Final Report on EBA Guidelines on outsourcing arrangements – help or hindrance for cloud adoption?
The European Banking Authority (EBA) issued its final report on outsourcing arrangements on 25 February 2019 (EBA/GL/2019/02).
The final report contains the guidelines and a detailed summary of the changes from the previous draft Guidelines issued in June 2018 (EBA/CP/2018/11).
Please see our previous note on our website for a full description of this and the previous regime.
Who does the guidance apply to?
The guidance applies to credit institutions and investment firms subject to the Capital Requirements Directive (“CRD”), and also to payment and electronic money institutions. It will apply to firms regulated in the EU, but not directly to UK organisations, although there are numerous references to outsourcers located in third countries, which would include UK-based providers.
What is outsourcing?
Outsourcing retains a broad definition, in line with current regulatory practice. Paragraph 28 contains some useful general clarifications of services that are not outsourcing, including, amongst others, market information services (e.g. market data), global network infrastructures (such as Visa and MasterCard), clearing and settlement arrangements, and global financial messaging infrastructures subject to oversight by the relevant authorities. The general “catch all” in paragraph 28(g) covers non-technology services not regarded as outsourcing; the provision of travel services, although highly automated, is an example of a service not in fact generally regarded as outsourcing.
The guidance applies not only to the outsourcing of “critical or important functions”, or the PSD2 equivalent of “important functions”, but also to non-material outsourcing. The guidelines contain a helpful summary of the existing regulations on how to assess whether an outsourcing falls within these requirements.
The guidance applies also to cloud services which are outsourcings, and there are some limited provisions specifically for cloud providers. Cloud outsourcing is not automatically regarded as critical or important, so a proportionate approach can be taken when institutions assess risk. However, despite concerted requests for multi-tenant cloud services to be subject to a more lenient regime in some respects, the EBA has emphasised that institutions’ compliance with their regulatory obligations is paramount, and cloud is therefore not to be treated materially differently from other outsourcings, despite the potential cost benefits and technical aspects of cloud that cause friction with these regulatory obligations.
How does the guidance apply to Cloud providers?
There was detailed input into the consultation from cloud providers, many of whom argued that the multi-tenant nature of many large-scale cloud services meant that a lighter regulatory treatment in the guidance was necessary. Cloud providers should pay particular attention to the reasoning in the “Summary of responses” section of the final report on how cloud services have been treated. Note in particular the comments on page 81, where cloud providers argued at the consultation stage that cloud products, as highly standardised services offered to a broad range of customers and typically provided by monopolists, should not be subject to an obligation to comply with all regulatory requirements, and that a proportionate approach should accordingly be allowed, particularly in relation to access and audit rights. No change was made to the proposals. Instead, the EBA’s recommendations on outsourcing to cloud service providers have been integrated into the general outsourcing framework, requiring institutions to comply with their regulatory requirements regardless of the fact that the services may be standardised or provided by monopolists. A detailed reading of the regulatory provisions as they apply to cloud providers, in particular with regard to due diligence, audit certifications and access to premises and systems, indicates that the EBA is taking a strict approach, notwithstanding that cloud providers may have some perfectly reasonable security and technological concerns to address. This note examines some of these requirements in more specific detail.
When does the guidance take effect?
The implementation date for the guidance has now been extended to 30 September 2019, from which point it will cover all outsourcing arrangements “entered into, reviewed or amended on or after this date” (paragraph 13). The EBA therefore states that institutions and payment institutions should review existing outsourcing arrangements and amend them accordingly, with a view to ensuring that they are compliant with the guidance. Transitional provisions (paragraph 16) require institutions and payment institutions to complete the documentation of all existing outsourcing arrangements (other than outsourcing arrangements with cloud service providers) no later than the first renewal date of the outsourcing arrangement, and in any event no later than 31 December 2021. The guidance does not state expressly what is required for cloud contracts other than the general date of application described above.
Institutions to maintain an outsourcing policy
Section 7 of the guidelines provides that each institution covered by the guidance must maintain, regularly review and update a written outsourcing policy (paragraph 41). This policy has to be comprehensive, covering the main phases of the life cycle of an outsourcing arrangement and defining the principles, responsibilities and processes in relation to outsourcing. Paragraph 42 contains a specific list of the requirements and of how to analyse which functions are critical or important. These requirements should be studied closely, as the information needed to prepare these policies will have to be obtained from the service provider.
Institutions must also maintain a detailed business continuity plan consistent with other regulatory obligations (section 9, paragraphs 48 and 49), together with internal audit functions.
The guidelines contain a detailed requirement to maintain a register of information on all outsourcing arrangements, including all supporting documentation, which must be retained for “an appropriate period” (not defined). The specific requirements for the register should generally be capable of fulfilment using a standard document management system, provided it has appropriate reminder systems and triggers for review of the obligations. Contracts will be disclosable to the regulator (paragraph 57).
For service providers, the substance of the guidance will be Title IV regarding the outsourcing process (Title IV, sections 12 to 15). Careful reading of this will be required to anticipate both the express and the implied contractual and due diligence obligations that will result. These terms may also materially change procurement processes. There will almost certainly be general obligations in the tenders produced by institutions to assist with compliance with the outsourcing requirements, including the provision of all information necessary to populate the outsourcing register, obligations to keep that information up to date, and obligations to provide full transparency on required areas of interest. In particular, note the following:
Risk assessment (section 12.2)
Institutions will have to assess the risk of the outsourcing, including scenario analysis of risks caused by processes, systems, people or external events (paragraph 65). This may lead to requirements in invitations to tender or in contracts to assist with an institution’s risk management, business continuity and concentration risk analysis. The risk assessment must also be cumulative, covering not only concentration risks on the specific outsourcing but also aggregated risks from multiple outsourced functions, and for “significant institutions” it must include an assessment of “step-in risks” (paragraph 66), i.e. the risk that the institution would need to provide financial support to a distressed service provider. The risk assessment is specifically mandated to be “thorough”, which may include operational risks such as legal, ICT, compliance and reputational risks, and all of these will have to be specifically itemised and reviewed.
The due diligence requirements in section 12.3 will have to be reviewed particularly carefully. They include some general obligations on the service provider in paragraph 70, regarding competence, capacity and business reputation, which could make it more difficult for smaller entities to bid for critical or important functions.
70. With regard to critical and important functions, institutions and payment institutions should ensure that the service provider has the business reputation, appropriate and sufficient abilities, the expertise, the capacity, the resources (eg human, IT, financial), the organisational structure and, if applicable, the required regulatory authorisation(s) or registration(s) to perform the critical or important function in a reliable and professional manner to meet its obligations over the duration of the draft contract.
The due diligence obligations are also consistent with GDPR and data protection requirements. Providers will note, in particular, paragraph 73, which requires providers to “act in a manner consistent with their values and code of conduct”. This presupposes that providers will have written values and codes of conduct, which will be auditable and will need to be reflected throughout the supply chain. The specific guidance is that the provider must act in an “ethical and socially responsible” manner and adhere to international standards on human rights (e.g. the European Convention on Human Rights, which includes a right to privacy and therefore potentially has data protection implications), environmental protection and appropriate working conditions, including the prohibition of child labour. These requirements will have to be analysed carefully, particularly in the data centre sector in relation to environmental requirements, and in cloud markets where service providers will have to demonstrate their values for utility services. Businesses should refer to the United Nations Guiding Principles on Business and Human Rights, which are currently being discussed in the technology sector, including by the trade association techUK, which is launching new guidance for the sector in April 2019. The extent of this obligation should be carefully scrutinised, as technology providers will have to respond to the guidelines’ requirements, and institutions should consider whether, for example, the impact of significant fines levied on operators for breaches of data protection regulations is a factor that would have to be taken into account here.
The contractual phase
The guidelines include specific requirements for outsourcing contracts (section 13). None of these is particularly surprising.
75. The outsourcing agreement for critical or important functions should set out at least:
a clear description of the outsourced function to be provided;
the start date and end date, where applicable, of the agreement and the notice periods for the service provider and the institution or payment institution;
the governing law of the agreement;
the parties’ financial obligations;
whether the sub-outsourcing of a critical or important function, or material parts thereof, is permitted and, if so, the conditions specified in Section 13.1 that the sub-outsourcing is subject to;
the location(s) (i.e. regions or countries) where the critical or important function will be provided and/or where relevant data will be kept and processed, including the possible storage location, and the conditions to be met, including a requirement to notify the institution or payment institution if the service provider proposes to change the location(s);
where relevant, provisions regarding the accessibility, availability, integrity, privacy and safety of relevant data, as specified in Section 13.2;
the right of the institution or payment institution to monitor the service provider’s performance on an ongoing basis;
the agreed service levels, which should include precise quantitative and qualitative performance targets for the outsourced function to allow for timely monitoring so that appropriate corrective action can be taken without undue delay if the agreed service levels are not met;
the reporting obligations of the service provider to the institution or payment institution, including the communication by the service provider of any development that may have a material impact on the service provider’s ability to effectively carry out the critical or important function in line with the agreed service levels and in compliance with applicable laws and regulatory requirements and, as appropriate, the obligations to submit reports of the internal audit function of the service provider;
whether the service provider should take mandatory insurance against certain risks and, if applicable, the level of insurance cover requested;
the requirements to implement and test business contingency plans;
provisions that ensure that the data that are owned by the institution or payment institution can be accessed in the case of the insolvency, resolution or discontinuation of business operations of the service provider;
the obligation of the service provider to cooperate with the competent authorities and resolution authorities of the institution or payment institution, including other persons appointed by them;
for institutions, a clear reference to the national resolution authority’s powers, especially to Articles 68 and 71 of Directive 2014/59/EU (BRRD), and in particular a description of the ‘substantive obligations’ of the contract in the sense of Article 68 of that Directive;
the unrestricted right of institutions, payment institutions and competent authorities to inspect and audit the service provider with regard to, in particular, the critical or important outsourced function, as specified in Section 13.3;
termination rights, as specified in Section 13.4.
Certain of these requirements are set out in more detail in specific sub-sections, in particular “Sub-outsourcing of critical or important functions”. This is an issue that has been concerning institutions for some time. Transparency in the supply chain is essential as far as regulators are concerned: if the weakest link in a supply chain is not disclosed, institutions cannot carry out full due diligence on the outsourcing solutions they are purchasing.
The guidance gives reasonable flexibility on sub-outsourcing, consistent with GDPR obligations, and requires service providers to give outsourcing institutions sufficient time to “at least carry out a risk assessment of the proposed changes”, together with a reasonable right to object to changes. There is also a right for an institution to terminate in the case of “undue sub-outsourcing”, which is illustrated by way of non-comprehensive examples, such as “where the sub-outsourcing materially increases the risks for the institution or where the service provider sub-outsources without notification”.
Sub-outsourcing is only permitted where a sub-contractor expressly undertakes to comply with applicable laws, regulatory requirements and contractual obligations, and grants the institution and the competent authority “the same contractual rights” of access and audit as those granted by the service provider. This may cause issues where the contractor and sub-contractor perform different functions, for example where a sub-contractor operates a data centre or multi-tenant environment in which, technically, the same access rights as those granted over the primary service provider’s services could not be granted in practice.
Access information and audit rights (section 13.3)
The guidance requires audit rights regardless of the criticality or importance of the outsourced function. These give the institution extensive rights of access consistent with its regulatory obligations. Institutions “may” (paragraph 91) use pooled audits or, importantly in the cloud world, third-party certifications and third-party or internal audit reports that the service provider makes available.
However, the guidance is explicit that the institution must not rely solely on these certifications and reports. This adds a further layer of audit responsibility for many cloud providers, who, quite naturally given the nature of their businesses, have sought to rely on third-party audit reports as the primary basis of disclosure, and who may also be seeking to rely on third-party certification schemes, some of which will be deemed adequate for the purposes of GDPR compliance.
Third-party certifications and audit reports are also subject to additional detailed requirements in paragraph 93, under which the institution can only rely on these reports in certain closely defined circumstances. Service providers should review the scope of their existing audit reports, accreditations and certifications, and those of their sub-contractors, to confirm whether they will need to be updated before the guidance comes into force, and to assess the cost obligations arising from this. There is a specific requirement for penetration testing, where relevant.
There is also a specific reference to audits “in multi-client environments”. This implies that multi-tenant environments are not excluded from the audit requirements: the institution is advised that “care should be taken” to ensure that risks to another client’s environment (e.g. impact on service levels, availability of data, confidentiality aspects) are avoided or mitigated. This requirement is not clearly drafted: in a multi-tenanted environment there is, technically, one environment segregated between clients, yet the guidance refers both to a multi-client environment and to “clients’ environments” within it, so the actual scope of the audit and penetration testing requirements for a true multi-tenant environment is obscure.
Termination rights are dealt with at a high level. There is some change in the guidance here which may be of use to service providers, but cloud providers will have to consider the implications of these termination rights very carefully against the applicable revenue recognition requirements. Termination rights remain quite soft in definition and will have to be worked out in practice with customers.
98. The outsourcing arrangement should expressly allow the possibility for the institution or payment institution to terminate the arrangement, in accordance with applicable law, including in the following situations:
where the provider of the outsourced functions is in a breach of applicable law, regulations or contractual provisions;
where impediments capable of altering the performance of the outsourced function are identified;
where there are material changes affecting the outsourcing arrangement or the service provider (e.g. sub-outsourcing or changes of sub-contractors);
where there are weaknesses regarding the management and security of confidential, personal or otherwise sensitive data or information; and
where instructions are given by the institution’s or payment institution’s competent authority, e.g. in the case that the competent authority is, caused by the outsourcing arrangement, no longer in a position to effectively supervise the institution or payment institution.
For some cloud providers, the requirements around transition assistance and exit strategy will also be academic if the only technical obligation is to make data available, but a proportionate approach can be taken as regards the actual requirements in this respect.
Overall, the EBA has taken an approach that is consistent with regulatory obligations. There has been some effort to ensure appropriate technology neutrality in the guidance, but the limited progress towards accommodating what larger-scale cloud providers regard as practical will be disappointing for some. It is clear that there will be a significant amount of work for firms and institutions to address the guidance, and that another round of contractual negotiations and contract “patches” will be necessary. Each business requirement will require detailed consideration both of the specific regulatory obligations and of the technical detail of the relevant outsourced services, as the guidance makes it absolutely explicit that institutions must have a full technical understanding of the services they outsource in order to ensure that the appropriate regulatory safeguards are complied with.