Cloud Audit Toolkit for Financial Regulators

  1. 62 pages
  2. English

About this book

This cloud audit toolkit is designed to support the work of financial regulators in developing member countries of the Asian Development Bank. It aims to assist and accelerate the uptake of cloud computing technologies and digital tools to improve the efficiency and efficacy of financial regulators' work processes. Drawing on existing practices observed by leading regulators from across the globe, the toolkit provides a comprehensive framework for improving supervisory work processes. It also includes a checklist to help regulators conduct an initial review of their existing oversight mechanisms.


1 Introduction

Financial regulators are increasingly recognizing the power of new technologies such as cloud computing to create new opportunities for improving and accelerating innovation in banking systems.
In the Philippines, for example, Bangko Sentral ng Pilipinas (BSP), the central bank, supported a partnership between the Asian Development Bank (ADB) and Cantilan Bank Inc to pilot a study on cloud-based core banking technology. It placed the project in a “regulatory sandbox” while it processed and updated related regulations. And in January 2019, Cantilan Bank became the first BSP-regulated bank in the Philippines to fully rely on a cloud-based “software as a service” system as their core banking system.
The shift to cloud computing technologies has increased Cantilan Bank’s flexibility and given it a more accurate banking system. It has raised operational efficiency and enabled the bank to respond faster than other financial institutions to customer needs, particularly as the coronavirus disease has caused economic lockdowns across the country.
As a result of the pilot, financial institutions’ trust in cloud technology has increased and the regulator has strengthened innovation-enabling regulations and adopted an effective supervisory approach that fosters innovations such as cloud computing services for core and non-core banking systems and activities. Indeed, the BSP has since approved over 40 other financial institutions to migrate their core banking to the cloud.

Challenges in Regulating for Cloud Computing

Yet some regulators may still have questions about how to transition from a pre-cloud to a cloud-first regulatory framework. Questions around data governance frameworks to be put in place, managing security standards, conducting audits and inspections, assessing risk management approaches, business continuity and incident responses, and so on, often arise when regulating financial institutions that are looking to move to the cloud.
This paper addresses the questions regulators may have, particularly common issues surrounding mechanisms for oversight, monitoring, and control of cloud technology in the financial sector.

Introducing the Cloud Audit Toolkit for Financial Regulators

The Cloud Audit Toolkit for Financial Regulators is a two-part paper which aims to assist and accelerate the uptake of cloud computing technologies and digital tools to improve the efficiency and efficacy of financial regulators’ work processes. It addresses the question: “What do regulators need to know when regulating and/or supervising the adoption of cloud computing services in the financial services sector?”
Using existing practices observed by leading regulators globally, such as the BSP, and the Monetary Authority of Singapore’s (MAS) Guidelines on Technology Risk Practices,1 this regulatory toolkit comprises two components:
(i) Regulatory toolkit paper (this paper): Develops a framework for financial regulators to oversee technology and outsourcing risks in using and deploying technology tools such as cloud computing.
(ii) Regulator’s checklist (in Appendix): Assists the regulator in its initial review of current oversight mechanisms.
Cloud Audit Toolkit for Financial Regulators Workshop. Workshop participants from the Bangko Sentral ng Pilipinas Technology Risk and Innovation Supervision Department led by Director Melchor T. Plabasan.

Pilot of the Cloud Audit Toolkit for Financial Regulators Training Program

This toolkit was piloted as a half-day capacity-building training program organized with the BSP on 24 May 2021 for about 50 staff. Due to coronavirus disease travel restrictions, in lieu of an in-person workshop, this was held as a virtual training session.

2 Service Provider Oversight

Use of cloud computing in financial services has been growing and financial regulators have been regularly updating regulations and guidelines to allow better oversight and risk management of the technologies their regulated entities are using.

Cloud Computing Regulated as Risk-Based, Outsourcing Arrangement

Regulation of cloud computing has evolved differently in each financial market, but financial regulators have generally considered cloud computing a risk-based outsourcing arrangement, ensuring that regulated entities are identifying the relevant risks and managing them effectively. This technology-neutral approach is preferred over making new regulations specific to cloud computing technologies, which may become outdated as technology and its applications develop. Examples of this arrangement include the following:
• Australian Prudential Regulation Authority regulates the cloud under the Prudential Standard CPS 231 Outsourcing (Jul 2017)2 and the Prudential Practice Guide PPG 231 Outsourcing (Oct 2006).3
• MAS addresses cloud computing within its updated 2018 Guidelines on Outsourcing,4 supported by additional Technology Risk Management Guidelines.5
• The Hong Kong Monetary Authority regulates cloud computing technology under SA-2 Outsourcing (Dec 2001)6 —major supervisory concerns, and IC-1 Risk Management Framework (Oct 2017).7
• BSP regulates cloud computing technology guided by BSP Circular No. 808 on Information Technology Risk Management,8 and BSP Circular No. 899 on Outsourcing.9
This regulatory toolkit therefore recommends the checklist items listed under “Cloud Computing Regulated as Risk-Based, Outsourcing Arrangement” in the Appendix (1.1.1 to 1.1.3).

Technology Oversight, Monitoring, and Control

The management and control of outsourcing arrangements of a financial institution or regulated entity are based on the nature and extent of risks in the outsourcing arrangements. The regulated entity itself is best placed to determine the specific monitoring and control measures to be instituted for oversight of outsourcing agreements. Financial regulators should allow regulated entities the flexibility to customize their outsourcing arrangement through a risk-based approach, possibly augmented with suggestions for baseline standards or guidelines which advise how regulated entities can exercise their oversight responsibilities.

How is Oversight Different in the Cloud?

Though the basic rationale behind oversight in the cloud is the same as in other forms of outsourcing, the cloud presents unique challenges and advantages. Importantly, regulators should bear in mind that some cases may need regulated entities to maintain more mechanisms for oversight, monitoring, and control when using the cloud. The increasing sophistication of cloud technology has revealed that traditional oversight mechanisms which do not incorporate information technology (IT) expertise may insufficiently address these risks.10 It has also demanded that regulated entities and the financial regulator have strong technical knowledge to understand and address the risks arising from technology usage.
One benefit of cloud technology is that the standards for oversight are well established and kept up to date, and moving financial services into the cloud can in fact facilitate and improve oversight functions. For example, major cloud providers are certified in international standards such as the ISO/IEC 27000 series and conduct regular third-party audits, which automatically raises a regulated entity’s oversight and standard of outsourcing arrangements.

Regtech and Suptech

Among the new technologies and cloud computing useful in financial services are data analytics and artificial intelligence to assist regulators with supervisory and regulatory monitoring mechanisms, i.e., “regtech” and “suptech.” Efforts could range from ensuring the entire process of regulatory review and supervision is available in digital formats (moving from analog reporting to digital), to developing sophisticated methods for real-time monitoring of regulated entities. For example:
• Alessa is a Canadian regtech solution which offers real-time due diligence, transaction monitoring, sanctions screening, and other regulatory reporting capabilities to comply with anti-money laundering and counter terrorist funding regulations.11
• 360factors is a United States (US) regtech solution which designs bespoke cloud-based regulatory and risk reporting mechanisms for the financial sector.12
• 6Clicks is a British regtech solution which offers their clients a dashboard-style automated assessment and compliance management platform.13
• 8of9 is a US regtech solution which captures financial regulations and legislation in real-time and provides timely alerts to clients.14
The Singapore Fintech Association has published a list of the various types of regtech which have been developed, and the companies which have solutions (Figure 1).
A final note on regtech and suptech—in some instances, it has been useful for the public sector to work with the private sector to develop these solutions together, to ensure that regulatory reporting is fully compliant and interoperable with a country’s financial regulatory submissions. Austrian Reporting Services, for example, Europe’s largest regulatory reporting utility and reporting hub,15 was established through partnership between the Austrian National Bank (the central bank) and the country’s banks. The regtech speeds up regulatory reporting, including standard template reporting, and ad hoc requests from regulators.

Recordkeeping

As a starting point for ensuring effective oversight and monitoring, financial institutions should keep adequate records on outsourcing arrangements, particularly those critical or material. Definitions of what constitutes material or critical may differ slightly from regulator to regulator, but the concept generally encompasses agreements that if not performed or that otherwise suffer a service failure or data breach, would have a material or severe impact on the regulated entity’s core operations (see page...

Table of contents

  1. Front Cover
  2. Title Page
  3. Copyright Page
  4. Contents
  5. Table and Figures
  6. About This Toolkit
  7. Acknowledgments
  8. Abbreviations
  9. 1 Introduction
  10. 2 Service Provider Oversight
  11. 3 Physical and Logical Audit and Inspection Rights
  12. 4 Security and Cybersecurity Requirements
  13. 5 Data Protection and Privacy
  14. 6 Data Governance, Retention, and Exit Strategy
  15. 7 Business Continuity and Disaster Recovery Planning
  16. 8 Incident Response Requirements and Processes
  17. 9 Standards, Certifications, and Global Best Practices
  18. Appendix: Cloud Audit Toolkit for Financial Regulators—Checklist
  19. References
  20. Footnotes
  21. Back Cover