The European Banking Authority (EBA) has issued final recommendations on the use of cloud service providers by financial institutions.
These recommendations provide guidance and further clarification to credit institutions and investment firms outsourcing to cloud service providers and will apply from 1 July 2018.
The recommendations address five key areas: ‘the security of data and systems, the location of data and data processing, access and audit rights, chain outsourcing, and contingency plans and exit strategies’. These are detailed further below.
The EBA recommendations follow Financial Conduct Authority (FCA) guidance which was issued in November 2015 for firms outsourcing to cloud providers.
A number of the EBA recommendations mirror the FCA guidance in relation to risk management, data security and processing, access to data, sub-contractor relationships, continuity and business planning and exit strategies.
However, even the EBA acknowledged in its guidance that ‘there is a high level of uncertainty regarding the supervisory expectations that apply to outsourcing to cloud service providers and this uncertainty forms a barrier to institutions using cloud services’, suggesting that the FCA recommendations failed to give certainty to those firms outsourcing to the cloud.
Substantially, the EBA recommendations do not differ from the FCA’s. However, the EBA recommendations provide further detail as to what is specifically required in cloud outsourcing contracts, which should give greater clarity and reassurance to financial institutions that are considering a move to cloud-based services.
There are seven EBA recommendations:
Outsourcing institutions should assess which activities are material activities prior to outsourcing. The EBA gives clarity as to the factors that should be taken into account, including the risk profile of the activities to be outsourced, the operational impact of outages, the impact that any disruption of the activity could have and the potential impact of a confidentiality breach.
Where any activities are deemed material following an assessment, institutions should inform the authorities and maintain a register of all information on both material and non-material activities.
Access and Audit Rights
Institutions should ensure that the cloud service provider undertakes an obligation to provide access and unrestricted rights of inspection.
Security of data and systems
There should be an obligation on the outsourcing service provider to protect the confidentiality of the information transmitted by the financial institution.
Location of data and data processing
Institutions should take care when entering into agreements outside the EEA and make risk assessments to address potential risk impacts relating to the locations where the outsourced activities are provided or data is stored.
Chain outsourcing
Institutions should take account of the risks associated with ‘chain’ outsourcing, where the outsourcing service provider subcontracts elements of the service to other providers. The EBA gives further detail as to the steps that should be taken:
Contingency plans and exit strategies
Outsourcing institutions should plan and implement arrangements to maintain business continuity in the event that provision of the service fails or deteriorates.
Whilst the FCA have yet to respond, we would expect them to update their guidance in line with the EBA recommendations.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at March 2018. Specific advice should be sought for specific cases. For more information see our terms & conditions.