09 December 2025

Cloud services for banks and securities firms (Part 2)


The increasing use of cloud services by banks and securities firms boosts efficiency and reduces costs, but at the same time poses significant risks for the institutions.

Tanja Steiner-Müller, Senior Legal Associate

A trend toward increasing use of cloud services can also be seen at banks and securities firms. Despite the potential for increased efficiency and cost advantages, the use of cloud services also entails risks for banks and securities firms.

Following Part 1, here is Part 2 of our series.

Part 2: Interpretation guide for the use of cloud services

The Swiss Bankers Association (hereinafter "SBA") has drawn up (legally non-binding) cloud guidelines as an interpretation aid for the use of cloud services by banks and securities firms and updated this guide in November 2025 in its third edition. According to the SBA, the cloud guidelines were updated in response to regulatory developments, such as in the area of operational risk regulation.

Overview of the Swiss Bankers Association's Cloud Guidelines

The Cloud Guidelines 2025 state that banks and securities firms (hereinafter referred to as "institutions") must not only have a clear understanding of the legal and regulatory requirements (which apply regardless of the technology used), but should also be able to specify and operationalize these requirements by means of appropriate technical and organizational measures. They also clarify that cloud providers must comply with the same obligations and framework conditions as the institution itself. In other words, the institution must pass these obligations on to the cloud provider accordingly.

The Cloud Guidelines 2025 focus on four topics (which are essentially identical to the previous version).

1. Governance including risk management

The first key topic concerns requirements relating to the selection and change of cloud providers and their suppliers/subcontractors (as well as approval for a change of subcontractors) at institutions. For example, when selecting/changing a cloud provider or its subcontractors, an institution must clarify (in advance) whether the cloud provider is capable of contractually assuming the relevant obligations under applicable financial market and data protection regulations in addition to the performance-related criteria, and of ensuring compliance with these obligations by means of technical and organizational measures. In particular, data must also be taken into account as an integral part of the underlying due diligence process when selecting a cloud provider (in addition to the opportunities and risks associated with the procurement of cloud services and the significance of cloud services within the meaning of FINMA Circular 2018/3 "Outsourcing"). Any change of cloud provider must be subject to the prior written (or otherwise verifiable) consent of the institution. The same applies to the engagement or change of subcontractors. The cloud provider must inform the institution of the engagement or change of a subcontractor. The institution must also have the option of terminating the cloud provider's services in an orderly manner (see also FINMA Circular 2018/03 "Outsourcing," margin no. 33). Under similar conditions, a relocation to another jurisdiction by the cloud provider (and/or significant subcontractors) during the term of the contract should be regulated by contract (e.g., contractual amendment procedure, prior consent of the institution, etc.).

2. Data processing

The second focus topic deals with the processing of bank client data and data relevant to banking secrecy. Compliance with regulatory and legal requirements regarding banking secrecy must also be ensured at all times in the cloud through appropriate technical and organizational measures. In particular, this involves protecting data protected by banking secrecy from access by unauthorized persons and ensuring the confidentiality of bank client data. In doing so, the institution must also take into account the requirements of FINMA Circular 2023/1 (in particular with regard to critical data). The classification of outsourced bank client data may also change during the term of the contract with the cloud provider, which should be covered contractually with the cloud provider (including appropriate measures prior to implementation). If the cloud provider is located abroad, additional questions or requirements may arise for the institution in order to prevent (for example) foreign authorities from gaining access to bank client data or the cloud provider from being requested by foreign authorities to disclose bank client data ("foreign lawful access" as a keyword). Anonymizing data can be a possible technical measure to protect bank client data in the cloud from access by unauthorized third parties. In addition to technical measures, there are also possible organizational and contractual measures that can be taken or implemented by an institution to protect bank client data in the cloud.

In connection with the outsourcing of bank client data to a cloud provider in Switzerland or abroad, the institution must first consider whether and to what extent bank clients have been informed about this and, if necessary, whether they have consented to such outsourcing or whether a banking secrecy waiver by the bank client is necessary.

In addition to the location where bank client data is processed, the associated transparency towards bank clients, and the data flows (including those at the cloud provider and its subcontractors), the institution must also implement an access control concept, or require the cloud provider to do so, in particular if the cloud provider (and, where applicable, its subcontractors) has access to bank client data.

In addition, the institution must (with regard to the ability to access Swiss bank client data at any time) consider the necessary steps in connection with the recovery or resolution of the institution and with ensuring the general availability and return of bank client data to the institution and/or a successor or rescue company. The cloud provider must be contractually obliged to continue to provide cloud services to the institution, FINMA, and any successor or rescue company in the event of the institution's recovery or resolution, and to provide appropriate termination support (including the return/transfer of bank client data) to the institution, a successor provider, and/or a successor or rescue company.

3. Authorities and proceedings

The third focus topic deals with transparency and cooperation between institutions and cloud providers in the area of regulatory and judicial measures. It presents possible solutions for a coordinated approach between cloud providers and institutions when dealing with requests from authorities for the disclosure or transfer of bank client data ("lawful access" and "foreign lawful access"). The regulatory section of the cloud guidelines contains various recommendations for technical and organizational measures that should be contractually imposed on or transferred to the cloud provider (in the sense of obligations).

4. Audit

The final focus topic deals with the auditing of cloud services and the cloud infrastructure used to provide the services. In particular, it is important to ensure that access to data in the cloud is guaranteed at all times for auditing purposes. Institutions must ensure and regularly verify that the cloud provider and its subcontractors comply with the applicable legal, regulatory, and contractual requirements (e.g., regarding outsourcing). Audits of the cloud provider should be carried out and initiated by the institution itself, its audit firm, or FINMA. The audit of subcontractors can generally be carried out indirectly via the cloud provider. However, the institution must contractually reserve the right to conduct its own direct audit of key subcontractors. Guidance on the subject of auditing can also be found in Appendix I to the SBA's Cloud Guidelines (2nd edition, November 2025).

Conclusion

The use of cloud services by banks and securities firms brings with it great opportunities but also great risks. Before engaging a cloud service provider, banks and securities firms must perform appropriate due diligence and ensure that the financial market law, organizational, and technical requirements and any other (contractual and data protection) requirements are complied with and implemented by the cloud service provider (and any subcontractors) at all times. Institutions must identify, assess, limit, and monitor the risks, such as operational risks, associated with engaging a cloud provider or outsourcing functions to a cloud or cloud provider. In addition to the regulatory requirements, the contract with the cloud service provider must also be reviewed and, if necessary, supplemented with the necessary requirements from an IT/technical, data protection, and any other relevant perspective.

If you have any questions regarding the use of cloud services, please do not hesitate to contact us.
