The European Banking Authority (EBA) has issued its final ‘recommendations on outsourcing to cloud service providers’, following a period of public consultation. The EBA expects the FCA and financial institutions to make every effort to comply.
There have been general outsourcing guidelines in place since those published by the Committee of European Banking Supervisors (CEBS) in 2006. This additional guidance is in response to an increased interest in outsourcing to cloud service providers and aims to address the high level of uncertainty regarding the supervisory expectations that apply to such outsourcing.
The EBA hopes that its recommendations will remove some of the existing barriers that may be preventing financial institutions from outsourcing to cloud service providers. The recommendations will apply from 1 July 2018.
Who is affected by the recommendations?
Competent authorities, such as the UK’s FCA, and financial institutions (defined as credit institutions and investment firms under Article 4(1) of the EU’s Capital Requirements Regulations) must make every effort to comply with the recommendations. The FCA has two months to comply from the date of publication of the translations (an exercise to be completed shortly).
The FCA’s finalised guidance for firms outsourcing to the cloud and other third party IT services, published in July 2016 (the ‘FCA guidelines’), substantially addresses the points raised in the EBA’s recommendations. Consequently, financial institutions compliant with the FCA guidelines should already be broadly acting in accordance with the recommendations.
What do the recommendations set out?
The EBA emphasises that the principle of proportionality applies throughout the recommendations. Institutions are expected to apply the recommendations in a manner that is appropriate to them, in terms of size and operational environment, and the affected activities’ nature, scale and complexity. The recommendations include specific directions and more general guidance for outsourcing institutions, including the following:
1. Understand ‘material’ activities prior to initiating outsourcing
An assessment should be performed on the basis of guideline 1(f) of CEBS guidelines, taking into account:
- whether activities are critical to business continuity/ viability
- the impact of outages – operationally, legally and consequential reputational damage
- how revenue might be affected by any disruption to the activity
- the potential impact of a confidentiality breach.
2. Inform authorities (e.g. the FCA) of material activities to be outsourced to cloud service providers
Where outsourcing services relate to a material activity, outsourcing institutions should provide details of the cloud service provider, the services and the contract to the authority. (This requirement of course supplements existing obligations to notify the regulator of material outsourcings.)
Outsourcing institutions also have a duty to maintain an updated register of information on all material and non-material activities outsourced to cloud service providers at institution and group level.
3. Agree rights of access and audit relating to outsourced services
Outsourcing institutions should have an agreement in writing with cloud service providers that the outsourcing institution, or any third party appointed for these purposes, has:
- full access to business premises, including the full range of devices, systems, networks and data used for providing services outsourced (right of access
- unrestricted rights of inspection and auditing relating to outsourced services (right of audit).
Any party exercising its right of access is expected to provide reasonable notice in advance of an onsite visit, unless early prior notification has not been possible due to an emergency or crisis situation.
4. Implement appropriate levels of security of data and systems
Outsourcing institutions should ensure that standards of data confidentiality/ integrity/ traceability, continuity of services and performance are reflected in written outsourcing contracts and service level agreements. It is for the outsourcing institutions to monitor that agreed standards and security measures are met, with any corrective actions taken promptly.
5. Adopt a risk-based approach to data and data processing locations
Outsourcing institutions should take special care when entering into and managing outsourcing agreements undertaken outside the EEA because of possible data protection risks. Any assessment should address the potential risk impacts, including legal risks and compliance issues, and oversight limitations related to the countries where the outsourced services are or are likely to be provided and where the data are or are likely to be stored, to ensure that these risks are kept within acceptable limits commensurate with the materiality of the outsourced activity.
6. Address additional risks where outsourcing service providers subcontract
‘Chain’ outsourcing, where outsourcing service providers subcontract elements of services to other providers, potentially exposes outsourcing institutions to greater risk; any weakness or failure in the provision of the subcontracted activities can have significant effect on the outsourcing service providers’ ability to meet their responsibilities under outsourcing agreements. This is obviously very relevant to a cloud environment, where service providers often depend on multiple layers of suppliers beneath them. To address this:
- outsourcing institutions should agree to chain outsourcing only if subcontractors will also fully comply with the obligations existing between the outsourcing institutions and outsourcing service providers
- agreements between outsourcing institutions and cloud service providers should include an obligation on the service provider to inform the outsourcing institution of any planned significant changes to the subcontractors or the subcontracted services named in the initial agreement that might affect the ability of the service provider to meet its responsibilities under the outsourcing agreement
- the outsourcing institutions should have the right to terminate the agreement should a cloud service provider plan changes to a subcontractor or subcontracted services that would have an adverse effect on the risk assessment of the agreed services.
7. Make contingency plans and have clearly defined exit strategies
Outsourcing institutions should plan and make arrangements to avoid service disruption in the event that the provision of services by a service provider fails or deteriorates to an unacceptable degree. To achieve this outsourcing institutions should:
- develop and implement exit plans
- identify alternative solutions and develop transition plans
- include a termination and exit management clause within the outsourcing contract that allows the activities being provided to be transferred to another provider or to be reincorporated into the outsourcing institution
- ensure that the outsourcing agreement includes an obligation on the cloud service provider to sufficiently support the outsourcing institution in the orderly transfer of the activity.
What next?
We can expect the FCA to respond to the recommendations with updated guidance. Financial institutions affected by the recommendations, whether already engaging outsourcing cloud suppliers or considering to do so, should ensure that they are in compliance with the EBA’s recommendations, the existing FCA guidance and be alert to any updates from the authority.