The EBA's recommendations on cloud outsourcing have been finalised and will enter into force in July. They place new responsibilities on banks and service providers alike, and it is clear that supervisors will soon begin to scrutinise compliance. Banks need to ensure they are fully aware of the new requirements, and should begin implementing them immediately - if they are not already doing so.
The recommendations come at a time when the fast-changing technological landscape is already challenging the banking sector. Cloud computing is a unique opportunity for banks to expand their IT capacity and boost efficiency, while cutting costs. As an example of how it can be leveraged, the newly released Second Payment Services Directive (PSD2) will encourage banks to use cloud outsourcing to speed up their product delivery in order to compete against fintechs and third-party payment providers. With demand for cloud outsourcing growing, there is a greater need for formal supervision.
The EBA published its final recommendations on outsourcing to cloud service providers on 20th December 2017. They apply from 1st July 2018, the first time cloud outsourcing will be the subject of formal European supervision. That poses a tight compliance timeframe for the many banks that increasingly rely on cloud computing - and for their cloud providers, which will also be subject to increasing supervisory interest.
As discussed in our Cloud Outsourcing article from autumn 2017, we expect most banks will need to consider a number of factors as they implement the new requirements. These are:
- Materiality assessments prior to any outsourcing decision (which activities should be considered as material, and in what areas);
- Duty to adequately inform supervisors (whether, when and how to inform supervisors about cloud outsourcing);
- Security of data and systems (obligation for the provider to protect the confidentiality of the outsourced information, key checks to be performed by the institution prior to outsourcing that should be then included in outsourcing agreements with third parties);
- Location of data (data transfers between controllers and processors, echoing the General Data Protection Regulation (GDPR) agenda);
- Chain outsourcing (ensuring that service levels and oversight are not affected);
- Contractual provisions (including access and audit rights in outsourcing agreements); and
- Contingency plans (exiting cloud outsourcing without affecting compliance or customers).
As they implement the new recommendations, banks in the SSM should be aware that there are good reasons to expect that supervisors will pay active attention to this area as soon as the new rules enter into force.
One important factor is that on-site inspections dedicated to IT topics have already begun, with outsourcing as a key area of supervisory focus. Another is that in January the ECB sent out an IT questionnaire asking banks precisely how they assess and manage Information and Communication Technology (ICT) outsourcing risk.
We consequently believe the ECB may incorporate the recommendations into its on-site inspection methodology and also amend the questionnaire next year by adding dedicated cloud computing questions.
At a high level, the recommendations have changed little from the draft version published in May 2017. However, banks should be aware of some clarifications by the EBA. These include:
- The fact that supervisors should be informed about outsourcing on a proactive, ex ante basis;
- The acknowledgement that outsourced data can have multiple locations;
- The need for an updated register of information on all material and non-material activities outsourced to cloud service providers at both institution and group level; and
- The recognition that the outsourcing institution remains ultimately responsible for the transfer of data, but that cloud service providers should provide adequate support to any data transfer.
With less than six months until the new recommendations enter into force, banks need to begin work on implementation now. As mentioned, a materiality assessment of activities outsourced to cloud service providers and a review of outsourcing agreements are most likely to be the first key steps. But before that can happen, banks will need to draw up a full inventory of their outsourced activities - if they have not done so already.
In conclusion, the new recommendations on outsourcing to cloud service providers were needed given the rapid growth of technology in financial services over the past few years. They enter into force very soon and their implementation is likely to be closely scrutinised. Banks should act now to be sure of achieving full compliance.
On the upside, the new recommendations complement the existing, broader Guidelines on Outsourcing originally issued by CEBS. This means that banks and service providers should be able to leverage and fine-tune the efforts they have already made in this area. Banks should see the fast-changing technological landscape of cloud computing as a unique opportunity to support joint initiatives with supervisory authorities on information sharing and the promotion of best practices, ensuring a level playing field for all players in the digital ecosystem, both within the EU and beyond.
Senior Manager, KPMG ECB Office
KPMG in Germany