REGULATORY IMPLICATIONS OF CLOUD COMPUTING. Stephen B. Kerr, Partner, Financial Institutions Group




Outline
- Outsourcing: history of Canadian regulatory guidance with respect to outsourcing generally
- Recent guidance and views regarding cloud computing from the Office of the Superintendent of Financial Institutions ("OSFI") (i.e. OSFI's perspective)
- How to address OSFI's concerns and requirements when considering a material cloud computing arrangement

Canadian Regulatory History
- Evolution of a regulatory philosophy
  - From rules-based to principles-based regulation
  - OSFI supervisory framework introduced (August 1999): a risk-based approach to assessing a federally regulated entity's ("FRE's") safety and soundness
- Evolution of Guideline B-10
  - Three iterations
  - FREs remain accountable for all outsourced activities
  - Most recent changes (March 2009) dealt with, among other things: acquired outsourcing agreements; advance notice by OSFI if audit rights are to be invoked; suggested changes to agreements regarding the testing of business recovery systems; assessing materiality in the context of multiple outsourcing arrangements with only one service provider; and conducting due diligence at the time of a substantial amendment to the outsourcing agreement
- Data processing outside of Canada
  - Elimination of regulatory approval (April 2007)
  - However, OSFI may direct the FRE not to maintain or process information or data in another country (or, put another way, to maintain or process information or data in Canada) if it believes that the maintenance or processing of the information or data outside Canada is incompatible with the fulfilment of OSFI's responsibilities
  - FREs must maintain in Canada certain corporate, accounting and customer records

OSFI and Cloud Computing
- February 29, 2012 OSFI Memorandum (the "OSFI Memorandum")
  - Not just cloud computing but all new technology-based outsourcing arrangements
  - Only applies to material cloud computing arrangements (materiality being both a quantitative and a qualitative analysis)
  - Emphasis on:
    - Confidentiality, security and separation of property
    - Contingency planning
    - Location of records
    - Access and audit rights
    - Subcontracting
    - Monitoring the material outsourcing arrangements
- Unusual for OSFI to issue such a memorandum; it therefore underscores a significant regulatory concern with respect to the risks associated with cloud computing

OSFI and Cloud Computing (continued)
- OSFI's approach and philosophy: benefits and risks for FREs with respect to cloud computing
  - Still at the relatively embryonic stage for FREs but growing in use more generally
  - Potentially very significant cost savings for FREs, which by their very nature operate data-intensive, not to mention date-sensitive, businesses
  - Huge systemic risk (e.g. reputational, financial, loss of data, counter-party, etc.) in the context of material cloud computing arrangements (particularly the case for smaller FREs)
  - Engenders significant third party dependency
- Process leading up to the OSFI Memorandum
  - Reluctant to open up Guideline B-10 (i.e. it is expected that Guideline B-10 can still work in a cloud computing environment)
  - The result of extensive industry consultation (i.e. both FREs and service providers)
  - OSFI looked to foreign regulatory approaches and philosophies for guidance

OSFI and Cloud Computing (continued)
- Benefits of the OSFI Memorandum
  - Gives contractual ammunition to FREs when negotiating with IT service providers
  - Not prescriptive (i.e. still flexible, reflecting the principles-based approach)
  - Acknowledges the benefits of cloud computing to FREs (i.e. not an outright prohibition in concept)
  - Gives direction to the IT service provider industry to allow it to develop a cloud computing model which is regulatorily compliant
- Drawbacks of the OSFI Memorandum
  - Curtails/limits the benefits of cloud computing in that it is arguably difficult, if not impossible, to satisfy all criteria in the context of a true cloud computing arrangement (e.g. location of data, access and audit rights for both the FRE and OSFI, etc.), thereby necessitating changes to the model
  - Perhaps not prescriptive enough

OSFI and Cloud Computing (continued)
- OSFI disputes the claim made by IT service providers that FREs will lag their competitors because of excessive regulation in the area
- In comparison to other regulators (e.g. Australia, Singapore, United States and Germany), OSFI is generally more supportive of cloud computing
- OSFI does not manage risk; it merely provides guidance and therefore will not opine on any outsourcing arrangements (including with respect to material cloud computing arrangements) because OSFI does not:
  - Know your business as well as you do
  - Want to be pulled into contractual negotiations
  - Want its supervisory staff to be held hostage to prior regulatory views or comfort
- Cloud computing emphasizes geographic and political risk for FREs (i.e. OSFI prefers localized cloud computing)
- FREs should move slowly and cautiously with a view to managing risk, engaging risk management protocols, and involving internal audit and legal at the very early stage of any material cloud computing arrangement (i.e. don't cut corners)
- The IT service provider industry should develop bespoke products and services which comply with regulatory expectations, as there is the perception that the cloud computing products and services currently available may not necessarily be compliant

OSFI and Cloud Computing (continued)
- Consequences to FREs for implementing a cloud computing arrangement which does not comply with Guideline B-10 or the OSFI Memorandum:
  - Deficiency letters
  - Unwinding contractual arrangements
  - Negative impact on supervisory ratings (and, if serious enough, an impact on capital requirements)
  - Exercise by OSFI of its residual authority to mandate that services be provided in Canada

Addressing OSFI's Concerns
- Detailed negotiations should be anticipated by IT service providers when they are negotiating cloud computing arrangements with FREs
- Proposed contract should include (among other things):
  - Regular updates re: location of data
  - Detailed provisions regarding access and audit rights (for both the FRE as well as OSFI) and monitoring generally
  - Access to all necessary records so business will not be interrupted (i.e. business continuity)
  - Provisions dealing with how service providers can segregate data
  - Provisions addressing recourse in the event of sub-standard (or discontinuation of) service
- Understand where your data may reside and those jurisdictions' rules regarding search and seizure
- Ask yourself whether a public or even a community cloud is appropriate for certain data
- Do not expect OSFI to materially deviate from its expectations
- Maintain control and do not outsource management over very sensitive data
- Relying on hard-boiled precedent outsourcing agreements will not necessarily be responsive to regulatory concerns

Addressing OSFI's Concerns (continued)
- Consult regulatory counsel prior to consummating a material cloud computing arrangement: a legal opinion could provide FREs (or their counterparties) with some insurance that could be relied upon in the event a regulator expressed concern (and therefore could also be a condition or a requirement of such an agreement)
- Conduct no-names conversations with OSFI for purposes of obtaining regulatory guidance (OSFI will not opine but will give guidance)
- Recognize that there may be other regulatory regimes to consider in addition to those of OSFI (e.g. privacy)

Conclusion
- Cloud computing has turned outsourcing (which has evolved from a regulatory to a contractual to an operational matter) back into more of a regulatory matter, in light of the systemic commercial and reputational risks which a material cloud computing arrangement poses for an FRE
