The European Banking Authority (EBA) has issued final recommendations on the use of cloud service providers by financial institutions.
These recommendations provide guidance and further clarification to credit institutions and investment firms outsourcing to cloud service providers and will apply from 1 July 2018.
The recommendations address five key areas: ‘the security of data and systems, the location of data and data processing, access and audit rights, chain outsourcing, and contingency plans and exit strategies’. These are detailed further below.
The EBA recommendations follow Financial Conduct Authority (FCA) guidance which was issued in November 2015 for firms outsourcing to cloud providers.
How do they differ?
A number of the EBA recommendations mirror the FCA guidance in relation to risk management, data security and processing, access to data, sub-contractor relationships, continuity and business planning and exit strategies.
However, even the EBA acknowledged in its guidance that ‘there is a high level of uncertainty regarding the supervisory expectations that apply to outsourcing to cloud service providers and this uncertainty forms a barrier to institutions using cloud services’ suggesting that the FCA recommendations failed to give certainty to those firms outsourcing to the cloud.
Substantially, the EBA recommendations do not differ from the FCA’s. However, the EBA recommendations have provided further detail as to what is specifically required in cloud outsourcing contracts which should provide greater clarification and reassurance to financial institutions who are considering a move to cloud based services.
There are seven EBA recommendations:
Outsourcing institutions should assess which activities are material activities prior to outsourcing. The EBA gives clarity as to the factors that should be taken into account including the risk profile of the activities to be outsources, the operational impact of outages, the impact that any disruption of the activity could have and the potential impact of a confidentiality breach.
Where any activities which are deemed material following an assessment, institutions should inform authorities and maintain a register of all information on both material and non-material activities.
Access and Audit Rights
Institutions should ensure that the cloud service provider undertakes an obligation to provide access and unrestricted rights of inspection.
Security of data and systems
There should be an obligation on the outsourcing service provider to protect the confidentiality of the information transmitted by the financial institution.
Location of data and data processing
Institutions should take care entering into agreements outside the EEA and make risk assessments to address potential risk impacts relating to locations where the outsourced activities are provided or data is stored.
Institutions should take account of the risks associated with ‘chain’ outsourcing where outsourcing service provider subcontracts elements of the service to other providers. The EBA gives further detail as to the steps that should be taken:
- Outsourcing agreements should only agree to chain outsourcing if the subcontractor will also fully comply with the obligations.
- The outsourcing institution to take steps to address risk of weaknesses or failure in the provision of sub contracted activities.
- Outsourcing agreements should specify any activities that are excluded from sub- contracting to indicate that the service provider retains full responsibility.
- The outsourcing agreement should also include an obligation for the cloud service provider to inform the outsourcing institution of any planned significant changes.
Contingency plans and exit strategies
Outsourcing institutions should plan and implement arrangements to maintain business continuity in the event provision of service fails or deteriorates.
- Develop and implement exit plans that are comprehensive, documented and sufficiently tested where appropriate.
- Identify alternative solutions and develop transition plans to enable it to remove and transfer existing activities and data.
- Ensure that the outsourcing agreement includes an obligation on the cloud service provider to sufficiently support the outsourcing institution in the orderly transfer of the activity.
Whilst the FCA have yet to respond, we would expect them to update their guidance in line with the EBA recommendations.