Does it matter which country controls the banking cloud infrastructure? Chris Skinner thinks not.

I remember some years ago that French president Nicolas Sarkozy wanted to bring in a law that would force call centre operators to tell French citizens where they were located, due to the backlash over offshoring. I wonder what he would make of today’s world, in which most European banks have given all their data to the Americans?

This question cropped up when I stumbled across a survey of some of the largest European banks and their cloud usage by Bloomberg in March 2020. The survey found that two-thirds of these banks are actively using cloud services, and that these services are all controlled by large US providers. Microsoft is in first place, followed closely by Amazon, Google, IBM, Salesforce and NetApp.

The issue is that these are US operators and not European. Under Donald Trump’s Cloud Act of 2018, US companies providing cloud computing can be ordered to provide US authorities with the information held on their servers, no matter where that data is physically located.


European concerns

But then, this isn’t going to change, is it?

Well, some think it might. German and French government officials are in talks with leaders in telecommunications, technology and finance to create a competitive continental cloud service run by local companies. Great idea, but seriously flawed.

This is a bit like the earlier idea of creating a European card scheme to rival Visa and Mastercard. In both cases, it is great in theory but flawed in practice. For example, putting it in perspective, Microsoft spends more than $1bn a year just on its global cloud network security. Therefore, creating a major European cloud provider for banking is going to be a challenge when most European banks are struggling with declining revenue and profit.

The final word is summarised quite well in the Prudential Regulation Authority’s (PRA's) consultation paper on outsourcing and cloud usage, published in December 2019 and closing for comments in April 2020.

The paper summarises the implications of the European Banking Authority’s (EBA's) ‘Guidelines on Outsourcing Arrangements’ and draft European Insurance and Occupational Pensions Authority’s ‘Guidelines on Outsourcing to Cloud Service Providers’. This makes clear that the concerns are not so much based around the fact that the cloud providers are from the US, but more with the concentration risk of data and the possibility of a systemic failure.

This is clearly illustrated in paragraph 2.51 of the report: "The EBA outsourcing guidelines likewise note that ‘competent authorities need to identify the concentrations of outsourcing arrangements at service providers’ and note that ‘if service providers, for example in the area of IT or fintech, fail or are no longer able to provide their services, including in the case of severe business disruption caused by external events, this may cause systemic risks to the financial market’."

This is followed up in section 10 with a specific item related to business continuity: "In material cloud outsourcing arrangements, the PRA expects firms to assess the resilience requirements of the service and data that is being outsourced and, with a risk-based approach, decide on one or more available cloud resiliency option."

That should cover the systemically important aspects of using cloud providers. From a data perspective, there is then a specific definition around data security in what is termed the 'shared responsibility model'.

The shared responsibility model states that:

• the (financial services) firm is responsible for what is in the cloud and the cloud service provider is responsible for the provision of the cloud;

• firms remain responsible for correctly identifying and classifying data in line with their legal and regulatory obligations; and for determining which jurisdictions certain data can be stored in or routed through (data location). They also remain responsible for configuration and monitoring of their data in the cloud to reduce security and compliance incidents;

• cloud service providers assume responsibility for the infrastructure running the outsourced service, for example data centres, hardware, software, and so on; and

• firms and service providers share other responsibilities depending on the service model, for example, infrastructure-as-a-service, platform-as-a-service, software-as-a-service, and so on.


A pragmatic approach

In summary, I don’t think it matters much where the company is headquartered so much as how it is managed and structured. As long as the data is secured and resilience is covered, then being in the US, China or Timbuktu shouldn’t really matter. But, of course, it does.

All in all, I don’t expect things to change much in the structure of cloud. It is here to stay, and the fact that most banks have bet the farm on the likes of IBM and Microsoft in the past means they’re not going to change this much in the future.

Chris Skinner is an independent financial commentator and chairman of the London-based Financial Services Club.


All fields are mandatory

The Banker is a service from the Financial Times. The Financial Times Ltd takes your privacy seriously.

Choose how you want us to contact you.

Invites and Offers from The Banker

Receive exclusive personalised event invitations, carefully curated offers and promotions from The Banker

For more information about how we use your data, please refer to our privacy and cookie policies.

Terms and conditions

Top 1000 2023

Request a demonstration to The Banker Database

Join our community

The Banker on Twitter