Navigating data residency and privacy compliance in the cloud

By Niall Twomey | 8 February 2018

Security and data security concerns have traditionally dominated the list of reasons for lack of cloud technology adoption by banks.

In a survey conducted by Forrester Research a few years ago, it found that the top five reasons why US banks were avoiding cloud technology included:

1) Security (73%)

2) Privacy (63%)

3) Risk (59%)

4) Regulation (56%)

5) Technology maturity (43%)

These factors have prevented financial services organisations from embracing the cloud, while their fintech and regtech peers have taken advantage of this agile technology and outpaced them in terms of bringing innovations to market.

The security tools and solutions used in an on-premise world simply do not apply in the same way in a cloud-environment. On-premise solutions have a defined perimeter to protect, however, cloud has no such perimeter, making threats appear unbounded.

In order for financial institutions to adopt the cloud, they must take appropriate measures to address security concerns. To do this, they need to deploy continuous security monitoring to their cloud environment to ensure that all threats are recognised and acted upon immediately at any given time.

Managing data privacy issues

While cloud opens up the world of data for banks, its global accessibility also increases the risk of violating data privacy rules. It is very important to get clarity on data residency, as it has implications in terms of both international and local data protections laws, such as the forthcoming General Data Protection Regulation (GDPR) in Europe.

In a Client Lifecycle Management scenario, this means that banks will need to incorporate provisions that ensure data privacy. One way to do this is through the implementation of a robust authorisation framework. This framework should ensure that a set of rules are applied automatically to data being accessed, viewed or shared by an entity in a different jurisdiction. The rules should govern the following examples:

a) For jurisdictions that absolutely prohibit the sharing of client data outside of their borders, the solution should not grant access to or sharing of client data outside the domestic country;

b) For jurisdictions where sharing of data outside the jurisdiction is permitted by client consent, the solution should be capable of collecting, collating and reporting of consent on entity and jurisdictional attributes on the client profile.

c) Where jurisdictions grant the sharing of some data but not others outside of the country, the solution should be capable of masking the data prohibited to be viewed using implementations of defined interface, based on a user's confidentially level and sensitive data permissions.

d) Where data cannot be shared with select countries, the solution should be capable of ensuring this through jurisdictional attributes on the profile.

Solving data residency in cloud client lifecycle management

By its very nature, cloud gives the impression of full accessibility and flexibility of services and data. However, handled properly, data can be managed securely and efficiently, even in a cloud environment. To do this, certain protocols and rules need to be put in place to ensure good governance over this process. For example, by implementing a clear separation of data in separate databases, banks can ensure that data is not inadvertently accessed, viewed or shared with any prohibited user or jurisdiction. Similarly, the rules should ensure that data initially available in a more restrictive jurisdiction is never shared with a less restrictive one. This ensures the standards of data privacy remains at its highest. Conversely, the solution should be capable of controlling duplication of data to more restrictive jurisdictions, e.g. where initial data is available in a less restrictive jurisdiction, controlled updates of duplicated data or notifications of data changes should be sent from less restrictive to more restrictive jurisdictional instances.


The financial services industry is still in the early stages of cloud adoption and experimentation. Over the last two years especially, the cloud has transformed from being perhaps the most frowned upon technology in the banking industry due to security and regulatory concerns to an area of growth, opportunity and better client experience.

In the next five years, the financial services industry will look very different than it does today. Cloud adoption will be very much innovation as usual enabling all banks to become cloud-first firms that prize speed, innovation and accessibility. 

Become a bobsguide member to access the following

1. Unrestricted access to bobsguide
2. Send a proposal request
3. Insights delivered daily to your inbox
4. Career development