Use of Public Cloud Services by Russian Financial Services Institutions
This article outlines the regulatory landscape of cloud computing in Russia, with a particular focus on the use of public cloud services by Russian financial institutions (FSI). The term “FSI” as used in this article means: (a) credit institutions – banks and non-baking credit organizations; and (b) non-credit financial institutions (NFIs) – insurance companies, micro-financial organizations, pawnshops and other institutions specified by Russian laws.
1. Regulation of cloud services in general
A) Current regulation of cloud computing services in Russia
While currently there is no comprehensive, universal statute or other normative act regulating cloud services in the Russian Federation, the storage of data in cloud per se is not prohibited and thus permissible under Russian laws, subject to observance of certain legal requirements and restrictions, arising from both generally applicable legislation as well as sector-specific regulations. Although significant statutory amendments have been recently introduced that are aimed specifically at granting greater control to regulators over content distributed via the Internet and that impose obligations to retain data in the territory of the Russian Federation, these amendments are, under the prevailing view, not interpreted as explicitly prohibiting the transfer of content to foreign cloud providers and the storage of such content in data processing centers situated outside of Russia.
The Government was expected to draft specific laws and regulations that would facilitate the deployment of cloud computing by the end of 2015. However so far no such laws or regulations has been adopted. Some draft laws that sought to regulate cloud computing have been conceived in 2016 and 2017, respectively. These draft laws sought to create the state infrastructure of cloud computing and regulate primarily the use of cloud computing services by the public central and local authorities as well as state and municipal enterprisers and institutions. The fate of these cloud regulation initiatives is currently unclear.
B) Storing personal data in a foreign cloud
The Personal Data Law anticipates cross-border data flows, i.e. transfer and storage of personal data (hereinafter “PD”) of Russian citizens abroad; this may, in practice, include the storage and processing of the data in data hosting centers located outside of Russia. Such transfer and storage is, however, subject to certain requirements and restrictions that must be observed, notably the newly introduced data retention obligation, pursuant to which at the time of collection of PD, inter alia over the Internet, the operator must ensure that the PD of Russian citizens is recorded, systematized, accumulated, stored, specified (updated or modified) and retrieved in the databases located in the Russian Federation, except for the cases listed in the Personal Data Law. The above mentioned amendments have been sometimes interpreted as a ban on any transfers and storage of Russian PD abroad. Such views can be challenged on the following grounds: Firstly, the Personal Data Law (as amended) still contains the entire section dedicated to cross-border transfer of PD. The fact that the given section has not been repealed with the introduction of the new amendment to the Personal Data Law suggests that it was not the intention of the legislator to completely ban the transfer of the Russian citizens’ PD outside of Russia. While the new provisions require that the PD are initially recorded and processed in databases located in Russia, the law does not prohibit the duplication of collected and recorded data (i.e. creation of backup copies) and its further processing outside of Russia. The same applies to updating of the stored data: firstly, the data recorded in the Russian database should be updated and only afterwards the foreign database may be updated accordingly. The Russian database shall be regarded as primary and the foreign one as secondary. This interpretation has been confirmed by the regulator, the Ministry of Telecoms and Mass Communications, in its clarifications. One can only presume that providers of public cloud services must have implemented measures to meet this retention obligation in its cloud offerings targeted to its general customer base since the amendments to the Personal Data Law became effective in 2015, to be able to continue to legally provide their services; this article does not purport to address the technical and practical feasibility of the such measures.
The Personal Data Law requires that the personal data operator (i.e. the customer) and the cloud provider enter into agreement which will specify all the security measures that are to be undertaken by the cloud provider and the confidentiality obligations assumed by the cloud provider. Such measures will be set contractually and may include, in particular, data encryption and data anonymization.
It is also recommended that personal data operators and/or customers are given the option to select the location of the data center where PD is intended to be stored and processed; this will in effect allow the personal data operator to select countries that are deemed to provide adequate protection of PD.
C) Storing confidential information (information containing commercial secrets) in a foreign cloud
In general, confidential information (i.e. information containing commercial secrets) may be stored in a foreign cloud subject to the requirements and restrictions provided for by the applicable laws and the information owners’ internal commercial secrecy regulations.
An indicative list of sensitive/confidential information includes financial information, technical information, security information, certain internal corporate documents, bank secrecy information, personal data, credit history information, certain tax information, certain insurance secrecy and pawnshops secrecy data and other information marked by an organization as “confidential”. Nonsensitive information (publicly available information) includes all information which does not qualify as confidential information.
When storing confidential information, the cloud provider must take certain security measures to protect the information entrusted to it. The general security measures and sector-specific security measures applicable to the storage of sensitive information in cloud are specified in various normative acts.
2. Regulation of cloud services in the banking sector
A) Localization of electronic data bases of Russian banks
One of the primary constraints on the use of cloud services in the banking sector is set forth in Regulation 397-P pursuant to which a credit institution shall ensure that its electronic databases are located in the territory of the Russian Federation (clause 1.2.). This provision is often interpreted strictly as prohibiting the storage of information by a credit institution in electronic databases located abroad. However, neither Regulation 397-P or any other related laws and regulations elaborate on this further. In the absence of a straightforward prohibition of data transfers and storage abroad, one could thus argue for a less restrictive interpretation of this provision, under which credit institutions may store their data in a foreign cloud as long as (i) such data is initially recorded in Russia and (ii) the foreign cloud provider fulfills the security measures prescribed by Regulation 397-P (i.e. the database is up to date, the information contained in the database is recoverable, measures are taken to prevent damage, loss, malware infection, etc). This less restrictive interpretation can be supported by the fact that the above mentioned amendment was introduced in connection with the amendments to the Personal Data Law which, as mentioned earlier, provides for the storage of Russian citizen’s PD in the Russian databases while not prohibiting the storage of backup copies outside Russia as long as such data is initially recorded in the Russian databases. If the amendment to Regulation 397-P is interpreted analogically, a subsequent (back-up) transfer and storage of credit institutions’ data in databases located outside of Russia should generally be permissible, too. Whether such subsequent storage of data would not, in fact, undermine the very substance of cloud solutions, would warrant a separate discussion.
B) Licensing and certification requirements
Further, the storage and processing of certain data of credit institutions by cloud providers may trigger licensing and certification requirements (licensing of activities relating to protection of confidential information, as well encryption licenses, and certification of the information systems used for the storing and processing the data). In practice, only Russian entities can satisfy these requirements, so they would present a practical obstacle for a foreign cloud provider. An example of such encryption requirements are the measures required by the Government Decree No 1119 in instances where certain level of security threats are identified, which in turn require the implementation of specific security levels (likely to apply to some types of data processed by credit institutions), or the FSB Guidelines No. 149/7/2 / 6-432.
However, it could be argued that the encryption certification requirements by their very nature can only apply to Russian entities since the FSB is not empowered to certify encryption means of entities operating outside of Russia. Secondly, if a foreign cloud provider deploys, in the frame of rendering cloud services, such information system and information protection measures that provide for the same (or higher) level of protection as the relevant information systems and information protection measures prescribed by Russian law, it could be argued that the provider’s information systems and information protection measure do technically meet the general requirements of the applicable Russian laws and regulations. This finding is supported by some normative acts, such as FSTEC Order No 21, according to which, if it is technically impossible to implement the measures for the provision of PD security stipulated by Government Decree No 1119, the operator may deploy other (“compensatory”) measures for the neutralization of PD security threats. Deployment of such compensatory measures shall be duly substantiated (clause 10). Based on the given provisions, the operator shall ensure that foreign cloud provider takes all organizational and technical measures as required by Government Decree No 1119 and FSTEC Order No 21 with regard to proper protection of the data entrusted to it.
Sector-specific (payment) regulations impose certain territorial restrictions on money transfer operations and thus on storage of information processed as part of such money transfers. These restrictions, however, should not impact standard cloud (SaaS) offerings that are not used for money transfer operations, such as Microsoft Office 365.
Finally, the Bank of Russia has issued recommendations, such as Recommendations RS BR IBBS-2.22009 and Recommendations RS BR IBBS-2.9-2016, which, albeit not normative acts and thus not binding, are authoritative and FSIs are likely to adhere to them. These Recommendations imply that FSIs should store certain sensitive (confidential) data (the scope of which is defined very broadly and would include, inter alia, any PD) in Russia. This may prove to be, in the absence of an explicit statutory prohibition to store data with a foreign cloud provider, the most significant deterrent for FSIs to entrust their data to a foreign cloud provider.
3. Regulation of cloud services in non-credit financial institutions (NFIs)
Russian laws regulating various types of NFIs (insurance companies, micro-financial organizations, pawnshops, etc.) do not contain any provisions that would either permit or prohibit the relevant NFIs to use public clouds services (including those that are provided outside of Russia). Primarily, the laws concerning various types of NFIs concentrate on various formal and operational requirements, such as documentation required for NFIs to enter into appropriate contracts; defining the forms in which an NFI may sign and exchange contracts with their counterparties (a handwritten signature or an analog thereof); and requirements on compliance with applicable personal data laws and confidentiality/professional secrecy obligations.
The absence in Russian laws of express prohibition of the use of public cloud solutions by NFIs suggests that NFIs may use public cloud services, including those provided by foreign providers (subject to certain requirements and restrictions).
The guidelines of the Bank of Russia do not prohibit FNIs to use foreign cloud services provided that the foreign cloud service operators can guarantee the continuity of their services and/or provided that their services can be promptly replaced by the services of other providers in case of an emergency. Thus, under Guidelines No 28-MP, all NFIs are recommended to ensure the continuity of operations, i.e. ensure the functioning of the systematically important processes in NFIs on the daily basis. These obligations entail, in particular: identification of information systems and information used for servicing the systematically important processes; deployment of software and hardware that would provide the information systems’ security; development of information security policy; conducting monitoring of the information systems and its software/hardware; taking corrective measures.
Unlike in the case of credit institutions, the regulator, the Bank of Russia, has not yet introduced the standards and recommendations regarding the information security of NFIs (except for the guidelines for ensuring the continuity of operations). It is expected that information security documents will become applicable to all financial market participants (i.e. both credit institutions and NFIs). The standards and recommendations applicable to banking organizations are likely to apply by analogy to NFIs pending specific regulations to be introduced for NFIs in that field. Already published draft standards and recommendations of the Bank of Russia evidence its intention to make the current banking sector information security standards applicable to NFIs.
Vladimir Kanashevsky, of counsel of Pierstone firstname.lastname@example.org
 Art. 76.1 of the Federal Law On the Central Bank of the Russian Federation (the Bank of Russia) No 86-FZ dated July 10, 2002 (as amended on March 28, 2017)
 Please see Action Plan (“Road Map”) on “Development of Information Technology Industry”(approved by Government Decree No 2602-p dated December 30, 2013, as amended on December 5,2014)
 See the draft on the Federal Portal of Draft Laws and Regulations http://regulation.gov.ru/projects#npa=59054
 See the draft on the Federal Portal of Draft Laws and Regulations //http://regulation.gov.ru/projects#npa=67812
 Federal Law On Personal Data No 52-FZ dated July 27, 2006 (as amended February 22, 2017)
 These amendments to the Personal Data Law came into force on September 1, 2015
 Please see official site of Minkomsvyaz’ RF // http://minsvyaz.ru/ru/personaldata/
 See: the Roskomnadzor Order On the Requirements and Methods of Personal Data Anonymization No 996 dated September 5, 2013; Guidelines on the Application of the Roskomnadzor Order No 996 (approved by Roscomnadzor on December 13, 2013)
 Please see the indicative list of confidential information in Annex A (informative) to the Bank ofRussia Recommendations in the Field of Standardization RS BR IBBS-2.9-2016 “Ensuring of Information Security of Organizations of the Russian Banking System. Preventing the Data Leaks”.
 E.g.: Government Decree No. 584 dated June 13, 2012; the Bank of Russia Regulation No 382-Pdated June 9, 2012 (as amended); the Bank of Russia Regulation No 2831-U dated June 9, 2013 (as amended); the Standards of the Bank of Russia related to Information Security (STO BR IBBS-1.0-2014; STO BR IBBS-1.2-2014); the Recommendations of the Bank of Russia (RS BR IBBS-2.5-2014; RS BR IBBS-2.2-2009; RS BR IBBS-2.7-2015; RS BR IBBS-2.8-2015; RS BR IBBS -2.9-2016)
 The Bank of Russia Regulations on the Procedure of Creation, Maintenance and Database Storageon Electronic Media No. 397-P dated February 21, 2013 (as amended on September 14, 2016).
 This provision has been added to clause 1.2. of the Regulation in August 2015
 Decree of the Russian Government On Requirements to the Protection of Personal Data while its Processing in Informational Systems of Personal Data No. 1119 dated November 1, 2012
 FSB Guidelines for the development of normative acts assessing the personal data security threatsin processing personal data in information systems and in the course of conducting relevant activities No. 149/7/2 / 6-432 dated March 31, 2015
 FSTEC Order On the Organizational and Technical Measures for the Provision of Personal DataSecurity at the time of its Processing in the Personal Data Information Systems of Personal Data No 21, dated February 18, 2013
 The Bank of Russia Guidelines On Ensuring of the Continuity of the Non-Credit Financial Institutions Activity No 28-MP, dated August 18, 2016
 To date some of such drafts standards have been published by Rosstandard (Technical committee# 122). Please see: http://tk122.ru/ (http://tk122.ru/)