Draft (Hebrew)​


The
Banking Supervision Department today published a draft Proper Conduct of
Banking Business directive on cloud computing, which replaces the Supervisor’s
Letter published on June 29, 2015 regarding “Risk management in a cloud
computing environment”.

 

Supervisor
of Banks Dr. Hedva Ber said, “This draft directive is a continuation of the
Banking Supervision Department’s activity to advance the implementation of new
technologies in Israeli banking.  The draft
directive contains leniencies for banks which, from now on, will be able to
implement many more cloud applications without first obtaining a permit from
the Banking Supervision Department, but with proper risk management within the
organization according to principles set out on the Supervisory Directives.  The use of cloud computing will help the
banks advance and shorten the implementation of innovative applications, which
will enable the improvement of service to customers and cost savings.”

 

This
draft directive is the result of a comprehensive work process conducted by the
Banking Supervision Department on the issue of cloud computing, which included,
among other things, consulting with professional experts and supervisory
authorities abroad, mapping the cloud applications that have been installed in
financial organizations abroad, and joint examinations conducted with the
banking corporations.

 

There
are many advantages to the use of cloud computing technology in the banking
system, such as the development and application of innovative technologies in a
short timeframe, and savings in computer and energy resources, that will lead
to improvements in the streamlining of the banking corporations and even to
improved competition.  Alongside the
advantages, these technologies also present operational risks and cyber and
information security risks such as the leaking of customer data, dependence on
outside suppliers, the potential of compromising the corporation’s command and
control, interruption of the business continuity of services, and more.

 

The draft
directive sets out guidelines for banking corporations planning to use cloud
computing technologies, principally:

  • For low-risk applications (such as a marketing website with no sensitive
    information, analytics applications, etc.), the draft directive provides a
    leniency for the banking corporations, exempting them from the requirement of
    obtaining a permit from the Banking Supervision Department that was required
    until now, thereby advancing the use of cloud computing with its many
    advantages;
  • Applications that are not defined as having a low risk (such as
    applications that include sensitive information such as customer data) will
    require a permit from the Banking Supervision Department.
  • The draft directive does not enable the use of cloud computing technologies
    for the banking corporation’s core activities and systems.
  • The draft directive also deals with aspects of corporate governance, including
    Board of Directors and senior management involvement, risk management, and
    contracts with cloud service providers.

This
draft directive replaces the Supervisor’s Letter published on June 29,
2015.  The banking corporations began
using cloud computing immediately following publication of the Supervisor’s Letter
on the matter.  Since that time, the
number of cloud applications has increased significantly.  The Banking Supervision Department has
granted 37 permits to 10 banking corporations during this period.  24 of the permits were issued in a rapid
process for applications that, according to the language of the draft directive,
will not require a permit in the future, which will make the process of
adopting the technologies easier.  The
types of use of cloud computing for which the banking corporations obtained
permits are varied, and include, among other things, analysis applications,
marketing websites, CRM systems, managing tenders, training programs, marketing
management, and more.