EXECUTIVE SUMMARY
In an increasingly interconnected world, the ability of financial institutions to move data across borders is critical to their success and ability to serve their customers. Yet, a grow-ing number of jurisdictions are imposing “data localization” requirements that restrict or even prohibit the transfer of data outside their borders. This report examines how these requirements affect the financial sector in light of the growing adoption of cloud computing technology. Data localization requirements, while often motivated by legitimate policy concerns, impose significant costs on financial institutions and their customers, including by preventing financial institutions from harnessing the full potential of cloud computing. Regulators can address those concerns without impeding the free flow of data that is essential to realizing the benefits of cloud adoption in the financial sector.
The Promise of Cloud Technology for the Financial Sector
The COVID-19 pandemic accelerated a trend that was already well underway: the adoption of cloud computing by financial institutions. Cloud technology offers significant ben-efits, including cost efficiency, enhanced cybersecurity, and operational resilience. By allowing financial institutions to automatically scale up their computing resources, cloud technology enables them to handle market stress events, such as unexpected surges in trading volumes or cyberattacks, that might overwhelm traditional information technology (IT) infrastructure. Moreover, the extensive computing resources available in the cloud facilitate access to cutting-edge technologies like data analytics and artificial intelligence (AI), which promise to transform how financial institutions meet their customers’ needs and manage risk.
The Critical Role of Cross-Border Data Flows in Finance
Cross-border data transfers are essential to the global financial sector. They are necessary for processing international payments, providing financial services to customers who live or do business in multiple jurisdictions, and facilitating regulatory oversight. Even local financial institutions rely on cross-border data flows when they connect their customers to global financial networks. By impeding these flows, data localization requirements limit the ability of financial institutions to meet their customers’ needs and even the ability of financial regulators to engage in effective oversight.
Data Localization Requirements and Cloud Adoption
Proponents of data localization often argue that it enhances data privacy, ensures data availability in the event of a disruption, and facilitates regulatory oversight and law en-forcement. However, these arguments are misguided. The physical location of data is neither necessary nor sufficient for its security; data that is not managed securely can be compromised regardless of where it is stored. Moreover, the major cloud providers, due to economies of scale, can invest far more in cybersecurity and resilience than local technology providers. And local data storage does not guarantee regulatory access; regulators can ensure access to data stored abroad through bilateral or multilateral agreements. Data localization requirements also threaten to cut financial institutions off from the benefits of cloud adoption, which depend critically on the ability to move data across borders.
The major cloud providers do not maintain data centers in every jurisdiction. Instead, they leverage economies of scale by operating a global network of data centers. This distributed infrastructure is key to the cloud’s resilience and cybersecurity advantages: data and processes can be spread across different data centers, making them less vulnerable to localized disruptions or attacks. That distributed infrastructure also provides the massive computing resources that enable cutting-edge analytics and AI.
Policy Recommendations for Financial Regulators
To balance legitimate policy concerns with the imperative of facilitating cross-border data flows to enable cloud adoption, the report recommends that financial regulators:
- Adopt a principles-based approach to data protection that focuses on ensuring that data is stored securely, rather than where it is stored.
- Work together with regulated entities and cloud service providers to leverage global, out-of-jurisdiction cloud infrastructure in a manner that enhances cybersecurity and operational resilience.
- Ensure access to data for regulatory supervision and law enforcement through agreements with other jurisdictions, not through data localization.
- Increase coordination with other local authorities and foreign counterparts to develop consistent policies for data transfer.
Conclusion
Data localization requirements, while often based on legitimate concerns, impose significant costs on financial institutions and their customers. They inhibit the ability of financial institutions to leverage cloud technology for enhanced security, resilience, and innova-tion. By adopting policies that facilitate secure cross-border data flows, financial regulators can address their legitimate concerns without hampering the global financial sector. In an increasingly interconnected world, the free flow of data is not just beneficial; it is essential.
INTRODUCTION
The financial sector runs on information: the success of financial institutions depends on their ability to obtain, protect, and use information for their benefit and the benefit of their customers. Financial data includes information about customers such as their name and account number and information about companies and their key employees. The increasing reliance by financial institutions on cloud services to securely and efficiently store, process, and transmit information has raised challenges for how jurisdictions regulate financial data.
In a global market, like the market for financial services, the free flow of data across borders generates significant value. The cross-border movement of data is essential to processing international payments, providing financial services to individual and business customers, and improving risk management at the financial institution level. Yet recent years have seen the imposition of “data localization” requirements: restrictions which directly require, or have, as a consequence, that data originating in a jurisdiction remain in that jurisdiction.
This report analyzes data localization requirements and their impact on the financial sector. Part I of the report provides background on cloud adoption in the financial sector and the critical role of cross-border data flows to the financial sector. Part II takes a deeper dive into the different kinds of data localization requirements, the stated motivations for adopting data localization requirements, and their potential drawbacks. Part III focuses on how data localization requirements affect financial institutions and their ability to benefit from cloud adoption.
Part IV concludes with policy recommendations for financial regulators regarding cross-border data transfer in the context of cloud adoption that address the concerns that national governments and financial regulators have used to justify data localization requirements. Regulators should take a principles-based approach to data protection that allows secure data transfer to other jurisdictions, as long as they afford sufficient levels of protection to private data. They must also recognize that global, out-of-jurisdiction technology infrastructure can enhance cybersecurity and operational resilience. Rather than focusing on the location of data, regulators can address concerns about regulatory oversight and law enforcement by ensuring access to data. In addition, they should work to align data transfer policies with other local authorities and regulators in other jurisdictions.
PART I: CLOUD ADOPTION AND INTERNATIONAL DATA TRANSFERS IN THE FINANCIAL SECTOR
Cloud computing allows data to be stored on remote servers maintained by a third-party provider and retrieved over a network, such as the internet, rather than on proprietary, on-premises infrastructure. Although cloud computing is not new to the financial sector, the COVID-19 pandemic accelerated cloud adoption by financial institutions. Cloud adoption holds significant promise for cost efficiency, operational resiliency, cybersecurity, and innovation by financial institutions. It also helps facilitate secure cross-border data flows, which play a critical role in the global financial services market. However, data localization requirements impair the ability of financial institutions to leverage cloud technology for their benefits and the benefit of their customers.
a. Cloud adoption in the financial sector
Financial institutions have been using cloud technology, in one form or another, for almost two decades. The adoption of cloud services in the financial sector was thus already underway before the COVID-19 pandemic. The pandemic accelerated the demand for cloud services, as financial institutions were forced to move away from in-person customer service and support a remote workforce. Cloud adoption enabled financial institutions to scale up remote services in a matter of days.
According to a recent survey of global financial institutions, 98 percent of respondents maintained at least some data, applications, or operations in the cloud. Banco Santander, one of the world’s largest banks, plans to migrate most of its core banking services to the cloud by the end of 2024. Latin America’s largest bank, Itau Unibanco, will move a majority of its systems to the cloud over a ten-year period. Some banks have gone even further: Capital One, one of the largest banks in the United States, announced in 2021 that it had shuttered its private data centers and had transitioned all of its core services to the cloud. Other financial institutions—including investment companies, broker-dealers, investment advisors, and insurance companies—have also migrated some operations to the cloud. And several financial market utilities, including clearinghouses and exchanges, have transitioned to the cloud in some capacity.
Although financial institutions like Banco Santander and Capital One have gone all-in (or close to it) on cloud computing, adoption in the financial sector is still in its early stages. The same industry survey that reported 98 percent cloud adoption also reported that nearly half of respondents maintain less than ten percent of their business-critical work-loads in the cloud. Similarly, almost half of the respondents report that less than ten percent of their regulated workloads have been migrated to public cloud environments. Financial institutions have mostly used the cloud for enterprise applications like human resources and collaboration tools. Most core operations are still mostly conducted using legacy IT systems.
b. The benefits of cloud technology for financial institutions—and their customers
Still, cloud adoption in the financial sector—including for core operations—is expected to increase in the coming years. The cloud model, which makes computing resources available on demand and allows customers to only pay for resources they actually use, allows financial institutions to turn large, up-front IT expenditures into smaller, ongoing operational costs. According to some estimates, cloud adoption can reduce IT costs by between 20 and 50 percent, amounting to hundreds of millions of dollars of cost savings economy-wide. Transforming large capital expenditures into ongoing operational costs also makes financial institutions more technologically agile: they can test new scenarios, software tools and alternative configurations without a lengthy purchasing and provisioning process. Lower costs and greater technological agility translate into better products and services for customers, especially digital financial products with robust features and data. Cloud computing also levels the technological playing field between financial institutions of different sizes, by giving smaller institutions and fintech startups access to computing resources that were previously only available to larger institutions with the ability to devote significant resources to technology infrastructure.
By facilitating low-cost innovation and increased competition, cloud migration helps expand financial access and inclusion, particularly for customers in developing or under-served markets. At the global level, the share of adults with an account at a financial institution or mobile money service increased from 51 to 76 percent over the decade spanning 2011 to 2021. Cloud-based financial platforms have played a critical role in reaching previously underserved businesses and individuals. In China, for example, WeBank’s cloud-native approach has allowed its lending platform to reach millions of individ-uals and businesses with little to no credit history. Nubank, a Brazilian mobile-only bank, uses cloud-based infrastructure to offer credit cards and personal loans to customers who could not get loans from traditional banks due to their lack of credit history. In Southeast Asia, ride-hailing apps such as Grab and Go-Jek (now GoTo) have leveraged cloud infrastructure to provide payments and other financial services to retail users. Mercado Libre, the largest online commerce and payments provider in Latin America, offers cloud-based payment and credit services to customers who would otherwise lack access to them.
Cloud computing can also be more secure and resilient than traditional infrastructure. Unlike all but the largest financial institutions, the major cloud providers are at the forefront of security research and implementation. The platforms of the major cloud providers are also built to give customers tools to implement stringent security requirements, such as monitoring and logging for all activities and built-in data encryption. The scalability of cloud services allows financial institutions to handle unexpected capacity requirements—whether due to an unanticipated surge in market activity or a malicious cyberattack—that might overwhelm a financial institution’s own IT infrastructure. Moreover, since cloud infrastructure is more geographically distributed across data centers and regions than traditional IT infrastructure, cloud adoption facilitates greater resiliency in the event of a local outage.
The extensive computing resources and automatic scalability of the cloud also makes it uniquely suited to transforming how financial institutions handle data. Cloud-based environments enable financial institutions to ingest data at far greater speeds than are avail-able with traditional IT infrastructure. They also facilitate unprecedented analysis and manipulation of data once they are ingested. That sophisticated level of data analysis can help financial institutions gain competitive advantages, improve their risk management, and enhance existing functions such as fraud and money laundering detection. Recent breakthroughs in the training and deployment of large language models and other machine learning and AI tools would have been impossible without the massive computing resources available in cloud environments. Any financial institution that seeks to leverage machine learning or AI in the future will need to rely on cloud infrastructure.
c. The importance of cross-border data flows in the global financial services sector
In the financial sector, data is an essential asset that facilitates informed financial decisions. In an increasingly globalized financial services market, the secure flow of data across borders is critical for financial institutions to succeed. For example, a financial institution that operates branches or affiliates in multiple jurisdictions might want to share information regarding its customers in one jurisdiction with an affiliate in another jurisdiction in order to serve a client that has moved from one jurisdiction to another. Financial institutions benefit from market analysis or due diligence activities in which the transfer of data across borders is of material importance. And financial institutions may rely on the international transfer of consumer or business credit data for creditworthiness determinations.
More fundamentally, transactions that are vital to the international financial system, including cross-border payment systems, rely on the international flow of data. As international mobility in goods, services, capital and people has increased over time, the importance of the cross-border transactions has grown in both volume and value. In 2022, annual cross-border payments reached approximately $150 trillion. And over the course of 2023, outstanding cross-border financial claims increased by more than $2 trillion.
The advent and widespread adoption of cloud technology has created new opportunities for financial institutions to benefit from cross-border data flows. Although the major cloud providers’ infrastructure is widely distributed across geographic regions, they do not maintain data centers in every jurisdiction. To exploit the benefits of cloud technology, financial institutions may have to transfer data to another jurisdiction. For example, recent high-profile advances in the fields of data analytics and AI hold out significant promise for the financial sector. Multinational banks collect detailed information about how their customers behave, and use big data analytics or AI to develop tailored services such as personalized alerts and better fraud detection. These fields depend on processing massive volumes of data for training and producing useful insights, which requires access to com-puting resources which are only available from the largest cloud providers, and which may not be located in a financial institution’s home jurisdiction.
Restrictions on cross-border data transfers, which have increased significantly in recent years, therefore hamper financial institutions’ capacity to compete in, and take advantage of, the global financial services market. Data localization requirements limit their ability to best serve their customers. And if they limit their opportunities to leverage cloud technology, those requirements impede their access to technologies—like data analysis and AI—that promise to transform the financial sector. It is therefore critical that regulators, including financial regulators, weigh the justifications for restrictions on the cross-border transfer of financial data against their significant costs.
PART II: UNDERSTANDING DATA LOCALIZATION REQUIREMENTS
For as long as firms have used technology to transfer data across borders, regulators have imposed rules governing how they can do so. As the international flow of data has increased, so have efforts to regulate it. Restrictions on the transfer of data out of the originating jurisdiction take different forms, ranging from rules that require that data be physically located where it originates to “de facto” local storage requirements that impose stringent conditions on transferring data out of jurisdiction. Regulators have cited several grounds for imposing data localization requirements, including privacy, economic development, regulatory enforcement, and geopolitical concerns. Data localization requirements, however, have significant conceptual and practical drawbacks, underscoring the importance of achieving these goals in other ways.
a. Different kinds of data localization requirements
Data localization requirements long predate the cloud. The first national data protection laws, introduced in the late 1970s and early 1980s, required either the localization of data processing operations or prior authorization for the export of sensitive data. Over the past decade, however, as technologies like cloud computing have transformed how data is stored, processed, and shared, restrictions on the cross-border transfer of data have proliferated. According to one study, the number of countries imposing restrictions on the cross-border flow of data almost doubled between 2017 and 2021.
These restrictions vary by country in terms of both their scope and how they limit cross-border data transfers. Some restrictions apply to any data that has been generated within a country; and others apply only to certain categories of data, like financial data, or specific economic sectors or entities. In some jurisdictions, for instance, financial regulators have imposed data localization requirements on financial institutions in the absence of any general restrictions on data transfer in those jurisdictions.
With respect to content, data localization requirements can be divided into three broad categories: (1) explicit local data storage or processing rules, which mandate that data originating in a country be stored or processed in that jurisdiction; (2) “data mirroring” rules, which allow data to be transferred abroad as long as a copy of that data is stored locally; and (3) rules that place conditional restrictions on the transfer of data abroad. Depending on the stringency of those conditions, when the cost of compliance is prohibitive, they amount to de facto local storage requirements.
Local-only data storage or processing rules are the most stringent form of data localization requirement. The People’s Republic of China, for example, requires that “critical information infrastructure operators” must store locally in Mainland China such personal information and other “important data” that are collected and generated in China (although data can be transferred abroad under some circumstances). More stringent restrictions apply to financial data: the People’s Bank of China mandates that virtually all personal data collected as part of the provision of financial services be stored, processed and analyzed in Mainland China. Turkey mandates that a wide variety of firms and organizations—including publicly traded companies, pension funds, banks, and financial market regulators and infrastructures—locate their live and backup IT systems within the country. Other jurisdictions impose data localization requirements on specific types of entities or infrastructure: Venezuela, for example, requires that technology infrastructure for payment processing be located domestically. And the Central Bank of Nigeria requires that domestic payment transactions, including point-of-sale and ATM transactions, be routed domestically for switching between Nigerian issuers and acquirers.
“Data mirroring” requirements are less restrictive than local-only data storage rules, since they only mandate that a copy of data be kept on local servers or data centers, to ensure operational resilience in case of an outage or other disruption. That means that data can be transferred and processed abroad, as long as a copy of the data is kept locally. However, the requirement that a redundant copy of data be kept locally raises the relative cost of storing data abroad, and thus in practice may have the same effect as local-only storage rules. Mexico requires certain financial institutions, such as banks and fintech firms, that store data in data centers located outside of Mexico to maintain copies of accounting and transactional records locally to ensure operational continuity. Likewise, Chile mandates that banks that outsource critical workloads abroad, including through the use of cloud services, maintain a local data processing center for contingency purposes.
Other jurisdictions impose conditional restrictions on international data transfers. These conditional restrictions take on a variety of different forms. Some countries mandate that data only be transferred to another jurisdiction that has in place equivalent data protection rules or data protection is ensured by contract. For example, Brazil’s data protection law only allows international transfers of personal data where the recipient country provides an “adequate” level of data protection or where certain contractual provisions are in place. Other jurisdictions require that companies obtain the consent of regulators or customers before transferring data abroad. Saudi Arabia, for example, requires that per-sonal data be stored and processed locally unless written approval has been obtained from the relevant regulatory authority. Panama’s bank and capital markets regulators, for example, requires that regulated entities obtain prior approval for the use of foreign cloud services provided by a third party Mexican financial institutions are subject to similar requirements.
b. Reasons for data localization requirements
There are a wide variety of motivations for data localization policies. One commonly stated concern is that data transferred abroad, especially sensitive personal data like financial data, is not adequately safeguarded against potential security breaches or foreign government access. Alternatively, regulators worry that data stored abroad will not be available in the event of a disruption. Local data storage, the argument goes, is necessary to protect data against unwanted intrusions and unanticipated disruptions.
In addition to purported privacy and availability concerns, countries connect data localization requirements with the broad concept of “digital sovereignty.” In the European con-text, digital sovereignty has been defined as the “ability to act independently in the digital world,” in relation to “both protective mechanisms and offensive tools to foster digital innovation.”
Accordingly, some countries have justified data localization requirements on the ground that direct access to companies can facilitate the enforcement of laws, such as tax and anti-money laundering statutes. When data is located abroad, legal authorities worry that their ability to access data may be hampered. This argument is particularly relevant for sectors, like the financial services sector, that are subject to disclosure requirements and maintain data that is highly sought after by law enforcement authorities. Local storage of data might facilitate surveillance and other involuntary disclosures of information by regulated entities. However, this rationale arguably undercuts the privacy rationale for data localization.
Countries also introduce data localization requirements with the goal of incentivizing in-vestment in their local information technology sectors, another aim connected with the notion of digital sovereignty. If companies are required to store and process data locally, they will be forced to invest in local servers and data centers. That investment, in theory, could create spillover benefits for the local high-tech sector. Beyond the economic benefits of domestic investment in technology infrastructure like data centers, some governments view local data processing centers as critical infrastructure necessary to their national security and sovereignty. In addition, the disruption of certain critical services, like financial services, could severely impair the country’s basic functioning, which warrants special requirements to ensure the resilience and availability of those services.
c. Costs of data localization generally
While these policy aims are legitimate (if potentially contradictory), the use of data locali-zation requirements to achieve them is likely to be ineffective. The physical location of data may be one factor in its privacy, but it is not the most important. From a technical perspective, physical access to a server or other data storage device is neither necessary nor sufficient for access to the information stored on it. Data that is not managed securely can be accessed even if a user lacks physical access to a server. And if data are securely encrypted, physical access alone won’t make it accessible in an intelligible form. Moreover, if data are securely encrypted, physical access to data will not give rise to privacy risks regardless of where they are physically stored.
Local data storage does not necessarily improve the security or availability of data. Storage of data using the foreign infrastructure of a major cloud provider can offer improved security and availability. Economies of scale allow major cloud providers make investments in resilience and cybersecurity capabilities that far exceed those available with local technology infrastructure alone. In addition, the major cloud providers ensure data security and availability by distributing data and processes among multiple systems and locations, making them less vulnerable to a breach or disruption. By mandating that data remain in a particular jurisdiction, localization requirements inhibit the use of that distributed infrastructure. Moreover, by increasing the number and locations of data centers that must be staffed and maintained by companies that operate in different jurisdictions, data localization requirements also add risk and complexity to their cybersecurity operations. Requiring any multinational company to create and defend multiple versions of its systems across different locales means more hardware, more employees, and more vendors, increasing the surface area for potential disruptions or cyberattacks.
Mandating local data storage also does not eliminate the risk of foreign government access. U.S. law, for example, provides that cloud service providers subject to U.S. jurisdiction cannot avoid compliance with an access request from law enforcement authorities simply because data is located in a non-U.S. jurisdiction. Nor does local data storage ensure local regulatory supervision or access for local law enforcement. U.S.-based cloud service providers, for instance, are generally barred from sharing data with foreign governments, regardless of where the data is located. From the perspective of U.S. law, it does not matter whether the data is stored in a U.S. data center or one located in another country. The best way for regulators and enforcement authorities to ensure access to data is not localization, but through bilateral or multilateral data sharing agreements. Some jurisdictions have worked with foreign governments to facilitate access to their own citizens’ data stored abroad. Several countries, for instance, have entered into bilateral agreements with the United States so that U.S. cloud providers can comply with lawful requests for electronic data issued by the other country without a warrant directly to the cloud provider.
Even if data localization may offer some direct economic benefits, those benefits are limited. Although data localization can attract investment in domestic technology infrastructure, such as data centers, the spillover benefits are minimal because data centers are highly automated and have relatively few permanent employees. More fundamentally, competition over the location of the major cloud providers’ infrastructure is a zero-sum game: it is not economically feasible for cloud providers to build data centers, costing hundreds of millions of dollars or more, in every jurisdiction. Major cloud providers may choose instead not to build out local infrastructure. In that case, data localization requirements will harm the local economy, by cutting domestic businesses off from the benefits offered by major cloud providers’ best-in-class technology infrastructure. That translates into higher technology costs: according to one study, data localization requirements can increase the costs of data hosting by 30-60 percent. Increased costs mean reducing local companies’ ability to compete on a global scale and less innovation for local customers. Moreover, increases in the restrictiveness of a country’s data transfer rules have been linked to meaningful decreases in productivity and increases in price in affected industries.
Some jurisdictions have recognized that the confidentiality, integrity and availability of data can best be achieved through the use of cloud servers located abroad. Estonia, for example, has established a virtual “data embassy” using foreign cloud services to ensure the continuity of data that is deemed critical to the functioning of the state. Other governments have revised existing data localization requirements in light of the costs associated with them. Indonesia, for example, narrowed its strict data localization requirements, which previously applied to any provider of electronic “public services,” to only apply to government entities. And Ukraine lifted data localization requirements in order to transfer critical government and private sector data, including the data at its largest private bank, to secure foreign cloud servers before Russia’s invasion.
D. How do financial institutions and cloud providers mitigate concentration risk?
FIs and cloud providers currently take several measures to mitigate concentration risk that arises in connection with cloud adoption. This subsection outlines different steps that cloud providers and FIs can and do take to limit their exposure to concentration risk. In order to understand the different measures that can be taken by FIs and cloud providers to mitigate concentration risk, it is important to first explain the “shared responsibility” model developed by cloud providers to allocate responsibility for different aspects of cloud security and resiliency.
The “shared responsibility” model
Generally, large cloud providers rely on a “shared responsibility” model of cloud security and resiliency that defines the responsibilities of cloud providers and their customers for various aspects of the cloud environment. Although the particular shared responsibility models formulated by the major cloud providers have some differences, they share the same basic approach: cloud providers are responsible for the security and resiliency of the tools that they build (security and resiliency “of” the cloud), while users are responsible for how they use those tools (security and resiliency “in” the cloud).
In practice, that means that cloud providers operate, manage and control the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. The FI customer assumes responsibility and management of the guest operating system (including updates and security patches), other associated application software as well as the configuration of the environment and security. The shared responsibility model enables FIs to decide where they put their data, as a way to mitigate determining their own political or regulatory or risk. This shared responsibility model for the IT environment also extends to IT controls and security.
Under the shared responsibility model, cloud providers and users never share responsibility for the same aspect of cloud security or resiliency. A user’s areas of responsibility are specific to their own environment and configuration, and cloud providers have little insight or control over how users operate in those areas. By the same token, users do not dictate how cloud providers secure their portion of the cloud. The shared responsibility model can help shed light on how cloud providers and FIs limit their exposure to concentration risk.
Measures taken by cloud providers
The major cloud providers take several measures to mitigate the possibility of any single point of failure in their own infrastructure. Two key elements of their strategy are spread-ing infrastructure across different “availability zones” and regions.
Availability zones are physically separate locations within a specific region that are iso-lated from each other using redundant networking, connectivity, and power. By compartmentalizing their own infrastructure and services into redundant, isolated availability zones, major cloud providers reduce the impact that a failure at one location will have on the capacity and availability of their services. If one availability zone is affected, the cloud provider’s services, capacity and availability can be supported by remaining availability zones. FIs, or third parties that offer cloud-based services to FIs, can design and operate their cloud-based applications to run synchronously across availability zones without interruption.
In addition to the use of availability zones, which are located in the same region, major cloud providers also locate data centers in different regions, which provides even greater physical isolation from one region to another. This geographic diversity ensures that even major physical catastrophes, like flooding and earthquakes, can be weathered by cloud users without significant disruption. For critical functions that require high levels of avail-ability and resiliency, FIs can take advantage of a cloud provider’s distributed regional architecture to ensure that applications or data are consistently available by configuring those functions so that they are spread across the cloud provider’s different regions.
Measures taken by financial institutions
FIs also take different approaches to mitigating the risk of disruption and ensure business continuity. As noted above, FIs can distribute processes and data across a cloud provider’s different availability zones or regions, allowing them to build applications that can be online even if a particular data center or region experiences a disruption.
To protect themselves against lock-in, FIs should consider what impediments may exist which limit their ability to move applications and data off of a cloud provider’s infrastructure without unreasonable cost or difficulty. This needs to be considered at both the level of an individual application or workload, as well as the overall relationship with a cloud provider. In general, major cloud providers offer the functionality necessary to move applications and data from one cloud provider to another, or to an on-premises environment at the discretion of the FI. However, factors such as contractual terms, commercial commitments, or the lack of comparable services or features at an alternative provider, may increase the switching cost – expense, time, and effort – of moving between providers. Increasingly, FIs are developing “exit strategies,” which outline the different impediments that exist to seamlessly moving applications and data off of a particular cloud service provider, and the steps they will take – both proactive and reactive – to mitigate the impact of those impediments should the FI choose or need to migrate away from the cloud provider. One example of a proactive measure is mandating the use of open-source and open standards to avoid getting locked-in to a particular vendor’s proprietary format. The exit strategy also typically defines how the FI will monitor certain key risk indicators (e.g., performance against service level agreements, their commercial relationship with the cloud provider, reputational risks) and what might trigger the FI to initiate the exit plan for moving applications or data off of the cloud provider.
Another strategy that some FIs have employed to mitigate concentration risk is the use of hybrid cloud—migrating applications suited for the cloud while keeping other components in on-premises data centers—so that on-premises infrastructure is used for critical infrastructure or as backup in the event of disruption. Other FIs take a multi-cloud approach, using different cloud providers for different types of workloads, or architecting workloads to be portable between cloud platforms (e.g., through the use of containers). However, the use of a multi-cloud strategy is not without its challenges. To implement a multi-cloud configuration, an FI must build (or rely on another third party to build) a solution for managing applications and data in multiple clouds. This does not eliminate risk; it just transfers it from an individual cloud provider to the FI or a different third-party pro-vider. The use of multiple cloud providers also requires an FI to train staff and implement controls for different cloud environments. A multi-cloud strategy can also potentially introduce additional points of failure that need to be continuously managed and tested to ensure they work when needed (e.g., in the event of an outage). An unintended consequence of a multi-cloud strategy is the standardization on the “lowest common denominator” of capabilities across different clouds, resulting in less-than-optimal cloud usage.
Multi-cloud strategies have also been suggested as a way of increasing FIs’ operational resiliency, by enabling them to move processes and data from one cloud provider to another in the event of a disruption. While “multi-cloud failover” may be possible in theory, it is likely to be difficult to implement in practice given the level of complexity as well as factors such as contractual commitments, licensing, and data portability. As a result, leading analysts recommend against such an approach for increasing operational resiliency.
Regarding multi-cloud, the recent US Treasury report refers to the financial sector feed-back that multi-cloud (called ‘multi-vendor, single use-case deployment in the report), is too technically complex and resulting operational risk was too high. MAS also caution FIs about the added complexity of operating in a multi-cloud environment.
PART III: DATA LOCALIZATION REQUIREMENTS AND THE FINANCIAL SECTOR
The proliferation of data localization requirements, which impede the flow of data across borders, raises particular issues for financial services. The cross-border transfer of data within multinational entities, and between entities in different jurisdictions, is critical to the operation of the global financial sector. The largest financial institutions rely on the free flow of data to operate seamlessly in different jurisdictions across the globe. And smaller, local financial institutions rely on those larger institutions to provide international services to their own clients, who—in a world where global commerce is the norm—can require financial services where the local institution does not operate.
A French citizen vacationing in the Dominican Republic may need to take out money using a local ATM machine; or a Peruvian vendor selling goods in the Japan over the internet may want to receive payment in a foreign currency. In either case, the transaction can only be processed, and the money transferred, if data moves across international borders. Authorization for the ATM withdrawal must come from a computer system in France, which requires transfer of the customer’s data abroad. The online sale involves the transfer of both the customer’s and vendor’s data between banks and payment processors located in both jurisdictions.
These are only a couple of the ways in which cross-border data flows are critical to the operation of the financial sector. Data localization requirements limit the ability of financial institutions to operate across borders, inhibiting their ability to meet the needs of their customers and even the ability of financial regulators to engage in oversight. They also prevent financial institutions from taking advantage of new opportunities, such as large-scale data analysis and AI, afforded by cloud technology.
a. Complex data regulations increase costs and stifle competition
In addition to their substantive restrictions on cross-border data transfer, data localization rules can also be difficult to implement and comply with. For one, there can be considerable uncertainty about the scope of data privacy rules. It can be unclear which entities are subject to them and to what data they apply. Although data localization rules often distinguish between personal and non-personal data, the line between them is not always clear. Information about particular individuals like key employees (personal data) is sometimes embedded in information about companies (non-personal data). In addition, sophisticated data analysis tools make it easier than ever to infer personal information from purportedly non-personal data. As a result, localization requirements that ostensibly apply only to personal data can in practice limit the transfer of all data, whether personal or not. Another source of complexity is that financial institutions may be subject to specific data localization rules that supplement general data protection laws in a particular jurisdiction. The combination of general data protection rules with specific rules applicable to financial services can give rise to significant compliance costs.
Consider a global financial institution that is weighing the question of whether to open a branch or affiliate in a jurisdiction that requires local storage (or copies) of certain data. In order to open the branch, the financial institution would have to implement an operational workaround, such as the use of a local software provider or data center for processing and storing data in that jurisdiction. Establishing and maintaining this local solution will require time and money, both operationally and in terms of ensuring compliance with applicable data localization requirements. Those additional costs will be passed on to the financial institution’s local customers, leaving them worse off than its customers in other jurisdictions.
Alternatively, the financial institution may decide that the cost of establishing a local work-around is prohibitive and forego the branch or affiliate entirely. Even if the cost of the local solution does not rule it out, the financial institution may find that there is no local solution that meets its own standards—or standards imposed by its home country—for data security or resiliency. Or the financial institution may decide that it is too complicated to develop compliance and risk management policies that are tailored to the specific requirements of that jurisdictions. For any of these reasons, data localization requirements may effectively exclude the financial institutions from the local market, stifling competition and depriving residents of that jurisdiction from access to important services.
Data localization requirements may also inhibit the ability of local financial institutions to serve customers that travel or live abroad. Restrictions on the cross-border transfer of data can make it more difficult to consolidate and analyze customer data from different locations, which is critical for risk management, fraud detection, and customer analytics. If customer data cannot be easily shared or integrated across borders, local financial institutions will face challenges serving their customers in other jurisdictions. Localization requirements can also prevent financial institutions from leveraging global technology infrastructure, limiting their ability to offer consistent and efficient services to customers abroad.
b. Data localization can compromise cybersecurity and resilience
Proponents of data localization requirements frequently appeal to the purported enhancement of cybersecurity and operational resilience. These arguments in favor of data localization are misguided. As noted above, global cloud providers benefit from economies of scale that enable them to make substantially larger investments in data security and availability compared to local or regional infrastructure providers.
The distributed nature of storage and processing in the cloud, as well as the greater computing resources available to the major cloud providers compared to individual financial institutions or local technology providers, translate to greater operational resilience. Cloud providers allow a financial institution to automatically scale up and maintain availability in the face of a cyberattack that would overwhelm locally available technology infrastruc-ture. Likewise, by enabling financial institutions to distribute processes and data across different data centers, the cloud enable them to build applications that are online constantly, even if a particular data center—or an entire region—experiences disruption.
Local technology companies may lack resources that compare with the major cloud providers, whose infrastructure is built to the highest cybersecurity standards0 Even localization requirements that mandate that financial institutions keep a local copy of data can compromise its security, by increasing the number of access points to the data and therefore the likelihood of a cybersecurity breach. Data localization requirements can also make it more difficult for financial institutions to identify, prevent, and mitigate cyber threats, by limiting their ability to share information from one jurisdiction with regulators in other jurisdiction.
c. Data localization can inhibit financial regulatory oversight
Facilitating regulatory oversight and law enforcement is another commonly invoked justification for data localization requirements. Many financial regulators express concern that once data leaves the borders of their jurisdiction, they will no longer be able to access it. As noted above, data localization does not necessarily solve the problem of law enforcement or regulatory access to data. Moreover, the opposite is just as likely to be true: data localization requirements can make oversight by financial regulators more difficult.
Data localization requirements are likely to provoke, or encourage, reciprocal requirements in other jurisdictions. Thus, even if localization requirements in a regulator’s own jurisdiction did facilitate their access to some financial data, similar requirements in another jurisdiction would impede their access to other important data. Where an international transaction involves two jurisdictions that impose data localization requirements, financial regulators in each jurisdiction would only have a view of half the transaction. This would inhibit the exercise of basic financial surveillance functions like anti-money laundering and fraud detection, as well as broader mandates such as financial stability over-sight.
d. Benefits of data transfer for financial institutions
In the absence of data localization requirements, financial institutions are able to leverage out-of-jurisdiction cloud technology infrastructure to lower costs, increase data security and operational resilience, and offer better services to customers. This is true whether the financial institution is a global financial institution looking to enter a new local market, or a local financial institution attempting to gain access to better technology infrastructure or expand globally.
Although many financial services customers still rely on an in-office workforce and in-person services, there is increasing demand for remote work and services, driven in part by the COVID-19 pandemic. Cloud technology facilitates remote work and the provision of digital and other remote services. Financial institutions like Societe Generale, for example, relied on cloud-based device management solutions to support thousands of remote workers through COVID-19-related lockdowns. One Europe-based multinational bank relied on its cloud infrastructure to continue to serve customers in Brazil during the pandemic, which was only possible due to the absence of data localization requirements. Beyond pandemic-driven changes to the workforce and customer service, financial institutions have continued to rely on cloud technology to offer innovative digital services to customers. For example, Itau Unibanco, the largest banking institution in Latin America, leveraged cloud technology to implement Pix, the digital instant payment service mandated by Brazil’s central bank. Likewise, BBVA relied on cloud-based technology to securely enable contactless payments while complying with country-specific regulations—making it the first financial institution to offer contactless payments in Peru, Argentina, and Colombia.
Financial institutions can also use offshore cloud infrastructure to deal with financial market disruptions that might otherwise overwhelm their technology infrastructure. Cloud computing allows users to scale up automatically without any physical on-site presence. That can help financial institutions react to market stress events, such as unexpected surges in trading volumes or market volatility. The cloud’s automatic scalability, as well as greater processing power compared to traditional technology infrastructure, also enables financial institutions to ingest and analyze data in real-time. For example, cloud solutions make it possible for financial institutions to calculate their liquidity position several times a day, even in during periods of significant market volatility.
In addition, cloud technology facilitates access to frontier technologies like big data analysis and AI, which rely on the vast computing resources available in the cloud. Financial institutions throughout the world already use cloud-based AI tools for basic functions like customer support. As machine learning and AI capabilities develop, it will be used for data analysis and other, more critical functions such as risk management. HSBC, for example, uses cloud-based risk modelling tools to manage risk and inform trading and credit activity. Itau Unibanco moved its machine learning infrastructure from on-premises data centers to the cloud in order to accelerate model deployment and analysis. These sophisticated capabilities, however, will only be available to financial institutions that are permitted to access cloud-based services that, in many cases, will rely on out-of-jurisdiction technology infrastructure and require international data transfer.
PART IV: POLICY RECOMMENDATIONS FOR FINANCIAL REGULATORS
Data localization requirements impose significant costs on financial institutions and the customers they serve. Although they are often motivated by legitimate policy aims, such as protecting sensitive data and ensuring data access for regulatory supervision and enforcement, those aims would be better served through policies that avoid those costs. Financial regulators must strike a balance between the policy concerns underlying data localization requirements and the imperative of facilitating cross-border data flow in the financial sector, including the use of out-of-jurisdiction cloud infrastructure. That balance would be better achieved by rules that: (1) focus on realizing policy objectives directly, rather than indirectly through data localization requirements; and (2) address policy aims through coordination and cooperation with other local regulators and regulators in other jurisdictions.
a. Adopt a principles-based approach to data protection
Mandating that data remains in a particular jurisdiction is neither necessary nor sufficient to maintain its security. Sensitive data that is not managed securely can be compromised by someone who lacks physical access to it. Accordingly, data localization does little to ensure that private data remains private. In order to protect private data, financial regulators should focus on ensuring that data is stored securely—whether it is stored locally or abroad. As noted above, the platforms of the major cloud providers are built to give financial institutions tools to implement stringent security requirements, including built-in data encryption.
To alleviate concerns that financial institutions may transfer sensitive data to jurisdictions that do not protect data privacy, regulators might require that data is only stored in a jurisdiction that affords sufficient legal protections to personal data. The approach of the OECD Privacy Guidelines to personal data transfer is instructive. Those guidelines, which were adopted in 1980 and revised in 2013, emphasize that legal responsibility for personal data applies without regard to the location of the data—whether it is stored locally or abroad. They also stipulate that countries should refrain from restricting the cross-border flow of data where sufficient safeguards exist to ensure that personal data is protected. In addition, they provide that restricts on the cross-border flow of personal data should be proportionate to the risks presented.
Brazil’s data protection regulation adopts a similar approach. The regulation allows the transfer of data to countries with an “adequate level of protection” for personal data and guarantees of compliance with the data protection rights and principles provided by Brazil’s data protection regulation. Importantly, those standards are not rigid, but can be satisfied in several different ways, including through specific contractual provisions or general codes of conduct. That allows financial institutions flexibility to determine how best to protect sensitive data that is transferred out-of-jurisdiction, as long as sufficient privacy safeguards are in place.
b. Focus on the quality of technology infrastructure, not its location
Data localization is often justified based on the notion that local data storage means that the data is more readily available and more resilient to disruption. But the location of data is just one factor that might affect availability and operational resilience. An approach that prioritized availability operational resilience should take into account the many factors that might affect the integrity and availability of data. In many cases, relying on a major cloud provider—including its out-of-jurisdiction infrastructure—will provide financial institutions with a greater degree of availability and resilience than local infrastructure. Regulators should give financial institutions more latitude to make their own assessment regarding the resilience of their data storage and processing solutions to disruption, taking into account the nature and importance of the process and the potential for disruption.
c. Ensure access to data for regulatory supervision and law enforcement
Effective oversight of financial institutions can be achieved without requiring local storage of data. Financial regulators and law enforcement authorities can ensure access to rele-vant data whether it is stored locally or in a different jurisdiction. Access to data stored abroad can be achieved through agreements with financial regulators in other jurisdictions. Several financial regulators have worked with their foreign counterparts to develop bilateral legal frameworks and mechanisms for cross-border cooperation, which are aimed at enabling cross-border data flows while ensuring access to data for purposes of supervision. The Central Bank of Brazil, for example, has agreements, aimed at facilitating supervisory information flows, with supervisory authorities where Brazilian financial institutions have foreign operations and those where foreign financial institutions have operations in Brazil. Similarly, the Monetary of Singapore has entered into agreements with U.S. and U.K. financial regulators that allow financial institutions to transfer financial data, including personal information, across border as long as financial regulators have full and timely access to that data. On the multilateral level, the updated Multilateral Memorandum of Understanding developed by the International organization of Securities Commissions (IOSCO) requires signatories to share certain information with regulatory counterparts.
Access to relevant data can also be ensured through financial institutions’ contractual arrangements with technology service providers. Several jurisdictions, for example, require that a financial institution’s contractual arrangements with its service providers ensure that financial regulators have sufficient data access to supervise the financial institution. These contractual provisions typically include access to the financial institutions’ data as well as the cooperation of the service provider with the regulator in relation to information requests and rights of access for audits of the service provider.
d. Increase coordination at the local and international level
The complex patchwork of data localization requirements both within jurisdictions and across different jurisdictions increases costs for financial institutions and stifles competition that would otherwise benefit their customers. To minimize uncertainty and achieve regulatory coherence, financial regulators should work together with local authorities (such as privacy authorities and regulators in other sectors) as well as foreign counter-parts to develop broadly consistent approaches to data transfer that would allow for cross-border data transfer while also addressing perceived reasons for data localization. Doing so minimizes unnecessary barriers to data transfer, allowing financial institutions to benefit from out-of-jurisdiction technology infrastructure, including cloud computing.
International coordination can occur at the bilateral level. For example, Australia and Singapore entered into a “digital economy agreement” which allows businesses, including in the financial sector, to transfer data across borders without being required to build or use data centers in either jurisdiction. Importantly, the agreement ensures that privacy rules applicable to personal information continue to apply whether data is stored locally or in the other jurisdiction. Singapore has entered into similar agreements with Korea and the United Kingdom.
At the multilateral level, Japan has proposed the concept of “data free flow with trust,” which has been endorsed by both the G7 and G20. The aim of the concept, which articulates principles for data governance that would inform global standards, is to promote the free flow of data while protecting the privacy and security of data. In the Indo-Pacific, the Asia Pacific Economic Cooperation (APEC) forum developed a Cross-Border Privacy Rules (CBPR) system, a government-backed privacy framework that establishes a certification mechanism for private companies that agree to implement internationally recognized data privacy protections. Certified companies, whose compliance is assessed by designated accountability agents and is enforcement by law, can freely transfer data between participating countries, allowing them to bridge differences between the privacy laws of participating countries. Several APEC members, including the United States and Japan, have promoted a global CBPR system to expand on the APEC model. Currently, however, financial institutions generally cannot be certified because of financial regulators do not participate in the system.
In the financial sector, the Financial Stability Board (FSB) has identified cross-border data exchange and message standards as a priority for enhancing cross-border payments. As part of this process, the FSB plans to develop recommendations for promoting alignment and interoperability across different data frameworks that apply to cross-border payments, including data privacy, operational resilience, AML/CFT compliance, and regulatory and supervisory access requirement. Those recommendations, in turn, will serve as the basis for national authorities to reevaluate their own data frameworks. Consistency between jurisdictions on the transfer of financial data, and the elimination of barriers to cross-border data transfers, will allow financial institutions to realize the benefits that cloud technology has to offer.