Response to consultation on recommendations on outsourcing to cloud service providers


Question 1: Are the provisions from these recommendations clear and sufficiently detailed to be used in the context of cloud outsourcing?

Eurofinas, the voice of consumer credit providers at European level, welcomes the opportunity to respond to the European Banking Authority’s (EBA) Draft Recommendations on outsourcing to Cloud Service Providers.

Eurofinas supports the work of the EBA in ensuring that market actors engaging in financial innovations can do so with confidence across Europe and subject to consistent regulatory and supervisory frameworks. We trust that our comments will be taken into account and remain at the disposal of the authority should any further questions arise.

As a Federation, Eurofinas brings together associations throughout Europe that represent finance houses, universal banks, specialised banks and captive finance companies of car or equipment manufacturers. The products sold by Eurofinas members include all forms of consumer credit products such as personal loans, linked credit, credit cards and store cards. Consumer credit facilitates access to assets and services as diverse as cars, furniture, electronic appliances, education etc. It is estimated that together the Eurofinas members financed almost 427 billion euros worth of new loans during 2016 with outstandings reaching 1024 billion euros at the end of the year.

The continuing high pace of digitalisation of financial services and the uptake of new and innovative tools are important for lenders to carry out their core activities in an efficient, secure and adaptable way. As pointed out by the EBA, the potential use of cloud services brings benefits of both a financial and an operational nature, e.g. economies of scale, flexibility, operational efficiencies and cost-effectiveness. The potential gains are substantial. Internal informal industry assessments indicate that cloud outsourcing of core business activities could achieve cost savings of up to 40 percent.

As outlined in the consultation, the use of cloud services also carries a number of connected risks and challenges, e.g. in relation to increased concentration as well as data protection and location. In the end, the extent of outsourcing, especially of core activities, comes down to the risk appetite of the individual institution. Decisions to utilise cloud solutions must therefore ultimately form part of the institution’s overall strategy and internal/external control systems.

Financial services providers currently face a high degree of legal uncertainty due to inconsistent supervisory approaches as well as differing national frameworks (on e.g. data protection and localisation). We believe this significantly hinders the effective uptake of cloud solutions. Moreover, the situation has also created unnecessary in contractual negotiations with cloud service providers.

Against this background, we very much welcome the EBA’s initiative and believe it is an important measure to further promote the swift, relevant and responsible utilisation of cloud solutions in financial services. A comprehensive and transparent EU framework is necessary.

We appreciate the coherent approach adopted by the EBA on the basis of risk and proportionality. The guidelines’ clarification on the ability for an outsourcing institution to fulfil its audit obligations through pooled audits and third-party certifications is especially important for small and medium-sized institutions. The possibility of pooled audits together with other clients of the same cloud service provider allows for the more efficient usage of relevant and highly specialised expertise with the minimum level of disruption and risk for other cloud clients’ environment and data. In this context, we believe that further guidance would be beneficial to further clarify the necessary qualifications of competent third-party auditors and certifiers.

We think the principal risk (operational and reputational) in relation to cloud services relates to cyber security. The risk of cyber-attacks is an ever-increasing threat and outsourcing providers maintain an adequate level of protection. While cloud solutions offer improved solutions for security, the magnitude of these risks will increase as the concentration of processes with providers will make them more attractive targets.

In this context, further common measures and cooperation between all concerned stakeholders, at EU and national level, could play a significant role to promote the uptake of cloud services and to counter risks. Such measures could involve improved information sharing of best practices, contractual solutions and risk management.

Additional specific comments

• Duty to adequately inform supervisors (Section 4.2)

In order to streamline and harmonise the relevant reporting, we believe that there would be added benefits if the EBA would propose a reporting template for outsourcing projects deemed material.

• Security of data and systems (Section 4.5)

We believe that the proposed guidelines on security of data and systems are relevant and proportionate, generally upholding high standards on cybersecurity, data protection and privacy as well as confidentiality.

The operational and reputational consequences could be severe in case of privacy and security breaches. Given the many different risks at stake, we would welcome further joint efforts by the EBA together with the European Network and Information Security Agency (ENISA) as well as with other international counterpart bodies.

In particular, greater information sharing must be enabled and encouraged. The fight against cybercrime must be a key priority and it requires the sharing of all relevant data on cyberattacks and fraud within the industry as well as with all relevant authorities and other stakeholders.

• Contingency plans and exit strategies (Section 4.8)

We fully agree with the draft guidelines that exit strategies to other providers should be set out in the contractual arrangements between the service provider and the outsourcing institution. However, we believe that the difficulties and time needed to ensure exit back to internal infrastructures need to be highlighted and that this should be reflected in the final guidelines.
