Outsourcing to the Cloud: EBA issues Final Report on Recommendations

On 20 December 2017 the European Banking Authority (“EBA”) published its Final Report: Recommendations on Outsourcing to Cloud Service Providers ("CSPs"). The Recommendations will apply from 1 July 2018 to credit institutions as well as investment firms (i.e. not solely to banks). The aim of the EBA Recommendations is to: (i) provide guidance for institutions to enable them to use cloud solutions whilst appropriately managing risk; and (ii) promote supervisory convergence across the EU. The Final Report follows the EBA’s draft recommendations that were published on 18 May 2017 (refer to our previous article here). It should be noted that there is little substantive difference between the draft recommendations and those set out in the Final Report.

Stakeholders have previously expressed concern at the high level of uncertainty regarding the “supervisory expectations that apply to outsourcing to cloud service providers” as well as differences in national regulatory and supervisory frameworks for cloud outsourcing (e.g. the duty for outsourcing institutions to adequately inform their competent authority about material (cloud) outsourcing). The EBA Recommendations therefore intend to clarify the EU-wide expectations and enable organisations to harness the benefits of cloud computing whilst ensuring that risks are appropriately identified and managed. The recommendations build on the existing general outsourcing guidance provided in the CEBS Guidelines which have been in place since 2006.

The principle of proportionality applies throughout the Recommendations, which should be viewed in the context of the size, structure and operational environment of the firm.

The EBA Recommendations acknowledge that cloud outsourcing services provide a much higher level of standardisation which allows the services to be provided to a large number of different customers on a large scale (when compared with more traditional forms of outsourcing offering more tailored solutions for clients). Whilst cloud services “offer a number of advantages such as economies of scale, flexibility, operational efficiencies, and cost-effectiveness”, they also raise challenges in terms of data protection and location, security issues and concentration risk (both in respect of individual institutions as well as at an industry level where large suppliers of cloud services can become a single point of failure where many institutions rely on them).

The key areas covered by the EBA Recommendations include: completing material assessments; informing supervisors ex ante for material outsourcing; access and audit rights; data and systems security; location of data and data processing; chain outsourcing (i.e. when cloud service providers subcontract elements of service provision and contingency planning / exit strategies. For further detail on the Recommendations in each of these areas please click here for our summary.

The EBA Recommendations are just one of a number of initiatives by regulatory bodies to try to accommodate cloud services where appropriate. The recommendations follow the Financial Conduct Authority’s national guidance issued in July 2016 for firms outsourcing to the cloud and other third party IT services.

Whilst the EBA Recommendations appear to reflect existing best practice in a number of Member States, they seem relatively light alongside other broader, all-encompassing – and potentially overlapping – policy efforts such as the forthcoming EU General Data Protection Regulation (“GDPR”) relating to the European data protection framework, and the forthcoming EU Network and Information Security Directive ("NIS Directive") which aims to achieve a common level of network and information systems security across the EU and is due to be implemented in the UK by 9 May 2018. Organisations should therefore consider those overlapping frameworks alongside the EBA Recommendations, for example, to consider whether the outsourcing activities include the processing of personal data or whether any of the organisations in the supply chain fall within the scope of the NIS Directive, and therefore whether there are additional requirements and/or restrictions arising from applicable data protection or cyber security legislation as well.

This point was reiterated in a joint statement on the GDPR issued by the FCA and the ICO on 8 February 2018. The statement confirms that:

• financial services firms will need to consider how the GDPR will apply to them and ensure they are ready to comply with the regulation from May 2018;
• the GDPR does not impose requirements which are incompatible with rules in the FCA Handbook; and
• whilst the ICO will regulate the GDPR, the FCA will monitor compliance with GDPR requirements, for example, the requirements in the Senior Management Arrangements, Systems and Controls (SYSC) module. As part of their obligations under SYSC, firms are required to establish, maintain and improve appropriate technology and cyber resilience systems and controls.