The financial services sector throughout the EU wants an answer to the question: when, and to what extent, can we enter the cloud?
A major hold-up however continues to be a dispute over the correct interpretation to be given to the provisions of the EU Markets in Financial Instruments Directive (MiFID) which require regulators to be given ‘effective access’ to ‘data’ and ‘premises’ in many instances where data processing is outsourced.
Initially, regulators expressed caution and proposed that effective access to premises equates only to physical access to all data centres upon which cloud processing takes place. Recently though, there has been some suggestion that there may be another way forward.
Earlier this year Out-Law.com reported on an ‘understanding’ or ‘agreement’ reportedly reached between cloud provider Microsoft and the Dutch Central Bank. The agreement had been described as “setting a precedent” and suggestions were made that the agreement might benefit not only the Dutch regulator but other regulators as well.
Out-Law.com was interested to know what this meant in practice and what the agreement looks like on paper. We asked a representative of the Dutch Central Bank for a copy of the agreement between it and Microsoft but were told that one could not be provided to us.
A spokesman for the Bank confirmed, though, that there is no ‘template’ clause agreed between the Bank and Microsoft setting out audit rights in favour of the Bank which may be inserted into Microsoft’s contracts with regulated Dutch financial services firms. But he also confirmed that Microsoft has agreed that the Bank can “visit Microsoft at any moment” in order to check the data belonging to financial services companies under the terms of specific contracts. How that agreement is precisely termed was not shared with us, but the spokesman said that it allows Dutch firms to meet their requirements set out in regulations under the Financial Services Act in the Netherlands – the legislation that transposes the MiFID rules into Dutch national law.
According to Microsoft, this development demonstrates that not all clouds are equal. “There is a misconception that cloud solutions create insurmountable challenges to maintaining regulatory compliance; this misconception is prevalent in the financial services sector and other regulated sectors,” according to Dervish Tayyip, EMEA Legal Director for Microsoft.
“We think the opposite can be true, if customers choose their cloud vendor carefully. The cloud can provide all organisations the economic and technical benefits of cloud services while maintaining compliance with regulations”, he said.
While the agreement is a step forward for Microsoft, requiring suppliers to negotiate a right for every regulator in every jurisdiction to access every premises on which every cloud provider processes data does not seem to us to be the most effective way forward. In our view, more discussion and debate is needed over the correct interpretation to be given to the provisions of MiFID and the implementing laws which require ‘effective access’ to premises.
Do on-site audits really give regulators more visibility over the quality of processing activities undertaken by an outsourcing provider? Even if in a perfect world they may, do regulators really have the resources to enable them to effectively inspect cloud resources located outside of their own jurisdiction?
The best way forward may not be at the negotiating table but through a robust legal discussion which backs the idea that effective access to premises may mean digital and not physical access.
We are interested to hear your thoughts.