
2.3.2 Financial data, particularly data which is subject to supervision by national regulators
Overview and subtypes of data
While financial data is of course a relatively broad concept, several smaller subcategories of financial data (notably tax records and accounting data) were split off for the purposes of this study into separate data types and are therefore addressed by separate reports, discussed in the sections below. This section of the report therefore relates mainly to a residual category of financial records kept or otherwise processed by banks, insurance companies and other supervised service providers in the financial industry: principally rules on the (cross-border) outsourcing of financial data and services by financial institutions, and rules on access to financial data that falls under banking secrecy legislation.
The barriers were also highly uniform in nature: in all 7 reported cases, the reported barriers were indirect.
Scope of the barrier
There was more diversity in the way the barriers were phrased and approached. Looking at the breakdown, the following barriers can be distinguished:
Figure 5 – Types of barrier observed (Financial)
Country: Austria
Source: Bundesgesetz über die Beaufsichtigung von Wertpapierdienstleistungen, BGBl. I Nr. 60/2007, latest amendment BGBl. I Nr. 117/2015 (Federal Act on the Supervision of Securities), Art. 25, 26. Specified by the Austrian national regulation Auslagerungsverordnung, BGBl. II Nr. 215/2007, latest amendment BGBl. II Nr. 272/2011.
Restriction imposed on providers / users / data: Companies in Austria that are authorized to provide financial services (securities, bonds, instruments, stocks, etc.)
Direct or indirect: Indirect
Summary of obligation / restriction: Article 25 of the Federal Act on the Supervision of Securities stipulates that special attention has to be paid when using third-party subcontractors for providing financial services, in order to minimize business risks. When outsourcing tasks, it has to be ensured that the control mechanisms of the Austrian financial market supervision authority (Finanzmarktaufsicht, FMA) are not hindered. Due diligence has to be applied when outsourcing, and written contracts with the subcontractor have to be in place. Article 26 specifically deals with outsourcing to a foreign country (‘Drittland’).[7] In addition to the requirements of Article 25, the subcontractor has to be officially registered for the financial activities in the foreign country, and there has to be a cooperation agreement between the FMA and the foreign country.

Country: Belgium
Source: Circulaire PPB 2004/5 over gezonde beheerspraktijken bij uitbesteding door kredietinstellingen en beleggingsondernemingen / Circulaire PPB 2004/5 sur les saines pratiques de gestion en matière de sous-traitance par des établissements de crédit et des entreprises d’investissement (Circular PPB 2004/5 on sound management practices in outsourcing by credit institutions and investment firms). Issued by the Belgian Banking, Finance and Insurance Commission on 22 June 2004.
Restriction imposed on providers / users / data: Credit institutions, banks and insurance companies
Direct or indirect: Indirect
Summary of obligation / restriction: The Circular permits cross-border outsourcing of financial data and services, but requires that it remains subject to effective supervision. It notes that this is not problematic within the EEA, as the regulator will be able to work with regulators in other countries. Outside the EEA the same applies in principle, but only if comparable supervision exists and if there are no restrictions preventing the regulator from exchanging information and cooperating with the competent authorities. The regulator assesses these conditions on a case-by-case basis, implying that cross-border outsourcing requires a direct dialogue with the regulator. Finally, for outsourcing to a service provider who is not subject to any supervision, the outsourcing institution must first consult and confer with the regulator.

Country: Czech Republic
Source: 1. Act No. 21/1992 Sb. (Banking Act), § 37 para 2, § 38. 2. Decree No. 163/2014 Sb. (due diligence in banking and other financial services), especially its Annex No. 7 (specific requirements for risk management in case of outsourcing), § 37(k), §§ 47-52.
Restriction imposed on providers / users / data: All banks
Direct or indirect: Indirect
Summary of obligation / restriction: The Banking Act lays down the basic rules of bank secrecy. It is not specifically focused on data storage, but it gives an exhaustive list of cases in which banking data falling within the scope of banking secrecy (i.e. client data) can be made available to third parties. A contrario, it implies that any other form of use of such data is prohibited. Decree No. 163/2014 Sb. contains a set of specific compliance provisions for banks and other financial institutions. Its Annex 7 is focused on risk management in case of outsourcing. It contains general risk management requirements for all kinds of outsourcing, so it is not specifically targeted at ICT or data processing. There are particular limitations and duties as to the content of outsourcing agreements for data processing, but they only require the inclusion of stipulations regarding data security. Paragraphs 47-52 include only general security requirements without mentioning any particular rules.

Country: Ireland
Source: Chapter 2 of the Central Bank (Supervision and Enforcement) Act 2013 (Section 48(1)) (Investment Firms) Regulations 2017 [‘the Central Bank Investment Firms Regulations’]. The Central Bank Investment Firms Regulations are issued by the Central Bank under the powers granted by the Central Bank (Supervision and Enforcement) Act 2013.
Restriction imposed on providers / users / data: Collective Investment Undertakings
Direct or indirect: Indirect
Summary of obligation / restriction: The restriction permits outsourcing of certain activities only under strict conditions. For example, the Central Bank needs to be able to conduct inspections at the outsourcing service provider’s premises. There is no specification on whether such inspections need to be “on-site”.

Country: Luxembourg
Source: Circular CSSF 12/552 on central administration, internal governance and risk management, as amended by Circulars CSSF 13/563 and CSSF 14/59, issued by the Luxembourg Supervisory Commission of the Financial Sector (Commission de Surveillance du Secteur Financier - CSSF), Section 5.2.3, Sub-section 7.4.2.1, Sub-section 7.4.2.3.
Restriction imposed on providers / users / data: Credit institutions, banks and insurance companies
Direct or indirect: Indirect
Summary of obligation / restriction: The Circular does not require all infrastructure and all data to be stored in Luxembourg, but rather emphasizes that the IT functions of institutions must be effectively protected, which can best be done “in premises at its disposal in Luxembourg”. This is, however, not a requirement that impedes delocalized storage; storage outside Luxembourg is permitted under strict safeguards and preconditions that protect the confidentiality of banking data. Broadly summarizing the provisions above, outsourcing of IT infrastructure is permitted, but should be either to a party (a PFS) licensed in Luxembourg, or to an internal entity of the outsourcing party’s group after prior informed consent is obtained.

Country: Netherlands
Source: Circulaire cloud computing 2011/643815 van de Nederlandsche Bank (Circular cloud computing 2011/643815 of the Nederlandsche Bank). Issued by the Dutch financial supervisor (Nederlandsche Bank) on 6 December 2011. See http://www.toezicht.dnb.nl/binaries/50224828.pdf
Restriction imposed on providers / users / data: Credit institutions, investment companies, banks and insurance companies
Direct or indirect: Indirect
Summary of obligation / restriction: The Circular permits cross-border use of cloud computing for banking data which is subject to prudential supervision, but requires that it remains subject to effective supervision. This requires a risk-based assessment by the outsourcing party, and the conclusion of a contract that provides for: the supervisor’s right to conduct local audits (or to have these conducted by a third party); an obligation for the cloud provider to provide information to the supervisor upon request; and the right of the outsourcing bank to implement changes in the execution of the services agreement with the cloud provider, including appropriate termination clauses.[8] The Circular addresses the risk that financial enterprises are unaware of where their data is stored and how it is processed, in relation to oversight and enforcement. The Dutch Central Bank has reported that, in terms of effective oversight and enforcement, the DNB does not differentiate between data stored within or outside the Netherlands.

Country: Portugal
Source: Aviso do Banco de Portugal n. 5/2013 (Regulation of the Bank of Portugal implementing Article 39(1) of Law No 25/2008 of 5 June concerning the required conditions, mechanisms and procedures for compliance with obligations preventing money laundering and terrorism funding related to the provision of financial services subject to the supervision of the Bank of Portugal), Art. 5; Law No 25/2008 of 5 June, as last amended by Law No 118/2015 of 31 August (this Act also applies to companies which deal with hedge funds, pension funds, securitization, investment consulting, investment in tangible property, and certain insurance companies).
Restriction imposed on providers / users / data: Credit institutions (banks), investment and other financial companies, payment institutions and electronic money institutions with headquarters in Portugal; branches located in Portuguese territory of such institutions headquartered in foreign countries, including external financial branches; postal service providers insofar as they provide to the public financial services related to matters under the supervision of the Bank of Portugal.
Direct or indirect: Indirect
Summary of obligation / restriction: The Bank of Portugal has competence to conduct inspections in any premises of financial institutions, or of third parties used in the exercise of the activity of financial institutions, with the power to demand the presentation of any information or clarifications it deems relevant, including the on-site examination of information, the extraction of copies of all pertinent documentation, and the summoning of any person to be heard in order to gather that information.

[7] It is difficult to trace whether the definition of ‘foreign country’ or ‘third country’ is meant to be ‘each country which is not part of the European Economic Area’, as a trail of steps needs to be followed, via the Wertpapieraufsichtsgesetz (WAG 2007), which refers to the Börsegesetz, which in turn refers to § 2 Bankwesengesetz (BWG; Banking Act). This may contribute to legal uncertainty.
[8] A subsequent circular has been issued on the right to examine, indicating a series of cloud providers with whom the supervisor has been able to determine that it will have appropriate examination rights. The list is accessible online.
Figure 6 – Nature and scope of barrier observed (Financial)
Nature of the barrier: Application of specific risk management schemes to subcontractors
Observed in which countries? AT, BE, CZ, NL
Why is this (potentially) a restriction to the free flow of data within the European Union? Risk management requirements are defined at the national level by the financial regulators, and may be hard for foreign providers to know and observe.

Nature of the barrier: Control mechanisms (including audits) of the national supervisors may not be hindered
Observed in which countries? AT, BE, IE, NL, PT
Why is this (potentially) a restriction to the free flow of data within the European Union? IT systems established abroad may be more difficult for the regulators to control.

Nature of the barrier: Subcontractors have to be officially recognised / authorised as acceptable service providers for this type of data
Observed in which countries? AT, LU
Why is this (potentially) a restriction to the free flow of data within the European Union? National whitelists can be hard to adhere to for service providers working in multiple jurisdictions, since they need to undertake efforts to become listed on a country-by-country basis (compliance cost and effort).

Nature of the barrier: Comparable supervision must exist in the country of establishment of the service provider
Observed in which countries? BE
Why is this (potentially) a restriction to the free flow of data within the European Union? The service provider must operate only from countries where such supervision exists.

Nature of the barrier: Case-by-case dialogue with the regulator is required before initiating a cross-border flow to unknown service providers
Observed in which countries? BE
Why is this (potentially) a restriction to the free flow of data within the European Union? Imposes a potentially cumbersome requirement on service providers abroad.

Nature of the barrier: Imposing a choice of law clause in favour of the regulator’s country of operation
Observed in which countries? CZ
Why is this (potentially) a restriction to the free flow of data within the European Union? Implies that service providers must align with multiple national laws if they wish to operate at the EU level.
As already noted, the barriers reported by the correspondents were all indirect in nature, and none of them explicitly prohibits data storage outside the country, although many of them contain relatively strong encouragements to restrict oneself to national infrastructure. This is, however, partially borne out of necessity, since regulators must indeed have the competence and practical ability to conduct audits on the infrastructure being used; this requirement is significantly harder to meet when exercising that power would require cross-border travel to potentially multiple locations in different Member States.
It is also worth stressing that some regulators have shown a willingness to be pragmatic in applying this rule, by requiring only that audits by a competent equivalent regulator are possible. The Austrian and Belgian reports explicitly mention the role of cooperation agreements between regulators as a valid way of meeting this requirement, and the Dutch regulator publishes and maintains a ‘whitelist’ of service providers which have been found, on the basis of prior examination and dialogue, to be permissible for financial data owing to their ability to satisfy audit requirements.
Thus, solutions are possible. The fact that the approach to these issues varies from country to country can, however, result in needless duplication of effort for service providers, thus serving as a disincentive for cross-border data flows even for specialised service providers that could conceivably meet local requirements.
Drivers behind the barriers and potential solutions
The overview above showed that the barriers in relation to financial data are indirect, and almost universally serve to protect the confidentiality and security of financial data, which is seen to depend at least partially on the regulator’s ability to access and audit the data and the infrastructure where it is located. Nevertheless, good practices exist in some Member States. The table below illustrates how these drivers (security – confidentiality – accountability) could be supported at EU level without needlessly impairing the free flow of data.
Figure 7 – Drivers behind the barrier observed and potential solution (Financial)
Nature of the barrier: Application of specific risk management schemes to subcontractors
Objective / driver behind the barrier: Ensuring sufficient security/confidentiality
Potential solution? EU level alignment on such requirements

Nature of the barrier: Control mechanisms (including audits) of the national supervisors may not be hindered
Objective / driver behind the barrier: Ensuring security/confidentiality, and supporting accountability and supervision
Potential solution? EU level cooperation between regulators and / or establishing third party auditing arrangements for third countries

Nature of the barrier: Subcontractors have to be officially recognised / authorised as acceptable service providers for this type of data
Objective / driver behind the barrier: Ensuring sufficient security/confidentiality
Potential solution? If authorisation is deemed a requirement, there should be mutual recognition at EU level of such authorisations by individual Member States, so that an authorisation in one Member State is not mutually exclusive with, or subject to possibly contradictory requirements from, an authorisation in another Member State. EU level whitelisting of acceptable service providers can similarly be considered.

Nature of the barrier: Comparable supervision must exist in the country of establishment of the service provider
Objective / driver behind the barrier: Ensuring security/confidentiality, and supporting accountability and supervision
Potential solution? EU level cooperation between regulators and / or establishing third party auditing arrangements for third countries

Nature of the barrier: Case-by-case dialogue with the regulator is required before initiating a cross-border flow to unknown service providers
Objective / driver behind the barrier: Ensuring sufficient security/confidentiality
Potential solution? If authorisation is deemed a requirement, there should be EU level recognition so that country-to-country authorisations with possibly contradictory requirements are avoided. EU level whitelisting of acceptable service providers can similarly be considered.

Nature of the barrier: Imposing a choice of law clause in favour of the regulator’s country of operation
Objective / driver behind the barrier: Maintaining national control over financial systems and services
Potential solution? Substantive obligations of service providers should be sufficiently aligned, considering freedom of contract, obligations and cooperation mechanisms with national