Cloud Outsourcing: regulators turn their attention to the use of cloud services providers
In light of its concerns over the growing importance of cloud services and the use of cloud outsourcing solutions within the banking industry, in December 2017 the European Banking Authority (EBA) published a report setting out its recommendations on outsourcing to cloud service providers.
The EBA Recommendations are addressed to credit institutions and investment firms as defined in Article 4(1) of the Capital Requirements Regulation (Regulation (EU) No 575/2013). The recommendations apply from 1 July 2018, and the key themes arising out of them are highlighted below.
The EBA has adopted a holistic interpretation of what it considers to be “cloud services”. The EBA Recommendations define cloud services as “services provided using cloud computing, that is, a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services)”.
Separately, the updated FCA Guidance for firms outsourcing to the "cloud" and other third-party IT services (FG16/5) was also published in July 2018. The FCA Guidance notes that it does not apply to a bank, building society, designated investment firm or IFPRU investment firm to which the EBA Recommendations on outsourcing to cloud service providers are addressed. General outsourcing requirements for firms are set out in the Senior Management Arrangements, Systems and Controls sourcebook (SYSC), with different requirements applying to different types of firm.
EBA Recommendations on outsourcing to cloud services providers
The EBA Recommendations specify the supervisory requirements and processes that apply when outsourcing to cloud service providers, and build on the 2006 guidelines on outsourcing from the Committee of European Banking Supervisors (CEBS). As in the CEBS guidelines, the concept of proportionality applies throughout the recommendations: the measures undertaken by an outsourcing institution should be proportionate to the size of the institution as well as to the sophistication, nature, scale and diversification of the outsourced activities.
The EBA Recommendations highlight the following key themes:
Access and audit rights
Outsourcing institutions should ensure that they have in place a written agreement with the cloud service provider under which the service provider undertakes to give the institution, any third party appointed by the institution and the institution’s statutory auditor full access to its business premises, including the full range of devices, systems, networks and data used for providing the services. Where an outsourcing institution does not have its own audit resources, it should consider using pooled audits organised jointly with other clients of the same cloud service provider, or third-party certifications and third-party or internal audit reports made available by the cloud service provider.
The security of data and systems
The recommendations expand on the need for integrity and traceability, noting that institutions should ensure that they have in place a written agreement with the cloud service provider which sets out an appropriate level of protection for data confidentiality, continuity of the outsourced activities, and integrity and traceability of data and systems. The outsourcing institution's requirements with respect to quality and performance should feed into written outsourcing contracts and service level agreements. These security aspects should also be monitored on an ongoing basis.
The location of data and data processing
Institutions should take extra care when entering into and managing outsourcing agreements performed outside the EEA, because of possible data protection risks and risks to effective supervision by the supervisory authority. This includes consideration of the wider political and security stability of the jurisdictions in question and the laws in force in those jurisdictions (including laws on data protection).
Subcontracting and "Chain" outsourcing
The use of subcontractors by the cloud service provider should not affect the services provided under the outsourcing agreement, and appropriate arrangements should be in place for the orderly transfer of the activity, data or services from the subcontractor to another service provider if needed. The outsourcing agreement should also include an obligation for the cloud service provider to inform the outsourcing institution of any planned significant changes to the subcontractors or the subcontracted services named in the initial agreement that might affect the ability of the service provider to meet its responsibilities under the outsourcing agreement.
Contingency plans and exit strategies
The guidance highlights the importance of maintaining and testing a disaster recovery plan for the event of a severe failure or deterioration of the service, along with a defined exit strategy. The outsourcing contract should include a termination and exit management clause that, on termination, allows the services to be transferred to another outsourcing service provider or brought in-house. The service provider should also be required to provide sufficient assistance and support to effect an orderly transfer.
Both the Bank of England and the EBA are turning their attention to the dominance of the big cloud service providers and the integral role these outsourced services play in the operational stability of financial services firms. A key concern remains the concentration risk of relying on a select number of providers, such as Amazon, Microsoft and Google, that are not regulated in the same way as banks.
On 13 June 2018 the Bank of England’s Financial Policy Committee (FPC) noted that “for the Cloud, it is important for a firm […] determine the level of effective control it retains. The right of access to review controls, and the strength of its contract, for example. Then the quality of service it expects to get and finally what exit options it has. A firm can get very stuck if it has no effective options to move, when its outsource provider is no longer delivering an adequate service”.
It remains to be seen how this will work out contractually when negotiating service agreements with the large cloud service providers. It is not uncommon for a “take it or leave it” negotiating stance to emerge when firms seek a stronger contractual position from cloud providers.
As recognised by the FPC, “the dominance of just a few providers means that many buyers are not in a strong position to negotiate contract terms with their Cloud provider. This can leave them badly squeezed between regulatory requirements that will often look through and outsourcing and little leverage with their Cloud Supplier who is unregulated to deliver against the regulations.”
Despite the EBA Recommendations on assessing the materiality of the activities outsourced, confusion remains in the market over the processes, controls and contractual arrangements which must be put in place in order to meet the regulatory requirements, particularly where cloud-based services support critical banking functions.
Unhelpfully, the EBA Recommendations have not sought to address the difference between a firm performing a critical or important regulated activity itself using a third-party cloud provider to support and deliver that activity, and a firm outsourcing a critical or important regulated activity so that the third party performs the regulated activity using its own cloud technology. Many have called for greater clarity on how the underlying regulatory framework maps onto the processes and controls required.
On 22 June 2018, the EBA launched a public consultation on its draft Guidelines on outsourcing. The draft Guidelines revise the existing CEBS Guidelines on outsourcing published in 2006, with the aim of establishing a more harmonised framework for the general outsourcing arrangements of all financial institutions within the scope of the EBA's remit. The deadline for the submission of comments is 24 September 2018. The EBA has clarified that the recommendations on outsourcing to cloud service providers will feed into this review.
This article was written by Christina Fleming. For more information please contact Christina on +44 (0)20 7427 1022 or at firstname.lastname@example.org.