The online magazine of the Swiss Bankers Association
2019/04/04 01:40:00 GMT+2


A guide to secure cloud banking

On 26 March 2019 the Swiss Bankers Association (SBA) published a set of guidelines on cloud banking. They contain legal and regulatory recommendations designed to increase legal certainty and help Swiss banks make more extensive use of cloud services.

Migrating infrastructure and processes to a cloud can drastically reduce the time it takes for banks to bring innovative products and services to the market and thus significantly increase their competitiveness.

Democratising technology access

Cloud services offer numerous benefits, especially for smaller banks who are finding it increasingly difficult to meet the growing demands placed on IT operations (IT security, keeping up to date with patches, managing the IT infrastructure lifecycle, improving the user experience and expanding the product range). Using the cloud reduces the need to build up or buy in skills and resources for in-house IT infrastructure. It also makes certain technologies that were previously restricted to large banks and companies accessible to smaller banks as well.

The cloud enables banks to exploit new technologies such as artificial intelligence without making substantial investments in their own hardware and software. Access to a large pool of data and the corresponding computing power allows large data volumes to be analysed in real time, enabling banks to offer innovative, tailor-made advisory services to individual clients or automate complex compliance and risk processes.

Owing to their specific needs, until now banks have not been able to make full use of these services for client data.

Cloud guidelines address uncertainties in four areas

Under the aegis of the SBA, a working group has drawn up a set of legal and regulatory Guidelines for the use of cloud services by banks and securities dealers. Leading national and international cloud providers and audit firms were also involved. The guidelines address uncertainties in four areas that the banks identified as particularly relevant.

  • Governance: Banks need to know who they are working with at all times. A cloud provider uses many subcontractors to deliver certain services, such as maintenance. If the bank does not agree to the use of a subcontractor or no longer wishes to work with the cloud provider, it should be able to remove its data from the cloud at any time. Therefore, the aim of the recommendations contained in the guidelines is for the bank always to have the information it needs to make a risk-based assessment of a cloud provider, taking account of the most important subcontractors.


  • Data processing: Data are not just stored in the cloud (as with Dropbox): they are also processed and analysed in various applications, for example to identify broader interconnections as part of complex risk and compliance processes. Data protection is always a top priority. The aim of the recommendations in the guidelines is to ensure that data are protected at all times in the cloud by means of various technical, organisational and contractual measures.


  • Requests from foreign authorities: Since automatic exchange of information (AEOI) came into force at the start of 2017, the exchange of data with foreign authorities has been clearly regulated. Independently of AEOI, certain foreign authorities can demand the handover of data that are stored and processed in a cloud without submitting an official request to the Swiss authorities. The guidelines therefore contain recommendations for a coordinated procedure agreed by banks and cloud providers regarding the handover of protected information to foreign authorities.


  • Auditing: Cloud providers’ processes, structures and services must be reviewed regularly to ensure they comply with legal, regulatory and contractual requirements. This is most often done by external audit firms. The aim of the recommendations in the guidelines is to ensure that the cloud services and cloud infrastructure are correctly audited.


The cloud is taking shape, but the journey has only just begun

First and foremost, the guidelines help to enhance legal certainty. The SBA’s recommendations in the four areas are intended to offer banks a solid foundation on which to ensure compliance in cloud banking. But it is up to the banks themselves to put them into practice. Each institution must decide for itself how far it wants to go in employing cloud solutions.

The increasing use of cloud services will further increase the diversity of Switzerland’s banking sector, and so reinforce the country’s financial centre and financial ecosystem in the years ahead. Banks will benefit, but so too will their clients. The banks’ journey into the cloud is just beginning.