31. July 2019

“The law doesn’t distinguish between domestic and foreign clouds”


Many banks have only just begun to take a closer interest in the cloud. They continue to have reservations, first and foremost about the compatibility of the cloud with banking secrecy. Martin Hess, Head of Digitalization and Economic Policy and Board Member of the Swiss Bankers Association, has the answers.

ti&m: How has the issue of cloud computing evolved for banks in recent years? 
Martin Hess: I am pleased that there has been a significant increase in awareness in recent years of what the cloud is capable of and how it can empower banks. This includes enabling banks to offer better, more customer‑friendly and innovative products, which, in turn, enables them to achieve significant increases in efficiency. At the Swiss Bankers Association, we have produced a set of cloud guidelines that aims to make it easier for banks to procure cloud services. Smaller and less technology‑savvy banks will find them especially helpful.

So do banks still need a lot of information?
Many banks want to use the cloud, but for various reasons, they aren’t using it for customer data. We want the guidelines to bridge the gap between wanting to use the cloud and actually doing so. The guidelines cover about fifty pages. Each bank will need to conduct its own evaluation and risk assessment. There’s still a great need for information.

What are the key concerns that are holding banks back from using the cloud?
The biggest concern is customer data – there’s no doubt about that. We are seeing the first banks starting to use the cloud for internal, non‑business‑critical data or anonymized test data. But the sticking point is customer data. This is where we win or lose our customers’ trust. At the same time, however, it is the area where the greatest efficiency gains can be made and where innovation can deliver the greatest benefits. In the longer term, there’s a good prospect that certain software will only be available via the cloud. 

In its 2018/3 bulletin, the Swiss Financial Market Supervisory Authority (FINMA) permitted customer data to be held abroad. What does that mean in concrete terms for the banks?
The Swiss Banking Act doesn’t distinguish between domestic and foreign. However, up to now banks have always stored data domestically and prevented it from being accessed from abroad, following the principle “over the border, out of control.” It was assumed that the moment data are processed or accessed from abroad, banking secrecy would automatically be compromised. We take a different view in our guidelines. In principle, the only issue is ensuring that data cannot be accessed by unauthorized parties. This doesn’t depend on where they are stored; it was merely a practice that established itself. There are also legal opinions that state explicitly that data can be stored and processed abroad provided appropriate safeguards are adopted.

The law doesn’t distinguish between domestic and foreign. However, Swiss banks continue to favor Swiss providers, or those with data centers in Switzerland. Why is that? 
The question will be irrelevant to banks when they feel confident that storing data abroad does not carry any greater risk. In our guidelines, we argue that banks have to be able to prove that they have not negligently disclosed secret information, regardless of where it is located. We cannot absolve banks from this responsibility. The guidelines set out technical, contractual and organizational elements that can ensure that they meet it. The elements must be combined in such a way that data cannot be accessed with reasonable effort. 

The new CLOUD Act requires US firms to enable US authorities to access their data centers, including those located overseas. What is your assessment of this law?
We are looking closely at the CLOUD Act right now and examining the possibility of a bilateral executive agreement such as the USA already has with Great Britain and similar to the agreement that it is aiming to conclude with the EU. Since the CLOUD Act has extraterritorial effect, it can come into conflict with local legislation. An executive agreement would allow us to resolve such conflicts bilaterally. We are currently devoting some thought to whether this would be a solution that would work for Switzerland. I think it’s realistic to assume that some day there will be a network of executive agreements between the key countries. The US Department of Justice has found that the CLOUD Act has triggered a great deal of anxiety and uncertainty. They have therefore published a white paper aimed at addressing the outstanding issues. We are in the process of studying this information and will draw up appropriate recommendations. In my view, the legal and political considerations are paramount.

How long can Swiss banks afford to wait and see with the cloud?
I can only speak from my own personal experience. Banks have different customer bases, business models and appetites for risk. I think we will see the first banks making a move very soon. Other banks, however, will continue to make do with their current IT systems for longer because they are working well. The issue is often where banks are in their internal innovation cycles. This is what will determine how fast the cloud is adopted. It is difficult to give a general answer, but there will be a couple of front runners and others that hang back. It shouldn’t be assumed that everything has to be migrated all at once. Every bank will start with something different. For the most part, something less business‑critical. Many banks will certainly have the strategic goal of migrating to the cloud in a specific number of years.  

Martin Hess

Martin Hess has been Chief Economist and Board Member of the Swiss Bankers Association and a member of the European Banking Federation’s Chief Economists’ Group since 2010. He previously held various positions in the Federal Department of Finance and the State Secretariat for International Financial Matters (SIF). 
