Published legislation and draft legislation - European Union
Recommendations on outsourcing to cloud service providers
European Banking Authority Report
At the end of 2017, the European Banking Authority (EBA) published its final report, with a raft of recommendations about the outsourcing of cloud services by financial institutions, specifically credit institutions and investment firms, and addressed also to the competent supervisory authorities in the field.
The recommendations have been developed based on the Committee of European Banking Supervisors (CEBS)’s outsourcing* guidelines and endeavor to provide further steering for those institutions that outsource their activities to cloud service providers, so that they take reasonable measures to avoid undue operational risks.
They will be applied using the principle of proportionality, that is, commensurate with the size, structure and operational surroundings in which institutions work, and also with the nature, scale and complexity of their activities.
The report covers six key areas: i) access rights; ii) the security of data and systems; iii) the location of data and data processing; iv) audit rights; v) chain outsourcing, and vi) contingency plans and exit strategies. We highlight below the most important areas:
Before outsourcing activities, the European Authority recommends that institutions assess their importance, bearing in mind:
- Their risk profile (for example, whether they are critical for the institution’s continuity or viability and for fulfilling its obligations to its customers)
- The operational impact of any interruption to the outsourcing, and the inherent legal and reputational risks
- The impact that any disruption to the activity could have on the institution’s revenue forecast
- The potential impact that a breach of confidentiality or lack of data integrity could have on the institution and its customers
Financial institutions will have to inform the supervisory body as to which material activities will be outsourced to cloud service providers, giving this body data on the supplier’s name and parent company, the activities that will be outsourced, when this will start and the applicable law, among other matters. The supervisor will be authorized to request any further information it may deem necessary.
They will also have to keep an updated record with information about all those material and non-material activities that have been outsourced to cloud service providers, both at a company and group level.
Rights of access and audit
The recommendations specify that the provisions in the contract between the financial institution and the cloud service provider must ensure full access, both for the competent authorities and for the entity itself and its auditors to their premises, devices, systems, networks and supplier data, as may be necessary to provide the subcontracted services (right of access).
They must also confer unrestricted rights of inspection and audit on matters relating to the services subcontracted (right of audit).
The effective enforcement of these rights should not be impeded or limited by contractual arrangements. If the performance of an audit might represent a risk for another client’s environment, alternative ways must be found to provide a similar level of assurance to that required by the institution.
Security of data and systems
The security measures that cloud service providers must adopt to protect the confidentiality of the information transmitted by the financial institution are an important issue, inasmuch as they are key to the management of operational risk. Thus, prior to outsourcing, institutions will have to:
- Identify and classify their activities, processes, data and systems by the level of protection needed;
- Carry out an exhaustive risk-based selection of the activities, processes, data and systems that they are planning to outsource;
- Define and decide the appropriate level of protection of data confidentiality, continuity of outsourced activities and the integrity and traceability of the data and systems in the context of the proposed outsourcing.
These measures must be set out in writing in an agreement with the service provider. Institutions must then monitor the performance of the outsourced activities and the security measures, the incidents generated and, if applicable, the corrective measures implemented.
Data location and processing
The EBA advises special care on the part of institutions when they enter into service outsourcing agreements outside the European Economic Area, because of possible data protection risks and risk to supervision.
The banking authority recommends that institutions should address the potential risk impacts, including legal risks and compliance issues, as well as oversight limitations related to the countries where the outsourced services are being provided and where the data are being stored. The assessment should also include considerations on the political stability and security of the jurisdictions in question; the laws in force (especially those on data protection); and, among other considerations, the legal provisions on insolvency that would apply in the event of a cloud service provider’s failure. All these risks must be kept within acceptable limits commensurate with the materiality of the outsourced activity.
Chain outsourcing
The guidelines include specific requirements to mitigate the risks associated with chain outsourcing, where the cloud service provider subcontracts elements of the service to other providers. Such subcontracting will be permissible provided that the services are not adversely affected, and that the obligations that the provider agreed on at the outset with the financial institution continue to be met.
In any event, the financial institution must review and monitor the performance of the overall service, regardless of whether it is provided by the cloud service provider or by a subcontractor.
Contingency plans and exit strategies
Finally, the EBA recommends that institutions plan and implement well-defined contingency plans and exit strategies to maintain the continuity of their businesses in the event that the provision of services by a supplier fails or deteriorates to an unacceptable degree.
The European authority also advises institutions on the contents of contractual and organizational agreements relating to these plans and strategies.
These recommendations apply from 1st July 2018.
* Any agreement between a financial institution and a service provider, whereby the provider carries out a process, service or activity that would otherwise be carried out by the financial institution itself.