Dutch Banking Association (Nederlandse Vereniging van Banken)
NVB key messages
• NVB supports the efforts made by EBA to provide additional guidance to the existing Committee of European Banking Supervisors 2006 guidelines with the aim to foster supervisory convergence regarding the applicable processes for the cloud. The consideration given to the proportionality principle and the risk-based approach is needed to accommodate the new challenges of the digital era and ensure these recommendations are future-proof.
• However, NVB is concerned that the draft EBA Recommendations may not be sufficient to have a positive impact on cloud adoption or is the most efficient and effective. The development of Guidelines or any other instruments directly applicable would have been a stronger option than Recommendations as the latter do not prevent the development of diverging approaches by supervisors at national level. NVB notes the risk of National Competent Authorities including their own additional criteria or to have different interpretations on how to fulfill the proposed Requirements. The recommendations include in most cases a non-exhaustive list of general criteria, which will leave room for extra requirements.
• Our main concern is that individual institutions need to comply on a case by case basis adding contractual requirements such as audit rights, security measures, instruction rights, and restrictions to the use of subcontractors. In our experience large cloud service providers will be reluctant to cooperate. By making this an obligation of individual institutions we believe the desired level of harmonisation cannot be achieved, which is evidenced by EBA’s report on the incorporation of the CEBS Guidelines (Section 5 of the Consultation paper). In our view it is far more effective if this issue is addressed through EU regulation/authorisation of (large global) cloud service providers, who provide services to licensed EU institutions, such as banks. This approach could result in a uniform/harmonised framework applicable to outsourcing agreements.
Also, see our answer to question 2 below
Apart from these general remarks, please find below our detailed opinion on some of draft Recommendations in outsourcing to cloud service providers (CSPs).
EBA Question 1. Are the provisions from these recommendations clear and sufficiently detailed to be used in the context of cloud outsourcing?
CHAPTER 1 COMPLIANCE AND REPORTING OBLIGATIONS
CHAPTER 2 SUBJECT MATTER, SCOPE AND DEFINITIONS
CHAPTER 3 IMPLEMENTATION
CHAPTER 4 RECOMMENDATIONS ON OUTSOURCING TO CLOUD SERVICE PROVIDERS
In general the Recommendations are clear. NVB would like to highlight some. Recommendations which may benefit from further guidance/detail or which might not achieve the intended goals without further clarification or guidance.
4.1 Materiality Assessment
NVB welcomes the clarification provided on the required materiality assessment for cloud computing. An institution must always assess the materiality of the activities to be outsourced. It’s is important that the materiality assessment is risk based. This will prevent institutions from costly and time-consuming contract negotiations for non-material outsourcing agreements.
The CEBS guidelines were intended to determine whether an activity is material are not very clear and could benefit from further clarification. In practice these Guidelines are not sufficient.
NVB would like to receive more guidance to help banks to decide which activities are material and which ones are not. The National Competent Authority suggested very specific guidelines on the level of materiality depending on risk of business disruption due to the unavailability of systems. However, this has to be addressed at a European level.
Could EBA also give more guidance to the determination of the materiality in regards with the principle of proportionality? For a small subsidiary a cloud outsourcing contract can be material, but for the Group as a whole it might be not material at all. How would this be assessed in case of chain outsourcing where multiple small daughters outsource firstly intra-group non-material activities, which are then bundled and outsourced to a third party.
National Competent Authorities do have right-to-examine agreements with some cloud service providers. Is an exemption for the right-to-examine clause possible, when the supervisor already is capable of exercising this right?
Furthermore, not every use of cloud services should qualify as outsourcing in scope of these Recommendations. In our view, the Recommendations only apply to cloud services if the arrangement under which the cloud service provider performs certain activities for the institution qualifies as outsourcing under applicable law. To the extent that the CEBS guidelines would automatically qualify all use of cloud services as outsourcing, irrespective of the definition of outsourcing under applicable law and the activities performed by the cloud service provider, this view is outdated and needs to be updated
4.2 Duty to adequately inform supervisors
( c) country where the service is performed (including location of data).
This possibly means multiple countries, since support and backup services are often delegated to subcontractors (in different countries, possibly also outside EEA). Especially if 24/7 support is required, cloud service providers typically apply the follow the sun principle providing services from different centers located in different time zones. And in transit, data may pass a number of different countries.
It is not clear what location of data exactly means or what level of detail is needed. E.g., cloud service providers sometimes distribute basic login information over data centers all over the world, as employees that log in to a cloud system will be routed (first) towards the closest data center. This means that, although the prime data will be stored at pre-agreed locations, certain non-sensitive data can be processed in multiple other locations. Please clarify.
Paragraph 4.3 of CEBS Guideline does not include any guidance on the legacy of contracts closed prior to the implementation of this standard. Will there be any grandfathering provisions?
EBA should provide further explanation on the guidelines and effective dates for legacy contracts at the time of the implementation of the EBA standards.
4.3 Access and audit rights
NVB understands the importance to check whether a vendor complies with the agreed provisions. However, in general NVB experiences that major cloud service providers won't allow on-site inspections by, or on behalf of, their customers and leave institutions no other option than to rely on third party assurance for this purpose.
4.3 Access and audit rights
"Right of access”
NVB considers full right of access for institutions at major cloud service providers quite unrealistic. Individual financial institutions lack the bargaining power to receive this right to access. NVB concludes that most European banks likely won’t be able to exercise this right of access. This is not the case in the US and consequently this results in an unlevel playing field with US based banks.
There is a number of possible solutions to address this issue.
Most realistic is to provide guidance that institutions may rely on third-party certifications and third party audit reports or an audit performed by an independent third party as set out in 4.3.8 (a) to exercise the right to access. Banks should no longer have the obligation to audit their cloud service as they can rely on the third party audit results.
Another option, but less realistic would be a solution as stated under 4.3.8 (a): Pooled audits by a consortium of financial institutions or ideally a combination with 4.3.8 (b) Third-party certifications and third party or an audit performed by independent third party, which is accepted by supervisory authorities. This is less realistic as major cloud service providers now refuse to provide a direct right to access for the institution, it is not to be expected that they will change this policy when a couple of institutions join forces.
Special attention is needed for SaaS as there might be more room to negotiate “right to audit’ as these providers are generally smaller. This is less realistic as major cloud service providers now refuse to provide a direct right to access for the institution, it is not to be expected that they will change this policy when a couple of institutions join forces. However, in case SaaS providers subsequently use large cloud service providers as subcontractors, which is often the case, such rights to audit need to be limited to the SaaS provider itself, as large cloud service providers will not agree thereto.
Given the comments above, specific attention should be given to the situation where the ‘pooled audit’ doesn’t cover the entire scope required by a specific institution, but where the institution is too small to obtain specific additions.
4.3 Access and audit rights
Considering the actual early stages of cloud computing and the specialized knowledge that is needed to audit: are there any recommendations on professional certification(s) or audit objections required? Suggestion: Define preferred skills, experience or professional certification(s) required of staff and audit objectives to be met for cloud computing reviews. These should be very regularly updated.
As with the pooled audits: specific attention should be given to the situation where the certification doesn’t cover the entire scope required by a specific institution, but where the institution is too small to obtain specific additions
4.4 In particular for the right to access
NVB doubts if “Unrestricted rights of inspection” will be granted by any Cloud Service Provider.
Certainly, they will not be willing to put this in their general terms and conditions. All in all, NVB thinks recommendation 4.4 is not realistic.
4.5 Security of data and systems
To be able to meet the requirements of this article, outsourcing contracts should at least contain the requirement that the Information Security Management System (ISMS) of the Cloud Service Provider meets with the code of practice for information security management ISO2700x.
Suggestion: Explicitly state the requirement for information security management ISO2700x in the contract.
4.5 Security of data and systems
With regard to 4.5.16 NVB recommends institutions to perform actions described in (article a, b and c), prior to outsourcing and for the purpose of informing the relevant decision maker
NVB does not consider it feasible of make CSP perform these processes themselves upon request.
4.6 Data Processing
NVB suggests to add wording making decision makers aware that 7x24 support from another region may lead to export of data. Outsourcing institutions should be aware whether or not remote support from another region is performed and make sure whether or not the outsourcing provider needs access or has access to the outsourcings institutions data.
4.6 Data Processing
Could EBA give guidance on how to handle data compiled outside EEA or EU and which stays outside the EEA or EU (e.g: customer data of e.g. an American branch)?
4.6 Data Processing
Standard should address recommendations on established or recommended country risk rating agencies or preferred methodology on assessing and assigning country risk ratings.
NVB suggest adding an appendix that gives guidance on the methodology preferred to assign country risk.
4.6 Data Processing
Institutions making use of CSPs should apply 'special care' if they use cloud solutions outside of the EEA. Recommended is a risk-based approach.
NVB expects requirements of the outsourcer's regulator will remain applicable on CSP outside of the EEA. It is considered likely extra requirements will be added on top. For example, a cloud outsourcing contracted in the Netherland and used in Singapore, may result in the specific requirements of the Singapore regulator must be permanently met (eg, Monetary Authority Singapore must be informed within 4 hours when critical payments infrastructure is down, or Singapore's customer data may not be mingled with other customer data).
NVB considers it difficult for banks to get a clear overview of all regulators and supervisors involved with outsourcing outside the EEA and the rules and regulations used.
4.7 Chain outsourcing
With respect to chain outsourcing our main concern is that the requirements proposed can only be agreed upon and monitored with respect to a limited group of service providers. If institutions are required to apply these requirements to all subcontractors, or even all material subcontractors, this would require allocation of an unjustifiable amount of resources. NVB urges EBA to take this into consideration.
In general, ICT supply chains continue to expand and makes secure and reliable chain management of sub(sub)contractors very difficult and expensive.
The outsourcing institution must ensure that it is informed/notified in a timely fashion about on any potential breaches/calamities, service interruptions and material changes in the sub(sub)contracting chain (e.g. those whit external impact).
Below NVB comments on specific articles from the draft Recommendations regarding chain outsourcing.
“21. The outsourcing institution should agree to chain outsourcing only if the subcontractor will also fully comply with the obligations existing between the outsourcing institution and the outsourcing service provider.”
Does EBA require the above for each situation in which a service provider uses subcontractors? Or could this obligation be limited to material subcontractors? How should institutions handle situations in which outsourcing institutions agree hereto, but subsequently do not adequately cover this back-to-back in the agreement with the subcontractor(s)?
“22. The outsourcing agreement […] should specify any types of activities that are excluded from potential subcontracting, and indicate that the cloud service provider retains full responsibility and oversight of those services that they have subcontracted”
NVB does not expect that cloud service providers will be prepared to agree to such restrictions. This would limit the business operations of the cloud service provider too much. In addition, we expect that managing large volumes of individual carve outs would impact the rates against which cloud service providers would offer their services.
“23. The outsourcing agreement should also include an obligation for the cloud service provider to inform the outsourcing institution on any proposed significant changes to the subcontractors or the subcontracted services […] which may affect the ability of the service provider to meet its responsibilities under the outsourcing agreement”
NVB expects that cloud service providers will be reluctant to agree to this as they will not be inclined to inform institutions of changes that will negatively affect their service offering. We believe that the self-assessment by the service provider whether a change may affect its ability to meet its responsibilities will not work in practice. Furthermore, use of the word “proposed” appears inappropriate and should be replaced by “intended” or “envisaged”. Proposed implies that the institution has a right to agree or disagree to a proposed change. An alternative solution to address this would be to agree to a more general obligation to inform the institution of any potential breaches or service interruptions and material changes to subcontracting arrangements.
“24. In the case that the cloud service provider plans changes of a subcontractor or subcontracted service which will have an adverse effect on the risk assessment of the agreed services, the outsourcing institution should have the right to terminate the contract.”
This is not a feasible requirement. This limits the operations of the cloud service provider too much. NVB expects that most service providers will not agree to such a contractual right. Whether the power to forbid a certain subcontractor is relevant also depends on whether the institution has the right to terminate the agreement with the cloud service provider at short notice for convenience.
Next to that, the question is whether this specific termination rights is actually required to effectively manage this risk. Most important seems that the institution is informed on any relevant changes. Most cloud services are subscription based, so institutions can move their services somewhere else. This requirement seems only relevant if the institution does not have the right to terminate the agreement with the cloud service provider at short notice for convenience.
“25. The outsourcing institution should review and monitor the performance of the overall service on an ongoing basis, regardless of whether it is provided by the cloud services providers or its subcontractors.”
The EBA should clarify whether the above requirement means that the institution has to directly monitor and review the performance of each subcontractor or that the requirement is limited to directly monitoring the service provider. As pointed out earlier, institutions cannot be asked to monitor each subcontractor.
Standard does not provide any guidance on the requirements of the outsourcing provider to provide required reporting and transparency of the performance of this subcontractor to be submitted to the outsourcing institution. Additional question: how many layers of subcontractors are allowed?
4.7 Chain outsourcing
First a general question:
Is it also considered “chain outsourcing’ in case of a ‘normal’ outsourcing to a service provider who uses a ‘cloud service provider’ for its IT?
The change of the location of a CSP or a subcontractor during the contracted period to a country outside the risk tolerance of an institution country risk ratings or type of cloud infrastructure should also be grounds for the termination of the contract. If the institution does not have the right to terminate the agreement for convenience on short notice, the right for contract termination by the outsourcing institution must be expanded to also include the event that as a result of a change of location by the outsourcing provider that does not comply with the country risk tolerance standards of the institution.
4.8 Contingency plans and exit strategy
With respect to this part EBA should clarify whether these obligations reach all outsourcing contracts or only material outsourcing contracts. Furthermore, NVB would like to point out that managed exit clauses will not be achievable with respect to all cloud service providers. Most IaaS/PaaS cloud service providers will argue that the institution will be able to migrate its own data from their service to a subsequent solution without requiring any assistance from the cloud service provider. And in other cases the migration typically seems to require a joint effort of the institution, the ‘old’ cloud services provider and the subsequent cloud service provider. Furthermore, how can institutions determine the level of detail EBA requires with respect to continuity arrangements? Does this mean that institutions need to have in place contracts with back-up service providers?
EBA recommends to plan and implement an exit strategy to maintain continuity of their business in the event the provision of a services stops or deteriorates to an unacceptable level. NVB asks EBA to elaborate on this matter. Does this mean already having tested the exit with the old Cloud Service Provider to the back-up cloud service provider? This involves extra arrangements and contracts. Or does EBA mean being able to retrieve all data without any unreasonable delay? Note that an event triggering one institution to exit the services of a cloud service provider, may also trigger other clients of the provider to do the same. At the end of the day such may cause network congestion. Also note that even the amount of data that may need to be migrated upon an exit of a single client may cause that the exit may take quite some time due to limitations in network bandwidth."
NVB sees five points of attention which are not addressed adequately in the consultation documents. We discuss these below.
1. Systemic risk resulting from (large global) CSP’s
As pointed out in paragraph 4 of chapter 3 of the consultation paper, cloud services may result in concentration risk at industry level where large cloud service providers can become a single point of failure when many institutions rely on them. This scenario may unfold, specifically for IaaS/PaaS/SaaS services like Microsoft Azure and Amazon Web Services.
A failure of large cloud services providers may have substantial impact on the availability of financial services. A broad majority of financial institutions is dependent on the cloud services offered by just a few cloud services providers. Considering the data volumes, these providers may not be able to technically facilitate the migration from one cloud services provider to another if an incident triggers a sudden data migration by a large group of financial institutions. Taking into account the importance of large cloud service providers for EU financial services, we expect that this warrants direct applicability of regulatory minimum requirements/safeguards and some form of supervision.
2. Inefficiency of bilateral contract clauses
The market position of large cloud service providers, combined with the high level of standardization and automatization of their services, drastically limits the bargaining power of individual institutions. Individual institutions will not be very effective in negotiating the contractual safeguards required to mitigate outsourcing risks with large cloud service providers. In our view compliance with the requirements set out in the consultation paper will be very challenging taking into account the power of large cloud service providers. Furthermore, the results achieved by individual institutions may vary significantly resulting in opacity, effectively eliminating the desired harmonisation.
Therefore, NVB requests the EBA and the European Commission to investigate an alternative approach with respect to large cloud services providers. Failure of large cloud service providers may cause substantial risks to the stability of the financial systems. We expect their services will be used on an increasing scale by a broad majority of EU financial institutions. Attributing financial institutions with the obligation to ensure appropriate contractual safeguards is not efficient and involves a risk that these safeguards may prove insufficient when tested. An effective approach would be to directly regulate and supervise large cloud services providers providing cloud services to EU financial institutions.
3. Audit rights vs Audit reports
It is highly inefficient to require individual institutions to perform audits on large cloud service providers. In practice, large cloud service providers will be reluctant to allow individual institutions on site access and to audit their activities. Large cloud service providers will have numerous clients worldwide. Granting audit rights to individual clients will have a material impact on their day-to-day business and may result in risks for their day-to-day business.
Reliance on Supplier SOC2 type 2 reports and joint audits with other institutions are only allowed if individual institutions do not employ their own audit resources or when the performance of audits or the use of certain audit techniques might create a risk for another client’s environment.
NVB believes that these exceptions should be the main rule. It would be far more practical if each cloud service provider is required to have a highly detailed SOC2 type 2 report or equivalent report or certification which is updated frequently and that meets certain minimum criteria, on which individual institutions may rely. This would be beneficial to large cloud service providers as well as individual institutions. We believe that audit by individual institutions should only be required in situations where such report would not cover a specific aspect relevant to that institution or, alternatively, that in case of contractually agreed deviations, the cloud service provider commits these will be taken into account by the SOC2 type 2 report, thereby allowing for tailor-made additions.
4. Benefits outsourcing and solidity CSP’s
One of the key benefits of outsourcing is scalability and flexibility. Furthermore, outsourcing plays an important role in innovation/digitalisation in financial services. These benefits should not be overlooked when composing further guidance on outsourcing. In addition, apart from potential risks outsourcing to large cloud service providers may add security.
Large cloud service providers distribute their data centres and systems globally. All major vendors have a high level of resiliency built into their infrastructure, including resiliency to cyberattacks. More so than many of the most major organisations, including banks. Technically we expect the chance of a major failure that would impact a majority of (EU) financial institutions is relatively small.
What is important in this area is that individual institutions take responsibility and ensure that they are very careful in how they distribute their systems. Having more than one cloud service provider and having bank critical applications able to run on multiple clouds at the same time (probably a minority of applications (services)) may proof to be critical for their survival.
5. Transitional provisions
The guidelines proposed in the consultation document are more detailed and contain more requirements than the current guidelines. For example the requirement with respect to the encryption of data in memory. How will these new requirements apply for existing outsourcing agreements and SLA’s? It is unfeasible to make all existing agreements compliant with the new requirements. We believe that detailed transitional arrangements for existing contracts need to be in place.
Dutch Banking Association (Nederlandse Vereniging van Banken)