In recognition of the growing trend of financial institutions outsourcing to the cloud, the European Banking Authority (EBA) released its final recommendations on outsourcing to cloud service providers in December 2017.
The recommendations, which took effect on 1 July 2018, have expanded the compliance requirements for financial institutions. Furthermore, cloud service providers have started to acknowledge their responsibilities to customers to comply with the recommendations, in the context of increased pressure from both regulators and customers.
The EBA recommendations build upon the existing regulatory regime, in the form of the 2006 Committee of European Banking Supervisors (CEBS) guidelines and the Financial Conduct Authority (FCA) guidelines. The recommendations seek to harmonise the two and complement the recent Markets in Financial Instruments Directive (MIFID II) in order to collate the regulatory principles on cloud outsourcing.
However, the recommendations introduce some additional requirements, which financial institutions must be aware of and take practical steps to ensure.
1. Understand the risks - This might sound obvious, but the recommendations emphasise the need for financial institutions to understand the risks involved in outsourcing services to the cloud. Financial institutions are now required to assess materially the risks involved in outsourcing, including the impact of outages and the risk of data loss. Outsourcing data involves an inherent loss of control by customers, and the EBA is keen to ensure that the consequential risks are mitigated.
2. Make information available to regulators - The information that financial institutions must make available to regulators now includes specific information about their outsourcing arrangements. Authorities may also ask for additional information about risk analysis, business continuity, exit strategies and internal assessments. In addition, the recommendations have addressed the issues involved in granting regulators audit rights. The EBA has considered the benefits of pooled audits to prevent cloud service providers from objecting to audits on the basis that they put one customer’s data security above others’. Also addressed in the recommendations is the option to use third party experts to conduct audits, both to prevent customers from being able to access each other’s data and to ensure that audits are conducted effectively. Cloud service providers have shown some support for these suggestions, recognising that there is a need for regulators to access data centres for the purpose of audits.
3. Have a business contingency and exit plan in place - The recommendations also focus on financial institutions having their own business contingency and exit plans in place. This is to offset the risks created by the lack of guidance from cloud service providers on these issues. In the context of large cloud service providers such as Amazon, the recommendations have emphasised the need for financial institutions to have a structured plan for exiting the agreement, allowing for instant termination. Financial institutions should also be mindful that regulators may ask them to hand over the details of such plans.
Legacy infrastructure has become less prominent as a result of its flaws, which have been exposed in several high profile cases in the media. As the use of cloud services becomes more prevalent in the customer's mind, as a result of services such as iCloud, the cloud has become increasingly fundamental to the way that financial institutions and customers interact. This has created a tension between the need to regulate how services are run and the drive towards innovation.
The EBA goes some way to addressing this tension; its guidelines provide mechanisms for regulation that place slightly stricter responsibilities on financial institutions and that are sensitive to the need for cloud service providers to have more freedom, while continuing to meet customer demand for flexibility.
There are some important practical steps that financial institutions should take to ensure that they are compliant with the recommendations:
1. Pick the right cloud service provider - Financial institutions must carefully select the cloud service provider that is suitable for them. This will depend on the project in question, the financial institution's overall strategy and the regulatory requirements. They must also consider what data it is appropriate and necessary to send to the cloud; financial institutions do not need to take an ‘all or nothing’ approach to cloud services.
2. Document due diligence - In all aspects of compliance, it is important to show that a judgment call has been made. This involves documenting the reasonable action that has been taken to prevent or mitigate data breach or loss, creating an ‘audit trail’ and evidence of the company's compliance.
3. Consider having an internal cloud governance function - Financial institutions may benefit from setting up cloud governance functions to risk-assess the technical set-up.
In addition to such practical measures, there are more complex issues that the recommendations have raised for financial institutions. Financial institutions will have to decide how much responsibility they wish to and will be able to place on cloud service providers for the overall service they are consuming, taking into account that cloud service providers are increasingly pushing back against such risk allocation.
Financial institutions must also have regard to risks involved in chain outsourcing, as many cloud service providers sub-contract parts of their service infrastructure to third parties. Again, it seems that informing the customer of the sub-contractor and publishing online a list of relevant sub-contractors will be sufficient for compliance.
The final risk is the inadvertent use of cloud services where a financial institution is outsourcing a service to a third party who in turn is relying on cloud hosting to deliver that service. In this instance, the financial institution should take steps to ensure that its service provider is paying for the hosting and using the required contract terms (or that the financial institution is contracting directly for the hosting) to ensure that the hosting is appropriate and properly maintained.
It is also important to recognise the impact of the EBA recommendations on the behaviour of cloud service providers. Such providers often view themselves as utility suppliers rather than IT service providers, and are therefore unwilling to accept bespoke requirements from their customers. Cloud service providers such as Amazon have opted instead for ‘add-ons’ that customers can use to enhance the basic delivery of services.
However, there has been a recent shift in the way that cloud service providers view risk allocation. Effort has been made, notably by Amazon and Microsoft, to recognise that their financial services customers have regulatory obligations that cannot be ignored. They now offer specific financial services addendums as part of their contract suite in recognition that standard terms will not suffice for customers who are subject to regulatory controls.
There is however still room for cloud service providers to recognise, understand and support financial services customers in satisfying their regulatory obligations, by making their contracts more compliant up-front and therefore reducing the cost and length of sale.
As cloud services become more integral to the whole financial system, cloud service providers are going to quickly become part of the financial infrastructure. The risks involved in outsourcing data to the cloud therefore carry wider potential consequences for the financial system as a whole. It is of paramount importance that regulatory bodies are able to respond to changes in the use of cloud storage (as the EBA recommendations have done) and continue to place strict compliance requirements on financial institutions. Cloud service providers have come some way in accepting part of that responsibility too, but while this shift continues, financial institutions will need to carefully plan for and monitor their compliance.
This article first appeared on FinTech Futures.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at July 2018. Specific advice should be sought for specific cases. For more information see our terms & conditions.