Response to consultation on recommendations on outsourcing to cloud service providers

Go back

Question 1: Are the provisions from these recommendations clear and sufficiently detailed to be used in the context of cloud outsourcing?

BPFI strongly support the efforts of the EBA to detail requirements around outsourcing to Cloud Service Providers. However, BPFI members believe that the Recommendations are not sufficiently detailed or exhaustive. BFPI also supports the EBF in its call for the development of Guidelines or other instruments that would require a more direct application of these requirements. In general, the recommendations proposed by the EBA remain at quite a high-level and are non-exhaustive which leaves significant uncertainty still for market players. More certainty is required for financial institutions outsourcing to CSPs and the recommendations should leave little room for interpretation. We would also highlight the lack of reference in the draft recommendations to industry frameworks such as the ENISA and for example the guidelines on Cloud Security Risk Assessment and the Guidelines on Incident notification for DSPs in the context of the NIS Directive. In addition we would highlight the North American Institute of Standards Technology, Cloud Security Alliance, Security Trust and Assurance Register and ISO27017:2015 Guidelines on Cloud. All such frameworks and guidance are often used by financial institutions when assuring or overseeing risk in cloud outsourcing arrangements.

Question 2: Are there any additional areas which should be covered by these recommendations in order to achieve convergence of practices in the context of cloud outsourcing?

Financial institutions want to move to cloud to leverage efficiency and scalability however alongside the challenges of knowing and understanding that brings but from a consumer protection point of view, the boundaries of trust are no longer clear. These recommendations should seek to address these specifics. This goal is further complicated with the introduction of new regulatory and data protection principles which financial institutions are subject to and guidance would be helpful in the application of these rules in an outsourcing context.
It is also important to note that Cloud Service Provider outsourcing differs from other types of outsourcing in the way boundaries are set between the cloud customer and the CSP. The size and challenge in terms of audit and compliance is quite different, depending on the type of outsourcing being considered. There are also significant differences in the risks that relate to vendor lock-in depending on the model type. Additionally, the different boundaries associated with the different models translate to diverse scenarios that are regrettably not explicitly considered in the guidelines.
Other areas that could be explored further include key management and encryption and areas where cloud services would require special consideration such as incident management, change management, disaster recovery and BCM, risk management, API outsourcing, vendor management and governance among other things. Above all else, the recommendations should in our view explicitly allow for proportionality depending on the risk profile of the service managed by the CSP.
We would also wish to underline the importance that regulators and policy-makers ensure that EU outsourcing regulatory approach is adapted to the modern world and incorporates relevant legislation in relation to e-Privacy and Data Protection but also allows for technological developments including Distributed Ledger Technology, data analytics etc. One specific point we would highlight is that given the importance of data as an asset, any regulation/recommendations around outsourcing to CSPs should be more data-focused and assist firms in understanding the challenges associated with data security, data-classification, data-retention and data deletion.
Cloud computing is driving the vast spectrum of current and emerging applications, digital products and API services while also being a key technology enabler for future banking models. It is imperative that a risk-based approach that could be used regardless of the size of the supplier is the optimal approach to ensure the regulatory approach does not hinder adoption.
Lastly, in relation to the Status of these draft recommendations, we wish to highlight to the EBA that already a number of members have been asked to demonstrate alignment with these draft recommendations. While members are happy to facilitate such assurances, we believe this sets a somewhat unusual precedent in requiring members to be compliant with unfinished recommendations.
Please find below a number of specific issues BPFI members would wish to highlight in relation to the draft recommendations.

Name of organisation

Banking & Payments Federation Ireland (BPFI)