Response to consultation on recommendations on outsourcing to cloud service providers
Go back
EBF supports the additional guidance to the existing CEBS Guidelines.
We support the efforts made by the European Banking Authority (EBA) to provide additional guidance to the existing guidelines of the Committee of European Banking Supervisors (CEBS) with the aim of fostering supervisory convergence regarding the current expectations and processes for the use of outsourced cloud computing in financial services (FS). The consideration given to the proportionality principle and to the risk-based approach seems adequate to accommodate the new challenges and ensure these recommendations are future-proof. Nevertheless, it is essential that fragmentation, as regards financial supervisory regulation among Member States (MS), is avoided.
However, the draft recommendations remain too high-level and could leave room to multiple interpretations at national level.
▪ We are additionally concerned that the draft EBA recommendations, as they currently stand, may not be sufficient to have a positive impact on cloud adoption within financial services in Europe.
The draft EBA recommendations which “aim[ed] to address the heterogeneity in the supervisory expectations regarding the technical security of cloud computing services” (see page 6) do not seem to achieve their initial goal as they are still high-level recommendations that will not prevent different interpretations/approaches by supervisors at national level.
In most cases, the draft recommendations include a non-exhaustive list of general criteria, which will allow National Competent Authorities (NCAs) to include their own additional criteria or to have diverging interpretations on how to fulfil the proposed requirements. They also leave many technical security requirements to the discretion, interpretation or risk appetite of the supervisors rather than to the risk appetite of the outsourcing entity where it properly belongs. Supervisors should be able to explain the reasons (to the institution and/or the CSP) in case they do not support an initiative being outsourced to a CSP.
It is important to enable a consistent application of a risk-based approach to cloud computing in FS and to ensure that any recommendations focus on outcomes rather than listing prescriptive requirements. Competent authorities and national regulators must make every effort to comply with these recommendations without adding extra layers to the stipulated requirements.
We believe that the development of guidelines or other instruments requiring direct application by National Competent Authorities would be a better option.
The national supervisory authorities/EBA/European Central Bank (ECB) and other European institutions such as the European Commission (EC) should try to promote the safe use of cloud services in the Digital Single Market (DSM), ensuring a level playing field for all players, both within the EU and beyond. Restricting the use of cloud services will negatively affect the digital transformation of financial institutions in Europe and impede the creation of an innovative FinTech ecosystem.
The ultimate goal must be to avoid the development of different reporting criteria and/or the fragmentation of requirements between Member States.
▪ EBA's objective should be to reach a point where notification on a case-by-case basis is not required at either EU or national level.
We have argued in the past that the requirement of notification of cloud projects on a case-by-case basis significantly increases the time to market thereby reducing the benefit of using the cloud in financial services. The industry firmly believes that EBA should aim, among others, at reaching a point where notification on a case-by-case basis is not required either at EU level or by NCAs. A first step toward this goal is to require notification only of material outsourcing, which will reduce the divergence between MS as to which different elements supervisors may take into account when evaluating cloud projects. We believe the process should allow the communication to take place once the cloud initiative is in the production phase.
It is important to continuously assess and update the EU outsourcing regulation to ensure it is adapted to the technology-enabled world.
Given the rapid growth of technology in financial services over the past few years, which is expected to continue, it is necessary to regularly assess and update the EU outsourcing regulation to make it more relevant to the technology-enabled world of finance. The most notable technologies that will benefit from cloud computing are data analytics, machine learning and distributed ledgers. In addition, many of the start-ups providing technological solutions to the banking industry or directly to consumers take a “cloud first” approach, thereby enabling greater and more efficient use of cloud computing with direct benefits on innovation and competition in financial services.
The industry welcomes the draft EBA recommendations on using cloud computing in financial services, which represent a starting point to set up an essential baseline for a deeper contextualisation around cloud computing specificities.
However, as long as outsourcing rules designed for a different paradigm remain linked to regulatory consideration, the use of cloud in financial services will continue to suffer from unnecessary frictions. The recommendations should thus introduce further clarifications on the outsourcing concepts.
Cloud Service Providers should be certified based on recognised international standards.
Third-parties’ certification mentioned in paragraph 8(b) would help financial institutions by allowing them to rely on a standard approach across Europe. We believe Cloud Service Providers (CSPs) should be certified based on recognised international standards, such as SSAE 16, SOC1 or SOC2, in order to comply with supervisors’ demands in regard to risk mitigation measures. The financial services industry will work with CSPs to define how third-party audits would work and what criteria should be met so as to be accepted by EBA and NCAs. This would create a more agile process facilitating the use of CSPs in financial services.
The adoption of base standard certifications to guarantee compliance or the definition of a cloud outsourcing banking standard against which a certification could be requested, would help outsourcing institutions and CSPs across Europe to reduce the compliance burden and increase security. A more detailed reference to a base standard certification would thus help.
The development of high-level principles by the industry should be favoured.
A non-approval of a risk analysis could come with a clear gap analysis of what control measures were lacking and would need to be implemented in order to reduce risk in any single outsourcing.
We thus believe the creation of a harmonised European and global technology risk framework could be beneficial in alleviating or limiting many of the frictions caused by regulatory uncertainty. However, such a solution would need to be wide-ranging and led by the industry itself in order to overcome the difficulties inherent in cross-jurisdictional approaches.
Essential benefit could be derived by EU regulators’ recognition of a defined best practice.
The EBA should work closely with the financial services industry to develop defined best practice ensuring an increased level of certainty and alleviating frictions in the current process for obtaining cloud services.
The financial services industry will also work with CSPs to define what high-level principles should be met so as to be accepted by the EBA and NCAs. This would create a more agile process to use CSPs in financial services.
Further consideration should be given to the GDPR to be implemented by May 2018.
Cloud outsourcing includes data transfers between controllers and processors. As personal data needs to be secured at all times, adequate organisational and technical measures by both controllers and processors are vital.
It is noted that CSPs should be considered as processors according to article 28 GDPR, meaning that CSPs shall also comply with GDPR obligations (such as article 30 paragraph 2 and articles 32 and 33 paragraph 2 GDPR).
We observe a certain overlap between local data protection laws, the future GDPR provisions for the protection of personal data and the requests made by national supervisors to perform risk analysis. We believe it is essential to take into account that data protection issues should be supervised by Data Protection Authorities (DPAs), on the basis of GDPR and local data protection laws. The National Supervisory Authorities (NSAs) should abide by the GDPR and the DPAs’ decisions, if they have given permission to use a cloud service complying with all security and privacy measures. The decisions of the NSAs should not be stricter than the decisions of the DPAs as this would undermine the usage of the cloud and affect competition with other players that are not under NSA supervision.
In addition, it is important to stress that, in order to ensure a level playing field, EU members’ players should comply equally with regard to GDPR, but should not be forced to comply with additional requirements to data protection, privacy and cybersecurity measures. Doing so would increase the competitive gap with non-European countries who come across fewer obstacles in using the Cloud.
▪ The recommendations should explicitly mention the underlying risk driver.
It would also be very helpful if, for each EBA recommendation, the underlying risk driver were explicitly mentioned. This would help in understanding why a recommendation is formulated as it is.
1. Are the provisions from these recommendations clear and sufficiently detailed to be used in the context of cloud outsourcing?
In general, we believe that these draft recommendations provide additional clarifications to institutions on outsourcing to cloud service providers.
We welcome the recognition by the European Banking Authority (EBA) of the existing significant levels of uncertainty regarding the supervisory expectations that apply to outsourcing to Cloud Service Providers (CSPs) (mainly due to differences in the national regulatory and supervisory frameworks for cloud outsourcing) and the resulting barrier to institutions using cloud services.
We support the efforts made by the EBA to provide additional guidance to the existing guidelines of the Committee of European Banking Supervisors (CEBS) with the aim to foster supervisory convergence regarding the current expectations and processes for the cloud. The consideration given to the proportionality principle and the risk-based approach seems adequate to accommodate the new challenges and ensure these recommendations are future-proof.
This said, although the recommendations represent a positive first step to bringing harmonisation and avoiding national regulatory and supervisory differences, the development of guidelines or other instruments requiring direct application would be a better option than recommendations which do not prevent different approaches/ interpretations by supervisors at national level. In most cases, the recommendations include a non-exhaustive list of general criteria, which will allow National Competent Authorities (NCAs) to include their own additional criteria or to apply diverging interpretations on how to fulfill the proposed requirements.
In our view, the list of criteria should not leave room for interpretation. It is important to enable the consistent implementation of a risk-based approach and that this implementation is built on principles and outcomes rather than on a prescriptive list. Competent authorities and financial institutions must make every effort to comply with these recommendations. It is indeed important that the local regulators do not add extra layers to those requirements.
The EBA should work closely with the financial services industry to develop defined best practices. Such best practices will provide the industry with the level of certainty it requires and will alleviate frictions in the current process for obtaining cloud services without requiring that EBA sets out more prescriptive regulation, which in turn would make the recommendations difficult to adapt to future needs. The financial services industry will also work with CSPs to define what high-level principles should be met so as to be accepted by the EBA and NCAs. This would create a more agile process to use CSPs in financial services.
In addition to the above general comments, please find below our detailed opinion on some of the observations.
CHAPTER 2 – SUBJECT MATTER, SCOPE AND DEFINITIONS
DEFINITIONS
As a general comment, we observe that the definition of cloud computing mentioned in the draft recommendations corresponds to the definition of the National Institute of Standards and Technology (NIST) Special Publication SP 800-145, published in September 2011.The definition provided by the draft EBA recommendations remain however more concise, which may lead to confusion. We therefore recommend to make direct reference to the NIST SP 800-145, which provides a complete definition, as well as to the ISO-IEC 17788-2014, which also represents an international standard which is technology- neutral.
In view of the above, we would request to remove all the definitions mentioned in the summary table at the bottom of page 10. A second reason for the request to remove this table would be that the definition of the NIST SP 800-145 distinguishes between IaaS, PaaS and SaaS, while the draft EBA recommendations seem to apply to any and all forms of cloud computing.
CHAPTER 4 – RECOMMENDATIONS ON OUTSOURCING TO CLOUD SERVICE PROVIDERS
CHAPTER 4.1 - MATERIALITY ASSESSMENT
We welcome the clarification of the required materiality assessment for cloud computing. We agree with the risk-based approach adopted in the guidelines as such an approach remains, in our view, the best way to ensure appropriate risk control and mitigation. In addition to a risk-based approach, the principle of proportionality is important to consider.
There may be instances where the use of cloud computing could be considered by regulators/supervisors as resulting in certain risks (e.g. exit concerns), but - to the contrary - the use of the cloud could contribute to significantly reduce risks compared to the on-premise present situation. Cloud offers a lot of opportunity to materially increase security and facilitate compliance with GDPR.
We would like to stress that materiality assessment differs from the requirements of other risk assessments. Despite the definition of materiality which is provided and based on the CEBS Guidelines, the definition provided by the draft EBA recommendations is not sufficient as it does not give any qualitative or quantitative criteria to objectively establish if a service is considered material or not. The industry should therefore participate to the elaboration of criteria which will be recognised by the National Competent Authorities (NCAs) in order to ensure legal certainty, achieve a certain harmonisation and manage cloud outsourcing of activities with low risk impact.
As a suggestion for amendment, we believe that the term “material” should be limited to the core business by reference to annex 1 Directive 2013/36/EU “List of activities subject to mutual recognition”.
The following wording is therefore proposed:
“1. Outsourcing institutions should, prior to any outsourcing of their activities, assess which activities should be considered as material in line with the list of activities subject to mutual recognition mentioned in annex 1 Directive 2013/36/EU (1). Institutions should perform this assessment of the activities’ materiality on the basis of CEBS guidelines and, in particular as regards outsourcing to cloud service providers, taking into account all of the following:”
(1) Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC Text with EEA relevance
The EBA recommendations should also indicate the possibility of avoiding double assessment in cases the activity is identical or very similar.
It should be indeed possible to rely on initial assessments conducted for identical or similar activities.
In case new aspects should be taken into account for the assessment, this assessment should only cover the points which are diverging from the previous one. Minor changes should not justify a completely new assessment. There could also be cases where the assessment is not necessary: for example when adding an activity into a framed contract with the same or similar objective, only concise additional information might be required, meaning that a new assessment should not be required.
If nevertheless an assessment is needed, a quick review should be conducted within a shorter period than the one usually conducted for a complete assessment.
It is important that the EBA recommendations also cover cases where a service added into a contract has already been communicated or accepted by the authority, and clarify what should (or shouldn’t) be communicated/notified to the authority.
The following wording is therefore proposed:
“(c) in cases where the activity is identical or very similar, the outsourcing institutions should be able to rely on previous similar assessments to avoid unnecessary double assessments and take into account the information already communicated.”
“(b) the direct operational impact of outages, and related legal and reputational risks”
We propose to delete these criteria as it is incorrectly assuming that the risk of disruption increases with a CSP. The opposite may well be the case, depending upon the size of the bank vs the CSP.
“(c) the impact any disruption of the activity might have on their revenue prospects”
We propose to delete this sentence since this cannot be allocated to a single outsourcing. Other methods are generally in place to analyse this aspect.
Among the four criteria mentioned, only criteria (a) and (d) should be maintained
It is important that all banks make the necessary assessments and report them to their NCA. This should in turn ensure that all institutions and NCAs, on aggregate, take systemic risks into consideration. We consider however that among the four criteria mentioned, only criteria (a) and (d) should be maintained. “(a)” is specific to cloud outsourcing and “(d)” covers GDPR considerations. The rest of the criteria are not specific to outsourcing, meaning that they must be taken into account and be assessed in any service, even for those offered directly without any outsourcing agreement.
CHAPTER 4.2 – DUTY TO ADEQUATELY INFORM SUPERVISORS
The current draft recommendations require significant amounts of duplication in form and content of the information to be collected and reported to regulators/supervisors. For example, regarding personal data outsourced that implies an international data transfer outside the EU, it would mean reporting/communicating information to Data Protection Authority (DPA) and to the national supervisory authorities which might have different approaches. As other examples, paragraph 4.2.2 lists the information to be made available for material outsourcing, paragraph 4.2.3 lays out additional information on the firm’s risk analysis that may be requested, and paragraphs 4.2.4 and 4.2.5 detail the requirements of a register of outsourced activity including non-material activity which is to be maintained at institution and group level and submitted to NCAs upon request.
The level of duplication is increased by the right of NCAs to request additional information in all cases as per paragraph 3. We thus question how this information will be understood by NCAs and whether such an ad hoc collection of information would create a potential for continued variation in the regulatory approach across national jurisdictions, which would go against the purpose of these recommendations. We would therefore advocate for a common risk-based approach across national jurisdictions.
PARAGRAPH 2
In our view, this recommendation neither establishes precisely what has to be communicated, nor the Authority/Authorities (national and/or European Central Bank level) to be informed nor the procedure and deadline for Authorities to accept/not oppose the outsourcing of the service.
Currently, some jurisdictions do not observe any authorisation/approval procedure but rather provide “administrative silence” or “silent assent” after one month. Moreover, even if there are security checks conducted by the supervisor, banks never know in advance what would be required to comply with those requirements.
One of the main issues is to make a distinction between non-material and material activities. We believe that non-material services should not be subject to any notifications in line with the CEBS guidelines 5 (2006) which clearly state that there should be no restrictions on the outsourcing of non-material activities" and "in such cases the outsourcing institution does not need to adequately inform its supervisory authority". For non-material services there are several items which may not be available for the assessment of the service that an institution wants to outsource. In particular, if an outsourcing institutions’ initial assessment reveals that the service to be outsourced to the cloud is in no way material, several requirements including the execution of a fully documented in-depth risk analysis, privacy assessment and legal/contractual screening are replaced by a different assessment requiring less documentation. Therefore, for non-material cloud services, we would prefer deleting the proposed EBA requirements for recording information under requirements 5(a) concerning 2(c), 2(e), 2(f), 2(g) and the recommendations under 5(e) and 5(f) (see also our comments to paragraph 5).
We believe that the communication of contractual agreements with CSPs once signed, and the security policy and criteria agreed by the outsourcing institution and the CSP should be enough. Once the NCA has reviewed and validated the underlying conditions and obligations, it should not be necessary to notify the provision of any service within this already assessed framework.
Finally, as mentioned above, there remains room for uncertainty and variation among jurisdictions following the recommendations in the EBA consultation. The EBA and NCAs should thus consider accepting industry best practice for the reporting of outsourced activities. The industry would benefit from standardisation in reporting requirements which could be achieved through industry best practice. Regulators would benefit from a more comprehensive and less ad hoc approach to information collection.
“(c) country where the service is performed (including location of data)”,
It is not clear what ‘including location of data’ means, or what level of detail is required here. Overall, this heavy focus on data locality is seen as problematic, especially given that, currently and even more in the future, it is expected that technology will continue to evolve in a direction where physical location of data will become less and less clear. These recommendations should focus on ensuring access to data from the location of the outsourcing institution and not on the location of data that is already regulated by applicable data protection regulations.
It is also important to stress that according to our interpretation of the CEBS guidelines paragraph 4.3 does not stipulate that the location of data, via reporting of the country where the service is performed, is required.
For those reasons, we propose that requirement “(c)” is removed and in the first sentence of paragraph 2 “on the basis of” is replaced by “as required” [by paragraph 4.3].
PARAGRAPH 3
In our views the sentence “in accordance with the previous paragraph, the competent authority, may ask the outsourcing institution for additional information, on its risk analysis for the material activities outsourced” leaves a certain flexibility to the national supervisors to ask or not additional information, which could lead to a lack of harmonisation among supervisors as each local supervisor may ask for different extra information. We believe it could slow down or even block the use of cloud services due to a continuous requirement for extra information.
We therefore believe that the information requested should be limited and requested only when the information already provided is not sufficient.
The wording “if the information already provided is not sufficient” should be therefore added and “for additional information, on its risk analysis for the material activities outsourced, such as” should be deleted in the first sentence of paragraph 3.
The following wording is therefore proposed:
“3. Further to the information provided, if the information already provided is not sufficient, in accordance with the previous paragraph, the competent authority may ask the outsourcing institution:”
In addition, further clarification is needed regarding the following points:
“(a) whether the cloud service provider has a business continuity plan that is suitable for the services provided to the outsourcing institution;”
It is not clear whether it would be enough to merely know that the CSP has a business continuity plan or if the plan would need to be provided to the outsourcing institution and/or the supervisory authorities. If the latter is required, this may create significant difficulties for the conclusion of a contractual agreement between a financial/outsourcing institution and a CSP, due to the diverging interpretations of NCAs of what constitutes a sufficient business continuity plan (requirements the financial institutions will have to comply with).
Therefore, we recommend that the EBA amends paragraph 3(a) by adding “to be informed” at the beginning of the paragraph and add the following sentence “However, it is not necessary for the national competent authority to see or approve the cloud service provider’s business continuity plan”
In addition, the “(a)” requirement becomes redundant, if CSPs can show they are complying with certain standards or regulations such as the Data Protection requirements, NIS Directive, etc. If supervisors are already aware that certain CSPs are homologated with this requirement, outsourcing institutions should not need to submit evidence of such information each time they need to work with a specific homologated CSP.
The financial industry will also work with CSPs to define what criteria should be met so as to be accepted by the EBA and NCAs.
The following wording is therefore proposed:
“(a) to be informed whether the cloud service provider has a business continuity plan that is suitable for the services provided to the outsourcing institution; However, it is not necessary for the national competent authority to see or approve the cloud service provider’s business continuity plan;”
“(c) whether the outsourcing institution keeps the skills and resources necessary to adequately monitor the outsourced activities.”
It is not clear how to provide evidence that the required skills are present. In addition, this requirement does not seem to take into account that certain outsourced activities maybe automatised and do not need human resources (and therefore skills), which is actually one of the main advantages of certain cloud services.
We therefore consider that the initial sentence should be deleted and replaced by the following one:
“(c) whether the cloud provider adopts a market standard risk management framework and internal control system, and supplies periodically the outsourcing institution with the relevant information”
PARAGRAPH 4
We agree that the outsourcing process should be fully documented, and under management control. Nevertheless, the approach concerning the maintenance of an updated register with information related to material outsourced activities (on group level, level of every legal entity, senior management level) should be left at the discretion of the outsourcing institution, in alignment with the principle of proportionality.
Some banks involve a number of largely independently operating institutions active inside and outside of the European Monetary Union (EMU). Almost all processes are set up in a local context, and maintaining an outsourcing register at group level on a permanent basis is therefore problematic as these institutions lack supporting management structures or information systems to collect and process this information.
The paragraph should therefore be amended by adding the following wording “if required by the National Competent Authority, at” before the wording “group level”, to provide a certain flexibility and reflect the practice that most of the banks are only prepared to provide information at institution level.
In alignment with the principle of proportionality, an approach explicitly confirmed by the EBA in the draft recommendation, we would recommend limiting the register under recommendations 4 and 5 to material cloud services only, the same way as for 4.2.2.
Registrations should therefore be limited to:
- Material activities (excluding non-material files);
- Only the core elements related to an individual outsourcing file (name of the service provider, short description of the activities concerned, renewal or expiry date, date and management body that assessed the materiality).
Because the requirement “(…) The outsourcing institution should make available to the competent authority, upon its request, a copy of the outsourcing agreement and related information (…)” is only necessary for material outsourcings and thus not necessary for non-material outsourcing, the following provision should be deleted “(…) irrespective of whether or not the outsourced activity had been assessed by the institution as material.”
We would also welcome some clarifications on whether this new register is to be created exclusively for the purpose of outsourcing cloud services. The EBA should clarify that the register will only refer to new contracts. Existing outsourcing services will not be concerned until the contract is renewed.
In the EBF view, a risk-based approach to what is included in the register should be favoured. Best practices could also help set these guidelines.
The following wording is therefore proposed:
“4. The outsourcing institution should maintain an updated register with information related to all its material outsourced activities at institution and, if required by the National Competent Authority, at group level. This register should include only the core elements related to an individual outsourcing file. The outsourcing institution should make available to the competent authority, upon its request, a copy of the outsourcing agreement and related information recorded in that register”
PARAGRAPH 5
As a general comment, we observe that risk management duties by CSPs are not mentioned in the document. Because national competent authorities already request an ‘outsourcing register’ for all outsourcing contracts, the required information for outsourcing to CSPs should be duly integrated. Taking into account that not all national competent authorities have defined a standard dataset to be included in the register and some of the information required and requested by national regulations only concerns material outsourcing, we suggest amending the first part of 4.2 paragraph 5 by referring to “for cloud service providers”, deleting “at least” and including “and is likely to be sufficient”.
The amendment proposed should be taken into account because as currently drafted this sentence encourages “gold plating” thereby challenging the goal of harmonisation which is one of the purposes of these recommendations. While we acknowledge that the EBA is trying to create a minimum rather than a maximum list of information, the removal of the phrase ‘at least’ and the addition of ‘and is likely to be sufficient’ would limit creating expectations that NCAs should request additional information about material activities, with
Although CSPs are not subject to direct oversight by Financial Authorities, financial institutions are required to ensure in their outsourcing contracts that Competent Authorities can access and audit CSPs in relation to financial institutions’ activities and according to article 55 of the Recovery and Resolution Directive can take control of the contract in case of bail-in.
Given that introducing these requirements into contracts with CSPs is usually burdensome for CSPs (which provide services also to entities other than financial institutions), the creation of a mechanism that guarantees that CSPs are aware of the requirements above and accept them, would ease the negotiation with CSPs and foster cloud adoption.
Moreover, this mechanism could also foresee the possibility of the CSP seeking a prior review by the Authorities, whose outcome would be an opinion on its capacity and adequacy to comply with financial regulation for different types of services. Should financial institutions intend outsourcing an activity that falls into a type of service for which Authorities have issued a positive opinion, this outsourcing could benefit from a “fast-track” notification/endorsement procedure.
We believe that, if this mechanism (e.g. voluntary CSP certification) were offered on an optional basis with voluntarily recourse to it by CSPs, no major changes on the regulatory framework applicable to CSPs and Financial Institutions would be necessary.
On the other hand, if the Authorities identify CSPs whose capacity/abilities do not allow the outsourcing institutions to comply with applicable financial regulation, their inclusion on a public blacklist of non-compliant CSPs would be very helpful for outsourcing institutions.
SYSTEMIC RISK
In our view, a description on how systemic risks (domestic, international) should be handled, is missing.
Third-parties’ certifications are mentioned in paragraph 8(b) which would help financial institutions to rely on a standard approach across Europe. The adoption of base standard certifications to guarantee compliance or the definition of a cloud outsourcing banking standard against which a certification could be requested, would help financial institutions and CSPs across Europe to reduce the compliance burden and increase security. A more detailed reference to a base standard certification would help.
CYBERSECURITY: SECURITY INCIDENT MANAGEMENT & REPORTING
We suggest that the EBA recommendations clearly refer to existing regulation on security incident management and reporting (such as the NIS Directive) without adding new requirements or setting new criteria, so as to avoid overlaps with other regulations already requiring financial institutions and CSPs to report with different taxonomies, thresholds, etc. Examples are NIS, GDPR, PSD2, and ECB incident reporting framework or national regulations.
Furthermore, we believe that this consultation paper should emphasise that CSPs have to comply fully with the GDPR. In particular, CSPs should ensure that the tools and devices, on which the cloud services run, have been duly implemented so that service providers, and consequently the outsourcing institutions, are compliant with the GDPR provisions (including the security measures e.g. the provision of article 33 GDPR – “Notification of a personal data breach to the supervisory authority”).
DATA PROTECTION
It is important to reiterate that CSPs should ensure also that their tools and devices (on which the cloud services run) technically allow, without undue costs and burdens, the migration of the client’s data to another CSP, upon client’s request. Moreover, the CSPs have to collaborate and ensure the exercise of data subjects rights, as set forth in the GDPR (e.g. right to data portability, right to erasure), where the data subjects decide to exercise their rights towards data controllers (i.e. the outsourcing institutions).
Regarding the transfer of personal data and data localisation, we believe the European and National Supervisory Authorities should align with the decisions of the Data Protection Authorities (DPAs), if they have authorized transfer of data to certain countries complying with the GDPR.
As mentioned previously, we observe a certain overlap between local data protection laws, the future GDPR provisions for the protection of personal data and the requests made by national supervisors to perform risk analysis. We believe it is essential to take into account that data protection issues should be supervised by DPAs, on the basis of GDPR and local data protection laws. The NSAs should abide by the GDPR and the DPAs’ decisions if they have granted permission to use a cloud service complying with all security and privacy measures. Decisions of the NSAs should not be stricter than the decisions of the DPAs as this would undermine the usage of the cloud and affect competition with other players that are not under the NSAs’ supervision.
In addition, it is important to stress that, in order to ensure this level playing field, EU members’ players should comply equally with regard to GDPR, but should not be forced to comply with extra requirements with regard to data protection, privacy and cybersecurity measures. Doing so would create a further competitive gap with non-European countries that face less friction to use the cloud.
STANDARD CONTRACTUAL CLAUSES DEFINED BY THE INDUSTRY
We observe that certain operating models of global CSPs conflict with requirements imposed on financial institutions as data controllers which creates additional challenges for the banking sector. For example, discrepancies are seen between the required timing of notice before sub-processor appointments and what the cloud providers consider as average.
The main impact for banks comes from the difficulty in agreeing to a contract covering open or undefined aspects of the service (such as data location), addressing various regulatory requirements from different regulators in jurisdictions where the contract is in force, and finding a CSP which can operate within EU regulations. Difficulties may occur without any reference to clear guidelines to negotiate contracts with large CSPs (which own global technology platforms accommodating large numbers of institutions in various jurisdictions). For example, banks might not be able to use cloud computing to its full potential because CSPs limit the use of cloud computing to a particular region.
Cloud services provided by external providers are currently handled according to existing legal requirements for outsourcing, defined by standard contracts issued by the CSPs. It is our understanding that, from a CSP perspective, due to the nature of the cloud service, a deep customisation to meet 100% the requirements of their customers is hardly feasible. Despite of the fact that CSPs usually pay attention to regulatory requirements of their customer’s sector, Cloud Services Agreements are offered by most CSPs in standard, non-negotiable, “take it or leave it” terms. Such approach raises many concerns for the banking sector because the cloud service agreements proposed by the CSPs do not fully and adequately address the specific requirements imposed by European and national banking supervisory authorities with which banks have to comply.
For the banking sector, cloud adoption must be considered within the context of maintaining regulatory compliance. Outsourcing institutions/banks therefore typically approach compliance assurance with CSPs through specific contract clauses, Service Level Agreements (SLAs), certifications and audits. The lack of specific and detailed information drives banks and suppliers into a difficult situation: banks are generally forced to evaluate, on their risk assessment criteria basis, whether the provider solutions are adequate in terms of compliance (e.g. in terms of IT security). Banks have thus to make the choice of either rejecting the supplier or accepting the risks that cannot be fully mitigated.
This entire situation creates important barriers to the full adoption of cloud solutions by the banking sector as a whole.
Without limiting the CSPs’ contractual freedom to negotiate specific conditions/clauses in line with their business model, the development, with the industry, of high-level principles covering the specific needs of the banking sector with the aim to also accommodate GDPR requirements, should be encouraged to guarantee legal certainty and facilitate the adoption of the cloud by financial institutions. For example, the contract between a bank and a CSP should include availability, reliability and confidentiality SLAs but leave open for the bank to decide which SLA to include.
Question 1: Are the provisions from these recommendations clear and sufficiently detailed to be used in the context of cloud outsourcing?
EBF key messages EBF supports the additional guidance to the existing CEBS Guidelines.
We support the efforts made by the European Banking Authority (EBA) to provide additional guidance to the existing guidelines of the Committee of European Banking Supervisors (CEBS) with the aim of fostering supervisory convergence regarding the current expectations and processes for the use of outsourced cloud computing in financial services (FS). The consideration given to the proportionality principle and to the risk-based approach seems adequate to accommodate the new challenges and ensure these recommendations are future-proof. Nevertheless, it is essential that fragmentation, as regards financial supervisory regulation among Member States (MS), is avoided.
However, the draft recommendations remain too high-level and could leave room to multiple interpretations at national level.
▪ We are additionally concerned that the draft EBA recommendations, as they currently stand, may not be sufficient to have a positive impact on cloud adoption within financial services in Europe.
The draft EBA recommendations which “aim[ed] to address the heterogeneity in the supervisory expectations regarding the technical security of cloud computing services” (see page 6) do not seem to achieve their initial goal as they are still high-level recommendations that will not prevent different interpretations/approaches by supervisors at national level.
In most cases, the draft recommendations include a non-exhaustive list of general criteria, which will allow National Competent Authorities (NCAs) to include their own additional criteria or to have diverging interpretations on how to fulfil the proposed requirements. They also leave many technical security requirements to the discretion, interpretation or risk appetite of the supervisors rather than to the risk appetite of the outsourcing entity where it properly belongs. Supervisors should be able to explain the reasons (to the institution and/or the CSP) in case they do not support an initiative being outsourced to a CSP.
It is important to enable a consistent application of a risk-based approach to cloud computing in FS and to ensure that any recommendations focus on outcomes rather than listing prescriptive requirements. Competent authorities and national regulators must make every effort to comply with these recommendations without adding extra layers to the stipulated requirements.
We believe that the development of guidelines or other instruments requiring direct application by National Competent Authorities would be a better option.
The national supervisory authorities/EBA/European Central Bank (ECB) and other European institutions such as the European Commission (EC) should try to promote the safe use of cloud services in the Digital Single Market (DSM), ensuring a level playing field for all players, both within the EU and beyond. Restricting the use of cloud services will negatively affect the digital transformation of financial institutions in Europe and impede the creation of an innovative FinTech ecosystem.
The ultimate goal must be to avoid the development of different reporting criteria and/or the fragmentation of requirements between Member States.
▪ EBA's objective should be to reach a point where notification on a case-by-case basis is not required at either EU or national level.
We have argued in the past that the requirement of notification of cloud projects on a case-by-case basis significantly increases the time to market thereby reducing the benefit of using the cloud in financial services. The industry firmly believes that EBA should aim, among others, at reaching a point where notification on a case-by-case basis is not required either at EU level or by NCAs. A first step toward this goal is to require notification only of material outsourcing, which will reduce the divergence between MS as to which different elements supervisors may take into account when evaluating cloud projects. We believe the process should allow the communication to take place once the cloud initiative is in the production phase.
It is important to continuously assess and update the EU outsourcing regulation to ensure it is adapted to the technology-enabled world.
Given the rapid growth of technology in financial services over the past few years, which is expected to continue, it is necessary to regularly assess and update the EU outsourcing regulation to make it more relevant to the technology-enabled world of finance. The most notable technologies that will benefit from cloud computing are data analytics, machine learning and distributed ledgers. In addition, many of the start-ups providing technological solutions to the banking industry or directly to consumers take a “cloud first” approach, thereby enabling greater and more efficient use of cloud computing with direct benefits on innovation and competition in financial services.
The industry welcomes the draft EBA recommendations on using cloud computing in financial services, which represent a starting point to set up an essential baseline for a deeper contextualisation around cloud computing specificities.
However, as long as outsourcing rules designed for a different paradigm remain linked to regulatory consideration, the use of cloud in financial services will continue to suffer from unnecessary frictions. The recommendations should thus introduce further clarifications on the outsourcing concepts.
Cloud Service Providers should be certified based on recognised international standards.
Third-parties’ certification mentioned in paragraph 8(b) would help financial institutions by allowing them to rely on a standard approach across Europe. We believe Cloud Service Providers (CSPs) should be certified based on recognised international standards, such as SSAE 16, SOC1 or SOC2, in order to comply with supervisors’ demands in regard to risk mitigation measures. The financial services industry will work with CSPs to define how third-party audits would work and what criteria should be met so as to be accepted by EBA and NCAs. This would create a more agile process facilitating the use of CSPs in financial services.
The adoption of base standard certifications to guarantee compliance or the definition of a cloud outsourcing banking standard against which a certification could be requested, would help outsourcing institutions and CSPs across Europe to reduce the compliance burden and increase security. A more detailed reference to a base standard certification would thus help.
The development of high-level principles by the industry should be favoured.
A non-approval of a risk analysis could come with a clear gap analysis of what control measures were lacking and would need to be implemented in order to reduce risk in any single outsourcing.
We thus believe the creation of a harmonised European and global technology risk framework could be beneficial in alleviating or limiting many of the frictions caused by regulatory uncertainty. However, such a solution would need to be wide-ranging and led by the industry itself in order to overcome the difficulties inherent in cross-jurisdictional approaches.
Essential benefit could be derived by EU regulators’ recognition of a defined best practice.
The EBA should work closely with the financial services industry to develop defined best practice ensuring an increased level of certainty and alleviating frictions in the current process for obtaining cloud services.
The financial services industry will also work with CSPs to define what high-level principles should be met so as to be accepted by the EBA and NCAs. This would create a more agile process to use CSPs in financial services.
Further consideration should be given to the GDPR to be implemented by May 2018.
Cloud outsourcing includes data transfers between controllers and processors. As personal data needs to be secured at all times, adequate organisational and technical measures by both controllers and processors are vital.
It is noted that CSPs should be considered as processors according to article 28 GDPR, meaning that CSPs shall also comply with GDPR obligations (such as article 30 paragraph 2 and articles 32 and 33 paragraph 2 GDPR).
We observe a certain overlap between local data protection laws, the future GDPR provisions for the protection of personal data and the requests made by national supervisors to perform risk analysis. We believe it is essential to take into account that data protection issues should be supervised by Data Protection Authorities (DPAs), on the basis of GDPR and local data protection laws. The National Supervisory Authorities (NSAs) should abide by the GDPR and the DPAs’ decisions, if they have given permission to use a cloud service complying with all security and privacy measures. The decisions of the NSAs should not be stricter than the decisions of the DPAs as this would undermine the usage of the cloud and affect competition with other players that are not under NSA supervision.
In addition, it is important to stress that, in order to ensure a level playing field, EU members’ players should comply equally with regard to GDPR, but should not be forced to comply with additional requirements to data protection, privacy and cybersecurity measures. Doing so would increase the competitive gap with non-European countries who come across fewer obstacles in using the Cloud.
▪ The recommendations should explicitly mention the underlying risk driver.
It would also be very helpful if, for each EBA recommendation, the underlying risk driver were explicitly mentioned. This would help in understanding why a recommendation is formulated as it is.
1. Are the provisions from these recommendations clear and sufficiently detailed to be used in the context of cloud outsourcing?
In general, we believe that these draft recommendations provide additional clarifications to institutions on outsourcing to cloud service providers.
We welcome the recognition by the European Banking Authority (EBA) of the existing significant levels of uncertainty regarding the supervisory expectations that apply to outsourcing to Cloud Service Providers (CSPs) (mainly due to differences in the national regulatory and supervisory frameworks for cloud outsourcing) and the resulting barrier to institutions using cloud services.
We support the efforts made by the EBA to provide additional guidance to the existing guidelines of the Committee of European Banking Supervisors (CEBS) with the aim to foster supervisory convergence regarding the current expectations and processes for the cloud. The consideration given to the proportionality principle and the risk-based approach seems adequate to accommodate the new challenges and ensure these recommendations are future-proof.
This said, although the recommendations represent a positive first step to bringing harmonisation and avoiding national regulatory and supervisory differences, the development of guidelines or other instruments requiring direct application would be a better option than recommendations which do not prevent different approaches/ interpretations by supervisors at national level. In most cases, the recommendations include a non-exhaustive list of general criteria, which will allow National Competent Authorities (NCAs) to include their own additional criteria or to apply diverging interpretations on how to fulfill the proposed requirements.
In our view, the list of criteria should not leave room for interpretation. It is important to enable the consistent implementation of a risk-based approach and that this implementation is built on principles and outcomes rather than on a prescriptive list. Competent authorities and financial institutions must make every effort to comply with these recommendations. It is indeed important that the local regulators do not add extra layers to those requirements.
The EBA should work closely with the financial services industry to develop defined best practices. Such best practices will provide the industry with the level of certainty it requires and will alleviate frictions in the current process for obtaining cloud services without requiring that EBA sets out more prescriptive regulation, which in turn would make the recommendations difficult to adapt to future needs. The financial services industry will also work with CSPs to define what high-level principles should be met so as to be accepted by the EBA and NCAs. This would create a more agile process to use CSPs in financial services.
In addition to the above general comments, please find below our detailed opinion on some of the observations.
CHAPTER 2 – SUBJECT MATTER, SCOPE AND DEFINITIONS
DEFINITIONS
As a general comment, we observe that the definition of cloud computing mentioned in the draft recommendations corresponds to the definition of the National Institute of Standards and Technology (NIST) Special Publication SP 800-145, published in September 2011.The definition provided by the draft EBA recommendations remain however more concise, which may lead to confusion. We therefore recommend to make direct reference to the NIST SP 800-145, which provides a complete definition, as well as to the ISO-IEC 17788-2014, which also represents an international standard which is technology- neutral.
In view of the above, we would request to remove all the definitions mentioned in the summary table at the bottom of page 10. A second reason for the request to remove this table would be that the definition of the NIST SP 800-145 distinguishes between IaaS, PaaS and SaaS, while the draft EBA recommendations seem to apply to any and all forms of cloud computing.
CHAPTER 4 – RECOMMENDATIONS ON OUTSOURCING TO CLOUD SERVICE PROVIDERS
CHAPTER 4.1 - MATERIALITY ASSESSMENT
We welcome the clarification of the required materiality assessment for cloud computing. We agree with the risk-based approach adopted in the guidelines as such an approach remains, in our view, the best way to ensure appropriate risk control and mitigation. In addition to a risk-based approach, the principle of proportionality is important to consider.
There may be instances where the use of cloud computing could be considered by regulators/supervisors as resulting in certain risks (e.g. exit concerns), but - to the contrary - the use of the cloud could contribute to significantly reduce risks compared to the on-premise present situation. Cloud offers a lot of opportunity to materially increase security and facilitate compliance with GDPR.
We would like to stress that materiality assessment differs from the requirements of other risk assessments. Despite the definition of materiality which is provided and based on the CEBS Guidelines, the definition provided by the draft EBA recommendations is not sufficient as it does not give any qualitative or quantitative criteria to objectively establish if a service is considered material or not. The industry should therefore participate to the elaboration of criteria which will be recognised by the National Competent Authorities (NCAs) in order to ensure legal certainty, achieve a certain harmonisation and manage cloud outsourcing of activities with low risk impact.
As a suggestion for amendment, we believe that the term “material” should be limited to the core business by reference to annex 1 Directive 2013/36/EU “List of activities subject to mutual recognition”.
The following wording is therefore proposed:
“1. Outsourcing institutions should, prior to any outsourcing of their activities, assess which activities should be considered as material in line with the list of activities subject to mutual recognition mentioned in annex 1 Directive 2013/36/EU (1). Institutions should perform this assessment of the activities’ materiality on the basis of CEBS guidelines and, in particular as regards outsourcing to cloud service providers, taking into account all of the following:”
(1) Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC Text with EEA relevance
The EBA recommendations should also indicate the possibility of avoiding double assessment in cases the activity is identical or very similar.
It should be indeed possible to rely on initial assessments conducted for identical or similar activities.
In case new aspects should be taken into account for the assessment, this assessment should only cover the points which are diverging from the previous one. Minor changes should not justify a completely new assessment. There could also be cases where the assessment is not necessary: for example when adding an activity into a framed contract with the same or similar objective, only concise additional information might be required, meaning that a new assessment should not be required.
If nevertheless an assessment is needed, a quick review should be conducted within a shorter period than the one usually conducted for a complete assessment.
It is important that the EBA recommendations also cover cases where a service added into a contract has already been communicated or accepted by the authority, and clarify what should (or shouldn’t) be communicated/notified to the authority.
The following wording is therefore proposed:
“(c) in cases where the activity is identical or very similar, the outsourcing institutions should be able to rely on previous similar assessments to avoid unnecessary double assessments and take into account the information already communicated.”
“(b) the direct operational impact of outages, and related legal and reputational risks”
We propose to delete these criteria as it is incorrectly assuming that the risk of disruption increases with a CSP. The opposite may well be the case, depending upon the size of the bank vs the CSP.
“(c) the impact any disruption of the activity might have on their revenue prospects”
We propose to delete this sentence since this cannot be allocated to a single outsourcing. Other methods are generally in place to analyse this aspect.
Among the four criteria mentioned, only criteria (a) and (d) should be maintained
It is important that all banks make the necessary assessments and report them to their NCA. This should in turn ensure that all institutions and NCAs, on aggregate, take systemic risks into consideration. We consider however that among the four criteria mentioned, only criteria (a) and (d) should be maintained. “(a)” is specific to cloud outsourcing and “(d)” covers GDPR considerations. The rest of the criteria are not specific to outsourcing, meaning that they must be taken into account and be assessed in any service, even for those offered directly without any outsourcing agreement.
CHAPTER 4.2 – DUTY TO ADEQUATELY INFORM SUPERVISORS
The current draft recommendations require significant amounts of duplication in form and content of the information to be collected and reported to regulators/supervisors. For example, regarding personal data outsourced that implies an international data transfer outside the EU, it would mean reporting/communicating information to Data Protection Authority (DPA) and to the national supervisory authorities which might have different approaches. As other examples, paragraph 4.2.2 lists the information to be made available for material outsourcing, paragraph 4.2.3 lays out additional information on the firm’s risk analysis that may be requested, and paragraphs 4.2.4 and 4.2.5 detail the requirements of a register of outsourced activity including non-material activity which is to be maintained at institution and group level and submitted to NCAs upon request.
The level of duplication is increased by the right of NCAs to request additional information in all cases as per paragraph 3. We thus question how this information will be understood by NCAs and whether such an ad hoc collection of information would create a potential for continued variation in the regulatory approach across national jurisdictions, which would go against the purpose of these recommendations. We would therefore advocate for a common risk-based approach across national jurisdictions.
PARAGRAPH 2
In our view, this recommendation neither establishes precisely what has to be communicated, nor the Authority/Authorities (national and/or European Central Bank level) to be informed nor the procedure and deadline for Authorities to accept/not oppose the outsourcing of the service.
Currently, some jurisdictions do not observe any authorisation/approval procedure but rather provide “administrative silence” or “silent assent” after one month. Moreover, even if there are security checks conducted by the supervisor, banks never know in advance what would be required to comply with those requirements.
One of the main issues is to make a distinction between non-material and material activities. We believe that non-material services should not be subject to any notifications in line with the CEBS guidelines 5 (2006) which clearly state that there should be no restrictions on the outsourcing of non-material activities" and "in such cases the outsourcing institution does not need to adequately inform its supervisory authority". For non-material services there are several items which may not be available for the assessment of the service that an institution wants to outsource. In particular, if an outsourcing institutions’ initial assessment reveals that the service to be outsourced to the cloud is in no way material, several requirements including the execution of a fully documented in-depth risk analysis, privacy assessment and legal/contractual screening are replaced by a different assessment requiring less documentation. Therefore, for non-material cloud services, we would prefer deleting the proposed EBA requirements for recording information under requirements 5(a) concerning 2(c), 2(e), 2(f), 2(g) and the recommendations under 5(e) and 5(f) (see also our comments to paragraph 5).
We believe that the communication of contractual agreements with CSPs once signed, and the security policy and criteria agreed by the outsourcing institution and the CSP should be enough. Once the NCA has reviewed and validated the underlying conditions and obligations, it should not be necessary to notify the provision of any service within this already assessed framework.
Finally, as mentioned above, there remains room for uncertainty and variation among jurisdictions following the recommendations in the EBA consultation. The EBA and NCAs should thus consider accepting industry best practice for the reporting of outsourced activities. The industry would benefit from standardisation in reporting requirements which could be achieved through industry best practice. Regulators would benefit from a more comprehensive and less ad hoc approach to information collection.
“(c) country where the service is performed (including location of data)”,
It is not clear what ‘including location of data’ means, or what level of detail is required here. Overall, this heavy focus on data locality is seen as problematic, especially given that, currently and even more in the future, it is expected that technology will continue to evolve in a direction where physical location of data will become less and less clear. These recommendations should focus on ensuring access to data from the location of the outsourcing institution and not on the location of data that is already regulated by applicable data protection regulations.
It is also important to stress that according to our interpretation of the CEBS guidelines paragraph 4.3 does not stipulate that the location of data, via reporting of the country where the service is performed, is required.
For those reasons, we propose that requirement “(c)” is removed and in the first sentence of paragraph 2 “on the basis of” is replaced by “as required” [by paragraph 4.3].
PARAGRAPH 3
In our views the sentence “in accordance with the previous paragraph, the competent authority, may ask the outsourcing institution for additional information, on its risk analysis for the material activities outsourced” leaves a certain flexibility to the national supervisors to ask or not additional information, which could lead to a lack of harmonisation among supervisors as each local supervisor may ask for different extra information. We believe it could slow down or even block the use of cloud services due to a continuous requirement for extra information.
We therefore believe that the information requested should be limited and requested only when the information already provided is not sufficient.
The wording “if the information already provided is not sufficient” should be therefore added and “for additional information, on its risk analysis for the material activities outsourced, such as” should be deleted in the first sentence of paragraph 3.
The following wording is therefore proposed:
“3. Further to the information provided, if the information already provided is not sufficient, in accordance with the previous paragraph, the competent authority may ask the outsourcing institution:”
In addition, further clarification is needed regarding the following points:
“(a) whether the cloud service provider has a business continuity plan that is suitable for the services provided to the outsourcing institution;”
It is not clear whether it would be enough to merely know that the CSP has a business continuity plan or if the plan would need to be provided to the outsourcing institution and/or the supervisory authorities. If the latter is required, this may create significant difficulties for the conclusion of a contractual agreement between a financial/outsourcing institution and a CSP, due to the diverging interpretations of NCAs of what constitutes a sufficient business continuity plan (requirements the financial institutions will have to comply with).
Therefore, we recommend that the EBA amends paragraph 3(a) by adding “to be informed” at the beginning of the paragraph and add the following sentence “However, it is not necessary for the national competent authority to see or approve the cloud service provider’s business continuity plan”
In addition, the “(a)” requirement becomes redundant, if CSPs can show they are complying with certain standards or regulations such as the Data Protection requirements, NIS Directive, etc. If supervisors are already aware that certain CSPs are homologated with this requirement, outsourcing institutions should not need to submit evidence of such information each time they need to work with a specific homologated CSP.
The financial industry will also work with CSPs to define what criteria should be met so as to be accepted by the EBA and NCAs.
The following wording is therefore proposed:
“(a) to be informed whether the cloud service provider has a business continuity plan that is suitable for the services provided to the outsourcing institution; However, it is not necessary for the national competent authority to see or approve the cloud service provider’s business continuity plan;”
“(c) whether the outsourcing institution keeps the skills and resources necessary to adequately monitor the outsourced activities.”
It is not clear how to provide evidence that the required skills are present. In addition, this requirement does not seem to take into account that certain outsourced activities maybe automatised and do not need human resources (and therefore skills), which is actually one of the main advantages of certain cloud services.
We therefore consider that the initial sentence should be deleted and replaced by the following one:
“(c) whether the cloud provider adopts a market standard risk management framework and internal control system, and supplies periodically the outsourcing institution with the relevant information”
PARAGRAPH 4
We agree that the outsourcing process should be fully documented, and under management control. Nevertheless, the approach concerning the maintenance of an updated register with information related to material outsourced activities (on group level, level of every legal entity, senior management level) should be left at the discretion of the outsourcing institution, in alignment with the principle of proportionality.
Some banks involve a number of largely independently operating institutions active inside and outside of the European Monetary Union (EMU). Almost all processes are set up in a local context, and maintaining an outsourcing register at group level on a permanent basis is therefore problematic as these institutions lack supporting management structures or information systems to collect and process this information.
The paragraph should therefore be amended by adding the following wording “if required by the National Competent Authority, at” before the wording “group level”, to provide a certain flexibility and reflect the practice that most of the banks are only prepared to provide information at institution level.
In alignment with the principle of proportionality, an approach explicitly confirmed by the EBA in the draft recommendation, we would recommend limiting the register under recommendations 4 and 5 to material cloud services only, the same way as for 4.2.2.
Registrations should therefore be limited to:
- Material activities (excluding non-material files);
- Only the core elements related to an individual outsourcing file (name of the service provider, short description of the activities concerned, renewal or expiry date, date and management body that assessed the materiality).
Because the requirement “(…) The outsourcing institution should make available to the competent authority, upon its request, a copy of the outsourcing agreement and related information (…)” is only necessary for material outsourcings and thus not necessary for non-material outsourcing, the following provision should be deleted “(…) irrespective of whether or not the outsourced activity had been assessed by the institution as material.”
We would also welcome some clarifications on whether this new register is to be created exclusively for the purpose of outsourcing cloud services. The EBA should clarify that the register will only refer to new contracts. Existing outsourcing services will not be concerned until the contract is renewed.
In the EBF view, a risk-based approach to what is included in the register should be favoured. Best practices could also help set these guidelines.
The following wording is therefore proposed:
“4. The outsourcing institution should maintain an updated register with information related to all its material outsourced activities at institution and, if required by the National Competent Authority, at group level. This register should include only the core elements related to an individual outsourcing file. The outsourcing institution should make available to the competent authority, upon its request, a copy of the outsourcing agreement and related information recorded in that register”
PARAGRAPH 5
As a general comment, we observe that risk management duties by CSPs are not mentioned in the document. Because national competent authorities already request an ‘outsourcing register’ for all outsourcing contracts, the required information for outsourcing to CSPs should be duly integrated. Taking into account that not all national competent authorities have defined a standard dataset to be included in the register and some of the information required and requested by national regulations only concerns material outsourcing, we suggest amending the first part of 4.2 paragraph 5 by referring to “for cloud service providers”, deleting “at least” and including “and is likely to be sufficient”.
The amendment proposed should be taken into account because as currently drafted this sentence encourages “gold plating” thereby challenging the goal of harmonisation which is one of the purposes of these recommendations. While we acknowledge that the EBA is trying to create a minimum rather than a maximum list of information, the removal of the phrase ‘at least’ and the addition of ‘and is likely to be sufficient’ would limit creating expectations that NCAs should request additional information about material activities, with
Question 2: Are there any additional areas which should be covered by these recommendations in order to achieve convergence of practices in the context of cloud outsourcing?
FURTHER EDUCATION OF CSPs ON THE REQUIREMENTS THAT BANKS NEED TO FULFILLAlthough CSPs are not subject to direct oversight by Financial Authorities, financial institutions are required to ensure in their outsourcing contracts that Competent Authorities can access and audit CSPs in relation to financial institutions’ activities and according to article 55 of the Recovery and Resolution Directive can take control of the contract in case of bail-in.
Given that introducing these requirements into contracts with CSPs is usually burdensome for CSPs (which provide services also to entities other than financial institutions), the creation of a mechanism that guarantees that CSPs are aware of the requirements above and accept them, would ease the negotiation with CSPs and foster cloud adoption.
Moreover, this mechanism could also foresee the possibility of the CSP seeking a prior review by the Authorities, whose outcome would be an opinion on its capacity and adequacy to comply with financial regulation for different types of services. Should financial institutions intend outsourcing an activity that falls into a type of service for which Authorities have issued a positive opinion, this outsourcing could benefit from a “fast-track” notification/endorsement procedure.
We believe that, if this mechanism (e.g. voluntary CSP certification) were offered on an optional basis with voluntarily recourse to it by CSPs, no major changes on the regulatory framework applicable to CSPs and Financial Institutions would be necessary.
On the other hand, if the Authorities identify CSPs whose capacity/abilities do not allow the outsourcing institutions to comply with applicable financial regulation, their inclusion on a public blacklist of non-compliant CSPs would be very helpful for outsourcing institutions.
SYSTEMIC RISK
In our view, a description on how systemic risks (domestic, international) should be handled, is missing.
Third-parties’ certifications are mentioned in paragraph 8(b) which would help financial institutions to rely on a standard approach across Europe. The adoption of base standard certifications to guarantee compliance or the definition of a cloud outsourcing banking standard against which a certification could be requested, would help financial institutions and CSPs across Europe to reduce the compliance burden and increase security. A more detailed reference to a base standard certification would help.
CYBERSECURITY: SECURITY INCIDENT MANAGEMENT & REPORTING
We suggest that the EBA recommendations clearly refer to existing regulation on security incident management and reporting (such as the NIS Directive) without adding new requirements or setting new criteria, so as to avoid overlaps with other regulations already requiring financial institutions and CSPs to report with different taxonomies, thresholds, etc. Examples are NIS, GDPR, PSD2, and ECB incident reporting framework or national regulations.
Furthermore, we believe that this consultation paper should emphasise that CSPs have to comply fully with the GDPR. In particular, CSPs should ensure that the tools and devices, on which the cloud services run, have been duly implemented so that service providers, and consequently the outsourcing institutions, are compliant with the GDPR provisions (including the security measures e.g. the provision of article 33 GDPR – “Notification of a personal data breach to the supervisory authority”).
DATA PROTECTION
It is important to reiterate that CSPs should ensure also that their tools and devices (on which the cloud services run) technically allow, without undue costs and burdens, the migration of the client’s data to another CSP, upon client’s request. Moreover, the CSPs have to collaborate and ensure the exercise of data subjects rights, as set forth in the GDPR (e.g. right to data portability, right to erasure), where the data subjects decide to exercise their rights towards data controllers (i.e. the outsourcing institutions).
Regarding the transfer of personal data and data localisation, we believe the European and National Supervisory Authorities should align with the decisions of the Data Protection Authorities (DPAs), if they have authorized transfer of data to certain countries complying with the GDPR.
As mentioned previously, we observe a certain overlap between local data protection laws, the future GDPR provisions for the protection of personal data and the requests made by national supervisors to perform risk analysis. We believe it is essential to take into account that data protection issues should be supervised by DPAs, on the basis of GDPR and local data protection laws. The NSAs should abide by the GDPR and the DPAs’ decisions if they have granted permission to use a cloud service complying with all security and privacy measures. Decisions of the NSAs should not be stricter than the decisions of the DPAs as this would undermine the usage of the cloud and affect competition with other players that are not under the NSAs’ supervision.
In addition, it is important to stress that, in order to ensure this level playing field, EU members’ players should comply equally with regard to GDPR, but should not be forced to comply with extra requirements with regard to data protection, privacy and cybersecurity measures. Doing so would create a further competitive gap with non-European countries that face less friction to use the cloud.
STANDARD CONTRACTUAL CLAUSES DEFINED BY THE INDUSTRY
We observe that certain operating models of global CSPs conflict with requirements imposed on financial institutions as data controllers which creates additional challenges for the banking sector. For example, discrepancies are seen between the required timing of notice before sub-processor appointments and what the cloud providers consider as average.
The main impact for banks comes from the difficulty in agreeing to a contract covering open or undefined aspects of the service (such as data location), addressing various regulatory requirements from different regulators in jurisdictions where the contract is in force, and finding a CSP which can operate within EU regulations. Difficulties may occur without any reference to clear guidelines to negotiate contracts with large CSPs (which own global technology platforms accommodating large numbers of institutions in various jurisdictions). For example, banks might not be able to use cloud computing to its full potential because CSPs limit the use of cloud computing to a particular region.
Cloud services provided by external providers are currently handled according to existing legal requirements for outsourcing, defined by standard contracts issued by the CSPs. It is our understanding that, from a CSP perspective, due to the nature of the cloud service, a deep customisation to meet 100% the requirements of their customers is hardly feasible. Despite of the fact that CSPs usually pay attention to regulatory requirements of their customer’s sector, Cloud Services Agreements are offered by most CSPs in standard, non-negotiable, “take it or leave it” terms. Such approach raises many concerns for the banking sector because the cloud service agreements proposed by the CSPs do not fully and adequately address the specific requirements imposed by European and national banking supervisory authorities with which banks have to comply.
For the banking sector, cloud adoption must be considered within the context of maintaining regulatory compliance. Outsourcing institutions/banks therefore typically approach compliance assurance with CSPs through specific contract clauses, Service Level Agreements (SLAs), certifications and audits. The lack of specific and detailed information drives banks and suppliers into a difficult situation: banks are generally forced to evaluate, on their risk assessment criteria basis, whether the provider solutions are adequate in terms of compliance (e.g. in terms of IT security). Banks have thus to make the choice of either rejecting the supplier or accepting the risks that cannot be fully mitigated.
This entire situation creates important barriers to the full adoption of cloud solutions by the banking sector as a whole.
Without limiting the CSPs’ contractual freedom to negotiate specific conditions/clauses in line with their business model, the development, with the industry, of high-level principles covering the specific needs of the banking sector with the aim to also accommodate GDPR requirements, should be encouraged to guarantee legal certainty and facilitate the adoption of the cloud by financial institutions. For example, the contract between a bank and a CSP should include availability, reliability and confidentiality SLAs but leave open for the bank to decide which SLA to include.