I remember some years ago that Nicolas Sarkozy wanted to bring in a law that would force call centre operators to tell French citizens where they were located, due to the backlash over offshore call centres. I wonder what he would make of today’s world, where most French and European banks have given all their data to the Americans?
This question cropped up when I stumbled over a special Bloomberg report:
In March, Bloomberg released results of a survey they performed of 22 of the largest European banks about their use of cloud computing, and found that two-thirds are actively using such services …
… and that Microsoft beats most companies to their data, closely followed by Amazon, Google, IBM, Salesforce and NetApp.
And there’s the rub. They’re all American companies. The issue is that, under President Trump’s Cloud Act of 2018, US companies providing cloud computing can be ordered to provide US authorities the information held on their servers, no matter where that data is physically located.
But then, this isn’t going to change, is it?
Well, some think it might. German and French government officials are in talks with leaders in telecommunications, technology, and finance to create a competitive continental cloud service run by local tech companies. Great idea … but seriously flawed.
I think this idea is a bit like the other idea of creating a European card scheme to rival Visa and MasterCard. In both cases, it’s great in theory but flawed in practice.
For example, putting it in perspective, Microsoft spends more than $1 billion a year just on its global cloud network’s security. Therefore, creating a major European cloud provider for banking is going to be a challenge when most European banks are struggling with declining revenue and profit.
Bloomberg quotes Bernard Gavgani, Chief Information Officer at French banking group BNP Paribas: “In 2020, waking up and saying that we want to build a European cloud, I’d say it may be too late.”
I guess the bottom line is summarised quite well in the Prudential Regulation Authority’s (PRA’s) consultation paper on outsourcing and cloud usage, which was published in December 2019 and closes for comment in early April 2020.
Drawing on the main text of the European Banking Authority (EBA) ‘Guidelines on Outsourcing Arrangements’ (EBA Outsourcing Guidelines) and the draft European Insurance and Occupational Pensions Authority (EIOPA) ‘Guidelines on Outsourcing to Cloud Service Providers’ (EIOPA Cloud Guidelines), the PRA states that the concern is less that the cloud providers are American, and more the concentration risk of data at a few providers and the possibility of a systemic failure.
“The EBA Outsourcing Guidelines likewise note that ‘competent authorities need to identify the concentrations of outsourcing arrangements at service providers’ and note that ‘if service providers, e.g. in the area of IT or fintech, fail or are no longer able to provide their services, including in the case of severe business disruption caused by external events, this may cause systemic risks to the financial market’.”
This is followed up in section 10 with a specific item related to business continuity:
“In material Cloud outsourcing arrangements, the PRA expects firms to assess the resilience requirements of the service and data that are being outsourced and, with a risk-based approach, decide on one or more available Cloud resiliency options.”
That should cover the systemically important aspects of using cloud providers. From the data perspective, there is then a specific definition around data security in what is termed the shared responsibility model. The shared responsibility model states that:
- the (financial services) firm is responsible for what’s in the Cloud and the Cloud service provider is responsible for the provision of the Cloud;
- firms remain responsible for correctly identifying and classifying data in line with their legal and regulatory obligations and determining which jurisdictions certain data can be stored in or routed through (data location). They also remain responsible for configuration and monitoring of their data in the Cloud to reduce security and compliance incidents;
- Cloud service providers assume responsibility for the infrastructure running the outsourced service, e.g. data centres, hardware, software etc.; and
- firms and service providers share other responsibilities depending on the service model, e.g. Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS) etc.
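To make the firm’s side of the shared responsibility model concrete, here is an added example (not code from the original post, nor from the PRA or EBA texts) that runs two checks over a cloud resource inventory: the data-location check the list above describes (is each classified dataset stored in a jurisdiction its classification permits, and is its configuration in line with that), and the provider-concentration measure the EBA quotation earlier raises. The region-to-jurisdiction mapping, the classification policy, the concentration threshold and the inventory itself are all constructed for illustration, not regulatory figures or a real bank’s estate.

```python
"""Data-location and provider-concentration checks over a cloud resource inventory.

Added example, not from the original post or the PRA/EBA documents it cites. The
region mapping, policy, threshold and inventory below are constructed for
illustration.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed mapping of provider regions to legal jurisdictions (assumption).
REGION_JURISDICTION = {
    "eu-west-1": "EU",
    "eu-central-1": "EU",
    "uk-south": "UK",
    "us-east-1": "US",
    "ap-southeast-1": "SG",
}

# Constructed data-location policy: classification -> jurisdictions in which
# data of that class may be stored or routed.
LOCATION_POLICY = {
    "public": {"EU", "UK", "US", "SG"},
    "internal": {"EU", "UK", "US"},
    "customer-pii": {"EU", "UK"},
    "payment-data": {"EU"},
}

# Share of material outsourced resources at one provider above which we flag
# concentration risk (constructed threshold, not a regulatory figure).
CONCENTRATION_THRESHOLD = 0.5


@dataclass(frozen=True)
class Resource:
    name: str
    provider: str
    region: str
    classification: Optional[str]  # None models a missing classification tag
    encrypted_at_rest: bool
    material: bool  # whether this is a "material" outsourcing arrangement


# Constructed sample inventory (hypothetical names, providers and regions).
INVENTORY = [
    Resource("ledger-archive", "Microsoft", "eu-west-1", "payment-data", True, True),
    Resource("crm-store", "Microsoft", "us-east-1", "customer-pii", True, True),
    Resource("marketing-site", "Amazon", "us-east-1", "public", False, False),
    Resource("ml-scratch", "Google", "ap-southeast-1", None, True, False),
    Resource("kyc-docs", "IBM", "uk-south", "customer-pii", False, True),
]


def check_data_location(inventory):
    """Return (resource, finding) pairs for classification/location/config violations.

    The provider runs the region; the firm decides which classification may live
    there and keeps the configuration (here: encryption at rest) in line with it.
    """
    findings = []
    for r in inventory:
        if r.classification is None:
            findings.append((r.name, "missing-classification"))
            continue
        allowed = LOCATION_POLICY.get(r.classification)
        if not allowed:
            findings.append((r.name, f"unknown-classification:{r.classification}"))
            continue
        jurisdiction = REGION_JURISDICTION.get(r.region)
        if jurisdiction is None:
            findings.append((r.name, f"unknown-region:{r.region}"))
        elif jurisdiction not in allowed:
            findings.append((r.name, f"disallowed-jurisdiction:{jurisdiction}"))
        # Non-public data that is not encrypted at rest is a configuration gap.
        if r.classification != "public" and not r.encrypted_at_rest:
            findings.append((r.name, "unencrypted-at-rest"))
    return findings


def provider_concentration(inventory):
    """Share of material outsourced resources per provider, and providers over threshold."""
    material = [r for r in inventory if r.material]
    counts = Counter(r.provider for r in material)
    total = sum(counts.values())
    shares = {p: n / total for p, n in counts.items()} if total else {}
    flagged = sorted(p for p, s in shares.items() if s > CONCENTRATION_THRESHOLD)
    return shares, flagged


if __name__ == "__main__":
    for name, finding in check_data_location(INVENTORY):
        print(f"location: {name}: {finding}")
    shares, flagged = provider_concentration(INVENTORY)
    print("concentration:", shares, "flagged:", flagged)
```

Run against the constructed inventory, the location check reports the PII store sitting in a US region, the untagged scratch bucket, and the unencrypted KYC documents, while the concentration measure flags the single provider holding two of the three material arrangements. A real estate would feed this from the provider’s inventory APIs and the firm’s own classification register rather than a hard-coded list.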
In summary, I don’t think it matters so much where the company is headquartered, as to how it is managed and structured. As long as the data is secured and resilience is covered, then being in America, China or Timbuktu shouldn’t really matter. But of course it does.
All-in-all, I don’t expect things to change much in the structure of cloud however. It’s here and here to stay, and the fact that most banks have bet their farm on IBM and Microsoft in the past means they’re not going to change this by much in the future.