“Innovation and regulatory responsibility are inseparable” 

The Swiss Bankers Association has revised its Cloud Guidelines. What are these exactly, and who are they aimed at? 

The Cloud Guidelines are intended primarily for banks and securities firms in Switzerland. They serve as a practically oriented aid to using cloud services in compliance with the law and regulations. The regulatory landscape has evolved since they were first published in 2019, particularly as regards regulations on operational risks. The updated version of the guidelines reflects these developments and outlines how institutions can translate the applicable legal requirements into appropriate technical and organisational measures.

Why is the cloud so important for banks? 

Cloud technology is a central pillar of the digital transformation. It allows for efficiency gains, faster innovation cycles and greater scalability. Many banks are already using cloud services for office applications or data analysis and increasingly for more complex processes as well. Access to artificial intelligence and machine learning without substantial investments in proprietary infrastructure is especially appealing. It allows institutions to develop new services and automate regulatory processes, for example in risk management or compliance.

What about the risks? We keep hearing about dependencies on large providers, most of which are in the US. 

This discussion is justified. It’s important to note that banking is a heavily regulated industry with established procedures for handling sensitive and confidential data securely. These also apply to the cloud. When using cloud services, banks still have to look closely at which data they’re outsourcing under what conditions and which security mechanisms are in place. Dependence on large multinational providers is real, but it can be controlled. What matters most is a good understanding of the legal framework and technical possibilities.

How do banks actually ensure this?   

The security of customer data is paramount for banks, regardless of whether processing happens locally or in the cloud. Banks are subject to very strict regulatory requirements and have to provide proof of extensive technical and organisational protection measures, including encrypted data transfer and storage, multi-stage access controls and regular audits. 

It’s vital for institutions to understand exactly where their data are kept, who has access to them and which legal requirements apply. The cloud doesn’t change this responsibility – in fact, it demands even more precise control. Our guidelines show banks how they can live up to this responsibility without missing out on the opportunities presented by modern technology.

Digital sovereignty is currently a hot topic in political circles. How do you view the situation in Switzerland? 

It’s an increasingly important topic. There are various parliamentary initiatives aimed at strengthening digital sovereignty, in other words making Switzerland more independent in its use of digital infrastructures. This doesn’t mean distancing Switzerland and its financial centre from international providers, it means proactively controlling risks while promoting homegrown skills and solutions. We need to strike a balance between openness and control.

What specific actions would you advise institutions to take next? 

The cloud is here to stay. Our 2024 survey revealed that around 80% of banks expect cloud services to become an industry standard in the next three to five years. It’s vital to address the subject strategically with a clear governance framework, strong partners and an open-minded but realistic view of the risks. The cloud isn’t an end in itself but a tool for ensuring that the Swiss financial centre remains innovative, stable and competitive.