On 26 March 2019, the Swiss Bankers Association (SBA) published its guidelines for the secure use of cloud services in banking. The SBA asserts that cloud banking provides numerous advantages to its users, such as a high innovation potential due to the use of artificial intelligence, but also an opportunity to save costs, which benefits smaller banks in particular. However, legal and regulatory uncertainties have so far prevented Swiss banks from unlocking this potential.
The SBA has identified four critical fields for the implementation of cloud banking and, in the guidelines, sets out its recommendations on how to manage each of them. These recommendations are not legally binding, but banks shall apply them as “best practice”, taking into account their size and the complexity of their business model.
- Governance: When choosing a cloud provider, a bank shall particularly take into consideration whether the provider is able to fulfil its contractual obligations, whether it is financially stable and whether it is based in an adequate home jurisdiction. In addition, the bank shall clarify whether the provider is willing and able to fulfil its duties under Swiss financial market laws and data protection laws. The cloud provider shall inform the bank in advance if it intends to replace any of its significant subcontractors. Lastly, the bank shall ensure that the services outsourced to the cloud provider could be continued without this specific provider.
- Data and data security: The guidelines define technical, contractual and organizational measures for the protection of client data subject to Swiss banking secrecy provisions. Recommended measures include: anonymization, pseudonymization and encryption of data; appropriate supervision of cloud providers and their significant subcontractors; and a binding declaration by the cloud provider that it will protect the confidentiality of client identifying data. In addition, the guidelines set out several further recommendations, for example regarding the creation of an access concept or the measures to secure the availability and return of information.
- Authorities and proceedings: The cloud provider and the bank shall develop a coordinated response process to handle inquiries from authorities on the release or delivery of protected information. The guidelines recommend that cloud providers enter into certain contractual obligations, for example to inform the bank in a timely manner if a foreign authority requests the delivery of protected data. Generally, the delivery of protected information to a foreign authority shall only occur upon approval by the bank or based on the judgement of a Swiss court or, alternatively, with the permission of a Swiss authority.
- Audit of the cloud services and means used: The cloud provider’s compliance with the relevant legal, regulatory and contractual requirements shall be audited on a regular basis. The bank itself, its internal and external auditors, or the Swiss Financial Market Authority shall be authorized to initiate and conduct the audits.
Going forward, the SBA’s cloud guidelines will be updated and amended in line with technical and legal developments. PwC will keep track of this development process and can facilitate the implementation of cloud banking at your firm.