Overall, the EBA recommendations provide further clarifications on the outsourcing by institutions to cloud service providers. This is a positive development.
We welcome that the EBA recognises the existence of significant levels of uncertainty regarding the supervisory expectations that apply to outsourcing to Cloud Service Providers (CSPs), notably due to fragmentation of the regulatory and supervisory framework for cloud outsourcing, and that this uncertainty is a barrier to development for the use of cloud services.
We support the “principles-based” approach which will provide national supervisors with an adequate degree of flexibility to take into account domestic rules and welcome the concept of proportionality as well as the risk-based approach, which are both essential to achieve the level of flexibility required in cloud outsourcing.
A. Materiality Assessment (section 4.1)
The assessment of materiality is essential. We note there are currently widespread divergences within the industry as to what constitutes materiality. As cloud outsourcing develops, sharing concrete examples of what is material and what is not would be very useful. Using an existing list of activities could be an option, such as the list of activities subject to mutual recognition (as per Directive 2013/36/EU, Annex 1).
B. Duty to inform national supervisors (section 4.2)
Materiality is again an important criterion to consider. In our view, only material activities should be the subject of notification, as paragraph 4.2.2. seems to suggest. It is therefore important that the other information referred to in the rest of that section does not contradict that position.
While we understand why national competent authorities could ask for additional information on an ad hoc basis, the introduction of such option may be interpreted differently by local competent authorities, which could lead to more fragmentation. This would be contrary to the aim of this guidance.
C. Right of Access and Right to Audit (sections 4.3)
We welcome the possibility for the outsourcing institution to use a range of tools in addition to its own audit resources: third-party certification, third party audits and pool audits.
D. Additional Comments
We note that the draft guidelines respect freedom of contractual choice to govern the contracting arrangements, which we welcome. It makes sense for the parties to be able to choose the governing law based on a range of factors.