In March 2017, the European Commission (EC) issued a public consultation document on Fintech. Cloud computing is a major area covered by the EC request for comment and requires delicate balancing between innovation and risk minimization. On one hand, cloud is an easily scalable and cost effective way for financial institutions to manage their data storage and processing. However, cloud also presents major banks with increased cybersecurity and compliance risk. The topic of cloud is particularly relevant because certain Fintech enterprises may not be subject to the same regulatory constraints as major financial institutions.
The European Banking Authority (EBA) published its response to the public consultation in June 2017.
The EBA notes that there is widespread uncertainty among major banks about how regulators approach outsourcing to cloud providers. In May 2017, the EBA released draft Recommendations on cloud for credit institutions and investment firms. The Recommendations cover “the security of data and systems, the location of data and data processing, access and audit rights, chain outsourcing and contingency plans and exit strategies.” The new Recommendations update the 2006 Committee of European Banking Supervisors (CEBS) Guidelines on Outsourcing. While maintaining the CEBS Guidelines emphasis on the ultimate accountability of senior management for orderly management and monitoring of the outsourced service, the new Recommendations add several significant points.
- Security of Data and Systems – Institutions should conduct a thorough risk assessment prior to outsourcing to cloud based providers and should ensure that the confidentiality of the information is protected, including by having appropriate levels of encryption for data in transit, in memory and at rest.
- Location of Data and Processing – The draft Recommendations suggest outsourcing institutions should inform regulators of the country where the service is to be performed “including the location of data” for material outsourcings and adopt a risk based approach towards outsourcing, including reviewing laws on data protection laws in the host jurisdiction. Institutions are suggested to “take special care” with respect to outsourcing outside the European Economic Area.
- Access and Audit Rights – Outsourcing institutions should ensure cloud service providers allow the institution and their regulator “full access to its business premises, including the full range of devices, systems, networks and data used for providing the services outsourced.” Financial institutions should also ensure they have full confidence in the qualifications of their ability to effectively audit a service provider and full rights to do so.
- Chain Outsourcing – Outsourcing Institutions should require subcontractors to fully comply with all existing requirements for the main cloud service provider. Notification periods for changes to subcontractor responsibilities should be contractually pre-agreed and the outsourcing institution should have right to terminate the relationship if the cloud service provider makes changes to subcontracted services which increase the risk of the outsourced services.
- Contingency Planning – Financial Institutions should have comprehensive well tested exit plans and ensure the cloud service provider is obligated to conduct an orderly transfer of the service so as to maintain business continuity.
In Canada, the Office of the Superintendent of Financial Institutions’ (OSFI) Guideline B-10 Outsourcing of Business Activities, Functions and Processes (Guideline B-10) applies to ‘Federally Regulated Entities’ (as defined under Guideline B-10) material outsourcing arrangements (including cloud outsourcing arrangements), and addresses some subject topics similar to the Recommendations, such as location of records, audit rights and business continuity plans. For example, under Guideline B-10, FREs are expected to maintain material records in Canada. Service providers are expected to keep financial institution data logically isolated “at all times, including under adverse conditions.” OSFI also expects FREs to obtain contractual provisions allowing OSFI to accompany the outsourcing FRE or independent auditor in the exercise of contractual audit rights. FREs are expected to maintain a Business Continuity Plan and back-up systems “commensurate with the risk of service disruption” and a centralized list of material outsourcing arrangements and advise OSFI about potential service interruptions. However, Guideline B-10 is broadly drafted and predates the use of cloud, and does not specifically address the use of cloud to the degree and detail set out in the Recommendations. For context within this posting, the term “FRE” includes, amongst other entities, banks (listed in Schedule I or II) to which the Bank Act (Canada) applies.
The EBA draft Recommendations and response to the EC request for comment on Fintech raise the possibility that European regulators may impose more detailed requirements with respect to outsourcing to the cloud for the foreseeable future. Financial institutions in other jurisdictions such as Canada may also find some benefit in tracking these developments in Europe, particularly if they have European operations.