We find that the recommendations on outsourcing to cloud service providers (CSPs) in the Consultation paper vary in the degree of clarity they provide to outsourcing financial service providers.
For example, Sections 4.1 and 4.2 list in some prescriptive detail the materiality assessment exercise and the outsourced activities register that outsourcing institutions should establish.
On the other hand, Section 4.3 [Clause 8b (v)] refers to “certifications and audits against widely recognized standards” that outsourcing entities should ensure are attained by CSPs they use. It is not clear whether these should be physical or logical security standards, business continuity/resilience standards, data privacy standards etc.
We request that the EBA provides additional detail where appropriate, to clarify the different Recommendations in this Consultation Paper.
We would like to offer specific feedback on the following draft Recommendations:
1. The reference to “country where the service is performed (including location of data)” in Section 4.2 (Clause 2c) does not take account of the simultaneous use of multiple geographic locations to store Production Network systems/applications & data in dynamically-configurable virtual networks by many CSPs. The identification of the “location of data” as requested here may often be difficult or highly uncertain.
2. The reference to “date of the last due diligence on the outsourcing or subcontracting arrangement” in Section 4.2 (Clause 5l) would suggest that an outsourcing organisation is expected to carry out a regular due diligence of the CSP. Is that the EBA expectation? We would welcome more clarity on the scope/frequency of such due diligence.
3. The recommendation that outsourcing institutions maintain an updated register that includes detailed “information related to all its material and non-material outsourced activities” [Section 4.2 (Clauses 4 and 5)] will cause PSPs to collect/update expanded sets of data even when these relate to outsourced activities that have been assessed as non-material. We would question the value-add that these data will provide to the competent authority; instead, we propose that the Register described in this part of the Recommendations is limited to material outsourced activities.
4. The recommendations that the outsourcing institution ensures that the CSP outsourcing agreement provides “to the institution’s statutory auditor full access to the CSP business premises” in Section 4.3 (Clause 6a) and “unrestricted rights of inspection and auditing (right of audit)” (Clause 6b) ignore the dynamics of the business relationship between financial service providers and the larger, global CSPs. The latter serve tens of thousands of outsourcing entities using hundreds of locations. It is unlikely that an outsourcing institution could secure access to all CSP business premises; instead, we propose that the focus of access is on CSP premises and processes directly involved in the delivery of the services of the outsourcing institution.
5. We would extend the comment above to the Recommendation targeted to competent authorities in Section 4.4 (Clause 10). The expectation that an outsourcing institution can secure a written commitment of a global CSP to provide full access to its multiple locations to the authority (or any 3rd party appointed by the authority) does not take account of the commercial service delivery model used by these CSPs to service financial service providers across the globe. We would again propose that the focus of the recommendation should be on specific CSP premises and processes directly involved in the delivery of services to the outsourcing institution.
In general, we would advise that financial service providers are afforded some degree of flexibility in the structure of the outsourcing agreements they establish with CSPs.
As noted above, we propose that the EBA provides further guidance on the following areas:
1. The scope of due diligence that an outsourcing institution should perform on potential CSPs (e.g. financial, technical, security, availability/business continuity, data protection),
2. The frequency of any repeat due diligence that may be required for existing CSP outsourcers,
3. The criteria that determine that the business continuity plan of a CSP is “suitable” for the services provided to a PSP [as referenced in Section 4.2 (Clause 3a)],
4. The type of action that the competent authority will carry out after it receives the relevant notification (of the use of a CSP to deliver a critical function for an outsourcing institution). We expect that the growing use of CSPs by financial service providers will result in multiple such notifications forwarded to competent authorities. We are concerned that an approach whereby the competent authority is expected to review and individually approve each proposed CSP outsourcing arrangement would result in significant operational workload for the authority and unduly delay the operational plans of outsourcing institutions. Therefore, we propose that outsourcing institutions are allowed to proceed with the establishment of these CSP outsourcing arrangements unless the relevant competent authority raises specific concerns following its review of the CSP outsourcing notification.
5. The criteria an outsourcing institution should use to determine the activities that fall within the scope of its right of audit of the activities of CSP [as referenced in Clauses 6(b), 7 and 8].
6. The scope of certifications/audits that CSPs should complete. The Recommendations should clarify whether such certifications should include security, business continuity, quality and other certifications The recommendation should also confirm whether these certifications may include both self-certification and 3rd party certifications awarded by 3rd party, independent bodies. Finally, the recommendation should identify the “widely recognised standards” [referenced in Clause 8(b)iv] that can form the basis of such CSP certifications.