Over a year into the pandemic one thing is certain, as Satya Nadella said in our third-quarter earnings call, “Digital adoption curves aren’t slowing down. They’re accelerating, and it’s just the beginning.” This is especially true in the financial services industry, which unlike in 2008, not only weathered the external economic shock of the pandemic but performed quite well under particularly challenging circumstances throughout the past year. Due to business necessity, we are seeing financial institutions rapidly adopt cloud technology to enable greater agility, resiliency, and speed to market in innovation—all the while doing so in a manner that is consistent in meeting regulatory expectations from an outsourcing perspective.
In its discussion paper on Regulatory and Supervisory Issues Relating to Outsourcing and Third-Party Relationships, the Financial Stability Board recognized that the pandemic, “may have accelerated the trend towards greater reliance on certain third-party technologies” and, in particular, cloud computing. As cloud adoption increases in the financial services sector, financial institutions are moving to put critical and important business functions in the cloud, especially to facilitate remote working and remote customer engagements through productivity platforms like Microsoft Teams. Whether it is customers like BlackRock, UBS, or AXA using the Microsoft Cloud for major business functions, it puts a spotlight on the important role Microsoft has in the industry to keep business operations thriving. This has spurred action by regulators to place more emphasis on the need to treat such outsourcing arrangements as critical infrastructure, with a greater role for regulators to play in more direct oversight of critical infrastructure providers.
Most recently, the European Commission drafted legislation to provide for a regulatory regime that would “promote convergence on supervisory approaches to the ICT third party risk,” including by conferring direct oversight of critical ICT service providers by a lead overseer. While the legislation has not yet passed, it lays the groundwork to facilitate a regulatory regime that provides for direct oversight of critical infrastructure—including potential cloud service providers like Microsoft.
Steps to provide similar oversight for digital infrastructure are underway in other markets, such as Korea, with similar frameworks in mind. At Microsoft, we think that this is a natural evolution of regulatory oversight—whether through new legislation or based on existing legislation, such as under the U.S. Bank Service Company Act, which confers U.S. bank regulators’ authority to examine third-party outsourcing providers. With the opportunity to serve the industry at scale for key business functions comes the responsibility to provide for the level of assurance and oversight that customers and regulators will expect under this new paradigm.
Consequently, we moved to establish an Office of Critical Infrastructure to address these issues, not just for financial services, but across industries supporting critical infrastructure (e.g., health, retail, energy, manufacturing, etc.). Equally, for nearly a decade, we have committed in our contracts rights of regulatory examination, and similar audit rights to customers, given we understand that these requirements are sacrosanct when it comes to having the level of assurance required for critical and important functions operating in our cloud environment. This is not merely a contractual right—we have experience in supporting our customers in exercising direct rights of audit and, equally, regulatory examinations as well.
We continue to make investments in providing assurance and transparency to our customers by helping them:
- Manage the cloud services used through tools and dashboards we provide, including Azure Security Center, Microsoft 365 Service Health Dashboard, and Microsoft Secure Score.
- Assess and manage the controls of the cloud environment and identify the functions that must be managed by the financial institution through tools like Compliance Manager.
- Access evidence and third-party audit reports through our Service Trust Portal.
- Manage data classification and multi-sourced environments, so customers have a 360-degree view of data sets, including through Azure Arc and Azure Purview.
- Transparency of Microsoft Compliance resources for customers to assess our cloud services from a regulatory compliance perspective.
As we look to the future, we think it is important that regulators and customers be equally innovative in employing new models of assurance to adapt to the hyper-scale nature of cloud computing, which is standardized and thus employs a consistent set of controls wherever our cloud services operate. Thus, when customers or regulators seek to examine our cloud services, including our data centers, replication of audits is duplication. The resources devoted to an audit can be applied equally and alike for customers and regulators to benefit from such audits. One approach we think is useful to scale includes the use of independent third-party firms like TruSight, which can provide the same level of assurance to customers through one standardized assessment of controls. But we know more can be done here, and we welcome input from the industry to help drive synergies and assurance equally.
In addition, under new regulatory regimes like DORA, the draft legislation contemplates that European Supervisory Authorities, “should be encouraged to conclude cooperation arrangements” with other third-country regulators. And the Financial Stability Board also noted that “cross-border regulatory and supervisory dialogue and cooperation in this area is becoming increasingly important.” Given the concept of “pooled audits” is built into regulatory guidance issued by the European Supervisory Authorities and, more recently, by the Bank of England, we would encourage that regulatory bodies by extension consider regulatory cooperation to harness resources together and avoid unnecessary and duplicative examinations when they can be accomplished more efficiently together. Indeed, at its essence, this is what DORA is designed to do within the European framework among member states.
As we move forward, we acknowledge the important role regulators have in the industry and our support to continue to foster innovation responsibly, including under new regulatory mechanisms that place emphasis on critical infrastructure. We will support our customers as a key partner in helping them meet their regulatory compliance needs and continue to innovate with enhanced assurance. This includes, by way of example, our innovative Financial Services Compliance Program, which provides for deeper engagement on risk assessments and assistance on assurance and regulatory compliance reviews. As a new dawn rises, we expect continued acceleration in the adoption of cloud. We are ready to serve the industry and regulators alike.
Meeting compliance obligations in a dynamic regulatory environment is complex. We are here to help you navigate this ever-changing landscape. Learn how we help customers manage compliance in the cloud. To continue your digital transformation journey:
- Read about 4 measures to counteract risk in financial services and the role of open dialogue in financial services compliance.
- Learn about Microsoft Cloud for Financial Services, bringing together capabilities with multilayered security and comprehensive compliance coverage to deliver differentiated customer experiences, improve employee collaboration and productivity, manage risk, and modernize core systems.
- Visit our banking, capital markets, and insurance pages to learn more about our financial services solutions and partners.