Financial Regulation: Cloud Computing Is Not Outsourcing

At recent analyst events I have been perplexed by the thinking of some industry colleagues on the issue of “regulating cloud computing services.” Cloud computing requires no specific financial regulatory oversight; what it needs is a legal framework for control of and responsibility for data, together with standardization. Many confuse the overseeing of cloud computing services with the outsourcing of important functions, which may require specific financial regulatory oversight.

Strict and rigorous conditions are imposed on investment firms that wish to outsource “critical” and “important” functions; most importantly, outsourcing investment services and activities should be considered as capable of constituting a material change of the conditions of investment-firm authorization. Consequently, financial services firms must notify the relevant financial regulator of such changes. The U.K. financial regulator states that "operational risks posed by outsourcing could present a significant threat to the statutory objective of securing the appropriate degree of protection for customers, maintaining confidence in the financial system and reducing financial crime." Financial institutions must monitor and effectively manage and supervise the competence and performance of the outsourced service providers.

Cloud services, on the other hand, are essentially applications and services that are hosted and centralized on servers maintained by technology service providers (instead of in-house computers). As such, it is difficult to see why financial institutions should be subject to specific financial regulatory requirements over and beyond normal governance and service procurement oversight.

The European Commission (EC), in its customary response to innovation, has suggested that it has a role to play in cloud computing. The EC believes that the legal framework, technical and commercial fundamentals, and the market have to be addressed through non-sector-specific regulation for cloud computing to prosper in Europe. According to the EC, a clear legal framework must be established, stating where data can be stored and which organizations are responsible and liable for it. This framework would address concerns about data protection and privacy across international boundaries.

The EC wishes to play a stronger role in the standardization of application program interfaces (APIs), as well as the routines, protocols, and tools for building software applications and data formats associated with the cloud; it hopes to improve the interoperability of cloud technologies and foster better competition between cloud vendors. It is certainly correct that international standardization could have a hugely beneficial impact on the efficiency of cloud computing by providing interoperability at a technical and regional level. Standardization should commence immediately, or the growth of cloud computing -- and the disparities with which the different providers distribute it -- will have turned standardization into a typically large-scale project with slow delivery.