Response to consultation on recommendations on outsourcing to cloud service providers
Go back
At the moment, the legislation and supervision applicable to the use of cloud services are currently the purview of national authorities, which leads to different legal frameworks across the European Union. This has multiple implications: banks may be constrained in contracting a cloud service provider located in another Member State (this is also an issue for banks active in several Member States), banks may be at a competitive disadvantage vis-à-vis both other incumbents located in Member States with less stringent regulation, and vis-à-vis newcomers. There is hence urgency for legal certainty and harmonization in using cloud service providers cross-border, and for clarity and harmonization of the supervisory requirements applicable to banks in this respect.
Currently, there are a couple of obstacles that prevent financial services firms from using cloud computing services providers (CSP). These issues can be summarised as follows:
• Cybersecurity is by far the first and most important priority with regards to the use of cloud computing services, and the aspect raising the largest and most critical risks. Cyber-attacks are a constant threat nowadays, and the security measures provided by CSPs must stand up to the necessary level of security standards. However, experience has showed that CSPs’ security measures are still not as developed as financial sector companies expect and need them to be. This issue has slowed down the adoption of cloud solutions by financial enti-ties.
• The existence of still very few credible CSPs leads to a considerable concentration risk, with regards to cybersecurity risks especially. These risks will be further enhanced in the following years as an increasing amount of financial entities are expected to transfer their data towards cloud infrastructures, where the most valuable data behind their business models may reside (e.g. AI algorithms), generating large incentives for cyber crooks to act against CSPs’ infrastructures.
• Another reason slowing down the adoption of cloud solutions is the reputational risk fi-nancial entities face due to the difficulty for CSPs of ensuring a compliant and secure pro-tection of the information they store (with effect on personal data protection and privacy rules). As CSPs are not required to comply with the same regulatory and supervisory re-quirements of banks, in practice it is truly complicated that CSPs ensure banks cybersecuri-ty objectives in cloud networks.
• The lack of harmonization in regulatory approaches across different jurisdictions and the lack of clarity in supervisory expectations hinder the compliance with rules regarding the use, management and storage of customer information, and increase uncertainty in relation to the criteria for the approval of cloud projects.
• The cloud computing leaders are mainly major US companies such as Microsoft, Salesforce or Oracle. Banks, even major banks, are currently fragile in the negotiation with those companies. The principle for the providers is that cloud services are standard ones subject to standard terms and conditions imposed on the parties. Customers, in particular banks, need to be confident that they have met their needs (technical and legal) when adopting cloud services. Therefore a reference framework is required.
ESBG welcomes these Recommendations which represent a first step towards meeting the wishes that guidelines should be adopted to ensure a common approach by regulators/supervisors regard-ing procedures and methodologies and that should provide the banking sector the necessary clarity for the adoption of cloud solutions, a step that would provide significant benefits for the industry.
ESBG nevertheless would like to formulate the following remarks:
Special attention should be paid to avoid inconsistencies between regulations or accumulation of similar obligations resulting from different regulations (on location of data or security for instance).
Moreover, despite the clarification of these guidelines it is essential that the European Commission takes some initiatives to constrain CSP’s to implement a main part of EBA Recommendations.
ESBG would suggest the following actions to be designed to facilitate access to cloud solutions and the development of cloud in the banking industry:
• Ideally customers should be able to compare the different cloud solutions with an easy evaluation grid (the CSP offering standardized offers which would allow the comparison);
• The European Commission should spell out guiding principles for contracting between in-stitutions (banking or other) and CSPs, whatever the sector.
In order to allow banks to be confident that they have met their needs when adopting cloud services, the CSPs shall provide cloud solutions certified as conforming to technical, legal and security standards defined by the banking authority or the European Commission. In our view CSPs should have the same execution framework with all their clients (includ-ing banking institutions) and should be certified by a regulator.
Contract terms and conditions should also be standardized. The European Commission has already begun to work on a code of conduct on data protection for cloud services and on a Service Level Agreement. Those initiatives could be extended to define:
o Standardized terms and conditions integrating all the provisions proposed by the EBA regarding access and audit rights, security of data and systems, location of da-ta and data processing, chain outsourcing, contingency plans and exit strategies ;
o Standardized level of security depending on the business concerned.
However, the compliance with this framework should not be placed on banks exclusively as they do not have the ability to impose their conditions to CSPs.
• Last but not least the development of European cloud services should be facilitated.
ESBG believes that there are some areas in which these Recommendations can be improved, re-garding some specific practical hurdles banking entities have found during recent years. ESBG has some specific comments related to the various sections of the draft Recommendations. Please find those comments herewith.
Section 4.2 Duty to adequately inform supervisors.
Even though ESBG agrees with the detailed list of data outsourcing institutions are expected to inform competent authorities on, it needs to be taken into account that the load of regulatory and supervisory reporting has increased significantly during recent years, and that clarity is needed for expectations to be fulfilled. Therefore, ESBG would suggest that EBA proposes a template form for ex ante reporting of projects including outsourcing to cloud services, so that reporting to differ-ent national competent authorities is harmonized.
Section 4.3 Access and audit rights.
ESBG positively regards the recognition on these Recommendations of the right of access to a cloud service providers’ business premises (including all sorts of devices, systems, networks and data) and the right to undertake unrestricted inspections and auditing. However, both EBA and competent authorities need to take into account that in practice the physical access to the business premises of a cloud services provider hardly allows an outsourcing institution to properly observe the treatment and path of the data on cloud infrastructures. Actually, the amount of data out-sourced is so large that it is inconceivable that a physical access to the business premises of the provider helps analyse any relevant information. As a consequence of that, the EBA should con-sider including in section 4.3 dispositions ensuring that virtual access to data, with continuous monitoring capabilities for the outsourcing institution, is granted to outsourcing institutions and competent authorities. Otherwise, these recommendations risk of soon becoming irrelevant in practical terms. And in order to adequately monitor the compliance of contractual arrangements in relation to the rights of access and the right to audit, ongoing supervision by national competent authorities should be enhanced on these EBA recommendations.
Section 4.5 Security of data and systems.
This section properly recognizes the need that CSPs comply with contractual arrangements regard-ing security terms, especially those related to confidentiality, privacy, data protection and cyberse-curity. ESBG completely agrees with the idea that the adoption of cloud solutions by financial entities has to come hand-to-hand with CSPs’ obligation to deliver all the security measures re-quired by the former, and that the enforcement of this can be significantly enhanced through su-pervisory activities. Currently not every requirement in relation to cybersecurity issues is fully met by all CSPs, which hinders the adoption of cloud solutions. In particular, ESBG has identified the following critical requirements that are hardly ensured by CSPs: (i) a secure infrastructure of keys and encryption, ensuring multiple encryption of data with keys stored in the financial entities’ in-frastructure; (ii) traceability of all data stored in cloud infrastructures; (iii) certified security mech-anisms; and (iv) compliance with data protection and privacy rules.
As a consequence of that, banks and other financial entities acting as cloud service consumers need assurance that all contract terms are fulfilled by CSPs, as they all affect the security level around the data outsourced. Two main challenges arise when negotiating contract arrangements with CSPs: (i) CSPs are not always able to comply with specific contract terms in practice (e.g. user’ and supervisor’s right to audit), and (ii) CSP are not always willing neither to negotiate their template contracts in order to accommodate to different regulations and national or entity specific-ities nor to include non-regulated issues into contractual arrangements. The position CSPs are adopting in contractual negotiations arise from the fact that they are not required to comply with the regulatory and supervisory rules banks are entitled to. Hence, taking this into account, a com-mon regulatory framework should be developed so as to facilitate compliance with a commonly understood set of minimum requirements to operate in the EU, translated into a core of minimum contractual arrangements to be included in all contractual relationships between CSPs and their users, certainly:
• That all data stored in CSPs’ infrastructures are located, treated and processed in the EEA zone, including when cloud computing services are subcontracted.
• That CSPs allow their users to undertake every operational or technological controls re-quired by internal policies, processes and governance arrangements, as well as every re-quirement regulators or supervisors may ask in the future.
• That all data stored in CSPs is encrypted.
• That CSPs comply with all data protection and privacy rules.
• That CSPs obtain and maintain every certification required by specific regulator or body governing cloud computing services. In this respect, it would be useful to adopt a single certification scheme at EU level, which all CSPs have to obtain in order to be able to pro-vide cloud services. For instance, the European security certification framework (EU-SEC), a project under the Horizon 2020 programme.
• That CSPs ensure cloud users to undertake continuous monitoring activities whenever necessary, as well as virtual or ongoing audit.
• That CSPs must report any IT or cybersecurity incident, in particular when the data breach could be identified as that pertaining to a specific client, to both their clients and their su-pervisors, and that they will ensure that incident reporting deadlines are met by their cli-ents. For example, the 2-hour deadline for the initial reporting of incidents under the EBAs consulted Guidelines on major incident reporting under PSD2 will not be met by banks if contractual arrangements do not oblige CSPs to either report the incidents to the supervi-sors by themselves or report to their client with sufficient time in advance.
• That CSPs have a business continuity plan for every client, so as to ensure the latter are able to switch providers whenever they deem necessary.
• That users of cloud computing services hold the right to extract data anytime.
Section 4.6 Location of data and data processing.
Paragraph 19 of the draft recommendations state that institutions should take “special care” when entering into and managing outsourcing agreement undertaken outside the EEA. However, ESBG considers that this approach may not be enough in order to properly enforce and supervise the cur-rent EU regulatory framework under contractual arrangements for outsourcing to cloud service providers. Therefore, ESBG suggests EBA recommends that, every time it is possible, outsourced data stays in the EEA, and that the localization and processing of data outside the EEA is left only for cases in which the data is actually exchanged between data centres in and out of the EEA.
Section 4.7 Chain outsourcing.
In relation to the previous issue, ESBG would suggest that special consideration is given to the localization of the data in cases of chain outsourcing. National competent authorities should take a rather strict approach in relation to CSPs outsourcing cloud services to providers that place data outside the EEA.
Section 4.8 Contingency plans and exit strategies.
ESBG suggests differentiating regulatory and supervisory expectations for contingency planning referring to the exit to other providers or inwards (back to internal infrastructures). As paragraph 27 of the draft recommendations states, “an outsourcing institution should also ensure that they are able to exit cloud outsourcing arrangements if needed without undue disruption to their provi-sion of services, or adverse effects on their compliance with the regulatory regime and without detriment to the continuity and quality of its provision of services to clients”. This issue, including every aspect mentioned in detail in that paragraph, must be included in contractual arrangements between a bank and a cloud services provider. ESBG fully agrees with exit to other providers hav-ing to be ensured by contractual arrangements. However, ESBG finds it very difficult in practice to ensure exit to internal infrastructures, and this should be considered by both the EBA and na-tional competent authorities. Therefore, ESBG would suggest modifying paragraph 27.c) as fol-lows:
“(c) Ensure the outsourcing agreement includes an obligation on the cloud service provider to or-derly transfer the activity and that of the subcontractors to another service provider or to the direct management of the outsourcing institution in case of the termination of the outsourcing agree-ment.”
They could be more detailed on the contingency plans and exit strategies. The exit plan depends mainly on the good will of the cloud service provider (CSP) and the use of standards format that allows migration of data. Specific obligations must be imposed on CSPs regarding migration pro-cess and standardization. In our view the continuity plan should be the responsibility of the CSP and this should be reflected in the contracting of the institution with the CSP. It is up to the CSP to provide an exit solution to its customers and justification to the regulator.
• to spell out guiding principles for contractual terms with CSPs.
• and to be reassured on the fact that they have met the technical, legal and security stand-ards defined by the European Banking Authority or the European Commission when adopting cloud services (through certification of cloud solutions).
Question 1: Are the provisions from these recommendations clear and sufficiently detailed to be used in the context of cloud outsourcing?
ESBG welcomes the opportunity to review and comment on these draft Recommendations.At the moment, the legislation and supervision applicable to the use of cloud services are currently the purview of national authorities, which leads to different legal frameworks across the European Union. This has multiple implications: banks may be constrained in contracting a cloud service provider located in another Member State (this is also an issue for banks active in several Member States), banks may be at a competitive disadvantage vis-à-vis both other incumbents located in Member States with less stringent regulation, and vis-à-vis newcomers. There is hence urgency for legal certainty and harmonization in using cloud service providers cross-border, and for clarity and harmonization of the supervisory requirements applicable to banks in this respect.
Currently, there are a couple of obstacles that prevent financial services firms from using cloud computing services providers (CSP). These issues can be summarised as follows:
• Cybersecurity is by far the first and most important priority with regards to the use of cloud computing services, and the aspect raising the largest and most critical risks. Cyber-attacks are a constant threat nowadays, and the security measures provided by CSPs must stand up to the necessary level of security standards. However, experience has showed that CSPs’ security measures are still not as developed as financial sector companies expect and need them to be. This issue has slowed down the adoption of cloud solutions by financial enti-ties.
• The existence of still very few credible CSPs leads to a considerable concentration risk, with regards to cybersecurity risks especially. These risks will be further enhanced in the following years as an increasing amount of financial entities are expected to transfer their data towards cloud infrastructures, where the most valuable data behind their business models may reside (e.g. AI algorithms), generating large incentives for cyber crooks to act against CSPs’ infrastructures.
• Another reason slowing down the adoption of cloud solutions is the reputational risk fi-nancial entities face due to the difficulty for CSPs of ensuring a compliant and secure pro-tection of the information they store (with effect on personal data protection and privacy rules). As CSPs are not required to comply with the same regulatory and supervisory re-quirements of banks, in practice it is truly complicated that CSPs ensure banks cybersecuri-ty objectives in cloud networks.
• The lack of harmonization in regulatory approaches across different jurisdictions and the lack of clarity in supervisory expectations hinder the compliance with rules regarding the use, management and storage of customer information, and increase uncertainty in relation to the criteria for the approval of cloud projects.
• The cloud computing leaders are mainly major US companies such as Microsoft, Salesforce or Oracle. Banks, even major banks, are currently fragile in the negotiation with those companies. The principle for the providers is that cloud services are standard ones subject to standard terms and conditions imposed on the parties. Customers, in particular banks, need to be confident that they have met their needs (technical and legal) when adopting cloud services. Therefore a reference framework is required.
ESBG welcomes these Recommendations which represent a first step towards meeting the wishes that guidelines should be adopted to ensure a common approach by regulators/supervisors regard-ing procedures and methodologies and that should provide the banking sector the necessary clarity for the adoption of cloud solutions, a step that would provide significant benefits for the industry.
ESBG nevertheless would like to formulate the following remarks:
Special attention should be paid to avoid inconsistencies between regulations or accumulation of similar obligations resulting from different regulations (on location of data or security for instance).
Moreover, despite the clarification of these guidelines it is essential that the European Commission takes some initiatives to constrain CSP’s to implement a main part of EBA Recommendations.
ESBG would suggest the following actions to be designed to facilitate access to cloud solutions and the development of cloud in the banking industry:
• Ideally customers should be able to compare the different cloud solutions with an easy evaluation grid (the CSP offering standardized offers which would allow the comparison);
• The European Commission should spell out guiding principles for contracting between in-stitutions (banking or other) and CSPs, whatever the sector.
In order to allow banks to be confident that they have met their needs when adopting cloud services, the CSPs shall provide cloud solutions certified as conforming to technical, legal and security standards defined by the banking authority or the European Commission. In our view CSPs should have the same execution framework with all their clients (includ-ing banking institutions) and should be certified by a regulator.
Contract terms and conditions should also be standardized. The European Commission has already begun to work on a code of conduct on data protection for cloud services and on a Service Level Agreement. Those initiatives could be extended to define:
o Standardized terms and conditions integrating all the provisions proposed by the EBA regarding access and audit rights, security of data and systems, location of da-ta and data processing, chain outsourcing, contingency plans and exit strategies ;
o Standardized level of security depending on the business concerned.
However, the compliance with this framework should not be placed on banks exclusively as they do not have the ability to impose their conditions to CSPs.
• Last but not least the development of European cloud services should be facilitated.
ESBG believes that there are some areas in which these Recommendations can be improved, re-garding some specific practical hurdles banking entities have found during recent years. ESBG has some specific comments related to the various sections of the draft Recommendations. Please find those comments herewith.
Section 4.2 Duty to adequately inform supervisors.
Even though ESBG agrees with the detailed list of data outsourcing institutions are expected to inform competent authorities on, it needs to be taken into account that the load of regulatory and supervisory reporting has increased significantly during recent years, and that clarity is needed for expectations to be fulfilled. Therefore, ESBG would suggest that EBA proposes a template form for ex ante reporting of projects including outsourcing to cloud services, so that reporting to differ-ent national competent authorities is harmonized.
Section 4.3 Access and audit rights.
ESBG positively regards the recognition on these Recommendations of the right of access to a cloud service providers’ business premises (including all sorts of devices, systems, networks and data) and the right to undertake unrestricted inspections and auditing. However, both EBA and competent authorities need to take into account that in practice the physical access to the business premises of a cloud services provider hardly allows an outsourcing institution to properly observe the treatment and path of the data on cloud infrastructures. Actually, the amount of data out-sourced is so large that it is inconceivable that a physical access to the business premises of the provider helps analyse any relevant information. As a consequence of that, the EBA should con-sider including in section 4.3 dispositions ensuring that virtual access to data, with continuous monitoring capabilities for the outsourcing institution, is granted to outsourcing institutions and competent authorities. Otherwise, these recommendations risk of soon becoming irrelevant in practical terms. And in order to adequately monitor the compliance of contractual arrangements in relation to the rights of access and the right to audit, ongoing supervision by national competent authorities should be enhanced on these EBA recommendations.
Section 4.5 Security of data and systems.
This section properly recognizes the need that CSPs comply with contractual arrangements regard-ing security terms, especially those related to confidentiality, privacy, data protection and cyberse-curity. ESBG completely agrees with the idea that the adoption of cloud solutions by financial entities has to come hand-to-hand with CSPs’ obligation to deliver all the security measures re-quired by the former, and that the enforcement of this can be significantly enhanced through su-pervisory activities. Currently not every requirement in relation to cybersecurity issues is fully met by all CSPs, which hinders the adoption of cloud solutions. In particular, ESBG has identified the following critical requirements that are hardly ensured by CSPs: (i) a secure infrastructure of keys and encryption, ensuring multiple encryption of data with keys stored in the financial entities’ in-frastructure; (ii) traceability of all data stored in cloud infrastructures; (iii) certified security mech-anisms; and (iv) compliance with data protection and privacy rules.
As a consequence of that, banks and other financial entities acting as cloud service consumers need assurance that all contract terms are fulfilled by CSPs, as they all affect the security level around the data outsourced. Two main challenges arise when negotiating contract arrangements with CSPs: (i) CSPs are not always able to comply with specific contract terms in practice (e.g. user’ and supervisor’s right to audit), and (ii) CSP are not always willing neither to negotiate their template contracts in order to accommodate to different regulations and national or entity specific-ities nor to include non-regulated issues into contractual arrangements. The position CSPs are adopting in contractual negotiations arise from the fact that they are not required to comply with the regulatory and supervisory rules banks are entitled to. Hence, taking this into account, a com-mon regulatory framework should be developed so as to facilitate compliance with a commonly understood set of minimum requirements to operate in the EU, translated into a core of minimum contractual arrangements to be included in all contractual relationships between CSPs and their users, certainly:
• That all data stored in CSPs’ infrastructures are located, treated and processed in the EEA zone, including when cloud computing services are subcontracted.
• That CSPs allow their users to undertake every operational or technological controls re-quired by internal policies, processes and governance arrangements, as well as every re-quirement regulators or supervisors may ask in the future.
• That all data stored in CSPs is encrypted.
• That CSPs comply with all data protection and privacy rules.
• That CSPs obtain and maintain every certification required by specific regulator or body governing cloud computing services. In this respect, it would be useful to adopt a single certification scheme at EU level, which all CSPs have to obtain in order to be able to pro-vide cloud services. For instance, the European security certification framework (EU-SEC), a project under the Horizon 2020 programme.
• That CSPs ensure cloud users to undertake continuous monitoring activities whenever necessary, as well as virtual or ongoing audit.
• That CSPs must report any IT or cybersecurity incident, in particular when the data breach could be identified as that pertaining to a specific client, to both their clients and their su-pervisors, and that they will ensure that incident reporting deadlines are met by their cli-ents. For example, the 2-hour deadline for the initial reporting of incidents under the EBAs consulted Guidelines on major incident reporting under PSD2 will not be met by banks if contractual arrangements do not oblige CSPs to either report the incidents to the supervi-sors by themselves or report to their client with sufficient time in advance.
• That CSPs have a business continuity plan for every client, so as to ensure the latter are able to switch providers whenever they deem necessary.
• That users of cloud computing services hold the right to extract data anytime.
Section 4.6 Location of data and data processing.
Paragraph 19 of the draft recommendations state that institutions should take “special care” when entering into and managing outsourcing agreement undertaken outside the EEA. However, ESBG considers that this approach may not be enough in order to properly enforce and supervise the cur-rent EU regulatory framework under contractual arrangements for outsourcing to cloud service providers. Therefore, ESBG suggests EBA recommends that, every time it is possible, outsourced data stays in the EEA, and that the localization and processing of data outside the EEA is left only for cases in which the data is actually exchanged between data centres in and out of the EEA.
Section 4.7 Chain outsourcing.
In relation to the previous issue, ESBG would suggest that special consideration is given to the localization of the data in cases of chain outsourcing. National competent authorities should take a rather strict approach in relation to CSPs outsourcing cloud services to providers that place data outside the EEA.
Section 4.8 Contingency plans and exit strategies.
ESBG suggests differentiating regulatory and supervisory expectations for contingency planning referring to the exit to other providers or inwards (back to internal infrastructures). As paragraph 27 of the draft recommendations states, “an outsourcing institution should also ensure that they are able to exit cloud outsourcing arrangements if needed without undue disruption to their provi-sion of services, or adverse effects on their compliance with the regulatory regime and without detriment to the continuity and quality of its provision of services to clients”. This issue, including every aspect mentioned in detail in that paragraph, must be included in contractual arrangements between a bank and a cloud services provider. ESBG fully agrees with exit to other providers hav-ing to be ensured by contractual arrangements. However, ESBG finds it very difficult in practice to ensure exit to internal infrastructures, and this should be considered by both the EBA and na-tional competent authorities. Therefore, ESBG would suggest modifying paragraph 27.c) as fol-lows:
“(c) Ensure the outsourcing agreement includes an obligation on the cloud service provider to or-derly transfer the activity and that of the subcontractors to another service provider or to the direct management of the outsourcing institution in case of the termination of the outsourcing agree-ment.”
They could be more detailed on the contingency plans and exit strategies. The exit plan depends mainly on the good will of the cloud service provider (CSP) and the use of standards format that allows migration of data. Specific obligations must be imposed on CSPs regarding migration pro-cess and standardization. In our view the continuity plan should be the responsibility of the CSP and this should be reflected in the contracting of the institution with the CSP. It is up to the CSP to provide an exit solution to its customers and justification to the regulator.
Question 2: Are there any additional areas which should be covered by these recommendations in order to achieve convergence of practices in the context of cloud outsourcing?
No, the scope of these recommendations is sufficient. As expressed answering to the first question, the main priority should be, in parallel to the guidelines, to help banks:• to spell out guiding principles for contractual terms with CSPs.
• and to be reassured on the fact that they have met the technical, legal and security stand-ards defined by the European Banking Authority or the European Commission when adopting cloud services (through certification of cloud solutions).