Author(s):
Stephen D.A. Clark, Kashif Zaman
Mar 2, 2012

It would not be an exaggeration to say that a number of technology companies (and
their customers) see Cloud Computing as an important development on the
question of how to store ever increasing amounts of data at a reasonable price
and at the same time permit the accessing of that data in an efficient manner. Not
only will Cloud Computing affect consumers (witness the number of consumers who
already use Apple’s recently introduced iCloud to store and access their music,
videos and pictures) but Cloud Computing is also very attractive to large
financial institutions which have significant storage and access issues
associated with running such large businesses and therefore routinely outsource
these technology services to third parties.

Perhaps in recognition of the growing importance of Cloud Computing and other similar
technologies, the Office of the Superintendent of Financial Institutions (OSFI)
released a memorandum on February 29, 2012, in which it reminded the financial
institutions it regulates that, notwithstanding the benefits that
technology-based services such as Cloud Computing can bring, such financial
institutions should recognize that when considering the unique features of such
services, they should also consider the associated risks and keep in mind their
obligations under OSFI’s Guideline B-10 (Outsourcing of Business Activities,
Functions and Processes) (Guideline B-10). For OSFI to issue such a
memorandum/guidance is unusual and indicates not only the importance of this area to
financial institutions but also OSFI’s concern as to the risks financial
institutions should consider in relation to Cloud Computing and the
applicability of Guideline B-10.

Cloud Computing refers to computing in which infrastructure services traditionally
accessed using software deployed on a customer’s premises are instead accessed
through the Internet. Common characteristics of Cloud Computing include:
delivery of services through shared, “multitenant” data centres; pay-as-you-need
pricing (similar to a utility); and rapid elasticity through which
additional processing power and storage can be added quickly.

Some of the well-recognized benefits of Cloud Computing are: reducing capital
expenditures and operational overhead; greater business flexibility (through
access to hardware, software and storage capacity that can grow or contract
with an organization’s needs); easier access to new technologies; and cost
savings. All of these are very attractive to financial institutions.

In issuing Guideline B-10 in the first place back in 2001, OSFI recognized that
financial institutions outsource business activities, functions and processes
to meet the challenges of technological innovation, increased specialization,
cost control, and heightened competition. However, OSFI also cautioned that
outsourcing can increase a financial institution’s dependence on third
parties, which may increase its risk profile.
In this most recent memorandum, OSFI has indicated that financial
institutions should, in relation to Cloud Computing, consider their ability to
meet the expectations contained in Guideline B-10 in respect of a material
outsourcing arrangement to which Guideline B-10 applies, with a particular
emphasis on certain concerns it has in relation to Cloud Computing and
Guideline B-10, namely: (i) confidentiality, security and separation of
property; (ii) contingency planning; (iii) location of records; (iv) access and
audit rights; (v) subcontracting; and (vi) monitoring the material outsourcing
arrangements.

Some financial institutions may find it hard to comply with a number of the
obligations imposed under Guideline B-10 in the context of Cloud Computing and,
therefore, advance planning and detailed dialogue with the technology service
provider at the outset would be recommended. For example, Guideline B-10
requires financial institutions to obtain audit and access rights from the
proposed service provider in respect of an outsourcing arrangement which comes
under Guideline B-10. These audit rights are meant to enable the financial
institution both to evaluate the nature of the services provided to it on an
ongoing basis and to surface any concerns about the delivery of service by
the service provider to other customers – in effect, an early warning system. In
addition, the financial institution is also required to obtain audit and access
rights from its service providers in favour of OSFI. Given that Cloud
Computing could involve delivery of services through shared, “multitenant” data
centres, some service providers may hesitate to grant such audit and access
rights in deference to their obligations to their other customers. Guideline
B-10 also requires that the outsourcing agreement should detail the physical
location where the service provider will provide the services. Cloud Computing
services may be provided from a number of different data centres located all over
the world. It may not be possible for the service provider to disclose the
exact location at the outset with any certainty that such location will not change
on an ongoing basis. In addition, a service provider may, for competitive or other
reasons, not want to disclose such location.

Through its memorandum, OSFI has signalled that it is not prepared to back away from
these requirements under Guideline B-10 no matter how attractive and beneficial
Cloud Computing may seem to be to the financial institution. Before engaging
any service provider for the provision of Cloud Computing, financial
institutions should carefully assess their obligations under Guideline B-10 to
ensure that such service providers are able to comply with such obligations.