Analysis: outsourcing to the cloud – EBA’s recommendations
The European Banking Authority (EBA) recently opened a consultation on its draft recommendations for financial institutions outsourcing to cloud service providers across all cloud-related domains including infrastructure, platform and software as a service.
The recommendations are intended “to clarify the EU-wide supervisory expectations if institutions intend to adopt cloud computing, so as to allow them to leverage the benefits of using cloud services, while ensuring that any related risks are adequately identified and managed”.
A public hearing took place at the EBA’s premises in Canary Wharf, London on 20 June 2017. The consultation is set to close on 18 August 2017.
The recommendations build on other European initiatives, such as the European Cloud Initiative (part of the Digital Single Market Strategy for Europe), the CoCo Cloud project and the Cloud Select Industry Group (C-SIG), as well as, of course, the General Data Protection Regulation (GDPR), which will, amongst other things, also affect the use of the cloud by any organisation which serves European customers.
Legal basis and application
The legal basis for the recommendations is found in Article 16 of Regulation (EU) No 1093/2010 which mandates the EBA to issue guidelines and recommendations addressed to competent authorities, with a view to establishing consistent, efficient and effective supervisory practices and ensuring the common, uniform and consistent application of European Union law. The recommendations, once finalised, will apply to credit institutions, investment firms and competent authorities covered by the EBA’s remit. The EBA plans to look at extending the recommendations to other types of regulated entities in due course.
Once final, the recommendations will set out the EBA’s view of appropriate supervisory practices within the European System of Financial Regulation, or of how EU law should be applied in a particular area. Competent authorities (i.e. regulators) falling under the ambit of the EBA should incorporate the recommendations into their practices as appropriate, by amending their legal framework or supervisory practices, including where recommendations are primarily directed at institutions.
The recommendations build on and supplement the existing Committee of European Banking Supervisors (CEBS) guidelines on outsourcing. The CEBS guidelines, published back in December 2006, remain applicable to outsourcing by institutions generally speaking, whilst the EBA’s draft recommendations seek to add clarity in the specific field of outsourcing to the cloud. In due course, the CEBS guidelines will be updated in line with this clarification.
Risks inherent in cloud outsourcing
The EBA notes that, compared with traditional outsourcing models, which typically entail a highly bespoke client solution, cloud outsourcing services are much more standardised so as to enable the services to be provided to a larger number of customers, in a more automated fashion and at a much larger scale, bringing the benefits of economies of scale, flexibility, operational efficiencies and lower costs.
However, cloud service adoption also poses risks for individual institutions, such as data protection and data location (since cloud services often depend on a geographically dispersed computing infrastructure), security and concentration risk. At an industry level, larger cloud suppliers can become single points of failure in the finance ecosystem where they are relied on by many customers.
The recommendations are to be applied in a proportionate manner, that is, having regard to the relevant institution’s size, structure and operating environment, and to the nature, scale and complexity of its activities.
In assessing materiality (i.e. the threshold for an institution to have to notify its regulator of the planned outsourcing), the EBA sets out specific directions in relation to cloud solutions (beyond those in the CEBS guidelines, which still apply):
- criticality and risk profile of in-scope activities;
- outage-related operational risk, and related legal and reputational risks;
- impact of disruption on revenue earning; and
- impact on the institution and its customers of a confidentiality breach or data integrity failure.
Each institution must maintain a register of all outsourced activity, whether or not material, at both institution and group level, and provide the same, together with copies of any outsourcing agreement, to its regulator on request.
The recommendations address five key areas to be considered specifically in connection with the cloud:
- access and audit rights;
- chain outsourcing (i.e. subcontracting);
- contingency plans and exit strategies;
- location of data and data processing; and
- security of data and systems.
Access and audit
The recommendations make it clear that each cloud outsourcing contract must include undertakings from the cloud service provider to provide full access to premises and systems etc. to the institution, its auditors and regulators, together with unrestricted rights of inspection and audit. These rights of access and audit must “not be impeded or limited by contractual arrangements” and should be exercised in a risk-based manner.
Where the institution does not directly appoint a third-party auditor, it should, as a minimum, consider as an alternative the use of “pooled audits” carried out by a single auditor on behalf of a group of clients of the cloud provider, or reliance on third-party certifications, or on third-party or internal audits obtained or carried out by the cloud service provider.
In the latter case, the EBA sets out specific guidance as to the diligence and verification to be carried out by the institution which should be reflected in the applicable contract.
Institutions should review access and audit clauses in templates used for cloud service outsourcing, and contracts proposed by service providers, to ensure compliance with the detail of the recommendations in this area.
Chain outsourcing
The EBA uses the term “chain” outsourcing to refer to the cloud service provider subcontracting elements of the outsourced service to other parties, which it says is “more dynamic” than in traditional outsourcing. Subcontracting should only be permitted where the subcontractor agrees to “fully comply with the obligations existing between” the institution and its service provider.
Any types of activities specifically excluded from the subcontracting right should be expressly set out in the outsourcing agreement which must also make it clear that the cloud service provider is fully responsible for the oversight, and the acts and omissions, of its subcontractors.
The EBA says that the associated risks (e.g. the insolvency or other failure of a subcontractor or associated weakness) must be taken into account by the institution where they will significantly affect the cloud service provider’s performance, but that such risks can be mitigated through arrangements to facilitate the orderly transfer of the affected activity, data or services from one subcontractor to another if needed.
The cloud outsourcing contract must provide that any changes to subcontracting arrangements (to the named subcontractor or to the related subcontracted services) are notified by the cloud service provider to the institution, per a contractually agreed notice period, with a corresponding right for the institution to terminate the cloud services contract if the new subcontracting arrangements adversely impact its risk assessment of the outsourcing arrangements.
Institutions and their advisers must ensure that contract wording permitting subcontracting in cloud service outsourcing deals covers these requirements. Likewise, the cloud service provider will want to ensure that the exercise of such rights is not detrimental to its ability to provide and evolve its cloud-based solutions, and that, where a notified subcontracting change leads to an adverse finding, the institution in fact carried out its risk assessment in an objective manner, so as to avoid a termination “for convenience” by the back door.
Contingency planning and exit
In line with the CEBS guidelines, the EBA restates the obligation on institutions to plan for, and implement where needed, continuity arrangements in the event of failure or an unacceptable deterioration of the service provider, including contingency plans and a defined exit strategy.
Cloud outsourcing contracts should include:
- termination and exit management clauses, to enable re-sourcing or re-capture of the outsourced activities;
- transition assistance and exit support provisions, to ensure that exit does not unduly disrupt the quality and continuity of the institution’s services or result in regulatory non-compliance; and
- rights for the institution to undertake ongoing service monitoring and oversight, together with indicators which will trigger exit plans as needed.
Institutions undertaking cloud (or indeed any) outsourcing need to develop, maintain, update and test their exit strategies and plans on a regular basis, including identifying alternative solutions and developing plans to transition outsourced activities in a controlled and tested manner, with particular account of data location issues and the need to maintain business continuity during the exit period.
Exit strategies should define key risk indicators in order to identify unacceptable performance, and institutions should undertake business impact analyses to understand the human and material resources, and the time, needed to implement exit plans.
Location of data and data processing
Due to data protection risks, and the challenges of effective regulatory supervision, the EBA points out that special care needs to be taken in connection with outsourcing solutions outside of the EEA. A risk-based approach should be adopted by institutions outsourcing to the cloud when considering data and data processing locations, including risk assessment of:
- oversight limitations;
- wider political and security stability;
- local legal and compliance regimes, including data protection laws; and
- local law enforcement issues including the application of insolvency law in the case of service provider insolvency.
With the coming into force of the GDPR across the EEA in May 2018, data protection and privacy issues will already be high on the agenda of institutions covered by the regulations. Further, in the context of the cloud outsourcing recommendations of the EBA, institutions need to carry out regular risk assessments so as to ensure that risks are kept “within acceptable limits commensurate with the materiality of the outsourced activity”.
Security of data and systems
The EBA restates, per the CEBS guidelines, the need for outsourcing contracts to ensure that confidential information transmitted by the institution to the service provider is protected.
In addition, building on those guidelines, cloud outsourcing contracts and related service level agreements should provide for KPIs and service levels for measuring and managing the service provider with regard to the quality and performance of its services, including ongoing monitoring of security aspects. In this area, pre-contractual diligence and verification by the institution should cover:
- as regards the potential activities, processes and related data and systems under consideration for outsourcing, their classification by reference to sensitivity, and identification of required protections;
- performance of a risk-based selection process to determine which activities etc. should be outsourced; and
- definition, in the context of the proposed cloud outsourcing, of the institution’s required levels of protection of data confidentiality, continuity of activities outsourced, and integrity and traceability of data and systems.
In addition to robust confidentiality clauses, outsourcing contracts for cloud services need to cover the items identified under bullet three above. These may include specific measures such as “the usage of encryption technologies in combination with appropriate key management architecture for data in transit, data in memory and data at rest”.
Institutions should monitor performance against their key security measures, and ensure that any corrective action is promptly taken in accordance with the outsourcing contract.
The EBA’s recommendations are largely common sense and mostly reflect current good practice, such as the need for audit rights, security assessments, contingency plans and exit strategies, which the majority of buyers of cloud services will already be following. However, there are some specific nuances in the recommendations which institutions will need to consider across the cloud services sourcing lifecycle, in terms of selecting, contracting for and managing outsourced cloud services, as well as handling any exit and transition of the activities back in-house or to another service provider.
Financial services firms looking at the cloud will also need to consider the position of national financial regulators. The UK’s Financial Conduct Authority (FCA), for example, published its “finalised guidance” on cloud computing last year.
Fortunately, the FCA’s and EBA’s approaches are not incompatible, although the FCA guidance describes its “expectations” whereas the EBA’s recommendations contain much more detail spelling out specific rights required to be included in cloud outsourcing contracts.
By Tim Wright, leader of the London global sourcing team, Pillsbury