Response to consultation on recommendations on outsourcing to cloud service providers

Question 1: Are the provisions from these recommendations clear and sufficiently detailed to be used in the context of cloud outsourcing?

We hereinafter comment on EBA’s Consultation Paper (EBA/CP/2017/06) on the Draft Recommendations on outsourcing to cloud service providers under Article 16 of Regulation (EU) No 1093/2010 (hereinafter referred to as “EBA’s Draft” or “Consultation Paper” or, with respect to the Draft Recommendations, “Recommendations” or “DR”). All references to enumerations without additional reference to a specific directive or regulation also refer to EBA’s Draft / Consultation Paper.

1. Scope of application
a) EBA proposes to base its Recommendations on the CEBS Guidelines on outsourcing of 14 December 2006 (hereinafter referred to as “CEBS Guidelines”), but also correctly points out in the background section of the Consultation Paper that the outsourcing of services, as it stands now, is much more standardized, automated and executed on a larger scale compared to traditional forms of outsourcing in the past, particularly as CEBS dealt with it eleven years ago.
b) The IK is of the opinion that the scope of application of the Recommendations does not sufficiently consider the aforementioned development in the external service vending and outsourcing market.
DR 2.1 refers to the definition of outsourcing as stated in GL 1 a. of the CEBS Guidelines, which – in the IK’s opinion – is no longer up to date.
This “outsourcing” definition reads as follows:
“an authorized entity’s use of a third party (the “outsourcing service provider”) to perform activities that would normally be undertaken by the authorised entity, now or in the future. The supplier may itself be an authorized or unauthorized entity”.
Alongside this outsourcing definition, CEBS at that time correctly differentiated between “outsourcing” and “purchasing” and defined “purchasing” as “…the supply of services, goods or facilities without information about, or belonging to the purchasing institution coming within the control of the supplier; or of standardized products, such as market information or office inventory.”
In the context of the Recommendations, the use of the title headline “outsourcing” and the key concept of treating cloud computing generally as “outsourcing” as defined in the aforementioned CEBS Guidelines is not adequate: the important differentiation between “outsourcing” on the one hand and “purchasing” on the other hand should continue to be acknowledged by the Recommendations, as was the case in the CEBS Guidelines. The specifics and the broad variety of cloud computing service products are not sufficiently considered if all cloud computing products are comprehensively covered by outsourcing regulation; therefore the Recommendations should also acknowledge the CEBS concept of purchasing, which is not regulated outsourcing.
Consequently, as a first remark, EBA should generally refer to “cloud computing services” rather than “outsourcing to cloud service providers”.

c) Again, it must be highlighted that CEBS at that time correctly emphasized that regulated outsourcing refers to activities
“… that would normally be undertaken by the authorized entity”.
The IK is aware that this may certainly apply to certain cloud computing services or functions, but not necessarily to all cloud computing products. In particular, the purchasing of server capacity and the high scalability and flexibility typical of cloud computing products – in contrast to institutions’ own infrastructure and server capacity – confirm from the outset that institutions do not regularly “delegate” activities to cloud service providers, but instead purchase cloud computing products. The purchasing of these cloud products by the financial community is more comparable to purchasing a “commodity” than to “delegating functions or activities”.
d) In this respect, the aforementioned GL 1 of the CEBS Guidelines correctly referred to the performance of “activities” of an authorized entity and certainly had classical outsourcing concepts like Business Process Outsourcing (BPO) in mind. For BPO activities it is certainly crucial to clearly agree on the regulatory requirements applicable to those services and on further technical details of the required process flows and interfaces to a bank subject to regular outsourcing regulation.
e) Hence, EBA’s Recommendations should place more emphasis on the distinction between cloud computing as outsourcing and cloud computing as purchasing. The development of future financial services regulation should remain technologically neutral, open to innovation and flexible enough to filter out cloud computing activities which are “purchased as a commodity” by the financial services industry, particularly if no processing of financial transactions is concerned.
f) Cloud computing has historically – due to its expansion across a series of servers and IT platforms – never been an in-house function of an institution, as such services are provided by highly developed external IT service providers. Specialist know-how is required for setting up and maintaining cloud computing services and dedicated cloud infrastructure across a series of server and IT networks. Cloud service providers pool expertise and server capacity as the main asset of their business. Especially large IT service providers such as Microsoft, SAP or Oracle are quasi monopolists in their business areas. Hence, for most institutions it is technically not possible to run cloud infrastructures in-house by themselves. Because of the radical development of the IT industry in recent years, the business of cloud computing has been developed externally as its own type of business from the very beginning and therefore has never been an internal function of institutions. As a consequence, cloud computing services are often not “delegated” by institutions but purchased from external third parties, in line with the above-mentioned nature of the service from a historical point of view.
2. Inclusion and adaption of outsourcing definition
a) As mentioned above, the IK suggests applying a more differentiated and up-to-date “outsourcing” definition in the Recommendations compared to the definition in the CEBS Guidelines, which already date back to 2006, and also considering other recent EU financial services regulatory acts, such as MiFID II and PSD II.
b) Therefore, the IK suggests applying an outsourcing definition in DR 2.3 which is more consistent with recent EU regulatory acts, such as Art. 16 (5) of the Markets in Financial Instruments Directive 2014/65/EU (“MiFID II”) or Art. 19 (6) of the revised Payment Services Directive 2015/2366/EU (“PSD II”):
Both outsourcing definitions build on the baseline of the definition in the CEBS Guidelines 2006 and only address as outsourcing those activities that would normally be undertaken by the authorized entity, but additionally require as a qualifying element that the outsourcing of …
“…important operational functions, including IT systems, shall not be undertaken in such way as to impair materially the quality of the institution’s internal control and the ability of the competent authorities to monitor compliance with all of the obligations laid down in applicable regulation.”
Without the aforementioned qualifying requirements, as applied to outsourcing in the area of securities services or payment-related services, the outdated outsourcing definition provided by the 2006 CEBS Guidelines goes too far, since cloud computing activities which are not deemed to be important IT functions and which do not impair the internal control arrangements of an institution would also be in scope of the EBA cloud computing outsourcing Recommendations.
The approach under MiFID II or PSD II clearly shows that the term “outsourcing” is only used with regard to a two-step approach addressing
(1) the delegation
(2) of important operational functions of an institution to third parties
which would regularly be performed by the institution in-house.
The “important” operational functions – comparable to the concept of “material” activities in the CEBS Guidelines – need to be distinguished from subordinate functions which do not pose relevant risk to the institution.
c) Consequently, if and to the extent that no cloud purchasing is concerned, EBA should feel encouraged to highlight the aforementioned two-step approach for outsourced activities while placing a stronger emphasis on the delegation of important functions, rather than capturing all cloud computing services – irrespective of their importance for the provision of financial services.

Question 2: Are there any additional areas which should be covered by these recommendations in order to achieve convergence of practices in the context of cloud outsourcing?

1. Differentiation between material and non-material outsourcing
a) Even if cloud computing services may in certain cases qualify as the delegation of functions or activities which are required for the operation of financial services, a distinction must be made between material and non-material outsourcing (or important and non-important functions), as already set out by CEBS Guideline 4.3.
b) Non-material outsourcing activities certainly remain subject to the individual risk management requirements of institutions, but the distinction between material and non-material activities requires recommendations beyond the regulatory content of EBA’s Draft. The principle of proportionality is set out in the Executive Summary of EBA’s Draft and was recently pointed out explicitly by the Financial Stability Institute (FSI), jointly created by the Bank for International Settlements (BIS) and the Basel Committee on Banking Supervision (BCBS) to assist supervisors around the world in improving and strengthening their financial systems (FSI Insights on policy implementation No 1, Proportionality in banking regulation: a cross-country comparison, August 2017). In order to act in compliance with this principle, the IK suggests emphasizing the principle of proportionality in the context of this distinction between material and non-material outsourcing activities.
2. Recognition of the concept of multi-tenant cloud service providers
DR 3.4 appropriately states that “cloud outsourcing services show a much higher level of standardization which allows the services to be provided to a larger number of different customers, in a much more automated manner on a larger scale”.
The IK agrees with the aforesaid conclusion that cloud computing is mainly an automated and standardized service compared to the BPO services envisaged by the CEBS Guidelines.
With regard to the procurement of cloud computing, institutions mostly retain quasi monopolists like Microsoft, Oracle or SAP, as already mentioned, who service a broad range of customers with standardized cloud products.
In consideration of the aforementioned, the IK is further of the opinion that, with regard to cloud computing, it is justified from a regulatory perspective that the specific circumstances of large and centralized “outsourcing” providers that service a significant number of clients (hereinafter “multi-tenant service providers”) are duly taken into account.
The German National Competent Authority BaFin, in its MaRisk consultation 02/2016 on minimum requirements for risk management (“MaRisk”), recognizes the practical background of those “multi-tenant service providers”, who simply cannot offer standardized IT services, such as cloud computing, to customers while applying completely different compliance or other IT risk management arrangements for the same IT service to perhaps dozens of different customers with different internal security landscapes. EU legislation and EBA Recommendations should remain feasible to implement, particularly when retaining multi-tenant providers, and should not impose impossible duties on stakeholders.
Hence, the IK suggests explicitly considering the concept of multi-tenant service providers with respect to access and audit rights in DR 4.3 in a proportionate manner, and building on it as a frequently applied standard in the IT processing industry by addressing the specific practical requirements of multi-tenant service providers. In this context it is proportionate, as EBA suggested, either to apply pooled customer audits or to have institutions provided by the cloud provider with external audit reports covering compliance with industry IT security standards and certification requirements, such as compliance with the ISO 27000 standards, and auditing and reporting on data protection compliance.
Hence, in the case of multi-tenant cloud service providers, direct access and audit rights of institutions should be limited to exceptional cases where external audit reports do not comply with applicable audit report standards or where shortcomings or other findings are detected.
For the avoidance of any doubt, a definition of “multi-tenant service provider” should be included in DR 2.3 as follows:
“service provider that services a significant number of clients with standardized cloud computing functions.”

3. Appropriate recommendations for chain outsourcing
a) External services provided in a “chain” are not only customary in the provision of IT services but, in cloud computing, often a key element by their very nature. In this respect, DR 4.7 para. 21 might be misinterpreted, since it refers to “agreeing” on “chain outsourcing”. EBA should take more into consideration the established and well-balanced regulatory practices of NCAs, such as BaFin in the draft MaRisk 2016 AT 9 para. 8 or the FCA in its guidance FG 16/5 for firms on outsourcing to the cloud (“FCA cloud guidance”). In line with this BaFin or FCA practice, EBA should feel encouraged not to impose requirements to “agree” on sub-contractors of cloud computing service providers, but to require objection and termination rights for institutions if sub-contractors do not comply with regulatory requirements, as already mentioned in DR 4.7 para. 24.
b) Furthermore, and again in consideration of the principle of proportionality, the extension of sub-contractor monitoring should only apply to those sub-contracted functions which are relevant to the provision of the regulated financial service, in order to determine whether these enable the regulated firm to continue to comply with its regulatory requirements, as set out in the FCA guidance, page 10.
4. Comment on the register for outsourcing (DR 4.2 para. 4)
Further, notwithstanding the aforementioned, it is the IK’s point of view that the obligation to maintain an updated register of all material and non-material outsourced activities is defined too broadly and does not entail regulatory benefits. It would generally be sufficient to maintain an updated register for material outsourced activities; minor outsourced activities are not as critical, so it may be sufficient to include non-material activities in the standard risk management arrangements applicable to financial services and IT-related risk. The obligation to maintain an updated register even for non-material outsourced activities might again be disproportionate in consideration of the principle of proportionality. For clarification, this obligation should only apply to material outsourcing, not to external purchasing as outlined above.

Additional comment on the Consultation Paper:

Alternative supervisory approach to the technical progress of cloud computing
Due to the aforementioned circumstances, the IK would also like to propose a new alternative supervisory approach with regard to EBA’s Draft.
The IK suggests considering dedicated certification requirements for cloud computing providers that specifically provide services to financial services providers, rather than continuing the assumption that cloud functions are “delegated/outsourced activities”, as those services – as outlined above – have never been performed in-house in financial institutions. Here, alternative concepts could be considered, like the one recently applied to electronic identification schemes under the EU eIDAS Regulation 910/2014: mutual recognition of schemes in the EU internal market on the one hand, and on the other hand enabling financial service providers to make use of electronic identifications – if compliant with the aforementioned regulation – in the course of performing AML know-your-customer duties, without qualifying this usage of electronic identifications as outsourcing, but treating it as a “certified commodity”.
The IK is of the opinion that “old” and possibly outdated outsourcing regulatory concepts, including outsourcing agreements and access and audit rights as are usual for outsourced business processes (BPO), may no longer be appropriate in more complex and sophisticated IT cloud networks, as the specific needs of individual institutions will have a reduced importance compared to a standardized supply of “IT commodity cloud products”. Here, new regulatory concepts including certifications of standardized cloud providers/multi-tenant providers and products may be a good way forward in order to ensure IT risk mitigation for financial institutions while still following innovative developments in the IT market.

Name of organisation

Interessengemeinschaft Kreditkarten (The IK is a competition neutral platform without legal capacity for entities, which act in the credit and debit card business in Germany (Issuer, Acquirer, Network Service Providers, Processing Entities, Licensors), registered in the EU-Transparency Register under Ident-no. 209142612442-39)