2. Executive Summary
This review outlines the key legal, regulatory and compliance concerns to be addressed in the course of making business decisions on the subject matter.
As a starting point, it is acknowledged that there is extremely strong business potential in applying cloud computing solutions (also) in the financial industry.
All three areas, namely legal, regulatory and compliance, have their own authorities with a say on the question.
In detail, services (contracts) are to be analyzed from the points of view of (i) general commercial contracting, (ii) regulatory compliance and (iii) data protection compliance.
In exploring and mitigating the various risks, and so driving the project towards legal feasibility, the following findings have been identified as the key ones. On Cloud Computing as such there is no Hungarian (or European) legislation in force (or even in the pipeline). Furthermore, while (only since July 2012) there is basic EU guidance on Cloud Computing, there is no effective guidance or even orientation from the respective Hungarian authorities (the HFSA and the DPA).
In conclusion, we may state that from a legal, regulatory and compliance point of view, banks, taking moderate risks, may (aim to) enter into a Cloud Computing contract, but only subject to several key assumptions and conditions.
3. Top strategic technology
Cloud Computing has been identified as one of the top strategic technologies which is going to re-shape the world in this decade. (Gartner*)
* http://www.gartner.com/it/page.jsp?id=1454221
4. The issue
The technology of Cloud Computing is a forerunner, currently also ahead of legal regulation.
In the EU/EEA, the law is more stringent (restrictive) in the field of personal data protection than in the US.
5. The Pro and the Cons
The Pro
Cloud Computing offers enormous space (in a double sense) that supports companies' overall workflow and management with state-of-the-art, secure and cost-effective hosted services.
The Cons
A decision on the introduction of Cloud Computing solutions must necessarily be backed by answers to several concerns: besides the IT/bank security ones, also from a legal, regulatory and compliance point of view.
legal
EU and Hungarian personal data protection requirements
basic contractual issues
special issues raised by E-Discovery (regarding any litigation in the US)
regulatory
whether cloud computing qualifies as outsourcing and is therefore controlled by the HFSA
compliance
alignment with the bank's internal / Group corporate governance
ensuring control of Cloud Computing services by the Compliance Department as well as by internal and external auditors
6. The issues – Data protection (i)
Asynchrony of technological and legal developments
The technology of Cloud Computing is predominantly provided by US service providers, whose home law is far less restrictive in the field of personal data protection than EU/EEA law. In both jurisdictions there is (so far) a lack of definite legislation on Cloud Computing, which, while it seems not to be a burden in the US, raises concerns in the EU. Thus, besides being a forerunner in technology, Cloud Computing is also well ahead of legal and regulatory developments.
Self-regulatory efforts
The industry itself is fairly proactive in self-regulation. Its organization, the Cloud Security Alliance, admits* that „specialized compliance requirements for highly regulated industries should be considered and must address during requirements identification stage. Some regulatory requirements specify controls that are difficult or impossible to achieve in certain cloud services types.”
* https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf (pp48)
7. The issues – Data protection (ii)
Developing EU regulatory environment
While the EU is currently working on unified European data protection legislation (which will take the form of a regulation, i.e. automatically binding on the member states), the legislation in force is the so-called Data Protection Directive 95/46/EC (the „Data Protection Directive”). This, firstly, does not cover cloud computing and, secondly, being a directive, allows national legislation to deviate.
Despite the lack of legislation in force, the EU actively deals with the issue, albeit still in the regulatory drafting phase. Further to the Commission Decision of 5 February 2010 on the standard contractual clauses for the transfer of personal data to processors established in third countries* (the „EU Model Clauses”), on cloud computing itself the EU has so far issued only an opinion: Article 29 Data Protection Working Party Opinion 05/2012 on Cloud Computing** (the „EU Opinion”) of July 1st 2012 (!). Clearly, the three-month-old opinion has no practice behind it yet. However, since it has been welcomed by the industry, following its „rules” may result in a kind of compliance regarding the protection of customer personal data.
One striking requirement of the EU Opinion is that it refers to and reinforces Article 4 of the Data Protection Directive, stating that the law applicable to such contracts shall be that of the country in which the data controller (in our case the Banks) is established (i.e. Hungary).
* http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2010:039:0005:0018:EN:PDF
** http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp196_en.pdf
8. The issues – Data protection (iii)
Uncertain Hungarian regulatory environment
The European regulatory background highlighted above results in the following:
(i) due to the option of deviating, Hungarian national legislation (in force) is, in theory, stricter than the average European member state's regulations, and
(ii) what is more problematic, the Hungarian Data Protection Authority (DPA) strikingly avoids the subject of cloud computing. No precedent decisions, no guidance, not even participation in the public debate, as if there were no question at all.
Due to this evident retreat, even industry players active in dialogue at the European level do not approach the Hungarian authorities for guidance whatsoever. As we have been advised, unlike with other national data protection authorities, from which it has acquired positive feedback*, Supplier has not approached the Hungarian DPA yet.
Best practice
Irrespective of the non-existence of definite legal requirements, Banks, as market leaders in Hungary, shall take into consideration that „front-runner companies are highly committed to protecting data, particularly customer information.” (PwC 2012 Global State of Information Security Survey)**
* Supplier provided us with confirmatory letters from several national data protection authorities
** http://www.pwc.com/gx/en/information-security-survey (pp13)
9. The issues – Regulatory (i)
Cloud computing is a way of outsourcing
Applying cloud computing services unquestionably qualifies as outsourcing. Accordingly, a Cloud Computing service contract shall comply with the respective requirements of the Hungarian Banking Act.
HFSA (Hungarian Financial Supervisory Authority) Approach
The HFSA, unlike the DPA, has already taken a step, albeit a very minor one, towards guiding and orienting the market in this respect. On July 18, 2012 it issued the 4/2012 HFSA Management Circular* (the „HFSA Circular”). Unfortunately, the HFSA's commitment to regulate, and so to promote the financial industry in this respect, seems to be apparent rather than real, since the paper is simply a translation of the communication of the US Federal Financial Institutions Examination Council (the „FFIEC”) on Outsourced Cloud Computing** (the „FFIEC Statement”).
Instead of better aligning the regulatory landscape with the nature of cloud-based solutions, the FFIEC Statement and the HFSA Circular disappointingly advocate the application of current regulations in their existing form and imply that cloud vendors will have to adapt and align their solutions to the legacy regulatory environment. This basically means that the authorities identify cloud computing as an outsourced activity.
* http://www.pszaf.hu/akadalymentes/data/cms2364896/vezkorlev_4_2012.pdf
** http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_OutsourcingTechnologyServices.pdf
10. The issues – Regulatory (ii)
One of the key questions: can the on-site regulatory audit be replaced?
The Hungarian Banking Act requires that outsourced services be audited on site by the HFSA (and also by the company and its auditors), subject to a respective request or general need. The key question par excellence of outsourcing (which the HFSA does not address) is the on-site audit. Due to the nature of the technology this cannot be ensured. Accordingly, cloud service contracts cannot be in full compliance with the letter of the current legislation in force.
The Statement/Circular call on financial institutions to run due diligence prior to contracting, to ensure that the provider will meet all the requirements. If this due diligence is performed by an independent third party, then, further to their initial audit, they could from time to time be engaged for operational audits as well. The report thereon, subject to the willingness of the HFSA, could replace the on-site audit. However, at present we are not aware of (nor have we been advised by Supplier of) the existence of such third parties whose report could be used as a kind of certification for this purpose.
The HFSA will surely scrutinize the proposed cloud computing contracts as outsourced services, and banks will have to have robust arguments to get the HFSA to buy in. Here we have to note that Supplier has not yet approached the HFSA (just as it has not done so regarding the DPA) to seek any preliminary guidance or opinion whatsoever.
11. The issues – Other legal questions
Basic contractual issues
At the early stage of the projects, prior to the strategic decision (based upon the IT/bank security and legal concerns), the drafts of the multiple contracts provided by Supplier are regularly not analyzed in detail.
However, we shall note that, due to the basic requirement of the EU, all contracts should be governed by the laws of Hungary.
Contracts governed by non-Hungarian laws shall be checked and confirmed by lawyers of the respective jurisdiction(s).
Potential special requirements regarding E-discovery
If the bank is involved in litigation in the US and would like to apply Cloud Computing services to any banking system, this may raise questions regarding so-called E-discovery in US court procedures. Any special obligations of the bank arising from this shall be checked and confirmed by US litigation lawyers.
12. Conclusions
It is our conclusion that Banks, while taking moderate legal and regulatory risks, may (aim to) enter into a „Cloud Contract” subject to the following key assumptions and conditions:
contracts be governed by the laws of Hungary
Supplier to represent and warrant that the service complies with the Hungarian data protection legislation and with the requirements of Section 3.4 of the EU Opinion
each sub-service provider of Supplier shall be contracted under the EU Model Clauses or in Safe Harbor (certified by an independent auditor); Supplier shall ensure that Banks be entitled to instruct sub-service providers directly, should the case arise
Supplier to deliver independent certification, or the Bank and Supplier mutually to approach the HFSA for preliminary guidance/clearance, stating that Supplier/the services comply with the requirements of the Hungarian Banking Act regarding outsourcing (apart from on-site audit)
Supplier to undertake to indemnify the Bank should it suffer any damages due to non-compliance, and the Bank shall be entitled to terminate the entire agreement with immediate effect, should Banks/Supplier fail to obtain clearance from the HFSA and the DPA
The bank is to consider engaging external legal advisers for counseling regarding contracts governed by non-Hungarian law(s) and, subject to developments on the above conditions, for providing the bank with a double check regarding the regulatory compliance of the services
13. Dr. Igor Máté
Head of Business Legal Services
MKB Bank
https://www.linkedin.com/in/igormate