Q1: Are the provisions from these recommendations clear and sufficiently detailed to be used in the context of cloud outsourcing? ESBG welcomes the opportunity to review and comment on these draft Recommendations.
At the moment, the legislation and supervision applicable to the use of cloud services are the purview of national authorities, which leads to different legal frameworks across the European Union. This has several implications: banks may be constrained in contracting a cloud service provider located in another Member State (this is also an issue for banks active in several Member States), and banks may be at a competitive disadvantage both vis-à-vis incumbents located in Member States with less stringent regulation and vis-à-vis newcomers. There is hence an urgent need for legal certainty and harmonisation in the cross-border use of cloud service providers, and for clarity and harmonisation of the supervisory requirements applicable to banks in this respect.
Currently, a number of obstacles prevent financial services firms from using cloud service providers (CSPs). These issues can be summarised as follows:
ESBG welcomes these Recommendations, which represent a first step towards the adoption of guidelines that ensure a common approach by regulators and supervisors regarding procedures and methodologies, and that give the banking sector the clarity it needs to adopt cloud solutions, a step that would bring significant benefits for the industry.
ESBG nevertheless would like to formulate the following remarks:
Special attention should be paid to avoid inconsistencies between regulations or accumulation of similar obligations resulting from different regulations (on location of data or security for instance).
Moreover, notwithstanding the clarification these guidelines provide, it is essential that the European Commission takes initiatives to oblige CSPs to implement the main provisions of the EBA Recommendations.
ESBG would suggest that the following actions be designed to facilitate access to cloud solutions and the development of cloud in the banking industry:
ESBG believes that there are some areas in which these Recommendations can be improved, regarding specific practical hurdles banking entities have encountered in recent years. ESBG has specific comments on the various sections of the draft Recommendations, which are set out below.
Section 4.2 Duty to adequately inform supervisors. Although ESBG agrees with the detailed list of information that outsourcing institutions are expected to provide to competent authorities, it needs to be taken into account that the burden of regulatory and supervisory reporting has increased significantly in recent years, and that clarity is needed on the expectations to be fulfilled. ESBG therefore suggests that the EBA propose a template form for the ex ante reporting of projects involving outsourcing to cloud services, so that reporting to the different national competent authorities is harmonised.
Section 4.3 Access and audit rights. ESBG welcomes the recognition in these Recommendations of the right of access to a cloud service provider's business premises (including all devices, systems, networks and data) and the right to undertake unrestricted inspections and audits. However, both the EBA and competent authorities need to take into account that in practice physical access to the business premises of a cloud service provider rarely allows an outsourcing institution to properly observe how its data is handled and where it flows on cloud infrastructure. The volume of data outsourced is so large that physical access to the provider's premises is of little help in analysing any relevant information. The EBA should therefore consider including in section 4.3 provisions ensuring that virtual access to the data, with continuous monitoring capabilities, is granted to outsourcing institutions and competent authorities. Otherwise, these Recommendations risk soon becoming irrelevant in practical terms. In addition, in order to adequately monitor compliance with the contractual arrangements on rights of access and audit, ongoing supervision by national competent authorities under these EBA Recommendations should be strengthened.
Section 4.5 Security of data and systems. This section rightly recognises the need for CSPs to comply with the security terms of their contractual arrangements, especially those relating to confidentiality, privacy, data protection and cybersecurity. ESBG fully agrees that the adoption of cloud solutions by financial entities must go hand in hand with an obligation on CSPs to deliver all the security measures the financial entities require, and that enforcement of this can be significantly enhanced through supervisory activities. Currently, not every cybersecurity requirement is fully met by all CSPs, which hinders the adoption of cloud solutions. In particular, ESBG has identified the following critical requirements that CSPs rarely guarantee: (i) a secure key management and encryption infrastructure, with data encrypted at multiple layers and the keys held within the financial entity's own infrastructure; (ii) traceability of all data stored on cloud infrastructures; (iii) certified security mechanisms; and (iv) compliance with data protection and privacy rules.
As a consequence, banks and other financial entities acting as cloud service consumers need assurance that all contract terms are fulfilled by CSPs, as all of them affect the level of security around the outsourced data. Two main challenges arise when negotiating contractual arrangements with CSPs: (i) CSPs are not always able to comply with specific contract terms in practice (e.g. the user's and the supervisor's right to audit), and (ii) CSPs are not always willing either to negotiate their template contracts to accommodate different regulations and national or entity-specific requirements, or to include non-regulated issues in contractual arrangements. The position CSPs take in contractual negotiations arises from the fact that they are not required to comply with the regulatory and supervisory rules to which banks are subject. Taking this into account, a common regulatory framework should therefore be developed to facilitate compliance with a commonly understood set of minimum requirements to operate in the EU, translated into a core of minimum contractual arrangements to be included in all contractual relationships between CSPs and their users, namely:
Section 4.6 Location of data and data processing. Paragraph 19 of the draft Recommendations states that institutions should take "special care" when entering into and managing outsourcing agreements undertaken outside the EEA. However, ESBG considers that this approach may not be enough to properly enforce and supervise the current EU regulatory framework under contractual arrangements for outsourcing to cloud service providers. ESBG therefore suggests that the EBA recommend that, wherever possible, outsourced data stays in the EEA, and that the location and processing of data outside the EEA be reserved for cases in which the data is actually exchanged between data centres inside and outside the EEA.
Section 4.7 Chain outsourcing. In relation to the previous issue, ESBG would suggest that special consideration be given to the location of data in cases of chain outsourcing. National competent authorities should take a rather strict approach towards CSPs that subcontract cloud services to providers placing data outside the EEA.
Section 4.8 Contingency plans and exit strategies. ESBG suggests differentiating regulatory and supervisory expectations for contingency planning between exit to another provider and exit inwards (back to internal infrastructures). As paragraph 27 of the draft Recommendations states, "an outsourcing institution should also ensure that they are able to exit cloud outsourcing arrangements if needed without undue disruption to their provision of services, or adverse effects on their compliance with the regulatory regime and without detriment to the continuity and quality of its provision of services to clients". This issue, including every aspect mentioned in detail in that paragraph, must be included in the contractual arrangements between a bank and a cloud service provider. ESBG fully agrees that exit to another provider has to be ensured by contractual arrangements. However, ESBG finds it very difficult in practice to ensure exit to internal infrastructures, and this should be considered by both the EBA and national competent authorities. ESBG would therefore suggest modifying paragraph 27.c) as follows:
“(c) Ensure the outsourcing agreement includes an obligation on the cloud service provider to orderly transfer the activity and that of the subcontractors to another service provider or to the direct management of the outsourcing institution in case of the termination of the outsourcing agreement.” The Recommendations could also be more detailed on contingency plans and exit strategies. In practice, an exit plan depends mainly on the goodwill of the cloud service provider (CSP) and on the use of standard formats that allow data to be migrated. Specific obligations must be imposed on CSPs regarding the migration process and standardisation. In our view the continuity plan should be the responsibility of the CSP, and this should be reflected in the institution's contract with the CSP. It is up to the CSP to provide an exit solution to its customers and to justify it to the regulator.
Q2: Are there any additional areas which should be covered by these recommendations in order to achieve convergence of practices in the context of cloud outsourcing? No, the scope of these Recommendations is sufficient. As expressed in the answer to the first question, the main priority, in parallel to the guidelines, should be to help banks by spelling out guiding principles for contractual terms with CSPs, and by reassuring them that they have met the technical, legal and security standards defined by the European Banking Authority or the European Commission when adopting cloud services (through certification of cloud solutions).
About ESBG (European Savings and Retail Banking Group)
The European Savings and Retail Banking Group is a Brussels-based association that helps its member savings and retail banks thrive, focus on providing service to local communities and boost SMEs. ESBG brings together nearly 1000 savings and retail banks in 21 European countries that believe in a common identity for policy in Europe. Its members represent one of the largest European retail banking networks, comprising one-third of the retail banking market in the European Union, with 190 million customers, more than 60,000 outlets, total assets of €7.1 trillion, non-bank deposits of €3.5 trillion, and non-bank loans of €3.7 trillion. ESBG members come together to agree on and promote common positions on relevant regulatory or supervisory matters.
European Savings and Retail Banking Group – aisbl, Rue Marie-Thérèse, 11, B-1000 Brussels. Tel: +32 2 211 11 11, Fax: +32 2 211 11 99, Info@wsbi-esbg.org, www.wsbi-esbg.org
Published by ESBG. August 2017.