New guidelines for EU Financial Institutions moving to Cloud Computing

Prompted by the increasing interest in the use of cloud outsourcing solutions within the banking industry, the European Banking Authority (“EBA”) has recently issued its final recommendations on the use of cloud service providers by financial institutions (“Recommendations”), which will be applicable as of 1 July 2018.

The Recommendations, which build on the 2006 outsourcing guidelines issued by the Committee of European Banking Supervisors (“CEBS Guidelines”), are intended to provide further clarification to credit institutions and investment firms considering a move to cloud-based services, and to lead competent authorities towards the definition of effective supervisory practices and the consistent application of EU law.

With these Recommendations, the EBA has taken significant steps to address some of the uncertainties that have often been seen as a key barrier to outsourcing to cloud service providers, so as to provide reassurance to financial institutions and lay the foundations for supervisory convergence. These changes send a positive message to the market, although compliance with the Recommendations will require effort from financial institutions and IT providers, which will have to revise and update procurement policies, contractual templates and clauses in line with the Recommendations.

The Recommendations set out a number of guidelines for outsourcing institutions, which include:

  1. Make a materiality assessment on outsourcing. Outsourcing institutions should assess which activities are material prior to outsourcing, taking into account, among other things, the risks related to the activities to be outsourced, the operational impact of outages, the impact that any disruption of the activity could have on the institution’s revenue prospects and the potential impact of a confidentiality breach.
  2. Adequately inform supervisors of material activities outsourced to cloud service providers. Outsourcing institutions should provide competent authorities with the details of the cloud service provider, the services and the relevant contract and maintain a register of all information on both material and non-material activities outsourced.
  3. Ensure rights of access and audit in relation to outsourced services. Outsourcing institutions should make sure that agreements with the cloud service provider include specific provisions granting both the institution and competent authorities the right to access the cloud service provider’s premises and to inspect and audit without restriction.
  4. Implement appropriate levels of security of data and systems. The cloud service provider should undertake to meet specific standards in terms of confidentiality, integrity, traceability, continuity of services and performance, and the outsourcing institution will have to verify that those standards are met.
  5. Adopt a risk-based approach to data and data processing locations. Outsourcing institutions should take special care when entering into outsourcing agreements with cloud service providers located outside the EEA due to possible data protection risks. Thus, institutions should carry out risk assessments to address potential risk impacts relating to locations where the outsourced activities are provided or data is stored, so as to make sure that risks are kept within acceptable limits.
  6. Consider further risks associated with chain outsourcing. In order to address possible risks related to the subcontracting of parts of the services to other providers, outsourcing institutions should, among other things, (i) agree to chain outsourcing solely if the subcontractor will also fully comply with the outsourcing service providers’ obligations, (ii) identify the activities which are excluded from sub-contracting and for which the outsourcing service provider retains full responsibility, and (iii) make sure that the cloud service provider is bound to inform about any planned significant changes to the subcontractors or the subcontracted services named in the initial agreement, save for the outsourcing institution’s right to terminate the agreement in case the changes result in an aggravation of the risk assessment related to the agreed services.
  7. Make contingency plans and have clearly defined exit strategies. Outsourcing institutions should plan and implement arrangements to maintain business continuity in the event the provision of service fails or deteriorates, such as the development and implementation of exit plans and transition plans, so as to enable the transfer of existing activities and data with the contractually agreed support of the cloud service provider.

The Recommendations are inspired by the principle of proportionality, which applies throughout so as to make sure that financial institutions apply the above rules in a manner that is appropriate to them, in terms of size and operational environment, as well as the nature, scale and complexity of the affected activities. Moreover, the EBA ensures that the Recommendations are fully consistent with the provisions of MiFID II on outsourcing and the relevant implementing regulation in relation to institutions offering investment services.

Feel free to contact Laura Borelli and Alessandro Ferrari if you wish to discuss or receive more information!