Varying regulatory approaches across jurisdictions pose significant challenges to FIs trying to implement the public cloud as part of their global strategy.
ASIFMA has published a new report providing recommendations for a technology-neutral and activity-based approach to public cloud regulation.
The paper puts forward principles that aim to promote discussion between financial institutions, cloud service providers, and regulators about the most effective way to regulate public cloud services.
“Cloud computing is rapidly becoming the norm for IT processing and data storage solutions as it is an adaptable and versatile way to consume a range of IT services,” says Laurence Van der Loo, Executive Director of Technology & Operations at ASIFMA.
“In this paper, we focus our attention on the regulation of the public cloud, where the cloud infrastructure is provisioned for open use by multiple organisations.”
The use of public cloud brings significant benefits to the financial services industry in the areas of risk mitigation, innovation, cost savings and productivity gains, the paper says. However, it has also been under regulatory scrutiny due to the differences associated with public cloud versus other models.
Varying regional approaches to regulation pose significant challenges to financial institutions trying to implement the public cloud as part of their global strategy, in some cases making the deployment of a global process to a certain service provider impossible.
This can result in heightened cybersecurity risks as it creates a more decentralised environment that inhibits central oversight and information sharing across borders.
To avoid the complexities that can arise from conflicting regulatory requirements across jurisdictions, ASIFMA recommends that regulators promote a consistent and globally aligned framework for public cloud regulation.
In addition, given regulatory concerns in relation to concentration risk, data access, cybersecurity and resilience, ASIFMA argues that the most effective way to address these concerns is for regulators to adopt a technology-agnostic, risk-based and principle-based approach when implementing public cloud regulation.
This approach will prevent regulation from becoming stale as technology changes and avoid the need to fine-tune or add on adjuncts, which can lead to overly complex regimes.
“Since we expect cloud technology to become the norm in the future, it is essential that regulators do not stifle technological innovation so that the financial services industry can maintain a competitive edge,” said Van der Loo.
The paper, available here, proposes nine high-level principles for public cloud regulation.