Closer to clouds: A new position of the Office of the Financial Supervision Authority on cloud solutions for the financial services sector

Today, i.e. 24.01.2020, the Financial Supervision Authority published its long-awaited position on the processing of data by supervised entities in public or hybrid cloud computing. Its assumptions are in line with the standards under development by a Polish Bank Association working group, with Kochański & Partners as the main legal counsel. The project is managed by Accenture and led by Grzegorz Pędzisz, CIO at Idea Bank.

The new position will replace that published on 23.10.2017 on “the use of cloud computing services by supervised entities”.

In particular, it introduces changes to requirements for outsourcing agreements and guidelines for cloud service providers, and the obligation to comply with the ISO/IEC 27017 standard regarding data security in cloud computing.

The new position also provides information on risk assessment in accordance with the current requirements of PN-ISO 27005 or its equivalent in the European standardization system, or other structured approaches.

The position further presents a necessary terminological framework together with a previously unknown definition of specific outsourcing, and provides useful guidelines for its application as well as data re-classification and assessment.

The new position of the Office of the Financial Supervision Authority also sets out detailed rules and deadlines for cloud implementation, including an application form for data processing in cloud computing.

Its publication may significantly accelerate the full transition to cloud computing by Polish banks. As predicted by Agnieszka Serzysko, PhD (Attorney at Law, Partner, Head of Financial Services at Kochański & Partners) in a December interview with Forbes magazine, it is probably only a matter of 2-3 years.

“Banks will not only have to sign relevant agreements, but also update their infrastructure, and create or adapt their internal procedures which – of course – our law firm and Financial Services Practice would be delighted to help with. The sooner they get into cloud computing, the better. Optimistically speaking, it is a matter of 1-2 years,” explains Agnieszka Serzysko, PhD.