CLOUD COMPUTING
Legal, Regulatory & Compliance Concerns
ON HUNGARIAN FINANCIAL MARKET
2013
Executive Summary
This review outlines the key legal, regulatory and compliance concerns to be taken care of in the course of making business decisions on the subject matter.
As a starting point, it is acknowledged that there is an extremely strong business potential in applying cloud computing solutions (also) in the financial industry.
All three areas, namely legal, regulatory and compliance, have their own authorities with a say on the question.
As for the details, services (contracts) are to be analyzed from the points of view of (i) general commercial contracting, (ii) regulatory compliance and (iii) data protection compliance.
When aiming to explore and mitigate the various risks and so to drive the project towards legal feasibility, the following findings have been identified as the key ones. On Cloud Computing as such there is no Hungarian (or European) legislation in force (or even in the pipeline). Furthermore, while there has been basic guidance from the EU on Cloud Computing (only since July 2012), there is no effective guidance or even orientation from the respective Hungarian authorities (the HFSA and the DPA).
As a conclusion, we may state that from a legal, regulatory and compliance point of view, banks, taking moderate risks, may (target to) enter into a Cloud Computing contract, but only subject to several key assumptions and conditions.
Top strategic technology
Cloud Computing has been identified as one of the top strategic technologies which is going to re-shape the world in this decade. (Gartner*)
* http://www.gartner.com/it/page.jsp?id=1454221
The issue
• The technology of Cloud Computing is a forerunner, being also (recently) ahead of legal regulations.
• In the EU/EEA, the law is more stringent (restrictive) in the field of personal data protection than in the US.
The Pros and the Cons
The Pros
Cloud Computing offers enormous space (in a double sense) that supports companies' overall workflow and management with state-of-the-art, secure and cost-effective hosted services.
The Cons
A decision on the introduction of Cloud Computing solutions must necessarily be backed by answers to several concerns – besides the IT/bank security ones, also from a legal, regulatory and compliance point of view.
• legal
  - EU and Hungarian personal data protection requirements
  - basic contractual issues
  - special issues raised by E-Discovery (regarding any litigation in the US)
• regulatory
  - whether cloud computing qualifies as outsourcing and is therefore controlled by the HFSA
• compliance
  - alignment with the bank's internal / Group corporate governance
  - ensuring control of Cloud Computing services by the Compliance Department as well as by internal and external auditors
The issues – Data protection (i)
Asynchrony of technological and legal developments
The technology of Cloud Computing is predominantly provided by US service providers whose home-country law is far less restrictive in the field of personal data protection than EU/EEA law. In both jurisdictions there is (so far) a lack of definite legislation on Cloud Computing which, while it does not seem to be a burden in the US, raises concerns in the EU. This way, besides being a forerunner in technology, Cloud Computing is also well ahead of legal and regulatory developments.
Self-regulatory efforts
The industry itself is fairly proactive in self-regulation. Its organization, the Cloud Security Alliance, admits* that „specialized compliance requirements for highly regulated industries should be considered and must be addressed during the requirements identification stage. Some regulatory requirements specify controls that are difficult or impossible to achieve in certain cloud service types.”
* https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf (p. 48)
The issues – Data protection (ii)
Developing EU regulatory environment
While the EU is currently working on unified European data protection legislation (which will take the form of a regulation, i.e. automatically binding on the member states), the legislation in force is the so-called Data Protection Directive 95/46/EC (the „Data Protection Directive”). This, firstly, does not cover cloud computing and, secondly, being a directive, allows national legislation to deviate.
Despite the lack of legislation in force, the EU actively deals with the issue, albeit still in the regulatory drafting phase. Further to the Commission Decision of 5 February 2010 on the standard contractual clauses for the transfer of personal data to processors established in third countries* (the „EU Model Clauses”), on cloud computing itself the EU has so far issued only an opinion: Article 29 Data Protection Working Party Opinion 05/2012 on Cloud Computing** (the „EU Opinion”) of July 1st 2012 (!). Clearly, the three-month-old opinion has no established practice yet. However, since it has been welcomed by the industry, following its „rules” may result in a kind of compliance regarding the protection of customer personal data.
One striking requirement of the EU Opinion is that it refers to and reinforces Article 4 of the Data Protection Directive, stating that the applicable law of such contracts shall be that of the country in which the data controller (in our case the Banks) is established (i.e. Hungary).
* http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2010:039:0005:0018:EN:PDF
** http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp196_en.pdf
The issues – Data protection (iii)
Uncertain Hungarian regulatory environment
The European regulatory background highlighted above results in the following:
(i) due to the option of deviating, Hungarian national legislation (in force) is, in theory, stricter than the average European member state's regulations, and
(ii) more problematically, the Hungarian Data Protection Authority (DPA) strikingly avoids the subject of cloud computing: no precedent decisions, no guidance, not even participation in the public debate, as if there were no question at all.
Due to this evident retreat, even industry players that are active in the dialogue at the European level do not approach the Hungarian authorities for guidance whatsoever. As we have been advised, unlike with other national data protection authorities, where it received positive feedback*, Supplier has not approached the Hungarian DPA yet.
Best practice
Irrespective of the non-existence of definite legal requirements, Banks, as market leaders in Hungary, shall take into consideration that „front-runner companies are highly committed to protecting data, particularly customer information.” (PwC 2012 Global State of Information Security Survey)**
* Supplier provided us with confirmatory letters from several national data protection authorities
** http://www.pwc.com/gx/en/information-security-survey (p. 13)
The issues – Regulatory (i)
Cloud computing is a way of outsourcing
Applying cloud computing services unquestionably qualifies as outsourcing. Accordingly, a Cloud Computing service contract shall comply with the respective requirements of the Hungarian Banking Act.
HFSA (Hungarian Financial Supervisory Authority) approach
The HFSA, unlike the DPA, has already taken a step, although a very minor one, towards guiding and orienting the market in this respect. On July 18, 2012 it issued the 4/2012 HFSA Management Circular* (the „HFSA Circular”). Unfortunately, the HFSA's commitment to regulate and so to promote the financial industry in this respect seems to be merely apparent, since the paper is simply a translation of the communication of the US Federal Financial Institutions Examination Council (the „FFIEC”) on Outsourced Cloud Computing** (the „FFIEC Statement”).
The FFIEC Statement and the HFSA Circular, instead of better aligning the regulatory landscape with the nature of cloud-based solutions, disappointingly advocate the application of current regulations in their existing form and imply that cloud vendors will have to adapt and align their solutions to the legacy regulatory environment. This basically means that the authorities identify cloud computing as an outsourced activity.
* http://www.pszaf.hu/akadalymentes/data/cms2364896/vezkorlev_4_2012.pdf
** http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_OutsourcingTechnologyServices.pdf
The issues – Regulatory (ii)
One of the key questions: can the on-the-spot regulatory audit be replaced?
The Hungarian Banking Act requires that outsourced services be audited on the spot by the HFSA (and also by the company and its auditors), subject to a respective request or general need. A par excellence key question of outsourcing (which the HFSA does not address) is the on-the-spot audit. Due to the nature of the technology this cannot be ensured. Accordingly, cloud service contracts cannot be in full compliance with the letter of the current legislation in force.
The Statement/Circular call on financial institutions to run a due diligence prior to contracting, to ensure that the provider will meet all the requirements. Once this due diligence is performed by an independent third party, further to their initial audit they could, from time to time, be engaged for an operational audit as well. The report thereon, subject to the willingness of the HFSA, could replace the on-the-spot audit. However, at present we are not aware of (nor have we been advised by Supplier of) the existence of such third parties whose report could be used as a kind of certification for this purpose.
The HFSA will surely scrutinize the proposed cloud computing contracts as outsourced services, and banks will have to have robust arguments to get the HFSA to buy in. Here we have to note that Supplier has not yet approached the HFSA (as it has not done regarding the DPA) to seek any preliminary guidance or opinion whatsoever.
The issues – Other legal questions
Basic contractual issues
At the early stage of the projects, prior to the strategic decision (based upon the IT/bank security and legal concerns), the drafts of the multiple contracts provided by Supplier are regularly not analyzed in detail.
However, we note that, due to the basic requirement of the EU, all contracts should be governed by the laws of Hungary.
Contracts governed by non-Hungarian laws shall be checked and confirmed by lawyers of the respective jurisdiction(s).
Potential special requirements regarding E-discovery
If the bank is involved in litigation in the US and would like to apply Cloud Computing services to any banking system, this may raise questions regarding so-called E-discovery in US court procedures. Any special obligations of the bank thereupon shall be checked and confirmed by US litigation lawyers.
Conclusions
It is our conclusion that Banks, still taking moderate legal and regulatory risks, may (target to) enter into a „Cloud Contract” subject to the key assumptions and conditions as follows:
• contracts to be governed by the laws of Hungary
• Supplier to represent and warrant that the service complies with Hungarian data protection legislation and with the requirements of Section 3.4 of the EU Opinion
• each sub-service provider of Supplier to be contracted under the EU Model Clauses or in Safe Harbor (certified by an independent auditor); Supplier to ensure that Banks are entitled to instruct sub-service providers directly, should it be the case
• Supplier to deliver independent certification, or the Bank and Supplier mutually to approach the HFSA for preliminary guidance/clearance stating that Supplier/the services comply with the requirements of the Hungarian Banking Act regarding outsourcing (apart from the on-the-spot audit)
• Supplier to undertake to indemnify the Bank should it suffer any damages due to non-compliance, and the Bank to be entitled to terminate the entire agreement with immediate effect should Banks/Supplier fail to obtain clearance from the HFSA and DPA
• the Bank to consider engaging external legal advisers for counseling regarding contracts governed by non-Hungarian law(s) and, subject to developments on the above conditions, for providing the Bank with a double check regarding the regulatory compliance of the services
Dr. Igor Máté
Head of Business Legal Services
MKB Bank
https://www.linkedin.com/in/igormate

More Related Content

What's hot

Companies, digital transformation and information privacy: the next steps
Companies, digital transformation and information privacy: the next stepsCompanies, digital transformation and information privacy: the next steps
Companies, digital transformation and information privacy: the next stepsThe Economist Media Businesses
 
DMA Legal update: autumn 2013 - Tuesday 1 October
DMA Legal update: autumn 2013 - Tuesday 1 OctoberDMA Legal update: autumn 2013 - Tuesday 1 October
DMA Legal update: autumn 2013 - Tuesday 1 OctoberRachel Aldighieri
 
Data Protection and Comnpliance with the GDPR Event 22 september 2016
Data Protection and Comnpliance with the GDPR Event 22 september 2016 Data Protection and Comnpliance with the GDPR Event 22 september 2016
Data Protection and Comnpliance with the GDPR Event 22 september 2016 Dr. Donald Macfarlane
 
EU General Data Protection: Implications for Smart Metering
EU General Data Protection: Implications for Smart MeteringEU General Data Protection: Implications for Smart Metering
EU General Data Protection: Implications for Smart Meteringnuances
 
Look Before You Leap: Unauthorized Practice of the Law, Supervision of Non-La...
Look Before You Leap: Unauthorized Practice of the Law, Supervision of Non-La...Look Before You Leap: Unauthorized Practice of the Law, Supervision of Non-La...
Look Before You Leap: Unauthorized Practice of the Law, Supervision of Non-La...Kevin O'Shea
 
Data_Privacy_Protection_brochure_UK
Data_Privacy_Protection_brochure_UKData_Privacy_Protection_brochure_UK
Data_Privacy_Protection_brochure_UKSally Hunt
 
Lightning Talk: Regulation (EU) 2018/1724 "Single Digital Gateway" & the "You...
Lightning Talk: Regulation (EU) 2018/1724 "Single Digital Gateway" & the "You...Lightning Talk: Regulation (EU) 2018/1724 "Single Digital Gateway" & the "You...
Lightning Talk: Regulation (EU) 2018/1724 "Single Digital Gateway" & the "You...Alexander Loechel
 
GIG Working Paper 02/2017 - The Definition of Personal Data
GIG Working Paper 02/2017 - The Definition of Personal DataGIG Working Paper 02/2017 - The Definition of Personal Data
GIG Working Paper 02/2017 - The Definition of Personal DataIAB Europe
 
General Data Protection Regulation: what do you need to do to get prepared? -...
General Data Protection Regulation: what do you need to do to get prepared? -...General Data Protection Regulation: what do you need to do to get prepared? -...
General Data Protection Regulation: what do you need to do to get prepared? -...IISPEastMids
 
Technology’s role in data protection – the missing link in GDPR transformation
Technology’s role in data protection – the missing link in GDPR transformationTechnology’s role in data protection – the missing link in GDPR transformation
Technology’s role in data protection – the missing link in GDPR transformationat MicroFocus Italy ❖✔
 
Replacement standard contractual clauses
Replacement standard contractual clausesReplacement standard contractual clauses
Replacement standard contractual clausesBrian Miller, Solicitor
 
Data theft rules and regulations things you should know (pt.1)
Data theft rules and regulations  things you should know (pt.1)Data theft rules and regulations  things you should know (pt.1)
Data theft rules and regulations things you should know (pt.1)Faidepro
 
2015-0318 GAC Presentation - BCR - 05052015
2015-0318 GAC Presentation - BCR - 050520152015-0318 GAC Presentation - BCR - 05052015
2015-0318 GAC Presentation - BCR - 05052015Jan Dhont
 
GDPR: the legal aspects. By Matthias of theJurists Europe.
GDPR: the legal aspects. By Matthias of theJurists Europe.GDPR: the legal aspects. By Matthias of theJurists Europe.
GDPR: the legal aspects. By Matthias of theJurists Europe.Matthias Dobbelaere-Welvaert
 
Board Priorities for GDPR Implementation
Board Priorities for GDPR ImplementationBoard Priorities for GDPR Implementation
Board Priorities for GDPR ImplementationJoseph V. Moreno
 
Eversheds Safe Harbor Developments Webinar
Eversheds Safe Harbor Developments WebinarEversheds Safe Harbor Developments Webinar
Eversheds Safe Harbor Developments WebinarEversheds Sutherland
 
GDPR: A Threat or Opportunity? www.normanbroadbent.
GDPR: A Threat or Opportunity? www.normanbroadbent.GDPR: A Threat or Opportunity? www.normanbroadbent.
GDPR: A Threat or Opportunity? www.normanbroadbent.Steven Salter
 
No Man is an Island: The Battle for Data Privacy
No Man is an Island: The Battle for Data PrivacyNo Man is an Island: The Battle for Data Privacy
No Man is an Island: The Battle for Data PrivacyKate Chan
 
Copyright law revision on both sides of the Atlantic
Copyright law revision on both sides of the AtlanticCopyright law revision on both sides of the Atlantic
Copyright law revision on both sides of the AtlanticMark Seeley
 
UK GDPR: What New Direction?
UK GDPR:  What New Direction?UK GDPR:  What New Direction?
UK GDPR: What New Direction?David Erdos
 

What's hot (20)

Companies, digital transformation and information privacy: the next steps
Companies, digital transformation and information privacy: the next stepsCompanies, digital transformation and information privacy: the next steps
Companies, digital transformation and information privacy: the next steps
 
DMA Legal update: autumn 2013 - Tuesday 1 October
DMA Legal update: autumn 2013 - Tuesday 1 OctoberDMA Legal update: autumn 2013 - Tuesday 1 October
DMA Legal update: autumn 2013 - Tuesday 1 October
 
Data Protection and Comnpliance with the GDPR Event 22 september 2016
Data Protection and Comnpliance with the GDPR Event 22 september 2016 Data Protection and Comnpliance with the GDPR Event 22 september 2016
Data Protection and Comnpliance with the GDPR Event 22 september 2016
 
EU General Data Protection: Implications for Smart Metering
EU General Data Protection: Implications for Smart MeteringEU General Data Protection: Implications for Smart Metering
EU General Data Protection: Implications for Smart Metering
 
Look Before You Leap: Unauthorized Practice of the Law, Supervision of Non-La...
Look Before You Leap: Unauthorized Practice of the Law, Supervision of Non-La...Look Before You Leap: Unauthorized Practice of the Law, Supervision of Non-La...
Look Before You Leap: Unauthorized Practice of the Law, Supervision of Non-La...
 
Data_Privacy_Protection_brochure_UK
Data_Privacy_Protection_brochure_UKData_Privacy_Protection_brochure_UK
Data_Privacy_Protection_brochure_UK
 
Lightning Talk: Regulation (EU) 2018/1724 "Single Digital Gateway" & the "You...
Lightning Talk: Regulation (EU) 2018/1724 "Single Digital Gateway" & the "You...Lightning Talk: Regulation (EU) 2018/1724 "Single Digital Gateway" & the "You...
Lightning Talk: Regulation (EU) 2018/1724 "Single Digital Gateway" & the "You...
 
GIG Working Paper 02/2017 - The Definition of Personal Data
GIG Working Paper 02/2017 - The Definition of Personal DataGIG Working Paper 02/2017 - The Definition of Personal Data
GIG Working Paper 02/2017 - The Definition of Personal Data
 
General Data Protection Regulation: what do you need to do to get prepared? -...
General Data Protection Regulation: what do you need to do to get prepared? -...General Data Protection Regulation: what do you need to do to get prepared? -...
General Data Protection Regulation: what do you need to do to get prepared? -...
 
Technology’s role in data protection – the missing link in GDPR transformation
Technology’s role in data protection – the missing link in GDPR transformationTechnology’s role in data protection – the missing link in GDPR transformation
Technology’s role in data protection – the missing link in GDPR transformation
 
Replacement standard contractual clauses
Replacement standard contractual clausesReplacement standard contractual clauses
Replacement standard contractual clauses
 
Data theft rules and regulations things you should know (pt.1)
Data theft rules and regulations  things you should know (pt.1)Data theft rules and regulations  things you should know (pt.1)
Data theft rules and regulations things you should know (pt.1)
 
2015-0318 GAC Presentation - BCR - 05052015
2015-0318 GAC Presentation - BCR - 050520152015-0318 GAC Presentation - BCR - 05052015
2015-0318 GAC Presentation - BCR - 05052015
 
GDPR: the legal aspects. By Matthias of theJurists Europe.
GDPR: the legal aspects. By Matthias of theJurists Europe.GDPR: the legal aspects. By Matthias of theJurists Europe.
GDPR: the legal aspects. By Matthias of theJurists Europe.
 
Board Priorities for GDPR Implementation
Board Priorities for GDPR ImplementationBoard Priorities for GDPR Implementation
Board Priorities for GDPR Implementation
 
Eversheds Safe Harbor Developments Webinar
Eversheds Safe Harbor Developments WebinarEversheds Safe Harbor Developments Webinar
Eversheds Safe Harbor Developments Webinar
 
GDPR: A Threat or Opportunity? www.normanbroadbent.
GDPR: A Threat or Opportunity? www.normanbroadbent.GDPR: A Threat or Opportunity? www.normanbroadbent.
GDPR: A Threat or Opportunity? www.normanbroadbent.
 
No Man is an Island: The Battle for Data Privacy
No Man is an Island: The Battle for Data PrivacyNo Man is an Island: The Battle for Data Privacy
No Man is an Island: The Battle for Data Privacy
 
Copyright law revision on both sides of the Atlantic
Copyright law revision on both sides of the AtlanticCopyright law revision on both sides of the Atlantic
Copyright law revision on both sides of the Atlantic
 
UK GDPR: What New Direction?
UK GDPR:  What New Direction?UK GDPR:  What New Direction?
UK GDPR: What New Direction?
 

Viewers also liked

KYS - Instead of surprises know your suppliers (Compliance Series)
KYS - Instead of surprises know your suppliers (Compliance Series)KYS - Instead of surprises know your suppliers (Compliance Series)
KYS - Instead of surprises know your suppliers (Compliance Series)IgorMate
 
Building a bridge to CPA firm of the future
Building a bridge to CPA firm of the futureBuilding a bridge to CPA firm of the future
Building a bridge to CPA firm of the futureCPA.com
 
Folder louis delhaize 06-2014
Folder louis delhaize 06-2014Folder louis delhaize 06-2014
Folder louis delhaize 06-2014pcurias
 
Smart care på vei til u.s.a, slideshow
Smart care på vei til u.s.a, slideshowSmart care på vei til u.s.a, slideshow
Smart care på vei til u.s.a, slideshowSæbø Kari
 
Chart your course d1 - final submission
Chart your course   d1 - final submissionChart your course   d1 - final submission
Chart your course d1 - final submissionCPA.com
 
Smart care på vei til u.s.a, slideshow
Smart care på vei til u.s.a, slideshowSmart care på vei til u.s.a, slideshow
Smart care på vei til u.s.a, slideshowSæbø Kari
 
Becoming a Digital CPA
Becoming a Digital CPABecoming a Digital CPA
Becoming a Digital CPACPA.com
 
Smart care på vei til u.s.a, slideshow
Smart care på vei til u.s.a, slideshowSmart care på vei til u.s.a, slideshow
Smart care på vei til u.s.a, slideshowSæbø Kari
 
The future ready cpa are you ready for the challenge - PICPA Leadership Con...
The future ready cpa   are you ready for the challenge - PICPA Leadership Con...The future ready cpa   are you ready for the challenge - PICPA Leadership Con...
The future ready cpa are you ready for the challenge - PICPA Leadership Con...CPA.com
 

Viewers also liked (10)

KYS - Instead of surprises know your suppliers (Compliance Series)
KYS - Instead of surprises know your suppliers (Compliance Series)KYS - Instead of surprises know your suppliers (Compliance Series)
KYS - Instead of surprises know your suppliers (Compliance Series)
 
Building a bridge to CPA firm of the future
Building a bridge to CPA firm of the futureBuilding a bridge to CPA firm of the future
Building a bridge to CPA firm of the future
 
Folder louis delhaize 06-2014
Folder louis delhaize 06-2014Folder louis delhaize 06-2014
Folder louis delhaize 06-2014
 
Smart care på vei til u.s.a, slideshow
Smart care på vei til u.s.a, slideshowSmart care på vei til u.s.a, slideshow
Smart care på vei til u.s.a, slideshow
 
Chart your course d1 - final submission
Chart your course   d1 - final submissionChart your course   d1 - final submission
Chart your course d1 - final submission
 
Smart care på vei til u.s.a, slideshow
Smart care på vei til u.s.a, slideshowSmart care på vei til u.s.a, slideshow
Smart care på vei til u.s.a, slideshow
 
Becoming a Digital CPA
Becoming a Digital CPABecoming a Digital CPA
Becoming a Digital CPA
 
Smart care på vei til u.s.a, slideshow
Smart care på vei til u.s.a, slideshowSmart care på vei til u.s.a, slideshow
Smart care på vei til u.s.a, slideshow
 
file1
file1file1
file1
 
The future ready cpa are you ready for the challenge - PICPA Leadership Con...
The future ready cpa   are you ready for the challenge - PICPA Leadership Con...The future ready cpa   are you ready for the challenge - PICPA Leadership Con...
The future ready cpa are you ready for the challenge - PICPA Leadership Con...
 

Similar to Cloud computing in Hungarian financial industry 2013

Securing data in the cloud: A challenge for UK Law Firms
Securing data in the cloud: A challenge for UK Law FirmsSecuring data in the cloud: A challenge for UK Law Firms
Securing data in the cloud: A challenge for UK Law FirmsCloudMask inc.
 
How IBM Supports Clients around GDPR and Cybersecurity Legislation
How IBM Supports Clients around GDPR and Cybersecurity LegislationHow IBM Supports Clients around GDPR and Cybersecurity Legislation
How IBM Supports Clients around GDPR and Cybersecurity LegislationIBM Security
 
Cloud Computing: legal issues
Cloud Computing: legal issuesCloud Computing: legal issues
Cloud Computing: legal issuesISPABelgium
 
Cybersecurity and Data Privacy Update
Cybersecurity and Data Privacy UpdateCybersecurity and Data Privacy Update
Cybersecurity and Data Privacy UpdateWilmerHale
 
Practical Guide to GDPR 2017
Practical Guide to GDPR 2017Practical Guide to GDPR 2017
Practical Guide to GDPR 2017Dryden Geary
 
Data Protection in the EU | babelforce Insight
Data Protection in the EU | babelforce InsightData Protection in the EU | babelforce Insight
Data Protection in the EU | babelforce Insightbabelforce
 
TRUST. IP and Technology Update - IT Audit Toolkit for CIOs and General Couns...
TRUST. IP and Technology Update - IT Audit Toolkit for CIOs and General Couns...TRUST. IP and Technology Update - IT Audit Toolkit for CIOs and General Couns...
TRUST. IP and Technology Update - IT Audit Toolkit for CIOs and General Couns...Jan Lindberg
 
Clouds and Chains
Clouds and ChainsClouds and Chains
Clouds and ChainsTim Swanson
 
Cloud computing : legal , privacy and contract issues
Cloud computing : legal , privacy and contract issuesCloud computing : legal , privacy and contract issues
Cloud computing : legal , privacy and contract issuesLilian Edwards
 
Misa cloud computing workshop lhm final
Misa cloud computing workshop   lhm finalMisa cloud computing workshop   lhm final
Misa cloud computing workshop lhm finalLou Milrad
 
Legal Challenges in Contracting for Cloud Services
Legal Challenges in Contracting for Cloud ServicesLegal Challenges in Contracting for Cloud Services
Legal Challenges in Contracting for Cloud ServicesLou Milrad
 
20150630_D6 1_Legal and EthicalFrameworkand Privacy and Security Principles
20150630_D6 1_Legal and EthicalFrameworkand Privacy and Security Principles20150630_D6 1_Legal and EthicalFrameworkand Privacy and Security Principles
20150630_D6 1_Legal and EthicalFrameworkand Privacy and Security PrinciplesLisa Catanzaro
 
Impact of GDPR on the pre dominant business model for digital economies
Impact of GDPR on the pre dominant business model for digital economiesImpact of GDPR on the pre dominant business model for digital economies
Impact of GDPR on the pre dominant business model for digital economiesEquiGov Institute
 
How Does the ePrivacy Regulation and General Data Protection
How Does the ePrivacy Regulation and General Data ProtectionHow Does the ePrivacy Regulation and General Data Protection
How Does the ePrivacy Regulation and General Data ProtectionShield
 

Similar to Cloud computing in Hungarian financial industry 2013 (20)

EU Data Protection Regulation Skyhigh Networks
EU Data Protection Regulation Skyhigh NetworksEU Data Protection Regulation Skyhigh Networks
EU Data Protection Regulation Skyhigh Networks
 
Securing data in the cloud: A challenge for UK Law Firms
Securing data in the cloud: A challenge for UK Law FirmsSecuring data in the cloud: A challenge for UK Law Firms
Securing data in the cloud: A challenge for UK Law Firms
 
How IBM Supports Clients around GDPR and Cybersecurity Legislation
How IBM Supports Clients around GDPR and Cybersecurity LegislationHow IBM Supports Clients around GDPR and Cybersecurity Legislation
How IBM Supports Clients around GDPR and Cybersecurity Legislation
 
Cloud Computing: legal issues
Cloud Computing: legal issuesCloud Computing: legal issues
Cloud Computing: legal issues
 
Case by case - moving data centres to Romania
Case by case - moving data centres to RomaniaCase by case - moving data centres to Romania
Case by case - moving data centres to Romania
 
Cybersecurity and Data Privacy Update
Cybersecurity and Data Privacy UpdateCybersecurity and Data Privacy Update
Cybersecurity and Data Privacy Update
 
Are you compliant?
Are you compliant?Are you compliant?
Are you compliant?
 
Practical Guide to GDPR 2017
Practical Guide to GDPR 2017Practical Guide to GDPR 2017
Practical Guide to GDPR 2017
 
Judicial Frameworks and Privacy Issues of Cloud Computing
Judicial Frameworks and Privacy Issues of Cloud ComputingJudicial Frameworks and Privacy Issues of Cloud Computing
Judicial Frameworks and Privacy Issues of Cloud Computing
 
Data Protection in the EU | babelforce Insight

Cloud computing in Hungarian financial industry 2013

  • 5. The Pro and the Cons
    The Pro: Cloud Computing offers enormous space (in a double sense) that supports companies' overall workflow and management with state-of-the-art, secure and cost-effective hosted services.
    The Cons: A decision on the introduction of Cloud Computing solutions must necessarily be backed by answers to several concerns – besides the IT/bank security ones, also from a legal, regulatory and compliance point of view.
    • legal: EU and Hungarian personal data protection requirements; basic contractual issues; special issues raised by E-Discovery (regarding any litigation in the US)
    • regulatory: whether cloud computing qualifies as outsourcing and is therefore controlled by the HFSA
    • compliance: alignment with the bank's internal / Group corporate governance; ensuring control of Cloud Computing services by the Compliance Department as well as by internal and external auditors
  • 6. The issues – Data protection (i)
    Asynchrony of technological and legal developments: The technology of Cloud Computing is predominantly provided by US service providers, whose home law is far less restrictive in the field of personal data protection than EU/EEA law. In both jurisdictions there is (so far) a lack of definite legislation on Cloud Computing, which, while it seems not to be a burden in the US, raises concerns in the EU. This way, besides being a forerunner in technology, Cloud Computing is also well ahead of legal and regulatory developments.
    Self-regulatory efforts: The industry itself is fairly proactive in self-regulation. Its organization, the Cloud Security Alliance, admits* that "specialized compliance requirements for highly regulated industries should be considered and must address during requirements identification stage. Some regulatory requirements specify controls that are difficult or impossible to achieve in certain cloud services types."
    * https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf (p. 48)
  • 7. The issues – Data protection (ii)
    Developing EU regulatory environment: While the EU is currently working on the unified European data protection legislation (which will take the form of a regulation, i.e. automatically binding on the member states), the legislation in force is the so-called Data Protection Directive 95/46/EC (the "Data Protection Directive"). This, firstly, does not cover cloud computing and, secondly, being a directive, allows national legislation to diverge. Despite the lack of legislation in force, the EU actively deals with the issue, albeit still in the regulatory drafting phase. Further to the Commission Decision of 5 February 2010 on the standard contractual clauses for the transfer of personal data to processors established in third countries* (the "EU Model Clauses"), on cloud computing itself the EU has so far issued only an opinion: Article 29 Data Protection Working Party Opinion 05/2012 on Cloud Computing** (the "EU Opinion") of July 1st 2012 (!). Clearly, the three-month-old opinion has not yet generated any practice. However, since it has been welcomed by the industry, following its "rules" may amount to a form of compliance regarding the protection of customer personal data. One striking requirement of the EU Opinion is that it refers to and reinforces Article 4 of the Data Protection Directive, stating that the applicable law of such contracts shall be that of the country in which the data controller (in our case the Banks) is established (i.e. Hungary).
    * http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2010:039:0005:0018:EN:PDF
    ** http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp196_en.pdf
  • 8. The issues – Data protection (iii)
    Uncertain Hungarian regulatory environment: The European regulatory background highlighted above means that (i) due to the option of diverging, Hungarian national legislation (in force) is, in theory, stricter than the average member state's regulations, and (ii) more problematically, the Hungarian Data Protection Authority (DPA) strikingly avoids the subject of cloud computing. No precedent decisions, no guidance, not even participation in the public debate, as if there were no question at all. Due to this evident retreat, even industry players that are active in the dialogue at European level do not approach the Hungarian authorities for guidance at all. As we have been advised, unlike with other national data protection authorities, from which it acquired positive feedback*, Supplier has not yet approached the Hungarian DPA.
    Best practice: Irrespective of the non-existence of definite legal requirements, Banks, as market leaders in Hungary, shall take into consideration that "front-runner companies are highly committed to protecting data, particularly customer information." (PwC 2012 Global State of Information Security Survey)**
    * Supplier provided us with these confirmatory letters from several national data protection authorities
    ** http://www.pwc.com/gx/en/information-security-survey (p. 13)
  • 9. The issues – Regulatory (i)
    Cloud computing is a way of outsourcing: Applying cloud computing services unquestionably qualifies as outsourcing. Accordingly, a Cloud Computing service contract shall comply with the respective requirements of the Hungarian Banking Act.
    HFSA (Hungarian Financial Supervisory Authority) approach: The HFSA, unlike the DPA, has already taken a step, albeit a very minor one, towards guiding and orienting the market in this respect. On July 18, 2012 it issued the 4/2012 HFSA Management Circular* (the "HFSA Circular"). Unfortunately, the HFSA's commitment to regulate and so to promote the financial industry in this respect seems to be only apparent, since the paper is simply a translation of the communication of the US Federal Financial Institutions Examination Council (the "FFIEC") on Outsourced Cloud Computing** (the "FFIEC Statement"). The FFIEC Statement and the HFSA Circular, instead of better aligning the regulatory landscape with the nature of cloud-based solutions, disappointingly advocate the application of current regulations in their existing form and imply that cloud vendors will have to adapt and align their solutions to the legacy regulatory environment. This basically means that the authorities identify cloud computing as an outsourced activity.
    * http://www.pszaf.hu/akadalymentes/data/cms2364896/vezkorlev_4_2012.pdf
    ** http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_OutsourcingTechnologyServices.pdf
  • 10. The issues – Regulatory (ii)
    One of the key questions: can the on-spot regulatory audit be redeemed? The Hungarian Banking Act requires that outsourced services be audited on the spot by the HFSA (and also by the company and its auditors), subject to a respective request or general need. A par excellence key question of outsourcing (which the HFSA does not address) is the on-spot audit. Due to the nature of the technology this cannot be ensured. Accordingly, cloud service contracts cannot be in full compliance with the letter of the legislation currently in force. The Statement/Circular call on financial institutions to run a due diligence prior to contracting, to ensure that the provider will meet all the requirements. If this due diligence is performed by an independent third party, then further to their initial audit they could, from time to time, be engaged for operational audits as well. Their report, subject to the willingness of the HFSA, could redeem the on-spot audit. However, we are currently not aware (nor have we been advised by Supplier) of the existence of such third parties whose report could be used as a kind of certification for these purposes. The HFSA will surely scrutinize the proposed cloud computing contracts as outsourced services, and banks will have to have robust arguments to get the HFSA to buy in. Here we have to note that Supplier has not yet approached the HFSA (as it has not done regarding the DPA) to seek any preliminary guidance or opinion.
  • 11. The issues – Other legal questions
    Basic contractual issues: At an early stage of the projects, prior to the strategic decision (based upon the IT/bank security and legal concerns), the drafts of the multiple contracts provided by Supplier are regularly not analyzed in detail. However, we must point out that, due to the basic requirement of the EU, all contracts should be governed by the laws of Hungary. Contracts governed by non-Hungarian laws shall be checked and confirmed by lawyers of the respective jurisdiction(s).
    Potential special requirements regarding E-discovery: If the bank is involved in litigation in the US and would like to apply Cloud Computing services to any banking system, this may raise questions regarding so-called E-discovery in US court procedures. Any special obligations of the bank thereupon shall be checked and confirmed by US litigation lawyers.
  • 12. Conclusions
    It is our conclusion that Banks, while still taking moderate legal and regulatory risks, may (target to) enter into a "Cloud Contract" subject to the following key assumptions and conditions:
    • contracts be governed by the laws of Hungary
    • Supplier to represent and warrant that the service complies with Hungarian data protection legislation and with the requirements of Section 3.4 of the EU Opinion
    • each sub-service provider of Supplier shall be contracted under the EU Model Clauses or in Safe Harbor (certified by an independent auditor); Supplier shall ensure that Banks be entitled to instruct sub-service providers directly, should it be the case
    • Supplier to deliver independent certification, or the Bank and Supplier mutually to approach the HFSA for preliminary guidance/clearance, stating that Supplier/the services comply with the requirements of the Hungarian Banking Act regarding outsourcing (apart from the on-spot audit)
    • Supplier to undertake to indemnify the Bank should it suffer any damages due to non-compliance, and the Bank shall be entitled to terminate the entire agreement with immediate effect should Banks/Supplier fail to obtain clearance from the HFSA and the DPA
    • the Bank is to consider engaging external legal advisers for counseling regarding contracts governed by non-Hungarian law(s) and, subject to developments on the above conditions, for providing the Bank with a double check regarding the regulatory compliance of the services
  • 13. Dr. Igor Máté Head of Business Legal Services MKB Bank https://www.linkedin.com/in/igormate