On 26 March 2019, the Swiss Bankers Association (SBA) published guidelines for the use of cloud services in the banking sector (the Guidelines). The Guidelines aim to define the conditions under which banks can migrate from in-house, legacy IT systems to a cloud environment. In order to achieve this aim, the SBA provides its interpretation of certain relevant laws and regulations, in particular Art. 47 of the Banking Act (BA), FINMA Circular 2018/03 on outsourcing, FINMA Circular 2008/21 on operational risks and data protection laws.
Swiss banks may for various reasons (including because they may be part of an international group that uses the services of a global cloud provider) consider using the services offered by a foreign-based cloud provider. In the Guidelines, the SBA takes a relatively liberal position on the sensitive issue of the transmission of large quantities of client identifying data (CID) to service providers outside Switzerland. According to the Guidelines, a Swiss bank may transfer CID to a foreign-based cloud provider without requiring a waiver of banking secrecy from its clients, provided that appropriate technical and organizational measures have been taken. There are indeed no significant issues pertaining to Swiss bank secrecy in the situation where the data that are transmitted abroad are anonymized, pseudonymized or encrypted and the service provider and its subcontractors do not have unilateral access to the assignment rule (in case of pseudonymization) or the encryption key.
However, the SBA goes one step further and indicates that in its view, it should be permissible to allow the cloud provider and/or its subcontractors to process the CID in cleartext, i.e. neither encrypted nor anonymized/pseudonymized, provided that such processing is necessary for the secure and reliable operation of the cloud and is subject to strict conditions (e.g. in terms of frequency and duration of the processing, reasons for the processing, etc.). The position of the SBA is based on the view that the cloud provider and its subcontractors must be considered as agents (mandataires; Beauftragten) within the meaning of Art. 47 para 1 BA and are therefore bound by banking secrecy.
If the foreign-based cloud provider or its subcontractors can unilaterally access the CID in cleartext, the bank must take into account the risk that a foreign authority may issue a request for the transmission and delivery of the CID. In such case, the foreign-based service provider or subcontractor may not be able to invoke Swiss banking secrecy to oppose the authority's request.
In this respect, the Guidelines mention that it is the bank's responsibility to provide contractually, in the agreement with the cloud provider, for the procedure to be followed in the event of a request from an authority relating to the handover or transfer of protected information. Within the limits of applicable law, the cloud provider must undertake to inform the bank and to comply with the authority's request only (i) if it has obtained the prior consent of the bank, (ii) on the basis of a judgment of a competent Swiss court, or (iii) on the basis of a decision of a competent Swiss authority (which may in particular follow a request from the bank based on Art. 271 of the Swiss Criminal Code).
It is, however, conceivable that the foreign authority will not allow the cloud provider or its subcontractor to inform the bank in advance, or will not accept that the transmission of the requested data be delayed by proceedings before a Swiss court or Swiss authority. If such a case leads to the disclosure of CID to a foreign authority, the question arises whether the bank (or its employees) risk being held criminally liable for a violation of Art. 47 BA. The Guidelines do not give an affirmative answer to this question. They do, however, indicate that it is open to question whether the bank (or its employees) can be held criminally liable at all if all appropriate technical, organizational and contractual measures have been taken.
With regard to the obligation of the bank to inform its clients under the applicable data protection laws, the SBA is of the opinion that informing the clients through the bank's general privacy statement would be sufficient. Other applicable data protection provisions must obviously be respected, in particular in the case of the transfer of personal data to countries that do not guarantee an adequate level of data protection.
Finally, banks that wish to use cloud services will have to ensure strict compliance with the requirements of FINMA Circular 2018/03 (Outsourcing - Banks and insurers) and Annex 3 of FINMA Circular 2008/21 (Treatment of CID), provided of course that these circulars are applicable (which will be the case in particular if a large quantity of CID is transferred to the cloud provider). Without going into detail, it may be mentioned that the choice of the cloud provider can only be made on the basis of a detailed due diligence, relating in particular to the security measures put in place by the cloud provider, the identity and quality of the subcontractors, the location of the servers, etc. In addition, many issues need to be addressed in the agreement between the bank and the cloud provider, for example: the obligation to preserve data confidentiality and to put in place adequate security measures; changes of subcontractors subject to the bank's prior agreement; a description of the location of the servers and the bank's prior agreement in the event of a change of location; the procedure in the event of a request from an authority; the right of access by the bank, its internal and external auditors and FINMA; the bank's right of information; the modalities of the audits to be performed by the bank; the measures to limit potential lock-in effects; and the procedure for handing over the data in the event of termination of the contract.
In our view, the SBA's initiative to reduce legal uncertainties regarding the use of cloud services is to be welcomed. Cloud computing indeed offers interesting opportunities to banks and can enable them to significantly reduce their IT costs, to further automate compliance and risk processes, and to offer new products and/or services to their clients. The Guidelines also help to reduce some regulatory risks for banks wishing to align their practice with other banks on the international scene, where regulatory initiatives have already been undertaken to regulate the use of cloud services (including in particular the European Banking Authority's recommendations on cloud outsourcing, which have been applicable since 1 July 2018). However, the decision to use cloud services requires the bank to conduct a thorough risk analysis, particularly with regard to the possible transmission of CID abroad, for which, in our view, some legal uncertainties remain.