image description

Navigating Data Residency & Privacy Compliance in the Cloud

Manual post section

Navigating Data Residency & Privacy Compliance in the Cloud

November 2017
Niall Twomey
Chief Technology Officer

Security and data security concerns have traditionally topped the list of issues for lack of adoption of cloud technologies by banks.

Security and data security concerns have traditionally topped the list of issues for lack of adoption of cloud technologies by banks.

In a survey conducted by Forrester Research a few years ago, it found that the top five reasons why US banks were avoiding cloud technology included.  

  1. Security (73%)
  2. Privacy (63%)
  3. Risk (59%)
  4. Regulation (56%)
  5. Technology Maturity (43%)

This has prevented financial services organizations from embracing the cloud, while their fintech and regtech peers embraced the technology and outpaced them in terms of bringing innovations to market.

The security tools and solutions used in an on-premise world just don’t apply in the same way in a cloud-environment. On-premise solutions have a defined perimeter to protect, however, cloud has no such perimeter, making threats appear unbounded.

For financial institutions to embrace the cloud, they must take appropriate measures to address security concerns. To do this, they need to deploy continuous security monitoring to their cloud environment to ensure that all threats are recognized and acted upon immediately at any time.

Managing Data Privacy Issues

While cloud opens up the world of data for banks, its global accessibility also increases the risk of violating data privacy rules. It is very important to get clarity on data residency, as it has implications in terms of both international and local data protections laws, such as the forthcoming General Data Protection Regulation (GDPR) in Europe.

In a Client Lifecycle Management scenario, this means that banks will need to incorporate provisions that ensure data privacy. One way to do this is through the implementation of a robust authorization framework. This framework should ensure that a set of rules are applied automatically to data being accessed, viewed or shared by an entity in a different jurisdiction. The rules should govern the following examples:

  • For jurisdictions that absolutely prohibit the sharing of client data outside of their borders, the solution should not grant access to or sharing of client data outside the domestic country;
  • For jurisdictions where sharing of data outside the jurisdiction is permitted by client consent, the solution should be capable of collecting, collating and reporting of consent on entity and jurisdictional attributes on the client profile.
  • Where jurisdictions grant the sharing of some data but not others outside of the country, the solution should be capable of masking the data prohibited to be viewed using implementations of defined interface, based on a user's confidentially level and sensitive data permissions.
  • Where data cannot be shared with select countries, the solution should be capable of ensuring this through jurisdictional attributes on the profile.

Solving Data Residency in Cloud Client Lifecycle Management

By its very nature, cloud gives the impression of full accessibility and flexibility of services and data. However, managed properly, data can be managed securely and efficiently, even in a cloud environment. To do this, certain protocols and rules need to be put in place to ensure good governance over this process. For example, by implementing a clear separation of data in separate databases, banks can ensure that data is not inadvertently accessed, viewed or shared with any prohibited user or jurisdiction. Similarly, the rules should ensure that data initially available in a more restrictive jurisdiction is never shared with a less restrictive one. This ensures the standards of data privacy remains at its highest. Conversely, the solution should be capable of controlling duplication of data to more restrictive jurisdictions e.g. where initial data is available in a less restrictive jurisdiction, controlled updates of duplicated data or notifications of data changes should be sent from less restrictive to more restrictive jurisdictional instances.

Below is an example of cross-jurisdictional access with data residency restrictions. In this scenario, a Mexican user can access LE1 and LE2, however, the US user can only access LE2.

LEI jurisdiction


The financial services industry is still in the early stages of cloud adoption and experimentation. Over the last two years especially, the cloud has transformed from being perhaps the most frowned upon technology in the banking industry due to security and regulatory concerns to an area of growth, opportunity and better client experience.

In the next five years, the financial services industry will look very different than it does today. Cloud adoption will be very much innovation as usual enabling all banks to become cloud-first firms that prize speed, innovation and accessibility. 


Download our whitepaper on Banking on the Cloud for Client Lifecycle Management

CLM in the Cloud whitepaper preview

In this paper, we explore we explore the world of cloud-centric banking, including: the benefits it can deliver to banks spanning the commercial, business, investment, corporate, private and retail banking divides; the potential of cloud for Client Lifecycle Management (including data management, compliance and client onboarding operations and the key considerations to be borne in mind when migrating from on-premise to cloud.

Click here to download the paper




Please complete the form below to download this blog.

previous blog

Cloud Adoption: A Quiet Revolution in Financial Services

next blog

8 Major Benefits of Cloud Technology for Client Lifecycle Management