EBA publishes guidance on (i) outsourcing to cloud service providers and (ii) ICT Risk Assessment by competent authorities

On 18 May 2017, the European Banking Authority ("EBA") published its draft recommendations on outsourcing to cloud service providers (the "EBA Recommendations"). Under Article 16 of the Regulation (EU) No 1093/2010, the EBA is required to issue guidelines and recommendations addressed to both national competent authorities (NCAs) and financial institutions, with a view to establishing consistent, efficient and effective supervisory practices and ensuring the "common, uniform and consistent application of the European Union Law".

Stakeholders have previously expressed concern at the high level of uncertainty regarding the "supervisory expectations that apply to outsourcing to cloud service providers" as well as differences in national regulatory and supervisory frameworks for cloud outsourcing (e.g. the duty for outsourcing institutions to adequately inform their competent authority about material (cloud) outsourcing). The EBA Recommendations therefore intend to clarify the EU-wide expectations and enable organisations to harness the benefits of cloud computing whilst ensuring that risks are appropriately identified and managed. The recommendations build on the existing general outsourcing guidance provided in the CEBS Guidelines which have been in place since 2006.

The EBA Recommendations acknowledge that cloud outsourcing services provide a much higher level of standardisation which allows the services to be provided to a large number of different customers on a large scale (when compared with more traditional forms of outsourcing offering more tailored solutions for clients). Whilst cloud services "offer a number of advantages such as economies of scale, flexibility, operational efficiencies, and cost-effectiveness", they also raise challenges in terms of data protection and location, security issues and concentration risk (both in respect of individual institutions as well as at an industry level where large suppliers of cloud services can become a single point of failure where many institutions rely on them).

Key areas covered by the EBA Recommendations include the following:

• How to perform materiality assessments prior to any outsourcing. Assessments should take into account: the criticality and inherent risk profile of the activities (with particular reference to ensuring business continuity and meeting obligations to customers); the operational impact of outages (and related legal and reputational risks); the impact disruption of service may have on revenues; and the impact of confidentiality breaches or data integrity failures on the institution and/or its customers.
• NCAs should expect adequate information from institutions about the outsourcing of material activities to cloud service providers. The EBA sets out a range of information to be provided and highlights that NCAs should be able to request additional information from institutions.
• Outsourcing institutions should maintain a register of all material and non-material outsourced activities at institution and group level, including information about the approval given by the management body or the committee designated by it.
• Access and audit rights are key principles of the CEBS Guidelines and are restated in the EBA Recommendations in respect of cloud service providers. Given the likely multi-tenanted nature of the cloud, the draft recommendations allow for practical approaches to be used by outsourcing institutions such as pooled audits performed jointly with other clients, and third party certifications and third party or internal audit reports made available by the cloud service provider, subject to robust oversight being applied by the outsourcing institution.
• Whilst the CEBS Guidelines already provide guidance on areas such as information confidentiality and system availability, the draft recommendations elaborate further on the need for integrity and traceability, setting out an approach as to how security should be assessed where institutions outsource activities to cloud service providers. The recommendations also aim to ensure supervisory expectations are appropriate in respect of the technical security of cloud computing services – with the recommendation that this should be in line with a proportionality principle, taking account of the need for protection of the particular data and the systems. Appropriate traceability mechanisms aiming to keep records of technical and business operations will also be key to detecting malicious attempts to compromise the security of data and systems.
• Outsourcing institutions will be expected to carefully assess related risks when entering into and managing outsourcing arrangements undertaken outside the EEA. Risks should be kept within acceptable limits commensurate with the materiality of the outsourced activity. These considerations should run in parallel with restrictions under data protection legislation in respect of the international transfer of personal data outside the European Economic Area.
• On chain outsourcing, (i.e. where cloud service providers subcontract elements of service provision), the draft recommendations acknowledge the need to clarify the conditions under which subcontracting can take place in the case of outsourcing to the cloud. The cloud service provider should be obliged to notify the outsourcing institution in advance of any significant changes to subcontractors or subcontracted services initially set out in the agreement between the provider and the outsourcing institution. The EBA Recommendations state that a reasonable notification period should be specified to allow the outsourcing institution time to terminate the contract if the proposed subcontracting is not appropriate.
• Contingency plans and exit strategies, contracts should include termination and exit management provisions, not least to ensure the transfer to another cloud service provider without undue disruption. Outsourcing institutions are expected to have in place appropriate exit plans, to have tested these plans and to have in place key risk indicators that assist in the identification of unacceptable service levels/indicators that trigger the exit plan.

Whilst the EBA Recommendations appear reasonable and perhaps reflect existing best practice in a number of Member States, they seem relatively light alongside other broader, all-encompassing – and potentially overlapping – policy efforts such as the EU General Data Protection Regulation ("GDPR"). Organisations should therefore consider those overlapping frameworks alongside the EBA Recommendations, for example, to consider whether the outsourcing activities include the processing of personal data, and therefore whether there are additional requirements and/or restrictions arising from applicable data protection legislation as well (such as those in the forthcoming GDPR).

The EBA Recommendations are just one of a number of initiatives by regulatory bodies to try to accomodate cloud services where appropriate. The recommendations follow the Financial Conduct Authority's national guidance issued in November of last year for firms outsourcing to the cloud and other third party IT services.

The deadline for responses to the consultation is 18 August 2017 and the EBA is expected to hold a public hearing on the EBA Recommendations on 20 June 2017.

Click here to read the EBA's draft recommendations on outsourcing to cloud service providers.

The EBA Recommendations follow new Guidelines on ICT Risk Assessment by competent authorities or regulators (the "Guidelines") issued by the EBA on 11 May 2017. The Guidelines were produced "in view of the growing importance and increasing complexity of ICT risk within the banking industry and individual institutions". They are intended to take effect from 1 January 2018 and apply in parallel to the current guidance that regulators already follow to determine the operational risk to which banks are exposed. The Guidelines make it clear that financial institutions are expected to be subject to assessment of their operational risk, including in respect of their security, business continuity and data integrity among other areas.

In particular, the Guidelines introduce some common terms to be used by all regulators in the EEA when conducting the assessment. While there are a range of options, to date there has been no broadly adopted global standard for ICT risk terminology in financial services. The EBA's definitions do not solve the problem at a global level, but they at least offer some consistency within the EEA area.

Click here to read the EBA's Guidelines on ICT Risk Assessment. The firm will be issuing a more detailed article on the Guidelines in due course.