Cloud Outsourcing: regulators turn their attention to the use of cloud services providers
In light of its concerns over the growing importance of cloud services and the use of cloud outsourcing solutions within the banking industry, in December 2017 the European Banking Authority (EBA) published a report setting out its recommendations on outsourcing to cloud service providers.
The EBA Recommendations are addressed to credit institutions and investment firms as defined in Article 4(1) of the Capital Requirements Regulation 2013. The recommendations apply from 1 July 2018 and the key themes arising out of the recommendations are highlighted below.
The EBA has adopted a holistic interpretation of what it considers to be “cloud services”. The EBA Recommendations define cloud services as “services provided using cloud computing, that is, a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services)”.
Separately, the updated FCA Guidance for firms outsourcing to the "cloud" and other third-party IT services (FG16/5) was also published in July 2018. The FCA Guidance notes that it does not apply to a bank, building society, designated investment firm or IFPRU investment firm to whom the EBA Recommendations on outsourcing to cloud service providers are addressed. General outsourcing requirements for firms are detailed in the Senior Management Arrangements, Systems and Controls sourcebook (SYSC), with different requirements applying to different types of firm.
EBA Recommendations on outsourcing to cloud services providers
The EBA Recommendations specify the supervisory requirements and processes that apply when outsourcing to cloud service providers, and build on previous 2006 guidelines from the Committee of European Banking Supervisors (CEBS). As noted in the CEBS guidelines, the concept of proportionality applies throughout the recommendations such that the measures undertaken by an outsourcing institution should be proportionate to the size of the institution as well as to the sophistication, nature, scale and diversification of the outsourced activities.
The EBA Recommendations highlight the following key themes:
Access and audit rights
Outsourcing institutions should ensure that they have in place an agreement in writing with the cloud service provider whereby the service provider undertakes to provide to the institution, any third party appointed by the institution and to the institution’s statutory auditor full access to its business premises including the full range of devices, systems, networks and data used for providing the services. Where an outsourcing institution does not employ its own audit resources, it should consider using pooled audits organised jointly with other clients of the same cloud service provider, or third-party certifications and third-party or internal audit reports made available by the cloud service provider.
The security of data and systems
The recommendations expand on the need for integrity and traceability, noting that institutions should ensure that they have in place an agreement in writing with the cloud service provider which sets out an appropriate level of protection of data confidentiality, continuity of activities outsourced, and integrity and traceability of data and systems. The respective needs of the outsourcing institution with respect to quality and performance should feed into written outsourcing contracts and service level agreements. These security aspects should also be monitored on an ongoing basis.
The location of data and data processing
Institutions should take extra care when entering into and managing outsourcing agreements undertaken outside the EEA due to possible data protection risks and risks to effective supervision by the supervisory authority. This includes consideration of the wider political and security stability of the jurisdictions in question and the laws in force in those jurisdictions (including laws on data protection).
Subcontracting and "Chain" outsourcing
The use of subcontractors by the cloud service provider should not affect the services provided under the outsourcing agreement, and appropriate arrangements should be in place for the orderly transfer of the activity, data or services from the subcontractor to another service provider if needed. The outsourcing agreement should also include an obligation for the cloud service provider to inform the outsourcing institution of any planned significant changes to the subcontractors or the subcontracted services named in the initial agreement that might affect the ability of the service provider to meet its responsibilities under the outsourcing agreement.
Contingency plans and exit strategies
The guidance highlights the importance of maintaining and testing a disaster recovery plan in the event of a severe failure or deterioration of the service, along with a defined exit strategy. The outsourcing contract should include a termination and exit management clause that on termination allows the services to be transferred to another outsourcing service provider or to be brought in house. The service provider should also be required to provide sufficient assistance and support to effect an orderly transfer.
Both the Bank of England and the EBA are turning their attention to the dominance of the big cloud services providers and the integral role these outsourced services play in the operational stability of financial services firms. A key concern remains the concentration risk of using a select number of providers – the likes of Amazon, Microsoft and Google – that are not regulated in the same way as banks are.
On 13 June 2018 the Bank of England’s Financial Policy Committee (FPC) noted that “for the Cloud, it is important for a firm […] determine the level of effective control it retains. The right of access to review controls, and the strength of its contract, for example. Then the quality of service it expects to get and finally what exit options it has. A firm can get very stuck if it has no effective options to move, when its outsource provider is no longer delivering an adequate service”.
It remains to be seen how this will work out contractually when negotiating service agreements with the large cloud services providers. It is not uncommon for a “take it or leave it” style of negotiation tactic to present itself when firms seek a stronger contractual position from cloud providers.
As recognised by the FPC, “the dominance of just a few providers means that many buyers are not in a strong position to negotiate contract terms with their Cloud provider. This can leave them badly squeezed between regulatory requirements that will often look through an outsourcing and little leverage with their Cloud Supplier who is unregulated to deliver against the regulations.”
Despite the EBA Recommendations on assessing the materiality of the activities outsourced, there still remains confusion in the market over the processes, controls and contractual arrangements which must be put in place in order to meet the regulatory requirements, particularly where cloud based services are supporting critical banking functions.
Unhelpfully, the EBA Recommendations have not sought to address the difference between a firm performing a critical or important regulated activity using a third-party cloud provider to support and deliver that regulated activity, and a firm outsourcing a critical or important regulated activity so that the third party performs the regulated activity using its own cloud technology to support it. Many have called for greater clarity as between the underlying regulatory framework and the processes and controls required.
On 22 June 2018, the EBA launched a public consultation on its draft Guidelines on outsourcing. The draft Guidelines review the existing CEBS Guidelines on outsourcing published in 2006, with the aim of establishing a more harmonised framework for the general outsourcing arrangements of all financial institutions in the scope of the EBA's remit. The deadline for the submission of comments is 24 September 2018. The EBA has clarified that the recommendations on outsourcing to cloud service providers will feed into their review.
This article was written by Christina Fleming. For more information please contact Christina on +44 (0)20 7427 1022 or at email@example.com.