Definitions
We believe the NIST definitions might be more appropriate and more industry standard. We refer to Circular CSSF 17/654 from Luxembourg, which provides definitions of a “cloud computing service producer” and a “resource operator”, which assist in understanding the roles involved in a typical outsourcing involving cloud services. “Cloud service provider” in the context of the EBA Guidance could be taken to mean the entity which provides the cloud computing resources as IaaS or PaaS and not any entity which is reselling the IaaS or PaaS to the institution. A common business model is for an application provider (the “resource operator”) to implement its application on the public cloud (for example Azure or AWS) and then to sell a “SaaS” offering to the institution. In this model, the institution will not have a direct relationship with the provider of the public cloud. The outsourcing institution would only contract with the application provider (resource operator). The provider of the public cloud is therefore a subcontractor of the application provider.
4.1 - Materiality Assessment
Many cloud services arrangements are very unlike traditional outsourcing arrangements, which entail a high level of bespoke client requirements. When providing a banking solution on a SaaS basis, the outsourcing institution does not manage or specify the day-to-day IT operations of the management of the infrastructure, platform and applications. The outsourcing institution will still be responsible for setting access rights to the system and for its own use of that system. The systems provided by the third parties tend to use secure standardised technologies which a regulated entity could not itself provide.
When outsourcing using a cloud-based service, our clients retain control over the configuration of the banking system to meet their needs and the delivery of that service to their customers, as well as control of and access to the data stored. The regulated entity is therefore not outsourcing a primary banking function as such but part of the IT delivery chain and data storage. Therefore we are of the view that greater clarity should be given in the guidance here. We believe a more nuanced approach to assessing the criticality of the activities to be outsourced would be helpful, specifically with reference to the type of data to be held by the service provider and the type of functions undertaken. Some detailed case studies may be very helpful here.
4.2 – Duty to adequately inform supervisors
Information to be provided
As explained under the Definitions section above, the outsourcing may in fact be to a third party “resource operator” and not to a cloud service provider.
4.3 - Access and audit rights
For institutions
Under 4.3 6 a) we note institutions are required to obtain “full access” to “business premises, including the full range of devices, systems, networks and data used for providing the service outsourced (right of access)”. In the case of a public cloud utilising a virtualised environment, a visit to a data centre will not practically assist in obtaining access to data or devices and will be of limited benefit. Large data centres are extremely secure and the locations of the centres are confidential. Visitors to a data centre create a security risk and hyperscale data centre providers do not encourage such visits. The guidance could be clarified to show that (i) third party certifications and third party audit reports and (ii) effective access to data could be relied upon by institutions in relation to data centre services. We note the UK FCA FG 16/5 Guidance on “cloud” clarifies that business premises does not necessarily include data centres, and the EBA may consider such a clarification.
In relation to 4.3 7, the rights of access would never be totally unrestricted. The cloud provider and resource operator have to ensure at all times the security of the premises and of all client data managed from that site. The FCA Guidance notes that the scope of a visit can be limited to those services that the firm’s group is using.
Most cloud providers would expect the institution and its auditors to rely on formal certifications and reports from third parties, such as SOC 2 audit reports, ISO 27001 and PCI DSS, in relation to data centre facilities. We believe the FCA approach in its Guidance of detailing what constitutes effective access to data may be of assistance. An institution should be able to obtain the same level of assurance by requesting the data it requires from the service provider.
In relation to 4.3 8 (v), an institution will be highly unlikely to be able to make a hyperscale cloud provider change the scope of its certifications, which are used for a service provided to thousands of other clients.
4.3 - Access and audit rights
For competent authorities
The concerns about security and access to data equally apply to a regulator, and we think that a regulator could also rely on certifications and audit reports in the first instance.
The banking system within the cloud could be configured to provide a role-based regulator user, which could be utilised by a competent authority, subject to appropriate security controls, to provide access to the institution’s data.
4.5 - Security of data and systems
We believe this overlaps with the provisions of the General Data Protection Regulation (GDPR). It would be helpful to clarify whether there are any additional requirements over and above the security requirements and ex-EEA transfer requirements for personal data under the GDPR.
4.7 - Chain outsourcing
We believe the guidance on chain outsourcing is very much appropriate in the circumstances of cloud services.
The role of the resource operator would also be relevant here. The resource operator or application provider in a SaaS model will usually need to be able to change the cloud service provider in order to ensure cost-effective services and disaster recovery services for its clients and to maintain its offering in line with technological advances. It may also be part of its own risk management to guard against a concentration of clients with a particular cloud provider. A resource operator would expect to inform the regulated institution in advance of the proposed change, which should not lead to any diminution of the service offered to the outsourcing institution.
We would however note that there will be differences in the actual security controls deployed by different parts of the supply chain, but that, overall, all subcontractors should comply with a minimum standard of security.
Please see our comments above about Resource Operators.
Harmonisation: It would greatly assist our clients and us as suppliers if there were harmonisation of cloud services requirements across all regulators, or at the very least regulators in the European Union; we note the different approaches already taken by the UK, Luxembourg and the EBA. The nature of providing cloud services often means data storage and access to the data may easily be moved to different locations. This provides business continuity and flexibility as well as cost management. However, as customers may be from several jurisdictions and a bank may have branches outside the home jurisdiction, managing the regulatory requirements becomes onerous, particularly when the General Data Protection Regulation and the Network and Infrastructure Security Directive are considered as well. Harmonisation both across jurisdictions and among different national regulators (i.e. the new data protection supervisory authorities and the new cybersecurity regulator) would bring the benefit of greater certainty to regulated entities and suppliers when designing and managing solutions and assist with ensuring better compliance. It would also assist clients and suppliers to develop and use cloud services on a more cost-effective basis, which would encourage the uptake of cloud services over time.
2.2 Other outsourcing guidelines: We would welcome the EBA updating the broader Committee of European Banking Supervisors Guidelines on Outsourcing as well. We also believe that the Basel Committee on Banking Supervision’s paper on Outsourcing in Financial Services could benefit from review; in particular, the definition of outsourcing is somewhat out of date.