Uncertainty around the implementation of the upcoming EBA revised guidelines on outsourcing is causing a “wait and see” approach in the industry, especially with respect to cloud computing.

Over recent years, technological and digital developments have not only enhanced customers' expectations for their banking interactions. They have also changed how banks seek to deliver their products and make them accessible to clients.

Indeed, the act of queuing up in a bank in order to make a transfer is a task that some of us have never had to experience, following the advent of online banking and secure app-based money transfers. Some banks in the Single Supervisory Mechanism (SSM) now offer registration via facial recognition on smartphones, and software has even been developed with emotion-measurement technology intended to give banks more insights into the behaviour and needs of their clients.

As banks continue to develop these technological solutions - and to further cut their own costs - reliance on some form of cloud computing outsourcing is growing greater and greater. We noted in our previous article that outsourcing to the cloud is a unique opportunity for banks to achieve economies of scale, flexibility, operational efficiencies and cost-effectiveness. However, as with any fast-paced development in the banking sector, we also noted that supervisors and regulators are increasing their scrutiny of banks' practices. It is already one year since the European Banking Authority (EBA) published recommendations on outsourcing to cloud service providers, and the corresponding EBA Guidelines on outsourcing arrangements will enter into force on 30 September 2019.

The recommendations highlighted a topic in the executive summary, whereby paragraph 2.3 states that “it appears that there is a high level of uncertainty regarding the supervisory expectations that apply to outsourcing to cloud service providers and that this uncertainty forms a barrier to institutions using cloud services” and these Guidelines should be the first step to alleviating this barrier.

The KPMG ECB Office is running an informal survey of a sample of SSM banks on this topic. Preliminary results confirm that although all the banks in our sample are either using to some extent or considering using cloud computing (either via private, public or `hybrid' clouds), many are taking a “wait and see” approach before full commitment, acknowledging in part their wish to see how regulatory requirements develop and how supervisors react to the first moves of other banks.

Furthermore, we understand from some banks that this hesitancy is being compounded by uncertainty over the way in which the European Central Bank (ECB) and other National Competent Authorities (NCAs) will implement the EBA guidelines on outsourcing arrangements.

For example, banks in some countries have highlighted that there are currently gaps between the requirements of the NCAs and the future requirements of the EBA. In the guidelines, paragraphs 58-59 indicate that institutions “should adequately inform competent authorities in a timely manner or engage in a supervisory dialogue with the competent authorities about the planned outsourcing of critical or important functions and/or where an outsourced function has become critical or important”. Since it is currently not always clear how NCAs will define their technical implementation details, it may be that some will also require pre-approval, not just a formal notification as per the EBA guidelines.

This is already the case in the Netherlands, Italy and Spain, but in other countries formal pre-approval is not currently required. Given this uncertainty, some banks have indicated that they are in the process of developing compliance processes for both notification and approval options.

Another uncertainty expressed by banks arises over choosing between public and private cloud solutions, particularly with respect to the security as well as the location of data and subsequent audit rights. The right to audit outsourcing institutions is a fundamental principle of the EBA guidelines. Previously, the EBA recommendations on Cloud Outsourcing acknowledged that banks face additional challenges around security and confidentiality concerns arising from data access in multi-tenant cloud environments (such as public clouds) and this will remain the same once the Guidelines incorporate the recommendations.

For these reasons, we understand that some banks are hesitant to expand into public clouds until supervisory expectations are clear. This is especially true given that the limited number of public cloud providers (eg: AWS, Microsoft Azure) may mean that banks find it hard to secure audit rights, owing to their relatively weaker bargaining position. As a starting point to address this hesitancy and decrease the organisational burden of such audits, the latest EBA revised guidelines on outsourcing will allow institutions to perform pooled audits organised jointly with other clients of the same service provider.

The preliminary results seem to indicate that some banks are still wary of making the first move, and the fact that NCAs and the ECB have not yet defined technical implementation details in full could be compounding the hesitancy. What is clear is that banks should already be in the process of understanding how their institutions measure up against the EBA revised Guidelines on Outsourcing and they should proactively engage in conversation with their JSTs on this. Working assumptions should be developed regarding potential advanced notification to NCAs and the ECB over how outsourcing arrangements can be negotiated to ensure appropriate audit and access rights, especially in the complex cases of chain outsourcing. We understand that the ECB have indicated they will publish a guide on outsourcing to align their supervisory expectations with those set by the recent EBA guidelines. This draft guide from the ECB will be based on best practices identified at banks in terms of outsourcing arrangements, risk management, governance and monitoring.

In our conversations in the network, some banks have stated that they are already talking to their JSTs about potential moves to the public cloud. KPMG would recommend that banks considering such a move, who have not yet initiated dialogue, to start as soon as possible in order to be prepared when the Guidelines come into effect.

Connect with us