[Newsflash n. 31]


On 18 May 2017, the European Banking Authority (“EBA”) launched a public consultation on its recommendations on the use of cloud services by financial institutions.

While a set of CEBS guidelines on outsourcing (“CEBS Guidelines”) was introduced in 2006 to cover the general outsourcing to a third party of activities that would normally be undertaken by the authorised entity, these EBA recommendations (“Recommendations”), designed to complement the CEBS Guidelines, are addressed to competent authorities, credit institutions and investment firms with the aim of (i) better specifying the supervisory requirements and processes to be applied when institutions outsource activities to cloud service providers and (ii) fostering supervisory convergence across the EU.

The Authority starts from the consideration that whereas the increasing use of cloud services can offer firms a number of advantages such as economies of scale, flexibility, operational efficiencies, and cost-effectiveness, it also raises challenges in terms of data protection and location, security issues, and concentration risk.

Furthermore, such risks may have a systemic impact in the event of a failure of a large supplier of cloud services on which many institutions rely.

The Recommendations, issued pursuant to Art. 16 of Regulation (EU) No 1093/2010, cover numerous aspects of the outsourcing process:

  1. Materiality assessment
     Before outsourcing any activity, institutions should assess the materiality of such activities on the basis of the CEBS Guidelines, taking into account: (a) their risk profile; (b) the operational impact of service interruptions; (c) the impact of such interruptions on the firm’s revenues; (d) the possible effects of confidentiality breaches or data integrity failures.
  2. Duty to adequately inform supervisors
     Outsourcing institutions shall fulfil the duty to inform their competent authorities about material cloud outsourcing according to the specific guidance on the process and content set out in the Recommendations.
  3. Access and audit rights
     Outsourcing institutions should have in place an agreement with the cloud service provider that grants both the institution and its supervisory authority: (i) full access to the provider’s business premises, including the full range of devices, systems, networks and data used for providing the service; and (ii) unrestricted rights of inspection and auditing.
  4. Security of data and systems
     Outsourcing institutions should define, inter alia, an appropriate level of (i) protection of data confidentiality (using, for example, specific encryption technologies), (ii) continuity of the activities outsourced, and (iii) integrity and traceability of data and systems.
  5. Location of data and data processing
     Outsourcing institutions should adopt a risk-based approach when considering the data processing location, taking into account (i) risk impacts, (ii) legal risks and (iii) compliance issues related to the countries where the outsourced services are or are likely to be provided and where data is or is likely to be stored.
  6. Chain outsourcing (“subcontracting”)
     Subcontracting requires ex ante notification to the outsourcing institution, whose consent, however, is not required.
  7. Contingency plans and exit strategies
     Outsourcing institutions should have in place a clear strategy for exiting cloud outsourcing arrangements, if needed, without (i) disruption to their provision of services, (ii) adverse effects on their compliance with the regulatory regime and (iii) detriment to their clients.

The document published by the EBA also includes a detailed cost-benefit analysis and impact assessment of the new processes to be implemented.

Responses to the consultation can be submitted, via the dedicated online form, by 18 August 2017.

We would be happy to offer you any assistance you may require in submitting your response, or any further clarification on the Recommendations or any other matter related to cloud services.


Contacts:

Vito Vittore
Senior Partner

Elena Pagnoni
Of counsel

Emilio Tucci
Associate

Luigi Bonifacio
Associate