Blockchain and outsourcing
The Polish regulations directly
referring to blockchain will be joined on 19 September 2020 by the Regulation of the Council of Ministers of
9 March 2020 on Documents Connected with Banking Activities on IT Data
Carriers. It expressly permits banks to store documents connected with
banking activities on blockchain.
Under §5(2) of the new regulation, “A document may be stored in the form of a distributed and decentralised database. The bank shall operate the database in a manner ensuring the security and integrity of the documents contained in the database.” The phrase “distributed and decentralised database” used in this provision refers to blockchain, as is expressly stated in the justification to the draft of the regulation. Moreover, the identical phrase is used in other legal acts to refer to blockchain technology (e.g. in the provisions of the Commercial Companies Code devoted to the ledger of stockholders).
Inclusion in the
regulation of an express reference to blockchain technology is an important
step toward increased acceptance of this technology by the traditional
financial sector. So far, some financial institutions have had doubts whether
use of the technology was legal at all. The new regulation makes it clear that
going forward, banks can use distributed ledger technology in their operations.
But the practical use of
DLT will be possible only after a number of regulatory challenges connected
with the technology are overcome.
Is blockchain outsourcing?
Here I would like to
signal one of these challenges which I believe has not been fully appreciated. This
is the application of outsourcing regulations to solutions involving the use of
blockchain.
A financial institution deciding to use blockchain to store information or documents must determine to what extent it regards this as outsourcing. According to the European Banking Authority’s Guidelines on outsourcing arrangements, outsourcing means an arrangement between a financial institution and a service provider by which the service provider performs a process, service or activity that would otherwise be undertaken by the financial institution itself. In typical instances, where a bank uses the resources of an external supplier to store electronic documents (e.g. on external servers), it seems clear that this relationship can be regarded with high probability as outsourcing. This instance fundamentally differs from the use of blockchain only in the type and architecture of the technology used. Functionally, in both cases there is a situation where the bank uses resources external to its own for the purpose of storing documents. The bank has access to certain content, but the content is stored on infrastructure not found under the bank’s complete control.
Is blockchain cloud computing?
Another challenge is to determine whether the solutions used in blockchain will be covered by the Communication from the Office of the Polish Financial Supervision Authority (UKNF) on processing by supervised entities of information in cloud or hybrid computing. One of the conditions for applying this communication is the processing of information in cloud computing by KNF-supervised institutions. Cloud computing is defined in the communication as “a pool of shared, configurable computing resources (e.g. networks, servers, mass memory, applications, services), accessible ‘on demand’ by IT networks, which can be dynamically delivered or released with minimal inputs of administrative work and minimal involvement of their supplier.” This definition was probably not drafted with blockchain in mind, but it may aptly be asked whether blockchain can be understood as “cloud computing.” A “distributed and decentralised database,” as blockchain is defined by Polish regulations, is also in some sense “a computing resource available on demand.” This resource is maintained by nodes that are often also used for this purpose by cloud solutions.
If so, then what?
Treating the use of blockchain
by financial institutions as regulated outsourcing would result in a practical
inability to use many blockchain solutions, in particular so-called public
blockchains. Applying the outsourcing regulations and the UKNF’s cloud
computing communication to such solutions is by assumption impossible. First
and foremost, the basis for the outsourcing must be a contract between the
financial institution and the provider of outsourcing services. In the case of
public blockchain, the supplier with whom such a contract should be concluded
cannot be identified. Blockchain solutions are created on the basis of entirely
different paradigms than traditional IT solutions. The outsourcing regulations
are not adapted to them at all.
Faced with this, the
inclusion in further regulations of express authorisation for financial
institutions to use blockchain technology may prove entirely inadequate. Full
exploitation of these technologies will not be possible until fundamental
changes are made in the outsourcing regulations.
In seeking potential directions for these changes, we should note the approach presented in the EBA Guidelines on outsourcing arrangements. The guidelines state that as a general principle, the use of “global network infrastructures” should not be considered outsourcing. It seems to me it is time to start a discussion on whether at least some types of blockchains should be regarded as elements of “global network infrastructures.” As in the case of the internet, there are certain base layers of functioning of the network that we treat as a given, and do not apply the outsourcing regulations to them. (For example, we do not require banks to conclude outsourcing agreements with global points for exchange of internet traffic, even though the operators of these points participate to some degree in execution of the bank’s communications.) Similarly, in the case of public blockchains we could consider distinguishing base layers of technology whose use would not result in the need to apply the outsourcing regulations.
Krzysztof Wojdyło