Response to consultation on recommendations on outsourcing to cloud service providers
Question 1: Are the provisions from these recommendations clear and sufficiently detailed to be used in the context of cloud outsourcing?
London Stock Exchange Group (LSEG) is delighted to have the opportunity to comment on the EBA Recommendations on outsourcing to cloud service providers. We welcome the guidance provided by the EBA on cloud outsourcing and the EBA’s harmonised approach with other existing regulations on this topic.
Looking specifically at section 4.7 on chain outsourcing, LSEG supports the EBA’s guidelines that the outsourcing institution should agree to chain outsourcing only if the subcontractor will also fully comply with the obligations existing between the outsourcing institution and the outsourcing service provider. However, we would welcome further clarification that such obligation includes provision of access and audit rights, as outlined in section 4.3, to outsourcing institutions.
At a high level, LSEG would welcome more clarity on the boundaries around the outsourcing nature of cloud computing. We observe that it is often difficult to get cloud providers to disclose their regulatory-compliant terms, and ultimately it is often a matter of negotiation with cloud providers. Although these arrangements are often seen as outsourcing by regulators, the cloud terms do not always match up to the standards required of outsourcing documentation. As a cloud user, we note that guidance provided by the EBA and various other regulators is helpful, but if providers do not adhere to it, then it restricts our ability to use them and to fully leverage the benefits of cloud. We believe that it would be beneficial for regulators to provide further clarity and take a more flexible, risk-based approach to the definition of what constitutes “cloud outsourcing”, as treating all cloud services as “outsourcing” inhibits a regulated customer from taking up the benefits that cloud provides, considering that cloud suppliers are often reluctant to adhere to traditional outsourcing terms in contracts.