatory guidance (OSFI will not opine but will give guidance) Recognize that there may be other regulatory regimes to consider in addition to those of OSFI (e.g. privacy) 10

12 Conclusion Cloud computing has turned outsourcing (which has evolved from a regulatory to a contractual to an operational matter) back to being more a regulatory matter in light of the systemic commercial and reputational risks which a material cloud computing arrangement poses for an FRE 11

13 12