Cloud Outsourcing: regulators turn their attention to the use of cloud services providers
In light of its concerns over the growing importance of cloud services and the use of cloud outsourcing solutions within the banking industry, in December 2017 the European Banking Authority (EBA) published a report setting out its recommendations on outsourcing to cloud service providers.
The EBA Recommendations are addressed to credit institutions and investment firms as defined in Article 4(1) of the Capital Requirements Regulation 2013. The recommendations apply from 1 July 2018, and the key themes arising out of them are highlighted below.
The EBA has adopted a holistic interpretation of what it considers to be “cloud services”. The EBA Recommendations define cloud services as “services provided using cloud computing, that is, a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services)”.
Separately, the updated FCA Guidance for firms outsourcing to the "cloud" and other third-party IT services (FG16/5) was also published in July 2018. The FCA Guidance notes that it does not apply to a bank, building society, designated investment firm or IFPRU investment firm to which the EBA Recommendations on outsourcing to cloud service providers are addressed. General outsourcing requirements for firms are detailed in the Senior Management Arrangements, Systems and Controls sourcebook (SYSC), with different requirements applying to different types of firm.
EBA Recommendations on outsourcing to cloud services providers
The EBA Recommendations specify the supervisory requirements and processes that apply when outsourcing to cloud service providers, and build on previous 2006 guidelines from the Committee of European Banking Supervisors (CEBS). As noted in the CEBS guidelines, the concept of proportionality applies throughout the recommendations such that the measures undertaken by an outsourcing institution should be proportionate to the size of the institution as well as to the sophistication, nature, scale and diversification of the outsourced activities.
The EBA Recommendations highlight the following key themes:
Access and audit rights
Outsourcing institutions should ensure that they have in place a written agreement with the cloud service provider under which the service provider undertakes to provide the institution, any third party appointed by the institution and the institution’s statutory auditor with full access to its business premises, including the full range of devices, systems, networks and data used for providing the services. Where an outsourcing institution does not employ its own audit resources, it should consider using pooled audits organised jointly with other clients of the same cloud service provider, or third-party certifications and third-party or internal audit reports made available by the cloud service provider.
The security of data and systems
The recommendations expand on the need for integrity and traceability, noting that institutions should ensure that they have in place an agreement in writing with the cloud service provider which sets out an appropriate level of protection of data confidentiality, continuity of activities outsourced, and integrity and traceability of data and systems. The respective needs of the outsourcing institution with respect to quality and performance should feed into written outsourcing contracts and service level agreements. These security aspects should also be monitored on an ongoing basis.
The location of data and data processing
Institutions should take extra care when entering into and managing outsourcing agreements undertaken outside the EEA due to possible data protection risks and risks to effective supervision by the supervisory authority. This includes consideration of the wider political and security stability of the jurisdictions in question and the laws in force in those jurisdictions (including laws on data protection).
Subcontracting and "Chain" outsourcing
The use of subcontractors by the cloud service provider should not affect the services provided under the outsourcing agreement, and appropriate arrangements should be in place for the orderly transfer of the activity, data or services from the subcontractor to another service provider if needed. The outsourcing agreement should also include an obligation for the cloud service provider to inform the outsourcing institution of any planned significant changes to the subcontractors or the subcontracted services named in the initial agreement that might affect the ability of the service provider to meet its responsibilities under the outsourcing agreement.
Contingency plans and exit strategies
The guidance highlights the importance of maintaining and testing a disaster recovery plan in the event of a severe failure or deterioration of the service, along with a defined exit strategy. The outsourcing contract should include a termination and exit management clause that, on termination, allows the services to be transferred to another outsourcing service provider or to be brought in house. The service provider should also be required to provide sufficient assistance and support to effect an orderly transfer.
Supervisory spotlight
Both the Bank of England and the EBA are turning their attention to the dominance of the big cloud services providers and the integral role these outsourced services play in the operational stability of financial services firms. A key concern remains the concentration risk of relying on a select number of providers – the likes of Amazon, Microsoft and Google – that are not regulated in the same way as banks are.
On 13 June 2018 the Bank of England’s Financial Policy Committee (FPC) noted that “for the Cloud, it is important for a firm […] determine the level of effective control it retains. The right of access to review controls, and the strength of its contract, for example. Then the quality of service it expects to get and finally what exit options it has. A firm can get very stuck if it has no effective options to move, when its outsource provider is no longer delivering an adequate service”.
It remains to be seen how this will work out contractually when negotiating service agreements with the large cloud services providers. It is not uncommon for a “take it or leave it” style of negotiation tactic to present itself when firms seek a stronger contractual position from cloud providers.
As recognised by the FPC, “the dominance of just a few providers means that many buyers are not in a strong position to negotiate contract terms with their Cloud provider. This can leave them badly squeezed between regulatory requirements that will often look through an outsourcing and little leverage with their Cloud Supplier who is unregulated to deliver against the regulations.”
Despite the EBA Recommendations on assessing the materiality of the activities outsourced, confusion remains in the market over the processes, controls and contractual arrangements which must be put in place in order to meet the regulatory requirements, particularly where cloud based services are supporting critical banking functions.
Unhelpfully, the EBA Recommendations do not address the difference between a firm performing a critical or important regulated activity itself using a third party cloud provider to support and deliver that activity, and a firm outsourcing a critical or important regulated activity so that the third party performs the regulated activity using its own cloud technology to support it. Many have called for greater clarity on how the underlying regulatory framework maps onto the processes and controls required.
On 22 June 2018, the EBA launched a public consultation on its draft Guidelines on outsourcing. The draft Guidelines review the existing CEBS Guidelines on outsourcing published in 2006, with the aim of establishing a more harmonised framework for the general outsourcing arrangements of all financial institutions in the scope of the EBA's remit. The deadline for the submission of comments is 24 September 2018. The EBA has clarified that the recommendations on outsourcing to cloud service providers will feed into their review.
This article was written by Christina Fleming. For more information please contact Christina on +44 (0)20 7427 1022 or at christina.fleming@crsblaw.com.