Revised Banking Supervision Guidelines on Cloud Computing
Supervisor of Banks Dr. Hedva Ber said, “This draft directive is a continuation of the Banking Supervision Department’s activity to advance the implementation of new technologies in Israeli banking. The draft directive contains leniencies for banks which, from now on, will be able to implement many more cloud applications without first obtaining a permit from the Banking Supervision Department, but with proper risk management within the organization according to principles set out on the Supervisory Directives. The use of cloud computing will help the banks advance and shorten the implementation of innovative applications, which will enable the improvement of service to customers and cost savings.”
This draft directive is the result of a comprehensive work process conducted by the Banking Supervision Department on the issue of cloud computing, which included, among other things, consulting with professional experts and supervisory authorities abroad, mapping the cloud applications that have been installed in financial organizations abroad, and joint examinations conducted with the banking corporations.
There are many advantages to the use of cloud computing technology in the banking system, such as the development and application of innovative technologies in a short timeframe, and savings in computer and energy resources, that will lead to improvements in the streamlining of the banking corporations and even to improved competition. Alongside the advantages, these technologies also present operational risks and cyber and information security risks such as the leaking of customer data, dependence on outside suppliers, the potential of compromising the corporation’s command and control, interruption of the business continuity of services, and more.
The draft directive sets out guidelines for banking corporations planning to use cloud computing technologies, principally:
- For low-risk applications (such as a marketing website with no sensitive information, analytics applications, etc.), the draft directive provides a leniency for the banking corporations, exempting them from the requirement of obtaining a permit from the Banking Supervision Department that was required until now, thereby advancing the use of cloud computing with its many advantages;
- Applications that are not defined as having a low risk (such as applications that include sensitive information such as customer data) will require a permit from the Banking Supervision Department.
- The draft directive does not enable the use of cloud computing technologies for the banking corporation’s core activities and systems.
- The draft directive also deals with aspects of corporate governance, including Board of Directors and senior management involvement, risk management, and contracts with cloud service providers.
This draft directive replaces the Supervisor’s Letter published on June 29, 2015. The banking corporations began using cloud computing immediately following publication of the Supervisor’s Letter on the matter. Since that time, the number of cloud applications has increased significantly. The Banking Supervision Department has granted 37 permits to 10 banking corporations during this period. 24 of the permits were issued in a rapid process for applications that, according to the language of the draft directive, will not require a permit in the future, which will make the process of adopting the technologies easier. The types of use of cloud computing for which the banking corporations obtained permits are varied, and include, among other things, analysis applications, marketing websites, CRM systems, managing tenders, training programs, marketing management, and more.