Customer data subject consent
10. Is express consent from customers or other data subjects required before moving data to the cloud?

Express consent is not required from a privacy perspective, as long as the financial institution has explained to the data subjects (including its employees, if relevant) — in any relevant personal information collection statement or privacy policy provided on or before collection of their personal data — the purpose for which the cloud service providers will process their data and that their data will be transferred to a class of transferee that covers the cloud service provider. However, to the extent that a cloud service provider will process data for a "new purpose" not previously notified to the data subjects, under Data Protection Principle 3 of the Hong Kong Personal Data (Privacy) Ordinance (Chapter 486 of the Laws of Hong Kong), the financial institution (as the data user) will need to obtain the data subjects' express consent.

As a matter of general customer confidentiality law, an authorized institution will generally need to obtain the customer's consent before it can disclose confidential customer information to another party (including a cloud service provider).