Financial institutions’ interest for using the services of cloud service providers has increased, and not without reason. Cloud services are known for their flexibility, and they offer a number of advantages, such as economies of scale, operational efficiencies, and cost-effectiveness. However, there has been a high level of uncertainty regarding related supervisory expectations forming unwanted barriers to institutions using cloud services. As a response to the situation, the European Banking Authority (“EBA”) issued its Recommendations on Outsourcing to Cloud Service Providers (EBA/REC/2017/03) in December 2017 to clarify the related legal field and to remove any unnecessary barriers. As general outsourcing is based on the guidelines of the Committee of European Banking Supervisors (“CEBS”), EBA’s recommendations provide additional guidance for outsourcing activities specifically to cloud service providers, and they should be read in conjunction with the CEBS guidelines.
Who Are Affected?
The recommendations apply to credit institutions and investment firms as defined in Article 4(1) of Regulation (EU) No 575/2013 (Capital Requirements Regulation – CRR). The competent authorities, such as the Finnish Financial Supervisory Authority (the FIN-FSA, in Finnish: Finanssivalvonta) shall incorporate the regulations into their practices as appropriate.
The Finnish Financial Supervisory Authority has amended its Regulations and Guidelines 1/2012 relating to outsourcing, and the most recent amendments have entered into force on 1 February 2018, taking into account the EBA Recommendations on Outsourcing to Cloud Service Providers as well as the newly implemented requirements of the MiFID II Directive.
Key Points of the EBA’s Recommendations
The principle of proportionality is applied throughout the recommendations, meaning that the size, structure, and operational environment of the outsourcing institution as well as the nature, scale, and complexity of its activities should be taken into account when applying the recommendations.
1. Materiality assessment. Before outsourcing any activities, an assessment of the materiality of the activities should be performed on the basis of guideline 1(f) of the CEBS guidelines taking especially into account the following:
- whether the activities are critical to the continuity or viability of the business and to obligations towards customers,
- the direct operational impact of outages and related legal and reputational risks,
- how the financial institution’s revenue might be affected by any disruption of the activity, and
- whether there are any potential impacts that a confidentiality breach or failure of data integrity could have on the financial institution or its customers.
2. Duty to inform authorities. After the materiality assessment, the outsourcing institution should inform the competent authority of the outsourced activities and the cloud service provider, among other things. The institution must also maintain an up-to-date register of its material and non-material activities outsourced to cloud service providers both on the institution and on the group level.
3. Right of access and audit. Outsourcing institutions should enter into a written agreement with the cloud service provider to oblige the latter to provide a full right of access to its business premises, including all devices, systems, networks, and data relating to the provision of the services outsourced, as well as a right of audit relating to the outsourced services.
4. Appropriate level of security of data and systems. Outsourcing institutions should ensure that the confidentiality of the information transmitted is protected, and they shall also monitor this on an ongoing basis and take any necessary corrective actions promptly.
5. Location of data and data processing. When entering into and managing outsourcing agreements undertaken outside the EEA, possible data protection risks should be taken into account. The outsourcing institution should consider the impacts of potential risks, including legal and compliance issues and oversight limitations related to the countries where the outsourcing services are likely to be provided and where the data is likely to be stored, so as to ensure that such risks are kept within acceptable limits taking into account the materiality of the outsourced activity.
6. ‘Chain’ outsourcing. When the cloud service provider subcontracts parts of the service to other service providers, the outsourcing institution is obliged to ensure that the subcontractor will also fully comply with the obligations between the outsourcing institution and the cloud service provider. The primary outsourcing agreement should also oblige the cloud service provider to inform the outsourcing institution of any planned significant changes to the subcontractors or subcontracted services. All appropriate steps should be taken to address the risk of any weakness or failure relating to chain outsourcing.
7. Business continuity and termination assistance. In the event that the provision of services by a cloud service provider fails or weakens to an unacceptable degree, the outsourcing institution should plan and take measures to avoid any service disruptions. Such measures should include comprehensive exit plans and identification of alternative solutions for removing and transferring the existing activities and data from the cloud service provider. Furthermore, the outsourcing agreement should oblige the cloud service provider to sufficiently support the outsourcing institution in the transfer of the activities.
Once the EBA’s recommendations have been translated into the official languages of the EU and published on the EBA webpage, the competent authorities must report within two months whether they will comply with the recommendations. The FIN-FSA has already recommended that the supervised entities follow the recommendations as of 1 July 2018 when the recommendations enter into force.
In a broader context, the EBA has identified cyber risk as “one of the key risks threatening data integrity and business continuity in today’s interconnected financial system”. Therefore, they have also indicated plans for updating the existing CEBS guidelines on outsourcing (from 2006) as well.
All financial institutions that fall within the scope of the EBA’s recommendations should now ensure that their policies are in line with the EBA’s recommendations as well as the guidance of competent authorities. Any existing cloud outsourcing agreements should be reviewed and, where necessary, renegotiated. Our IP & Technology team will be happy to assist you if you need any guidance.
Managing Associate at Hannes Snellman