Banks attempt to square circle between regulators, formidable cloud providers
BRUSSELS, 16 July 2020 – Industry sectors such as banking urgently need the cloud services offered by big players to fall under a centralised, Europe-wide, validated and standardised framework built by the European Union that sets out legal, technology and security requirements. That is the main finding of a new position paper on cloud certification published recently by ESBG.
The association notes in the paper that those requirements, which would need to be put in place at European level by EU policymakers, should take into account the specific needs of the industries served by the likes of Amazon, Microsoft and Google.
The ESBG paper presents the legal, technical and compliance arguments in favour of certification and the need for it, as well as the criteria it deems useful for certification. ESBG pinpoints some of the major guarantees expected from cloud service providers in order to comply with the authorities’ requirements and to obtain trustworthy banking cloud services. This list could serve as a starting point for authorities to examine the question in more detail.
ESBG Managing Director Chris De Noose said: “The paper describes the situation at hand and shows a path to rebalance contractual terms between banks and cloud service providers while ensuring compliance with EBA guidelines. We note in it that ESBG members face little negotiating space with behemoths in the market, with little chance to negotiate any aspect of the service contract with them. They dictate all contractual terms. If those terms don’t match what the EBA expects banks to follow, namely the guidelines on outsourcing, then a huge issue arises.”
EBA advises Commission to consider third-party service provider oversight framework
The paper comes as the EBA has advised the European Commission to look at setting up an ‘appropriate oversight framework for third-party service providers (TPPs)’, especially covering cloud services.
ESBG shares the view that the current legislative framework for TPPs needs to be strengthened and harmonised at both micro and macro level. At micro level, it identifies a need to strengthen the toolkit that enables supervisors to supervise more effectively the activities provided by third parties. Such strengthening should give supervisors access rights, audit rights and sanctioning rights directly from the regulatory framework, rather than relying only on contractual provisions in outsourcing contracts. The cloud certification framework encouraged by ESBG would form an additional tool that helps achieve this policy objective, and ESBG encourages policymakers to step up efforts to create a TPP certification framework. At macro level, ESBG also agrees with the EBA that for critical TPPs there is an urgent need for a new oversight framework that sets higher standards for security and data protection, such as obligatory cybersecurity certification. The scope of oversight should aim at “monitoring concentration risk, financial stability risks, and ensuring cooperation with relevant authorities.”
ESBG task force prepared paper for Commission eyes
Addressed to the European Commission, the six-page position paper took months in the making through an ESBG-initiated, dedicated, member-driven Task Force for Cloud Certification. Working within the framework of the Fintech Regulation Committee, the task force steers committee work and helps the group develop a common understanding of the regulatory and contractual issues that arise when financial institutions contract with cloud service providers. The association of some 900 savings and retail banks in more than 20 European countries now looks to share its stance with EU and national stakeholders.
ESBG welcomes the Commission’s approach of standardising certain mandatory and sensitive cloud contractual clauses. That work should proceed in parallel with additional efforts, ESBG notes, to strengthen the financial sector’s capacity to negotiate. Beyond the standardisation of cloud contractual clauses, “a complementary approach could be considered to obtain a Trustworthy European Cloud for the financial sector, with the creation of a label relating to Cloud categories (to be defined) and according to their criticality as an essential service.”
ESBG and its task force argue that their paper builds a consistent case for TPP certification, to be implemented by all European authorities as a label or certification that should include a holistic list of legal, technical and security criteria – for example, derived from the EBA guidelines of 2019. Providers would accordingly be obliged to apply this label to the cloud service “by design” for the banking and financial sector. The paper concludes that compliance with these guidelines should be centrally controlled by a legal authority, to guarantee Europe-wide uniform verification and to minimise the individual effort required of each customer.
De Noose concluded: “We seek dialogue with EU decision-makers to ensure banks circle the square, being compliant, making sure data of customers remains safe and secure.”