We are a Swiss law firm, dedicated to providing legal solutions to business, tax and regulatory matters.
Life Sciences, Pharma, Biotech
Litigation and Arbitration
Our knowledge, expertise & publications
9 September 2021
Can a Swiss bank put its client identifying data (CID) in the cloud, even if access to it from outside Switzerland is not ruled out? While this was unthinkable a few years ago, the answer today is a resounding yes. Many Swiss banks do want to move into the cloud. We are currently involved in more than half a dozen such projects, some of them with well-known institutions, and the question is not "if", but "how".
It often begins with the replacement of Skype for Business as an "on-premise" solution with Teams. This is followed by M365 with the various Office applications, Exchange Online, Sharepoint Online and OneDrive for Business and, in a third step, bank-owned applications on Azure. These are all applications from Microsoft, which we perceive as currently dominating the market for such products among professions subject to professional secrecy; their early decision for data centres in Switzerland has undoubtedly paid off.
We see few applications from Swiss banks with CID based on AWS, which is currently also building a data centre in Switzerland, and we encounter solutions based on other foreign cloud providers even more rarely in this environment (we do not address purely Swiss solutions such as those from Swisscom here). AWS is likely to gain ground when banks will start moving bank-specific applications to the cloud and not "just" run their mail server or file shares online. Swiss insurance companies are somewhat ahead of Swiss banks, as they are often not subject to professional secrecy like banks and could therefore migrate to the cloud more quickly. The use of M365 is already more widespread in this industry sector.
The path to the cloud was paved for the banks in 2019. That spring, the Swiss Bankers Association published its Cloud Guidelines, which, based on two legal opinions, came to the conclusion that, with appropriate risk assessments and security measures, the use of the cloud is possible - even with the involvement of foreign service providers. This "marketing" initiative made the cloud acceptable in the Swiss banking world.
The question remained unanswered as to which security measures would suffice so that offers such as those from Microsoft could also be used if access from abroad to CID, in plain text, could not be completely ruled out. If such access were to be gained by a foreign authority, this would generally constitute a breach of banking secrecy due to customers not having waived their right to banking secrecy. The solution came in autumn 2019 with a method developed by the author of this article for a major Swiss bank to statistically calculate the probability of access by foreign authorities, taking into account the specific technical and organisational security measures taken.
The method made it possible for the first time to objectify the risk, which was previously incomprehensible to many and only assessed subjectively. It was refined in various projects over nearly a year and finally published in August 2020 in Excel format as "open source". Since then, it has been regularly used by banks, insurance companies and other professions subject to professional secrecy as well as their advisors and lawyers to assess and document the lawful access risk in cloud projects. Since September 2021, the International Association of Privacy Professionals (IAPP), the largest global information privacy community and resource, is offering it as one of its tools.
If a bank (or another regulated financial institution) wants to use a cloud-based solution, a whole series of requirements must still be met. On the one hand, they result from data protection and banking secrecy (or other professional secrecy), but also from regulatory requirements such as the FINMA Outsourcing Circular. For those who are not well acquainted with such projects, the situation becomes confusing. We have therefore compiled these requirements in the form of a freely available Checklist for cloud solutions for Swiss banks. Like this blog post, it is available in German and in English.
In practice, we have noticed in projects that some of the FINMA and other requirements are not being applied correctly by cloud providers, financial institutions and their advisors. Also, some Swiss audit firms repeatedly do not check compliance in enough detail or do not comply with the requirements. This is critical insofar as FINMA relies on audits by audit firms in the area of bank outsourcing. In the insurance sector, FINMA itself validates whether the conditions are met. In a recent case, it even revoked an already granted authorisation when it became aware of a significant "defect" in the contractual arrangements of a well-known cloud provider. Even though the defect has been remedied in the meantime, it is likely to still exist in a number of contracts. To our knowledge, no one else had identified it before.
In our experience, three of the five most common stumbling blocks in cloud projects relate to the requirements of FINMA, including its Outsourcing Circular. Some of the Circular's requirements may appear questionable, but the Circular reflects FINMA's current view of the specific requirements for material outsourcings and are therefore de facto binding:
One side-note concerning the provider’s use of data: Provisions that permit the provider to use the customer's personal data for its own business purposes – Microsoft refers to "Legitimate Business Operations" (LBOs) – are not at all inappropriate in the right "dose". It is normal for a provider to process personal data of the customer also as a controller and not only as a processor. The invoicing of its services, the provision of support services, but also the administration of the users of an online service are such cases. The provider's interest in evaluating the use of its service for non-personal purposes is also legitimate, provided it takes place within certain limits. The fact is, however, that many providers do not even mention this kind processing in their contracts – often because it just does not come to their mind from a data protection point of view. The customer, in turn, must consider under which conditions set forth by data protection law it can permit such use (e.g. by informing employees).
The question of whether there is an essential outsourcing is also a recurring topic of discussion, because only then does the outsourcing circular apply. Most of the insurers whose projects we are aware of and who have already taken the step have assumed that the outsourcing of mere office application services (e.g. M365 including Exchange Online and Sharepoint Online) does not constitute an essential outsourcing because it does not affect the core business applications. It appears that FINMA has accepted this so far, but probably rather subconsciously. As a rule, in this sector, an outsourcing becomes essential when insurers move into the cloud with insurance-specific applications, which the first institutions are now doing in Switzerland. However, we would not be surprised if FINMA will take a stricter view and in the future also classifies the outsourcing of office applications as being an essential outsourcing with the argument that these systems are also becoming increasingly business-critical. In any case, there are already signs of a tightening of the practice.
Banks must expect a stricter standard to apply to them anyway, because in their case CID is also involved. It was already the case that where the processing of a larger amount of CID is outsourced, this generally speaks in favour of an outsourcing being essential. If a bank outsources the operation of its mail server to a hyperscaler through which it regularly exchanges e-mails with bank clients or with CID, which will often be the case, one will often consider this an essential outsourcing. Here, however, we have also gained the impression that audit firms tend not to be strict in their assumption of an essential outsourcing. In any case, we recommend assuming an essential outsourcing for the contract either way. This avoids "emergency" exercises in adjusting the contract at a later date, and the additional effort is typically low on the part of the contract.
How should the contracts of the successful hyperscalers be assessed from the perspective of a Swiss bank?
Microsoft's contracts, for example, even with the standard extensions for financial institutions (M453), Swiss data protection law (M329) and Swiss professional secrecy (M744) are not sufficient for a Swiss bank with CID. So far, however, we have been able to find solutions in all cases with corresponding contract negotiations through customer-specific contract adjustments, so that the Swiss banks in question can also use the Microsoft cloud with CID. However, this again presupposes that the banks use certain forms of contract (e.g. Enterprise Agreement), as Microsoft is very inflexible with certain other forms of contract. Customers who buy through resellers such as SoftwareOne, the industry leader, are therefore in part incomprehensibly worse served by Microsoft today. Due to the lack of standard amendments, they have only been able to obtain the necessary contract adjustments through workarounds, if at all. Hence, if a Swiss bank (or other professional secrecy organization) is too small, there so far may be no solution at the contractual level. Such customers would have to take a risk-based decision or wait until Microsoft – hopefully – provides a standard "professional secrecy" amendment that really lives up the promise; the current such standard amendment M744 is clearly insufficient, despite some outside counsel (with close ties to Microsoft) pretending otherwise. Further changes are ahead when Microsoft will present its new Data Protection Addendum (DPA), to be introduced in September to reflect the revised EU Standard Contractual Clauses (EU SCC); the customer will no longer enter into the EU SCC directly with Microsoft Corporation, as in the past. Hopefully Microsoft will use the opportunity of the revised DPA to improve it and correct some of the aspects that are not yet in compliance with Swiss data protection law.
In our experience, AWS's standard agreement, including the addendum for financial institutions, has also not yet met the requirements and in particular the Outsourcing Circular. AWS will have to significantly improve for Swiss banks.
In this context, the hyperscalers often point to the confirmations and reports from auditing companies. However, these reports have to be examined closely: They sometimes give the impression that the requirements of FINMA or the Outsourcing Circular are fulfilled when a hyperscaler's solution is used, but a closer look reveals that the review does not address the contract, but only the structure of the service itself (e.g. whether it allows the client to make backups or establish encrypted connections to the cloud) and the internal organisation of the hyperscaler (i.e. whether it provides for audit reports to be made accessible to the client, for example). This is, of course, not sufficient.
This highlights a fundamental problem for Swiss banks, for regulated financial institutions in general and also for other professions subject to professional secrecy in dealing with international cloud providers. The latter often offer a high level of data security, a high quality of service and it may be assumed that they basically behave as required in their day-to-day business but their contracts still too often do not reflect this. On the contrary, their contracts are often unclear, inconsistent, ambiguous, too open or simply poorly drafted.
This makes corresponding improvements necessary, which in turn are very time-consuming and laborious to achieve, because the providers try to defend their contractual standard to the extent possible, often simply claiming that the demands of the customers (or even the regulator) are not justified. This is a pity, but it is a problem that should be solved over time. The contracts of large cloud providers such as Microsoft have become better and better in recent years under constant pressure from numerous clients and regulators. For Swiss banks, too, the time will come when we will no longer have to press for customer-specific amendments of the contracts for our clients, but will be able to use the right standard amendments to the contracts to cover sector-specific requirements.
Our checklist of requirements can also help a bank to prepare the risk assessment that FINMA expects from supervised institutions in documented form. After all, moving to the cloud, like any other IT project, is fraught with risks that a bank's management must not only be aware of but also assume before the project can be given the green light. Our experience in numerous cloud projects shows that such a risk assessment rarely results in high risks and in many cases the management even actively pushes the move to the cloud because they see no alternative in the medium and especially in the long term. Interestingly, they are now being supported in this by data security specialists: While some were still sceptical a few years ago, in our experience the majority are now convinced that their data is better protected in the hands of the large hyperscalers than in their own data centres. This is a remarkable development.
That leaves one question that we come across again and again in our consultations: Does a Swiss bank necessarily have to use "bring-your-own-key" (BYOK)? At Microsoft, this refers to the service option of the "customer managed key", which describes the situation much better: The key is stored in the hardware or software key vault at Microsoft, but the key management is the responsibility of the customer – and the customer may also generate the "private key" to its data itself on its own systems and import it into the provider's key vault. Those who do the key management themselves have the option of revoking the key (or triggering the revocation – this is carried out by the hardware or software at Microsoft). Revocation renders all stored data unusable. However, this also applies to the bank's ability to use the data. Hence, BYOK provides the customers with the "red self-destruct button" for their data in the cloud. This can be useful when leaving the cloud, but also in the case of threatened access by foreign authorities. Whether the latter can really be prevented is, of course, doubtful if, contrary to expectations, a foreign lawful access should actually happen.
We believe that the BYOK option is not required from a legal point of view – incidentally, not even according to the specifications of the Cloud Guidelines of the Swiss Bankers Association. They allow the key to be stored with the provider, but require that access to the key remains under the "control" of the bank. Without going into details here, we are of the opinion that this is sufficiently ensured in Microsoft's classical setup via the interaction between the master copy of the Active Directory maintained at the customer and the Azure Active Directory, which determines which user or which resource can access the key. After all, if Microsoft cannot be trusted to comply with Azure Active Directory access control, then it is hard to see why it can be trusted that the key vault it provides (and the software running it) has not been tampered with, is operated without intervention by Microsoft, and has no backdoor for Microsoft. Without a basic trust that the provider will abide by the contracts and not manipulate its own systems to the detriment of its clients, outsourcing is not possible in the first place.
In our opinion, the risk assessment ultimately requires a consideration of the entire package, consisting of technical measures (such as Active Directory at Microsoft), organisational measures (such as contracts and audits) and legal barriers (such as the fact that not everything is permitted under the US CLOUD Act). Nevertheless, we assume that most Swiss banks will use the BYOK option, that it will be subjectively considered at least necessary as an additional security measure, and that it will thus become the industry standard. For the question about the need of BYOK, too, it must be understood that the answer can be relied on many different factors.
Author: David Rosenthal
Categories: Banking & Finance, Data & Privacy
Date: Wednesday, October 4, 2023 at 2.00pm (MESZ) Speakers: David Rosenthal, Joyce Ackerbaum...
Opt-in for our regular updates, news, views, insights and more.