Amongst the hype around artificial intelligence or blockchain, cloud computing has quietly continued to provide the foundation for a number of digital transformation projects over recent years.

Most of our clients are now adopting cloud at full scale, and some are unpicking the issues caused by doing so without governance: shifting to 'cloud-first' isn't as easy as lifting and shifting an application from an on-premises datacentre into AWS, Google Cloud, Azure or similar. Cloud computing is in fact at the forefront of the minds of risk, audit and compliance executives, according to Gartner's latest Emerging Risks report, with cyber security and GDPR compounding those concerns.

Recently, we have seen that regulatory risk is a cloud risk vector playing on the minds of financial services institutions. There has been a flurry of recent activity from the European Banking Authority (EBA), such as the introduction of Recommendations on outsourcing to cloud service providers and the forthcoming overhaul of the 2006 CEBS Guidelines on outsourcing (EBA Draft Guidelines on Outsourcing arrangements). In addition, the UK's Financial Conduct Authority (FCA) has updated its 2016 outsourcing guidance to adopt these EBA changes (in short, its FG 16/5 guidance 'does not apply to a bank, building society, designated investment firm or IFPRU investment firm').

The pace of this regulatory change suggests that the regulators themselves are concerned with the risks which cloud computing implementations present. For established financial services institutions with experience of strict governance procedures, these increasingly instructional rules will provide further clarity on what is expected of them. For less mature banks, these rules will necessitate significant remedial effort; the EBA's extension of its draft guidelines to e-money institutions could bring considerable challenge to the cloud-first (and sometimes cloud-only) operating model.

To mitigate the risks facing institutions adopting cloud, it is important that effective governance is in place to identify and manage the different risk factors that arise alongside the benefits of cloud. Institutions need to ensure they understand their regulatory landscape, how it will develop going forward and how they can best comply.