Learning About Cloud Security for Swiss Private Banks
It has been 3 months since I moved from the tech industry to the banking sector, and here is my take on Swiss private banking cloud security. This article condenses what I have learned so far about the various regulations that apply to the Swiss private banking sector and its challenges around data confidentiality. Transitioning from a software company, where the main risk was supply chain attacks, to a private bank, where client data confidentiality is the main concern, has been an eye-opening experience.
When you think of Swiss private banking, you likely imagine vaults, discretion, perhaps even spy movies, and a tradition of keeping client information sealed tighter than Fort Knox. Moving such an old, deeply rooted and cautious sector to the cloud is not exactly straightforward. The Swiss take data security very seriously, and what works in other countries can be illegal in Switzerland. This blend of high stakes and strict regulations makes the cloud journey quite a unique puzzle, especially for information security professionals.
Overview of Regulations: Data Protection and Banking Secrecy
Swiss banks operate under complex European and Swiss regulations, all of which play a major role in cloud adoption, especially when it comes to managing client information.
nFADP and GDPR
Switzerland's new Federal Act on Data Protection (nFADP) and the European Union's General Data Protection Regulation (GDPR) are two regulations about protecting personal data and ensuring privacy. They share the same goal, but differ on key points:
- Scope and Applicability: GDPR applies to any organization processing personal data of EU citizens, regardless of where the organization is located in the world. The nFADP, while similar, specifically applies to Swiss citizens and organizations within Switzerland.
- Fines and Penalties: GDPR is notorious for its severe fines, which can reach up to €20 million or 4% of a company's global revenues. The nFADP imposes fines as well, but they are generally lower and capped at CHF 250k for both companies and individuals.
- Consent and Rights: While GDPR demands explicit consent for data processing, the nFADP only requires that individuals be informed. Both regulations grant individuals rights over their data (access, correction, deletion), though GDPR is often seen as more constraining in its consent requirements and more exhaustive in the rights it grants.
Banking Secrecy, FINMA, and the Cloud Act
Swiss banking secrecy has been the cornerstone of the country's financial system for almost a century now, ensuring that client information is kept confidential. However, as the global regulatory environment has evolved, so too has the scrutiny on these practices.
- Banking Secrecy: Swiss law protects client identities and account information, referred to as Client Identifying Data (CID), making it a crime to disclose client data without consent. CID must remain in Switzerland, with very restricted access, ensuring it stays under the bank's control. This secrecy is one reason Swiss banks have historically been hesitant about adopting cloud solutions, particularly those involving foreign providers, and U.S. providers even more so!
- FINMA: The Swiss Financial Market Supervisory Authority (FINMA) is the regulator overseeing the financial sector in Switzerland. It enforces banking secrecy but also provides guidelines for outsourcing to the cloud. FINMA’s Circular 18/3, for example, allows data to be stored abroad under specific conditions.
  1. Third-party service providers must ensure data protection equivalent to Swiss standards.
  2. Swiss banks must retain the ability to access and control their data, even if stored outside Switzerland.
  3. Data transfer and storage must comply with banking secrecy principles and, where necessary, obtain client consent.
- Cloud Act: The U.S. Clarifying Lawful Overseas Use of Data (Cloud) Act allows U.S. authorities to access data stored by U.S. companies, even if the data is held outside the U.S. For Swiss banks, this raises concerns about client data being accessed by foreign governments if it is stored with a U.S.-based cloud provider.
- Digital Operational Resilience Act (DORA): DORA, adopted by the EU, is designed to ensure that financial institutions within the EU can withstand, respond to, and recover from all types of ICT-related disruptions and threats. While it is EU-focused, Swiss banks with operations in the EU need to consider its implications, particularly around cybersecurity and operational resilience.
Why Move to the Cloud?
Let’s talk about why Swiss banks are even considering the cloud. The shift is not just about cost savings, it is about staying competitive. Modernizing IT infrastructure and core banking systems is crucial to meet the demands of today's fast-paced financial sector, especially in wealth and asset management.
The cloud is particularly attractive for small banks that lack the skills and resources to operate in-house IT infrastructure, whereas big banks can afford to stay on-premises.
But not every bank will take the same path. Some may move part of their operations, such as email, HR systems and video conferencing, to the cloud while keeping their core banking systems on-premises for tighter control. For others, this may mean going fully cloud, relying on data anonymization, tokenization, or bringing their own encryption keys (BYOK).
The cloud is a way to leverage advanced technologies without the heavy lifting: scaling up operations, getting powerful analytics, and deploying new services quickly. Vendors like Avaloq and Temenos offer cloud-based core banking solutions, akin to AWS services for banks, allowing banks to focus on their core business without reinventing the wheel.
Cyber Security Challenges for Private Banks with the Cloud
With the regulatory framework in mind, the challenges of moving to the cloud become clearer. Here are the main challenges to consider in my opinion:
- CID Protection (Banking Secrecy): CID demands the highest level of security: it is the crown jewels and can hardly be moved to the cloud. Access must be very tightly restricted and forbidden to the cloud provider and to anyone outside the bank; the data must be encrypted, anonymized or tokenized, and stored securely.
- Regulatory Compliance: The regulatory landscape is a minefield. Banks must manage ongoing audits and maintain strict security policies, which takes a lot of time and requires dedicated resources.
- Third-Party Risk / Vendor Due Diligence: Just because a cloud technology provider promises something does not mean you should take them at their word. Look at their security statement and audit reports, and, most importantly, ensure their infrastructure meets Swiss regulations. Remember, a global giant like Microsoft or AWS might have all the certifications in the world, but if their cloud services do not meet Swiss standards, they are a no-go; also be aware that such providers are not flexible about modifying the terms and conditions of their contracts.
- Legacy Systems and Cultural Resistance: One of the biggest challenges in moving to the cloud lies in the traditional mindset and culture within banks. Many professionals have spent 15, 20 or more years in the industry, relying on tried-and-true methods that have seen them through numerous challenges. These are the gatekeepers of Swiss private banking, and their cautious approach is grounded in deep experience. They have witnessed how things can go wrong and understand the immense responsibility they carry. However, this caution can sometimes translate into skepticism, or even resistance, when it comes to adopting new technologies like the cloud. This resistance often stems from a combination of valid concerns and a natural unfamiliarity with the cloud's potential. The banking sector is inherently conservative, and cutting-edge technology is not always the first choice. For example, there are worries that moving to the cloud could lead to security breaches or loss of control over critical data. While these concerns are understandable, they can be addressed with the right education and careful planning. Adapting to these changes is a shared responsibility, with IT leadership driving modernization and security ensuring that these changes are implemented safely. It is about demonstrating that the cloud is not a threat but a powerful tool that, when used properly, can enhance both the security and efficiency of banking operations.
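As an added example (not code from the original article), here is a minimal tokenization boundary in Python of the kind the "going fully cloud" paragraph and the CID Protection point describe: a token vault that stays on-premises in Switzerland replaces CID before a record leaves for the cloud, and an egress guard refuses records that still carry CID, including an IBAN hiding in a free-text field the classification did not cover. The field names, the sample record and the IBAN pattern are assumptions made for the illustration.

```python
import re
import secrets

# Constructed for this example: the fields this bank classifies as Client Identifying Data (CID).
CID_FIELDS = {"client_name", "iban"}
# Swiss IBAN shape (CH + 2 check digits + 17 alphanumerics, optionally space-grouped), used to
# catch CID that slipped into free-text fields the classification does not cover.
SWISS_IBAN_RE = re.compile(r"\bCH\d{2}(?:\s?[A-Z0-9]{4}){4}\s?[A-Z0-9]\b")


class OnPremTokenVault:
    """Token vault that never leaves the Swiss data centre; only it can map a token back to CID."""

    def __init__(self) -> None:
        self._token_to_cid: dict[str, str] = {}
        self._cid_to_token: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        # Same CID -> same token, so cloud-side analytics can still group records per client.
        if value not in self._cid_to_token:
            token = "tok_" + secrets.token_hex(8)  # random: no key or hash for anyone to attack
            self._token_to_cid[token] = value
            self._cid_to_token[value] = token
        return self._cid_to_token[value]

    def detokenize(self, token: str) -> str:
        # Only bank-internal systems hold a vault reference, so only they can resolve tokens.
        return self._token_to_cid[token]


def prepare_for_cloud(record: dict, vault: OnPremTokenVault) -> dict:
    """Replace each CID field with its token; non-CID fields pass through unchanged."""
    return {k: vault.tokenize(v) if k in CID_FIELDS else v for k, v in record.items()}


def cid_leaks(record: dict) -> list:
    """Egress guard: reasons (empty if none) why this record must not leave the bank."""
    problems = []
    for key, value in record.items():
        text = str(value)
        if key in CID_FIELDS and not text.startswith("tok_"):
            problems.append(f"{key}: CID field sent in clear")
        if SWISS_IBAN_RE.search(text):
            problems.append(f"{key}: IBAN pattern found in value")
    return problems


# Constructed sample record; the IBAN is the well-known documentation example, not a real account.
SAMPLE = {"client_name": "Anna Muster", "iban": "CH93 0076 2011 6238 5295 7",
          "portfolio_value": 1250000, "notes": "Rebalance in Q3"}
```

Run `cid_leaks(prepare_for_cloud(SAMPLE, vault))` before every cloud write; an empty list means the record carries tokens only, while a non-empty one should block the transfer and raise an alert.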
Final Thoughts
In my view, the shift to the cloud is inevitable for Swiss private banks. As these institutions modernize and enhance their service offering to remain competitive, they must define a strategy that upholds their core values of security, confidentiality, and trust. For security engineers like me, it requires understanding that solutions effective elsewhere may not apply. Swiss private banking has its unique set of challenges, from ensuring that virtual meeting platforms do not expose sensitive information to preventing EDR solutions from inadvertently logging CIDs on endpoints.