
OSFI Guideline B-10 and Cloud Computing: An Update from OSFI - Reading their Message Between the Lines

Author(s): Stephen D.A. Clark, Kashif Zaman

Mar 2, 2012

It would not be an exaggeration to say that a number of technology companies (and their customers) see Cloud Computing as an important development on the question of how to store ever increasing amounts of data at a reasonable price and at the same time permit the accessing of that data in an efficient manner. Not only will Cloud Computing affect consumers (witness the number of consumers who already use Apple’s recently introduced iCloud to store and access their music, videos and pictures) but Cloud Computing is also very attractive to large financial institutions which have significant storage and access issues associated with running such large businesses and therefore routinely outsource these technology services to third parties.

Perhaps in recognition of the growing importance of Cloud Computing and other similar technologies, the Office of the Superintendent of Financial Institutions (OSFI) released a memorandum on February 29, 2012, reminding the financial institutions it regulates that, notwithstanding the benefits that technology-based services such as Cloud Computing can bring, they should consider the risks associated with the unique features of such services and keep in mind their obligations under OSFI’s Guideline B-10 (Outsourcing of Business Activities, Functions and Processes) (Guideline B-10). For OSFI to issue such a memorandum/guidance is unusual and indicates not only the importance of this area to financial institutions but also OSFI’s concern as to the risks financial institutions should consider in relation to Cloud Computing and the applicability of Guideline B-10.

Cloud Computing refers to computing in which infrastructure services traditionally accessed using software deployed on a customer’s premises are instead accessed through the Internet. Common characteristics of Cloud Computing include: delivery of services through shared, “multitenant” data centres; pay-as-you-need pricing (similar to a utility); and rapid elasticity through which additional processing power and storage can be added quickly.

Some of the well-recognized benefits of Cloud Computing are: reducing capital expenditures and operational overhead; greater business flexibility (through access to hardware, software and storage capacity that can grow or contract with an organization’s needs); easier access to new technologies; and cost savings. All of these are very attractive to financial institutions.

In issuing Guideline B-10 in the first place back in 2001, OSFI recognized that financial institutions outsource business activities, functions and processes to meet the challenges of technological innovation, increased specialization, cost control, and heightened competition. However, OSFI also cautioned that outsourcing can increase a financial institution’s dependence on third parties, which may increase its risk profile. In this most recent memorandum, OSFI has indicated that financial institutions should, in relation to Cloud Computing, consider their ability to meet the expectations contained in Guideline B-10 in respect of a material outsourcing arrangement to which Guideline B-10 applies, with a particular emphasis on certain concerns it has in relation to Cloud Computing and Guideline B-10, namely: (i) confidentiality, security and separation of property; (ii) contingency planning; (iii) location of records; (iv) access and audit rights; (v) subcontracting; and (vi) monitoring the material outsourcing arrangements.

Some financial institutions may find it hard to comply with a number of the obligations imposed under Guideline B-10 in the context of Cloud Computing and, therefore, advance planning and detailed dialogue with the technology service provider at the outset would be recommended. For example, Guideline B-10 requires financial institutions to obtain audit and access rights from the proposed service provider in respect of an outsourcing arrangement which comes under Guideline B-10. These audit rights are meant to enable the financial institution both to evaluate the nature of the services provided to it on an ongoing basis and to surface any concerns about the delivery of service by the service provider to other customers – in effect, an early warning system. In addition, the financial institution is also required to obtain audit and access rights from its service providers in favour of OSFI. Given that Cloud Computing could involve delivery of services through shared, “multitenant” data centres, some service providers may hesitate to grant such audit and access rights in deference to their obligations to their other customers. Guideline B-10 also requires that the outsourcing agreement should detail the physical location where the service provider will provide the services. Cloud Computing services may be provided from a number of different data centres located all over the world. It may not be possible for the service provider to disclose the exact location at the outset with a certainty that such location will not change on an ongoing basis. Moreover, a service provider may, for competitive or other reasons, not want to disclose such location.

Through its memorandum, OSFI has signalled that it is not prepared to back away from these requirements under Guideline B-10 no matter how attractive and beneficial Cloud Computing may seem to be to the financial institution. Before engaging any service provider for the provision of Cloud Computing, financial institutions should carefully assess their obligations under Guideline B-10 to ensure that such service providers are able to comply with such obligations.