European financial institutions (competent authorities, credit institutions, and investment firms as defined in EU Regulation No. 575/2013, collectively Institutions) have been instructed to comply with the European Banking Authority’s (EBA’s) recommendations when outsourcing to cloud service providers (Recommendations) as of July 1, 2018.
With cloud-based solutions offering products that can reduce infrastructure costs and improve services, Institutions are increasingly outsourcing to cloud service providers. This trend prompted the EBA to issue the Recommendations, with the expectation that Institutions will use their best efforts to comply.
While general outsourcing guidelines have been in place since 2006 (published by the Committee of European Banking Supervisors (CEBS)), these updated Recommendations are intended to give Institutions more clarity and practical suggestions so that they can better leverage outsourcing for technology.
What Are These Recommendations?
Institutions should comply with the Recommendations in a manner proportionate to their size and to the complexity and risk of the outsourced services. Below is a high-level outline of the Recommendations:
Materiality Assessment
The risks of outsourcing will vary depending on the materiality of the activities contemplated. The EBA recommends that Institutions assess which activities are considered “material” before outsourcing them, taking into account the criticality and inherent risk profile of the activities, the operational impact of outages, the impact of disruption, and the impact of a breach of confidential information or data.
Duty to Adequately Inform Supervisors
Authorities should be informed when Institutions are outsourcing material activities to cloud service providers, and the Institutions should provide the relevant information to such authorities, including the name of the provider, a description of the location of the activities and data, and the contractual details.
Access and Audit Rights
Institutions should confirm whether their agreements with cloud service providers afford them audit and access rights, as well as unrestricted rights of inspection. Institutions should also make sure that the staff performing these audits and inspections have the expertise to do so effectively.
Security of Data and Systems
The Recommendations on security of data and systems expand the CEBS guidelines and state that Institutions should conduct assessments before contracting with providers to determine what data is involved, how sensitive that data is, and what levels of confidentiality and security protection are required. Institutions must also continually monitor the provider’s compliance with its security obligations.
Location of Data and Data Processing
While the General Data Protection Regulation likely covers much of what is included in the Recommendations, Institutions still need to be very discerning when entering into agreements outside of the European Economic Area in order to provide adequate protection for their data. They should also conduct risk assessments addressing the potential impacts of the various geographic areas in which the outsourced activities are provided or the data is accessed or stored.
Chain Outsourcing
Allowing a cloud service provider to subcontract part of its obligations poses potential risks. The Recommendations address this with practical suggestions such as: the provider should be required to inform the Institution of any significant changes in subcontracting, and each subcontractor must agree to the same contractual obligations as the provider.
Contingency Plans and Exit Strategies
Business continuity and avoiding disruptions in service are imperative for any Institution outsourcing all or part of its IT services. The Recommendations include mandates to develop and document exit plans, identify alternative solutions, and require providers to support the transition of any activities to another party at the end of the contractual relationship.
What’s Next for Financial Institutions?
Institutions that are instructed to comply with the Recommendations should confirm that they are in compliance and be prepared to provide updates and information to the applicable authorities, whether they are currently outsourcing activities to cloud service providers or anticipate doing so in the near future.