Cloud Computing: Challenge For Financial Firms?

Posted: March 27, 2013

How does cloud computing fare in the financial industry? What are the concerns?

According to Forbes: Cloud computing is not as disruptive as many organizations feared. Using a cloud provider has come as naturally to most organizations as using webmail.  But for the financial sector, international laws make life—shall we say—challenging. Here’s why.

Behind the scenes, there are heavyweight struggles taking place that center around the “sovereignty” of data. If data are stored across international borders, how can your customers be sure that their sensitive personal information is safe? More importantly—at least from the lawyers’ perspective—who can be sued if it isn’t safe?

For organizations in the financial sector, the picture can be murky.

Safe Harbor And BCR Found Wanting?
The last disruption of financial service delivery on this scale took place in the 1990s, when the Internet became a tool for international business. In order to deal with the European Union’s stringent data protection laws, many U.S. businesses entered into Safe Harbor Agreements.

These gave the legal protection necessary when processing personal data belonging to EU citizens: A prerequisite when providing Web-based services to the European market.

However, these agreements were only available to businesses covered by the Federal Trade Commission or the Department of Transportation. Banks and other financial institutions don’t fall under these jurisdictions, so this mechanism was denied to them. For many years, this hampered the financial sector’s ability to compete internationally.

All that changed when the European Union introduced Binding Corporate Rules (BCRs). These agreements allow financial institutions like Citigroup and JPMorgan Chase to enter into contractual arrangements binding them to the safe processing of EU citizens’ data.

Frustratingly, these instruments were drawn up at a time when computing power was owned and managed by the corporation using it, so neither Safe Harbor nor BCR agreements will stand up to a fully distributed cloud. This leaves American businesses exposed to legal difficulties.

Kristen J. Matthews, head of the privacy and data security group at law firm Proskauer, explains:

“The use of Binding Corporate Rules…may be insufficient because, in cloud computing, personal data will be transferred outside of the [group] bound by the corporate rules. …the very qualities of cloud computing that make it so intriguing and useful as an alternative to standard computing configurations are also the same aspects that raise…concerns."

Given the enormous potential and benefits of…the cloud, it seems that, once again, the law needs to catch up to technology.
Lawyers and legislators are pressing to bring international law in line with the realities of cloud computing. For example, Microsoft’s General Counsel, Brad Smith, has for some time been lobbying the EU to harmonize data retention requirements and further extend the flexibility that allows for international processing of EU data. He’s also been lobbying Congress at home to bring privacy and trade laws into line with today’s technology.

Learn how iNSOL has helped several clients in the financial industry.  Contact us at