FinTech and the cloud
Cloud computing offers many benefits to FinTech companies — such as improved scalability, efficiency and speed to the global market — but it is not without risk. Regulatory and compliance requirements concerning privacy and data protection are complex and continuously evolving. In today's on-demand economy, one data misstep can lead to a company's downfall. Whether starting fresh in the cloud or migrating from a legacy system, FinTech companies must be aware of the risks of cloud computing and have a measured plan for addressing them. We outline some of the key considerations below.
What is cloud computing?
In general terms, cloud computing refers to a range of information technology (IT) services made available through a network or across the internet by outsourcing providers. FinTech companies no longer need to purchase their own IT infrastructure. Cloud computing providers offer global and mobile access to software, web and data servers, storage and facilities. In some cases, they also provide support and other managed services. By outsourcing their IT infrastructure to cloud computing providers, FinTech companies can focus more of their efforts on delivering their core offering.
However, FinTech companies cannot outsource their risk vis-à-vis their customers' data. Therefore, they must be aware of their own privacy and data protection requirements and be comfortable that their cloud computing providers will enable them to meet these requirements.
Risks for FinTech
Most FinTech companies, by the nature of their financial services offerings, collect personal data — pieces of information about a person that taken individually or together enable that person to be identified, such as names, addresses, phone numbers, birth dates, occupations and bank account details. The UK Data Protection Act 1998 (DPA) requires that appropriate technical and organisational measures be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. The UK provisions are based on EU law,[1] and similar protections exist across the globe.
The key risks for FinTech companies relying on cloud computing relate to the (perceived) loss of control of their customers' personal data to the cloud computing provider (or, in some cases, their subcontractors). This loss of control may make potential unauthorised use or disclosure of, or permitting of access to, that data (whether or not intended) more likely. Cloud computing providers may fail to adequately protect data within their control, identify or prevent security breaches or remain in compliance with relevant privacy and data protection laws and regulations. Because the data is not wholly in the control of the FinTech company, it can be more difficult to prevent, respond to and manage these types of failures.
Cloud computing providers should be well aware of the relevant local laws relating to security and data protection and be able to work with FinTech companies to find an appropriate solution. However, cloud computing transcends jurisdictional borders. This can make compliance with various legal and regulatory requirements more complicated. In particular, if its customers' personal data is moved to an unknown jurisdiction, the FinTech company may be unable to assess its compliance.
Contracting with cloud computing providers
Before entering into any cloud computing services contract, FinTech companies should be clear on what their business and legal requirements are and work with their internal stakeholders to form a plan for identifying the key areas of risk for them and their positions on addressing these (whether contractually or otherwise). There is no one-size-fits-all solution and data protection should not be sacrificed for efficiencies and cost savings.
Key contractual provisions for FinTech companies to focus on include:
- data security;
- data export;
- service levels;
- indemnification;
- limitations on liability;
- termination/transition/exit services;
- governance/audits;
- insurance; and
- subcontractors.
FinTech companies' ability to negotiate cloud computing contracts can be limited. This may be the case particularly when dealing with larger providers who may be less willing to negotiate the terms of their services. Ultimately, transparency and collaboration will be essential to ensuring that the FinTech company is able to take advantage of the benefits of cloud computing while fulfilling its privacy and data protection obligations.
FCA guidance on cloud computing
In July 2016, the UK's Financial Conduct Authority (FCA) issued its "Guidance for firms outsourcing to the 'cloud' and other third-party IT services" (the FCA Guidance).[2] The FCA Guidance identifies 13 areas that FinTech companies regulated by the FCA should consider in outsourcing IT services, including how they should discharge their oversight obligations. These areas address the full IT outsourcing lifecycle, from evaluation and selection of a cloud computing provider, to oversight and change management, to exit planning. The FCA Guidance also includes specific recommended actions for regulated FinTech companies to take in relation to these areas to help ensure compliance with their regulatory obligations.
Key recommendations include:
- Identifying all providers in the supply chain to determine whether the regulatory requirements can be complied with throughout the supply chain;
- Agreeing a data residency policy with the cloud computing provider which sets out in which jurisdictions data can be stored, processed and managed;
- Promptly notifying the FCA of any data breaches or other relevant events, such as invocation of business recovery plans;
- Ensuring access to the cloud computing provider's business premises (which does not necessarily include data centres); and
- Forward and contingency planning and testing.
Complying with the FCA Guidance may prove problematic if the cloud computing provider is unwilling to negotiate its standard terms of business.
General outsourcing requirements for regulated FinTech companies are detailed in the FCA's Senior Management Arrangements, Systems and Controls Sourcebook (SYSC) and apply as rules to specific regulated entities, including banks, and as guidance to all other regulated entities. FinTech companies that are regulated by the Prudential Regulation Authority (PRA) must also ensure compliance with all relevant PRA requirements.
While the FCA Guidance is not binding and the SYSC only applies to regulated FinTech companies, they provide a useful framework for all FinTech companies using or considering using cloud computing.
Notes
1. Note that in the European Union, the General Data Protection Regulation (EU) 2016/679 will be applicable from 25 May 2018, replacing the DPA. For further details on the new legislation, please see our Quickguide to the General Data Protection Regulation.
2. The full FCA Guidance is available at https://www.fca.org.uk/publication/finalised-guidance/fg16-5.pdf.