This post has been republished via RSS; it originally appeared at: Financial Services Blog articles.
In November 2012, Microsoft became the first cloud service provider to include explicit regulator examination rights in our contracts for financial services customers. Since then, we’ve continued our journey by working closely with customers and financial services regulators to deliver features to help financial services cloud customers meet their regulatory requirements. As a result, more than 30 Global Systemically Important Financial Institutions (GSIFIs) are on or committed to the Microsoft Cloud, and we have financial services cloud customers in more than 30 countries, including leading capital markets in Australia, Canada, France, Germany, Hong Kong, Japan, Singapore, the United Kingdom, and the United States.
As developments continue, we welcome the Final Report on Recommendations on Outsourcing to Cloud Service Providers (“Recommendations”) by the European Banking Authority (EBA). The EBA issued the Recommendations after a consulting period where it received feedback from Microsoft and other We believe this industry dialogue is a healthy way for customers, cloud service providers, financial institutions, and regulators to work together to find common ground and strive towards increasing innovation without compromising on risk assurance.
Microsoft welcomes the EBA’s recommendations because they accomplish two key things we believe are important for the industry because they:
- provide the necessary clarity for institutions should they wish to adopt and reap the benefits of cloud computing while ensuring that risks are appropriately identified and managed; and
- foster supervisory convergence regarding the expectations and processes applicable in relation to the cloud
Microsoft’s approach to regulatory compliance for financial services customers in our cloud directly aligns with the EBA’s underlying Recommendations, which should help financial services customers in the EU feel confident when moving to the Microsoft Cloud. Additionally, the Recommendations apply a very pragmatic approach, as they were designed to be “technology-neutral and future-proof as well as principled based.” This enables innovation to continue so regulators, customers and cloud vendors can be adaptive to these principles without needlessly adhering to prescriptive rules that force customers to locking-in on technologies that can become outdated as quickly as regulations are issued.
While the Recommendations keep certain requirements, such as audits, they also allow financial services institutions flexibility in how to approach them. For example, while audits are still required, financial institutions can leverage third-party audits, conduct group audits (with a consortium of banks), and apply a proportionate approach based on how they are using the cloud to support important banking related activities. Microsoft’s commercial commitments are fully in line with these audit requirements, by ensuring that customers may conduct audits as necessary through its industry leading Financial Services Compliance Program. This is not just a commitment on paper, as Microsoft has enabled financial institutions to conduct multiple audits of our services. We have the depth and experience to facilitate audits in those circumstances when warranted.
At the same time, we are finding innovative ways to scale information and enable ongoing supervision of our cloud services for our customers through digital transformation and automation, rather than analogue approaches that, at best, are suitable for old-school customer outsourcing environments. Tools and dashboards like Azure Security Center, Office 365 Service Health Dashboard, and Secure Score help customers manage and supervise our services, and other tools like the Service Trust Portal and Compliance Manager allow them to access underlying audit evidence and our control frameworks. We’ve also built these tools and provided access to a wealth of evidence based on direct feedback from regulators around providing transparency related to meeting risk assurance requirements.
Finally, we welcome the EBA’s recognition that in a global economy, restrictive measures precluding data transfer out of any one country do not benefit the industry or the customers it serves. As with other regulators, like the Monetary Authority of Singapore, the Hong Kong Monetary Authority, the UK FCA, and the FFIEC, the trend is clear: data residency requirements do not accomplish objectives of enhanced security, data resiliency, or privacy. Rather, what matters are the controls in place to protect data, including legal protections where data is stored. Applying more objective measures, enables financial institutions to be free to put data where it suits their business needs, so long as they are satisfied the cloud vendor has appropriate mechanisms to protect such data where it is located and that regulator’s rights to access data can be satisfied.
Microsoft remains committed to working with the financial services industry to meet our customers’ needs, to collaborate with regulators and foster further areas of improvement, and to maintain its leadership in regulatory compliance. The EBA’s Recommendations are clearly the right step to help our financial customers foster innovation while adhering to key principles of risk assurance.
Download this free whitepaper 'European Banking Authority Guidance Addresses Cloud Computing for the First Time' and learn more!
-Dave Dadoun (Assistant General Counsel, Microsoft)