Cloud banking: updated SBA Cloud Guidelines take account of legal and regulatory developments
The use of cloud technology is a critical success factor for Switzerland and its financial centre. A clear understanding of the legal and regulatory requirements is essential. The Swiss Bankers Association (SBA) Cloud Guidelines, first published in 2019, outline practicable ways for banks and securities firms to develop technical and organisational measures that specify and operationalise these requirements. They have now been updated.
Cloud services in practice: opportunities and challenges
The digital transformation in the financial sector is moving forward inexorably, causing the importance of cloud services for the sector to grow. Depending on the situation, cloud services can bring benefits in terms of efficiency and costs for banks and securities firms (hereinafter referred to collectively as “institutions”). At the same time, they make it possible to develop innovative services and bring them to market quickly and flexibly. New technologies such as artificial intelligence can also be used via the cloud without making substantial investments in proprietary hardware and software. Access to a large pool of data and the corresponding computing power allows large data volumes to be analysed in real time, enabling institutions to offer innovative, tailor-made advisory services to individual customers or automate complex compliance and risk processes, for example. Specialised cloud providers additionally offer enhanced security for institutions’ infrastructure. As such, cloud services are a critical success factor for the Swiss financial centre.
However, they also give rise to challenges and risks. In particular, when using the cloud, institutions must continue to observe professional confidentiality under the Banking Act or the Financial Institutions Act, comply with data protection law, guarantee data security and resilience, and actively manage dependencies on individual cloud providers in order to avoid any loss of control.
Against this backdrop, institutions need to adapt their cloud strategy and architecture continually to changing external conditions as well as their own needs.
Specifying and operationalising business policy as well as legal and regulatory requirements through technical and organisational measures
“A clear understanding of the legal and regulatory requirements placed on institutions and the ability to specify and operationalise these by means of appropriate technical and organisational measures are essential,” says Dr August Benz, Head of International & Transformation and Deputy CEO of the SBA. The Cloud Guidelines set out practicable ways to address the most important legal and regulatory requirements and can serve as a legally non-binding aid to interpretation for institutions procuring and using cloud services, especially in the following four areas:
- Governance: choosing the cloud provider and its subcontractors, consenting to a change of subcontractor
- Data processing: processing data on bank customers
- Authorities and proceedings: transparency and collaboration between institutions and cloud providers with regard to measures ordered by the authorities and the courts
- Audit: auditing the cloud services and the cloud infrastructure used to deliver them
The Cloud Guidelines have been updated to take account of the legal and regulatory developments that have occurred since they were first published in 2019, for example in the regulations on operational risks. The update has also addressed the legal bases and terminology, including a more precise definition of “foreign lawful access”, an explanation of the “risk-based approach” concept and fundamental considerations on the use of cloud services.
In summary, institutions may adopt a risk-based and proportionate approach based on their size and the complexity of their business model when applying the guidelines. The vital aspect of assessing risks and deriving appropriate technical and organisational measures from them remains the individual institution’s responsibility.
With the Cloud Guidelines, the SBA is making an important contribution to the secure and legally compliant use of cloud technology and helping institutions to seize the opportunities presented by the digital transformation in a responsible manner.