Guidance on outsourcing to cloud service providers


The European Banking Authority (EBA) has drafted recommendations intended to give institutions guidance on cloud computing. They are addressed specifically to credit institutions, investment firms and public authorities.

With the intention of clarifying EU-wide supervisory expectations, the EBA has launched a consultation on this draft. The EBA asks institutions to submit their comments on the draft by 18 August 2017 at the latest. Before that deadline, a public hearing will be held at the EBA premises in the UK on 20 July 2017.

Rise in popularity

The recommendations build on the general outsourcing guidelines issued by the Committee of European Banking Supervisors (CEBS) in 2006. Since those guidelines were issued, the use of cloud computing in the banking industry has grown considerably. The general guidelines will remain applicable to outsourcing by institutions in general, while the new recommendations provide additional guidance for the specific case of institutions outsourcing to cloud service providers.

Differences in frameworks

The rise in popularity of cloud computing is accompanied by a high level of uncertainty about the supervisory expectations that apply to outsourcing to cloud service providers. This uncertainty is a barrier to institutions adopting such services. It stems from differences between national regulatory and supervisory frameworks, for example with regard to the information obligations that institutions have towards competent authorities.

Key areas

The recommendations address five key areas:

  1. The security of data and systems: e.g. institutions should identify and classify their activities, processes and related data and systems according to their sensitivity and the protection they require, before outsourcing. This classification is what later determines which controls the provider must deliver for each workload. Additional information on cloud computing and its challenges to security, privacy and trust can be found here.
  2. The location of data and data processing: e.g. institutions should adopt a risk-based approach and implement adequate controls and measures, for example the use of encryption for data in transit, data in memory and data at rest. Encryption only mitigates the location risk if the institution retains control of the encryption keys rather than leaving them entirely with the provider.
  3. Access and audit rights: e.g. the right of audit for institutions as well as for competent authorities should be secured contractually, and the contract should also ensure that the auditor has full access to the provider's business premises.
  4. Chain outsourcing: e.g. the use of subcontractors by the cloud service provider should not impair the services provided under the outsourcing agreement, and the institution should remain aware of who those subcontractors are.
  5. Contingency plans and exit strategies: e.g. an outsourcing institution should ensure that it is able to exit a cloud computing arrangement without undue disruption to its provision of services, which presupposes that its data can be retrieved in a usable form.

Cloud computing and the EU financial services

Learn more about how European financial institutions outsource to cloud service providers in our article on cloud computing and the EU financial services.

FinTech Lawyers

For more information about FinTech law, cloud computing, GDPR, PSD2 etc. please contact a time.lex lawyer. Edwin Jacobs is a founder of FinTech Lawyers, a network of European lawyers who advise financial technology businesses on legal and regulatory matters such as cloud computing.