The cloud certification would help reduce technical, operational and security risks, and would support compliance with the EBA Outsourcing Guidelines.
It would also help the European banking industry be more competitive worldwide by adopting new technologies quickly. In any case, it is clear that a new oversight framework should not increase the banking and financial sectors' obligations or supervisory burden. The EBA has advised the European Commission to look at the establishment of an appropriate oversight framework for third-party service providers (TPPs), in particular in the area of cloud services. ESBG shares the EBA's view on the need to strengthen and harmonise the current legislative framework for TPPs at both micro and macro level.
- At micro level, supervisors should have access rights, audit rights and sanctioning rights directly from the regulatory framework rather than relying only on contractual provisions in outsourcing contracts. ESBG believes that the Cloud Certification is an additional tool that will contribute to achieving this policy objective. ESBG encourages policymakers to increase efforts to create a CSP certification framework.
- At macro level, ESBG also agrees with the EBA that for critical TPPs there is an urgent need for a new oversight framework that sets higher standards related to security and data protection (e.g. obligatory cybersecurity certification). The scope of oversight should aim at monitoring concentration risk, financial stability risks and ensuring cooperation with relevant authorities.
Identified Concerns
ESBG is concerned about the unbalanced power relationship between CSPs (Google, Amazon, Microsoft, Alibaba, etc.) and cloud service users, such as banks. It is indeed almost impossible for banks to negotiate contractual terms with the powerful CSPs that are compliant with the EBA guidelines or applicable legal acts, and this situation generates compliance risk for banks, as they remain responsible for the outsourcing arrangement.
Regarding the regulatory framework, the EBA, in its Outsourcing Guidelines, sets unrealistic obligations for banks (e.g. auditing rights, data localisation), as the negotiating position of European banks towards cloud service providers is fairly weak.
Why Policymakers Should Act
Industry sectors like banking urgently need cloud services offered by big players to fall under a centralised, Europe-wide, validated and standardised EU framework that puts in place legal, technology and security requirements. ESBG has identified some of the major guarantees expected from cloud service providers in order to comply with the authorities’ requirements and obtain trustworthy banking cloud services.
ESBG welcomes the European Commission’s approach to standardising certain mandatory and sensitive Cloud contractual clauses. Nevertheless, additional efforts are required to strengthen the financial sector’s capacity to negotiate. Beyond the standardisation of Cloud contractual clauses, a complementary approach could be considered to obtain a Trustworthy European Cloud certification for the financial sector.
Background
There is an ongoing reflection on the level of oversight and supervision for providers supplying a public Cloud to the banking and financial sectors. The underlying idea is to ensure that CSPs deliver a trusted European Cloud that complies with the technical, security, legal and regulatory requirements imposed by the 2019 EBA Outsourcing Guidelines, the 2020 Guidelines on ICT and security risk management, and legal acts such as the GDPR.